From mduksa at gmail.com Sun Feb 1 00:44:33 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Sat, 31 Jan 2009 21:44:33 -0800
Subject: [c-nsp] tagged attribute in FreeRadius
Message-ID:

Does anyone know the syntax on FreeRadius to pass a 'tagged' attribute value from the server to the client? For example, this is how the attribute is defined in the dictionary file:

    ATTRIBUTE ERX-CoS-Parameter-Type 108 string has_tag

and this is how I'm trying to return it:

    :
    :
    ERX-CoS-Parameter-Type:1 = "basic_sch",
    ERX-CoS-Parameter-Type:2 = "8m"

Is this syntax correct? Obviously it does not work in my case, which is why I ask. Usually there is no : after the attribute name, but I figured that if I have an attribute with a tag, the tag should be after the colon. Does anyone have experience with this?

Thanks,
Marlon

From sami.joseph at gmail.com Sun Feb 1 06:43:44 2009
From: sami.joseph at gmail.com (Sami Joseph)
Date: Sun, 1 Feb 2009 13:43:44 +0200
Subject: [c-nsp] How TACACS works? IOS vs IOS XR
Message-ID: <9da37ec40902010343p6a0e3daai3eda774fd1956ee1@mail.gmail.com>

Hello everyone,

I am trying to understand how TACACS works (authorization) so I would be able to understand how this works in IOS XR too.

*IOS:*
Let me take it from scratch. In IOS, we can create a user with local privileges, so if we assign priv. 15 to a user, he'll be able to do everything. If we want more granularity, we can use the TACACS server to limit the commands a user can execute, and it works like the following: every command has an attribute-value pair, the command is sent to the AAA server and it will compare that pair to the configured policy (ex. can do show commands only).

*In IOS XR:*
We assign task IDs locally so that a user can access L2VPN and traffic engineering components, for example, but cannot change BGP. Then there are the root/cisco_support accounts and they give higher privilege to the user.
So assume I want to bring an XR box into TACACS: do I need to make sure that the AAA server understands the IOS XR AV pairs, or is it a standard format? Do I need to do anything special on IOS XR for the cisco_support user, or do I just treat it like IOS?

Thanks,
Sam

From good1 at live.com Sun Feb 1 09:41:10 2009
From: good1 at live.com (Andrew Jimmy)
Date: Sun, 1 Feb 2009 19:41:10 +0500
Subject: [c-nsp] mpls l3vpn
Message-ID:

Why do you get * on the destination PE and one extra hop when you do a traceroute?

    traceroute to 192.1.1.5 (192.1.1.5), 30 hops max, 40 byte packets
     1  1.1.0.1 (1.1.0.1)  157.301 ms  207.940 ms  157.392 ms
         MPLS Label=299840 CoS=0 TTL=1 S=0
         MPLS Label=17 CoS=0 TTL=1 S=1
     2  10.1.1.2 (10.1.1.2)  183.165 ms  123.536 ms  185.375 ms
         MPLS Label=300704 CoS=0 TTL=1 S=0
         MPLS Label=17 CoS=0 TTL=2 S=1
     3  * * *
     4  192.1.1.5 (192.1.1.5)  134.623 ms  181.346 ms  183.886 ms

From nick.jon.griffin at gmail.com Sun Feb 1 11:06:13 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Sun, 1 Feb 2009 10:06:13 -0600
Subject: [c-nsp] BGP <-> OSPF default route failover
In-Reply-To: <50f158990901311050ldaf5ccdya62adbdc19cdb5e0@mail.gmail.com>
References: <50f158990901311050ldaf5ccdya62adbdc19cdb5e0@mail.gmail.com>
Message-ID:

As he mentioned above, I don't believe he will be receiving a default route from the service provider that he can pass in via redistribution, so an option available is to use the BGP "default-information originate route-map" command he mentioned. I've used this in combination with IP SLA probes and tracking recently to get the conditional announcement, and base it upon upstream reachability, since in my case it's rare that line protocol on the ISP circuit goes down, as there is on-site service provider switching equipment. I've used ICMP probes for this, but those tend to get dropped from time to time; I've found a TCP connect probe to port 80 on some well-known web sites seems to work pretty well, at least for me.
What I did was tie a bogus static route to a particular IP address and tie an SLA TCP connect to this; this static route is then referenced by the default-information route-map, so when the TCP connect fails, BGP pulls the default route out. It looked like this:

    !
    track 2 rtr 2 reachability
     delay down 10 up 120
    !
    router bgp 65501
     no synchronization
     bgp router-id 10.255.255.254
     bgp log-neighbor-changes
     neighbor 10.255.255.252 remote-as 65500
     neighbor 10.255.255.252 description *** eBGP Peering to HQ Switch 1 ***
     neighbor 10.255.255.252 password 7 supersekret
     neighbor 10.255.255.252 ebgp-multihop 2
     neighbor 10.255.255.252 update-source Loopback0
     neighbor 10.255.255.252 default-originate route-map CONDITIONAL_DEFAULT_ORIGINATE
     neighbor 10.255.255.252 soft-reconfiguration inbound
     no auto-summary
    !
    ip route 1.1.1.1 255.255.255.255 Null0 name Used_For_BGP_Default_Originate_DO_NOT_REMOVE track 2
    ip route 0.0.0.0 0.0.0.0 upstreamisp
    !
    ip prefix-list TRACKED_ROUTE seq 5 permit 1.1.1.1/32
    !
    ip sla logging traps
    ip sla schedule 1 life forever start-time now
    ip sla 2
     tcp-connect 209.191.93.52 80 source-ip myipaddress source-port 52142 control disable
     timeout 5000
     frequency 10
    ip sla reaction-configuration 2 react timeout threshold-type consecutive 2 action-type trapOnly
    ip sla schedule 2 life forever start-time now
    !
    route-map CONDITIONAL_DEFAULT_ORIGINATE permit 10
     match ip address prefix-list TRACKED_ROUTE

Keep in mind, if you have iBGP adjacencies between the two routers, and one of the routers is losing its eBGP default route and is now preferring that default route via iBGP over the internal peering AND doing redistribution into an IGP, i.e. OSPF, then you must use the "bgp redistribute-internal" BGP process-level command. This is in specific scenarios.

HTH,
Nick Griffin

On Sat, Jan 31, 2009 at 12:50 PM, Pete S.
wrote:
> I'd imagine you aren't completely redistributing your bgp tables into
> OSPF, and from your diagram I'll assume you are doing ibgp between
> your edge routers already. So build a prefix list, and route-map,
> which permits only the default route from bgp. Redistribute the bgp
> process into ospf, based on that route-map, as an E1 type. This will
> put the default into your ospf area, and traffic will flow towards the
> closest exit. If you rather a primary/secondary, use the ospf E2 type
> and assign a large metric to your secondary.
>
> I haven't checked the syntax, but this should probably point you in
> the right direction.
>
> !On your BGP routers
> !
> ip prefix-list bgp_default->ospf seq 5 permit 0.0.0.0/0
> ip prefix-list bgp_default->ospf seq 100 deny 0.0.0.0/0 ge 1 le 24
> !
> route-map bgp->ospf permit 10
>  match ip address prefix-list bgp_default->ospf
> !
> router ospf 100
>  ! I assign an arbitrary site ID, and then prepend my AS onto it but
>  ! whatever suits you, tag is optional
>  ! select your own metric-type and metric depending on the exit
>  ! behavior you want.
>  redistribute bgp 65535 metric-type 2 metric 100 tag 6553501 route-map bgp->ospf
> !
> !
>
> --Pete
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From amaged at cisco.com Sun Feb 1 13:29:27 2009
From: amaged at cisco.com (Ahmed Maged (amaged))
Date: Sun, 1 Feb 2009 19:29:27 +0100
Subject: [c-nsp] How TACACS works? IOS vs IOS XR
In-Reply-To: <9da37ec40902010343p6a0e3daai3eda774fd1956ee1@mail.gmail.com>
References: <9da37ec40902010343p6a0e3daai3eda774fd1956ee1@mail.gmail.com>
Message-ID: <0BB7A1080B7DBD4494E09FF171D2ACEA027F4DD5@xmb-ams-33c.emea.cisco.com>

Hi Sami,

You are right. If you have TAC+ then do this.
    # Set up accounting file if enabling accounting on NAS
    accounting file = /var/log/cisco.log

    # configuring key between router
    key = cisco

    # configuring group privilege, so we don't have to configure it for each user
    group = cisco {
        service = exec {
            priv_lvl = 15
            # configure as optional so IOS or other vendor router can ignore it
            optional task = "#root-system,#cisco-support"
        }
    }

    # Set up accounting file if enabling accounting on NAS
    accounting file = /var/log/tac.log

    user = amaged {
        login = cleartext "amaged"
        member = cisco
    }
    amaged-ubuntu#

Regards,
Ahmed

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sami Joseph
Sent: Sunday, February 01, 2009 1:44 PM
To: Cisco-nsp
Subject: [c-nsp] How TACACS works? IOS vs IOS XR

[...]
From scott at labyrinth.org Sun Feb 1 13:31:22 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Sun, 1 Feb 2009 13:31:22 -0500
Subject: [c-nsp] theoretical and practical route-table limits
Message-ID: <5C548098-B7E6-4B3C-903E-FD75C2152293@labyrinth.org>

Hello all...

Does Cisco publish absolute theoretical route-table size limitations for their various platforms and memory configurations somewhere? I am thinking of doing something with black hole routing locally and I was wondering just *how many routes* one could have in a route table, and how many BGP entries / peers / views one could contain nowadays. Obviously there are other factors, but it would be helpful if there was a guideline or published *limitation* somewhere.

Thanks,
Scott

From ismath.shaan at gmail.com Mon Feb 2 00:53:54 2009
From: ismath.shaan at gmail.com (Basha)
Date: Mon, 2 Feb 2009 14:53:54 +0900
Subject: [c-nsp] show dsl int atm 0
Message-ID:

Hi Guys,

I need some assistance trying to understand the output of the show dsl int atm 0 command. Specifically the 'bit errors' column.
    ATM0/0/0
    Alcatel 20190 chipset information
                            ATU-R (DS)              ATU-C (US)
    Modem Status:           Showtime (DMTDSL_SHOWTIME)
    DSL Mode:               ITU G.992.1 (G.DMT) Annex A
    ITU STD NUM:            0x01                    0x1
    Vendor ID:              'STMI'                  'GSPN'
    Vendor Specific:        0x0000                  0x0008
    Vendor Country:         0x0F                    0xFF
    Capacity Used:          15%                     67%
    Noise Margin:           21.0 dB                 8.0 dB
    Output Power:           13.5 dBm                2.0 dBm
    Attenuation:            23.0 dB                 11.5 dB
    Defect Status:          None                    None
    Last Fail Code:         None
    Watchdog Counter:       0x2A
    Watchdog Resets:        0
    Selftest Result:        0x00
    Subfunction:            0x00
    Interrupts:             3834 (0 spurious)
    PHY Access Err:         0
    Activations:            1
    LED Status:             OFF
    LED On Time:            0
    LED Off Time:           0
    Init FW:                embedded
    Operation FW:           embedded
    FW Version:             2.542

                            Interleave      Fast    Interleave      Fast
    Speed (kbps):                    0      1536             0       512
    Cells:                           0   3404282             0 659208107
    Reed-Solomon EC:                 0         0             0         0
    CRC Errors:                      0         0             0         1
    Header Errors:                   0         0             0         0
    Bit Errors:                      0     48896
    BER Valid sec:                   0   7725096
    BER Invalid sec:                 0         0

    LOM Monitoring : Disabled

Customer is running video and is seeing lots of packet drops.

Thanks

From blahu77 at gmail.com Mon Feb 2 03:22:02 2009
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Mon, 2 Feb 2009 08:22:02 +0000 (IST)
Subject: [c-nsp] show dsl int atm 0
In-Reply-To:
Message-ID:

Basha,

2009/2/2 Basha :
> Hi Guys,
>
> I need some assistance trying to understand the output of the show dsl int atm
> 0 command. Specifically the 'bit errors' column.
[...]
>                        Interleave             Fast    Interleave              Fast
> Bit Errors:                     0            48896
[...]
> Customer is running video and is seeing lots of packet drops
>

Video traffic is very susceptible to bit errors due to impulse noise. Try enabling interleaving on the DSLAM, which should fix the problem.

Best Regards,

-mat
--
pgp-key 0x1C655CAB
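Picking up the TACACS+ thread above (Sami's question about per-command authorization and the XR task attribute, and Ahmed's tac_plus fragment): the following tac_plus.conf is an added example, not Ahmed's config and not anything posted on the list. It shows the server-side policy that makes the model Sami describes work: the NAS sends each command as AV pairs, tac_plus matches them against per-command permit/deny rules, and the same group definition carries the IOS XR task attribute, marked optional so IOS ignores it. Group names, user names, the shared key and the passwords are placeholders; attribute spellings follow the Shrubbery tac_plus documentation (priv-lvl rather than Ahmed's priv_lvl), so check them against the tac_plus build you actually run.

```text
# tac_plus.conf (added example; names, key and passwords are placeholders)

# Shared secret with the routers. Keep this file out of world-readable backups.
key = "s3cr3t-example-key"

accounting file = /var/log/tac_plus.acct

# Operators: exec shell at level 15 so there is no separate "enable" step,
# but every command is authorized individually and anything not listed is denied.
group = operators {
    default service = deny
    service = exec {
        priv-lvl = 15
        # IOS XR puts the user into the usergroup named after the '#';
        # IOS and other vendors ignore it because it is marked optional.
        optional task = "#operator"
    }
    # tac_plus matches these regexes (unanchored, first match wins) against
    # the arguments of the expanded command, e.g. "running-config" for
    # "show run". A read-only role must not see the running config: it
    # contains every type-7 password, SNMP community and TACACS key.
    cmd = show {
        deny  running-config
        deny  startup-config
        permit .*
    }
    cmd = ping      { permit .* }
    cmd = terminal  { permit .* }
    cmd = exit      { permit .* }
    cmd = configure { deny .* }
}

# Administrators: everything permitted; on IOS XR they land in the
# predefined root-system and cisco-support groups, as in Ahmed's config.
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
        optional task = "#root-system,#cisco-support"
    }
}

user = alice {
    # cleartext as in the thread; prefer "login = des <crypt hash>" in production
    login = cleartext "alice-example-password"
    member = operators
}

user = bob {
    login = cleartext "bob-example-password"
    member = admins
}
```

The cmd blocks are only consulted if the router asks: on IOS that needs `aaa authorization commands 15 default group tacacs+ local` (and `aaa authorization exec default group tacacs+ local` for the priv-lvl), not just `aaa authentication login`. On IOS XR the task attribute is returned in the exec authorization reply, so `aaa authorization exec default group tacacs+ local` is the line that matters there; the usergroup named in the attribute (operator, root-system, cisco-support) has to exist on the box, either predefined or configured locally.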
From zivl at gilat.net Mon Feb 2 03:39:05 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Mon, 2 Feb 2009 10:39:05 +0200
Subject: [c-nsp] show dsl int atm 0
In-Reply-To:
References:
Message-ID:

In my opinion, and based on my short experience with ADSL on Cisco routers, the only values that are relevant for me are:

Noise Margin: which represents, as the name says, how far your signal is from the noise; the higher the better, the lowest recommended value would be around 20%.

Attenuation: the lower the better, anything below 10-15 dB; the higher this value is, the more likely there are problems in the hard line, or perhaps you're too far from the DSLAM.

These values are of course correlated to the others (capacity, output power); everything is a function of line quality, physically speaking. The errors may be related to poor quality. Some workarounds can be setting the DSL mode to some specific mode instead of automatic, but you should know which is the best; you may talk with your provider and ask about this. When too far from the DSLAM or the line quality is poor, lowering the speed of the link may help improve those values too.

As I said, this is only "field" knowledge, not based on any "scientific" facts, just mere experience. Feel free to correct me if I'm wrong about something, I'd be glad to learn some more about this.

Hope this helps
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Basha
Sent: Monday, February 02, 2009 7:54 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] show dsl int atm 0

[...]
************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
From zivl at gilat.net Mon Feb 2 03:42:40 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Mon, 2 Feb 2009 10:42:40 +0200
Subject: [c-nsp] show dsl int atm 0
In-Reply-To:
References:
Message-ID:

I second that. You're right, Basha. I forgot to mention it in my previous answer. Setting interleave in the DSLAM will do automatically what I proposed before, lowering the speed of the link in order to improve line quality.

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mateusz Błaszczyk
Sent: Monday, February 02, 2009 10:22 AM
To: Basha
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] show dsl int atm 0

[...]
From tim at pelican.org Mon Feb 2 04:56:58 2009
From: tim at pelican.org (Tim Franklin)
Date: Mon, 02 Feb 2009 09:56:58 +0000
Subject: [c-nsp] show dsl int atm 0
In-Reply-To:
References:
Message-ID: <4986C36A.1090406@pelican.org>

Ziv Leyes wrote:
> Setting interleave in the DSLAM will do automatically what I proposed
> before, lowering the speed of the link in order to improve line
> quality.

Be careful with what you mean by "speed" in this instance. Interleaving typically increases latency, rather than reducing bandwidth.

Regards,
Tim.

From ian.mackinnon at lumison.net Mon Feb 2 05:21:11 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Mon, 02 Feb 2009 10:21:11 +0000
Subject: [c-nsp] Policers on 6500 Sup-32
Message-ID: <4986C917.30505@lumison.net>

Hi All,

I am having an issue with policers on a 6500 not actually doing any policing. Running 12.2(33)SXH.

I have config like:

    interface Vlan666
     ip address 10.10.10.1 255.255.255.252
     no ip redirects
     logging ip access-list cache out
     service-policy input 2MegPolice
     service-policy output 2MegPolice

    policy-map 2MegPolice
     class class-default
      police 2097000 13000 conform-action transmit exceed-action transmit violate-action drop

So I want to allow a burst and then drop the violate.

A show policy-map interface does not show any exceed or violates.

In MRTG I can see that more than 2 Meg is being passed, even as much as 40M, and I can see the traffic in the destination graphs as well.

Anybody got this working, or seen issues like this?

Thanks
Ian

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted.
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email.

From zivl at gilat.net Mon Feb 2 05:31:26 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Mon, 2 Feb 2009 12:31:26 +0200
Subject: [c-nsp] show dsl int atm 0
In-Reply-To: <4986C36A.1090406@pelican.org>
References: <4986C36A.1090406@pelican.org>
Message-ID:

You're right, I didn't express myself right, so here's a clarification: in any case of setting interleave mode because of a poor line, you should know that it will decrease performance in many aspects.

-----Original Message-----
From: Tim Franklin [mailto:tim at pelican.org]
Sent: Monday, February 02, 2009 11:57 AM
To: Ziv Leyes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] show dsl int atm 0

Ziv Leyes wrote:
> Setting interleave in the DSLAM will do automatically what I proposed
> before, lowering the speed of the link in order to improve line
> quality.

Be careful with what you mean by "speed" in this instance. Interleaving typically increases latency, rather than reducing bandwidth.

Regards,
Tim.
From skoal at skoal.name Mon Feb 2 05:50:48 2009
From: skoal at skoal.name (Gergely Antal)
Date: Mon, 02 Feb 2009 11:50:48 +0100
Subject: [c-nsp] Policers on 6500 Sup-32
In-Reply-To: <4986C917.30505@lumison.net>
References: <4986C917.30505@lumison.net>
Message-ID: <4986D008.1000303@skoal.name>

Did you set QoS to VLAN based?

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1726124

Ian MacKinnon wrote:
> Hi All,
>
> I am having an issue with policers on a 6500 not actually doing any
> policing. Running 12.2(33)SXH
[...]
From ian.mackinnon at lumison.net Mon Feb 2 05:51:40 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Mon, 02 Feb 2009 10:51:40 +0000
Subject: [c-nsp] Policers on 6500 Sup-32
In-Reply-To: <4986D008.1000303@skoal.name>
References: <4986C917.30505@lumison.net> <4986D008.1000303@skoal.name>
Message-ID: <4986D03C.5030908@lumison.net>

Hi Gergely,

Yes, I have set this. I did not before (several weeks ago), and was not seeing any traffic in the policy-map. I changed it and can now see traffic in the map:

    nbg01-agg-switch-01#sh policy-map interface vlan 666
     Vlan666

      Service-policy input: 2MegPolice

        class-map: class-default (match-any)
          Match: any
          police :
            2096000 bps 13000 limit 13000 extended limit
          Earl in slot 5 :
            82564118403 bytes
            5 minute offered rate 102792 bps
            aggregate-forwarded 82564118403 bytes action: transmit
            exceeded 0 bytes action: transmit
            aggregate-forward 9008 bps exceed 0 bps

      Service-policy output: 2MegPolice

        class-map: class-default (match-any)
          Match: any
          police :
            2096000 bps 13000 limit 13000 extended limit
          Earl in slot 5 :
            7733193350 bytes
            5 minute offered rate 11896 bps
            aggregate-forwarded 7733193350 bytes action: transmit
            exceeded 0 bytes action: transmit
            aggregate-forward 4568 bps exceed 0 bps

On 02/02/2009 10:50, Gergely Antal wrote:
> did you set qos to vlan based?
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1726124
[...]

--
Ian MacKinnon
Lumison
t: 0845 1199 900
d: 0131 514 4055

P.S.
Do you love Lumison?

p.s. Looking for remote access? Chat to our team about our award winning broadband and VoIP solutions for remote and home working, or visit www.lumison.net

From ian.mackinnon at lumison.net Mon Feb 2 06:08:10 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Mon, 02 Feb 2009 11:08:10 +0000
Subject: [c-nsp] Policers on 6500 Sup-32
In-Reply-To: <20090202110456.GJ3262@wildfire.net.ic.ac.uk>
References: <4986C917.30505@lumison.net> <20090202110456.GJ3262@wildfire.net.ic.ac.uk>
Message-ID: <4986D41A.9040501@lumison.net>

On 02/02/2009 11:04, Phil Mayers wrote:
> On Mon, Feb 02, 2009 at 10:21:11AM +0000, Ian MacKinnon wrote:
>> Hi All,
>>
>> I am having an issue with policers on a 6500 not actually doing any
>> policing. Running 12.2(33)SXH
>
> Silly question, but you do have the global "mls qos" set? :-)

Yup:

    switch#sh mls qos
      QoS is enabled globally

Ian
From p.mayers at imperial.ac.uk Mon Feb 2 06:13:22 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 2 Feb 2009 11:13:22 +0000
Subject: [c-nsp] Netconf (over SSHv2) in SXI
Message-ID: <20090202111322.GK3262@wildfire.net.ic.ac.uk>

All,

Does anyone have working examples talking to the netconf implementation in 12.2(33)SXI? Or pointers to libraries / code that works?

I've tried the examples from the cisco website:

www.tinyurl.com/aeof6v

...but I just get back all kinds of invalid XML messages and so forth. I can do a "show run" with an empty, i.e. no, filter, but if I try to issue CLI commands using the:

... arp ...

...I get error messages about the cpi: namespace, and "debug cns xml" on the box tells me the XML stanzas in that namespace have no handler.

It seems like netconf would be really useful for automating IOS; has anyone made it work?

From p.mayers at imperial.ac.uk Mon Feb 2 06:04:56 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 2 Feb 2009 11:04:56 +0000
Subject: [c-nsp] Policers on 6500 Sup-32
In-Reply-To: <4986C917.30505@lumison.net>
References: <4986C917.30505@lumison.net>
Message-ID: <20090202110456.GJ3262@wildfire.net.ic.ac.uk>

On Mon, Feb 02, 2009 at 10:21:11AM +0000, Ian MacKinnon wrote:
>Hi All,
>
>I am having an issue with policers on a 6500 not actually doing any
>policing. Running 12.2(33)SXH

Silly question, but you do have the global "mls qos" set?
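An added configuration example for the policer thread above; this is the editor's config, not Ian's and not something posted on the list. It assumes a PFC3-based Sup32 chassis and a made-up port GigabitEthernet1/1 in VLAN 666, and it addresses the two things worth checking from the output Ian posted: every physical port carrying the VLAN needs `mls qos vlan-based`, and the policer was configured with a single burst value (`13000 limit 13000 extended limit` in the show output). With the normal and maximum burst equal there is no violate region, so every non-conforming byte takes the exceed action, which is `transmit`. That is my reading of the 6500 QoS guide and the output, not a diagnosis confirmed on the list.

```text
! Global QoS must be on, or no policy is evaluated in hardware
mls qos
!
! With VLAN-based QoS the policy on the SVI is applied to traffic entering
! on physical ports that have "mls qos vlan-based". Every access or trunk
! port carrying VLAN 666 needs it; traffic from a port without it is never
! seen by the policer.
interface GigabitEthernet1/1
 switchport
 switchport access vlan 666
 mls qos vlan-based
!
! Three-colour policer: CIR 2 Mbit/s, normal burst 13000 bytes, maximum
! burst 26000 bytes. Traffic between the two bursts is "exceed" (still
! sent), traffic beyond the maximum burst is "violate" and dropped.
! With a single burst value, as in the original policy, the policer is
! two-colour and "exceed-action transmit" forwards everything over the CIR.
policy-map 2MegPolice
 class class-default
  police 2097000 13000 26000 conform-action transmit exceed-action transmit violate-action drop
!
! Simpler alternative when the extra burst allowance is not wanted:
! drop everything over CIR plus normal burst.
! policy-map 2MegPolice-hard
!  class class-default
!   police 2097000 13000 conform-action transmit exceed-action drop
!
interface Vlan666
 ip address 10.10.10.1 255.255.255.252
 no ip redirects
 service-policy input 2MegPolice
 service-policy output 2MegPolice
```

After applying it, `show policy-map interface vlan 666` should report the extended limit as 26000 and, once offered traffic goes over the rate, non-zero exceed and violate counters; `show mls qos` lists which ports are VLAN-based. The 2096000 bps in Ian's output is simply the hardware's rounding of the configured 2097000.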
From ltd at cisco.com Mon Feb 2 07:11:23 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 02 Feb 2009 23:11:23 +1100
Subject: [c-nsp] Netconf (over SSHv2) in SXI
In-Reply-To: <20090202111322.GK3262@wildfire.net.ic.ac.uk>
References: <20090202111322.GK3262@wildfire.net.ic.ac.uk>
Message-ID: <4986E2EB.3070504@cisco.com>

Phil Mayers wrote:
> Does anyone have working examples talking to the netconf
> implementation in 12.2(33)SXI? Or pointers to libraries / code that
> works?
> [..]
>
> ... arp ...
>
> ...I get error messages about the cpi: namespace and "debug cns xml"
> on the box tells me the XML stanzas in that namespace have no handler.

I have worked extensively with Netconf/XML on NX-OS on Nexus 7000.

Whatever you're requesting needs to match the schema. Based on my experience, I think you'll most likely need to modify what you have to:

That is purely a guess - but checking the XML schema definition (XSD) that should also be posted on cisco.com will let you verify.

> It seems like netconf would be really useful for automating IOS; has
> anyone made it work?

Yes, on N7K at least. :)

cheers,

lincoln.

From chloekcy2000 at yahoo.ca Mon Feb 2 09:19:43 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Mon, 2 Feb 2009 09:19:43 -0500 (EST)
Subject: [c-nsp] set clock
Message-ID: <753705.89309.qm@web57412.mail.re1.yahoo.com>

Hi

I use show clock and get the router / switch time:

    14:15:22.574 UTC Mon Feb 2 2009

But the correct time is 9:14 am Mon Feb 2, 2009.

How can I change it? How can I use NTP to get the time?

Thank you

---------------------------------
Yahoo! Canada Toolbar : Search from anywhere on the web and bookmark your favourite sites. Download it now!
From george.horton at rm.com Mon Feb 2 09:32:57 2009
From: george.horton at rm.com (George Horton)
Date: Mon, 2 Feb 2009 14:32:57 -0000
Subject: [c-nsp] set clock
In-Reply-To: <753705.89309.qm@web57412.mail.re1.yahoo.com>
References: <753705.89309.qm@web57412.mail.re1.yahoo.com>
Message-ID:

Hello

To set the clock use the command 'clock set hh:mm:ss' from enable mode. NTP can be configured in global configuration mode using the command 'ntp server hostname'. The hostname can be an IP or a hostname, just make sure that you use an NTP server the router/switch can reach.

Cheers
George

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
Sent: 02 February 2009 14:20
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] set clock

Hi

I use show clock and get router / switch time
14:15:22.574 UTC Mon Feb 2 2009

But the correct time is 9:14 am Mon Feb 2, 2009

How can I change it?

How can I use the ntp to get the time?

Thank you

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

______________________________________________________________________
You might be interested in this...
Schools and Colleges for the Future
Find out more about the programmes shaping education for the future.
http://www.rm.com/futureeducation
______________________________________________________________________

P.S. Think Green - don't print this email unless you really need to.

This message is confidential, so please treat it appropriately and for its intended purpose only.
In particular, if it refers to any technical data, terms or prices not generally available or known, such items are "commercially sensitive information" within the terms of the Freedom of Information Act 2000 and related laws. As it would be prejudicial to RM's commercial interests if these were disclosed, please refrain from doing so.

As Internet communications are not secure, please be aware that RM cannot accept responsibility for its contents. Any views or opinions presented are those of the author only and not of RM. If you are not the intended recipient of this e-mail, please accept our apologies and arrange for copies of it to be deleted. For your information, RM may intercept incoming and outgoing email communications.

RM Education plc
Registered Office: New Mill House, 183 Milton Park, Abingdon, Oxfordshire, OX14 4SE, England
Registered Number: 1148594

From chris at lavin-llc.com Mon Feb 2 09:45:48 2009
From: chris at lavin-llc.com (chris at lavin-llc.com)
Date: Mon, 02 Feb 2009 09:45:48 -0500
Subject: [c-nsp] set clock
Message-ID: <46114.1233585948@lavin-llc.com>

>Hello
>
>To set the clock use the command 'clock set hh:mm:ss' from enable mode.
>NTP can be configured in global configuration mode using the command
>'ntp server hostname'. The hostname can be an IP or a hostname, just
>make sure that you use an NTP server the router/switch can reach.
>
>Cheers
>George

And regarding the time of 14:15 UTC vs. it being 09:15 locally; that has to do with the global timezone setting. UTC is referring to Greenwich Mean Time, sometimes also referred to as Zulu time. To change your device to reflect the local time use the commands "clock timezone EDT -5". But depending on where you live, you may have to account for Daylight Savings Time. You could use the command "clock summer-time 'timezone'". Most of us tend to like using the GMT (UTC) timezone because it's a global reference that never changes.
Therefore you don't have to worry about accounting for the dates that your local timezone "springs forward" or "falls back".

HTH,
-chris

>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
>Sent: 02 February 2009 14:20
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] set clock
>
>Hi
>
> I use show clock and get router / switch time
> 14:15:22.574 UTC Mon Feb 2 2009
>
> But the correct time is 9:14 am Mon Feb 2, 2009
>
> How can I change it?
>
> How can I use the ntp to get the time?
>
> Thank you

From chloekcy2000 at yahoo.ca Mon Feb 2 10:53:52 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Mon, 2 Feb 2009 10:53:52 -0500 (EST)
Subject: [c-nsp] need help about switch boot up question
Message-ID: <436422.65354.qm@web57407.mail.re1.yahoo.com>

Hi

I boot up the 4947 switch and see this address

1/ What is this address for? How can I change it?

MAC Address : 00-35-24-05-fb-6f
IP Address : 192.168.0.5
Netmask : 255.255.255.0
Gateway : 10.1.1.1
TftpServer : 10.1.1.1
Main Memory : 256 MBytes

In the default running config, there is

interface FastEthernet1
 no ip address
 speed auto
 duplex auto

2/ my switch is 48 ports Gig. Ethernet.
Where is this physically "interface FastEthernet1"

Thank you for your help

From willay at gmail.com Mon Feb 2 10:57:05 2009
From: willay at gmail.com (William)
Date: Mon, 2 Feb 2009 15:57:05 +0000
Subject: [c-nsp] VPN PIX 6.x Translation issue
Message-ID:

Hi folks!

I currently have a PIX firewall running 6 code, the firewall has 3 interfaces, inside, outside and inside2.
At the moment I can VPN and communicate to all the hosts on the inside, what I'd like to do is also be able to communicate with the hosts on inside2, the security levels are:

outside: 0
inside: 100
inside2: 90

When I try to speak to inside2 hosts, I get the following error:

%PIX-3-305005: No translation group found for icmp src outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0)

I'm very confused as to where I should be putting global/nat statements... so far my setup consists of:

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.10.200.0 255.255.255.0 0 0
nat (inside2) 0 access-list office_outbound_nat0_acl
nat (inside2) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface

This lets both inside and inside2 hosts contact the internet via int outside, and no nat stuff that needs to traverse VPN tunnels...

If anyone can assist/educate me on getting this working I would appreciate it very much!

Cheers,
W

From A.L.M.Buxey at lboro.ac.uk Mon Feb 2 11:13:09 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 2 Feb 2009 16:13:09 +0000
Subject: [c-nsp] need help about switch boot up question
In-Reply-To: <436422.65354.qm@web57407.mail.re1.yahoo.com>
References: <436422.65354.qm@web57407.mail.re1.yahoo.com>
Message-ID: <20090202161309.GA27986@lboro.ac.uk>

Hi,

> In the default running config, there is
>
> interface FastEthernet1
> no ip address
> speed auto
> duplex auto
>
> 2/ my switch is 48 ports Gig. Ethernet.
> Where is this physically "interface FastEthernet1"

sounds suspiciously like a management interface, usually found lurking around the back near the console port

alan

From jason at pins.net Mon Feb 2 11:10:05 2009
From: jason at pins.net (Jason Berenson)
Date: Mon, 02 Feb 2009 11:10:05 -0500
Subject: [c-nsp] Channelized OC3 for 7206VXR
Message-ID: <49871ADD.4060905@pins.net>

Greetings,

We currently have a Turin DACS with DS3's in from the carrier and DS3's out to Cisco 7206VXR's.
We would like to swap out the DS3 cards on the routers to channelized OC3 cards. Can anyone tell me the part number in a PA for the 7206 that can channelize an OC3 down to DS1?

I found this PA-POS-OC3SML, but it's not clear if it channelizes down to the DS3 or DS1.

Thanks,
Jason

From p.mayers at imperial.ac.uk Mon Feb 2 11:17:05 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 2 Feb 2009 16:17:05 +0000
Subject: [c-nsp] Netconf (over SSHv2) in SXI
In-Reply-To: <4986E2EB.3070504@cisco.com>
References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com>
Message-ID: <20090202161705.GB4869@wildfire.net.ic.ac.uk>

On Mon, Feb 02, 2009 at 12:11:23PM +0000, Lincoln Dale wrote:
>Phil Mayers wrote:
>> Does anyone have working examples talking to the netconf
>> implementation in 12.2(33)SXI? Or pointers to libraries / code that
>> works?
>> [..]
>>
>> ...
>>
>> arp
>>
>> ...I get error messages about the cpi: namespace and "debug cns xml"
>> on the box tells me the XML stanzas in that namespace have no handler.
>i have worked extensively with Netconf/XML on NX-OS on Nexus 7000.
>
>whatever you're requesting needs to match the schema. based on my
>experience, i think you'll most likely need to modify what you have to:
>

That directly contradicts Cisco's examples. Can you share the xml for any non-trivial thing you have working? I have literally tried every combo of xml and namespacing I can imagine.

This for example fails:

hostname test
interface fastEthernet0/1
ip address 192.168.1.1 255.255.255.0

The netconf session reports:

rpc unknown-element error cli-config-data

...whilst "debug cns xml" says:

CNS XML Parser: ERROR - no handler for tag

*All* the cisco examples I have found fail the same way - elements from their namespace:

http://www.cisco.com/cpi_10/schema

...are just not recognized.

>
>that is purely a guess - but checking the XML schema definition (XSD)
>that should also be posted on cisco.com will let you verify.
The only XSD I can find is inside the docs I referenced in my tinyurl link, and it's minimal at best - it certainly does not document that.

>>
>> It seems like netconf would be really useful for automating IOS; has
>> anyone made it work?
>yes, on N7K at least. :)

It seems it doesn't do anything useful on 12.2(33)SXI :o(

From daldworth at teliax.com Mon Feb 2 11:22:23 2009
From: daldworth at teliax.com (David Aldworth)
Date: Mon, 2 Feb 2009 09:22:23 -0700
Subject: [c-nsp] Channelized OC3 for 7206VXR
In-Reply-To: <49871ADD.4060905@pins.net>
References: <49871ADD.4060905@pins.net>
Message-ID: <5D649A61-6E6F-4D64-822D-C9A1A8491753@teliax.com>

I went down this road a few months ago. A CHOC3 card does not seem to be available for the 7206 VXR. We wound up putting an Adtran OPTI-3 in front of the VXR to mux down the OC3 to DS3's. PA-MC-T3 or 2T3 works a charm in the VXR.

David

On Feb 2, 2009, at 9:10 AM, Jason Berenson wrote:

> Greetings,
>
> We currently have a Turin DACS with DS3's in from the carrier and
> DS3's out to Cisco 7206VXR's. We would like to swap out the DS3
> cards on the routers to channelized OC3 cards. Can anyone tell me
> the part number in a PA for the 7206 that can channelize an OC3 down
> to DS1?
>
> I found this PA-POS-OC3SML, but it's not clear if it channelizes
> down to the DS3 or DS1.
>
> Thanks,
> Jason

From streiner at cluebyfour.org Mon Feb 2 11:29:42 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 2 Feb 2009 11:29:42 -0500 (EST)
Subject: [c-nsp] Channelized OC3 for 7206VXR
In-Reply-To: <49871ADD.4060905@pins.net>
References: <49871ADD.4060905@pins.net>
Message-ID:

On Mon, 2 Feb 2009, Jason Berenson wrote:

> We currently have a Turin DACS with DS3's in from the carrier and DS3's out
> to Cisco 7206VXR's.
> We would like to swap out the DS3 cards on the routers
> to channelized OC3 cards. Can anyone tell me the part number in a PA for the
> 7206 that can channelize an OC3 down to DS1?
>
> I found this PA-POS-OC3SML, but it's not clear if it channelizes down to the
> DS3 or DS1.

That particular card does not support channelized operation. It's also end-of-life. I'm not aware of a channelized OC3 port adapter for the 7200 series.

jms

From jaldrich at blueridgecarpet.com Mon Feb 2 11:32:13 2009
From: jaldrich at blueridgecarpet.com (John Aldrich)
Date: Mon, 2 Feb 2009 11:32:13 -0500
Subject: [c-nsp] ASA O/S version 8
Message-ID: <003101c98553$cdcffeb0$696ffc10$@com>

Hi, we just installed a new ASA, and the folks who sold it to us and configured it for us (I don't know the first thing about configuring it! ) said they had upgraded it to version 7.4 or something like that, but that there was a new O/S version 8 available. I'm wondering if this is something we ought to look at upgrading to ASAP or if it's something we ought to wait and let someone else get the bugs worked out of first? :-)

Thanks,
John Aldrich
IT Manager, Blueridge Carpet
706-276-2001, Ext. 2233

From streiner at cluebyfour.org Mon Feb 2 11:47:42 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 2 Feb 2009 11:47:42 -0500 (EST)
Subject: [c-nsp] ASA O/S version 8
In-Reply-To: <003101c98553$cdcffeb0$696ffc10$@com>
References: <003101c98553$cdcffeb0$696ffc10$@com>
Message-ID:

On Mon, 2 Feb 2009, John Aldrich wrote:

> Hi, we just installed a new ASA, and the folks who sold it to us and
> configured it for us (I don't know the first thing about configuring it!
> ) said they had upgraded it to version 7.4 or something like that, but
> that there was a new O/S version 8 available. I'm wondering if this is
> something we ought to look at upgrading to ASAP or if it's something we
> ought to wait and let someone else get the bugs worked out of first?
> :-)

Version 8.x for the ASA has been around for awhile and I have a few ASAs running 8.0(4)ED without too many issues, but they're pretty basic setups (access control, layer 2 firewall, multiple contexts, no VPNs).

As far as upgrading the code goes, the main reasons to upgrade would be:

1. To resolve a published security vulnerability in the code you're running now. Cisco publishes bulletins at http://www.cisco.com/go/psirt/ and the bulletins are available to the public. Note that while the bulletins are available, you might need a CCO login and a valid support contract to download new code and ASDM packages.
2. To resolve a bug that isn't security related.
3. To get access to a feature you need, if that feature isn't available in the code you're running.

Also note that when the code is upgraded on a PIX or ASA, the ASDM (device manager) usually needs to be upgraded to match.

jms

From nick.jon.griffin at gmail.com Mon Feb 2 12:09:15 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Mon, 2 Feb 2009 11:09:15 -0600
Subject: [c-nsp] ASA O/S version 8
In-Reply-To:
References: <003101c98553$cdcffeb0$696ffc10$@com>
Message-ID:

Done a couple 8.0.4(16), be aware of sql bug, CSCsu44598 in 8.0.4.

On Mon, Feb 2, 2009 at 10:47 AM, Justin M. Streiner wrote:

> On Mon, 2 Feb 2009, John Aldrich wrote:
>
> Hi, we just installed a new ASA, and the folks who sold it to us and
>> configured it for us (I don't know the first thing about configuring it!
>> ) said they had upgraded it to version 7.4 or something like that, but
>> that there was a new O/S version 8 available. I'm wondering if this is
>> something we ought to look at upgrading to ASAP or if it's something we
>> ought to wait and let someone else get the bugs worked out of first? :-)
>>
>
> Version 8.x for the ASA has been around for awhile and I have a few ASAs
> running 8.0(4)ED without too many issues, but they're pretty basic setups
> (access control, layer 2 firewall, multiple contexts, no VPNs).
> As far as
> upgrading the code goes, the main reasons to upgrade would be:
> 1. To resolve a published security vulnerability in the code you're running
> now. Cisco publishes bulletins at http://www.cisco.com/go/psirt/ and the
> bulletins are available to the public. Note that while the bulletins are
> available, you might need a CCO login and a valid support contract to
> download new code and ASDM packages.
> 2. To resolve a bug that isn't security related.
> 3. To get access to a feature you need, if that feature isn't available in
> the code you're running.
>
> Also note that when the code is upgraded on a PIX or ASA, the ASDM (device
> manager) usually needs to be upgraded to match.
>
> jms
>

From chris at chrisserafin.com Mon Feb 2 12:28:08 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Mon, 02 Feb 2009 11:28:08 -0600
Subject: [c-nsp] OSPF not propagating - But for only one route...?
Message-ID: <49872D28.2090503@chrisserafin.com>

I have 2 L3 devices (2811/3750) which are running OSPF and redistributing statics/connected networks.

For some reason 1 static route will not redistribute from the switch to the router and vice versa, although OTHER static routes propagate just fine, even after clearing the OSPF processes on each device.

2811:

interface Multilink1
 ip address 1.2.144.106 255.255.255.252
 ip accounting output-packets
 ip nbar protocol-discovery
 ip route-cache flow
 load-interval 30
 no peer neighbor-route
 ppp chap hostname xxxxxxxxx
 ppp multilink
 ppp multilink fragment disable
 ppp multilink links minimum 1
 ppp multilink group 1
 max-reserved-bandwidth 90
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.95.11.5 255.255.255.0
 ip accounting output-packets
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute bgp 65132 metric 1 subnets
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65132
 no synchronization
 bgp log-neighbor-changes
 network 0.0.0.0
 redistribute connected
 redistribute static
 redistribute ospf 1 metric 0 match internal external 1 external 2 route-map ospf-bgp
 neighbor 159.24.144.105 remote-as 65000
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.95.11.9
ip route 10.95.18.0 255.255.255.0 10.95.11.9    ! this is the problem route
!
!
route-map ospf-bgp deny 10
 match tag 65000
!
route-map ospf-bgp permit 20
!
!
!
!

3750:

interface Vlan1
 no ip address
!
interface Vlan9
 ip address 10.95.9.9 255.255.255.0
!
interface Vlan10
 ip address 10.95.10.9 255.255.255.0
!
interface Vlan11
 description [ VLAN to MPLS Sites ]
 ip address 10.95.11.9 255.255.255.0
!
interface Vlan12
 description [ Server VLAN ]
 ip address 10.95.12.9 255.255.255.0
!
interface Vlan13
 ip address 10.95.13.9 255.255.255.0
!
interface Vlan14
 description [ DMZ VLAN ]
 ip address 10.95.14.9 255.255.255.0
 ip helper-address 10.95.12.12
!
interface Vlan16
 ip address 10.95.16.9 255.255.255.0
!
interface Vlan30
 description [ VMWare iSCSI VLAN ]
 ip address 172.27.30.9 255.255.255.0
!
interface Vlan40
 description [ VMWare Development VLAN ]
 ip address 10.95.19.9 255.255.255.0
!
interface Vlan100
 description [ External VLAN ]
 ip address 1.2.27.35 255.255.255.128
!
interface Vlan101
 ip address 172.27.101.9 255.255.255.0
!
interface Vlan102
 ip address 172.27.102.9 255.255.255.0
!
interface Vlan103
 ip address 172.27.103.9 255.255.255.0
!
interface Vlan200
 ip address 172.27.200.9 255.255.255.0
!
router ospf 1
 router-id 10.95.11.9
 log-adjacency-changes
 redistribute connected
 redistribute static
 network 10.0.0.0 0.255.255.255 area 0
!
ip default-gateway 10.95.12.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.95.12.1
ip route 10.95.18.0 255.255.255.0 10.95.11.1    ! this is the problem route
ip route 172.16.0.0 255.255.0.0 10.95.11.1

From gert at greenie.muc.de Mon Feb 2 12:46:53 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 2 Feb 2009 18:46:53 +0100
Subject: [c-nsp] Channelized OC3 for 7206VXR
In-Reply-To:
References: <49871ADD.4060905@pins.net>
Message-ID: <20090202174653.GR290@greenie.muc.de>

Hi,

On Mon, Feb 02, 2009 at 11:29:42AM -0500, Justin M. Streiner wrote:
> That particular card does not support channelized operation. It's also
> end-of-life. I'm not aware of a channelized OC3 port adapter for the 7200
> series.

For whatever reason, there is a channelized STM-1 which goes down to E1, but no channelized OC3 indeed.

gert

--
USENET is *not* the non-clickable part of WWW!                        //www.muc.de/~gert/
Gert Doering - Munich, Germany                                 gert at greenie.muc.de
fax: +49-89-35655025                          gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From peter at rathlev.dk Mon Feb 2 12:46:41 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 02 Feb 2009 18:46:41 +0100
Subject: [c-nsp] VPN PIX 6.x Translation issue
In-Reply-To:
References:
Message-ID: <1233596801.3421.3.camel@localhost.localdomain>

On Mon, 2009-02-02 at 15:57 +0000, William wrote:
...
> outside: 0
> inside: 100
> inside2: 90
>
> When I try to speak to inside2 hosts, I get the following error:
>
> %PIX-3-305005: No translation group found for icmp src
> outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0)
>
> I'm very confused as to where I should be putting global/nat
> statements...
> so far my setup consists of:
>
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 10.10.200.0 255.255.255.0 0 0
> nat (inside2) 0 access-list office_outbound_nat0_acl
> nat (inside2) 1 192.168.0.0 255.255.255.0 0 0
> global (outside) 1 interface

You probably want a NAT-0 for traffic from inside2 to your VPN, i.e. assuming your VPN users are 10.10.199.0/24:

access-list office_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.199.0 255.255.255.0

What does the inside_outbound_nat0_acl ACL look like when it works there?

Regards,
Peter

From wp at null0.nl Mon Feb 2 13:20:07 2009
From: wp at null0.nl (Wouter Prins)
Date: Mon, 2 Feb 2009 19:20:07 +0100
Subject: [c-nsp] OSPF not propagating - But for only one route...?
In-Reply-To: <49872D28.2090503@chrisserafin.com>
References: <49872D28.2090503@chrisserafin.com>
Message-ID:

Try redistribute static subnets?

2009/2/2 ChrisSerafin

> I have 2 L3 devices (2811/3750) which are running OSPF and redistributing
> statics/connected networks.
>
> For some reason 1 static route will not redistribute from the switch to the
> router and vice versa,
>
> although OTHER static routes propagate just fine, even after clearing the
> OSPF processes on each
>
> device.
>
> 2811:
>
> interface Multilink1
> ip address 1.2.144.106 255.255.255.252
> ip accounting output-packets
> ip nbar protocol-discovery
> ip route-cache flow
> load-interval 30
> no peer neighbor-route
> ppp chap hostname xxxxxxxxx
> ppp multilink
> ppp multilink fragment disable
> ppp multilink links minimum 1
> ppp multilink group 1
> max-reserved-bandwidth 90
> !
> interface FastEthernet0/0
> description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
> ip address 10.95.11.5 255.255.255.0
> ip accounting output-packets
> duplex auto
> speed auto
> !
> router ospf 1
> log-adjacency-changes
> redistribute bgp 65132 metric 1 subnets
> network 10.0.0.0 0.255.255.255 area 0
> !
> router bgp 65132
> no synchronization
> bgp log-neighbor-changes
> network 0.0.0.0
> redistribute connected
> redistribute static
> redistribute ospf 1 metric 0 match internal external 1 external 2 route-map
> ospf-bgp
> neighbor 159.24.144.105 remote-as 65000
> no auto-summary
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 10.95.11.9
> ip route 10.95.18.0 255.255.255.0 10.95.11.9 ! this is the problem route
>
> !
> !
> route-map ospf-bgp deny 10
> match tag 65000
> !
> route-map ospf-bgp permit 20
> !
> !
> !
> !
>
>
> 3750:
>
> interface Vlan1
> no ip address
> !
> interface Vlan9
> ip address 10.95.9.9 255.255.255.0
> !
> interface Vlan10
> ip address 10.95.10.9 255.255.255.0
> !
> interface Vlan11
> description [ VLAN to MPLS Sites ]
> ip address 10.95.11.9 255.255.255.0
> !
> interface Vlan12
> description [ Server VLAN ]
> ip address 10.95.12.9 255.255.255.0
> !
> interface Vlan13
> ip address 10.95.13.9 255.255.255.0
> !
> interface Vlan14
> description [ DMZ VLAN ]
> ip address 10.95.14.9 255.255.255.0
> ip helper-address 10.95.12.12
> !
> interface Vlan16
> ip address 10.95.16.9 255.255.255.0
> !
> interface Vlan30
> description [ VMWare iSCSI VLAN ]
> ip address 172.27.30.9 255.255.255.0
> !
> interface Vlan40
> description [ VMWare Development VLAN ]
> ip address 10.95.19.9 255.255.255.0
> !
> interface Vlan100
> description [ External VLAN ]
> ip address 1.2.27.35 255.255.255.128
> !
> interface Vlan101
> ip address 172.27.101.9 255.255.255.0
> !
> interface Vlan102
> ip address 172.27.102.9 255.255.255.0
> !
> interface Vlan103
> ip address 172.27.103.9 255.255.255.0
> !
> interface Vlan200
> ip address 172.27.200.9 255.255.255.0
> !
> router ospf 1
> router-id 10.95.11.9
> log-adjacency-changes
> redistribute connected
> redistribute static
> network 10.0.0.0 0.255.255.255 area 0
> !
> ip default-gateway 10.95.12.1
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.95.12.1
> ip route 10.95.18.0 255.255.255.0 10.95.11.1 ! this is the problem route
> ip route 172.16.0.0 255.255.0.0 10.95.11.1

From oboehmer at cisco.com Mon Feb 2 13:23:23 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 2 Feb 2009 19:23:23 +0100
Subject: [c-nsp] OSPF not propagating - But for only one route...?
In-Reply-To: <49872D28.2090503@chrisserafin.com>
References: <49872D28.2090503@chrisserafin.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406CBA61B@xmb-ams-333.emea.cisco.com>

ChrisSerafin <> wrote on Monday, February 02, 2009 18:28:

> I have 2 L3 devices (2811/3750) which are running OSPF and
> redistributing statics/connected networks.
>
> For some reason 1 static route will not redistribute from the switch
> to the router and vice versa,
>
> although OTHER static routes propagate just fine, even after clearing
> the OSPF processes on each

> router ospf 1
> router-id 10.95.11.9
> log-adjacency-changes
> redistribute connected
> redistribute static
> network 10.0.0.0 0.255.255.255 area 0
> !
> ip default-gateway 10.95.12.1
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.95.12.1
> ip route 10.95.18.0 255.255.255.0 10.95.11.1 ! this is the problem
> route ip route 172.16.0.0 255.255.0.0 10.95.11.1

as others might have noticed as well: you're missing the "subnets" keyword in the "redistribute static".. On the other router, I don't see a "redistribute static subnets" in OSPF..

General note: I would add the outgoing interface to the static route, i.e.
"ip route 10.95.18.0 255.255.255.0 Vlan11 10.95.11.1"

oli

From chloekcy2000 at yahoo.ca Mon Feb 2 13:56:27 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Mon, 2 Feb 2009 13:56:27 -0500 (EST)
Subject: [c-nsp] need help about switch boot up question
In-Reply-To: <20090202161309.GA27986@lboro.ac.uk>
Message-ID: <815803.9371.qm@web57405.mail.re1.yahoo.com>

Thank you

How about this address when booting up

IP Address : 192.168.0.5
Netmask : 255.255.255.0
Gateway : 10.1.1.1
TftpServer : 10.1.1.1
Main Memory : 256 MBytes

What is this address for?

Thank you again

A.L.M.Buxey at lboro.ac.uk wrote:
Hi,

> In the default running config, there is
>
> interface FastEthernet1
> no ip address
> speed auto
> duplex auto
>
> 2/ my switch is 48 ports Gig. Ethernet.
> Where is this physically "interface FastEthernet1"

sounds suspiciously like a management interface, usually found lurking around the back near the console port

alan

From sigurbjornl at vodafone.is Mon Feb 2 13:17:04 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Mon, 02 Feb 2009 18:17:04 +0000
Subject: [c-nsp] OSPF not propagating - But for only one route...?
In-Reply-To: <49872D28.2090503@chrisserafin.com>
Message-ID:

You need to redistribute static subnets for this to work...

BR,
Sibbi

On 2.2.2009 17:28, "ChrisSerafin" wrote:

> I have 2 L3 devices (2811/3750) which are running OSPF and
> redistributing statics/connected networks.
>
> For some reason 1 static route will not redistribute from the switch to
> the router and vice versa,
>
> although OTHER static routes propagate just fine, even after clearing
> the OSPF processes on each
>
> device.
>
> 2811:
>
> interface Multilink1
> ip address 1.2.144.106 255.255.255.252
> ip accounting output-packets
> ip nbar protocol-discovery
> ip route-cache flow
> load-interval 30
> no peer neighbor-route
> ppp chap hostname xxxxxxxxx
> ppp multilink
> ppp multilink fragment disable
> ppp multilink links minimum 1
> ppp multilink group 1
> max-reserved-bandwidth 90
> !
> interface FastEthernet0/0
> description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
> ip address 10.95.11.5 255.255.255.0
> ip accounting output-packets
> duplex auto
> speed auto
> !
> router ospf 1
> log-adjacency-changes
> redistribute bgp 65132 metric 1 subnets
> network 10.0.0.0 0.255.255.255 area 0
> !
> router bgp 65132
> no synchronization
> bgp log-neighbor-changes
> network 0.0.0.0
> redistribute connected
> redistribute static
> redistribute ospf 1 metric 0 match internal external 1 external 2
> route-map ospf-bgp
> neighbor 159.24.144.105 remote-as 65000
> no auto-summary
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 10.95.11.9
> ip route 10.95.18.0 255.255.255.0 10.95.11.9 ! this is the problem route
>
> !
> !
> route-map ospf-bgp deny 10
> match tag 65000
> !
> route-map ospf-bgp permit 20
> !
> !
> !
> !
>
>
> 3750:
>
> interface Vlan1
> no ip address
> !
> interface Vlan9
> ip address 10.95.9.9 255.255.255.0
> !
> interface Vlan10
> ip address 10.95.10.9 255.255.255.0
> !
> interface Vlan11
> description [ VLAN to MPLS Sites ]
> ip address 10.95.11.9 255.255.255.0
> !
> interface Vlan12
> description [ Server VLAN ]
> ip address 10.95.12.9 255.255.255.0
> !
> interface Vlan13
> ip address 10.95.13.9 255.255.255.0
> !
> interface Vlan14
> description [ DMZ VLAN ]
> ip address 10.95.14.9 255.255.255.0
> ip helper-address 10.95.12.12
> !
> interface Vlan16
> ip address 10.95.16.9 255.255.255.0
> !
> interface Vlan30
> description [ VMWare iSCSI VLAN ]
> ip address 172.27.30.9 255.255.255.0
> !
> interface Vlan40 > description [ VMWare Development VLAN ] > ip address 10.95.19.9 255.255.255.0 > ! > interface Vlan100 > description [ External VLAN ] > ip address 1.2.27.35 255.255.255.128 > ! > interface Vlan101 > ip address 172.27.101.9 255.255.255.0 > ! > interface Vlan102 > ip address 172.27.102.9 255.255.255.0 > ! > interface Vlan103 > ip address 172.27.103.9 255.255.255.0 > ! > interface Vlan200 > ip address 172.27.200.9 255.255.255.0 > ! > router ospf 1 > router-id 10.95.11.9 > log-adjacency-changes > redistribute connected > redistribute static > network 10.0.0.0 0.255.255.255 area 0 > ! > ip default-gateway 10.95.12.1 > ip classless > ip route 0.0.0.0 0.0.0.0 10.95.12.1 > ip route 10.95.18.0 255.255.255.0 10.95.11.1 ! this is the problem route > ip route 172.16.0.0 255.255.0.0 10.95.11.1 > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tony at lava.net Mon Feb 2 13:57:44 2009 From: tony at lava.net (Antonio Querubin) Date: Mon, 2 Feb 2009 08:57:44 -1000 (HST) Subject: [c-nsp] OSPF not propagating - But for only one route...? In-Reply-To: <49872D28.2090503@chrisserafin.com> References: <49872D28.2090503@chrisserafin.com> Message-ID: On Mon, 2 Feb 2009, ChrisSerafin wrote: > I have 2 L3 devices (2811/3750) which are running OSPF and redistributing > statics/connected networks. > > For some reason 1 static route will not redistribute from the switch to the > router and vice versa, > redistribute connected > redistribute static > ip route 10.95.18.0 255.255.255.0 10.95.11.9 ! this is the problem route Have you tried 'redistribute static subnets'? -- Antonio Querubin whois: AQ7-ARIN From chris at chrisserafin.com Mon Feb 2 14:09:48 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Mon, 02 Feb 2009 13:09:48 -0600 Subject: [c-nsp] OSPF not propagating - But for only one route...? 
In-Reply-To: References: <49872D28.2090503@chrisserafin.com> Message-ID: <498744FC.90406@chrisserafin.com> How does 'redistribute static' differ from 'redistribute static subnets'? Thanks Antonio Querubin wrote: > On Mon, 2 Feb 2009, ChrisSerafin wrote: > >> I have 2 L3 devices (2811/3750) which are running OSPF and >> redistributing statics/connected networks. >> >> For some reason 1 static route will not redistribute from the switch >> to the router and vice versa, > >> redistribute connected >> redistribute static > >> ip route 10.95.18.0 255.255.255.0 10.95.11.9 ! this is the problem route > > Have you tried 'redistribute static subnets'? From masood at nexlinx.net.pk Mon Feb 2 14:18:56 2009 From: masood at nexlinx.net.pk (Masood Ahmad Shah) Date: Tue, 3 Feb 2009 00:18:56 +0500 Subject: [c-nsp] OSPF not propagating - But for only one route...? In-Reply-To: <498744FC.90406@chrisserafin.com> References: <49872D28.2090503@chrisserafin.com> <498744FC.90406@chrisserafin.com> Message-ID: <012701c9856b$1bab3610$5301a230$@net.pk> To redistribute static routes to subnets of classful networks you use "redistribute static subnets" under the ospf router configuration. Regards, Masood Blog: http://weblogs.com.pk/jahil/ >> redistributing statics/connected networks. >> >> For some reason 1 static route will not redistribute from the switch >> to the router and vice versa, > >> redistribute connected >> redistribute static > >> ip route 10.95.18.0 255.255.255.0 10.95.11.9 ! this is the problem route > > Have you tried 'redistribute static subnets'?
From lgeyer at gmail.com Mon Feb 2 14:49:52 2009 From: lgeyer at gmail.com (Laurent Geyer) Date: Mon, 2 Feb 2009 14:49:52 -0500 Subject: [c-nsp] VPN PIX 6.x Translation issue In-Reply-To: References: Message-ID: <39647f4d0902021149u10c18081od1d0c88d1cfdebd8@mail.gmail.com> This has to do with NAT behavior on Pix 6.x and supposedly changed on the ASA, but I have personally observed the behavior there as well. Pixes will inherently attempt to translate any traffic they receive on an interface unless told not to. In your case the following should address the problem. static (inside,inside2) 10.10.200.0 10.10.200.0 netmask 255.255.255.0 You could also build a nat exempt access-list and define the subnets in question. - Laurent On Mon, Feb 2, 2009 at 10:57 AM, William wrote: > Hi folks! > > I currently have a PIX firewall running 6 code, the firewall has 3 > interfaces, inside, outside and inside2. > > At the moment I can VPN and communicate to all the hosts on the > inside, what I'd like to do is also be able to communicate with the > hosts on inside2, the security levels are: > > outside: 0 > inside: 100 > inside2: 90 > > When I try to speak to inside2 hosts, I get the following error: > > %PIX-3-305005: No translation group found for icmp src > outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0) > > I'm very confused as to where I should be putting global/nat > statements...
so far my setup consists of: > > > nat (inside) 0 access-list inside_outbound_nat0_acl > nat (inside) 1 10.10.200.0 255.255.255.0 0 0 > nat (inside2) 0 access-list office_outbound_nat0_acl > nat (inside2) 1 192.168.0.0 255.255.255.0 0 0 > global (outside) 1 interface > > This lets both inside and inside2 hosts contact the internet via int > outside, and no nat stuff that needs to traverse VPN tunnels... > > If anyone can assist/educate me on getting this working I would > appreciate it very much! > > Cheers, > > W From oiyankok at yahoo.ca Mon Feb 2 19:04:26 2009 From: oiyankok at yahoo.ca (ann kok) Date: Mon, 2 Feb 2009 16:04:26 -0800 (PST) Subject: [c-nsp] login Message-ID: <665345.32707.qm@web111312.mail.gq1.yahoo.com> Hi all I have the running config but don't understand the meaning Could you explain to me? line con 0 exec-timeout 0 0 transport input none line vty 0 4 line vty 5 15 Thank you From ahmedazim at gmail.com Mon Feb 2 19:28:28 2009 From: ahmedazim at gmail.com (Ahmed Mohamed) Date: Tue, 3 Feb 2009 02:28:28 +0200 Subject: [c-nsp] reachability issue in MEL link Message-ID: Hello, this is a real life problem still occurring, and I have no idea what may be causing it ..
we are providing an internet direct service to our customer via MEL (Metro Ethernet Link) CE (CS-7206 VXR) fe2/0.36 ------------------Etherlink(local carrier)---------------- WS-3759G-24TS--PE(CS-7000) the solution is provided using a carrier to link the customer CE to an aggregated switch, using Metro Ethernet configuring vlan 36 and using dot1q encapsulation then from the aggregating switch to the PE router using also encapsulation dot1q for vlan36 all interfaces are up-up , and still ping fails !! i tried everything, resetting ports, switches, reconfigure interfaces ..etc. still no joy any idea what could be causing the problem ? ======================================================================== CE: ----- interface FastEthernet2/0.36 bandwidth 61440 encapsulation dot1Q 36 ip address 57.78.2.6 255.255.255.252 ======================================================================== Agg. switch: ------------------ interface GigabitEthernet1/0/9 switchport trunk encapsulation dot1q switchport trunk native vlan 3109 switchport trunk allowed vlan 36,3109 switchport mode trunk switchport nonegotiate duplex full speed 100 mls qos trust cos spanning-tree bpdufilter enable ======================================================================== PE: ------ interface FastEthernet5/1/1.36 bandwidth 61440 encapsulation dot1Q 36 ip address 57.78.2.5 255.255.255.252 no ip redirects no ip proxy-arp no ip route-cache no cdp enable ======================================================================== bmil305#sh int FastEthernet5/1/1.36 FastEthernet5/1/1.36 is up, line protocol is up <<<<<< Hardware is cyBus FastEthernet Interface, address is 0003.fe91.b8a9 (bia 0003.fe91.b8a9) Internet address is 57.78.2.5/30 MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
ARP type: ARPA, ARP Timeout 04:00:00 ======================================================================== pmil2534#sh int Fa2/0.36 FastEthernet2/0.36 is up, line protocol is up <<<<<< Hardware is i82543 (Livengood), address is 0022.be8b.1038 (bia 0022.be8b.1038) Description: --- To bmil305 - FE5/1/1.5 Internet address is 57.78.2.6/30 MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation 802.1Q Virtual LAN, Vlan ID 36. ======================================================================== ping pe to CE fails: ---------------------------- bmil305#ping 57.78.2.6 <<<<<<, Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 57.78.2.6, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) ======================================================================== PE to internet (google) successfully: ------------------------------------------------------ bmil305#ping 216.239.59.147 source fast 5/1/1.36 repeat 100 size 500 Type escape sequence to abort. Sending 100, 500-byte ICMP Echos to 216.239.59.147, timeout is 2 seconds: Packet sent with a source address of 57.78.2.5 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 100 percent (100/100), round-trip min/avg/max = 36/40/112 ms ======================================================================== From ariemer at wesenergy.com.au Mon Feb 2 21:54:21 2009 From: ariemer at wesenergy.com.au (Aaron Riemer) Date: Tue, 3 Feb 2009 11:54:21 +0900 Subject: [c-nsp] Initiating Connections to VPN Clients Message-ID: <0867622C64B50C4B878AB45C95F43F110678BFAE@MAILWA01.wesenergy.local> Hi guys, I am trying to work out why I cannot initiate connections to our VPN clients. ICMP seems to be okay and I can see that there is nothing in the log indicating the connections are denied. What could I be missing here? Connections inbound from the VPN clients work flawlessly. 
Thanks for any suggestions, Aaron. From ariemer at wesenergy.com.au Mon Feb 2 22:07:30 2009 From: ariemer at wesenergy.com.au (Aaron Riemer) Date: Tue, 3 Feb 2009 12:07:30 +0900 Subject: [c-nsp] login In-Reply-To: <665345.32707.qm@web111312.mail.gq1.yahoo.com> References: <665345.32707.qm@web111312.mail.gq1.yahoo.com> Message-ID: <0867622C64B50C4B878AB45C95F43F110678BFC6@MAILWA01.wesenergy.local> These are your console and VTY lines for managing the device. Con being out of band management. VTY being in band management, i.e. telnet and SSH. Aaron. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ann kok Sent: Tuesday, 3 February 2009 9:04 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] login Hi all I have the running config but don't understand the meaning Could you explain to me? line con 0 exec-timeout 0 0 transport input none line vty 0 4 line vty 5 15 Thank you
From bitkraft at gmail.com Mon Feb 2 22:55:33 2009 From: bitkraft at gmail.com (Brian Spade) Date: Mon, 2 Feb 2009 19:55:33 -0800 Subject: [c-nsp] core OSPF configurations Message-ID: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> Hi, Let's say you have a core router with 50+ SVIs and 4 uplinks to two other OSPF routers in the same area. What is the best way to configure OSPF to inject all 50+ SVIs into the routing domain? Would you configure network statements for all SVI networks and passive the interfaces? Would you configure OSPF on the uplink interfaces only and redistribute connected to create type-5 externals?
/bs From ltd at cisco.com Mon Feb 2 23:19:40 2009 From: ltd at cisco.com (Lincoln Dale) Date: Tue, 03 Feb 2009 15:19:40 +1100 Subject: [c-nsp] Netconf (over SSHv2) in SXI In-Reply-To: <20090202161705.GB4869@wildfire.net.ic.ac.uk> References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <20090202161705.GB4869@wildfire.net.ic.ac.uk> Message-ID: <4987C5DC.9090505@cisco.com> Phil Mayers wrote: > On Mon, Feb 02, 2009 at 12:11:23PM +0000, Lincoln Dale wrote: >> Phil Mayers wrote: >>> Does anyone have working examples talking to the netconf >>> implementation in 12.2(33)SXI? Or pointers to libraries / code that >>> works? >>> [..] >>> >>> >>> >>> ... >>> >>> arp >>> >>> >>> ...I get error messages about the cpi: namespace and "debug cns xml" >>> on the box tells me the XML stanzas in that namespace have no handler. >> i have worked extensively with Netconf/XML on NX-OS on Nexus 7000. >> >> whatever you're requesting needs to match the schema. based on my >> experience, i think you'll most likely need to modify what you have to: >> > > That directly contradicts Cisco's examples. indeed it does contradict the example you pointed to in 7600 IOS 12.2SR documentation, and isn't what i would have expected. one thing i did notice is that your example had an incorrect xmlns specified (www.cisc.com/... rather than www.cisco.com/...). the xmlns needs to be exact. and again - if you're testing this on a 6500 IOS 12.2SXI, make sure you are matching the schema for _that_. > Can you share the xml for any non-trivial thing you have working? I > have literally tried every combo of xml and namespacing I can imagine. to reiterate, it's important that what you're requesting match the schema (XSD). the .XSD files are on cisco.com somewhere matching the IOS release you are running. cheers, lincoln. From pshuleski at gmail.com Tue Feb 3 00:36:38 2009 From: pshuleski at gmail.com (Pete S.)
Date: Tue, 3 Feb 2009 00:36:38 -0500 Subject: [c-nsp] core OSPF configurations In-Reply-To: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> Message-ID: <50f158990902022136q6ddba3a9scc4002b7a10f9021@mail.gmail.com> Many ways to go about it. I'm not sure any is more correct than another. As long as you aren't wasting the router's CPU sending ospf hellos out all of the SVI interfaces. For my personal preference, I try to enumerate the networks in the ospf process. This allows me to quickly see all the networks being announced on that router just by sh run | b router ospf. The list may get long, but it is a definitive list of what that router is allowed to announce. You can always supernet if you have contiguous space, or break it off into another area, and range, if appropriate. I'm also a fan of using passive-interface default, and no passive-interface for the uplinks, in the routing process. Also for centralization. I can see exactly what interfaces should have OSPF neighbors. This also gives you the control to add additional SVIs, without any additional interface commands. I tend to treat redistribute connected as a bad practice, simply because, if an interface is created and IP'd, I don't necessarily ever want it to instantly start announcing its network through my routing protocol. One wrong subnet typo on a new SVI can instantly cause issues... I'm sure you'll hear a few opinions on how to do it, as there are a few approaches. If there are cpu or network benefits for one way over another, I'd love to hear them. --Pete From david at hughes.com.au Tue Feb 3 01:30:50 2009 From: david at hughes.com.au (David Hughes) Date: Tue, 3 Feb 2009 16:30:50 +1000 Subject: [c-nsp] Fast UDLD timers in SXI? Message-ID: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> Hi My trawling around CCO doco hasn't helped - I'm obviously running short of CCO foo today.
Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down to 1 second) or if we are still stuck with the old 7 sec timers. We can do 1 sec UDLD on 2900 class switches so I hope we see it in the "premier switching platform" some time soon. We need some way to pick up a link failure at the far end of an EoMPLS xconnect in a reasonable time. Thanks David ... From jeff at ocjtech.us Tue Feb 3 02:11:13 2009 From: jeff at ocjtech.us (Jeffrey Ollie) Date: Tue, 3 Feb 2009 01:11:13 -0600 Subject: [c-nsp] Netconf (over SSHv2) in SXI In-Reply-To: <4987C5DC.9090505@cisco.com> References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <20090202161705.GB4869@wildfire.net.ic.ac.uk> <4987C5DC.9090505@cisco.com> Message-ID: <935ead450902022311t17704123lb68a64f3db4c6179@mail.gmail.com> This piqued my interest, so I whipped up a quick program to do some testing. I've attached the resulting program, which when run against my 6500 running 12.2(33)SXI produces a copy of the running config. Some things I observed: 1. Netconf over SSHv2 (http://www.rfc-editor.org/rfc/rfc4742.txt) requires a "hello" message to be sent by the client, which didn't appear to be documented in any of the Cisco docs. 2. If the "hello" message had problems, no error message is sent to the client (an error message is logged though). 4. The namespace that it sends ("urn:ietf:params:netconf:base:1.0") is different from what it expects ("urn:ietf:params:xml:ns:netconf:base:1.0") which I found a little confusing. 5. I wasn't able to get any of the command filtering working. The script is in Python, and you'll need the Paramiko (SSHv2) and lxml (XML parsing) extensions. Sample output (actual config file truncated): urn:ietf:params:netconf:base:1.0 urn:ietf:params:netconf:capability:writeable-running:1.0 urn:ietf:params:netconf:capability:startup:1.0 urn:ietf:params:netconf:capability:url:1.0 urn:cisco:params:netconf:capability:notification:1.0 1391240248 ! !
Last configuration change at 22:43:26 CST Mon Feb 2 2009 by Cisco ! NVRAM config last updated at 10:23:27 CST Mon Feb 2 2009 by Cisco ! ... netconf ssh ! end -- Jeff Ollie "You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe." -- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon" From gert at greenie.muc.de Tue Feb 3 02:15:50 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 3 Feb 2009 08:15:50 +0100 Subject: [c-nsp] Fast UDLD timers in SXI? In-Reply-To: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> Message-ID: <20090203071550.GU290@greenie.muc.de> Hi, On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote: > Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down > to 1 second) or if we are still stuck with the old 7 sec timers. We > can do 1 sec UDLD on 2900 class switches so I hope we see it in the > "premier switching platform" some time soon. We need some way to pick > up a link failure at the far end of an EoMPLS xconnect in a reasonable > time. Can you use BFD? (Yes, this is not answering your question - I don't know the answer - but it might be an alternative approach if this is a layer 3 link) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From p.mayers at imperial.ac.uk Tue Feb 3 03:10:18 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Tue, 3 Feb 2009 08:10:18 +0000 Subject: [c-nsp] Netconf (over SSHv2) in SXI In-Reply-To: <935ead450902022311t17704123lb68a64f3db4c6179@mail.gmail.com> References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <20090202161705.GB4869@wildfire.net.ic.ac.uk> <4987C5DC.9090505@cisco.com> <935ead450902022311t17704123lb68a64f3db4c6179@mail.gmail.com> Message-ID: <20090203081018.GB15269@wildfire.net.ic.ac.uk> On Tue, Feb 03, 2009 at 07:11:13AM +0000, Jeffrey Ollie wrote: >This piqued my interest, so I whipped up a quick program to do some >testing. I've attached the resulting program, which when run against >my 6500 running 12.2(33)SXI produces a copy of the running config. > >Some things I observed: Yep, those match my observations. >The script is in Python, and you'll need the Paramiko (SSHv2) and lxml I used Twisted & a Nevow web UI, but seems python is popular ;o) > > > > ! Yeah - note that the cli-config-data-block element is not namespaced here. I suspect the netconf XML parser/generator is just broken in SXI. I'm going to bug TAC later today - it's either a software or docs bug. From Marcus.Gerdon at versatel.de Tue Feb 3 03:18:48 2009 From: Marcus.Gerdon at versatel.de (Marcus.Gerdon) Date: Tue, 3 Feb 2009 09:18:48 +0100 Subject: [c-nsp] Channelized OC3 for 7206VXR Message-ID: <227142482560EF458FF1F7E784E26AB823D075@FLBVEXCH01.versatel.local> Hi, the PA-MC-STM1 can be configured for SDH or Sonet framing on the controller, below which the TUG structure (don't know how's that called in Sonet) is configured. As far as I know (only done SDH for some time) when switching to Sonet we're in OCx world. I've no installed PA at hand without links connected so maybe someone can simply try what can be configured when in Sonet mode ?
regards, Marcus > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering > Sent: Monday, 2 February 2009 18:47 > To: Justin M. Streiner > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Channelized OC3 for 7206VXR > > Hi, > > On Mon, Feb 02, 2009 at 11:29:42AM -0500, Justin M. Streiner wrote: > > That particular card does not support channelized > operation. It's also > > end-of-life. I'm not aware of a channelized OC3 port > adapter for the 7200 > > series. > > For whatever reason, there is a channelized STM-1 which goes > down to E1, > but no channelized OC3 indeed. > > gert > -- > USENET is *not* the non-clickable part of WWW! > > //www.muc.de/~gert/ > Gert Doering - Munich, Germany > gert at greenie.muc.de > fax: +49-89-35655025 > gert at net.informatik.tu-muenchen.de > From allan.eising at gmail.com Tue Feb 3 03:45:04 2009 From: allan.eising at gmail.com (Allan Eising) Date: Tue, 3 Feb 2009 09:45:04 +0100 Subject: [c-nsp] Initiating Connections to VPN Clients In-Reply-To: <0867622C64B50C4B878AB45C95F43F110678BFAE@MAILWA01.wesenergy.local> References: <0867622C64B50C4B878AB45C95F43F110678BFAE@MAILWA01.wesenergy.local> Message-ID: On Tue, Feb 3, 2009 at 3:54 AM, Aaron Riemer wrote: > Hi guys, > > I am trying to work out why I cannot initiate connections to our VPN > clients. ICMP seems to be okay and I can see that there is nothing in > the log indicating the connections are denied. What could I be missing > here? Connections inbound from the VPN clients work flawlessly. > > Thanks for any suggestions, > > Aaron. >
How is the server part of your vpn configured? Do you use dynamic maps? Could you post the relevant configuration here? Regards, Allan From nasir.shaikh at bt.com Tue Feb 3 03:45:55 2009 From: nasir.shaikh at bt.com (nasir.shaikh at bt.com) Date: Tue, 3 Feb 2009 08:45:55 -0000 Subject: [c-nsp] How secure are VLANs and VRFs? Message-ID: <2B0ABDF9E4A1204AA7467F20075354560801EA46@E03MVZ4-UKDY.domain1.systemhost.net> Hi, I am looking for some studies/papers to convince my customer (and myself) that VLANs can be as secure as physical segments and VRFs also provide a secure segregation of traffic. A few years back I came across a post referring to a document on the FBI or the NSA site stating that VLANs were deemed just as secure as physical wires. I am sure that there are Service Providers offering an Internet VRF over their MPLS cloud or enterprises with unfiltered Internet vrf on a campus. How do you convince a customer about the security of a vrf?
Any references will be appreciated Nasir Shaikh CCIE #15845 | Senior Consultant | BT | Global Professional Services | E: nasir.shaikh at bt.com | http://www.bt.com/consulting From tim at pelican.org Tue Feb 3 04:24:44 2009 From: tim at pelican.org (Tim Franklin) Date: Tue, 3 Feb 2009 09:24:44 -0000 (GMT) Subject: [c-nsp] set clock In-Reply-To: <46114.1233585948@lavin-llc.com> References: <46114.1233585948@lavin-llc.com> Message-ID: <6b7153d53a0f0d50d41d62a27d0ebbc3.squirrel@webmail.pelican.org> On Mon, February 2, 2009 2:45 pm, chris at lavin-llc.com wrote: > Most of us tend to like using the GMT (UTC) timezone because it's a global > reference that never changes. Therefore you don't have to > worry about accounting for the dates that your local timezone "springs > forward" or "falls back". Also, it lets you correlate logs from different time zones without having to try and adjust everything - pretty much the same reason you run NTP on a device in the first place. This is a useful point to be ready to explain to local ops people when they're campaigning for national time zones on network devices, IME. Regards, Tim. From thomas at dupas.be Tue Feb 3 04:45:27 2009 From: thomas at dupas.be (Thomas Dupas) Date: Tue, 3 Feb 2009 10:45:27 +0100 Subject: [c-nsp] Fast UDLD timers in SXI? In-Reply-To: <20090203071550.GU290@greenie.muc.de> References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au>, <20090203071550.GU290@greenie.muc.de> Message-ID: <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> I assume it's a L2 link (EoMPLS), so BFD won't help much. We're in the same situation, also stuck with UDLD timers and 2 parallel EoMPLS xconnects.
I can't get the convergence lower than 20 seconds with the default UDLD, so I'm also hoping for fast UDLD Best Regards, Thomas ________________________________________ From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] on behalf of Gert Doering [gert at greenie.muc.de] Sent: Tuesday 3 February 2009 8:15 To: David Hughes CC: Cisco NSP ((E-mail))' Subject: Re: [c-nsp] Fast UDLD timers in SXI? Hi, On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote: > Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down > to 1 second) or if we are still stuck with the old 7 sec timers. We > can do 1 sec UDLD on 2900 class switches so I hope we see it in the > "premier switching platform" some time soon. We need some way to pick > up a link failure at the far end of an EoMPLS xconnect in a reasonable > time. Can you use BFD? (Yes, this is not answering your question - I don't know the answer - but it might be an alternative approach if this is a layer 3 link) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From eimantas at occ.lt Tue Feb 3 04:12:19 2009 From: eimantas at occ.lt (Eimantas Zdanevičius) Date: Tue, 03 Feb 2009 11:12:19 +0200 Subject: [c-nsp] ASA 5520 Remote Access VPN Message-ID: <49880A73.2010702@occ.lt> Hi all, I have configured vpn on asa 5520 (software version 7.2). vpnclient connects to asa and says everything is ok. But I cannot ping any computer in inside network. asa is working in router mode, single context.
No nat on inside or outside interface hostname(config)# interface ethernet0 hostname(config-if)# ip address 10.10.4.200 255.255.0.0 hostname(config-if)# nameif outside hostname(config-if)# no shutdown hostname(config)# interface ethernet1 hostname(config-if)# ip address 10.10.1.200 255.255.0.0 hostname(config-if)# nameif inside hostname(config-if)# no shutdown hostname(config)# isakmp policy 1 authentication pre-share hostname(config)# isakmp policy 1 encryption 3des hostname(config)# isakmp policy 1 hash sha hostname(config)# isakmp policy 1 group 2 hostname(config)# isakmp policy 1 lifetime 43200 hostname(config)# isakmp enable outside hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15 hostname(config)# username testuser password 12345678 hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac hostname(config)# tunnel-group testgroup type ipsec-ra hostname(config)# tunnel-group testgroup general-attributes hostname(config-general)# address-pool testpool hostname(config)# tunnel-group testgroup ipsec-attributes hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet hostname(config)# crypto dynamic-map dyn1 1 set reverse-route hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1 hostname(config)# crypto map mymap interface outside Thanks Eimantas From peter at rathlev.dk Tue Feb 3 05:25:31 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 03 Feb 2009 11:25:31 +0100 Subject: [c-nsp] ASA 5520 Remote Access VPN In-Reply-To: <49880A73.2010702@occ.lt> References: <49880A73.2010702@occ.lt> Message-ID: <1233656731.3494.195.camel@localhost.localdomain> On Tue, 2009-02-03 at 11:12 +0200, Eimantas Zdanevičius wrote: > I have configured vpn on asa 5520 (software version 7.2). vpnclient > connects to asa and says everything is ok. But I cannot ping any computer > in inside network. > > asa is working in router mode, single context.
> No nat on inside or
> outside interface
> ...

What does the log say? Where are the ACLs for the interfaces? Are you sure the firewall isn't denying the traffic as it does by default?

Regards,
Peter

From eimantas at occ.lt Tue Feb 3 06:47:41 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Tue, 03 Feb 2009 13:47:41 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <498819FE.90609@lumison.net>
References: <49880A73.2010702@occ.lt> <498819FE.90609@lumison.net>
Message-ID: <49882EDD.608@occ.lt>

Alasdair Gow wrote:
> Hi,
>
> It looks like eth0 and eth1 are on the same network.
> they need to be on separate networks IIRC.
>
> Cheers,
> Ally
>
sorry about my mistake. interfaces are on different networks, masks are 255.255.255.0

From eimantas at occ.lt Tue Feb 3 06:57:02 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Tue, 03 Feb 2009 13:57:02 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <1233656731.3494.195.camel@localhost.localdomain>
References: <49880A73.2010702@occ.lt> <1233656731.3494.195.camel@localhost.localdomain>
Message-ID: <4988310E.20109@occ.lt>

Peter Rathlev wrote:
> ...
>
> What does the log say? Where are the ACLs for the interfaces? Are you sure
> the firewall isn't denying the traffic as it does by default?
>
> Regards,
> Peter
>
It's hard to find anything in the log, because this is a production firewall and there are a lot of messages in syslog. If I'm grepping on IP addresses (vpnclient real address or vpn address) in syslog I can't find anything wrong. On the outside interface I have an ACL which accepts pings from any source to inside interface computers, and I can ping from any computer from outside to any computer on inside. Even in ASDM real time logging I can't see any message about dropping packets from the vpn tunnel.
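A static review of the configuration Eimantas posted, as an added example (this is not code from the thread). It is a small Python linter over the pasted `hostname(config)#` lines: it flags the overlapping interface subnets Alasdair noticed, an ISAKMP policy and transform set built on 3DES, MD5 and DH group 2 (common in 2009, weak by current guidance), a VPN pool that lies outside the inside subnet so that inside hosts need a route back to the ASA, the absence of `crypto isakmp nat-traversal` (without which a client behind a NAT device completes IKE but its ESP never gets back), and the absence of a split-tunnel policy. The command names are real ASA 7.x syntax; the weak-algorithm lists and the assumption that the inside-facing interface carries `nameif inside` are this example's own.

```python
"""Static review of the ASA remote-access VPN snippet posted above.

Added example, not from the thread. Constructed input: the posted
config, copied with its original /16 masks. The ASA commands searched
for are real 7.x syntax; the weak-algorithm lists and the assumption
that the inside-facing interface is the one with 'nameif inside' are
this example's own choices.
"""
import ipaddress
import re

POSTED_CONFIG = """\
hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# interface ethernet1
hostname(config-if)# ip address 10.10.1.200 255.255.0.0
hostname(config-if)# nameif inside
hostname(config-if)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")

# DES/3DES, MD5 and DH groups below 2048 bits are treated as weak here
# (reviewer's choice, in line with current NIST/IETF guidance).
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}


def strip_prompts(text):
    """Turn pasted 'hostname(config...)# cmd' lines into bare commands."""
    return [PROMPT.sub("", ln.strip()) for ln in text.splitlines() if ln.strip()]


def parse_interfaces(cmds):
    """Map nameif -> connected IPv4 network, following 'interface' blocks."""
    nets, cur = {}, None
    for cmd in cmds:
        p = cmd.split()
        if p[0] == "interface":
            cur = {"nameif": None, "net": None}
        elif cur is not None and p[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
        elif cur is not None and p[0] == "nameif":
            cur["nameif"] = p[1]
        if cur and cur["nameif"] and cur["net"]:
            nets[cur["nameif"]] = cur["net"]
    return nets


def review(config_text, inside="inside"):
    """Return [(severity, message)] findings for a posted-style config."""
    cmds = strip_prompts(config_text)
    findings = []
    nets = parse_interfaces(cmds)

    # 1. Interfaces whose subnets overlap (the eth0/eth1 point in the thread)
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(("error", f"{a} ({nets[a]}) and {b} ({nets[b]}) overlap"))

    for cmd in cmds:
        # 2. VPN pool outside the inside subnet: inside hosts need a route back
        m = re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)", cmd)
        if m:
            lo, hi = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            net = nets.get(inside)
            if net is None or lo not in net or hi not in net:
                findings.append(("info", f"pool {m[1]} ({lo}-{hi}) is not in the {inside} "
                                 "subnet; inside hosts must route it back to the ASA"))
        # 3. Weak IKE phase-1 parameters
        m = re.fullmatch(r"(?:crypto )?isakmp policy (\d+) (encryption|hash|group) (\S+)", cmd)
        if m and m[3] in WEAK_ISAKMP[m[2]]:
            findings.append(("warn", f"isakmp policy {m[1]} uses weak {m[2]} {m[3]}"))
        # 4. Weak IPsec transforms
        m = re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", cmd)
        if m:
            weak = sorted(set(m[2].split()) & WEAK_TRANSFORMS)
            if weak:
                findings.append(("warn", f"transform-set {m[1]} uses weak {', '.join(weak)}"))

    # 5. NAT traversal: IKE on UDP/500 survives a PAT device, bare ESP usually does not
    if not any(re.fullmatch(r"(?:crypto )?isakmp nat-traversal.*", c) for c in cmds):
        findings.append(("warn", "no isakmp nat-traversal: clients behind NAT will "
                         "authenticate but pass no traffic"))
    # 6. Full tunnel unless a split-tunnel policy is configured
    if not any("split-tunnel-policy" in c for c in cmds):
        findings.append(("info", "no split-tunnel-policy: all client traffic is tunnelled"))
    return findings


if __name__ == "__main__":
    for sev, msg in review(POSTED_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the posted lines it reports the overlap as an error, the 3DES/MD5/group-2 choices and the missing `nat-traversal` as warnings, and the pool placement and full-tunnel default as informational. With the masks corrected to /24 and `crypto isakmp nat-traversal 30` added, the error and the NAT-T warning disappear while the pool note remains, which is the routing point Engel raises later in the thread.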
From engel.labiro at gmail.com Tue Feb 3 09:30:15 2009
From: engel.labiro at gmail.com (Engelhard Labiro)
Date: Tue, 3 Feb 2009 23:30:15 +0900
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <49880A73.2010702@occ.lt>
References: <49880A73.2010702@occ.lt>
Message-ID: <74b0c3330902030630i1d7bf31i7e97698c29bb462e@mail.gmail.com>

> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

I guess this is a routing problem, since you assign 192.168.0.x to the vpn client, which is located on a different segment from the PIX's own interface. The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf of the vpn client. This can be done with the proxy arp setting on the inside interface of the PIX... I forgot the command. Or if you have a router on the PIX's inside I/F, just create a route to 192.168.0.x pointing back to your PIX's inside I/F.

HTH
Engel

From steve at ibctech.ca Tue Feb 3 08:31:49 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Tue, 03 Feb 2009 08:31:49 -0500
Subject: [c-nsp] A little confusion: OSPF and iBGP
Message-ID: <49884745.2030304@ibctech.ca>

Hi everyone,

I've got a couple of questions regarding the use of iBGP and OSPF. I've got:

rtrA - connected to Internet, and routes some prefixes of my /21 (and v6 /32) to the infrastructure/servers

rtrB - private eBGP peering with another company, and connects some multihome clients with eBGP (they use space from our /21 and advertise back to us with private AS). Also has numerous prefixes from our /21 on the client facing sides. For these clients, our edge is their default gateway for the prefix

rtrC - connects the multihomed clients secondary connection with a lower eBGP preference, and also has a few prefixes from the /21 for other access clients

Currently, I use OSPF to share the loopback interface IPs, and use iBGP for the rest. For the prefixes at the client access edge that are put in place statically, I advertise them to the other internal peers via iBGP.
Would it be best to leave it this way, or to put this address space into the IGP instead, and have BGP only announce the actual eBGP learnt routes? Also, should all of my routers have a pull-up route for the entire /21, or just for the prefixes that they house? Thanks, Steve From ross at kallisti.us Tue Feb 3 09:32:39 2009 From: ross at kallisti.us (Ross Vandegrift) Date: Tue, 3 Feb 2009 09:32:39 -0500 Subject: [c-nsp] Netconf (over SSHv2) in SXI In-Reply-To: <20090203081018.GB15269@wildfire.net.ic.ac.uk> References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <20090202161705.GB4869@wildfire.net.ic.ac.uk> <4987C5DC.9090505@cisco.com> <935ead450902022311t17704123lb68a64f3db4c6179@mail.gmail.com> <20090203081018.GB15269@wildfire.net.ic.ac.uk> Message-ID: <20090203143239.GA31065@kallisti.us> On Tue, Feb 03, 2009 at 08:10:18AM +0000, Phil Mayers wrote: > On Tue, Feb 03, 2009 at 07:11:13AM +0000, Jeffrey Ollie wrote: > >This piqued my interest, so I whipped up a quick program to do some > >testing. I've attached the resulting program, which when run against > >my 6500 running 12.2(33)SXI produces a copy of the running config. > > > >Some things I observed: > > Yep, those match my observations. > > >The script is in Python, and you'll need the Paramiko (SSHv2) and lxml > > I used Twisted & a Nevow web UI, but seems python is popular ;o) FWIW, I've been working on NETCONF software in python for JUNOS (see a recent j-nsp thread about my frustrations...) and have the beginnings of a library for generating and parsing NETCONF documents in Python with lxml. It's got all JUNOS centric stuff, so it won't be too much help as-is, but if you're interested let me know. > > > > > > ! > > Yeah - note that the cli-config-data-block element is not namespaced > here. I suspect the netconf XML parser/generator is just broken in SXI. > I'm going to bug TAC later today - it's either a software or docs bug. 
Well, in an XML sense, it's taken the default namespace provided by the rpc-reply tag. So that is "". I don't know if there's a data element defined by NETCONF, so I can't speak to the well-formedness of the above XML, only its validity.

Ross
--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From eimantas at occ.lt Tue Feb 3 09:33:43 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Tue, 03 Feb 2009 16:33:43 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <74b0c3330902030626t28f66045j89b0d7e7bfeccc0c@mail.gmail.com>
References: <49880A73.2010702@occ.lt> <74b0c3330902030626t28f66045j89b0d7e7bfeccc0c@mail.gmail.com>
Message-ID: <498855C7.7050405@occ.lt>

Engelhard Labiro wrote:
>> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
>>
>
> I guess this is a routing problem, since you assign 192.168.0.x to vpn
> client which is located on different segment with PIX's own interface.
> The pix must respond to arp request for 192.168.0.10 to 15 on behalf
> of the vpn client. This can be done with proxy arp setting on the
> inside interface of the PIX... I forgot the command.
> Or if you have a router in PIX's inside I/F, just create a route to
> 192.168.0.x pointing back
> to your PIX's inside I/F.
>
> HTH
> Engel
>
When the client connects to the asa, the asa automatically adds a route:

S 192.168.0.10 255.255.255.255 [1/0] via default_gw, outside

Eimantas

From sigurbjornl at vodafone.is Tue Feb 3 09:47:42 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 03 Feb 2009 14:47:42 +0000
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <498855C7.7050405@occ.lt>
Message-ID:

Not unless you configure RRI, see http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

BR,
Sibbi

On 3.2.2009 14:33, "Eimantas Zdanevičius" wrote:
> Engelhard Labiro wrote:
>>> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
>>>
>>
>> I guess this is a routing problem, since you assign 192.168.0.x to vpn
>> client which is located on different segment with PIX's own interface.
>> The pix must respond to arp request for 192.168.0.10 to 15 on behalf
>> of the vpn client. This can be done with proxy arp setting on the
>> inside interface of the PIX... I forgot the command.
>> Or if you have a router in PIX's inside I/F, just create a route to
>> 192.168.0.x pointing back
>> to your PIX's inside I/F.
>>
>> HTH
>> Engel
>>
> When the client connects to the asa, the asa automatically adds a route:
> S 192.168.0.10 255.255.255.255 [1/0] via default_gw, outside
>
> Eimantas
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From sigurbjornl at vodafone.is Tue Feb 3 09:55:17 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 03 Feb 2009 14:55:17 +0000
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <498855C7.7050405@occ.lt>
Message-ID:

If you're connecting through a natted host to the VPN you might try adding

crypto isakmp nat-traversal 30

I have a fairly similar setup to yours which works just fine.

BR,
Sibbi III

On 3.2.2009 14:33, "Eimantas Zdanevičius" wrote:
> Engelhard Labiro wrote:
>>> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
>>>
>>
>> I guess this is a routing problem, since you assign 192.168.0.x to vpn
>> client which is located on different segment with PIX's own interface.
>> The pix must respond to arp request for 192.168.0.10 to 15 on behalf
>> of the vpn client. This can be done with proxy arp setting on the
>> inside interface of the PIX... I forgot the command.
>> Or if you have a router in PIX's inside I/F, just create a route to
>> 192.168.0.x pointing back
>> to your PIX's inside I/F.
>>
>> HTH
>> Engel
>>
> When the client connects to the asa, the asa automatically adds a route:
> S 192.168.0.10 255.255.255.255 [1/0] via default_gw, outside
>
> Eimantas
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From eimantas at occ.lt Tue Feb 3 10:22:15 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Tue, 03 Feb 2009 17:22:15 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To:
References:
Message-ID: <49886127.1050805@occ.lt>

Sigurbjörn Birkir Lárusson wrote:
> If you're connecting through a natted host to the VPN you might try adding
>
> crypto isakmp nat-traversal 30
>
> I have a fairly similar setup to yours which works just fine.
>
This solved the problem, thanks!

Another problem is that the client sets its default gateway to the tunnel. How can I configure only some networks to go through the tunnel?

Eimantas

From frnkblk at iname.com Tue Feb 3 10:26:03 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 3 Feb 2009 09:26:03 -0600
Subject: [c-nsp] Multicast grooming
Message-ID:

How many entries can be made with the "ip igmp snooping vlan static" on a 2960G? I'm thinking of bringing in two GigE's of video and then grooming them with that feature down to one GigE. Besides entries, is this feature implemented in hardware or software, such that there might be scalability concerns, too?

Regards,

Frank

From ahmedazim at gmail.com Tue Feb 3 11:02:34 2009
From: ahmedazim at gmail.com (Ahmed Mohamed)
Date: Tue, 3 Feb 2009 18:02:34 +0200
Subject: [c-nsp] reachability issue in MEL link
In-Reply-To: <64206.172.25.144.4.1233648371.squirrel@imap.snnap.net>
References: <64206.172.25.144.4.1233648371.squirrel@imap.snnap.net>
Message-ID:

but this is an MCS (Mission Critical Site) solution, i.e.
we ordered the same circuit from the same carrier to implement the solution in another location for resiliency, and it works fine

P.S.: at some point I had an 8% success rate of 100 pings, but after that all dead

I told the carrier I want to have the packets transferred with dot1q encapsulation, and they replied that they are providing a transparent environment, regardless of whether the two ends are access or trunk

On Tue, Feb 3, 2009 at 10:06 AM, Tom Storey wrote:
> Are you sure that the two ports that face your metro ethernet provider are
> actually trunks?
>
> In my experience, carriers will only present access ports to "end users",
> where end users are yourself and your customer.
>
> This means that you do not setup trunking or sub-interfaces on any of your
> and your customers equipment, you configure access ports as well.
>
> It means that you can have a lot of 1:1 patching from your ethernet
> provider to your aggregation switch, but it helps your carrier protect
> their network from certain types of misconfiguration - i.e. they can't
> accidentally trunk someone else's VLAN down to you.
>
> > Hello,
> >
> > this is a real life problem still occurring, and have no idea what may be
> > causing it ..
> >
> > we are providing an internet direct service to our customer via MEL
> > (Metro
> > Ethernet Link)
> >
> > CE (CS-7206 VXR) fe2/0.36 ------------------Etherlink(local
> > carrier)---------------- WS-3759G-24TS--PE(CS-7000)
> >
> > the solution is provided using a carrier to link the customer CE to an
> > aggregated switch, using Metro Ethernet
> > configuring vlan 36 and using dot1q encapsulation
> > then from the aggregating switch to the PE router using also encapsulation
> > dot1q for vlan36
> >
> > all interfaces are up-up , and still ping fails !!
> >
> > i tried everything, resetting ports, switches, reconfigure interfaces
> > ..etc.
> > still no joy
> >
> > any idea what could be causing the problem ?
> > > > ======================================================================== > > CE: > > ----- > > interface FastEthernet2/0.36 > > bandwidth 61440 > > encapsulation dot1Q 36 > > ip address 57.78.2.6 255.255.255.252 > > ======================================================================== > > Agg. switch: > > ------------------ > > interface GigabitEthernet1/0/9 > > switchport trunk encapsulation dot1q > > switchport trunk native vlan 3109 > > switchport trunk allowed vlan 36,3109 > > switchport mode trunk > > switchport nonegotiate > > duplex full > > speed 100 > > mls qos trust cos > > spanning-tree bpdufilter enable > > ======================================================================== > > PE: > > ------ > > interface FastEthernet5/1/1.36 > > bandwidth 61440 > > encapsulation dot1Q 36 > > ip address 57.78.2.5 255.255.255.252 > > no ip redirects > > no ip proxy-arp > > no ip route-cache > > no cdp enable > > ======================================================================== > > bmil305#sh int FastEthernet5/1/1.36 > > FastEthernet5/1/1.36 is up, line protocol is up <<<<<< > > Hardware is cyBus FastEthernet Interface, address is 0003.fe91.b8a9 (bia > > 0003.fe91.b8a9) > > Internet address is 57.78.2.5/30 > > MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec, > > reliability 255/255, txload 1/255, rxload 1/255 > > Encapsulation 802.1Q Virtual LAN, Vlan ID 36. > > ARP type: ARPA, ARP Timeout 04:00:00 > > ======================================================================== > > pmil2534#sh int Fa2/0.36 > > FastEthernet2/0.36 is up, line protocol is up <<<<<< > > Hardware is i82543 (Livengood), address is 0022.be8b.1038 (bia > > 0022.be8b.1038) > > Description: --- To bmil305 - FE5/1/1.5 > > Internet address is 57.78.2.6/30 > > MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec, > > reliability 255/255, txload 1/255, rxload 1/255 > > Encapsulation 802.1Q Virtual LAN, Vlan ID 36. 
> > ======================================================================== > > ping pe to CE fails: > > ---------------------------- > > bmil305#ping 57.78.2.6 <<<<<<, > > Type escape sequence to abort. > > Sending 5, 100-byte ICMP Echos to 57.78.2.6, timeout is 2 seconds: > > ..... > > Success rate is 0 percent (0/5) > > ======================================================================== > > PE to internet (google) successfully: > > ------------------------------------------------------ > > bmil305#ping 216.239.59.147 source fast 5/1/1.36 repeat 100 size 500 > > Type escape sequence to abort. > > Sending 100, 500-byte ICMP Echos to 216.239.59.147, timeout is 2 seconds: > > Packet sent with a source address of 57.78.2.5 > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > > Success rate is 100 percent (100/100), round-trip min/avg/max = 36/40/112 > > ms > > ======================================================================== > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > From petelists at templin.org Tue Feb 3 10:20:42 2009 From: petelists at templin.org (Pete Templin) Date: Tue, 03 Feb 2009 09:20:42 -0600 Subject: [c-nsp] core OSPF configurations In-Reply-To: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> Message-ID: <498860CA.90707@templin.org> Brian Spade wrote: > What is the best way to configure OSPF to inject all 50+ SVIs into the > routing domain? > > Would you configure network statements for all SVI networks and passive the > interfaces? > Would you configure OSPF on the uplink interfaces only and redistributed > connected to create type-5 externals? 
If it were me, the SVIs would be announced into BGP, so that my OSPF world stayed small and clean.

That said, remember that the network statement(s) only have to match, through wildcard math, the _IP addresses_ of the interfaces to be included in OSPF. If you run a single area, 'network 0.0.0.0 255.255.255.255 area 0' is all you need. Flipside, if you want to lock down OSPF to the point that shifting an interface within a subnet causes OSPF to drop so you can catch the culprit in the act, 'network 10.20.30.254 0.0.0.0 area 0' matches exactly that one address (but the interface's correct netmask is used when inserting the route into OSPF).

pt

From sigurbjornl at vodafone.is Tue Feb 3 10:29:40 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 03 Feb 2009 15:29:40 +0000
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <49886127.1050805@occ.lt>
Message-ID:

Something along these lines if you wanted to just send 10.10.53.0/24 and 10.10.54.0/24 through the VPN tunnel

tunnel-group testgroup general-attributes
 default-group-policy testpolicy
group-policy testpolicy internal
group-policy testpolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TunnelList
access-list TunnelList standard permit 10.10.53.0 255.255.255.0
access-list TunnelList standard permit 10.10.54.0 255.255.255.0

BR,
Sibbi

On 3.2.2009 15:22, "Eimantas Zdanevičius" wrote:
> Sigurbjörn Birkir Lárusson wrote:
>> If you're connecting through a natted host to the VPN you might try adding
>>
>> crypto isakmp nat-traversal 30
>>
>> I have a fairly similar setup to yours which works just fine.
>>
> This solved the problem, thanks!
>
> Another problem is that the client sets its default gateway to the tunnel.
> How can I configure only some networks to go through the tunnel?
> > > Eimantas From tsuther at i3bus.com Tue Feb 3 12:30:48 2009 From: tsuther at i3bus.com (Tom Sutherland) Date: Tue, 3 Feb 2009 12:30:48 -0500 Subject: [c-nsp] VPN PIX 6.x Translation issue In-Reply-To: References: Message-ID: <1233682248.7244.16.camel@angry-butler444> have you tried "global (outside) 0 interface" ? -----Original Message----- From: William To: cisco-nsp at puck.nether.net Subject: [c-nsp] VPN PIX 6.x Translation issue Date: Mon, 2 Feb 2009 10:57:05 -0500 Hi folks! I currently have a PIX firewall running 6 code, the firewall has 3 interfaces, inside, outside and inside2. At the moment I can VPN and communicate to all the hosts on the inside, what I'd like to do is also be able to communicate with the hosts on inside2, the security levels are: outside: 0 inside: 100 inside2: 90 When I try to speak to inside2 hosts, I get the following error: %PIX-3-305005: No translation group found for icmp src outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0) I'm very confused as to where I should be putting global/nat statements... so far my setup consists of: nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 10.10.200.0 255.255.255.0 0 0 nat (inside2) 0 access-list office_outbound_nat0_acl nat (inside2) 1 192.168.0.0 255.255.255.0 0 0 global (outside) 1 interface This lets both inside and inside2 hosts contact the internet via int outside, and no nat stuff that needs to traverse VPN tunnels... If anyone can assist/educate me on getting this working I would appreciate it very much! 
Cheers,
W
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From steve at ibctech.ca Tue Feb 3 13:28:26 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Tue, 03 Feb 2009 13:28:26 -0500
Subject: [c-nsp] A little confusion: OSPF and iBGP
In-Reply-To: <200902040158.39927.mtinka@globaltransit.net>
References: <49884745.2030304@ibctech.ca> <200902040158.39927.mtinka@globaltransit.net>
Message-ID: <49888CCA.1040801@ibctech.ca>

Mark Tinka wrote:
> On Tuesday 03 February 2009 09:31:49 pm Steve Bertrand
> wrote:

Thanks for the feedback Mark,

> For customer aggregation edge routers, prefixes used to
> assign /30 (/126 for v6, or whatever you use for this
> purpose) point-to-point addresses, as well as assignments
> for their own use on their LAN's, from your own blocks,
> would be included in your iBGP running on these routers.
> Typically, we assign whole /24's or more for this purpose,
> and announce a shorter block within our network; keeps our
> iBGP table as small as possible (can't have little /30's or
> /126's running around in your iBGP, now can you :-)).

So far, I seem to be doing ok then, less the ability to aggregate the /30's. At first, I allocated space for /30's from a reserved space for only that purpose, and have this reserved space on both the inside, and outside of the edge routers (and have to have the little /30's floating around).
That's easy enough to rectify at this point by renumbering my intra-router links, so thank you for pointing that out :)

Steve

From mtinka at globaltransit.net Tue Feb 3 12:58:24 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 4 Feb 2009 01:58:24 +0800
Subject: [c-nsp] A little confusion: OSPF and iBGP
In-Reply-To: <49884745.2030304@ibctech.ca>
References: <49884745.2030304@ibctech.ca>
Message-ID: <200902040158.39927.mtinka@globaltransit.net>

On Tuesday 03 February 2009 09:31:49 pm Steve Bertrand wrote:

> For the prefixes at the client access edge that are put
> in place statically, I advertise them to the other
> internal peers via iBGP. Would it be best to leave it
> this way, or to put this address space into the IGP
> instead, and have BGP only announce the actual eBGP
> learnt routes?

Best to keep your IGP carrying only your Loopbacks, and iBGP handling your customer prefixes. Doing this affords you the filtering capabilities of BGP and allows you to operationalize your routing policy better.

> Also, should all of my routers have a pull-up route for
> the entire /21, or just for the prefixes that they house?

Normally, I'd recommend the aggregates be originated by a very stable device in the network. We do this using our route reflectors, and change the NEXT_HOP attribute of the aggregates to point to the Null/Discard interface on all peripheral routers. These edge routers would then be configured to re-announce the aggregates to remote eBGP peers (customers, transit providers, public/private peers, e.t.c.).

For customer aggregation edge routers, prefixes used to assign /30 (/126 for v6, or whatever you use for this purpose) point-to-point addresses, as well as assignments for their own use on their LAN's, from your own blocks, would be included in your iBGP running on these routers.
Typically, we assign whole /24's or more for this purpose, and announce a shorter block within our network; keeps our iBGP table as small as possible (can't have little /30's or /126's running around in your iBGP, now can you :-)).

So far, you seem to be on the right track.

Cheers,

Mark.

From deanperrine at gmail.com Tue Feb 3 15:20:57 2009
From: deanperrine at gmail.com (Dean Perrine)
Date: Tue, 3 Feb 2009 12:20:57 -0800
Subject: [c-nsp] Cisco MARS vs. Q1 Qradar - and other vendors
Message-ID: <2db25e4e0902031220n792504aep25ded027db17cec5@mail.gmail.com>

Does anyone have some input on security event correlation systems?

Currently reviewing Cisco MARS vs. Q1 Labs QRadar.

Environment information:
Very large DMVPN, IPS's, FW's, CSM.

Thanks,
==========================
Dean Perrine

From peter at rathlev.dk Tue Feb 3 15:26:12 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 03 Feb 2009 21:26:12 +0100
Subject: [c-nsp] VPN PIX 6.x Translation issue
In-Reply-To: <1233682248.7244.16.camel@angry-butler444>
References: <1233682248.7244.16.camel@angry-butler444>
Message-ID: <1233692772.4202.1.camel@localhost.localdomain>

On Tue, 2009-02-03 at 12:30 -0500, Tom Sutherland wrote:
> have you tried "global (outside) 0 interface" ?

Huh? A "global-0"? What does that do? Does it explicitly _not_ translate to the interface address of the outside interface? ;-)

Regards,
Peter

From peter at rathlev.dk Tue Feb 3 15:46:53 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 03 Feb 2009 21:46:53 +0100
Subject: [c-nsp] Cisco MARS vs.
Q1 Qradar - and other vendors In-Reply-To: <2db25e4e0902031220n792504aep25ded027db17cec5@mail.gmail.com> References: <2db25e4e0902031220n792504aep25ded027db17cec5@mail.gmail.com> Message-ID: <1233694013.4202.20.camel@localhost.localdomain> On Tue, 2009-02-03 at 12:20 -0800, Dean Perrine wrote: > Does anyone have some input on security event correlation systems? > > Currently reviewing Cisco MARS vs. Q1 Labs QRadar. We have a MARS-110 and I must frankly say I'm not impressed. The system needs a _lot_ of training to be useful and the built in templates aren't worth much in my eyes. (We've had 10 people take the "MARS" training course and even then only a couple of us find it at most marginally useful.) My personal conclusion is that a combination of SEC, NFsen and a few scripts parsing logfiles etc. are an easier, cheaper and better way of accomplishing event correlations. It's (relatively) easy to do the visualisations in a similar way to what MARS does by feeding GraphViz with input from either CDP (L2-topology) or your IGP or BGP (L3-topology). Of course this means you have to love using these tools and you need to have several people on staff with the relevant skills. CS-MARS could be the right thing as an "almost turn key" solution. > Environment information: > Very large DMVPN, IPS's, FW's, CSM. The integration from CS-MARS towards many other Cisco products would be the one maybe strong point. I'd say let the people having to work with it make the decision. :-) Regards, Peter From pierre at userid.org Tue Feb 3 16:35:26 2009 From: pierre at userid.org (Pierre Lamy) Date: Tue, 03 Feb 2009 16:35:26 -0500 Subject: [c-nsp] Cisco switch FLP Message-ID: <4988B89E.2020609@userid.org> One of my fellow engineers needs to understand auto-advertise and autoneg with regards to Cisco switches. 
Can anyone confirm that hard coded speed/duplex settings on a generic modern Cisco switch will not prevent the switch port from sending fast link pulses, advertising the switch port's hardcoded speed/duplex settings, so that the device at the other end will be able to bring up a link if the remote device itself does not send out FLP?

Pierre

From gert at greenie.muc.de Tue Feb 3 16:53:16 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 3 Feb 2009 22:53:16 +0100
Subject: [c-nsp] Cisco switch FLP
In-Reply-To: <4988B89E.2020609@userid.org>
References: <4988B89E.2020609@userid.org>
Message-ID: <20090203215316.GK290@greenie.muc.de>

Hi,

On Tue, Feb 03, 2009 at 04:35:26PM -0500, Pierre Lamy wrote:
> Can anyone confirm that hard coded speed/duplex settings on a generic
> modern Cisco switch, will not prevent the switch port from sending fast
> link pulses, advertising the switch port's hardcoded speed/duplex
> settings so that the device at the other end, will be able to bring up a
> link if the remote device itself does not send out FLP?

It will autoneg 100M, but it will usually result in a duplex mismatch.

"Don't hardcode ports unless you know for sure that you need it" (because you connect to a Cisco 7200 with PA-FE or the like).

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From swmike at swm.pp.se Tue Feb 3 17:13:54 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 3 Feb 2009 23:13:54 +0100 (CET)
Subject: [c-nsp] Cisco switch FLP
In-Reply-To: <4988B89E.2020609@userid.org>
References: <4988B89E.2020609@userid.org>
Message-ID:

On Tue, 3 Feb 2009, Pierre Lamy wrote:
> Can anyone confirm that hard coded speed/duplex settings on a generic
> modern Cisco switch, will not prevent the switch port from sending fast
> link pulses, advertising the switch port's hardcoded speed/duplex
> settings so that the device at the other end, will be able to bring up a
> link if the remote device itself does not send out FLP?

Generic behaviour is that if you hard-code both speed and duplex, the switch stops advertising to the other end using autoneg. So 100/full fixed at one end and the other end set to auto/auto will result in that end thinking it is speaking to a hub that doesn't do autoneg, and it'll detect the 100, but will go to 100/half.

There is recent hw from the past 1-2 years that can advertise capabilities even when being fixed, but it has to be configured in another way.
--
Mikael Abrahamsson email: swmike at swm.pp.se

From rekordmeister at gmail.com Tue Feb 3 17:21:06 2009
From: rekordmeister at gmail.com (MKS)
Date: Tue, 3 Feb 2009 22:21:06 +0000
Subject: [c-nsp] Ethernet to ATM local connect
Message-ID:

Hi there

Is there a cisco platform / sw out there that can do the following (the critical part being _second-dot1q_)

interface gig3/1.10
 encapsulation dot1q 10 second-dot1q 2

interface atm2/0/0
 pvc 0/400 l2transport
  encapsulation aal5

connect atm-ethvlan atm2/0/0 0/400 gigabitethernet3/1.10 interworking ethernet

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1096615

Regards
MKS

From sigurbjornl at vodafone.is Tue Feb 3 17:31:56 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 03 Feb 2009 22:31:56 +0000
Subject: [c-nsp] show dsl int atm 0
In-Reply-To: <4986C36A.1090406@pelican.org>
Message-ID:

Moving the Target Noise Margin or whatever it is called in your DSLAM is a better plan. Interleaving has far more to do with sync stability, i.e. it allows the router some time to respond to changes in the line quality before losing the sync; it also increases latency. The more interleaving time you allow, the greater the latency, but then again, better sync stability.

I would use both, interleave at a low setting, and a higher target noise margin if you're running sensitive services such as IPTV over the line. 4ms interleave + 9dB target noise margin should leave the line relatively stable. If you find the maximum sync speed of the line moves below your set minimum to offer the service when you're at 9dB (the higher the target noise margin the lower the sync speed), the line probably isn't good enough to offer the service to begin with.
BR,
Sibbi

On 2.2.2009 09:56, "Tim Franklin" wrote:

> Ziv Leyes wrote:
>
>> Setting interleave in the DSLAM will do automatically what I proposed
>> before, lowering the speed of the link in order to improve line
>> quality.
>
> Be careful with what you mean by "speed" in this instance. Interleaving
> typically increases latency, rather than reducing bandwidth.
>
> Regards,
> Tim.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From david at hughes.com.au Tue Feb 3 17:49:49 2009
From: david at hughes.com.au (David Hughes)
Date: Wed, 4 Feb 2009 08:49:49 +1000
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To: <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be>
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au>, <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be>
Message-ID: <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au>

Yup, that's exactly the situation. STP will work around some of the problem caused by this, but if you are presenting an etherchannel over multiple xconnects you can't pick up the link failure of part of the etherchannel without UDLD. We did some initial proof of concepts with 2900s running 2 second timers and it was great. Imagine the look on my face when we found out that 6500s don't have the functionality of a $1,000 access switch ..... So, is the config option on SXI still 7 seconds at best?

Thanks

David
...

On 03/02/2009, at 7:45 PM, Thomas Dupas wrote:

> I assume it's a L2 link (EoMPLS), so BFD won't help much.
>
> We're in the same situation, also stuck with UDLD timers and 2
> parallel EoMPLS xconnects.
> I can't get the convergence lower than 20
> seconds with the default UDLD, so I'm also hoping for fast UDLD
>
> Best Regards,
>
> Thomas
>
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] on behalf of Gert Doering [gert at greenie.muc.de]
> Sent: Tuesday 3 February 2009 8:15
> To: David Hughes
> CC: Cisco NSP ((E-mail))'
> Subject: Re: [c-nsp] Fast UDLD timers in SXI?
>
> Hi,
>
> On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote:
>> Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down
>> to 1 second) or if we are still stuck with the old 7 sec timers. We
>> can do 1 sec UDLD on 2900 class switches so I hope we see it in the
>> "premier switching platform" some time soon. We need some way to
>> pick up a link failure at the far end of an EoMPLS xconnect in a
>> reasonable time.
>
> Can you use BFD?
>
> (Yes, this is not answering your question - I don't know the answer
> - but it might be an alternative approach if this is a layer 3 link)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany    gert at greenie.muc.de
> fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From harbor235 at gmail.com Tue Feb 3 18:21:33 2009
From: harbor235 at gmail.com (harbor235)
Date: Tue, 3 Feb 2009 18:21:33 -0500
Subject: [c-nsp] Ring Protocol
Message-ID: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com>

I am looking to deploy an Ethernet Ring topology in a campus. The ring is to connect multiple buildings via a high speed 10G backbone. Does Cisco offer any products in this area? The ONS is too expensive; I am looking for something smaller that is Ethernet based.
mike

From rubensk at gmail.com Tue Feb 3 19:06:35 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Tue, 3 Feb 2009 22:06:35 -0200
Subject: [c-nsp] Ring Protocol
In-Reply-To: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com>
References: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com>
Message-ID: <6bb5f5b10902031606w5ba0331cq96e1d518522d5504@mail.gmail.com>

I don't think Cisco currently has a 10G ethernet ring offer. It might come up when REP (Resilient Ethernet Protocol) gets implemented in the 6500 IOS. It was supposed to be on SXI, but that didn't happen. If 2G is enough, ME-3400G-12CS-x with 4 SFP uplinks might do Gigabit Etherchannel, perhaps?

Outside of Cisco-land, Extreme, Foundry and Force 10 seem to have currently shipping solutions.

Rubens

On Tue, Feb 3, 2009 at 9:21 PM, harbor235 wrote:
> I am looking to deploy a Ethernet Ring topology in a campus. The ring is to
> connect multiple buildings via a high speed 10G backbone. Does Cisco offer any
> products in this area? The ONS is too expensive, looking for something smaller
> that is Ethernet based.
>
> mike

From rubensk at gmail.com Tue Feb 3 19:37:57 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Tue, 3 Feb 2009 22:37:57 -0200
Subject: [c-nsp] Ring Protocol
In-Reply-To: <6bb5f5b10902031606w5ba0331cq96e1d518522d5504@mail.gmail.com>
References: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com> <6bb5f5b10902031606w5ba0331cq96e1d518522d5504@mail.gmail.com>
Message-ID: <6bb5f5b10902031637l67b82e22o228f0c2aa84feca2@mail.gmail.com>

A little bird from C whispered me the following:

"I'd take a look at the ME-4924-10GE device (REP supports ~50ms failover); as well as this you have support for it on the larger devices like the 7600.
4924 support for REP started in 12.2(44)SG -
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_bulletin_c25_468227.html

7600 has supported REP since 12.2(33)SRC -
http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_rep.html"

I stand corrected.

Rubens

From harbor235 at gmail.com Tue Feb 3 20:51:25 2009
From: harbor235 at gmail.com (harbor235)
Date: Tue, 3 Feb 2009 20:51:25 -0500
Subject: [c-nsp] Ring Protocol
In-Reply-To: <6bb5f5b10902031637l67b82e22o228f0c2aa84feca2@mail.gmail.com>
References: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com> <6bb5f5b10902031606w5ba0331cq96e1d518522d5504@mail.gmail.com> <6bb5f5b10902031637l67b82e22o228f0c2aa84feca2@mail.gmail.com>
Message-ID: <836bf1f90902031751u5031b0a9n223e5ec9cb5cb70d@mail.gmail.com>

Thank you for all your replies, that was exactly what I was looking for.
mike

From engel.labiro at gmail.com Tue Feb 3 21:41:56 2009
From: engel.labiro at gmail.com (Engelhard Labiro)
Date: Wed, 4 Feb 2009 11:41:56 +0900
Subject: [c-nsp] reachability issue in MEL link
In-Reply-To:
References: <64206.172.25.144.4.1233648371.squirrel@imap.snnap.net>
Message-ID: <74b0c3330902031841s3bfa256fu486b1c5eb4fe2e94@mail.gmail.com>

> i told the carrier i want to have the packets transferred with dot1q
> encapsulation, and they replied that they are providing a transparent
> environment, regardless whether the two ends are access or trunk

Does your carrier support 802.1QinQ or something alike that is able to transport your dot1q tag?

http://www.ippacket.org/blog/archives/2004/08/ieee_8021q-in-q.html

Just FYI, we have a CE router (7206VXR) with a trunking port to the provider's PE. This is working without problem here, YMMV.

From andy.saykao at staff.netspace.net.au Wed Feb 4 02:11:32 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Wed, 4 Feb 2009 18:11:32 +1100
Subject: [c-nsp] MPLS QoS question about the HOSE model
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BB1@vic-cr-ex1.staff.netspace.net.au>

Hi All,

I'm continuing to try and understand QoS a little better in relation to applying it to our MPLS VPN network, but it seems the more I read about it the more I'm confused. Not to mention the lack of configuration examples out there.

I understand that we can provide two QoS solutions for MPLS VPN customers.

1/ Guaranteed BW at ingress/egress (also known as the HOSE model).
2/ Full QOS deployment with varying class of service based on IPP and/or DSCP.

In relation to solution 1, I'm not really clear about guaranteeing the bandwidth at the ingress/egress.
Is the bandwidth guarantee in regards to the physical link connecting the CE to the PE? Or are we giving the customer a guarantee on the PE to P link (which would make more sense to me)?

[ CE ] --- 2M/2M ---> [ PE ] ---> [ P ]

Imagine if the customer had a 2M/2M SHDSL connection into the SP's MPLS network; are we able to, for example, guarantee an ICR of 256K and ECR of 512K??? And why would we do this when the customer would expect to be able to send/receive up to 2M because that's what they're paying for.

My thinking is probably flawed, so if anybody could clear up my misconceptions about the hose model, that would be great!

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.
From eimantas at occ.lt Wed Feb 4 02:45:00 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Wed, 04 Feb 2009 09:45:00 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To:
References:
Message-ID: <4989477C.8060706@occ.lt>

Sigurbjörn Birkir Lárusson wrote:
> Something along these lines if you wanted to just send 10.10.53.0/24 and
> 10.10.54.0/24 through the VPN tunnel
>
> tunnel-group testgroup general-attributes
>  default-group-policy testpolicy
>
> group-policy testpolicy internal
> group-policy testpolicy attributes
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value TunnelList
>
> access-list TunnelList standard permit 10.10.53.0 255.255.255.0
> access-list TunnelList standard permit 10.10.54.0 255.255.255.0
>
> BR,
> Sibbi
>

This perfectly sets routes for the specified networks. But how to disable the default gateway setting on the VPN client?

If I go to ASA ASDM->Configuration->VPN->Default Tunnel Gateway it says:

To configure default tunnel gateway, go to Static Route.
I have two static routes configured:

S    aaa.bbb.ccc.ddd 255.255.255.255 [1/0] via 10.10.1.2, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.4.254, outside

From eng_mssk at hotmail.com Wed Feb 4 03:25:59 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 4 Feb 2009 10:25:59 +0200
Subject: [c-nsp] Ethernet to ATM local connect
In-Reply-To:
References:
Message-ID:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/qinq.html#wp1043332

> Date: Tue, 3 Feb 2009 22:21:06 +0000
> From: rekordmeister at gmail.com
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Ethernet to ATM local connect
>
> Is there a cisco platform / sw out there that can the following (the
> critical part being _second-dot1q_)

From avayner at cisco.com Wed Feb 4 04:41:30 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 4 Feb 2009 10:41:30 +0100
Subject: [c-nsp] Ethernet to ATM local connect
In-Reply-To:
References:
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7275397@xmb-ams-331.emea.cisco.com>

Hi,

Take a look here:
http://www.cisco.com/en/US/products/hw/routers/ps368/module_installation_and_configuration_guides_chapter09186a0080440138.html#wp1135748

Then, using ES20 for Ethernet with EVC, you have the option to bridge-domain a QinQ VLAN to the same global SVI. I have never tested it, and am not sure if it's a common application, but I think this should work.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of MKS
Sent: Wednesday, February 04, 2009 00:21
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Ethernet to ATM local connect

Is there a cisco platform / sw out there that can the following (the critical part being _second-dot1q_)

From wim.holemans at ua.ac.be Wed Feb 4 04:51:09 2009
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Wed, 4 Feb 2009 10:51:09 +0100
Subject: [c-nsp] VSS upgrade problems
Message-ID:

I'm testing a VSS solution for our campus network; most things seem to work as expected. I ran however into problems when testing the eFSU upgrade procedure.
The system came with ip base 12.33SXH4 on; I created the cluster with this version without problem (although the notes state that you should use at least ip services). I upgraded the system the traditional way to ip base 12.33 SXI without problem. Then I decided to test the eFSU upgrade procedure (available from 12.33SXI), which should give no downtime at all (if all your connections are trunks to both chassis). I tried to upgrade from ip base 12.33SXI to ip services 12.33SXI. This however failed and kept my standby chassis continuously booting until I removed the VSS connection between both (I forgot to activate the issu rollback timer...)

These were the messages I got:

1) On the master:

01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant configuration: Active SP has (1048576/8192K) memory, Standby has (1048576/65536K).
01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant configuration: Active RP has (1048576/8192K) memory, Standby has (1048576/65536K).
01:01:48: %PFREDUN-SW2_SP-6-ACTIVE: Standby initializing for RPR mode
01:01:50: %ISSU-SW2_SP-4-FSM_INCOMP: Version of local ISSU client ISSU ifs client(110) in session 327962 is incompatible with remote side.
01:01:50: %RFS-SW2_SP-3-START_NEGO_SESSION: RFS nego (327962:262609) to [issu:rfs:Secondary RFS Server Port:0x3050000] failed: [ISSU_RC_NEGO_ERROR]
01:02:21: %RF-SW2_SP-5-RF_RELOAD: Peer reload. Reason: RF Client RFS RF(520) notification timeout
01:02:22: %VSLP-SW2_SP-3-VSLP_LMP_FAIL_REASON: Te2/5/4: Disabled by Peer Reload Request
01:02:22: %VSLP-SW2_SP-2-VSL_DOWN: Last VSL interface Te2/5/4 went down
01:02:22: %VSLP-SW2_SP-2-VSL_DOWN: All VSL links went down while switch is in ACTIVE role
01:02:23: %PFREDUN-SW2_SP-6-ACTIVE: Standby processor removed or reloaded, changing to Simplex mode
01:02:23: %RF-SW2_SP-3-NOTIF_TMO: Notification timer Expired for RF Client: RFS RF(520)
01:02:24: %RF-SW2_SP-5-RF_RELOAD: Peer reload.
Reason: Proxy request to reload peer

2) On the slave:

*Feb 3 10:48:12.695: %ISSU-SW1_SPSTBY-3-FSM_MISMATCH_MTU: ISSU nego failed for client ISSU ifs client(110) entity_id 113 session 65694 due to mismatch of mtu size 36 & 72.
-Traceback= 40252F70 4025350C 40969458 417A050C 417A0578 40966980 40966BE0 40966FD8 409A8FFC 4042FD60 40447984 4088E6C0 4088E6AC
*Feb 3 10:48:12.735: %ISSU-SW1_SPSTBY-4-FSM_INCOMP: Version of local ISSU client ISSU ifs client(110) in session 65694 is incompatible with remote side.
*Feb 3 10:48:12.735: %RFS-SW1_SPSTBY-3-START_NEGO_SESSION: RFS nego (65694:65693) to [issu:rfs:65536:0x10000] failed: [ISSU_RC_NEGO_ERROR]
*Feb 3 10:48:43.551: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested - From Active Switch (Reload peer unit).
*Feb 3 10:48:45.071: %VSLP-SW1_SPSTBY-3-VSLP_LMP_FAIL_REASON: 5/4 : Link down
*Feb 3 10:48:45.071: %VSLP-SW1_SPSTBY-2-VSL_DOWN: Last VSL interface 5/4 went down
*Feb 3 10:48:45.075: %VSLP-SW1_SPSTBY-2-VSL_DOWN: All VSL links went down while switch is in Standby role
*Feb 3 10:48:45.083: %SATVS_IBC-SW1_SPSTBY-5-VSL_DOWN_SCP_DROP: VSL inactive - dropping cached SCP packet: (SA/DA:0x4/0x4, SSAP/DSAP:0x2/0x1, OP/SEQ:0x1E/0x13, SIG/INFO:0x1/0x501, eSA:0000.0500.0000)
*Feb 3 10:48:46.127: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested by Delayed Reload. Reload Reason: Admin requested reload of the Standby during ISSU.
*Feb 3 10:48:46.127: %OIR-SW1_SPSTBY-6-CONSOLE: Changing console ownership to switch processor

Two things are strange: the message about PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH, because these are 2 identical supervisor boards, and secondly the MTU mismatch error. I tried to find some info about the MTU error, but neither the Cisco website nor Google gave any info about these errors. Anyone has an idea, or just a pointer to more detailed technical detail? There is not that much documentation on the Cisco website about VSS...
Any help would be appreciated,

Greetings,

Wim Holemans
Netwerkdienst Universiteit Antwerpen

From rmikisa at gmail.com Wed Feb 4 04:34:22 2009
From: rmikisa at gmail.com (Mikisa Richard)
Date: Wed, 4 Feb 2009 12:34:22 +0300
Subject: [c-nsp] VPN with Static mapping - ASA5520
In-Reply-To: <4989477C.8060706@occ.lt>
References: <4989477C.8060706@occ.lt>
Message-ID: <4989611E.8070109@gmail.com>

Hi all,

The scenario is the need to create a VPN tunnel to a remote site, but the remote site requires that the machine (local host) they connect to have a public IP. So I have set up a static mapping 10.101.25.25 -> 41.202.X.X. The tunnel comes up but the connection to 10.101.25.25 fails. Conf below.

Point to note is that I have a working VPN tunnel to a different remote site that uses local net 10.101.25.0/24. Would the fact that I am trying to use an IP from that range be the reason the connection fails?

!!
access-list acl-out extended permit ip any host 41.202.X.X
!!
access-list Inside_nat0_outbound extended permit ip host 41.202.X.X host 131.166.X.X
access-list Outside_80_cryptomap extended permit ip host 41.202.X.X host 131.166.X.X
!!
static (Inside,Outside) tcp 41.202.X.X ftp 10.101.25.25 ftp netmask 255.255.255.255
!!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 80 match address Outside_80_cryptomap
crypto map Outside_map 80 set peer 131.166.X.Y
crypto map Outside_map 80 set transform-set ESP-3DES-SHA
crypto isakmp nat-traversal 30
tunnel-group 131.166.X.X type ipsec-l2l
tunnel-group 131.166.X.X ipsec-attributes
 pre-shared-key *

Regards
Richard

From ian.mackinnon at lumison.net Wed Feb 4 06:37:12 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Wed, 04 Feb 2009 11:37:12 +0000
Subject: [c-nsp] OSPF and metrics
Message-ID: <49897DE8.2000709@lumison.net>

Hi All,

I think my brain is misfiring today.
I am trying to provide some backup services between two gateway routers. On one router I just have a simple route statement, and on the second router I have the same route with a metric on the end:

router 1
ip route 10.0.0.0 255.255.255.0 10.1.0.0.1

router 2
ip route 10.0.0.0 255.255.255.0 10.2.0.01 666

i.e. router 1 sends it via its connection, and router 2 is available when the link from router 1 goes away.

This is then redistributed into OSPF on both routers; both routers then have the same neighbour upstream.

redistribute static metric-type 1 subnets

However, when I look upstream I am not seeing the metric, and it is choosing the router 2 route.

What am I missing?

Thanks
Ian

-- 
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email.

From ian.mackinnon at lumison.net Wed Feb 4 07:11:16 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Wed, 04 Feb 2009 12:11:16 +0000
Subject: [c-nsp] OSPF and metrics
In-Reply-To: <49897DE8.2000709@lumison.net>
References: <49897DE8.2000709@lumison.net>
Message-ID: <498985E4.7060509@lumison.net>

And what is the default distance of OSPF? Yes, it's 110, so you need to make the floating route have a distance higher than that! So, all working now.

On 04/02/2009 11:37, Ian MacKinnon wrote:
> Hi All,
>
> I think my brain is misfiring today.
>
> I am trying to provide some backup services between to gateway
> routers, on one router I just have a simple route statetment, and on
> the second router I have the same route with a metric on the end :-
>
> router 1
> ip route 10.0.0.0 255.255.255.0 10.1.0.0.1
> router 2
> ip route 10.0.0.0 255.255.255.0 10.2.0.01 666

-- 
Ian MacKinnon
Lumison
t: 0845 1199 900
d: 0131 514 4055

From rens at autempspourmoi.be Wed Feb 4 07:27:08 2009
From: rens at autempspourmoi.be (Rens)
Date: Wed, 4 Feb 2009 13:27:08 +0100
Subject: [c-nsp] Ethernet VPN circuits
Message-ID: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com>

Hi,

We have a provider that has a new product, and I would like to know if I could use it with our current infrastructure to interconnect sites.

This is how it works on the provider side:

1 Central Site where everything arrives
Multiple Remote Sites that you can connect to the Central Site
Per Remote Site we have to define a VLAN tag.

So it would look like this:

My CS router <=> my CS switch <=> provider CS switch <=> provider Backbone <=> provider RS switch <=> My RS router
7206VXR <=> 3550 <=> 2960 <=> No Idea <=> 2960 <=> 1841

So if I want to do a /30 OSPF between my CS router and my RS router, I would use vlan 200 for this at the RS router (subinterface dot1q); it enters the provider RS switch and they add the predefined vlan as outer tag (example 800). It arrives like this at my CS site, and now I have a problem.
1) I either remove the outer tag VLAN (800) on the switch so on my router I can do the same subinterface dot1q 200 => but this won't work when I want to do the same thing with multiple RS

2) Can I pass the double tag through my switch to our 7206 and configure a double dot1q subinterface, so the router removes both outer & inner, 800 & 200, and OSPF goes up :-)

Any help is appreciated.

Regards,
Rens

From oles at ovh.net Wed Feb 4 06:38:08 2009
From: oles at ovh.net (oles at ovh.net)
Date: Wed, 4 Feb 2009 12:38:08 +0100
Subject: [c-nsp] VSS upgrade problems
In-Reply-To:
References:
Message-ID: <20090204113808.GY28467@ovh.net>

> tried to upgrade from ip base 12.33SXI to ip services 12.33SXI. This
> 01:02:21: %RF-SW2_SP-5-RF_RELOAD: Peer reload. Reason: RF Client RFS
> RF(520) notification timeout

Hi,

I guess you have the problem I had with my (VSS/SXI) AND (a big setup file, lots of ports, lots of port channels ...). I spent 3 nights looking for a solution. If it's your problem, I found this solution:

- shutdown all cards in the master (except sup720)
  "no power enable switch 1-2 module 1-4,6-9"
  you can leave the slave with no changes
- then start the slave
- the sync of the setup between master/slave won't generate any "timeout"
- you can restart the cards again
  power enable switch 1-2 module 1-4,6-9
- all is working again

Once all is up:
- you have to add the new ports/new port channels with a "sleep 10" between every command (it allows the router to sync the setup between master/slave)
- you can't touch any inter vlan XX, ip add XX YY. It creates a big timeout and the slave reloads.

Cisco told me this bug will be fixed in SXI1. 4 weeks? I don't know.
Regards,
Octave

From sigurbjornl at vodafone.is Wed Feb 4 08:17:13 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Wed, 04 Feb 2009 13:17:13 +0000
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <4989477C.8060706@occ.lt>
Message-ID:

Hmm, assuming you are using the Cisco VPN client, you shouldn't be getting a default if the split-tunnel configuration is working.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2

has pretty good ASDM instructions on how to do this; I don't use the ASDM :)

BR,
Sibbi

On 4.2.2009 07:45, "Eimantas Zdanevičius" wrote:
> This perfectly sets routes for specified networks.
> But how to disable default gateway setting on vpn client?
>
> If i go to ASA ASDM->Configuration->VPN->Default Tunnel Gateway it says:
>
> To configure default tunnel gateway, go to Static Route.
>
> i have two static routes configured:
>
> S    aaa.bbb.ccc.ddd 255.255.255.255 [1/0] via 10.10.1.2, inside
> S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.4.254, outside

From gert at greenie.muc.de Wed Feb 4 08:30:42 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 4 Feb 2009 14:30:42 +0100
Subject: [c-nsp] VSS upgrade problems
In-Reply-To:
References:
Message-ID: <20090204133042.GO290@greenie.muc.de>

Hi,

On Wed, Feb 04, 2009 at 10:51:09AM +0100, Holemans Wim wrote:
> ip base 12.33 SXI without problem. The I decided to test the eFSU
> upgrade procedure (available from 12.33SXI) which should give no
> downtime at all (if all your connections are trunks to both chassis). I
> tried to upgrade from ip base 12.33SXI to ip services 12.33SXI. This

As far as I understand (this was mentioned in the VSS talk at Networkers last week), this will only work between minor releases carrying the same feature set. So:

ip services SXI -> ip services SXI1  --> will work
ip services SXI -> advanced ip services SXI  --> will not work

(Now the specific error messages are indeed not as helpful as one might imagine...)

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From deric.kwok2000 at gmail.com Wed Feb 4 09:02:39 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 4 Feb 2009 09:02:39 -0500
Subject: [c-nsp] access list help
Message-ID: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com>

Hi All

I am new to Cisco and trying to configure the access list in my switch.

My switch IP is 192.168.0.118

I am trying to block the http traffic to the host 192.168.0.115

When I put it in, I can not access the switch!
But I can access http://192.168.0.115

Can you help with what is wrong?
Can you give me examples?

access-list 120 deny tcp any host 192.168.0.115 eq www any log
access-list 120 remark restrict www traffic to host 192.168.0.115
access-list 120 permit ip any host 192.168.0.115

(config)#interface vlan1
(config-if)#ip access-group 120 in

I also don't understand: the access list is only for denying 192.168.0.115. Why does it block me in switch 192.168.0.118, but 192.168.0.115 is still fine?

More Questions:
Is the access list in a switch the same as in a router also?
and Can you give me example to have access list for 3 hours?

Thank you for your help.

From eimantas at occ.lt  Wed Feb  4 09:05:46 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Wed, 04 Feb 2009 16:05:46 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To:
References:
Message-ID: <4989A0BA.5080401@occ.lt>

Sigurbjörn Birkir Lárusson wrote:
> Hmm, assuming you are using the Cisco VPN client you shouldn't be getting a
> default if the split-tunnel configuration is working
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
>
> Has pretty good ASDM instructions on how to do this, I don't use the ASDM :)
>
> BR,
> Sibbi

Can be this because of routing metrics?

default gateway on asa has metric set to 1
vpnclient uses vodafone mobile connection.

Maybe, because of this vpn default route overrides vodafone default route?

From sigurbjornl at vodafone.is  Wed Feb  4 09:07:06 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Wed, 04 Feb 2009 14:07:06 +0000
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <4989A0BA.5080401@occ.lt>
Message-ID:

It shouldn't be sending you a default route at all, just the tunnel routes

BR,
Sibbi

On 4.2.2009 14:05, "Eimantas Zdanevičius" wrote:

> Sigurbjörn Birkir Lárusson wrote:
>> Hmm, assuming you are using the Cisco VPN client you shouldn't be getting a
>> default if the split-tunnel configuration is working
>>
>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
>>
>> Has pretty good ASDM instructions on how to do this, I don't use the ASDM :)
>>
>> BR,
>> Sibbi
> Can be this because of routing metrics?
>
> default gateway on asa has metric set to 1
> vpnclient uses vodafone mobile connection.
>
> Maybe, because of this vpn default route overrides vodafone default route?
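Deric's access-list question above, modelled in Python as an added example that is not part of the thread: an IOS extended ACL ends in an implicit deny, and an ACL applied inbound on the vlan1 SVI is only consulted for traffic that enters that layer-3 interface, never for frames switched between ports in the same VLAN (the points Steve and Tim make in their replies further down). The querying PC's address 192.168.0.10, the VLAN 1 subnet 192.168.0.0/24, treating the stray trailing "any" on the deny line as a typo, and writing Steve's "permit any any" in its IOS form "permit ip any any" are assumptions.

```python
"""Model of IOS extended-ACL evaluation for the access-list thread (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}

SWITCH_IP = ip_address("192.168.0.118")   # vlan1 SVI address, from Deric's post
VLAN1 = ip_network("192.168.0.0/24")      # assumed VLAN 1 subnet (constructed)

# Deric's ACL; the posted deny line carried a stray trailing "any" before "log",
# treated here as a typo so the line parses.
ACL_120 = [
    "access-list 120 deny tcp any host 192.168.0.115 eq www log",
    "access-list 120 remark restrict www traffic to host 192.168.0.115",
    "access-list 120 permit ip any host 192.168.0.115",
]


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # destination port from "eq", if given
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: Optional[int] = None


def _addr_spec(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard mask: invert it into the netmask that ipaddress understands
    netmask = IPv4Address(int(IPv4Address(t[i + 1])) ^ 0xFFFFFFFF)
    return ip_network((t[i], str(netmask)), strict=False), i + 2


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one numbered extended ACL line; a remark yields None."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    if t[2] == "remark":
        return None
    action, proto = t[2], t[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    src, i = _addr_spec(t, 4)
    dst, i = _addr_spec(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        i += 2
    return Ace(action, proto, src, dst, dport, "log" in t[i:])


def parse_acl(lines: List[str]) -> List[Ace]:
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if pkt.src not in ace.src or pkt.dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action + (" (logged)" if ace.log else "")
    return "deny (implicit)"


def vlan1_inbound(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """Fate of a frame arriving on a VLAN 1 port with 'ip access-group 120 in' on vlan1.

    Only traffic that enters the layer-3 SVI (addressed to the switch itself or
    routed off the VLAN) is checked against the ACL; frames bridged to another
    port in the same VLAN never reach the SVI, so the ACL is not consulted.
    """
    if pkt.dst == SWITCH_IP:
        return "svi", evaluate(acl, pkt)
    if pkt.dst in VLAN1:
        return "l2-switched", "forwarded, ACL not consulted"
    return "routed", evaluate(acl, pkt)


if __name__ == "__main__":
    pc = ip_address("192.168.0.10")          # constructed client address
    acl = parse_acl(ACL_120)
    cases = {
        "telnet to switch": Packet(pc, SWITCH_IP, "tcp", 23),
        "http to .115": Packet(pc, ip_address("192.168.0.115"), "tcp", 80),
        "http off-VLAN": Packet(pc, ip_address("10.0.0.5"), "tcp", 80),
    }
    for name, pkt in cases.items():
        print(f"{name:18} -> {vlan1_inbound(acl, pkt)}")
    fixed = parse_acl(ACL_120 + ["access-list 120 permit ip any any"])
    print("telnet after 'permit ip any any' ->", vlan1_inbound(fixed, cases["telnet to switch"]))
```

Run stand-alone it reproduces both symptoms from the post: telnet to 192.168.0.118 ends at the implicit deny, while HTTP to 192.168.0.115 is bridged in VLAN 1 without the ACL ever being evaluated.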
From steve at ibctech.ca  Wed Feb  4 09:10:24 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Wed, 04 Feb 2009 09:10:24 -0500
Subject: [c-nsp] access list help
In-Reply-To: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com>
Message-ID: <4989A1D0.1040101@ibctech.ca>

Deric Kwok wrote:
> Hi All
>
> I am new in cisco and trying to config the access list in my switch
>
> My switch ip is 192.168.0.118
>
> I am trying to block the http traffic in the host 192.168.0.115
>
> When I do it in, I can not access the switch !
> But I can access http://192.168.0.115
>
> Can you help what is wrong?
> Can you give me examples?
>

This rule states "deny tcp traffic from any host, to 192.168.0.115, port 80"

> access-list 120 deny tcp any host 192.168.0.115 eq www any log

This rule states that you want to allow the rest of all traffic to .115

> access-list 120 permit ip any host 192.168.0.115

Now, by default, without any other rules, the switch denies ALL other
traffic implicitly, including traffic destined to the management IP on
the switch itself.

To allow ALL other traffic to travel into, out of and to the switch, add:

# access-list 120 permit any any

...which will allow ALL other traffic to and from all ports, to any IP
address at any port.

I'd recommend permitting what you want explicitly, and then
deny-by-default, but the above will get you back up and going.

> I also don't understand the access list only for deny 192.168.0.115.
> Why it blocks me in switch 192.168.0.118. but 192.168.0.115 is still fine?

See above.

Steve

From mauritz at three6five.com  Wed Feb  4 09:47:55 2009
From: mauritz at three6five.com (Mauritz Lewies)
Date: Wed, 04 Feb 2009 16:47:55 +0200
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To: <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au>
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au>
	, <20090203071550.GU290@greenie.muc.de>
	<5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be>
	<45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au>
Message-ID: <1233758875.6907.22.camel@mauritzlewies>

I've not had much chance to play with it but will Ethernet CFM not work for this?

On Wed, 2009-02-04 at 08:49 +1000, David Hughes wrote:
> Yup, that's exactly the situation.  STP will work around some of the
> problem caused by this but if you are presenting an etherchannel over
> multiple xconnects you can't pick up the link failure of part of the
> etherchannel without UDLD.  We did some initial proof of concepts with
> 2900s running 2 second timers and it was great.  Imagine the look on
> my face when we found out that 6500s don't have the functionality of a
> $1,000 access switch .....
>
> So, is the config option on SXI still 7 seconds at best?
>
>
> Thanks
>
> David
> ...
>
>
> On 03/02/2009, at 7:45 PM, Thomas Dupas wrote:
>
> > I assume it's a L2 link (EoMPLS), so BFD won't help much.
> >
> > We're in the same situation, also stuck with UDLD timers and 2
> > parallel EoMPLS xconnects. I can't get the convergence lower than 20
> > seconds with the default UDLD, so I'm also hoping for fast UDLD
> >
> > Best Regards,
> >
> > Thomas
> >
> > ________________________________________
> > From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] on behalf of Gert Doering [gert at greenie.muc.de]
> > Sent: Tuesday, 3 February 2009 8:15
> > To: David Hughes
> > CC: Cisco NSP ((E-mail))'
> > Subject: Re: [c-nsp] Fast UDLD timers in SXI?
> >
> > Hi,
> >
> > On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote:
> >> Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down
> >> to 1 second) or if we are still stuck with the old 7 sec timers.
> >> We
> >> can do 1 sec UDLD on 2900 class switches so I hope we see it in the
> >> "premier switching platform" some time soon.  We need some way to
> >> pick
> >> up a link failure at the far end of an EoMPLS xconnect in a
> >> reasonable
> >> time.
> >
> > Can you use BFD?
> >
> > (Yes, this is not answering your question - I don't know the answer
> > - but
> > it might be an alternative approach if this a layer 3 link)
> >
> > gert
> > --
> > USENET is *not* the non-clickable part of WWW!
> >                                                   //www.muc.de/~gert/
> > Gert Doering - Munich, Germany                    gert at greenie.muc.de
> > fax: +49-89-35655025                 gert at net.informatik.tu-muenchen.de
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From eng_mssk at hotmail.com  Wed Feb  4 09:53:24 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 4 Feb 2009 16:53:24 +0200
Subject: [c-nsp] PPPoA sessions
Message-ID:

Hey all ,
i have a router with PPPoE and PPPoA sessions
i used to the OID 1.3.6.1.4.1.9.9.194.1.1.1 to draw the PPPoE sessions
i searched for OID to draw the PPPoA but didn't find an OID for it
can anyone help ??

From eimantas at occ.lt  Wed Feb  4 09:57:27 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Wed, 04 Feb 2009 16:57:27 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To:
References:
Message-ID: <4989ACD7.1050708@occ.lt>

Sigurbjörn Birkir Lárusson wrote:
> It shouldn't be sending you a default route at all, just the tunnel routes
>
> BR,
> Sibbi
>
>

Problem solved.

Default route was overridden by linux NetworkManager (vpnc) software on
vpnclient machine.
I need to set 'Use this connection only for resources on this network' in
vpn connection configuration.

Cisco vpn client software doesn't override default route.

From deric.kwok2000 at gmail.com  Wed Feb  4 10:04:16 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 4 Feb 2009 10:04:16 -0500
Subject: [c-nsp] access list help
In-Reply-To: <4989A1D0.1040101@ibctech.ca>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com>
	<4989A1D0.1040101@ibctech.ca>
Message-ID: <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com>

Hi Steve

Thank you.

I don't understand why I can access http://192.168.0.115
if this access-list is valid ?

My access list doesn't block www traffic to http://192.168.0.115

but block telnet / www to switch 192.168.0.118

I also don't understand about "access-list 120 permit any any"

If I have hundred access lists, I have to put this "permit any any" at
the end of each of hundred access-list

Thank you for your help

On Wed, Feb 4, 2009 at 9:10 AM, Steve Bertrand wrote:
> Deric Kwok wrote:
> > Hi All
> >
> > I am new in cisco and trying to config the access list in my switch
> >
> > My switch ip is 192.168.0.118
> >
> > I am trying to block the http traffic in the host 192.168.0.115
> >
> > When I do it in, I can not access the switch !
> > But I can access http://192.168.0.115
> >
> > Can you help what is wrong?
> > Can you give me examples?
> >
>
> This rule states "deny tcp traffic from any host, to 192.168.0.115, port
> 80"
>
> > access-list 120 deny tcp any host 192.168.0.115 eq www any log
>
> This rule states that you want to allow the rest of all traffic to .115
>
> > access-list 120 permit ip any host 192.168.0.115
>
> Now, by default, without any other rules, the switch denies ALL other
> traffic implicitly, including traffic destined to the management IP on
> the switch itself.
>
> To allow ALL other traffic to travel into, out of and to the switch, add:
>
> # access-list 120 permit any any
>
> ...which will allow ALL other traffic to and from all ports, to any IP
> address at any port.
>
> I'd recommend permitting what you want explicitly, and then
> deny-by-default, but the above will get you back up and going.
>
> > I also don't understand the access list only for deny 192.168.0.115.
> > Why it blocks me in switch 192.168.0.118. but 192.168.0.115 is still
> fine?
>
> See above.
>
> Steve
>

From ahmedazim at gmail.com  Wed Feb  4 10:14:34 2009
From: ahmedazim at gmail.com (Ahmed Mohamed)
Date: Wed, 4 Feb 2009 17:14:34 +0200
Subject: [c-nsp] reacheability issue in MEL link
In-Reply-To: <0BB7A1080B7DBD4494E09FF171D2ACEA02855555@xmb-ams-33c.emea.cisco.com>
References: <0BB7A1080B7DBD4494E09FF171D2ACEA02855555@xmb-ams-33c.emea.cisco.com>
Message-ID:

--------------------------------Metroethernet(carrier)-------------------------ethernet(cable)-----

for a link as simple as above, if :
+ the CE , the Agg. switch and the PE interfaces are in the same vlan
+ the CE and the PE IP interfaces are in the same subnet

then I must (at least) have an entry in arp table, and ping successful,
which is not the case

what was getting me crazy , is that all interfaces are up-up all the time,
but i just received a feedback today that MetroEthernet carriers have NTU's
acting as Ethernet HUB, so as long as they are functional , you will have
the interfaces up-up even if the circuit is broken inside the carrier !!!

tomorrow i will order dual dispatch to both ends, will test circuit
termination at both ends

"traceroute mac" feature is not in CE or PE IOS

On Wed, Feb 4, 2009 at 1:25 PM, Ahmed Maged (amaged) wrote:
> Troubleshoot layer by layer.
>
> If the lower layers don't work, don't expect anything to behave
> properly.
>
> Follow the L2 frame with (ltrace) if available on your IOS.
>
> How about debugging?
>
> Can you install a sniffer?
>
> What do you see on the interfaces counters?
>
> Did you try anything else other than ping, maybe ICMP is blocked.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ahmed Mohamed
> Sent: Tuesday, February 03, 2009 2:28 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] reacheability issue in MEL link
>
> Hello,
>
> this is a real life problem still occurring, and have no idea what may be
> causing it ..
>
> we are providing an internet direct service to our customer via MEL (Metro
> Ethernet Link)
>
> CE (CS-7206 VXR) fe2/0.36 ------------------Etherlink(local carrier)---------------- WS-3759G-24TS--PE(CS-7000)
>
> the solution is provided using a carrier to link the customer CE to an
> aggregated switch, using Metro Ethernet
> configuring vlan 36 and using dot1q encapsulation
> then from the aggregating switch to the PE router using also encapsulation
> dot1q for vlan36
>
> all interfaces are up-up , and still ping fails !!
>
> i tried everything, resetting ports, switches, reconfigure interfaces ..etc.
> still no joy
>
> any idea what could be causing the problem ?
>
> ========================================================================
> CE:
> -----
> interface FastEthernet2/0.36
>  bandwidth 61440
>  encapsulation dot1Q 36
>  ip address 57.78.2.6 255.255.255.252
> ========================================================================
> Agg. switch:
> ------------------
> interface GigabitEthernet1/0/9
>  switchport trunk encapsulation dot1q
>  switchport trunk native vlan 3109
>  switchport trunk allowed vlan 36,3109
>  switchport mode trunk
>  switchport nonegotiate
>  duplex full
>  speed 100
>  mls qos trust cos
>  spanning-tree bpdufilter enable
> ========================================================================
> PE:
> ------
> interface FastEthernet5/1/1.36
>  bandwidth 61440
>  encapsulation dot1Q 36
>  ip address 57.78.2.5 255.255.255.252
>  no ip redirects
>  no ip proxy-arp
>  no ip route-cache
>  no cdp enable
> ========================================================================
> bmil305#sh int FastEthernet5/1/1.36
> FastEthernet5/1/1.36 is up, line protocol is up   <<<<<<
>   Hardware is cyBus FastEthernet Interface, address is 0003.fe91.b8a9 (bia 0003.fe91.b8a9)
>   Internet address is 57.78.2.5/30
>   MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
>   ARP type: ARPA, ARP Timeout 04:00:00
> ========================================================================
> pmil2534#sh int Fa2/0.36
> FastEthernet2/0.36 is up, line protocol is up   <<<<<<
>   Hardware is i82543 (Livengood), address is 0022.be8b.1038 (bia 0022.be8b.1038)
>   Description: --- To bmil305 - FE5/1/1.5
>   Internet address is 57.78.2.6/30
>   MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
> ========================================================================
> ping pe to CE fails:
> ----------------------------
> bmil305#ping 57.78.2.6   <<<<<<,
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 57.78.2.6, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> ========================================================================
> PE to internet (google) successfully:
> ------------------------------------------------------
> bmil305#ping 216.239.59.147 source fast 5/1/1.36 repeat 100 size 500
> Type escape sequence to abort.
> Sending 100, 500-byte ICMP Echos to 216.239.59.147, timeout is 2 seconds:
> Packet sent with a source address of 57.78.2.5
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Success rate is 100 percent (100/100), round-trip min/avg/max = 36/40/112 ms
> ========================================================================
>

From steve at ibctech.ca  Wed Feb  4 10:22:26 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Wed, 04 Feb 2009 10:22:26 -0500
Subject: [c-nsp] access list help
In-Reply-To: <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com>
	<4989A1D0.1040101@ibctech.ca>
	<40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com>
Message-ID: <4989B2B2.9050801@ibctech.ca>

Deric Kwok wrote:
> Hi Steve
>
> Thank you.
>
> I don't understand why I can access http://192.168.0.115
> if this access-list is valid ?
>
> My access list doesn't block www traffic to http://192.168.0.115
>
> but block telnet / www to switch 192.168.0.118
>
> I also don't understand about "access-list 120 permit any any"

What type of switch is this?

Please post the output of a:

# sh ip access-list

> If I have hundred access lists, I have to put this "permit any any" at
> the end of each of hundred access-list

Only if you don't permit first, and then let the implicit default deny
rule do its thing.
Steve

From frnkblk at iname.com  Wed Feb  4 10:39:16 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Wed, 4 Feb 2009 09:39:16 -0600
Subject: [c-nsp] PPPoA sessions
In-Reply-To:
References:
Message-ID:

I've asked this before on cisco-bba: there doesn't appear to be an OID for
that.

I'm afraid you might need to screen-scrape.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Wednesday, February 04, 2009 8:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PPPoA sessions

Hey all ,
i have a router with PPPoE and PPPoA sessions
i used to the OID 1.3.6.1.4.1.9.9.194.1.1.1 to draw the PPPoE sessions
i searched for OID to draw the PPPoA but didn't find an OID for it
can anyone help ??

From linkconnect at googlemail.com  Wed Feb  4 11:00:05 2009
From: linkconnect at googlemail.com (Wayne Lee)
Date: Wed, 4 Feb 2009 16:00:05 +0000
Subject: [c-nsp] PPPoA sessions
In-Reply-To:
References:
Message-ID: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com>

On Wed, Feb 4, 2009 at 3:39 PM, Frank Bulk - iName.com wrote:
> I've asked this before on cisco-bba: there doesn't appear to be an OID for
> that.
>
> I'm afraid you might need to screen-scrape.
>
> Frank
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Wednesday, February 04, 2009 8:53 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PPPoA sessions
>
>
> Hey all ,
> i have a router with PPPoE and PPPoA sessions
> i used to the OID 1.3.6.1.4.1.9.9.194.1.1.1 to draw the PPPoE sessions
> i searched for OID to draw the PPPoA but didnt find an OID for it
> can anyone help ??

We have the below in our Cacti install which graphs online PPPoA users

Get Active PPP Sessions
Queries a Cisco for a list of online users
1.3.6.1.4.1.9.10.24.1.1.4

Index                 walk  value  input   .1.3.6.1.4.1.9.10.24.1.1.4.1.3
5 Minute Utilization  walk  value  output  .1.3.6.1.4.1.9.10.24.1.1.4.1.3

Regards

Wayne

From tim at pelican.org  Wed Feb  4 11:15:55 2009
From: tim at pelican.org (Tim Franklin)
Date: Wed, 4 Feb 2009 16:15:55 -0000 (GMT)
Subject: [c-nsp] access list help
In-Reply-To: <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com>
	<4989A1D0.1040101@ibctech.ca>
	<40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com>
Message-ID: <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org>

On Wed, February 4, 2009 3:04 pm, Deric Kwok wrote:
> I don't understand why I can access http://192.168.0.115 if this
> access-list
> is valid ?
>
> My access list doesn't block www traffic to http://192.168.0.115
> but block telnet / www to switch 192.168.0.118

Is your switch being a *switch* in this case, or a *router*, ie a layer-2
or layer-3 hop?

From the config you're posting, it looks to me like you're applying the
traffic inbound towards the switch only - vlan1 is a layer-3 interface on
the switch.  Traffic that's being switched between layer-2 ports will
never be processed by that ACL.

What are the interfaces on your switch and their IP addresses?
> I also don't understand about "access-list 120 permit any any"
>
> If I have hundred access lists, I have to put this "permit any any" at the
> end of each of hundred access-list

Yes, if you want each of those ACLs to permit by default.  The default
Cisco behaviour is for any traffic not matched at all by an access list to
be denied, ie implicit 'deny any any' at the end of every ACL.

Regards,
Tim.

From dean at eatworms.org.uk  Wed Feb  4 10:27:20 2009
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 4 Feb 2009 15:27:20 -0000
Subject: [c-nsp] Ethernet VPN circuits
In-Reply-To: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com>
References: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com>
Message-ID: <004201c986dd$1299bf10$37cd3d30$@org.uk>

Can't speak for your product...but in the UK we've used similar from the 4
or 5 biggest suppliers and they all work the same...

At the central site access is delivered over a single high B/W Trunk. We
(Customer) and supplier agree a vlan tag per site. At the remote site the
port is provided with no vlan tag. So if we have a single IP connection
between there are no multiple VLAN tags.

Router at the central site - configure your IP interface as Vlan
subinterface on CS Router. Trunk Between CS Router & CS Switch. Configure CS
Switch port facing provider as trunk as well. (Control the VLANs you want to
send etc on each trunk port). The CS Switch is optional. (we do actually
have these for various reasons - but will be phasing them out in new core
site builds).

At the Remote site it's just a straight Ethernet port. Not sure why you'd
use the RS Switch at all.
Dean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rens
Sent: 04 February 2009 12:27
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Ethernet VPN circuits

Hi,

We have a provider that has a new product and I would like to know if I
could use it with our current infrastructure to interconnect sites.

This is how it works on the provider site:

1 Central Site where everything arrives
Multiple Remote Sites that you can connect to the Central Site

Per Remote Site we have to define a VLAN tag.

So it would look like this:

My CS router <=> my CS switch <=> provider CS switch <=> provider Backbone <=> provider RS switch <=> My RS router

7206VXR <=> 3550 <=> 2960 <=> No Idea <=> 2960 <=> 1841

So if I want to do a /30 OSPF between my CS router and my RS router I would
use vlan 200 for this at RS router (subinterface dot1q) it enters the
provider RS switch and they add the predefined vlan as outer tag. (example
800)

It arrives like this at my CS site and now I have a problem.

1) I either remove the outer tag VLAN (800) on the switch so on my router I
can do the same subinterface dot1q 200 => but this won't work when I want
to do the same thing with multiple RS

2) Can I pass the double tag through my switch to our 7206 and configure a
double dot1q subinterface, so the router removes both outer & inner 800 &
200 and OSPF goes up :-)

Any help is appreciated.
Regards,

Rens

From psirt at cisco.com  Wed Feb  4 11:41:40 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 4 Feb 2009 11:41:40 -0500
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Message-ID: <200902041141.wlc@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Advisory ID: cisco-sa-20090204-wlc

http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml

Revision 1.0

For Public Release 2009 February 04 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco Wireless LAN Controllers
(WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco
Catalyst 3750 Integrated Wireless LAN Controllers. This security advisory
outlines details of the following vulnerabilities:

  * Denial of Service Vulnerabilities (total of three)
  * Privilege Escalation Vulnerability

These vulnerabilities are independent of each other.

Cisco has released free software updates that address these
vulnerabilities. There are no workarounds available for these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The following products and software versions are affected for each
vulnerability.

Denial of Service Vulnerabilities
+--------------------------------

Two denial of service (DoS) vulnerabilities affect software versions 4.2
and later. All Cisco Wireless LAN Controller (WLC) platforms are affected.

A third DoS vulnerability affects software versions 4.1 and later.
The following platforms are affected by this vulnerability:

  * Cisco 4400 Series Wireless LAN Controllers
  * Cisco 4100 Series Wireless LAN Controllers
  * Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (WiSM)
  * Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers

Note: The Cisco Wireless LAN Controller Modules supported on Cisco 2800
and 3800 series Integrated Services Routers are not vulnerable. The Cisco
2000 and 2100 Series Wireless LAN Controllers are also not affected by
this vulnerability.

Privilege Escalation Vulnerability
+---------------------------------

Only WLC software version 4.2.173.0 is affected by this vulnerability.

Determination of Software Versions
+---------------------------------

To determine the WLC version that is running in a given environment, use
one of the following methods:

  * In the web interface, choose the Monitor tab, click Summary in the
    left pane, and note the Software Version.

  * From the command-line interface, type "show sysinfo" and note the
    Product Version, as shown in the following example:

    (Cisco Controller) >show sysinfo

    Manufacturer's Name.. Cisco Systems Inc.
    Product Name......... Cisco Controller
    Product Version...... 5.1.151.0
    RTOS Version......... Linux-2.6.10_mvl401
    Bootloader Version... 4.0.207.0
    Build Type........... DATA + WPS

Use the "show wism module controller 1 status" command on a Cisco
Catalyst 6500 Series/7600 Series switch if using a WiSM, and note the
Software Version, as demonstrated in the following example:

    Router#show wism mod 3 controller 1 status

    WiSM Controller 1 in Slot 3
    Operational Status of the Controller : Oper-Up
    Service VLAN                         : 192
    Service Port                         : 10
    Service Port Mac Address             : 0011.92ff.8742
    Service IP Address                   : 192.168.10.1
    Management IP Address                : 192.168.1.123
    Software Version                     : 5.1.151.0
    Port Channel Number                  : 288
    Allowed vlan list                    : 30,40
    Native VLAN ID                       : 40
    WCP Keep Alive Missed                : 0

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless
Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN
Controllers are responsible for system-wide wireless LAN functions, such
as security policies, intrusion prevention, RF management, quality of
service (QoS), and mobility.

These devices communicate with Controller-based Access Points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight
Access Point Protocol (LWAPP).

This Security Advisory describes multiple distinct vulnerabilities in the
WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These
vulnerabilities are independent of each other.

Denial of Service Vulnerabilities
+--------------------------------

These vulnerabilities are documented in the following Cisco Bug ID and
have been assigned the following Common Vulnerabilities and Exposures
(CVE) identifiers:

  * CSCsq44516 - CVE-2009-0058

    Web authentication is a Layer 3 security feature that causes the
    controller to drop IP traffic (except DHCP and DNS related packets)
    from a particular client until that client has correctly supplied a
    valid username and password.
    An attacker may use a vulnerability scanner to cause the device to
    stop servicing web authentication or cause a reload of the device.
    The following error messages may appear on the console during an
    active attack:

    SshPmStMain/pm_st_main.c:1954/ ssh_pm_st_main_batch_addition_result:
    Failed to add rule to the engine: restoring old state
    SshEnginePmApiPm/engine_pm_api_pm.c:1896/ ssh_pme_enable_policy_lookup:
    Could not allocate message

  * CSCsm82364 - CVE-2009-0059

    An attacker may cause a device reload when sending a malformed post
    to the web authentication "login.html" page. The following error
    messages may appear on the WLC console during this attack:

    Cisco Crash Handler Signal generated during a signal 11, count 193
    Memory 0x14ef1e44 has been freed!

    Note: A crash file is not generated during this attack.

  * CSCso60979 - CVE-2009-0061

    Affected Cisco WLC, WiSM and Catalyst 3750 Wireless LAN Controller
    models are vulnerable to a DoS condition that is triggered by the
    receipt of certain IP packets. Upon receiving these IP packets, the
    affected device may become unresponsive and require a reboot to
    recover.

    Note: This vulnerability affects software versions 4.1 and later in
    the Cisco 4400 series WLCs, Cisco Catalyst 6500 WiSM, and the Cisco
    Catalyst 3750 Integrated Wireless LAN Controllers. Cisco 4100, 2100,
    and 2000 series WLCs are not affected by this vulnerability.

Privilege Escalation Vulnerability
+---------------------------------

A privilege escalation vulnerability exists only in WLC software version
4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain
full administrative rights on the affected system.

Note: Wireless network users are not affected by this vulnerability.

This vulnerability is documented in Cisco Bug ID CSCsv62283 and has been
assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0062.
Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

* Certain packets may cause WebAuth services to hang or reload the device (CSCsq44516)

    CVSS Base Score - 6.1
        Access Vector - Adjacent Network
        Access Complexity - Low
        Authentication - None
        Confidentiality Impact - None
        Integrity Impact - None
        Availability Impact - Complete
    CVSS Temporal Score - 5.0
        Exploitability - Functional
        Remediation Level - Official-Fix
        Report Confidence - Confirmed

* Crash handling invalid post for webauth (CSCsq44516)

    CVSS Base Score - 6.1
        Access Vector - Adjacent Network
        Access Complexity - Low
        Authentication - None
        Confidentiality Impact - None
        Integrity Impact - None
        Availability Impact - Complete
    CVSS Temporal Score - 5.0
        Exploitability - Functional
        Remediation Level - Official-Fix
        Report Confidence - Confirmed

* WLC TSEC driver may hang or crash the device (CSCso60979)

    CVSS Base Score - 7.8
        Access Vector - Network
        Access Complexity - Low
        Authentication - None
        Confidentiality Impact - None
        Integrity Impact - None
        Availability Impact - Complete
    CVSS Temporal Score - 6.4
        Exploitability - Functional
        Remediation Level - Official-Fix
        Report Confidence - Confirmed

* Local Management Users may obtain full admin rights (CSCsv62283)

    CVSS Base Score - 9.0
        Access Vector - Network
        Access Complexity - Low
        Authentication - Single
        Confidentiality Impact - Complete
        Integrity Impact - Complete
        Availability Impact - Complete
    CVSS Temporal Score - 7.8
        Exploitability - Functional
        Remediation Level - Official-Fix
        Report Confidence - Confirmed

Impact
======

Successful exploitation of the denial of service vulnerabilities may cause the affected device to hang or reload. Repeated exploitation could result in a sustained DoS condition.

The privilege escalation vulnerability may allow an authenticated user to obtain full administrative rights on the affected system.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
+---------------+----------+----------------+----------------+
| Vulnerability | Affected | First Fixed    | Recommended    |
| / Bug ID      | Release  | Version        | Release        |
|---------------+----------+----------------+----------------|
| CSCsq44516    | 4.1      | Migrate to 4.2 | 4.2.176.0      |
|               | 4.2      | 4.2.173.0      | 4.2.176.0      |
|               | 5.0      | Migrate to 5.2 | 5.2.157.0      |
|               | 5.1      | Contact TAC    | Contact TAC    |
|               | 5.2      | Not vulnerable | Not vulnerable |
|---------------+----------+----------------+----------------|
| CSCsm82364    | 4.1      | Migrate to 4.2 | 4.2.176.0      |
|               | 4.2      | 4.2.112.0      | 4.2.176.0      |
|               | 5.0      | Not vulnerable | Not vulnerable |
|               | 5.1      | Not vulnerable | Not vulnerable |
|               | 5.2      | 5.2.157.0      | 5.2.157.0      |
|---------------+----------+----------------+----------------|
| CSCso60979    | 4.1      | Migrate to 4.2 | 4.2.176.0      |
|               | 4.2      | 4.2.117.0      | 4.2.176.0      |
|               | 5.0      | Migrate to 5.2 | 5.2.157.0      |
|               | 5.1      | Not vulnerable | Not vulnerable |
|               | 5.2      | Not vulnerable | Not vulnerable |
|---------------+----------+----------------+----------------|
| CSCsv62283    | 4.1      | Not vulnerable | Not vulnerable |
|               | 4.2      | 4.2.174.0      | 4.2.176.0      |
|               | 5.0      | Not vulnerable | Not vulnerable |
|               | 5.1      | Not vulnerable | Not vulnerable |
|               | 5.2      | Not vulnerable | Not vulnerable |
+---------------+----------+----------------+----------------+

Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510 Access Points (APs) are recommended to migrate to release 4.2.176.0. Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are recommended to migrate to 5.2 or later.

Workarounds
===========

There are no workarounds for any of these vulnerabilities.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

These vulnerabilities were found during internal testing and during the resolution of customer support cases.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2009-February-04 | Initial public release.  |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Feb 04, 2009                Document ID: 108336

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmJxSEACgkQ86n/Gc8U/uB4XQCfadDoSJbA5K+0GujUY02Rj1Ua
xnUAn0nc+bNHTzHwD298ai3ZW/JWKWaU
=waFY
-----END PGP SIGNATURE-----

From deric.kwok2000 at gmail.com Wed Feb 4 13:24:47 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 4 Feb 2009 13:24:47 -0500
Subject: [c-nsp] access list help
In-Reply-To: <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org>
Message-ID: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>

> > Thank you Tim and Steve
> >
> > >Is your switch being a *switch* in this case, or a *router*, ie a layer-2
> > >or layer-3 hop?
> I am using this 3500 switch as a switch. As I can't access my switch now, I can get sh ip access-list
> >
> > >From the config you're posting, it looks to me like you're applying the
> > >traffic inbound towards the switch only - vlan1 is a layer-3 interface on
> > >the switch.
> > >Traffic that's being switched between layer-2 ports will never be
> > >processed by that ACL.
> You mean my access-list is only for the router, not the switch? In this case, what can I do to not allow www traffic to 192.168.0.115 in the switch?
> >
> > >What are the interfaces on your switch and their IP addresses?
> the ip address of the switch is 192.168.0.118
> >
> > >Yes, if you want each of those ACLs to permit by default. The default
> > >Cisco behaviour is for any traffic not matched at all by an access list to
> > >be denied, ie implicit 'deny any any' at the end of every ACL.
> Could you give me example ACLs to permit by default? Thank you so much
> >
> > Regards,
> > Tim.
> >
> >

From alasdairm at gmail.com Wed Feb 4 14:02:45 2009
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Wed, 4 Feb 2009 19:02:45 +0000
Subject: [c-nsp] Cisco 3750E
Message-ID: <8558A7B4-505F-4CBF-9324-F177C5223E6E@gmail.com>

Hey everyone,

Can anyone tell me what the oversubscription ratios are on the 10/100/1000 GigE ports on the 48-port 3750E switch?

The Cisco site doesn't seem to reference any oversubscription (unless I missed it) so figured I may as well ask!

Cheers
Alasdair

From sigurbjornl at vodafone.is Wed Feb 4 14:15:21 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Wed, 04 Feb 2009 19:15:21 +0000
Subject: [c-nsp] Cisco 3750E
In-Reply-To: <8558A7B4-505F-4CBF-9324-F177C5223E6E@gmail.com>
Message-ID: 

The claimed forwarding rate is 101.2Mpps. Assuming full-duplex and maximum speed used on all ports at the same time (48*2+2*20=136Gbit=17Gbyte/sec of traffic) means that the average packet size would have to be less than 168 bytes for you not to get wirespeed forwarding. Given that, I think you can safely assume they're not oversubscribed.

On 4.2.2009 19:02, "Alasdair McWilliam" wrote:

> Hey everyone,
>
> Can anyone tell me what the oversubscription ratios are on the
> 10/100/1000 GigE ports on the 48-port 3750E switch?
>
> The Cisco site doesn't seem to reference any oversubscription (unless
> I missed it) so figured I may as well ask!
>
> Cheers
> Alasdair
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From vijay.ramcharan at verizonbusiness.com Wed Feb 4 14:19:35 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Wed, 04 Feb 2009 19:19:35 +0000
Subject: [c-nsp] WAE/WAAS in VRF environment
In-Reply-To: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>
Message-ID: 

Is it possible to configure application acceleration using WAAS in a VRF environment? In other words, my WAN interface on the router is in a VRF, the LAN interface is in another VRF and the WAE is on another VRF.

--------------------------
I have gotten as far as the WAE registering the router:

"WCCP configuration for TCP Promiscuous service 61 and 62 succeeded. WCCP configuration for TCP Promiscuous succeeded. Please remember to configure WCCP service 61 and 62 on the corresponding router."

wae01#sh wccp router
Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Wide Area Engine(1)
        Router Id       Sent To         Recv ID
        0.0.0.0         209.1.1.1       0000022F
--------------------------

--------------------------
The router registers the WAE as a WCCP client:

router04#
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP client 209.1.1.2"
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP client 209.1.1.2"

The router however cannot figure out what its ID is and does not see itself as a WCCP group router.

router04#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: 61
        Number of Service Group Clients:     1
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
          Process:                           0
          Fast:                              0
          CEF:                               0
        Redirect access-list:                ACCELERATED-TRAFFIC
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            25957
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
--------------------------

I will contact TAC shortly after this message (if our WAEs are still supported).

Vijay Ramcharan

From MLouis at nwnit.com Wed Feb 4 14:23:54 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Wed, 4 Feb 2009 14:23:54 -0500
Subject: [c-nsp] WAE/WAAS in VRF environment
In-Reply-To: 
References: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>,
Message-ID: 

How are you routing between your WAN and LAN interfaces today? Are you leaking routes between the VRFs on the same router?

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From vijay.ramcharan at verizonbusiness.com Wed Feb 4 14:31:31 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Wed, 04 Feb 2009 19:31:31 +0000
Subject: [c-nsp] WAE/WAAS in VRF environment
In-Reply-To: 
Message-ID: 

My LAN and WAE interfaces are in the same VRF. They are aware of the routes within my WAN VRF. The reverse is also true. My WAN VRF is aware of the routes reachable via the LAN and WAE interfaces. I can ping from the WAE in one site over to the WAE in the other site across the WAN without any problems.

To recap, wae01 and router04 are in one site (with VRFs), while wae02 (ping source below) and the CM are in another site (no VRFs) across the WAN.

wae02#ping 209.1.1.2
PING 209.1.1.2 (209.1.1.2) 56(84) bytes of data.
64 bytes from 209.1.1.2: icmp_seq=0 ttl=62 time=52.3 ms
64 bytes from 209.1.1.2: icmp_seq=1 ttl=62 time=52.3 ms
64 bytes from 209.1.1.2: icmp_seq=2 ttl=62 time=52.4 ms

Vijay Ramcharan

From A.L.M.Buxey at lboro.ac.uk Wed Feb 4 14:37:31 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Wed, 4 Feb 2009 19:37:31 +0000
Subject: [c-nsp] Cisco 3750E
In-Reply-To: <8558A7B4-505F-4CBF-9324-F177C5223E6E@gmail.com>
References: <8558A7B4-505F-4CBF-9324-F177C5223E6E@gmail.com>
Message-ID: <20090204193731.GB30153@lboro.ac.uk>

Hi,

> Hey everyone,
>
> Can anyone tell me what the oversubscription ratios are on the
> 10/100/1000 GigE ports on the 48-port 3750E switch?

? oversubscription ? all the 3750E have a 68Mbps wire rate backplane so for pure L2 work they can shove more across the backplane than there are ports. Also, these switches have StackWise+ stacking with a 64Gbps which means that all 48 ports can throw 1000 mbits to 48 other ports on another switch in the stack!

alan

From ibrahim.abozaid at gmail.com Wed Feb 4 15:51:22 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Wed, 4 Feb 2009 22:51:22 +0200
Subject: [c-nsp] AToM Lab Problem
Message-ID: 

Hi All

I was labbing an AToM scenario and used IOS 12.2(33)SRC for the ATM AAL5 and ATM Cell-relay feature, but I can't get dynamips to run this image; it always results in "*** Error: 209-unable to start VM instance" error messages.

Has anybody labbed this feature using a different image, or know how to fix this error message?
Complete image name:
c7200p-spservicesk9-mz.122-33.SRC3_3.bin

best regards
--Ibrahim

From linkconnect at googlemail.com Wed Feb 4 16:10:48 2009
From: linkconnect at googlemail.com (Wayne Lee)
Date: Wed, 4 Feb 2009 21:10:48 +0000
Subject: [c-nsp] AToM Lab Problem
In-Reply-To: 
References: 
Message-ID: <3044d0930902041310w27d8f3b6i3f6b3b718089323@mail.gmail.com>

On Wed, Feb 4, 2009 at 8:51 PM, Ibrahim Abo Zaid wrote:
> Hi All
>
> I was labbing AToM scenario and uses IOS 12.2(33)SRC for ATM AAL5 and ATM
> Cell-relay feature but i can't get dynamips run for this image , it always
> results "*** Error: 209-unable to start VM instance " error messages
>
> any body lab this feature using different image or know how to fix this
> error message ?
>
> complete image name
> c7200p-spservicesk9-mz.122-33.SRC3_3.bin
>
>
> best regards
> --Ibrahim

I used the following in my .net file to get a p image to work

[localhost:7201]
workingdir = /tmp
udp = 10100

[[7200]]
image = /home/dynamips/c7200-spserv.image
ghostios = True
# sparsemem = True
npe = npe-g2

Wayne

From frnkblk at iname.com Wed Feb 4 16:26:59 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 4 Feb 2009 15:26:59 -0600
Subject: [c-nsp] PPPoA sessions
In-Reply-To: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com>
References: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com>
Message-ID: 

Definitely doesn't work with 12.2(31)SB14. I get all zeroes on my box.
OID                           Object                  Type     Value
1.3.6.1.4.1.9.10.24.1.1.1.0   cvpdnTunnelTotal        GAUGE    0
1.3.6.1.4.1.9.10.24.1.1.2.0   cvpdnSessionTotal       GAUGE    0
1.3.6.1.4.1.9.10.24.1.1.3.0   cvpdnDeniedUsersTotal   COUNTER  0

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee
Sent: Wednesday, February 04, 2009 10:00 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PPPoA sessions

On Wed, Feb 4, 2009 at 3:39 PM, Frank Bulk - iName.com wrote:
> I've asked this before on cisco-bba: there doesn't appear to be an OID for
> that.
>
> I'm afraid you might need to screen-scrape.
>
> Frank
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Wednesday, February 04, 2009 8:53 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PPPoA sessions
>
>
> Hey all,
> I have a router with PPPoE and PPPoA sessions.
> I used the OID 1.3.6.1.4.1.9.9.194.1.1.1 to draw the PPPoE sessions.
> I searched for an OID to draw the PPPoA sessions but didn't find an OID for it.
> Can anyone help??
We have the below in our Cacti install which graphs online PPPoA users

Get Active PPP Sessions
Queries a Cisco for a list of online users
1.3.6.1.4.1.9.10.24.1.1.4

Index                  walk  value  input   .1.3.6.1.4.1.9.10.24.1.1.4.1.3
5 Minute Utilization   walk  value  output  .1.3.6.1.4.1.9.10.24.1.1.4.1.3

Regards

Wayne

From jeff at ocjtech.us Wed Feb 4 17:16:39 2009
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Wed, 4 Feb 2009 16:16:39 -0600
Subject: [c-nsp] Netconf (over SSHv2) in SXI
In-Reply-To: <4986E2EB.3070504@cisco.com>
References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com>
Message-ID: <935ead450902041416k3d8f22aex4d7956ce2932b427@mail.gmail.com>

On Mon, Feb 2, 2009 at 6:11 AM, Lincoln Dale wrote:
>
> that is purely a guess - but checking the XML schema definition (XSD) that
> should also be posted on cisco.com will let you verify.

Any clues on where to find the XSDs? I can't seem to find them except inline in the documentation and that doesn't seem like the best way to get them.

-- 
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe."

-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"

From szpajder at staszic.waw.pl Wed Feb 4 17:34:54 2009
From: szpajder at staszic.waw.pl (Tomasz Lemiech)
Date: Wed, 4 Feb 2009 23:34:54 +0100 (CET)
Subject: [c-nsp] PPPoA sessions
In-Reply-To: 
References: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com>
Message-ID: 

On Wed, 4 Feb 2009, Frank Bulk wrote:

> Definitely doesn't work with 12.2(31)SB14. I get all zeroes on my box.
>
> OID                           Object                  Type     Value
> 1.3.6.1.4.1.9.10.24.1.1.1.0   cvpdnTunnelTotal        GAUGE    0
> 1.3.6.1.4.1.9.10.24.1.1.2.0   cvpdnSessionTotal       GAUGE    0
> 1.3.6.1.4.1.9.10.24.1.1.3.0   cvpdnDeniedUsersTotal   COUNTER  0

I use .1.3.6.1.4.1.9.9.150.1.1.1.0 to obtain the count of all sessions and then subtract .1.3.6.1.4.1.9.9.194.1.1.1.0 (number of PPPoE sessions). But beware: .1.3.6.1.4.1.9.9.150.1.1.1.0 counts every session shown in "sh users" output (including VTY sessions).

Regards,
-- 
Tomasz Lemiech
RLU#189399 TL1942-RIPE

From amsoares at netcabo.pt Wed Feb 4 19:47:10 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Thu, 5 Feb 2009 00:47:10 -0000
Subject: [c-nsp] AToM Lab Problem
In-Reply-To: <3044d0930902041310w27d8f3b6i3f6b3b718089323@mail.gmail.com>
References: <3044d0930902041310w27d8f3b6i3f6b3b718089323@mail.gmail.com>
Message-ID: 

There's another problem: ATM AAL5 over MPLS and ATM Cell Relay over MPLS are not supported with the PA-A1, the only ATM interface supported by Dynamips.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/atom25s.html#wp1068980

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From ltd at cisco.com Wed Feb 4 21:04:36 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Thu, 05 Feb 2009 13:04:36 +1100
Subject: [c-nsp] Netconf (over SSHv2) in SXI
In-Reply-To: <935ead450902041416k3d8f22aex4d7956ce2932b427@mail.gmail.com>
References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <935ead450902041416k3d8f22aex4d7956ce2932b427@mail.gmail.com>
Message-ID: <498A4934.5090604@cisco.com>

Jeffrey Ollie wrote:
> On Mon, Feb 2, 2009 at 6:11 AM, Lincoln Dale wrote:
>
>> that is purely a guess - but checking the XML schema definition (XSD) that
>> should also be posted on cisco.com will let you verify.
>>
>
> Any clues on where to find the XSDs? I can't seem to find them except
> inline in the documentation and that doesn't seem like the best way to
> get them.
>
>

for NX-OS, where i spend most of my time, we post the NetConf XSD right alongside the software images.

i am not sure where XSDs are posted on cisco.com (or if they are at all) for IOS images, but will ask internally. to my mind they should be posted alongside the images, or linked to from the release notes etc., because the schema would be unique to each image.

cheers,

lincoln.
From deric.kwok2000 at gmail.com Wed Feb 4 21:26:05 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 4 Feb 2009 21:26:05 -0500
Subject: [c-nsp] How to add new rule in the same access-list
Message-ID: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>

Hi

I have an old rule in the switch but don't know how to add a new rule in the same access-list.

When I add a new deny rule, it will be put at the end of the access-list.

If I remove access-list 140, I have to re-type all lines again.

Please help. Thank you

switch#sh access-list 140
Extended IP access list 140
    deny udp any host 192.168.1.118 eq ntp log (4 matches)
    permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log
    deny udp any host 192.168.1.118 eq snmp log
    permit ip any any (49 matches)

switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#access-list 140 deny tcp any host 192.168.1.118 eq 123 log

switch#sh ip access-lists 140
Extended IP access list 140
    deny udp any host 192.168.1.118 eq ntp log (6 matches)
    permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log (35 matches)
    deny udp any host 192.168.1.118 eq snmp log
    permit ip any any (174 matches)
    deny tcp any host 192.168.1.118 eq 123 log

From brett at looney.id.au Wed Feb 4 22:13:58 2009
From: brett at looney.id.au (Brett Looney)
Date: Thu, 5 Feb 2009 12:13:58 +0900
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
Message-ID: <063101c9873f$ce734500$6b59cf00$@id.au>

> I have an old rule in the switch but don't know how to add a new rule in the same access-list
> When I add a new deny rule, it will be put at the end of the access-list
> If I remove access-list 140, I have to re-type all lines again.
Start using named access lists:

# show access-list
Extended IP access list BrettTest
    10 deny ip host 192.168.101.88 any
    20 permit tcp host 192.168.17.231 any eq domain
    30 permit udp host 192.168.17.231 any eq domain
    40 permit tcp host 192.168.17.231 any eq www

Then, you can insert/delete lines:

(config)#ip access-list extended BrettTest
(config-ext-nacl)#no 20
(config-ext-nacl)#35 permit tcp host 192.168.17.230 any eq www

Easy. You can also renumber access lists using "ip access-list resequence BrettTest 10 10". About the only thing you can't do is insert a remark into the access list - that'd be a nice feature to have.

B.

From David at Hughes.com.au Wed Feb 4 23:54:53 2009
From: David at Hughes.com.au (David Hughes)
Date: Thu, 5 Feb 2009 14:54:53 +1000
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To: <1233758875.6907.22.camel@mauritzlewies>
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> , <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> <1233758875.6907.22.camel@mauritzlewies>
Message-ID:

Hi

Good point. I see CFM has been introduced in SXI. But after wading through the doco, particularly in the area of "Continuity Check Messages", I see ....

-----
CFM CCMs have the following characteristics:

- Transmitted at a configurable periodic interval by MEPs. The interval can be from 10 seconds to 65535 seconds; the default is 30.

- Contain a configurable hold-time value to indicate to the receiver the validity of the message. The default is 2.5 times the transmit interval.
-----

So I see we now have yet another protocol implementation that isn't going to help us improve the availability of the networks we run. 10 second hello timers? That's soooo 1980's. :-)

According to Feature Navigator, the "UDLD Enhancements" feature, which I believe provides fast timers, is available in SXH4 and SXI. Our boxes are SXF and SXH3.
Can someone with an SXI box check the configuration range for

(config)#udld message time ?
  <7-90>  Time in seconds between sending of messages in steady state

Thanks

David
...

On 05/02/2009, at 12:47 AM, Mauritz Lewies wrote:

> I've not had much chance to play with it but will Ethernet CFM not work for this?
>
> On Wed, 2009-02-04 at 08:49 +1000, David Hughes wrote:
>
>> Yup, that's exactly the situation. STP will work around some of the problem caused by this but if you are presenting an etherchannel over multiple xconnects you can't pick up the link failure of part of the etherchannel without UDLD. We did some initial proof of concepts with 2900s running 2 second timers and it was great. Imagine the look on my face when we found out that 6500s don't have the functionality of a $1,000 access switch .....
>>
>> So, is the config option on SXI still 7 seconds at best?
>>
>> Thanks
>>
>> David
>> ...
>>
>> On 03/02/2009, at 7:45 PM, Thomas Dupas wrote:
>>
>>> I assume it's a L2 link (EoMPLS), so BFD won't help much.
>>>
>>> We're in the same situation, also stuck with UDLD timers and 2 parallel EoMPLS xconnects. I can't get the convergence lower than 20 seconds with the default UDLD, so I'm also hoping for fast UDLD
>>>
>>> Best Regards,
>>>
>>> Thomas
>>>
>>> ________________________________________
>>> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] on behalf of Gert Doering [gert at greenie.muc.de]
>>> Sent: Tuesday, 3 February 2009 8:15
>>> To: David Hughes
>>> CC: Cisco NSP ((E-mail))'
>>> Subject: Re: [c-nsp] Fast UDLD timers in SXI?
>>>
>>> Hi,
>>>
>>> On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote:
>>>> Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down to 1 second) or if we are still stuck with the old 7 sec timers.
>>>> We can do 1 sec UDLD on 2900 class switches so I hope we see it in the "premier switching platform" some time soon. We need some way to pick up a link failure at the far end of an EoMPLS xconnect in a reasonable time.
>>>
>>> Can you use BFD?
>>>
>>> (Yes, this is not answering your question - I don't know the answer - but it might be an alternative approach if this is a layer 3 link)
>>>
>>> gert
>>> --
>>> USENET is *not* the non-clickable part of WWW!
>>> //www.muc.de/~gert/
>>> Gert Doering - Munich, Germany                             gert at greenie.muc.de
>>> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From tvarriale at comcast.net Thu Feb 5 00:48:59 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 4 Feb 2009 23:48:59 -0600
Subject: [c-nsp] How to add new rule in the same access-list
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
Message-ID: <65DFE63F24D74C3C844F4312D00A5CDD@flamdt01>

conf t
ip access-list ext 140

But, based on your output, I'd guess your IOS doesn't support sequenceable ACLs. What code are you running?

tv

----- Original Message -----
From: "Deric Kwok"
To:
Sent: Wednesday, February 04, 2009 8:26 PM
Subject: [c-nsp] How to add new rule in the same access-list

> Hi
>
> I have an old rule in the switch but don't know how to add a new rule in the same access-list
>
> When I add a new deny rule, it will be put at the end of the access-list
>
> If I remove access-list 140, I have to re-type all lines again.
>
> Please help.
>
> Thank you
>
> switch#sh access-list 140
> Extended IP access list 140
>     deny udp any host 192.168.1.118 eq ntp log (4 matches)
>     permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log
>     deny udp any host 192.168.1.118 eq snmp log
>     permit ip any any (49 matches)
>
> switch#config t
> Enter configuration commands, one per line.  End with CNTL/Z.
> switch(config)#access-list 140 deny tcp any host 192.168.1.118 eq 123 log
>
> switch#sh ip access-lists 140
> Extended IP access list 140
>     deny udp any host 192.168.1.118 eq ntp log (6 matches)
>     permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log (35 matches)
>     deny udp any host 192.168.1.118 eq snmp log
>     permit ip any any (174 matches)
>     deny tcp any host 192.168.1.118 eq 123 log

From Damien.Vigar at det.nsw.edu.au Thu Feb 5 00:50:24 2009
From: Damien.Vigar at det.nsw.edu.au (Vigar, Damien)
Date: Thu, 5 Feb 2009 16:50:24 +1100
Subject: [c-nsp] 3750-12G interfaces dropping out
In-Reply-To: <5C548098-B7E6-4B3C-903E-FD75C2152293@labyrinth.org>
References: <5C548098-B7E6-4B3C-903E-FD75C2152293@labyrinth.org>
Message-ID: <0DD0E17BE9C0FA47981C67E9939D3D342EABEA0CCB@SLPPEXCCR02.central.det.win>

Hi all,

We're having an odd issue with a 3750 that's running as the core switch at one of our sites. It's been fine for years; suddenly, this week, it's decided that some of its interfaces should reset randomly, disrupting access to staff phones and PCs in the buildings at the other end.

It's in a stack (as master) with a 3750-48. All interfaces are populated with 1000SX SFP modules (all genuine Cisco). All edge switches are 3560s.
None of the edge switches show anything in the log about the link loss (it's only about 3 seconds) but the core switch shows this:

Date        Time      Priority       Hostname      Message
02-05-2009  16:30:44  Local7.Notice  10.2.115.182  640: 000609: Feb 5 16:30:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009  16:30:41  Local7.Notice  10.2.115.182  639: 000608: Feb 5 16:30:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009  16:28:31  Local7.Notice  10.2.115.182  638: 000607: Feb 5 16:28:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up
02-05-2009  16:28:28  Local7.Notice  10.2.115.182  637: 000606: Feb 5 16:28:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to down
02-05-2009  16:24:41  Local7.Notice  10.2.115.182  635: 000604: Feb 5 16:24:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
02-05-2009  16:24:38  Local7.Notice  10.2.115.182  634: 000603: Feb 5 16:24:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to down
02-05-2009  16:16:42  Local7.Notice  10.2.115.182  633: 000602: Feb 5 16:16:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009  16:16:38  Local7.Notice  10.2.115.182  632: 000601: Feb 5 16:16:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009  16:14:36  Local7.Notice  10.2.115.182  631: 000600: Feb 5 16:14:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009  16:14:33  Local7.Notice  10.2.115.182  630: 000599: Feb 5 16:14:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009  16:12:03  Local7.Notice  10.2.115.182  629: 000598: Feb 5 16:12:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009  16:12:00  Local7.Notice  10.2.115.182  628: 000597: Feb 5 16:12:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009  16:01:35  Local7.Notice  10.2.115.182  627: 000596: Feb 5 16:01:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
02-05-2009  16:01:32  Local7.Notice  10.2.115.182  626: 000595: Feb 5 16:01:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down
02-05-2009  15:49:02  Local7.Notice  10.2.115.182  625: 000594: Feb 5 15:49:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/21, changed state to up
02-05-2009  15:49:00  Local7.Notice  10.2.115.182  624: 000593: Feb 5 15:48:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/21, changed state to down
02-05-2009  15:43:24  Local7.Notice  10.2.115.182  623: 000592: Feb 5 15:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
02-05-2009  15:43:21  Local7.Notice  10.2.115.182  622: 000591: Feb 5 15:43:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down

I note that it's only the line protocol dropping, not the actual interface. I have seen this happen once when I was looking at the switch - all the activity lights froze, some went out, and then the switch happily went back to normal.

It's only some of the interfaces, too - 1, 2, 5, 9 and 10 out of 12. None of the interfaces on the 3750-48 that's a stack member have been affected at all.

Has anyone seen this sort of behaviour before? It's hard to know where to look. Nothing much has happened this week; we did have a new link to new switches in a building patched in on Monday but that link isn't affected (I disabled the interface and the problem was still occurring while it was down).
Some PCs and phones have been set up in one of the buildings that previously were at another site, so perhaps that could be related, although the edge switches in that building show no problems internally...

Regards,
Damien

From gert at greenie.muc.de Thu Feb 5 02:24:26 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 5 Feb 2009 08:24:26 +0100
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To:
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> <1233758875.6907.22.camel@mauritzlewies>
Message-ID: <20090205072426.GU290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 02:54:53PM +1000, David Hughes wrote:
> (config)#udld message time ?
>   <7-90>  Time in seconds between sending of messages in steady state

SXI, Sup32:

Cisco-M(config)#udld message time ?
  <7-90>  Time in seconds between sending of messages in steady state

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
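The core-switch syslog Damien posted in the "3750-12G interfaces dropping out" thread above pairs each line-protocol down with the up that follows it. The script below is an added example, not code from the thread or from Cisco: it summarises those flaps per interface and checks both the relay's and the switch's message counters for holes; the sample log is constructed from the entries he quoted, and the column layout it assumes is the one shown in his post.

```python
"""Added example (not from the thread): summarise %LINEPROTO-5-UPDOWN flaps
from the 3750 syslog quoted above and check its message counters for gaps."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the relay's format: "MM-DD-YYYY HH:MM:SS facility.sev
# host <relay seq>: <switch seq>: <switch time>: <message>", newest first.
SAMPLE_LOG = """\
02-05-2009 16:30:44 Local7.Notice 10.2.115.182 640: 000609: Feb 5 16:30:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009 16:30:41 Local7.Notice 10.2.115.182 639: 000608: Feb 5 16:30:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009 16:28:31 Local7.Notice 10.2.115.182 638: 000607: Feb 5 16:28:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up
02-05-2009 16:28:28 Local7.Notice 10.2.115.182 637: 000606: Feb 5 16:28:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to down
02-05-2009 16:24:41 Local7.Notice 10.2.115.182 635: 000604: Feb 5 16:24:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
02-05-2009 16:24:38 Local7.Notice 10.2.115.182 634: 000603: Feb 5 16:24:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to down
02-05-2009 16:16:42 Local7.Notice 10.2.115.182 633: 000602: Feb 5 16:16:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009 16:16:38 Local7.Notice 10.2.115.182 632: 000601: Feb 5 16:16:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009 16:14:36 Local7.Notice 10.2.115.182 631: 000600: Feb 5 16:14:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009 16:14:33 Local7.Notice 10.2.115.182 630: 000599: Feb 5 16:14:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009 16:12:03 Local7.Notice 10.2.115.182 629: 000598: Feb 5 16:12:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009 16:12:00 Local7.Notice 10.2.115.182 628: 000597: Feb 5 16:12:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009 16:01:35 Local7.Notice 10.2.115.182 627: 000596: Feb 5 16:01:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
02-05-2009 16:01:32 Local7.Notice 10.2.115.182 626: 000595: Feb 5 16:01:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down
02-05-2009 15:49:02 Local7.Notice 10.2.115.182 625: 000594: Feb 5 15:49:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/21, changed state to up
02-05-2009 15:49:00 Local7.Notice 10.2.115.182 624: 000593: Feb 5 15:48:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/21, changed state to down
02-05-2009 15:43:24 Local7.Notice 10.2.115.182 623: 000592: Feb 5 15:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
02-05-2009 15:43:21 Local7.Notice 10.2.115.182 622: 000591: Feb 5 15:43:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down
"""

UPDOWN_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"(?P<relay_seq>\d+): (?P<sw_seq>\d+): .*?%LINEPROTO-5-UPDOWN: "
    r"Line protocol on Interface (?P<intf>\S+), changed state to (?P<state>up|down)$"
)
# Matches every relayed line, not only UPDOWN ones, so gap detection is not
# fooled by unrelated messages that parse_updown() ignores.
SEQ_RE = re.compile(r"^\S+ \S+ \S+ \S+ (?P<relay_seq>\d+): (?P<sw_seq>\d+): ")


def parse_updown(text):
    """Return the line-protocol up/down events, oldest first (relay clock)."""
    events = []
    for line in text.splitlines():
        m = UPDOWN_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%Y %H:%M:%S")
            events.append({"ts": ts, "intf": m["intf"], "state": m["state"]})
    events.sort(key=lambda e: e["ts"])
    return events


def flap_summary(events):
    """Pair each 'down' with the next 'up' on the same interface.

    Returns {interface: {"flaps", "total_down_s", "max_down_s", "still_down"}};
    a 'down' with no later 'up' is reported as an open outage, not a flap.
    """
    pending = {}  # interface -> time of the unmatched 'down'
    summary = defaultdict(
        lambda: {"flaps": 0, "total_down_s": 0, "max_down_s": 0, "still_down": False}
    )
    for e in events:
        s = summary[e["intf"]]
        if e["state"] == "down":
            pending[e["intf"]] = e["ts"]
        elif e["intf"] in pending:
            secs = int((e["ts"] - pending.pop(e["intf"])).total_seconds())
            s["flaps"] += 1
            s["total_down_s"] += secs
            s["max_down_s"] = max(s["max_down_s"], secs)
    for intf in pending:  # went down and never came back within the sample
        summary[intf]["still_down"] = True
    return dict(summary)


def sequence_gaps(text):
    """Missing numbers in the relay's and the switch's own message counters.

    A hole in the switch counter means a message the switch emitted never
    reached the collector; a hole in the relay counter points at the relay.
    """
    seen = {"relay_seq": set(), "sw_seq": set()}
    for line in text.splitlines():
        m = SEQ_RE.match(line.strip())
        if m:
            seen["relay_seq"].add(int(m["relay_seq"]))
            seen["sw_seq"].add(int(m["sw_seq"]))
    return {
        field: [n for n in range(min(nums), max(nums) + 1) if n not in nums] if nums else []
        for field, nums in seen.items()
    }


if __name__ == "__main__":
    for intf, s in sorted(flap_summary(parse_updown(SAMPLE_LOG)).items()):
        print(f"{intf}: {s['flaps']} flap(s), {s['total_down_s']}s down in total, "
              f"longest {s['max_down_s']}s, still down: {s['still_down']}")
    print("counter gaps:", sequence_gaps(SAMPLE_LOG))
```

On the quoted sample both counters have exactly one hole (relay 636, switch 000605), which is worth chasing separately from the flaps themselves: a collector that silently loses messages will also lose the one you need during an incident.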
From sethm at rollernet.us Thu Feb 5 02:29:54 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 04 Feb 2009 23:29:54 -0800
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
Message-ID: <498A9572.6010608@rollernet.us>

Deric Kwok wrote:
> Hi
>
> I have an old rule in the switch but don't know how to add a new rule in the same access-list
>
> When I add a new deny rule, it will be put at the end of the access-list
>
> If I remove access-list 140, I have to re-type all lines again.

That's correct. You need to remove and recreate it in the correct order, lacking sequences.

~Seth

From ahmedazim at gmail.com Thu Feb 5 05:10:39 2009
From: ahmedazim at gmail.com (Ahmed Mohamed)
Date: Thu, 5 Feb 2009 12:10:39 +0200
Subject: [c-nsp] reacheability issue in MEL link
In-Reply-To: <7FEDD455961B164D8C4EEA60E22914207D7B0FFFA7@EXCHANGE1.intranet.iseek.com.au>
References: <0BB7A1080B7DBD4494E09FF171D2ACEA02855555@xmb-ams-33c.emea.cisco.com> <7FEDD455961B164D8C4EEA60E22914207D7B0FFFA7@EXCHANGE1.intranet.iseek.com.au>
Message-ID:

Hi,

Just wanted to share with you: I found the problem in a damaged port. The port is in a Fast Ethernet module, PA-2FE-TX. The funny thing is that the interface goes "up-up" when a cable is plugged in and "down-down" when unplugged, and the Field Engineer confirmed the LED shows normal operation, but the port wouldn't ping!!!
When I moved the circuit to the second port in the module, the ping was successful.

So beware of this tricky fault; always try another port ;)

On Wed, Feb 4, 2009 at 5:48 PM, Matt Carter wrote:
> hi,
>
> my advice, check to see if the SP is actually giving you a service which you can do trunking on (ie, they have vlan stacking aka dot1q enabled)
>
> if that is the case, ensure you have the vlan dot1q tag native command enabled to ensure all frames for all vlans are tagged (otherwise the native vlan will be untagged) that seems to cause some problem for some carriers (getting a mix of vlan colored/uncolored packets)
>
> and yes it is common for failure in the carrier network not to be reflected at the switch port you are connected to, enable UDLD or BFD to pick up holes in the middle..
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ahmed Mohamed
> > Sent: Thursday, 5 February 2009 1:15 AM
> > To: Ahmed Maged (amaged)
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] reacheability issue in MEL link
> >
> > --------------------------------Metroethernet(carrier)-------------------------ethernet(cable)-----
> >
> > for a link as simple as the above, if:
> > + the CE, the Agg. switch and the PE interfaces are in the same vlan
> > + the CE and the PE IP interfaces are in the same subnet
> >
> > then I must (at least) have an entry in the arp table, and a successful ping, which is not the case
> >
> > what was getting me crazy is that all interfaces are up-up all the time, but I just received feedback today that MetroEthernet carriers have NTUs acting as Ethernet HUBs, so as long as they are functional, you will have the interfaces up-up even if the circuit is broken inside the carrier!!!
> >
> > tomorrow I will order dual dispatch to both ends, will test circuit termination at both ends
> >
> > "traceroute mac" feature is not in the CE or PE IOS
> >
> > On Wed, Feb 4, 2009 at 1:25 PM, Ahmed Maged (amaged) wrote:
> >
> > > Troubleshoot layer by layer.
> > >
> > > If the lower layers don't work, don't expect anything to behave properly.
> > >
> > > Follow the L2 frame with (ltrace) if available on your IOS.
> > >
> > > How about debugging?
> > >
> > > Can you install a sniffer?
> > >
> > > What do you see on the interface counters?
> > >
> > > Did you try anything else other than ping? Maybe ICMP is blocked.
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ahmed Mohamed
> > > Sent: Tuesday, February 03, 2009 2:28 AM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] reacheability issue in MEL link
> > >
> > > Hello,
> > >
> > > this is a real life problem still occurring, and I have no idea what may be causing it ..
> > >
> > > we are providing an internet direct service to our customer via MEL (Metro Ethernet Link)
> > >
> > > CE (CS-7206 VXR) fe2/0.36 ------------------Etherlink(local carrier)---------------- WS-3759G-24TS--PE(CS-7000)
> > >
> > > the solution is provided using a carrier to link the customer CE to an aggregation switch, using Metro Ethernet, configuring vlan 36 and using dot1q encapsulation, then from the aggregating switch to the PE router also using encapsulation dot1q for vlan 36
> > >
> > > all interfaces are up-up, and still ping fails !!
> > >
> > > I tried everything: resetting ports, switches, reconfiguring interfaces ..etc. still no joy
> > >
> > > any idea what could be causing the problem ?
> > >
> > > ========================================================================
> > > CE:
> > > -----
> > > interface FastEthernet2/0.36
> > >  bandwidth 61440
> > >  encapsulation dot1Q 36
> > >  ip address 57.78.2.6 255.255.255.252
> > > ========================================================================
> > > Agg. switch:
> > > ------------------
> > > interface GigabitEthernet1/0/9
> > >  switchport trunk encapsulation dot1q
> > >  switchport trunk native vlan 3109
> > >  switchport trunk allowed vlan 36,3109
> > >  switchport mode trunk
> > >  switchport nonegotiate
> > >  duplex full
> > >  speed 100
> > >  mls qos trust cos
> > >  spanning-tree bpdufilter enable
> > > ========================================================================
> > > PE:
> > > ------
> > > interface FastEthernet5/1/1.36
> > >  bandwidth 61440
> > >  encapsulation dot1Q 36
> > >  ip address 57.78.2.5 255.255.255.252
> > >  no ip redirects
> > >  no ip proxy-arp
> > >  no ip route-cache
> > >  no cdp enable
> > > ========================================================================
> > > bmil305#sh int FastEthernet5/1/1.36
> > > FastEthernet5/1/1.36 is up, line protocol is up <<<<<<
> > >   Hardware is cyBus FastEthernet Interface, address is 0003.fe91.b8a9 (bia 0003.fe91.b8a9)
> > >   Internet address is 57.78.2.5/30
> > >   MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
> > >      reliability 255/255, txload 1/255, rxload 1/255
> > >   Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
> > >   ARP type: ARPA, ARP Timeout 04:00:00
> > > ========================================================================
> > > pmil2534#sh int Fa2/0.36
> > > FastEthernet2/0.36 is up, line protocol is up <<<<<<
> > >   Hardware is i82543 (Livengood), address is 0022.be8b.1038 (bia 0022.be8b.1038)
> > >   Description: --- To bmil305 - FE5/1/1.5
> > >   Internet address is 57.78.2.6/30
> > >   MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
> > >      reliability 255/255, txload 1/255, rxload 1/255
> > >   Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
> > > ========================================================================
> > > ping PE to CE fails:
> > > ----------------------------
> > > bmil305#ping 57.78.2.6 <<<<<<
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 57.78.2.6, timeout is 2 seconds:
> > > .....
> > > Success rate is 0 percent (0/5)
> > > ========================================================================
> > > PE to internet (google) successfully:
> > > ------------------------------------------------------
> > > bmil305#ping 216.239.59.147 source fast 5/1/1.36 repeat 100 size 500
> > > Type escape sequence to abort.
> > > Sending 100, 500-byte ICMP Echos to 216.239.59.147, timeout is 2 seconds:
> > > Packet sent with a source address of 57.78.2.5
> > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > > Success rate is 100 percent (100/100), round-trip min/avg/max = 36/40/112 ms
> > > ========================================================================

From ibrahim.abozaid at gmail.com Thu Feb 5 05:41:13 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 5 Feb 2009 12:41:13 +0200
Subject: [c-nsp] AToM Lab Problem
In-Reply-To:
References: <3044d0930902041310w27d8f3b6i3f6b3b718089323@mail.gmail.com>
Message-ID:

Dear All

Many thanks for your replies -:)

I think now I have to rent a rack to finish that -:)

best regards
--Ibrahim

On Thu, Feb 5, 2009 at 2:47 AM, Antonio Soares wrote:
> There's another problem: ATM AAL5 over MPLS and ATM Cell Relay over MPLS are not supported with the PA-A1, the only ATM interface supported by Dynamips.
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/atom25s.html#wp1068980
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee
> Sent: Wednesday, 4 February 2009 21:11
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] AToM Lab Problem
>
> On Wed, Feb 4, 2009 at 8:51 PM, Ibrahim Abo Zaid <ibrahim.abozaid at gmail.com> wrote:
> > Hi All
> >
> > I was labbing an AToM scenario and used IOS 12.2(33)SRC for the ATM AAL5 and ATM Cell-relay feature, but I can't get dynamips to run this image; it always results in "*** Error: 209-unable to start VM instance" error messages.
> >
> > Does anybody lab this feature using a different image, or know how to fix this error message?
> >
> > complete image name
> > c7200p-spservicesk9-mz.122-33.SRC3_3.bin
> >
> > best regards
> > --Ibrahim
>
> I used the following in my .net file to get a p image to work
>
> [localhost:7201]
> workingdir = /tmp
> udp = 10100
> [[7200]]
> image = /home/dynamips/c7200-spserv.image
> ghostios = True
> # sparsemem = True
> npe = npe-g2
>
> Wayne

From jaldrich at blueridgecarpet.com Thu Feb 5 05:41:39 2009
From: jaldrich at blueridgecarpet.com (John Aldrich)
Date: Thu, 5 Feb 2009 05:41:39 -0500
Subject: [c-nsp] vpn client issues with ASA
Message-ID: <200902050541.39115.jaldrich@blueridgecarpet.com>

We just upgraded our firewall from a Pix to an ASA, and now, for some reason, even though we have it specified in the VPN Client software, we are having to enter our password every time. Is this a feature of the ASA or is it configurable? We never had to do this before, and it's rather annoying. I don't think it's the client as I never had to do this before, and also, I set up a new connection from scratch and it required the password as well when connecting.

Any suggestions?
--
Thanks,
John Aldrich
Blueridge Industries IT Manager

From euang+cisco-nsp at lists.eusahues.co.uk Thu Feb 5 06:11:00 2009
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Thu, 5 Feb 2009 11:11:00 +0000
Subject: [c-nsp] PPPoA sessions
In-Reply-To:
References: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com>
Message-ID: <20090205111100.GA26248@hyperion.eusahues.co.uk>

On Wed, Feb 04, 2009 at 03:26:59PM -0600, Frank Bulk wrote:
> Definitely doesn't work with 12.2(31)SB14. I get all zeroes on my box.
>
> OID                           Object Type            Value
> 1.3.6.1.4.1.9.10.24.1.1.1.0   cvpdnTunnelTotal       GAUGE    0
> 1.3.6.1.4.1.9.10.24.1.1.2.0   cvpdnSessionTotal      GAUGE    0
> 1.3.6.1.4.1.9.10.24.1.1.3.0   cvpdnDeniedUsersTotal  COUNTER  0

Those are different to the ones quoted by Wayne.

1.3.6.1.4.1.9.10.24.1.1.4.1.2.tunneltype (2 for l2tp)  cvpdnSystemTunnelTotal
1.3.6.1.4.1.9.10.24.1.1.4.1.3.tunneltype (2 for l2tp)  cvpdnSystemSessionTotal
1.3.6.1.4.1.9.10.24.1.1.4.1.4.tunneltype (2 for l2tp)  cvpdnSystemDeniedUsersTotal

I would have thought those ones work in 12.2SB (not checked though).
--
Euan Galloway

From gkg at gmx.de Thu Feb 5 06:59:30 2009
From: gkg at gmx.de (Garry)
Date: Thu, 05 Feb 2009 12:59:30 +0100
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498A9572.6010608@rollernet.us>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us>
Message-ID: <498AD4A2.9040608@gmx.de>

Seth Mattinen wrote:
> Deric Kwok wrote:
>
>> Hi
>>
>> I have an old rule in the switch but don't know how to add a new rule in the same access-list
>>
>> When I add a new deny rule, it will be put at the end of the access-list
>>
>> If I remove access-list 140, I have to re-type all lines again.
>
> That's correct. You need to remove and recreate it in the correct order, lacking sequences.

Not necessarily, you can always do a "show access-list 140", you'll get a numbered list of rules. Then you can delete single lines by doing something like this:

conf t
ip access-list extended 140
no 30          <-- if the line you want to get rid of is #30
30 permit ...  <-- of course you can add a new #30
31 permit ...  <-- or insert additional lines ...
32 deny ...    <-- ditto

AFAIK, the numbering stays constant until the next router reload ... then, it is "renumbered" internally to use the 10-20-30... distance for every line ... (if anybody knows a way to renumber w/o rebooting, please let me know)

-garry

From erik at infopact.nl Thu Feb 5 07:10:04 2009
From: erik at infopact.nl (E. Versaevel)
Date: Thu, 05 Feb 2009 13:10:04 +0100
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498AD4A2.9040608@gmx.de>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <498AD4A2.9040608@gmx.de>
Message-ID: <498AD71C.3050008@infopact.nl>

Garry wrote:
> Seth Mattinen wrote:
>> Deric Kwok wrote:
>>
>>> Hi
>>>
>>> I have an old rule in the switch but don't know how to add a new rule in the same access-list
>>>
>>> When I add a new deny rule, it will be put at the end of the access-list
>>>
>>> If I remove access-list 140, I have to re-type all lines again.
>>
>> That's correct. You need to remove and recreate it in the correct order, lacking sequences.
>
> Not necessarily, you can always do a "show access-list 140", you'll get a numbered list of rules. Then you can delete single lines by doing something like this:
>
> conf t
> ip access-list extended 140
> no 30          <-- if the line you want to get rid of is #30
> 30 permit ...  <-- of course you can add a new #30
> 31 permit ...  <-- or insert additional lines ...
> 32 deny ...    <-- ditto
>
> AFAIK, the numbering stays constant until the next router reload ... then, it is "renumbered" internally to use the 10-20-30... distance for every line ... (if anybody knows a way to renumber w/o rebooting, please let me know)

Time to read back a bit :)

Cisco has 2 kinds of access-lists, the 'old' numbered access-lists

access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any

These cannot be edited other than by deleting them and recreating the modified access-list (which might result in blackholing yourself if you delete the access-list without removing it from the interfaces ;) as a non-existing access-list on an interface equals deny any any).

The 2nd kind of access-list are the ip access-lists; these have sequence numbers and thus provide a way to insert/remove single entries from these lists.
The sequence numbers are reset after a router reload or can be resequenced by hand (ip access-list resequence list_name 10 10).

So in order to insert an entry in an ip access-list you need to know the available sequence numbers. If you issue a show ip access-list you'll get an overview of the access-lists (and sequence numbers).

Erik Versaevel

From dv at dv.ru Thu Feb 5 07:18:50 2009
From: dv at dv.ru (Dmitry Valdov)
Date: Thu, 5 Feb 2009 15:18:50 +0300 (MSK)
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498AD71C.3050008@infopact.nl>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <498AD4A2.9040608@gmx.de> <498AD71C.3050008@infopact.nl>
Message-ID: <20090205151337.H22606@xkis.kis.ru>

Hello,

On Thu, 5 Feb 2009, E. Versaevel wrote:

> Cisco has 2 kinds of access-lists, the 'old' numbered access-lists
>
> access-list 100 permit ip 192.168.0.0 0.0.0.255 any
> access-list 100 deny ip any any
>
> These cannot be edited other than by deleting them and recreating the modified access-list (which might result in blackholing yourself if you delete the access-list without removing it from the interfaces ;) as a non-existing access-list on an interface equals deny any any)

In recent IOS versions they can be edited in the same manner as named ACLs. Use the number instead of a name and specify the right ACL type (standard/extended).

ip access-list standard 3
[....]

> The 2nd kind of access-list are the ip access-lists; these have sequence numbers and thus provide a way to insert/remove single entries from these lists.
> The sequence numbers are reset after a router reload or can be resequenced by hand (ip access-list resequence list_name 10 10)
> So in order to insert an entry in an ip access-list you need to know the available sequence numbers.
> If you issue a show ip access-list you'll get an
> overview of the access-lists (and sequence numbers)

--
Dmitry Valdov
CCIE #15379 (R&S and SP)

From tim at pelican.org Thu Feb 5 07:45:15 2009
From: tim at pelican.org (Tim Franklin)
Date: Thu, 5 Feb 2009 12:45:15 -0000 (GMT)
Subject: [c-nsp] access list help
In-Reply-To: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org> <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>
Message-ID: <9f41bd48f428fb15340c3dde3bab4c8b.squirrel@webmail.pelican.org>

On Wed, February 4, 2009 6:24 pm, Deric Kwok wrote:
>> >Traffic that's being switched between layer-2 ports will never be
>> >processed by that ACL.
>> >
> You mean my access-list is only for router not switch?

Not so much the ACL, but where you've applied it. 'Interface vlan1' is a layer-3 interface. Traffic will only go in or out of this interface if it's going to the IP address of the switch, either because it's destined to the switch, or because the switch is the IP next-hop and is going to route (not switch) the traffic on. Traffic that's being switched between ports at layer-2 only goes in and out of the physical ports, e.g. fastethernet0/1 - even though they might be in vlan 1, it doesn't traverse the vlan1 interface.

> In this case, how can I do to not allow www traffic to 192.168.0.115 in
> switch?

I believe you'll need the ACL applied in-bound on every physical port that could have traffic going towards 192.168.0.115 - so the uplink port, and any other ports that have devices attached.

> Could you give me examples ACLs to permit by default?

You need a 'permit ip any any' statement at the end of each ACL to permit by default for that ACL.
This is going to be very important once you start applying the ACL to the physical ports, as above - if you don't include the 'permit ip any any' at the end, you'll effectively shut off that port completely.

Regards,
Tim.

From p.mayers at imperial.ac.uk Thu Feb 5 08:08:53 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 05 Feb 2009 13:08:53 +0000
Subject: [c-nsp] Use "plain old IP" for non-VRF traffic?
Message-ID: <498AE4E5.9050101@imperial.ac.uk>

We have an MPLS L3VPN-based network, and I want to use plain-old IPv4 (no labels) for the non-VRF traffic.

The reason I want to do this is we're seeing a bug related to VACL-capture - packets whose next-hop is a label-imposition are not captured. I'm going to deal with that separately via TAC, but we need the VACL capture to work ASAP.

This is in 12.2(33)SXI

From oboehmer at cisco.com Thu Feb 5 08:20:35 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 5 Feb 2009 14:20:35 +0100
Subject: [c-nsp] Use "plain old IP" for non-VRF traffic?
In-Reply-To: <498AE4E5.9050101@imperial.ac.uk>
References: <498AE4E5.9050101@imperial.ac.uk>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E86B@xmb-ams-333.emea.cisco.com>

Phil Mayers <> wrote on Thursday, February 05, 2009 14:09:
> We have an MPLS L3VPN-based network, and I want to use plain-old IPv4
> (no labels) for the non-VRF traffic.
>
> The reason I want to do this is we're seeing a bug related to
> VACL-capture - packets whose next-hop is a label-imposition are not
> captured. I'm going to deal with that separately via TAC, but we need
> the VACL capture to work ASAP.

Unless you are using BGP to carry IPv4 (plain old) prefixes, you can limit label advertisements to your BGP next-hops (which advertise the vpnv4 prefixes):

no mpls advertise-labels
mpls advertise-labels for PE-loopbacks
!
ip access-list standard PE-loopbacks
permit
Strictly speaking you only need to do this on the router where you want to use VACL; then the adjacent LSRs will pop their label towards this node..

oli

From p.mayers at imperial.ac.uk Thu Feb 5 08:35:53 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 05 Feb 2009 13:35:53 +0000
Subject: [c-nsp] Use "plain old IP" for non-VRF traffic?
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E86B@xmb-ams-333.emea.cisco.com>
References: <498AE4E5.9050101@imperial.ac.uk> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E86B@xmb-ams-333.emea.cisco.com>
Message-ID: <498AEB39.9090105@imperial.ac.uk>

Oliver Boehmer (oboehmer) wrote:
> Phil Mayers <> wrote on Thursday, February 05, 2009 14:09:
>
>> We have an MPLS L3VPN-based network, and I want to use plain-old IPv4
>> (no labels) for the non-VRF traffic.
>>
>> The reason I want to do this is we're seeing a bug related to
>> VACL-capture - packets whose next-hop is a label-imposition are not
>> captured. I'm going to deal with that separately via TAC, but we need
>> the VACL capture to work ASAP.
>
> unless you are using BGP to carry IPv4 (plain old) prefixes, you can

Sadly, we are doing that.

From rens at autempspourmoi.be Thu Feb 5 08:39:35 2009
From: rens at autempspourmoi.be (Rens)
Date: Thu, 5 Feb 2009 14:39:35 +0100
Subject: [c-nsp] Ethernet VPN circuits
In-Reply-To: <004201c986dd$1299bf10$37cd3d30$@org.uk>
References: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com> <004201c986dd$1299bf10$37cd3d30$@org.uk>
Message-ID: <4947ADE167854B32B3F41418CFEE4FF0@EU.corp.clearwire.com>

I think I explained my problem badly below.
On CS we receive the frames like this: [outer tag].[inner tag]
On RS they strip off the outer tag.
The provider uses the outer tag to decide to which RS it should go.

So if I would want to do an OSPF between a CS & RS I would have this problem:

1) I either remove the outer tag on the switch so on my router I can do the same subinterface dot1q [inner tag] => but this won't work when I want to do the same thing with multiple RS

2) Can I pass the double tag through my switch to our 7206 and configure a double dot1q [outer tag].[inner tag] on my subinterface?

-----Original Message-----
From: Dean Smith [mailto:dean at eatworms.org.uk]
Sent: Wednesday 4 February 2009 16:27
To: 'Rens'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Ethernet VPN circuits

Can't speak for your product... but in the UK we've used similar from the 4 or 5 biggest suppliers and they all work the same...

At the central site access is delivered over a single high B/W Trunk. We (Customer) and supplier agree a vlan tag per site. At the remote site the port is provided with no vlan tag. So if we have a single IP connection between, there are no multiple VLAN tags.

Router at the central site - configure your IP interface as Vlan subinterface on CS Router. Trunk between CS Router & CS Switch. Configure CS Switch port facing provider as trunk as well. (Control the VLANs you want to send etc on each trunk port). The CS Switch is optional. (We do actually have these for various reasons - but will be phasing them out in new core site builds.)

At the Remote site it's just a straight Ethernet port. Not sure why you'd use the RS Switch at all.
Dean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rens
Sent: 04 February 2009 12:27
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Ethernet VPN circuits

Hi,

We have a provider that has a new product and I would like to know if I could use it with our current infrastructure to interconnect sites.

This is how it works on the provider side:
- 1 Central Site where everything arrives
- Multiple Remote Sites that you can connect to the Central Site
- Per Remote Site we have to define a VLAN tag.

So it would look like this:

My CS router <=> my CS switch <=> provider CS switch <=> provider Backbone <=> provider RS switch <=> My RS router
7206VXR <=> 3550 <=> 2960 <=> No Idea <=> 2960 <=> 1841

So if I want to do a /30 OSPF between my CS router and my RS router I would use vlan 200 for this at the RS router (subinterface dot1q); it enters the provider RS switch and they add the predefined vlan as outer tag (example 800).

It arrives like this at my CS site and now I have a problem.

1) I either remove the outer tag VLAN (800) on the switch so on my router I can do the same subinterface dot1q 200 => but this won't work when I want to do the same thing with multiple RS

2) Can I pass the double tag through my switch to our 7206 and configure a double dot1q subinterface, so the router removes both outer & inner 800 & 200 and OSPF goes up :-)

Any help is appreciated.
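What the CS router actually sees under the two options above, as an added Python example (this is not code from the thread or from any Cisco product). It builds frames with the provider's outer tag and the customer's inner tag, strips the outer tag the way option 1's switch would, and maps the remaining tag stack to a subinterface the way 'encapsulation dot1Q <outer>' and 'encapsulation dot1Q <outer> second-dot1q <inner>' would. The MAC addresses, the placeholder payload, the second remote site's outer tag 801 and the subinterface names are constructed for the example; 800 and 200 are the values from the thread.

```python
import struct

# TPIDs that introduce a VLAN tag: the 802.1Q C-tag, the 802.1ad S-tag and the
# pre-standard 0x9100 that some provider switches still push as an outer tag.
TAG_ETHERTYPES = {0x8100, 0x88A8, 0x9100}


def build_frame(dst, src, vids, ethertype, payload, outer_tpid=0x8100):
    """Build an Ethernet frame carrying the VLAN IDs in `vids`, outermost first.
    The outermost tag uses `outer_tpid`; inner tags use 0x8100 (PCP/DEI zero)."""
    hdr = bytes(dst) + bytes(src)
    for i, vid in enumerate(vids):
        tpid = outer_tpid if i == 0 else 0x8100
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + bytes(payload)


def parse_vlan_stack(frame):
    """Return (vids outermost-first, payload ethertype, payload bytes)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vids = 12, []
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vids.append(tci & 0x0FFF)          # VID is the low 12 bits of the TCI
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return vids, ethertype, frame[offset + 2:]


def select_subinterface(vids, subinterfaces):
    """Map a frame's tag stack to a subinterface name, or None (frame dropped).
    Keys mirror 'encapsulation dot1Q <outer>' -> (outer,) and
    'encapsulation dot1Q <outer> second-dot1q <inner>' -> (outer, inner)."""
    return subinterfaces.get(tuple(vids))


def strip_outer_tag(frame):
    """What option 1 does on the CS switch: pop the outermost tag only."""
    vids, ethertype, payload = parse_vlan_stack(frame)
    return build_frame(frame[:6], frame[6:12], vids[1:], ethertype, payload)


# Constructed sample: two remote sites, both using inner VLAN 200 for their /30,
# behind provider outer tags 800 (thread's example) and 801 (assumed second site).
MAC_CS = bytes.fromhex("0200000000aa")
MAC_RS1 = bytes.fromhex("0200000000b1")
MAC_RS2 = bytes.fromhex("0200000000b2")
PAYLOAD = bytes(20)  # placeholder payload, not a real IP packet

FROM_RS1 = build_frame(MAC_CS, MAC_RS1, [800, 200], 0x0800, PAYLOAD, outer_tpid=0x88A8)
FROM_RS2 = build_frame(MAC_CS, MAC_RS2, [801, 200], 0x0800, PAYLOAD, outer_tpid=0x88A8)

# Option 1: the switch strips the outer tag; the router only has 'dot1Q 200'.
SUBIFS_OPTION1 = {(200,): "Gi0/2.200"}
# Option 2: the double tag reaches the router; one subinterface per remote site.
SUBIFS_OPTION2 = {(800, 200): "Gi0/2.800200", (801, 200): "Gi0/2.801200"}


def demo():
    """Return {site: (subinterface under option 1, subinterface under option 2)}."""
    out = {}
    for site, frame in (("RS1", FROM_RS1), ("RS2", FROM_RS2)):
        after_switch = strip_outer_tag(frame)
        opt1 = select_subinterface(parse_vlan_stack(after_switch)[0], SUBIFS_OPTION1)
        opt2 = select_subinterface(parse_vlan_stack(frame)[0], SUBIFS_OPTION2)
        out[site] = (opt1, opt2)
    return out


if __name__ == "__main__":
    for site, (opt1, opt2) in demo().items():
        print(f"{site}: option 1 -> {opt1}, option 2 -> {opt2}")
```

Under option 1 both remote sites collapse onto the same Gi0/2.200 once the outer tag is gone, which is exactly why it stops working with more than one RS; under option 2 the (outer, inner) pair keeps them apart.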
Regards,
Rens

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From deric.kwok2000 at gmail.com Thu Feb 5 08:41:33 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Thu, 5 Feb 2009 08:41:33 -0500
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <65DFE63F24D74C3C844F4312D00A5CDD@flamdt01>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <65DFE63F24D74C3C844F4312D00A5CDD@flamdt01>
Message-ID: <40d8a95a0902050541w67d7c382yd23b9017e0cf8c5a@mail.gmail.com>

Hi Tony

You are right. I think my IOS (version 12.0) can't support the numbering.

switch#sh access-list 140
Extended IP access list 140
    deny udp any host 192.168.1.118 eq ntp log (643 matches)
    permit udp host 192.186.1.114 host 192.168.1.118 eq snmp log (5950 matches)
    deny udp any host 192.168.1.118 eq snmp log
    permit ip any any (732 matches)
    deny tcp any host 192.168.1.118 eq 123 log

For the future, what can I do to do it properly? Could you give me an example?

Thank you so much

On Thu, Feb 5, 2009 at 12:48 AM, Tony Varriale wrote:
> conf t
> ip access-list ext 140
>
> But, based on your output, I'd guess your IOS doesn't support sequenceable
> ACLs.
>
> What code are you running?
>
> tv
> ----- Original Message ----- From: "Deric Kwok"
> To:
> Sent: Wednesday, February 04, 2009 8:26 PM
> Subject: [c-nsp] How to add new rule in the same access-list
>
>
> Hi
>>
>> I have old rule in the switch but don't know how to add new rule in the
>> same
>> access-list
>>
>> When I add new deny rule, it will be put at the end of the access-list
>>
>> If I remove the access-list 140, I have to re-type all lines again.
>>
>> Please help.
>>
>> Thank you
>>
>>
>>
>> switch#sh access-list 140
>> Extended IP access list 140
>>     deny udp any host 192.168.1.118 eq ntp log (4 matches)
>>     permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log
>>     deny udp any host 192.168.1.118 eq snmp log
>>     permit ip any any (49 matches)
>>
>> switch#config t
>> Enter configuration commands, one per line.  End with CNTL/Z.
>> switch(config)#access-list 140 deny tcp any host 192.168.1.118 eq 123 log
>>
>>
>>
>> switch#sh ip access-lists 140
>> Extended IP access list 140
>>     deny udp any host 192.168.1.118 eq ntp log (6 matches)
>>     permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log (35 matches)
>>     deny udp any host 192.168.1.118 eq snmp log
>>     permit ip any any (174 matches)
>>     deny tcp any host 192.168.1.118 eq 123 log
>>

From perc69 at gmail.com Thu Feb 5 08:58:21 2009
From: perc69 at gmail.com (Pelle)
Date: Thu, 5 Feb 2009 14:58:21 +0100
Subject: [c-nsp] Ethernet VPN circuits
In-Reply-To: <4947ADE167854B32B3F41418CFEE4FF0@EU.corp.clearwire.com>
References: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com> <004201c986dd$1299bf10$37cd3d30$@org.uk> <4947ADE167854B32B3F41418CFEE4FF0@EU.corp.clearwire.com>
Message-ID: <746ca6da0902050558v10b9f0f0j8a40b117f26f5011@mail.gmail.com>

Hi.

> 2) Can I pass the double tag through my switch to our 7206 and configure a
> double dot1q [outer tag].[inner tag] on my subinterface ?

Yes, but of course it depends on the IOS you are running.
From a 7206VXR/NPE-G2 running SRC2:

lotta(config)#int GigabitEthernet0/2.123123
lotta(config-subif)#encapsulation dot1Q 123 ?
  native        Make this as native vlan
  second-dot1q  Configure this subinterface as a 1Q-in-1Q subinterface

lotta(config-subif)#encapsulation dot1Q 123 second-dot1q 123 ?

--
Pelle

From steve at ibctech.ca Thu Feb 5 09:02:02 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 05 Feb 2009 09:02:02 -0500
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <40d8a95a0902050541w67d7c382yd23b9017e0cf8c5a@mail.gmail.com>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <65DFE63F24D74C3C844F4312D00A5CDD@flamdt01> <40d8a95a0902050541w67d7c382yd23b9017e0cf8c5a@mail.gmail.com>
Message-ID: <498AF15A.9080608@ibctech.ca>

Deric Kwok wrote:
> Hi Tony
>
> You are right. I think my IOS (version 12.0) can't support the numbering
>
> switch#sh access-list 140
> Extended IP access list 140
>     deny udp any host 192.168.1.118 eq ntp log (643 matches)
>     permit udp host 192.186.1.114 host 192.168.1.118 eq snmp log (5950
> matches)
>     deny udp any host 192.168.1.118 eq snmp log
>     permit ip any any (732 matches)
>     deny tcp any host 192.168.1.118 eq 123 log
>
> For the future. what can I do it properly?
> Could you give me example?

#sh access-lists
Extended IP access list 110
    permit ip 142.x.x.0 0.0.0.255 208.70.104.0 0.0.7.255
    permit ip 208.70.111.68 0.0.0.3 any
    deny ip any any

# sh run
interface FastEthernet0/1.760
 ip access-group 110 in

...now to change, do a show run, copy the entire ACL 110 list and put it into a text editor, add/remove the needed lines, then:

# conf t
# int fa0/1.760
# no ip access-group 110 in

...go back to global config context, paste back in the updated access list, and re-apply the list as an access-group on the interface.
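The behaviour this whole thread turns on, as an added Python example (not code from the thread or from IOS): a first-match ACL model with sequence numbers, 'no <seq>' removal, appending the way a numbered 'access-list 140 ...' line does, and 'ip access-list resequence'. It reproduces Deric's ACL 140 from the 'sh access-list 140' output above (ntp and snmp are written as their standard ports, 123 and 161) and shows why the appended 'deny tcp ... eq 123' never fires: it lands after 'permit ip any any', so a test packet is permitted at sequence 40 before the deny is ever reached. The probe address 10.0.0.5 and the sequence number 35 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


def _covers(spec, addr):
    """'any' or a CIDR string ('host x' is written x/32) against one address."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None  # None == any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return _covers(self.src, src) and _covers(self.dst, dst)


class SequencedAcl:
    """Model of an IOS ACL: entries tried in sequence order, first match wins,
    implicit deny at the end."""

    def __init__(self, name):
        self.name = name
        self._entries: Dict[int, Ace] = {}

    def add(self, ace):
        """'<seq> permit|deny ...' in ip access-list mode: insert at a free number."""
        if ace.seq in self._entries:
            raise ValueError(f"sequence {ace.seq} already in use")
        self._entries[ace.seq] = ace

    def append(self, action, proto, src, dst, dport=None):
        """What a numbered 'access-list 140 ...' line does: add after the last entry."""
        seq = max(self._entries, default=0) + 10
        self.add(Ace(seq, action, proto, src, dst, dport))
        return seq

    def remove(self, seq):
        """'no <seq>' in ip access-list mode."""
        del self._entries[seq]

    def resequence(self, start=10, step=10):
        """'ip access-list resequence <name> <start> <step>'."""
        ordered = [self._entries[s] for s in sorted(self._entries)]
        self._entries = {}
        for i, ace in enumerate(ordered):
            seq = start + i * step
            self._entries[seq] = Ace(seq, ace.action, ace.proto, ace.src, ace.dst, ace.dport)

    def sequences(self):
        return sorted(self._entries)

    def evaluate(self, proto, src, dst, dport=None):
        """Return (action, seq); seq is None when the implicit deny applied."""
        for seq in self.sequences():
            if self._entries[seq].matches(proto, src, dst, dport):
                return self._entries[seq].action, seq
        return "deny", None


def acl_140():
    """ACL 140 as shown in the thread's 'sh access-list 140' output."""
    acl = SequencedAcl("140")
    acl.add(Ace(10, "deny", "udp", "any", "192.168.1.118/32", 123))
    acl.add(Ace(20, "permit", "udp", "192.168.1.114/32", "192.168.1.118/32", 161))
    acl.add(Ace(30, "deny", "udp", "any", "192.168.1.118/32", 161))
    acl.add(Ace(40, "permit", "ip", "any", "any"))
    return acl


def demo():
    """Show why the appended deny never fires and how a sequence number fixes it."""
    acl = acl_140()
    probe = ("tcp", "10.0.0.5", "192.168.1.118", 123)   # constructed test packet
    appended = acl.append("deny", "tcp", "any", "192.168.1.118/32", 123)
    shadowed = acl.evaluate(*probe)        # hits 'permit ip any any' at 40 first
    acl.remove(appended)
    acl.add(Ace(35, "deny", "tcp", "any", "192.168.1.118/32", 123))
    effective = acl.evaluate(*probe)       # now the deny at 35 wins
    acl.resequence(10, 10)                 # renumber 10,20,30,40,50; deny is now 40
    return shadowed, effective, acl.sequences(), acl.evaluate(*probe)


if __name__ == "__main__":
    print(demo())  # (('permit', 40), ('deny', 35), [10, 20, 30, 40, 50], ('deny', 40))
```

On an image without sequence numbers the same result needs Steve's cut-and-paste rebuild; on one with them, 'no 50' followed by '35 deny tcp any host 192.168.1.118 eq 123 log' is the whole change, and the resequence afterwards only renumbers, it never reorders.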
Steve

From oboehmer at cisco.com Thu Feb 5 09:11:36 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 5 Feb 2009 15:11:36 +0100
Subject: [c-nsp] Use "plain old IP" for non-VRF traffic?
In-Reply-To: <498AEB39.9090105@imperial.ac.uk>
References: <498AE4E5.9050101@imperial.ac.uk> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E86B@xmb-ams-333.emea.cisco.com> <498AEB39.9090105@imperial.ac.uk>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E903@xmb-ams-333.emea.cisco.com>

Phil Mayers wrote on Thursday, February 05, 2009 14:36:
> Oliver Boehmer (oboehmer) wrote:
>> Phil Mayers <> wrote on Thursday, February 05, 2009 14:09:
>>
>>> We have an MPLS L3VPN-based network, and I want to use plain-old
>>> IPv4 (no labels) for the non-VRF traffic.
>>>
>>> The reason I want to do this is we're seeing a bug related to
>>> VACL-capture - packets whose next-hop is a label-imposition are not
>>> captured. I'm going to deal with that separately via TAC, but we
>>> need the VACL capture to work ASAP.
>>
>> unless you are using BGP to carry IPv4 (plain old) prefixes, you can
>
> Sadly, we are doing that.

Well, then I don't know any other solution than using a different BGP next-hop for vpnv4 and for ipv4, and restricting label advertisement to the vpnv4 next-hop.

oli

From steve at ibctech.ca Thu Feb 5 09:25:32 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 05 Feb 2009 09:25:32 -0500
Subject: [c-nsp] One more issue regarding iBGP-OSPF
Message-ID: <498AF6DC.3010703@ibctech.ca>

I'm having a little more trouble trying to put my finger on why a PtP address block, announced successfully via iBGP, is improperly routed recursively if I don't put it into my OSPF config.
Right off the bat, I know that having the 111.x space on both sides of rtrB is completely breaking aggregation, but I really want to understand the problem before I look further at that:

rtrA-111.65/30---111.66/30-rtrB-111.69/30---111.70/30-rtrC

rtrA lo10 = 172.16.104.1/32
rtrB lo10 = 172.16.104.2/32
rtrC == client with eBGP peering to rtrB

In order for things to work as expected, I have to have the 111.68 and 111.64 in OSPF on rtrB, and the 111.64 on rtrA:

network 172.16.104.x 0.0.0.0 area 0
network 208.70.111.64 0.0.0.3 area 0
network 208.70.111.68 0.0.0.3 area 0

Both of these routes are already in iBGP, but not used with OSPF running:

B    208.70.111.68/30 [200/0] via 172.16.104.2, 1d11h35m

...but if I take them out of OSPF, then rtrA inserts the BGP learnt route into the table, and makes it recursive via 192.168.222.1/32, which is my null interface.

That then immediately breaks the route to the client as well, as .70 is null-routed.

Have I described my issue clearly enough for someone to see what I am missing?

Thanks,

Steve

From oboehmer at cisco.com Thu Feb 5 10:42:29 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 5 Feb 2009 16:42:29 +0100
Subject: [c-nsp] One more issue regarding iBGP-OSPF
In-Reply-To: <498AF6DC.3010703@ibctech.ca>
References: <498AF6DC.3010703@ibctech.ca>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com>

Steve Bertrand <> wrote on Thursday, February 05, 2009 15:26:
> I'm having a little more trouble trying to put my finger on why a PtP
> address block, announced successfully via iBGP is improperly routed
> recursively if I don't put it into my OSPF config.
>
> Right off the bat, I know that having the 111.x space on both sides of
> rtrB is completely breaking aggregation, but I really want to
> understand the problem before I look further at that:
>
> rtrA-111.65/30---111.66/30-rtrB-111.69/30---111.70/30-rtrC
>
> rtrA lo10 = 172.16.104.1/32
> rtrB lo10 = 172.16.104.2/32
> rtrC == client with eBGP peering to rtrB
>
> In order for things to work as expected, I have to have the 111.68 and
> 111.64 in OSPF on rtrB, and the 111.64 on rtrA
>
> network 172.16.104.x 0.0.0.0 area 0
> network 208.70.111.64 0.0.0.3 area 0
> network 208.70.111.68 0.0.0.3 area 0

Well, this sounds logical to me as you want to run OSPF between rtrA and rtrB, don't you? So you have to enable OSPF on the interface. There shouldn't be a reason to put .68 into OSPF as you seem to be using next-hop-self on rtrB, so the next-hop is the loopback (advertised via OSPF).

> Both of these routes are already in iBGP, but not used with OSPF
> running:
>
> B    208.70.111.68/30 [200/0] via 172.16.104.2, 1d11h35m

This is expected as OSPF has a lower admin distance.

> ...but if I take them out of OSPF, then rtrA inserts the BGP learnt
> route into the table, and makes it recursive via 192.168.222.1/32,
> which is my null interface.
>
> That then immediately breaks the route to the client as well, as .70
> is null-routed.

Well, see above: with OSPF not enabled between rtrA and B, rtrA cannot resolve the next-hop loopback..

> Have I described my issue clearly enough for someone to see what I am
> missing?

Not sure, I might also be missing something obvious, and possibly also missing what you're trying to achieve..
oli

From steve at ibctech.ca Thu Feb 5 10:47:57 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 05 Feb 2009 10:47:57 -0500
Subject: [c-nsp] One more issue regarding iBGP-OSPF
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com>
References: <498AF6DC.3010703@ibctech.ca> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com>
Message-ID: <498B0A2D.6020802@ibctech.ca>

Oliver Boehmer (oboehmer) wrote:
> Steve Bertrand <> wrote on Thursday, February 05, 2009 15:26:
>
>> I'm having a little more trouble trying to put my finger on why a PtP
>> address block, announced successfully via iBGP is improperly routed
>> recursively if I don't put it into my OSPF config.
>>
>> Right off the bat, I know that having the 111.x space on both sides of
>> rtrB is completely breaking aggregation, but I really want to
>> understand the problem before I look further at that:
>>
>> rtrA-111.65/30---111.66/30-rtrB-111.69/30---111.70/30-rtrC
>>
>> rtrA lo10 = 172.16.104.1/32
>> rtrB lo10 = 172.16.104.2/32
>> rtrC == client with eBGP peering to rtrB
>>
>> In order for things to work as expected, I have to have the 111.68 and
>> 111.64 in OSPF on rtrB, and the 111.64 on rtrA
>>
>> network 172.16.104.x 0.0.0.0 area 0
>> network 208.70.111.64 0.0.0.3 area 0
>> network 208.70.111.68 0.0.0.3 area 0
>
> well, this sounds logical to me as you want to run OSPF between rtrA and
> rtrB, don't you? So you have to enable OSPF on the interface.
> There shouldn't be a reason to put .68 into OSPF as you seem to be using
> next-hop-self on rtrB, so the next-hop is the loopback (advertised via
> OSPF).

I'm not using next-hop-self. I've read that it is preferable to not use it, but I will if I have to. My point was that when I remove .68 from OSPF (which is my objective), the BGP learnt route automatically sets the next-hop to .68 recursive via my null interface IP (192.168.222.1).
The next-hop really needs to be set to either 172.16.104.2 (lo), or 208.70.111.66 (ptp next-hop).

Is next-hop-self the only way around this behaviour (besides using a static route)?

>> Both of these routes are already in iBGP, but not used with OSPF
>> running:
>>
>> B    208.70.111.68/30 [200/0] via 172.16.104.2, 1d11h35m
>
> this is expected as OSPF has a lower admin distance.

Indeed.

>> ...but if I take them out of OSPF, then rtrA inserts the BGP learnt
>> route into the table, and makes it recursive via 192.168.222.1/32,
>> which is my null interface.
>>
>> That then immediately breaks the route to the client as well, as .70
>> is null-routed.
>
> Well, see above: With OSPF not enabled between rtrA and B, rtrA cannot
> resolve the next-hop loopback..

What my goal is, is to have only loopbacks in OSPF, and nothing else. I'll need to toy with next-hop-self to fix the issue.

Thanks for the feedback.

Steve

From swmike at swm.pp.se Thu Feb 5 10:53:53 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 5 Feb 2009 16:53:53 +0100 (CET)
Subject: [c-nsp] One more issue regarding iBGP-OSPF
In-Reply-To: <498B0A2D.6020802@ibctech.ca>
References: <498AF6DC.3010703@ibctech.ca> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com> <498B0A2D.6020802@ibctech.ca>
Message-ID:

On Thu, 5 Feb 2009, Steve Bertrand wrote:

> I'm not using next-hop-self. I've read that it is preferable to not use
> it, but I will if I have to. My point was that when I remove .68 from
> OSPF (which is my objective), the BGP learnt route automatically sets
> the next-hop to .68 recursive via my null interface IP (192.168.222.1).
> The next-hop really needs to be set to either 172.16.104.2 (lo), or
> 208.70.111.66 (ptp next-hop).

BCP is to have all BGP next-hops in your IGP.

> What my goal is, is to have only loopbacks in OSPF, and nothing else.
> I'll need to toy with next-hop-self to fix the issue.

Yes, if you only want loopbacks in OSPF, then use next-hop-self.
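The recursion Mikael's "all BGP next-hops in your IGP" rule protects against, as an added Python example (not code from the thread or from IOS). A toy RIB does longest-prefix match and walks a BGP next-hop down to an outgoing interface, using the thread's addresses: rtrA's ptp link 208.70.111.64/30, rtrB's loopback 172.16.104.2 and the client rtrC at 208.70.111.70. The covering 208.70.111.0/24 route to Null0 is an assumption standing in for Steve's null-routed covering prefix, and the interface names are constructed.

```python
from ipaddress import ip_address, ip_network


def _is_address(s):
    try:
        ip_address(s)
        return True
    except ValueError:
        return False


class Rib:
    """Toy routing table: longest-prefix match plus recursive next-hop resolution."""

    def __init__(self):
        self._routes = []   # (network, protocol, via); via is an address or an interface

    def add(self, prefix, proto, via):
        self._routes.append((ip_network(prefix), proto, via))

    def lookup(self, addr):
        """Longest-prefix match; returns (network, proto, via) or None."""
        a = ip_address(addr)
        best = None
        for net, proto, via in self._routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, proto, via)
        return best

    def resolve(self, next_hop, max_depth=8):
        """Follow a BGP next-hop until it ends on an interface.

        Returns ("ok", iface), ("blackhole", "Null0") or ("unresolved", None).
        """
        hop = next_hop
        for _ in range(max_depth):
            hit = self.lookup(hop)
            if hit is None:
                return "unresolved", None      # nothing covers it: route stays unusable
            via = hit[2]
            if via == "Null0":
                return "blackhole", via        # covered only by a null route
            if not _is_address(via):
                return "ok", via               # landed on a connected interface
            hop = via                          # another address: keep recursing
        return "unresolved", None


def rtr_a_rib(ospf_on_ptp_link):
    """rtrA's table as described in the thread (assumed interface names)."""
    rib = Rib()
    rib.add("208.70.111.64/30", "connected", "Fa0/0")      # rtrA-rtrB point-to-point
    rib.add("172.16.104.1/32", "connected", "Loopback10")
    rib.add("208.70.111.0/24", "static", "Null0")         # assumed covering null route
    if ospf_on_ptp_link:
        rib.add("172.16.104.2/32", "ospf", "208.70.111.66")  # rtrB loopback via the link
    return rib


def demo():
    # Without next-hop-self, rtrB passes on the eBGP peer's address (rtrC, .70)
    # as the next-hop. rtrA has no IGP route to it, so the lookup falls through
    # to the covering null route and the prefix is blackholed.
    no_nhs = rtr_a_rib(ospf_on_ptp_link=True).resolve("208.70.111.70")
    # With next-hop-self the next-hop is rtrB's loopback, which OSPF carries, and
    # resolution ends on the connected ptp interface.
    nhs = rtr_a_rib(ospf_on_ptp_link=True).resolve("172.16.104.2")
    # Same next-hop-self but OSPF not running on the link: nothing covers the
    # loopback, so the route is unusable rather than silently blackholed.
    nhs_no_igp = rtr_a_rib(ospf_on_ptp_link=False).resolve("172.16.104.2")
    return {"no_next_hop_self": no_nhs,
            "next_hop_self": nhs,
            "next_hop_self_no_igp": nhs_no_igp}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The blackhole case is the dangerous one: the BGP route is installed and looks valid in the table, but every packet to it lands on Null0, which matches the "recursive via my null interface" symptom above. A next-hop that simply cannot be resolved is the safer failure, and keeping every next-hop in the IGP (or using next-hop-self so that only loopbacks need to be) avoids both.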
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From steve at ibctech.ca Thu Feb 5 10:58:45 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 05 Feb 2009 10:58:45 -0500
Subject: [c-nsp] One more issue regarding iBGP-OSPF
In-Reply-To:
References: <498AF6DC.3010703@ibctech.ca> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com> <498B0A2D.6020802@ibctech.ca>
Message-ID: <498B0CB5.1000300@ibctech.ca>

Mikael Abrahamsson wrote:
> On Thu, 5 Feb 2009, Steve Bertrand wrote:
>
>> I'm not using next-hop-self. I've read that it is preferable to not use
>> it, but I will if I have to. My point was that when I remove .68 from
>> OSPF (which is my objective), the BGP learnt route automatically sets
>> the next-hop to .68 recursive via my null interface IP (192.168.222.1).
>> The next-hop really needs to be set to either 172.16.104.2 (lo), or
>> 208.70.111.66 (ptp next-hop).
>
> BCP is to have all BGP next-hops in your IGP.

Ok, thank you. This is what I needed to know ;)

Steve

From jay at west.net Thu Feb 5 11:49:58 2009
From: jay at west.net (Jay Hennigan)
Date: Thu, 05 Feb 2009 08:49:58 -0800
Subject: [c-nsp] access list help
In-Reply-To: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org> <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>
Message-ID: <498B18B6.4050300@west.net>

Deric Kwok wrote:
> I am using this 3500 switch as switch.
> As I can't access my switch now, I can get sh ip access-list

If you weren't able to save the change because you made it via IP (telnet or HTTP), reboot the switch and you'll be able to get in again. Otherwise, you'll need to use a console cable locally at the switch.

> You mean my access-list is only for router not switch?
IP access-lists are only for routers (or, as you discovered, for controlling traffic to the switch itself).

> In this case, how can I do to not allow www traffic to 192.168.0.115 in
> switch?

You don't. You do it in the router. A layer 2 switch is unaware of IP addresses or applications with regard to traffic passing through the switch. Because the switch doesn't examine or process IP address, protocol, or port information, it can't filter it.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From gary.ciscomail at gmail.com Thu Feb 5 11:50:47 2009
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Thu, 5 Feb 2009 16:50:47 +0000
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
Message-ID:

Hello all

Can someone look up which AS is advertising the 146.105.0.0 /16 network for me, thanks.

Gary

From nicotine at warningg.com Thu Feb 5 11:04:23 2009
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 5 Feb 2009 10:04:23 -0600
Subject: [c-nsp] vpn client issues with ASA
In-Reply-To: <200902050541.39115.jaldrich@blueridgecarpet.com>
References: <200902050541.39115.jaldrich@blueridgecarpet.com>
Message-ID: <20090205160423.GA8176@biological.warningg.com>

On Thu, Feb 05, 2009 at 05:41:39AM -0500, John Aldrich wrote:
> We just upgraded our firewall from a Pix to an ASA, and now, for some
> reason, even though we have it specified in the VPN Client software, we are
> having to enter our password every time. Is this a feature of the ASA or is
> it configurable? We never had to do this before, and it's rather annoying. I
> don't think it's the client as I never had to do this before, and also, I
> set up a new connection from scratch and it required the password as well
> when connecting.
> Any suggestions?
You need to add "isakmp ikev1-user-authentication none" to the RA tunnel-group to disable XAUTH.

--
Brandon Ewing (nicotine at warningg.com)

From gary.ciscomail at gmail.com Thu Feb 5 11:56:59 2009
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Thu, 5 Feb 2009 16:56:59 +0000
Subject: [c-nsp] Using the same IP range in different VRFs - best practice
Message-ID:

Hi all

Can anyone point me towards a document that outlines best practices to use regarding NATting of IP addresses for customers in different VRFs? For example, when to use the same 'outside' addresses across multiple VRFs and when to use individual 'static' translations. I need something like an SRND.

Thanks.

Gary

From sigurbjornl at vodafone.is Thu Feb 5 12:00:44 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Thu, 05 Feb 2009 17:00:44 +0000
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
Message-ID:

AS702

BR,
Sibbi

On 5.2.2009 16:50, "Gary Roberton" wrote:

> 146.105.0.0

From christian at broknrobot.com Thu Feb 5 12:01:13 2009
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 5 Feb 2009 12:01:13 -0500
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
References:
Message-ID:

use a route server?

On Thu, Feb 5, 2009 at 11:50 AM, Gary Roberton wrote:
> Hello all
>
> Can someone look up which AS is advertising the 146.105.0.0 /16 network for
> me, thanks.
>
> Gary

From jay at west.net Thu Feb 5 12:03:07 2009
From: jay at west.net (Jay Hennigan)
Date: Thu, 05 Feb 2009 09:03:07 -0800
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
References:
Message-ID: <498B1BCB.2070206@west.net>

Gary Roberton wrote:
> Hello all
>
> Can someone look up which AS is advertising the 146.105.0.0 /16 network for
> me, thanks.

I don't know who is advertising it for you, but AS702 is advertising it on all of our feeds.

Hint: Google "BGP looking glass".

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From blahu77 at gmail.com Thu Feb 5 12:05:53 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Thu, 5 Feb 2009 17:05:53 +0000 (IST)
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
Message-ID:

as-name:  AS702
descr:    Verizon Business EMEA - Commercial IP service provider in Europe

2009/2/5 Gary Roberton :
> Hello all
>
> Can someone look up which AS is advertising the 146.105.0.0 /16 network for
> me, thanks.
>
> Gary

--
pgp-key 0x1C655CAB
From paul at paulstewart.org Thu Feb 5 12:03:04 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 5 Feb 2009 12:03:04 -0500
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
References:
Message-ID: <001a01c987b3$9c8a60e0$d59f22a0$@org>

AS702 from here.... any public looking glass sites could tell you this and show you from various perspectives too...

http://www.traceroute.org

Hope this helps...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary Roberton
Sent: Thursday, February 05, 2009 11:51 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.

Hello all

Can someone look up which AS is advertising the 146.105.0.0 /16 network for me, thanks.

Gary

From SIngram at clayton.com Thu Feb 5 13:41:26 2009
From: SIngram at clayton.com (Scott Ingram)
Date: Thu, 5 Feb 2009 13:41:26 -0500
Subject: [c-nsp] FW: effectively breaking EIGRP / BGP redistribution count-to-infinity loops
References:
Message-ID:

My environment is 2 routers and 2 multihomed MPLS providers running EIGRP and BGP with redistribution. When I have failovers between MPLS providers I run into random infinity loops. Is there a way I could establish the 2 BGP AS numbers to be shared? I think that would help the looping issues with redistribution.
My main issue is:

- source traffic uses service provider A and the return trip uses service provider B during an outage with either service provider A OR B
- routing loops when trying to trace to an IP addr: the loop happens where service provider A's route table shows the route as active, looping back and forth to the source service provider B

From deric.kwok2000 at gmail.com Thu Feb 5 15:47:41 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Thu, 5 Feb 2009 15:47:41 -0500
Subject: [c-nsp] many interfaces in router, how to easy use the access-list rules
Message-ID: <40d8a95a0902051247sf8d9277n9a49eb2ebdf81e1@mail.gmail.com>

Hi

I just try to put permit and deny rules in my router, eg: for http access.

eg: I have 3 ip addresses in the router in different interfaces 0 and 1.

What is the easy way to put an access-list for permit and deny to access http in the router?

eg: my router interfaces 192.168.0.1/29, 192.168.3.1/24........

access-list permit tcp outsideip1 to 192.168.0.1 eq www
access-list permit tcp outsideip1 to 192.168.3.1 eq www
access-list permit tcp outsideip2 to 192.168.0.1 eq www
access-list permit tcp outsideip2 to 192.168.0.1 eq www
xxxxxx
xxxxxxx
access-list deny tcp any 192.168.0.1 eq www
xxxx

It will have many access-list rules for http only.

Thank you

From David at hughes.com.au Thu Feb 5 16:31:23 2009
From: David at hughes.com.au (David Hughes)
Date: Fri, 6 Feb 2009 07:31:23 +1000
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To: <20090205072426.GU290@greenie.muc.de>
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> <1233758875.6907.22.camel@mauritzlewies> <20090205072426.GU290@greenie.muc.de>
Message-ID:

Thanks Gert. That's not the news I was hoping for. I'll take it up with Cisco and find out what "UDLD Enhancements" are actually in SXI.

I appreciate your help.

David
...

On 05/02/2009, at 5:24 PM, Gert Doering wrote:

> Hi,
>
> On Thu, Feb 05, 2009 at 02:54:53PM +1000, David Hughes wrote:
>> (config)#udld message time ?
>> <7-90> Time in seconds between sending of messages in steady state
>
> SXI, Sup32:
>
> Cisco-M(config)#udld message time ?
> <7-90> Time in seconds between sending of messages in steady state
>
> gert
> --
> USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From jloiacon at csc.com Thu Feb 5 16:57:05 2009
From: jloiacon at csc.com (Joe Loiacono)
Date: Thu, 5 Feb 2009 16:57:05 -0500
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To:
Message-ID:

I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
Thanks,

Joe Loiacono

From llc at dansketelecom.com Thu Feb 5 17:09:04 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Thu, 5 Feb 2009 23:09:04 +0100
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To:
References:
Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F2FA@mail.office.dansketelecom.com>

Hi Joe

I would probably recommend Kiwi CatTools http://www.kiwisyslog.com/kiwi-cattools-overview/, a Windows based application. We used it for a couple of years, but I believe RANCID is more scalable from my perspective...

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292
Danske Telecom A/S
Sundkrogsgade 13, 4
2100 København Ø

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
Sent: 5. februar 2009 22:57
To: Cisco-NSP Mailing List
Subject: [c-nsp] Rancid and commercial config management tools

I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?

Thanks,

Joe Loiacono

From vijay.ramcharan at verizonbusiness.com Thu Feb 5 17:12:33 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Thu, 05 Feb 2009 22:12:33 +0000
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To:
Message-ID:

We use Opsware NAS. I haven't configured it or anything but it is quite commercial and can do nice things like configuration checks against a standard policy, notifications of config changes, config automation and things like that.
Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
Sent: February 05, 2009 16:57
To: Cisco-NSP Mailing List
Subject: [c-nsp] Rancid and commercial config management tools

I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?

Thanks,

Joe Loiacono

From ptimmins at clearrate.com Thu Feb 5 17:15:50 2009
From: ptimmins at clearrate.com (Paul G. Timmins)
Date: Thu, 5 Feb 2009 17:15:50 -0500
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To:
Message-ID:

If I were you, I'd package up Rancid, call it "JoeWare", and bill them a ton for it. :)

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
> Sent: Thursday, February 05, 2009 4:57 PM
> To: Cisco-NSP Mailing List
> Subject: [c-nsp] Rancid and commercial config management tools
>
> I realize RANCID is a great tool for keeping track of IOS changes, etc.,
> but if a client was looking for a commercial tool that does this, what
> would you recommend?
>
> Thanks,
>
> Joe Loiacono

From alexmoya at bellsouth.net Thu Feb 5 17:53:02 2009
From: alexmoya at bellsouth.net (Alex Moya)
Date: Thu, 5 Feb 2009 17:53:02 -0500
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498A9572.6010608@rollernet.us>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us>
Message-ID: <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net>

You can add lines if you use sequence numbers on your acl. What version are you using

Sent from my iPhone

On Feb 5, 2009, at 2:29 AM, Seth Mattinen wrote:

> Deric Kwok wrote:
>> Hi
>>
>> I have old rule in the switch but don't know how to add new rule in the same
>> access-list
>>
>> When I add new deny rule, it will be put at the end of the access-list
>>
>> If I remove the access-list 140, I have to re-type all lines again.
>>
>
> That's correct. You need to remove and recreate it in the correct order
> lacking sequences.
>
> ~Seth

From alasdairm at gmail.com Thu Feb 5 18:13:24 2009
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Thu, 5 Feb 2009 23:13:24 +0000
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To:
References:
Message-ID: <1EF5B5B6-210A-4CED-A0B2-22860BE68413@gmail.com>

I use a tool called Network Configuration Store to track device configurations

I use it because I made it but.... it solved a problem I had and see no reason to replace it :-p

Version 3.x requires a Windows system and IIS but everything else is free.
It's got a reasonable GUI (nice and easy) and is fairly self contained with just a few dependencies. Also fires out e-mail alerts if you give it an SMTP server.

http://sf.net/projects/ncs

*** end of plug ! ***

On 5 Feb 2009, at 22:15, Paul G. Timmins wrote:

> If I were you, I'd package up Rancid, call it "JoeWare", and bill them a
> ton for it. :)
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
>> Sent: Thursday, February 05, 2009 4:57 PM
>> To: Cisco-NSP Mailing List
>> Subject: [c-nsp] Rancid and commercial config management tools
>>
>> I realize RANCID is a great tool for keeping track of IOS changes, etc.,
>> but if a client was looking for a commercial tool that does this, what
>> would you recommend?
>>
>> Thanks,
>>
>> Joe Loiacono

From justin at justinshore.com Thu Feb 5 19:01:09 2009
From: justin at justinshore.com (Justin Shore)
Date: Thu, 05 Feb 2009 18:01:09 -0600
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
Message-ID: <498B7DC5.7060803@justinshore.com>

I'm curious to see what everyone's take is on handling the addressing of customer-facing DS1s. Rather than provision a /30 per customer and waste IP space I'm planning on using IP unnumbered to a loopback for the vast majority of our most basic DS1 customers. They'll get assigned 1 IP out of the pool and if they request (and pay for) any more then I'll static route their allocation to their pool IP.
We'll also request that they only use the statically-routed subnet for server assignments and not PAT their pool IP; that way they can be migrated to our LRE solution with minimal IP and DNS changes as LRE becomes available in their local CO.

I'm prepared to offer /30s where needed of course, in case their CPE runs into trouble for some reason or in case they wig out over the thought of their external interface being in the same bcast domain as other customers. I'm actually looking at options to restrict bcasts between IP unnumbered serial interfaces too. We need to allow direct access between the sites but not bcast.

One of my concerns is QoS. We'll be offering QoS-enabled VoIP over these DS1s in some cases. Can I still use service-policies on physical interfaces or would it have to be on the loopback and apply to all users? I have not tried QoS and IP unnumbered yet. Perhaps VoIP circuits will have to be addressed with /30s (or /31s since we're managing the CE in VoIP installations).

I know that IP unnumbered works in general; I'm just wondering if anyone has already done it in production and ran into problems? My goal is to not waste IP space on network and bcast addresses where possible. No, I'm not going to assign /31s; customers just won't be able to comprehend that, especially when the IOS throws out a warning message when you assign a /31 to an interface. I use /31s internally but not for customer links. IP unnumbered wastes the least amount of IP space. Since we're targeting our services at the low-end of the SMB market who most likely is already on CATV or RBE DSL and share a bcast domain with their neighbors already, I don't envision IP unnumbered to be a big deal. I'm looking for guidance though. Thoughts?
Thanks
Justin

From sethm at rollernet.us Thu Feb 5 20:03:29 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 05 Feb 2009 17:03:29 -0800
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net>
Message-ID: <498B8C61.9060408@rollernet.us>

Alex Moya wrote:
> You can add lines if you use sequence numbers on your acl. What version
> are you using
>
>
> Sent from my iPhone
>
> On Feb 5, 2009, at 2:29 AM, Seth Mattinen wrote:
>
>> Deric Kwok wrote:
>>> Hi
>>>
>>> I have old rule in the switch but don't know how to add new rule in
>>> the same
>>> access-list
>>>
>>> When I add new deny rule, it will be put at the end of the access-list
>>>
>>> If I remove the access-list 140, I have to re-type all lines again.
>>>
>>
>> That's correct. You need to remove and recreate it in the correct order
>> lacking sequences.
>>

Like I said, if he doesn't have sequences (which based on the information given in the original question I can only assume he doesn't have an IOS that supports it on old-skool access lists).

~Seth

From abalashov at evaristesys.com Thu Feb 5 20:48:35 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Thu, 05 Feb 2009 20:48:35 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B7DC5.7060803@justinshore.com>
References: <498B7DC5.7060803@justinshore.com>
Message-ID: <498B96F3.8060204@evaristesys.com>

The problem mainly has to do with troubleshooting. Sometimes you need to know whether a customer's CPE is genuinely down on the WAN side, and not necessarily the LAN interface where the head of the routed block typically is. To make that work, it helps to have real transport IPs on the WAN interface.
There is no reason why you need to "waste" IP address on the /30s - who said they have to be public IPs? Just carve out some address space out of a 10.0.0.0/8 range and use private transport IPs. All you need them for is to test end-to-end connectivity from the aggregation router on your side, not for any other reachability purpose.

If they pay for 1 static IP you can throw it up on a loopback interface on the other side and add a /32 route for it over the transport /30 block.

Justin Shore wrote:
> I'm curious to see what everyone's take is on handling the addressing of
> customer-facing DS1s. Rather than provision a /30 per customer and
> waste IP space I'm planning on using IP unnumbered to a loopback for the
> vast majority of our most basic DS1 customers. They'll get assigned 1
> IP out of the pool and if they request (and pay for) any more then I'll
> static route their allocation to their pool IP. We'll also request that
> they only use the statically-routed subnet for server assignments and
> not PAT their pool IP; that way they can be migrated to our LRE solution
> with minimal IP and DNS changes as LRE becomes available in their local
> CO.
>
> I'm prepared to offer /30s where needed of course, in case their CPE
> runs into trouble for some reason or in case they wig out over the
> thought of their external interface being in the same bcast domain as
> other customers. I'm actually looking at options to restrict bcasts
> between IP unnumbered serial interfaces too. We need to allow direct
> access between the sites but not bcast.
>
> One of my concerns is QoS. We'll be offering QoS-enabled VoIP over
> these DS1s in some cases. Can I still use service-policies on physical
> interfaces or would it have to be on the loopback and apply to all
> users? I have not tried QoS and IP unnumbered yet. Perhaps VoIP
> circuits will have to be addressed with /30s (or /31s since we're
> managing the CE in VoIP installations).
>
> I know that IP unnumbered works in general; I'm just wondering if anyone
> has already done it in production and ran into problems? My goal is to
> not waste IP space on network and bcast addresses where possible. No,
> I'm not going to assign /31s; customers just won't be able to comprehend
> that, especially when the IOS throws out a warning message when you
> assign a /31 to an interface. I use /31s internally but not for
> customer links. IP unnumbered wastes the least amount of IP space.
> Since we're targeting our services at the low-end of the SMB market who
> most likely is already on CATV or RBE DSL and share a bcast domain with
> their neighbors already, I don't envision IP unnumbered to be a big
> deal. I'm looking for guidance though. Thoughts?
>
> Thanks
> Justin

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From damin at nacs.net Thu Feb 5 20:09:43 2009
From: damin at nacs.net (Gregory Boehnlein)
Date: Thu, 5 Feb 2009 20:09:43 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B7DC5.7060803@justinshore.com>
References: <498B7DC5.7060803@justinshore.com>
Message-ID: <01f801c987f7$983bd660$c8b38320$@net>

> I'm curious to see what everyone's take is on handling the addressing
> of customer-facing DS1s. Rather than provision a /30 per customer and
> waste IP space I'm planning on using IP unnumbered to a loopback for
> the vast majority of our most basic DS1 customers. They'll get assigned 1
> IP out of the pool and if they request (and pay for) any more then I'll
> static route their allocation to their pool IP.
> We'll also request
> that they only use the statically-routed subnet for server assignments and
> not PAT their pool IP; that way they can be migrated to our LRE
> solution with minimal IP and DNS changes as LRE becomes available in their
> local CO.

This is very similar to what we do. While we have several customers that need larger subnets, the majority of our customers are using IP Unnumbered. In some cases, we will provide the customer a /29 if they need additional external IP addresses, but the configuration on their router uses the low IP in the /29 as its loopback interface. We send our default route out of the interface, rather than to the remote gateway IP, so if we change the ip of the loopback on our side, we do not need to adjust anything for the customer.

> One of my concerns is QoS. We'll be offering QoS-enabled VoIP over
> these DS1s in some cases. Can I still use service-policies on physical
> interfaces or would it have to be on the loopback and apply to all
> users? I have not tried QoS and IP unnumbered yet. Perhaps VoIP
> circuits will have to be addressed with /30s (or /31s since we're
> managing the CE in VoIP installations).

We use outbound service policies on unnumbered interfaces just fine:

interface Serial10/1/0/3:0
 description L3 OH/XXXX/XXXX to XXXXXXX channel 12
 ip unnumbered Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 service-policy output llq
 no fair-queue
 down-when-looped
 no clns route-cache

And the routing statement:

ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA

> I know that IP unnumbered works in general; I'm just wondering if
> anyone has already done it in production and ran into problems? My goal is to
> not waste IP space on network and bcast addresses where possible. No,
> I'm not going to assign /31s; customers just won't be able to
> comprehend
> that, especially when the IOS throws out a warning message when you
> assign a /31 to an interface.
> I use /31s internally but not for
> customer links. IP unnumbered wastes the least amount of IP space.
> Since we're targeting our services at the low-end of the SMB market who
> most likely is already on CATV or RBE DSL and share a bcast domain with
> their neighbors already, I don't envision IP unnumbered to be a big
> deal. I'm looking for guidance though. Thoughts?

I've been doing ip unnumbered since 1995 in production and it "just works". There are undoubtedly some routers out there that might have issues, but any Cisco device should be able to handle things just fine.

From mike-cisconsplist at tiedyenetworks.com Thu Feb 5 23:08:22 2009
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Thu, 05 Feb 2009 20:08:22 -0800
Subject: [c-nsp] setting source address for icmp messages
Message-ID: <498BB7B6.9010509@tiedyenetworks.com>

Hello,

I'm trying to learn how to get my 7204vxr to not send icmp messages with the source ip of interface the message is being sent out. I have a public ip on my loopback and thought this was what ios preferred if it exists? I have some other interfaces which have 10.x.x.x addresses and icmp messages like host unreachable and such are sourced from this which is undesirable due to inbound filtering at many sites at their gateways for rfc1918 and other bogon addresses.

Am I being silly to want this or is there something I can do to get my way here?

Tks.

Mike-

From hill.matt.w at edumail.vic.gov.au Thu Feb 5 23:19:03 2009
From: hill.matt.w at edumail.vic.gov.au (Hill, Matt W)
Date: Fri, 6 Feb 2009 15:19:03 +1100
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <498BB7B6.9010509@tiedyenetworks.com>
References: <498BB7B6.9010509@tiedyenetworks.com>
Message-ID:

Hi Mike,

Try this:

Ping ip

Extended commands <- press "y"

Then you can specify the source.

Cheers,
Matt

--
Matt Hill
CCIE #22386
p: +61 3 9637 3509 | m: +61 4 1330 3635 | f: +61 3 96372600 |
e: hill.matt.w at edumail.vic.gov.au
Data Communications Consultant | Infrastructure Engineering | ITD | DEECD
Level 2 East, 2 Treasury Place, East Melbourne, Victoria, Australia, 3002

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
Sent: Friday, 6 February 2009 3:08 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] setting source address for icmp messages

Hello,

I'm trying to learn how to get my 7204vxr to not send icmp messages with the source ip of interface the message is being sent out. I have a public ip on my loopback and thought this was what ios preferred if it exists? I have some other interfaces which have 10.x.x.x addresses and icmp messages like host unreachable and such are sourced from this which is undesirable due to inbound filtering at many sites at their gateways for rfc1918 and other bogon addresses.

Am I being silly to want this or is there something I can do to get my way here?

Tks.

Mike-
From dale.shaw+cisco-nsp at gmail.com Thu Feb 5 23:50:42 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Fri, 6 Feb 2009 15:50:42 +1100
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To:
References: <498BB7B6.9010509@tiedyenetworks.com>
Message-ID: <3329cbb40902052050s10857e0dq4a256babeca3df9d@mail.gmail.com>

Hi,

When I read the OP I figured he was talking about automatically generated ICMP messages (e.g. unreachables, source quench), not pings sent for administrative purposes (or IP SLAs or whatever).

I don't personally know of an elegant way to achieve this. One potentially undesirable option might be to disable unreachables ("no ip unreachables") on the privately-addressed interfaces.

Why are the messages being generated anyway? no route? ACL violation?

Sending the messages sourced with an address of anything but the interface where the packet landed probably violates some RFC. I _can_ see why you (Mike) want to do this. Such packets (sourced with RFC1918 addresses) should be explicitly nailed at the perimeter anyway.

cheers,
Dale

On Fri, Feb 6, 2009 at 3:19 PM, Hill, Matt W wrote:
> Hi Mike,
>
> Try this:
>
> Ping ip
>
> Extended commands <- press "y"
>
> Then you can specify the source.
>
> Cheers,
> Matt
>
> --
> Matt Hill
> CCIE #22386
> p: +61 3 9637 3509 | m: +61 4 1330 3635 | f: +61 3 96372600 | e: hill.matt.w at edumail.vic.gov.au
> Data Communications Consultant | Infrastructure Engineering | ITD | DEECD
> Level 2 East, 2 Treasury Place, East Melbourne, Victoria, Australia, 3002
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
> Sent: Friday, 6 February 2009 3:08 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] setting source address for icmp messages
>
> Hello,
>
> I'm trying to learn how to get my 7204vxr to not send icmp messages with
> the source ip of interface the message is being sent out.
> I have a
> public ip on my loopback and thought this was what ios preferred if it
> exists? I have some other interfaces which have 10.x.x.x addresses and
> icmp messages like host unreachable and such are sourced from this which
> is undesirable due to inbound filtering at many sites at their gateways
> for rfc1918 and other bogon addresses.
>
> Am I being silly to want this or is there something I can do to get my
> way here?
>
> Tks.
>
> Mike-

From rens at autempspourmoi.be Fri Feb 6 02:15:03 2009
From: rens at autempspourmoi.be (Rens)
Date: Fri, 6 Feb 2009 08:15:03 +0100
Subject: [c-nsp] Ethernet VPN circuits
In-Reply-To: <746ca6da0902050558v10b9f0f0j8a40b117f26f5011@mail.gmail.com>
References: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com> <004201c986dd$1299bf10$37cd3d30$@org.uk> <4947ADE167854B32B3F41418CFEE4FF0@EU.corp.clearwire.com> <746ca6da0902050558v10b9f0f0j8a40b117f26f5011@mail.gmail.com>
Message-ID:

Oki thanks,

Then I just need to make sure that the switch between the router & the circuit can be changed to minimum 1504 system mtu right?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pelle
Sent: jeudi 5 février 2009 14:58
To: c-nsp
Subject: Re: [c-nsp] Ethernet VPN circuits

Hi.

> 2) Can I pass the double tag through my switch to our 7206 and configure a
> double dot1q [outer tag].[inner tag] on my subinterface ?

Yes, but of course it depends on the IOS you are running.

From a 7206VXR/NPE-G2 running SRC2:

lotta(config)#int GigabitEthernet0/2.123123
lotta(config-subif)#encapsulation dot1Q 123 ?
  native        Make this as native vlan
  second-dot1q  Configure this subinterface as a 1Q-in-1Q subinterface

lotta(config-subif)#encapsulation dot1Q 123 second-dot1q 123 ?
--
Pelle

From perc69 at gmail.com Fri Feb 6 03:19:57 2009
From: perc69 at gmail.com (Pelle)
Date: Fri, 6 Feb 2009 09:19:57 +0100
Subject: [c-nsp] many interfaces in router, how to easy use the access-list rules
In-Reply-To: <40d8a95a0902051247sf8d9277n9a49eb2ebdf81e1@mail.gmail.com>
References: <40d8a95a0902051247sf8d9277n9a49eb2ebdf81e1@mail.gmail.com>
Message-ID: <746ca6da0902060019w41fa7544x29dd17a2199e5de@mail.gmail.com>

Hi.

> What is the easy way to put access-list for permit and deny to access http
> in the router?

If you want an *easy* way, you can protect the http process with an ACL:

ip http access-class

See: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_08.html#wp1020105

This is not as "safe" as protecting all ingress interfaces, but it works. An ingress ACL is better because unwanted packets are dropped using less resources, especially on a hardware platform.

--
Pelle

From p.mayers at imperial.ac.uk Fri Feb 6 03:41:23 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 6 Feb 2009 08:41:23 +0000
Subject: [c-nsp] VACL capture - is this supposed to work
Message-ID: <20090206084123.GB27732@wildfire.net.ic.ac.uk>

We have this config on a 6500/sup720

int Vlan3799
 description upstream
 ip address ...

int Vlan4000
 description core
 ip address ...
 mpls ip

vlan filter CAPTURE_HTTP vlan 3799

int Gi9/1
 switchport
 switchport mode access
 switchport access vlan 3799
 switchport capture
 switchport capture allowed vlan 3799

...and the CAPTURE_HTTP map does:

1. tcp port 80, capture & forward
2. ip any any, forward

The intent is to capture inbound and outbound HTTP traffic, and log it with urlsnarf for legal compliance reasons. This *HAS* been working for months.
However, we did a recent upgrade of this router to 12.2(33)SXI and it stopped working - the VACL capture only seems to capture packets outbound i.e. input on Vl4000, out on Vl3799. It does capture any CPU-punt packets in the other direction.

At first I thought it was a bug in SXI, but we failed our default route over to another 6500 running SXF9 with the same config, and it suffers the same problem.

I had wondered if the problem was that the inbound traffic next-hop has an MPLS label imposed, but the other router is 1 hop away so uses plain-old IP, and it suffers the same.

So I'm baffled - we have a router that was running SXF10 for months with this config, no problem. Another with SXF9 doesn't work, nor does the original router with 12.2(33)SXI.

So, question: exactly what traffic should VACL capture actually *capture*? Is my config supported?

I have a TAC case open, but we're getting desperate - we need that URL logging, and a "normal" SPAN port generates way, way too much traffic - having the ACL to filter a sub-set is important.

sh tcam int vl3799 acl in/out ip det

...shows appropriate TCAM entries with the CAP flag set.

Any pointers gratefully received.

From A.L.M.Buxey at lboro.ac.uk Fri Feb 6 03:52:21 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 6 Feb 2009 08:52:21 +0000
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498B8C61.9060408@rollernet.us>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net> <498B8C61.9060408@rollernet.us>
Message-ID: <20090206085221.GA32648@lboro.ac.uk>

Hi,

> Like I said, if he doesn't have sequences (which based on the
> information given in the original question I can only assume he doesn't
> have an IOS that supports it on old-skool access lists).
edit the access list on a tftp server and then eg

copy tftp://server/accesslist-name.acl running-config

alan

From gert at greenie.muc.de Fri Feb 6 04:19:37 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:19:37 +0100
Subject: [c-nsp] access list help
In-Reply-To: <498B18B6.4050300@west.net>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org> <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com> <498B18B6.4050300@west.net>
Message-ID: <20090206091937.GW290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 08:49:58AM -0800, Jay Hennigan wrote:
> You don't. You do it in the router. A layer 2 switch is unaware of IP
> addresses or applications with regard to traffic passing through the
> switch. Because the switch doesn't examine or process IP address,
> protocol, or port information, it can't filter it.

There's a few exceptions which I think are noteworthy here - the Catalyst 2950 and 2960 permit filtering on IP and TCP/UDP information, even if they are just "plain" layer 2 switches. The ACL capabilities are a bit restricted ("if it can't be mapped to TCAM it won't work") but it's still a very nice thing to have.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Feb 6 04:20:55 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:20:55 +0100
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
References:
Message-ID: <20090206092055.GX290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 04:50:47PM +0000, Gary Roberton wrote:
> Can someone look up which AS is advertising the 146.105.0.0 /16 network for
> me, thanks.

Try: "telnet route-views.oregon-ix.net" and then "show ip bgp ..."

route-views.oregon-ix.net>sh ip b 146.105.0.0
BGP routing table entry for 146.105.0.0/16, version 5677725
Paths: (33 available, best #23, table Default-IP-Routing-Table)
  Not advertised to any peer
  3356 701 702
    4.69.184.193 from 4.69.184.193 (4.68.3.50)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 3356:3 3356:22 3356:86 3356:575 3356:666 3356:2011
[...]

"teach a man to fish"...

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Feb 6 04:35:08 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:35:08 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B7DC5.7060803@justinshore.com>
References: <498B7DC5.7060803@justinshore.com>
Message-ID: <20090206093508.GB290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 06:01:09PM -0600, Justin Shore wrote:
> I'm curious to see what everyone's take is on handling the addressing of
> customer-facing DS1s.

We run all our customers "ip unnumbered", whether it's E1/E3 or DSL customers. Since the first 64 kbit ISDN leased line...

Exception:

- customers on ethernet circuits
- customers that require dynamic routing
- customers with multiple circuits and failover (to be able to monitor the links independent of the customer service IPs)

QoS, ACLs, etc. are tacked to the physical interface (or virtual, in case of DSL), never to the loopback.
> I'm actually looking at options to restrict bcasts
> between IP unnumbered serial interfaces too. We need to allow direct
> access between the sites but not bcast.

Where should broadcasts come from...? There is nothing in your router that would turn "all serial links on this box" into "a big broadcast domain", except if you configure a bridge group (which is not a good plan).

> I know that IP unnumbered works in general; I'm just wondering if anyone
> has already done it in production and ran into problems? My goal is to
> not waste IP space on network and bcast addresses where possible.

Go for IPv6 :-)

gert

From gert at greenie.muc.de Fri Feb 6 04:38:42 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:38:42 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <01f801c987f7$983bd660$c8b38320$@net>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net>
Message-ID: <20090206093842.GC290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 08:09:43PM -0500, Gregory Boehnlein wrote:
> We send our default route out of the
> interface, rather than to the remote gateway IP, so if we change the ip of
> the loopback on our side, we do not need to adjust anything for the
> customer.

I can only second this. If you have a dedicated point-to-point interface for things, tacking the route on the interface is usually more robust than pointing towards a gateway IP that might not be there, or might be learned recursively over another interface, etc.

For multiaccess-links, *don't* do "ip route 0.0.0.0 0.0.0.0 eth0", of course (use "... eth0 ").
Just to make this very clear.

> ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA

One can tack a *name* to routes? Need to test this :-)

Does this name get carried in IGPs? Or is it just there in the config to document things?

gert

From gert at greenie.muc.de Fri Feb 6 04:40:56 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:40:56 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B96F3.8060204@evaristesys.com>
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com>
Message-ID: <20090206094056.GD290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 08:48:35PM -0500, Alex Balashov wrote:
> There is no reason why you need to "waste" IP address on the /30s - who
> said they have to be public IPs? Just carve out some address space out
> of a 10.0.0.0/8 range and use private transport IPs.

RFC1918 (indirectly) says that this is not permitted.

(If you do this, ICMPs sourced by the remote router will send their packets with an RFC1918 source address, which is strictly not allowed. If you filter those packets, you'll break traceroute and PMTUd).

gert
From oboehmer at cisco.com Fri Feb 6 04:48:10 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 6 Feb 2009 10:48:10 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090206093842.GC290@greenie.muc.de>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <20090206093842.GC290@greenie.muc.de>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0ECD7@xmb-ams-333.emea.cisco.com>

Gert Doering <> wrote on Friday, February 06, 2009 10:39:

>> ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA
>
> One can tack a *name* to routes? Need to test this :-)
>
> Does this name get carried in IGPs? Or is it just there in the config
> to document things?

this name stays local to the router, and was/is required for Large-Scale Dial-out (LSDO) where the router performed an AAA/Radius request to retrieve dial information, and used the name for this..

Dial - sigh - almost feels like legacy technology ;-)

But I agree, it's a nice way of documenting things :)

	oli

From gert at greenie.muc.de Fri Feb 6 04:54:07 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:54:07 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0ECD7@xmb-ams-333.emea.cisco.com>
References: <20090206093842.GC290@greenie.muc.de> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0ECD7@xmb-ams-333.emea.cisco.com>
Message-ID: <20090206095407.GE290@greenie.muc.de>

Hi,

On Fri, Feb 06, 2009 at 10:48:10AM +0100, Oliver Boehmer (oboehmer) wrote:
> this name stays local to the router, and was/is required for Large-Scale
> Dial-out (LSDO) where the router performed an AAA/Radius request to
> retrieve dial information, and used the name for this..
Ah, so you put the route in like this:

ip route 1.2.3.4 255.255.255.255 name customerX

and the router would do a radius-query to get the phone number, authentication data, etc. to call up?

Cool :-)

> Dial - sigh - almost feels like legacy technology ;-)

Well, it came back in disguise... DSL, L2TP, ... :))

> But I agree, it's a nice way of documenting things :)

Indeed!

gert

From blahu77 at gmail.com Fri Feb 6 05:12:25 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Fri, 6 Feb 2009 10:12:25 +0000
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B7DC5.7060803@justinshore.com>
References: <498B7DC5.7060803@justinshore.com>
Message-ID: <383357750902060212k5a18d067t2f615818d5d48f9a@mail.gmail.com>

Justin,

just be sure not to assign .255 address to the customer, windows is buggy there: http://support.microsoft.com/kb/281579

We've been bitten there.

Best Regards,

-mat
-- 
pgp-key 0x1C655CAB

From benny+usenet at amorsen.dk Fri Feb 6 05:14:03 2009
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Fri, 06 Feb 2009 11:14:03 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B96F3.8060204@evaristesys.com> (Alex Balashov's message of "Thu, 05 Feb 2009 20:48:35 -0500")
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com>
Message-ID:

Alex Balashov writes:

> There is no reason why you need to "waste" IP address on the /30s -
> who said they have to be public IPs? Just carve out some address
> space out of a 10.0.0.0/8 range and use private transport IPs.

You risk that ICMP comes from those addresses.
This could happen with traceroute, where it is harmless, and with ICMP-Packet-Too-Big, where it isn't harmless.

Is there a way to force a particular IP to be used for ICMP messages with Cisco?

/Benny

From jcovini at free.fr Fri Feb 6 05:30:59 2009
From: jcovini at free.fr (jcovini at free.fr)
Date: Fri, 06 Feb 2009 11:30:59 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
Message-ID: <1233916259.498c11638d5c6@imp.free.fr>

Hey,

Got a strange behavior on a C3560 12.2(35)SE5.

I have a locally attached interface to the 9.9.9.0/24 network where my next hop 9.9.9.9 is. This interface is a member of vrf Internet.

I have a vrf static route, working perfect :
ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9

As soon as I remove and replace this route by a tracked one, the IOS adds the "global" keyword.
I input this :
ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 track 2
and got this in the show run output :
ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 global track 2

Leaking then occurs, traffic is not reaching next-hop 9.9.9.9, but rather goes to some router defined in the global routing table, which has a 9.0.0.0/8 entry.
My tracker object is correctly defined inside the vrf Internet and is flagged UP.

I rollback to a non-tracked route : no global keyword added, no leaking, everything is fine.

Have no idea what's happening here. Got the same config on a 6509 12.2.33sxh, works like a charm. What error did I do ?

Jerome Covini

From wp at null0.nl Fri Feb 6 05:52:53 2009
From: wp at null0.nl (Wouter Prins)
Date: Fri, 6 Feb 2009 11:52:53 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
In-Reply-To: <1233916259.498c11638d5c6@imp.free.fr>
References: <1233916259.498c11638d5c6@imp.free.fr>
Message-ID:

Can you try to specify the outgoing interface in your static vrf route and test again?
From jcovini at free.fr Fri Feb 6 06:05:58 2009
From: jcovini at free.fr (jcovini at free.fr)
Date: Fri, 06 Feb 2009 12:05:58 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
In-Reply-To:
References: <1233916259.498c11638d5c6@imp.free.fr>
Message-ID: <1233918358.498c19967ff9a@imp.free.fr>

Just tried : it still installs the route with "global" flag
ip route vrf Internet 192.168.0.0 255.255.255.0 Vlan999 9.9.9.9 global track 2

Selon Wouter Prins :
> Can you try to specify the outgoing interface in your static vrf route and
> test again?
From eric at atlantech.net Fri Feb 6 06:08:05 2009
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 6 Feb 2009 06:08:05 -0500
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To:
References:
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Joe Loiacono
> Sent: Thursday, February 05, 2009 4:57 PM
> To: Cisco-NSP Mailing List
> Subject: [c-nsp] Rancid and commercial config management tools
>
> I realize RANCID is a great tool for keeping track of IOS changes, etc.,
> but if a client was looking for a commercial tool that does this, what
> would you recommend?
>
> Thanks,
>
> Joe Loiacono

I would also take a look at Solarwinds Network Configuration Manager (formerly Cirrus). Backup configs, make mass changes, check configs against a specific defined policy, inventory equipment, etc. It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM.

-evt

From wp at null0.nl Fri Feb 6 06:32:57 2009
From: wp at null0.nl (Wouter Prins)
Date: Fri, 6 Feb 2009 12:32:57 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
In-Reply-To: <1233918358.498c19967ff9a@imp.free.fr>
References: <1233916259.498c11638d5c6@imp.free.fr> <1233918358.498c19967ff9a@imp.free.fr>
Message-ID:

Okay then I guess it happens because you didn't specify the vrf in your sla configuration.

ip sla monitor 1
 type xx
 vrf x

I don't know if the 3560 can do that (my guess is no) :)

Can you post your sla config?
From paul at paulstewart.org Fri Feb 6 06:17:36 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 6 Feb 2009 06:17:36 -0500
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>
References: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>
Message-ID: <005401c9884c$83c508f0$8b4f1ad0$@org>

Yes, we use Orion Network Configuration Management (old Cirrus) and love it! The last release finally has a fairly slick web interface...

Paul
From peter.hicks at poggs.co.uk Fri Feb 6 07:41:10 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Fri, 06 Feb 2009 12:41:10 +0000
Subject: [c-nsp] Desktop PoE switch for CME
Message-ID: <498C2FE6.9040608@poggs.co.uk>

Hello

I have a requirement for a number of low-cost 8 or 24-port PoE switches on which Cisco 7940 and 7941 IP phones will work successfully. Ideally they need to support a few VLANs and dot1q, and don't *have* to be Cisco.

Does anyone have recommendations, to save me spending ages buying and testing?

Peter

From r.tahina at moov.mg Fri Feb 6 07:48:47 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Fri, 06 Feb 2009 15:48:47 +0300
Subject: [c-nsp] hssi transmit only
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D714D843@xmb-ams-331.emea.cisco.com>
References: <7.0.1.0.2.20090122143031.05b95b78@moov.mg> <78C984F8939D424697B15E4B1C1BB3D714D843@xmb-ams-331.emea.cisco.com>
Message-ID: <7.0.1.0.2.20090206154745.04c19108@moov.mg>

Thanks Arie,

It was a clock issue on modem.

Regards.

At 21:37 22/01/2009, Arie Vayner (avayner) wrote:
>No. A regular cable should be fine.
>Arie
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of RAZAFINDRATSIFA
>Rivo Tahina
>Sent: Thursday, January 22, 2009 13:32
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] hssi transmit only
>
>Hi all,
>
>I have to connect a modem and a 7200 with HSSI used for transmit
>only, does it need specific cabling/configuration?
>
>Kind regards.
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

From r.tahina at moov.mg Fri Feb 6 07:53:26 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Fri, 06 Feb 2009 15:53:26 +0300
Subject: [c-nsp] Multihomed BGP load balancing
Message-ID: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>

Dear All,

I'm multihomed to 2 upstreams, from time to time, 1 link is full while the other has half of its capacity unused, as of now, I have to manual announce of /24 to try to balance traffics, are there more intelligent way to do that?

Regards.

From blahu77 at gmail.com Fri Feb 6 08:03:16 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Fri, 6 Feb 2009 13:03:16 +0000 (IST)
Subject: [c-nsp] Multihomed BGP load balancing
In-Reply-To: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
Message-ID:

depending on which direction it gets full you can use dmz-bandwidth for outgoing traffic, there is also something called pfr but all I know is that it is used for traffic optimization.

Best Regards,

-mat
-- 
pgp-key 0x1C655CAB
From achatz at forthnet.gr Fri Feb 6 08:14:49 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 06 Feb 2009 15:14:49 +0200
Subject: [c-nsp] Multihomed BGP load balancing
In-Reply-To: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
References: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
Message-ID: <498C37C9.1010908@forthnet.gr>

Someone would say use PfR, but I'm not this one ;)
Great potential, awkward configuration.

--
Tassos

From jcovini at free.fr Fri Feb 6 08:28:36 2009
From: jcovini at free.fr (jcovini at free.fr)
Date: Fri, 06 Feb 2009 14:28:36 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
In-Reply-To:
References: <1233916259.498c11638d5c6@imp.free.fr> <1233918358.498c19967ff9a@imp.free.fr>
Message-ID: <1233926916.498c3b041ae71@imp.free.fr>

I would love you to be right, but it is indeed tracking inside the right vrf.
I am changing the @IP in the paste below voluntarily (public ips...)
I have a pretty similar config running on a 6509 12.2.33sxh without this behavior. The only difference is my 6509 uses the newer style config (ip sla monitor foo) instead of the former one (rtr foo).

rtr 2
 type echo protocol ipIcmpEcho 1.2.3.4
 timeout 1000
 vrf Internet
 frequency 5
rtr schedule 2 life forever start-time now
track 2 rtr 2 reachability

o#sho rtr config 2
SA Agent, Infrastructure Engine-II.
Entry number: 2
Owner:
Tag:
Type of operation to perform: echo
Target address: 1.2.3.4
Source address: 0.0.0.0
Request size (ARR data portion): 28
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Vrf Name: Internet
Operation frequency (seconds): 5
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None
Enhanced History:

Selon Wouter Prins :
> Okay then i guess it happens because you didnt specify the vrf in your sla
> configuration.
>
> ip sla monitor 1
> type xx
> vrf x
>
> I dont know if the 3560 can do that (my guess is no) :)
>
> Can you post your sla config?
From kratzers at ctinetworks.com Fri Feb 6 08:45:50 2009
From: kratzers at ctinetworks.com (Stephen Kratzer)
Date: Fri, 6 Feb 2009 08:45:50 -0500
Subject: [c-nsp] Multihomed BGP load balancing
In-Reply-To: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
References: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
Message-ID: <200902060845.51247.kratzers@ctinetworks.com>
If you're connected to two different transit providers, say A and B, and A is MUCH more well-connected than B, you could see if A supports communities to restrict the advertisement of your routes to their peers and/or customers only. This may, however, make the pendulum swing too far the other way.

Also, if provider B uses provider A as a transit provider also, you could try using communities to either increase local pref on provider A's network or decrease local pref on provider B's network.

And, when none of those options work as desired, you'll probably go back to deaggregating...

Stephen Kratzer
Network Engineer
CTI Networks, Inc.

From erey at ernw.de Fri Feb 6 09:34:37 2009
From: erey at ernw.de (Enno Rey)
Date: Fri, 6 Feb 2009 15:34:37 +0100
Subject: [c-nsp] Urgently looking for a C2811/2821 to rent or buy _today_ in Washington DC area
Message-ID: <20090206143437.GE12988@ws25.ernw.de>

Hi,

I have to give a talk tomorrow that includes a demo/lab with some MPLS VPN stuff. I brought a 3750-Metro and a 3560 with me (both running latest code) but just noticed the 3560s do not support MPLS VPNs at all.
So I'm urgently looking for some MPLS VPN capable device (acting as PE), preferably a 2811 or 2821 (as we've use for those in our lab anyway).

If anybody in the Washington DC area is reading this, pls contact me off-list. I'm willing to buy/rent a device immediately. The transaction has to happen today (paid by cash if needed) as I'll have to set up the stuff before tomorrow.

thanks,

Enno

-- 
Enno Rey
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel.
+49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Enno Rey

From manafo at hotmail.com Fri Feb 6 09:44:16 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Fri, 6 Feb 2009 16:44:16 +0200
Subject: [c-nsp] DHCP Binding Expiration
Message-ID:

Hi all,

I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I am using DHCP snooping and ARP inspection for security reasons, the lease time expiration is set to 30 minutes, and no excluded-address is configured. The problem is that I still can see some clients' IP address lease expirations are Infinite in the DHCP binding! What could be the reason for this behavior, and could this be some sort of attack!!

Here is my configuration of the DHCP server:

!
ip dhcp pool DHCP-POOL
   network 192.168.48.0 255.255.240.0
   default-router 192.168.48.1
   dns-server x.x.x.x x.x.x.x
   domain-name domain.com
   lease 0 0 30
!
and here is the output of the DHCP binding:

R1#show ip dhcp binding | include Infinite
192.168.50.50       001e.e58d.5f27          Infinite                Automatic
192.168.50.93       0017.3f0c.9d47          Infinite                Automatic
192.168.51.5        001e.e595.11b9          Infinite                Automatic
192.168.56.239      001e.e595.1109          Infinite                Automatic
192.168.56.251      0018.392d.94b5          Infinite                Automatic
192.168.57.7        001e.e595.10f9          Infinite                Automatic
192.168.57.77       0018.392d.9473          Infinite                Automatic
192.168.58.76       001f.3c66.6d1d          Infinite                Automatic
192.168.58.133      0014.bf65.80f7          Infinite                Automatic
192.168.58.137      001e.e58d.6671          Infinite                Automatic
192.168.58.151      00c0.020d.91bf          Infinite                Automatic
192.168.58.162      001e.e595.1b23          Infinite                Automatic
192.168.58.191      001e.e58d.6669          Infinite                Automatic
192.168.58.218      0018.3937.a0d7          Infinite                Automatic
192.168.58.231      0016.367b.086d          Infinite                Automatic

Regards,
Manaf

From razor at meganet.net Fri Feb 6 11:27:59 2009
From: razor at meganet.net (Paul A)
Date: Fri, 6 Feb 2009 11:27:59 -0500
Subject: [c-nsp] learned routes disappear
Message-ID: <033401c98877$dfe851c0$9fb8f540$@net>

Hi, I'm having a bgp issue I can't figure out and hoping someone has run into this.

I have two routers, router A and router B doing bgp.

Router A is advertising 5 routes to router B, when the session 1st comes up, router B has 5 routes received from router A. After 1:15 min the learned routes on router B disappear.

Router A
Learns the routes from one of my bgp customers.
neighbor 2xx.xx.xx.xx description xxx
neighbor 2xx.xx.xx.xx update-source FastEthernet1/43
neighbor 2xx.xx.xx.xx default-originate
neighbor 2xx.xx.xx.xx prefix-list PxxPL-IN in
neighbor 2xx.xx.xx.xx route-map PLIN in
neighbor 2xx.xx.xx.xx filter-list 109 in
neighbor 2xx.xx.xx.xx filter-list 2 out
neighbor 2xx.xx.xx.xx remote-as xxx
neighbor 2xx.xx.xx.xx update-source Loopback0
neighbor 2xx.xx.xx.xx next-hop-self

it advertises them to the configured neighbor on router A

neighbor 216.xxx update-source Loopback0
neighbor 216.xxx next-hop-self
neighbor 216.xxx filter-list 1 in
neighbor 216.xxx filter-list 1 out

If I clear the bgp session or when the session 1st comes up on router B, I see the routes but then they disappear after 1:15 min.

Thanks PA

From razor at meganet.net Fri Feb 6 12:47:44 2009
From: razor at meganet.net (Paul A)
Date: Fri, 6 Feb 2009 12:47:44 -0500
Subject: [c-nsp] learned routes disappear
In-Reply-To: <498C75E9.50809@rainierconnect.net>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net>
Message-ID: <000801c98883$03f8a550$0be9eff0$@net>

Thanks Walter. I really didn't want to mess with debug as it's a production router and I would have to do this late night, hopefully without crashing it. I really was hoping someone ran into this issue before.

FYI the 1st update-source is from router A to my bgp customer on fa1/43, the other is from router A to router B on loop0. So I think that's fine.

-----Original Message-----
From: Walter Keen [mailto:walter.keen at RainierConnect.net]
Sent: Friday, February 06, 2009 12:40 PM
To: Paul A
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] learned routes disappear

I would turn on debugging and see if 1:15m corresponds to one of the BGP nexthop scanning or other events. Don't leave debugging on any longer than needed on production systems. If you can replicate in a lab scenario, that would be ideal.
One thing that looks odd, is that you have 2 different update-source interfaces listed on RouterA's neighbor configuration for RouterB

Paul A wrote:
> Hi, I'm having a bgp issue I can't figure out and hoping someone has run
> into this.
>
> I have two routers, router A and router B doing bgp.
>
> Router A is advertising 5 routes to router B, when the session 1st comes up,
> router B has 5 routes received from router A. After 1:15 min the learned
> routes on router B disappear.
>
> Router A
> Learns the routes from one of my bgp customers.
>
> neighbor 2xx.xx.xx.xx description xxx
> neighbor 2xx.xx.xx.xx update-source FastEthernet1/43
> neighbor 2xx.xx.xx.xx default-originate
> neighbor 2xx.xx.xx.xx prefix-list PxxPL-IN in
> neighbor 2xx.xx.xx.xx route-map PLIN in
> neighbor 2xx.xx.xx.xx filter-list 109 in
> neighbor 2xx.xx.xx.xx filter-list 2 out
> neighbor 2xx.xx.xx.xx remote-as xxx
> neighbor 2xx.xx.xx.xx update-source Loopback0
> neighbor 2xx.xx.xx.xx next-hop-self
>
> it advertises them to the configured neighbor on router A
>
> neighbor 216.xxx update-source Loopback0
> neighbor 216.xxx next-hop-self
> neighbor 216.xxx filter-list 1 in
> neighbor 216.xxx filter-list 1 out
>
> If I clear the bgp session or when the session 1st comes up on router B, I
> see the routes but then they disappear after 1:15 min.
>
> Thanks PA
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From vijay.ramcharan at verizonbusiness.com Fri Feb 6 13:03:32 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 06 Feb 2009 18:03:32 +0000
Subject: [c-nsp] VACL capture - is this supposed to work
In-Reply-To: <20090206084123.GB27732@wildfire.net.ic.ac.uk>
Message-ID:

Phil

I have a similar config on a few 6500 switches running SXF10 and it appears to be doing its job. My config is quite similar to yours sans MPLS. These same switches also do local SPAN to a couple of 10G ports.

C6506E with Sup720-3BXL running 12.2(18)SXF10

vlan access-map VLAN110-MAP 10
 match ip address VIP-TRAFFIC
 action forward capture
vlan access-map VLAN110-MAP 15
 match ip address ANY-VLAN110-TRAFFIC
 action forward

ip access-list extended VIP-TRAFFIC
 permit ip any 1.2.3.0 0.0.0.127
 permit ip 1.2.3.0 0.0.0.127 any
ip access-list extended ANY-VLAN110-TRAFFIC
 permit ip any any

vlan filter VLAN110-MAP vlan-list 110

interface GigabitEthernet1/1
 description PRI-CAPTURE-PORT
 switchport
 switchport access vlan 999
 switchport mode access
 switchport capture
 switchport capture allowed vlan 110
 no ip address
 spanning-tree portfast

swp10#sh int g1/1 | inc rate
  Queueing strategy: fifo
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 181007000 bits/sec, 27250 packets/sec
swp10#

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: February 06, 2009 03:41
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VACL capture - is this supposed to work

We have this config on a 6500/sup720

int Vlan3799
 description upstream
 ip address ...

int Vlan4000
 description core
 ip address ...
 mpls ip

vlan filter CAPTURE_HTTP vlan 3799

int Gi9/1
 switchport
 switchport mode access
 switchport access vlan 3799
 switchport capture
 switchport capture allowed vlan 3799

...and the CAPTURE_HTTP map does:

1. tcp port 80, capture & forward
2. ip any any, forward

The intent is to capture inbound and outbound HTTP traffic, and log it with urlsnarf for legal compliance reasons. This *HAS* been working for months.

However, we did a recent upgrade of this router to 12.2(33)SXI and it stopped working - the VACL capture only seems to capture packets outbound i.e. input on Vl4000, out on Vl3799. It does capture any CPU-punt packets in the other direction.

At first I thought it was a bug in SXI, but we failed our default route over to another 6500 running SXF9 with the same config, and it suffers the same problem.

I had wondered if the problem was that the inbound traffic next-hop has an MPLS label imposed, but the other router is 1 hop away so uses plain-old IP, and it suffers the same.

So I'm baffled - we have a router that was running SXF10 for months with this config, no problem. Another with SXF9 doesn't work, nor does the original router with 12.2(33)SXI.

So, question: exactly what traffic should VACL capture actually *capture*? Is my config supported?

I have a TAC case open, but we're getting desperate - we need that URL logging, and a "normal" SPAN port generates way, way too much traffic - having the ACL to filter a sub-set is important.

sh tcam int vl3799 acl in/out ip det

...shows appropriate TCAM entries with the CAP flag set.

Any pointers gratefully received.
From walter.keen at RainierConnect.net Fri Feb 6 12:39:53 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Fri, 06 Feb 2009 09:39:53 -0800
Subject: [c-nsp] learned routes disappear
In-Reply-To: <033401c98877$dfe851c0$9fb8f540$@net>
References: <033401c98877$dfe851c0$9fb8f540$@net>
Message-ID: <498C75E9.50809@rainierconnect.net>

I would turn on debugging and see if 1:15m corresponds to one of the BGP nexthop scanning or other events. Don't leave debugging on any longer than needed on production systems. If you can replicate in a lab scenario, that would be ideal. One thing that looks odd, is that you have 2 different update-source interfaces listed on RouterA's neighbor configuration for RouterB

Paul A wrote:
> Hi, I'm having a bgp issue I can't figure out and hoping someone has run
> into this.
>
> I have two routers, router A and router B doing bgp.
>
> Router A is advertising 5 routes to router B, when the session 1st comes up,
> router B has 5 routes received from router A. After 1:15 min the learned
> routes on router B disappear.
>
> Router A
> Learns the routes from one of my bgp customers.
>
> neighbor 2xx.xx.xx.xx description xxx
> neighbor 2xx.xx.xx.xx update-source FastEthernet1/43
> neighbor 2xx.xx.xx.xx default-originate
> neighbor 2xx.xx.xx.xx prefix-list PxxPL-IN in
> neighbor 2xx.xx.xx.xx route-map PLIN in
> neighbor 2xx.xx.xx.xx filter-list 109 in
> neighbor 2xx.xx.xx.xx filter-list 2 out
> neighbor 2xx.xx.xx.xx remote-as xxx
> neighbor 2xx.xx.xx.xx update-source Loopback0
> neighbor 2xx.xx.xx.xx next-hop-self
>
> it advertises them to the configured neighbor on router A
>
> neighbor 216.xxx update-source Loopback0
> neighbor 216.xxx next-hop-self
> neighbor 216.xxx filter-list 1 in
> neighbor 216.xxx filter-list 1 out
>
> If I clear the bgp session or when the session 1st comes up on router B, I
> see the routes but then they disappear after 1:15 min.
>
> Thanks PA
>

From SPfister at dps.k12.oh.us Fri Feb 6 14:48:48 2009
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Fri, 06 Feb 2009 14:48:48 -0500
Subject: [c-nsp] Need help adding a device to an existing vlan
Message-ID: <498C4DC2.9E6F.00B8.0@dps.k12.oh.us>

I'm sure this is something simple, but I'm not quite seeing it... I need some help adding a device to an existing, recently created vlan. Here is the fragment of our network:

[core 4507] -> [8540] -> [3550] -> [1230 WAP]

[configuration excerpts are below]

The 1230 access point described is attached to our network, and is functioning properly. Recently, I tried to add another 3550 (in another part of the building), and a 1230 access point, copying the first configuration as the model. The vlan 99 (the user workstations) worked right away, but vlan 199 (the wireless access points) I cannot get working.
I can still get to the first access point, but am having trouble with the new one:

- it's unreachable when connected to the new switch, but I can get to it when connected to the first switch
- I can get to the vlan 199 default gateway from the new switch, and can get to the first access point from the new switch, but I can't get to the new access point, even when logged into the new switch.
- If I assign an ip address to the vlan 199 interface, I can get to the new access point from the new switch, but then I can't get to the vlan's default gateway or to the first access point.

Can someone help me find where the problem is? Do I need to allow vlan 1 on the interface on the core 4507?

Thanks for your help!

--Steve

Here are configuration fragments of each:

4507 (vtp server, domain ADM_VTP):
----------------------------------
interface GigabitEthernet1/1
 description Trunk to 8540
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 40,51,99,199,997,998
 switchport mode trunk
 switchport nonegotiate
 no logging event link-status
 qos trust dscp
 tx-queue 3
  priority high
!
interface Vlan199
 description ADM WLAN Management
 ip address 192.168.199.1 255.255.255.0
 ip helper-address 10.99.20.62
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
end

8540 (vtp client, domain ADM_VTP):
----------------------------------
interface GigabitEthernet1/0/0
 description Fiber to 99-c45-clan1
 no ip address
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet1/0/0.1
 description Native VLAN
 encapsulation dot1Q 1 native
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet1/0/0.40
 description Security VLAN
 encapsulation dot1Q 40
 no ip redirects
 no ip proxy-arp
 no cdp enable
 bridge-group 40
!
interface GigabitEthernet1/0/0.51
 description Voice Network
 encapsulation dot1Q 51
 no ip redirects
 no ip proxy-arp
 no cdp enable
 bridge-group 51
!
interface GigabitEthernet1/0/0.99
 description ADM LAN Access VLAN
 encapsulation dot1Q 99
 no ip redirects
 no ip proxy-arp
 no cdp enable
 bridge-group 99
!
interface GigabitEthernet1/0/0.199
 description Admin WLAN Management
 encapsulation dot1Q 199
 no ip redirects
 no ip proxy-arp
 no cdp enable
 bridge-group 199
!
interface GigabitEthernet1/0/0.997
 description ADM IVDL
 encapsulation dot1Q 997
 no ip redirects
 no ip proxy-arp
 bridge-group 97
!
interface GigabitEthernet1/0/0.998
 description Admin WLAN
 encapsulation dot1Q 998
 no ip redirects
 no ip proxy-arp
 bridge-group 98
!
interface GigabitEthernet1/0/2
 description Fiber to 3550
 no ip address
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet1/0/2.1
 description Native VLAN
 encapsulation dot1Q 1 native
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet1/0/2.99
 description ADM LAN Access VLAN
 encapsulation dot1Q 99
 no ip redirects
 no ip proxy-arp
 no cdp enable
 bridge-group 99
!
interface GigabitEthernet1/0/2.199
 description Admin WLAN Management
 encapsulation dot1Q 199
 no ip redirects
 no ip proxy-arp
 bridge-group 199
!
interface GigabitEthernet1/0/2.998
 description Admin WLAN
 encapsulation dot1Q 998
 no ip redirects
 no ip proxy-arp
 bridge-group 98
!
interface BVI199
 description Admin WLAN Management
 ip address 192.168.199.2 255.255.255.0
end

3550 (vtp client, domain ADM_VTP):
---------------------------------
interface GigabitEthernet0/1
 description to 99-c85-catm1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan99
 ip address 10.99.20.211 255.255.248.0
 no ip route-cache
 ntp broadcast client
!
interface Vlan199
 no ip address
!
interface FastEthernet0/38
 description to 1230 WAP
 switchport access vlan 199
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 no snmp trap link-status
 storm-control broadcast level 1.00
 storm-control multicast level 2.00
 storm-control unicast level 5.00
end

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From trejrco at gmail.com Fri Feb 6 15:22:30 2009
From: trejrco at gmail.com (TJ)
Date: Fri, 6 Feb 2009 15:22:30 -0500
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498B8C61.9060408@rollernet.us>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net> <498B8C61.9060408@rollernet.us>
Message-ID: <000101c98898$a80b7720$f8226560$@com>

>> You can add lines if you use sequence numbers on your acl. What version
>> are you using
>>
>>>> I have old rule in the switch but don't know how to add new rule in
>>>> the same access-list
>>>>
>>>> When I add new deny rule, it will be put at the end of the
>>>> access-list
>>>>
>>>> If I remove the access-list 140, I have to re-type all lines again.
>>>>
>>>
>>> That's correct. You need to remove and recreate it in the correct
>>> order lacking sequences.
>>>
>
> Like I said, if he doesn't have sequences (which based on the information
> given in the original question I can only assume he doesn't have an IOS that
> supports it on old-skool access lists).

With a word of caution - if this is an ACL that affects YOUR connectivity to the router: removing the ACL is fine, but the first line you put back in better be the line that lets you in! Otherwise you'll be driving in ...
((Or, even better, either un-apply the ACL from the interface -or- start over with a new ACL, with the new line(s), and apply that to the interface (and then dump the ACL). Oh, and the "reload in XX" command is your friend (but don't forget the "reload cancel" part).))

MAN I am glad I don't need to do any of that any more, sequence numbers are a Good Thing!

/TJ

From mksmith at adhost.com Fri Feb 6 15:46:37 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Fri, 6 Feb 2009 12:46:37 -0800
Subject: [c-nsp] learned routes disappear
In-Reply-To: <000801c98883$03f8a550$0be9eff0$@net>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net>
Message-ID: <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan>

Hello Paul:

> > Paul A wrote:
> > Hi, I'm having a bgp issue I can't figure out and hoping someone has run
> > into this.
> >
> > I have two routers, router A and router B doing bgp.
> >
> > Router A is advertising 5 routes to router B, when the session 1st comes
> up,
> > router B has 5 routes received from router A. After 1:15 min the learned
> > routes on router B disappear.
> >

How are the routes getting into BGP? Are they coming in via tie-down routes in the IGP somewhere? Could it be that you have an IGP failure of some sort such that the routes are being withdrawn legitimately?

Regards,

Mike

From abalashov at evaristesys.com Fri Feb 6 16:02:04 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 06 Feb 2009 16:02:04 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090206094056.GD290@greenie.muc.de>
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com> <20090206094056.GD290@greenie.muc.de>
Message-ID: <498CA54C.4010400@evaristesys.com>

Gert Doering wrote:
> Hi,
>
> On Thu, Feb 05, 2009 at 08:48:35PM -0500, Alex Balashov wrote:
>> There is no reason why you need to "waste" IP address on the /30s - who
>> said they have to be public IPs? Just carve out some address space out
>> of a 10.0.0.0/8 range and use private transport IPs.
>
> RFC1918 (indirectly) says that this is not permitted.
>
> (If you do this, ICMPs sourced by the remote router will send their
> packets with an RFC1918 source address, which is strictly not allowed.
> If you filter those packets, you'll break traceroute and PMTUd).

I find that to be OK. :)

-- 
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From abalashov at evaristesys.com Fri Feb 6 16:03:03 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 06 Feb 2009 16:03:03 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CA54C.4010400@evaristesys.com>
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com> <20090206094056.GD290@greenie.muc.de> <498CA54C.4010400@evaristesys.com>
Message-ID: <498CA587.1070606@evaristesys.com>

Alex Balashov wrote:
> Gert Doering wrote:
>> Hi,
>>
>> On Thu, Feb 05, 2009 at 08:48:35PM -0500, Alex Balashov wrote:
>>> There is no reason why you need to "waste" IP address on the /30s -
>>> who said they have to be public IPs?
>>> Just carve out some address space out of a 10.0.0.0/8 range and use private transport IPs.
>>
>> RFC1918 (indirectly) says that this is not permitted.
>>
>> (If you do this, ICMPs sourced by the remote router will send their
>> packets with an RFC1918 source address, which is strictly not allowed.
>> If you filter those packets, you'll break traceroute and PMTUd).
>
> I find that to be OK. :)
>

But yeah, it's a little nasty in some cases for that exact reason. It's a much better idea to do a single IP and a /32 route on Loopback.

-- 
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From harbor235 at gmail.com Fri Feb 6 16:39:29 2009
From: harbor235 at gmail.com (harbor235)
Date: Fri, 6 Feb 2009 16:39:29 -0500
Subject: [c-nsp] learned routes disappear
In-Reply-To: <000801c98883$03f8a550$0be9eff0$@net>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net>
Message-ID: <836bf1f90902061339o214d9c94p123ecdfc1508d056@mail.gmail.com>

Most likely the 5 routes are not reachable. If you just added the routes via a supernet advertisement and they do not exist elsewhere, either locally connected or learned via an IGP this behavior will happen. This is normal and the correct way for BGP to operate.

mike

On Fri, Feb 6, 2009 at 12:47 PM, Paul A wrote:
> Thanks Walter.
>
> I really didn't want to mess with debug as it's a production router and I
> would have to do this late night, hopefully without crashing it. I really
> was hoping someone ran into this issue before.
>
> FYI the 1st update-source is from router A to my bgp customer on fa1/43 the
> other is from router A to router B on loop0
> So I think that's fine.
>
> -----Original Message-----
> From: Walter Keen [mailto:walter.keen at RainierConnect.net]
> Sent: Friday, February 06, 2009 12:40 PM
> To: Paul A
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] learned routes disappear
>
> I would turn on debugging and see if 1:15m corresponds to one of the BGP
> nexthop scanning or other events. Don't leave debugging on any longer
> than needed on production systems. If you can replicate in a lab
> scenario, that would be ideal. One thing that looks odd, is that you
> have 2 different update-source interfaces listed on RouterA's neighbor
> configuration for RouterB
>
>
> Paul A wrote:
> > Hi, I'm having a bgp issue I can't figure out and hoping someone has run
> > into this.
> >
> > I have two routers, router A and router B doing bgp.
> >
> > Router A is advertising 5 routes to router B, when the session 1st comes
> up,
> > router B has 5 routes received from router A. After 1:15 min the learned
> > routes on router B disappear.
> >
> > Router A
> >
> > Learns the routes from one of my bgp customers.
> >
> > neighbor 2xx.xx.xx.xx description xxx
> > neighbor 2xx.xx.xx.xx update-source FastEthernet1/43
> > neighbor 2xx.xx.xx.xx default-originate
> > neighbor 2xx.xx.xx.xx prefix-list PxxPL-IN in
> > neighbor 2xx.xx.xx.xx route-map PLIN in
> > neighbor 2xx.xx.xx.xx filter-list 109 in
> > neighbor 2xx.xx.xx.xx filter-list 2 out
> > neighbor 2xx.xx.xx.xx remote-as xxx
> > neighbor 2xx.xx.xx.xx update-source Loopback0
> > neighbor 2xx.xx.xx.xx next-hop-self
> >
> > it advertises them to the configured neighbor on router A
> >
> > neighbor 216.xxx update-source Loopback0
> > neighbor 216.xxx next-hop-self
> > neighbor 216.xxx filter-list 1 in
> > neighbor 216.xxx filter-list 1 out
> >
> > If I clear the bgp session or when the session 1st comes up on router B,
> I
> > see the routes but then they disappear after 1:15 min.
> >
> > Thanks PA
> >

From paul at paulstewart.org Fri Feb 6 16:45:42 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 6 Feb 2009 16:45:42 -0500
Subject: [c-nsp] IDS Recommendations - Cisco?
Message-ID: <000001c988a4$42d8fa60$c88aef20$@org>

Hi there...

Our server farms hang off a pair of 6509s today. The SVI interfaces are redundant with HSRP for each VLAN that feeds the servers.... Sup2/MSFC2 running native IOS.
So, we're looking for IDS/firewall solutions to protect a few of the VLANs in particular. We did have a pair of FWSMs in these boxes but had a lot of grief getting them running only to be faced with hardware failure problems. They are removed from the picture now.

Several options exist but I'm wondering if a pair of IDSM-2 would serve us better - each server has its own firewall and we can do some 'basic limiting' with access-lists to complement the efforts made by the servers already. Our approach is two staged - first is to limit the exposure and secondly is to be as secure as possible on the traffic that is exposed. Since these server farms do email, web hosting and other public facing service provider tasks I believe we'll be better investing in IDSM blades or similar...

Another option was to put a pair of Juniper IDP boxes on those VLANs and use STP to dump the traffic through them...

Thoughts? I realize this is kind of a very brief overview - don't want to bore everyone with our security policies ;)

Thanks,

Paul

From justin at justinshore.com Fri Feb 6 17:32:03 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 06 Feb 2009 16:32:03 -0600
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090206093842.GC290@greenie.muc.de>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <20090206093842.GC290@greenie.muc.de>
Message-ID: <498CBA63.7080908@justinshore.com>

Gert Doering wrote:
> I can only second this. If you have a dedicated point-to-point interface for
> things, tacking the route on the interface is usually more robust than
> pointing towards a gateway IP that might not be there, or might be learned
> recursively over another interface, etc.

I'm going to have to think on this. This could be a good solution for us, though again I don't ever foresee the need to re-IP a loopback. Can anyone give me an example of such a scenario?
> For multiaccess-links, *don't* do "ip route 0.0.0.0 0.0.0.0 eth0", of
> course (use "... eth0 "). Just to make this very clear.
>
>> ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA
>
> One can tack a *name* to routes? Need to test this :-)
>
> Does this name get carried in IGPs? Or is it just there in the config
> to document things?

LOL. Yes, Gert. One can name static routes, contrary to what my predecessor thought. :-) It's local to the router. It's just a nice way to describe what the static is for.

Thanks for the info
Justin

From justin at justinshore.com Fri Feb 6 17:34:12 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 06 Feb 2009 16:34:12 -0600
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <383357750902060212k5a18d067t2f615818d5d48f9a@mail.gmail.com>
References: <498B7DC5.7060803@justinshore.com> <383357750902060212k5a18d067t2f615818d5d48f9a@mail.gmail.com>
Message-ID: <498CBAE4.50503@justinshore.com>

Yes, we exclude .255 and .0 in all our DHCP pools. I make sure to not hand that out manually too.

One good thing about IP unnumbered is that I have to point a static route for the customer's assigned IP at their interface. This lets me use uRPF again and eliminates the need for a customer ingress ACL on each CE-facing interface.

Justin

Mateusz Blaszczyk wrote:
> Justin,
>
> just be sure not to assign .255 address to the customer, windows is
> buggy there: http://support.microsoft.com/kb/281579
> We've been bitten there.
>
> Best Regards,
>
> -mat

From Gregori.Parker at theplatform.com Fri Feb 6 17:10:46 2009
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Fri, 6 Feb 2009 14:10:46 -0800
Subject: [c-nsp] IDS Recommendations - Cisco?
In-Reply-To: <000001c988a4$42d8fa60$c88aef20$@org>
References: <000001c988a4$42d8fa60$c88aef20$@org>
Message-ID: <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com>

I would highly recommend keeping some sort of firewall to ACL/NAT upstream from your hosts...I personally don't put a lot of stock into host-based firewalling as one's sole means of protection. If the FWSM didn't serve you well (all my problems with FWSM went away since 3.1.6), you could look into the ASA 5500, or better yet work with TAC to get your FWSM hardware issues resolved/units replaced.

Anyways, I don't want to second-guess your architecture or reasons, but IME it's best to have an IDSM passively monitoring a span port behind the firewall or load-balancer. The idea here is that you want the limiting factor upstream from the IDS so that it's not processing packets/connections that will be dropped/refused anyways. The IDSM doesn't act as a firewall, even if you choose to put it inline (I'd recommend against that unless you really want active mitigation and your traffic rate is well below 400mbps), and it requires much more tuning to be useful.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 06, 2009 1:46 PM
To: 'Cisco-nsp'
Subject: [c-nsp] IDS Recommendations - Cisco?

Hi there...

Our server farms hang off a pair of 6509s today. The SVI interfaces are redundant with HSRP for each VLAN that feeds the servers.... Sup2/MSFC2 running native IOS.

So, we're looking for IDS/firewall solutions to protect a few of the VLANs in particular. We did have a pair of FWSMs in these boxes but had a lot of grief getting them running only to be faced with hardware failure problems. They are removed from the picture now.
Several options exist but I'm wondering if a pair of IDSM-2 would serve us better - each server has its own firewall and we can do some 'basic limiting' with access-lists to complement the efforts made by the servers already. Our approach is two staged - first is to limit the exposure and secondly is to be as secure as possible on the traffic that is exposed. Since these server farms do email, web hosting and other public facing service provider tasks I believe we'll be better investing in IDSM blades or similar...

Another option was to put a pair of Juniper IDP boxes on those VLANs and use STP to dump the traffic through them...

Thoughts? I realize this is kind of a very brief overview - don't want to bore everyone with our security policies ;)

Thanks,

Paul

From justin at justinshore.com Fri Feb 6 18:08:47 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 06 Feb 2009 17:08:47 -0600
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <01f801c987f7$983bd660$c8b38320$@net>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net>
Message-ID: <498CC2FF.6090109@justinshore.com>

Gregory Boehnlein wrote:
> This is very similar to what we do. While we have several customers that
> need larger subnets, the majority of our customers are using IP Unnumbered.
>
> In some cases, we will provide the customer a /29 if they need additional
> external IP addresses, but the configuration on their router uses the low IP
> in the /29 as its loopback interface. We send our default route out of the
> interface, rather than to the remote gateway IP, so if we change the ip of
> the loopback on our side, we do not need to adjust anything for the
> customer.

That's not a bad idea.
Though wouldn't pointing a default at an interface force it to ARP constantly? Several hundred CEs ARPing non-stop could be a load issue on your PE.

I'm not too worried about the loopback's IP changing. I only put a /24 on the loopback to get us started. I'll load it with customer DS1s until I get to around 90% IP utilization and then create another loopback with another /24 or perhaps a /23 this time around. I padded the front of the subnet sufficiently to allow for future HA projects and the unforeseeable. I can't foresee ever needing to change the IP on a loopback once I have it in production.

> We use outbound service policies on unnumbered interfaces just fine:
>
> interface Serial10/1/0/3:0
>  description L3 OH/XXXX/XXXX to XXXXXXX channel 12
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  service-policy output llq
>  no fair-queue
>  down-when-looped
>  no clns route-cache

Excellent. QoS was something that occurred to me as I was writing my original message.

> ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA

So you'd prefer to route a larger customer assignment to the CE-facing interface instead of to their assigned IP unnumbered address?

> I've been doing ip unnumbered since 1995 in production and it "just works".
> There are undoubtedly some routers out there that might have issues, but any
> Cisco device should be able to handle things just fine.

Very good. On the CE side I really don't anticipate many problems. I see this as more of a CE knowledge thing than anything. I'm sure we'll have several customers that need something special. I hope that for the most part we can lump them all into an IP unnumbered design.
Thanks for the input
Justin

From damin at nacs.net Fri Feb 6 19:06:47 2009
From: damin at nacs.net (Gregory Boehnlein)
Date: Fri, 6 Feb 2009 19:06:47 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CC2FF.6090109@justinshore.com>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <498CC2FF.6090109@justinshore.com>
Message-ID: <023a01c988b7$f7ad6b20$e7084160$@net>

>> We send our default route out of the interface, rather than to the remote gateway IP, so if we change the
>> ip of the loopback on our side, we do not need to adjust anything for the
>> customer.
>
> That's not a bad idea. Though wouldn't pointing a default at an
> interface force it to ARP constantly? Several hundred CEs ARPing
> non-stop could be a load issue on your PE.

I've not experienced that.

> I'm not too worried about the loopback's IP changing. I only put a /24
> on the loopback to get us started. I'll load it with customer DS1s
> until I get to around 90% IP utilization and then create another
> loopback with another /24 or perhaps a /23 this time around. I padded
> the front of the subnet sufficiently to allow for future HA projects
> and the unforeseeable. I can't foresee ever needing to change the IP on a
> loopback once I have it in production.

It makes it much easier to groom services from one router to the other if you have to migrate a lot, and over the years, I have had to migrate a lot of customers from one router to the next etc..

> > We use outbound service policies on unnumbered interfaces just fine:
> >
> > interface Serial10/1/0/3:0
> >  description L3 OH/XXXX/XXXX to XXXXXXX channel 12
> >  ip unnumbered Loopback0
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  service-policy output llq
> >  no fair-queue
> >  down-when-looped
> >  no clns route-cache
>
> Excellent. QoS was something that occurred to me as I was writing my
> original message.
> > > > ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA
>
> So you'd prefer to route a larger customer assignment to the
> CE-facing interface instead of to their assigned IP unnumbered address?
>
> > I've been doing ip unnumbered since 1995 in production and it "just
> works".
> > There are undoubtedly some routers out there that might have issues,
> but any
> > Cisco device should be able to handle things just fine.
>
> Very good. On the CE side I really don't anticipate many problems. I
> see this as more of a CE knowledge thing than anything. I'm sure we'll
> have several customers that need something special. I hope that for
> the most part we can lump them all into an IP unnumbered design.

To be truthful, I haven't found anything that we cannot do w/ IP unnumbered yet.

From paul at paulstewart.org Fri Feb 6 19:24:34 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 6 Feb 2009 19:24:34 -0500
Subject: [c-nsp] IDS Recommendations - Cisco?
In-Reply-To: <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com>
References: <000001c988a4$42d8fa60$c88aef20$@org> <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com>
Message-ID: <006501c988ba$73c58970$5b509c50$@org>

Thanks for the response... What we have today is ACL's on the 6500's and then iptables on the Linux boxes for example. This has worked fairly well and is basic to administer. My underlying goal is to have an inline IDS solution that will actively block (inline) on configured severe signatures - of course the tuning aspect of this is going to take a lot of work.

A good example to paint a picture here is that some of these servers are for web hosting. If a client uploads a php script (example) that has a vulnerability we would like the IDS to trip on it - again we can't have the world but that's kind of what I have in mind.
This could be something that triggers based on sudden SMTP activity where the script is being used maliciously to send out spam (seen that before). Just an example but hopefully that helps share a bit better what we had in mind. These servers do a combined throughput of probably 100Mb/s at peak.

I could think of many more scenarios but at a high level I'm looking for vendor/product recommendations based on actual usage if possible. Since we're primarily a Cisco shop I'd love to use something from Cisco but having said that we want the best solution when possible. Another option to consider may be a Sourcefire 3D solution or similar too (powered by Snort).

Appreciate the input...

Paul

-----Original Message-----
From: Gregori Parker [mailto:Gregori.Parker at theplatform.com]
Sent: February 6, 2009 5:11 PM
To: Paul Stewart; Cisco-nsp
Subject: RE: [c-nsp] IDS Recommendations - Cisco?

I would highly recommend keeping some sort of firewall to ACL/NAT upstream from your hosts...I personally don't put a lot of stock into host-based firewalling as one's sole means of protection. If the FWSM didn't serve you well (all my problems with FWSM went away since 3.1.6), you could look into the ASA 5500, or better yet work with TAC to get your FWSM hardware issues resolved/units replaced.

Anyways, I don't want to second-guess your architecture or reasons, but IME it's best to have an IDSM passively monitoring a span port behind the firewall or load-balancer. The idea here is that you want the limiting factor upstream from the IDS so that it's not processing packets/connections that will be dropped/refused anyways. The IDSM doesn't act as a firewall, even if you choose to put it inline (I'd recommend against that unless you really want active mitigation and your traffic rate is well below 400mbps), and it requires much more tuning to be useful.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 06, 2009 1:46 PM
To: 'Cisco-nsp'
Subject: [c-nsp] IDS Recommendations - Cisco?

Hi there...

Our server farms hang off a pair of 6509's today. The SVI interfaces are redundant with HSRP for each VLAN that feeds the servers.... Sup2/MSFC2 running native IOS. So, we're looking for IDS/firewall solutions to protect a few of the VLAN's in particular. We did have a pair of FWSM's in these boxes but had a lot of grief getting them running only to be faced with hardware failure problems. They are removed from the picture now.

Several options exist but I'm wondering if a pair of IDSM-2 would serve us better - each server has its own firewall and we can do some 'basic limiting' with access-lists to complement the efforts made by the servers already. Our approach is two staged - first is to limit the exposure and secondly is to be as secure as possible on the traffic that is exposed. Since these server farms do email, web hosting and other public facing service provider tasks I believe we'll be better investing in IDSM blades or similar...

Another option was to put a pair of Juniper IDP boxes on those VLAN's and use STP to dump the traffic through them...

Thoughts?
I realize this is kind of a very brief overview - don't want to bore everyone with our security policies ;)

Thanks,

Paul

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From david at davidcoulson.net Fri Feb 6 20:10:51 2009
From: david at davidcoulson.net (David Coulson)
Date: Fri, 06 Feb 2009 20:10:51 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CC2FF.6090109@justinshore.com>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <498CC2FF.6090109@justinshore.com>
Message-ID: <498CDF9B.7060507@davidcoulson.net>

Justin Shore wrote:
> That's not a bad idea. Though wouldn't pointing a default at an
> interface force it to ARP constantly? Several hundred CEs ARPing
> non-stop could be a load issue on your PE.

It's a serial interface. It doesn't ARP :-)

From nbernadeau at gallantsys.com Fri Feb 6 16:03:31 2009
From: nbernadeau at gallantsys.com (Nathaniel Bernadeau)
Date: Fri, 06 Feb 2009 16:03:31 -0500
Subject: [c-nsp] Cisco AXSM
Message-ID: <498CA5A3.80306@gallantsys.com>

Has the Cisco AXSM line reached end of life?
--
regards,
Nathaniel Bernadeau
Gallant Systems, LLC
11064 Livingston RD Suite 106-C
Fort Washington, MD 20744
Toll Free: 888-836-3751
Ph: 301-627-6358
Fax: 240-823-6897
Cell: 202-246-2229
nbernadeau at gallantsys.com
www.gallantsys.com

From gert at greenie.muc.de Sat Feb 7 01:08:10 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 7 Feb 2009 07:08:10 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CBA63.7080908@justinshore.com>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <20090206093842.GC290@greenie.muc.de> <498CBA63.7080908@justinshore.com>
Message-ID: <20090207060810.GJ290@greenie.muc.de>

Hi,

On Fri, Feb 06, 2009 at 04:32:03PM -0600, Justin Shore wrote:
> Gert Doering wrote:
> >I can only second this. If you have a dedicated point-to-point interface
> >for things, tacking the route on the interface is usually more robust than
> >pointing towards a gateway IP that might not be there, or might be learned
> >recursively over another interface, etc.
>
> I'm going to have to think on this. This could be a good solution for
> us, though again I don't ever foresee the need to re-IP a loopback. Can
> anyone give me an example of such a scenario?

Well, one example would be "you currently have 3 routers with lots of individual E1 cables. Your telco provider offers to move all the E1s into an STM-1, and you can serve the same customers from a single new router". Now of course you could move all 3 former loopback IPs to the new box and migrate all customers at once - or assign a single new one, and migrate them one by one.

(This might not be the most typical example, but "moving customers to a different router" is happening out there :) - and then you either have something that's not dependent on the loopback IP, or you have pains)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Sat Feb 7 01:13:56 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 7 Feb 2009 07:13:56 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CC2FF.6090109@justinshore.com>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <498CC2FF.6090109@justinshore.com>
Message-ID: <20090207061356.GK290@greenie.muc.de>

Hi,

On Fri, Feb 06, 2009 at 05:08:47PM -0600, Justin Shore wrote:
> Gregory Boehnlein wrote:
> >This is very similar to what we do. While we have several customers that
> >need larger subnets, the majority of our customers are using IP Unnumbered.
> >
> >In some cases, we will provide the customer a /29 if they need additional
> >external IP addresses, but the configuration on their router uses the low
> >IP
> >in the /29 as its loopback interface. We send our default route out of the
> >interface, rather than to the remote gateway IP, so if we change the ip of
> >the loopback on our side, we do not need to adjust anything for the
> >customer.
>
> That's not a bad idea. Though wouldn't pointing a default at an
> interface force it to ARP constantly? Several hundred CEs ARPing
> non-stop could be a load issue on your PE.

There's no ARP on serial links (HDLC or PPP). There's only "me" and "you". So if you point a route to the interface, the router will stuff it in, and the other router will receive it.

You need to be careful about ATM interfaces: it depends on how you configure them. If it's PPPoA, or AAL5 SNAP ("direct IP over ATM"), this will work.
If you involve Ethernet, like with RBE (route-bridged encapsulation) or with bridge-groups over ATM, you have ARP, and should specify a next-hop router.

> I'm not too worried about the loopback's IP changing. I only put a /24
> on the loopback to get us started. I'll load it with customer DS1s
> until I get to around 90% IP utilization and then create another
> loopback with another /24 or perhaps a /23 this time around. I padded
> the front of the subnet sufficiently to allow for future HA projects and
> the unforeseeable. I can't foresee ever needing to change the IP on a
> loopback once I have it in production.

Imagine customers moving to other routers.

[..]
> >ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA
>
> So you'd prefer to route a larger customer assignment to the
> CE-facing interface instead of to their assigned IP unnumbered address?

Most definitely.

(That way, when the interface goes down, the route is properly withdrawn. Otherwise, as long as you have a route to the customer "IP unnumbered" address in your routing table, your PE router will still have the route active, and will announce it in its IGP - leading to routing loops)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
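To make Gert's point about withdrawal concrete, here is an added example (my own model of static-route resolution, not code from the thread or from IOS): the same customer /29 is installed once pointed at the serial interface and once pointed at the CE's "ip unnumbered" address, and the DS1 is then taken down. The documentation prefixes, the CE address and the /32 host route to the CE are assumptions; only the interface name comes from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    """One RIB entry: bound to an interface (connected, or a static pointed
    at an interface) or recursive via a next-hop address."""
    prefix: ipaddress.IPv4Network
    interface: Optional[str] = None
    next_hop: Optional[ipaddress.IPv4Address] = None


class Rib:
    MAX_DEPTH = 8  # bound on recursive next-hop resolution

    def __init__(self) -> None:
        self.routes: list[Route] = []
        self.link_up: dict[str, bool] = {}

    def add_interface(self, name: str, network: Optional[str] = None) -> None:
        """Bring an interface up; a numbered one also installs its connected route."""
        self.link_up[name] = True
        if network is not None:
            self.routes.append(Route(ipaddress.ip_network(network), interface=name))

    def add_static(self, prefix: str, interface: Optional[str] = None,
                   next_hop: Optional[str] = None) -> None:
        nh = ipaddress.ip_address(next_hop) if next_hop is not None else None
        self.routes.append(Route(ipaddress.ip_network(prefix), interface=interface, next_hop=nh))

    def set_link(self, name: str, up: bool) -> None:
        self.link_up[name] = up

    def resolve(self, route: Route, exclude: frozenset = frozenset(),
                depth: int = 0) -> Optional[str]:
        """Outgoing interface for a route, or None when it is unusable: an
        interface-bound route needs its interface up; a recursive route needs
        its next hop to resolve through some *other* entry in the table."""
        if route.interface is not None:
            return route.interface if self.link_up.get(route.interface, False) else None
        if depth >= self.MAX_DEPTH:
            return None
        return self.egress(route.next_hop, exclude | {route}, depth + 1)

    def egress(self, dest, exclude: frozenset = frozenset(), depth: int = 0) -> Optional[str]:
        """Longest-prefix match that skips entries which are currently unusable."""
        addr = ipaddress.ip_address(str(dest))
        matches = sorted((r for r in self.routes if r not in exclude and addr in r.prefix),
                         key=lambda r: r.prefix.prefixlen, reverse=True)
        for route in matches:
            via = self.resolve(route, exclude, depth)
            if via is not None:
                return via
        return None

    def active_prefixes(self) -> list[str]:
        """Usable routes: what an IGP redistributing statics would announce."""
        return sorted(str(r.prefix) for r in self.routes if self.resolve(r) is not None)


# Constructed topology (documentation prefixes); only the serial name is from the thread.
PE_LOOPBACK = "192.0.2.0/24"       # Loopback0, the pool that 'ip unnumbered' borrows from
CE_ADDR = "192.0.2.10"             # the customer's address out of that pool
CE_LINK = "Serial10/1/0/3:0"       # unnumbered DS1 towards the CE
CUSTOMER_BLOCK = "203.0.113.8/29"  # larger assignment routed to the customer
HOST_IN_BLOCK = "203.0.113.9"


def build_pe(route_via: str) -> Rib:
    """PE RIB with the customer /29 pointed at the interface ("interface") or at
    CE_ADDR (anything else). The /32 host route to the CE over the serial is an
    assumption of this model."""
    rib = Rib()
    rib.add_interface("Loopback0", PE_LOOPBACK)
    rib.add_interface(CE_LINK)                      # 'ip unnumbered Loopback0': no prefix of its own
    rib.add_static(CE_ADDR + "/32", interface=CE_LINK)
    if route_via == "interface":
        rib.add_static(CUSTOMER_BLOCK, interface=CE_LINK)
    else:
        rib.add_static(CUSTOMER_BLOCK, next_hop=CE_ADDR)
    return rib


def link_failure(route_via: str) -> tuple:
    """(egress before, egress after, still announced?) when the DS1 goes down."""
    rib = build_pe(route_via)
    before = rib.egress(HOST_IN_BLOCK)
    rib.set_link(CE_LINK, False)
    after = rib.egress(HOST_IN_BLOCK)
    return before, after, CUSTOMER_BLOCK in rib.active_prefixes()


if __name__ == "__main__":
    for via in ("interface", "next_hop"):
        print(via, link_failure(via))
```

With the route on the interface the /29 disappears together with the link; with the route on the next hop it stays active, now resolving into Loopback0 (a black hole on the PE) and still eligible for announcement, which is the loop Gert describes.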
From gert at greenie.muc.de Sat Feb 7 01:14:41 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 7 Feb 2009 07:14:41 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CA54C.4010400@evaristesys.com>
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com> <20090206094056.GD290@greenie.muc.de> <498CA54C.4010400@evaristesys.com>
Message-ID: <20090207061441.GL290@greenie.muc.de>

Hi,

On Fri, Feb 06, 2009 at 04:02:04PM -0500, Alex Balashov wrote:
> >(If you do this, ICMPs sourced by the remote router will send their
> >packets with an RFC1918 source address, which is strictly not allowed.
> >If you filter those packets, you'll break traceroute and PMTUd).
>
> I find that to be OK. :)

Breaking PMTUd is OK? Thanks very much.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From sthaug at nethelp.no Sat Feb 7 03:10:12 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sat, 07 Feb 2009 09:10:12 +0100 (CET)
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090207061441.GL290@greenie.muc.de>
References: <20090206094056.GD290@greenie.muc.de> <498CA54C.4010400@evaristesys.com> <20090207061441.GL290@greenie.muc.de>
Message-ID: <20090207.091012.74683792.sthaug@nethelp.no>

> > >(If you do this, ICMPs sourced by the remote router will send their
> > >packets with an RFC1918 source address, which is strictly not allowed.
> > >If you filter those packets, you'll break traceroute and PMTUd).
> >
> > I find that to be OK. :)
>
> Breaking PMTUd is OK? Thanks very much.
We block RFC1918 source addresses at our borders. This is not negotiable. If it breaks PMTUd because some operator used 1918 addresses on links, too bad...

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From gert at greenie.muc.de Sat Feb 7 03:32:15 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 7 Feb 2009 09:32:15 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090207.091012.74683792.sthaug@nethelp.no>
References: <20090206094056.GD290@greenie.muc.de> <498CA54C.4010400@evaristesys.com> <20090207061441.GL290@greenie.muc.de> <20090207.091012.74683792.sthaug@nethelp.no>
Message-ID: <20090207083215.GP290@greenie.muc.de>

Hi,

On Sat, Feb 07, 2009 at 09:10:12AM +0100, sthaug at nethelp.no wrote:
> > Breaking PMTUd is OK? Thanks very much.
>
> We block RFC1918 source addresses at our borders. This is not
> negotiable. If it breaks PMTUd because some operator used 1918
> addresses on links, too bad...

In case my opinion on this was not obvious (I received some private e-mail concerning doubts): I'm very much opposed to breaking PMTUd or traceroutes by using RFC1918 addresses on links.

(If you can get your routers to source ICMPs from global addresses, then I have no issue with the RFC1918 part on the transfer networks - but ICMP is important, and breaking it is bad).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
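The breakage Gert and Steinar are arguing about, as an added example that is not from the thread (it also covers Mike's later question about ICMP sourced from 10.x interfaces): a small model of the PMTUD exchange under an RFC1918 border filter, plus a check over IOS-style ACL log lines for the Fragmentation Needed messages such a filter eats. The addresses, MTUs, list names and log lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed topology: sender on a 1500-byte LAN, one 1400-byte hop in the path.
SENDER = "203.0.113.10"
RECEIVER = "198.51.100.20"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    kind: str            # "data" or "frag-needed" (ICMP type 3 code 4)
    size: int
    mtu_hint: int = 0    # next-hop MTU carried in a frag-needed message


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def border_filter_passes(pkt: Packet) -> bool:
    """Ingress filter as described in the thread: anything sourced from RFC1918
    is dropped, whatever the protocol or ICMP type."""
    return not is_rfc1918(pkt.src)


def pmtud_exchange(router_icmp_src: str, link_mtu: int = 1400,
                   sender_mtu: int = 1500, border_filters: bool = True) -> tuple:
    """Run the exchange; return (MTU the sender ends up using, delivered?).
    The sender sets DF; the transit router sources its ICMP from router_icmp_src."""
    pmtu = sender_mtu
    for _ in range(4):                       # a few retransmissions, then give up
        data = Packet(SENDER, RECEIVER, "data", pmtu)
        if data.size <= link_mtu:
            return pmtu, True                # fits the narrow hop: delivered
        # DF is set, so the transit router discards and reports the smaller MTU
        icmp = Packet(router_icmp_src, SENDER, "frag-needed", 56, mtu_hint=link_mtu)
        if border_filters and not border_filter_passes(icmp):
            continue                         # eaten by the bogon filter: sender learns nothing
        pmtu = icmp.mtu_hint                 # sender shrinks and retries
    return pmtu, False                       # black hole: large packets never arrive


# Constructed log lines in the shape of IOS ACL logging (%SEC-6-IPACCESSLOGDP);
# list names and addresses are made up.
ACL_LOG = """\
%SEC-6-IPACCESSLOGDP: list BOGON-IN denied icmp 10.1.1.1 -> 203.0.113.10 (3/4), 1 packet
%SEC-6-IPACCESSLOGDP: list BOGON-IN denied icmp 10.9.9.9 -> 203.0.113.10 (11/0), 2 packets
%SEC-6-IPACCESSLOGDP: list BOGON-IN denied icmp 10.1.1.1 -> 203.0.113.11 (3/4), 3 packets
%SEC-6-IPACCESSLOGDP: list EDGE-IN denied icmp 198.51.100.1 -> 203.0.113.10 (3/4), 1 packet
"""
DENY_RE = re.compile(r"denied icmp (\S+) -> (\S+) \((\d+)/(\d+)\), (\d+) packets?")


def dropped_frag_needed(log: str) -> dict:
    """Count ICMP type 3 code 4 messages dropped for an RFC1918 source, per
    source: each one is a PMTUD signal that somebody's session never received."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        src, _dst, icmp_type, code, n = m.groups()
        if (icmp_type, code) == ("3", "4") and is_rfc1918(src):
            counts[src] += int(n)
    return dict(counts)


if __name__ == "__main__":
    print("ICMP from 10.1.1.1, filtered:", pmtud_exchange("10.1.1.1"))
    print("ICMP from 192.0.2.1, filtered:", pmtud_exchange("192.0.2.1"))
    print("frag-needed drops by RFC1918 source:", dropped_frag_needed(ACL_LOG))
```

The same filter that Steinar keeps is what silently turns the 10.x-sourced router into a black hole for DF traffic; counting the (3/4) drops it logs is the cheapest way to see how often that is happening to your own customers.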
From llc at dansketelecom.com Sat Feb 7 10:20:50 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Sat, 7 Feb 2009 16:20:50 +0100
Subject: [c-nsp] L2TPv3 password keeps changing
Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F41D@mail.office.dansketelecom.com>

Hi all,

When configuring L2TPv3 on one of our routers, I've noticed that the password keeps changing all the time, even though the configuration has not been altered. The router is a 1811 running 12.4(6)T11 Advanced IP Services.

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292

From ross at kallisti.us Sat Feb 7 10:50:09 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Sat, 7 Feb 2009 10:50:09 -0500
Subject: [c-nsp] IDS Recommendations - Cisco?
In-Reply-To: <006501c988ba$73c58970$5b509c50$@org>
References: <000001c988a4$42d8fa60$c88aef20$@org> <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com> <006501c988ba$73c58970$5b509c50$@org>
Message-ID: <20090207155009.GA407@kallisti.us>

On Fri, Feb 06, 2009 at 07:24:34PM -0500, Paul Stewart wrote:
> A good example to paint a picture here is that some of these servers are for
> web hosting. If a client uploads a php script (example) that has a
> vulnerability we would like the IDS to trip on it - again we can't have the
> world but that's kind of what I have in mind.

It's a good thought, but watch your session count. All of the devices have limits as to the number of sessions they can handle. When that's exhausted, expect to be offline.

I also work in hosting, and I have to say, the IDP is a great tool. But there's nothing we could find that grew in performance with the size of our installation.

> I could think of many more scenarios but at a high level I'm looking for
> vendor/product recommendations based on actual usage if possible.
If you know your traffic and session levels well, and you want to do inline blocking, the Juniper ISG with integrated IDP modules are pretty great tools. You use NSM to write usual firewall policy, some rules can optionally have IDP processing enabled. Very granular.

Like I said - I abandoned it. Our hosting grew much faster than their performance could. Monitoring the session and traffic levels of the blades was always awkward, and we didn't have such good ideas of our traffic/session levels.

Finally, remember that your IDP will be the weakest link in the network. A firewall is a bad enough single point of failure (ie, having a session table that can be attacked), the IDP is many times worse because of the level of processing it requires for each session.

So more power to you - but be very careful, or be prepared for some pain. All of the IDP implementations we do today are passive.

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From razor at meganet.net Sat Feb 7 18:49:57 2009
From: razor at meganet.net (Paul A)
Date: Sat, 7 Feb 2009 18:49:57 -0500
Subject: [c-nsp] learned routes disappear
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan>
References: <033401c98877$dfe851c0$9fb8f540$@net><498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net> <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan>
Message-ID: <012c01c9897e$c8051270$580f3750$@net>

Hi Michael, it seems as I look more and more into this, mind you I'm no bgp expert, I think what is happening might be normal iBGP behavior.

Here's how the network is setup. Router A (customer) which connects to router B (my router). Router B is connected to router C (my 2nd router) over iBGP. My BGP customer advertises 5 routes. The router directly connected to my customer's bgp router (Router A) shows all 5 routes when I do a (sh ip bgp sum).
Router C (my 2nd router iBGP) only shows these 5 routes when I type "show ip bgp sum" for about 1:15 to 1:30 minutes, then the routes disappear from State/PfxRcd.

When I do a show ip bgp on router B for one of the received routes from router A (cust router) it says:

Paths: (2 available, best #1, table Default-IP-Routing-Table)
Multipath: iBGP
Not advertised to any peer

The second best route being from my customer (router A) and the 1st best route being from Router C (my second iBGP router)

Now on Router C, where I'm confused, when I do show ip bgp for the same route I see:

Paths: (2 available, best #1, table Default-IP-Routing-Table)
Advertised to update-groups: 1

Both routes being from my two up streams on that router.

My confusion is when I do a show ip bgp sum I see 5 routes under State/PfxRcd then after a minute or two they disappear. Is this normal ibgp behavior? Are the routes listed under State/PfxRcd only routes that are inserted in the routing table?

From: Michael K. Smith - Adhost [mailto:mksmith at adhost.com]
Sent: Friday, February 06, 2009 3:47 PM
To: Paul A
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] learned routes disappear

Hello Paul:

> > Paul A wrote:
> > Hi, I'm having a bgp issue I can't figure out and hoping someone has run
> > into this.
> >
> > I have two routers, router A and router B doing bgp.
> >
> > Router A is advertising 5 routes to router B, when the session 1st comes
> up,
> > router B has 5 routes received from router A. After 1:15 min the learned
> > routes on router B disappear.
> >

How are the routes getting into BGP? Are they coming in via tie-down routes in the IGP somewhere? Could it be that you have an IGP failure of some sort such that the routes are being withdrawn legitimately?
Regards,

Mike

From zivl at gilat.net Sun Feb 8 04:06:07 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 8 Feb 2009 11:06:07 +0200
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <498BB7B6.9010509@tiedyenetworks.com>
References: <498BB7B6.9010509@tiedyenetworks.com>
Message-ID:

Most recent IOS (last 2-3 years) support for sure the option to put everything on the fly on one line, for example:

ping 1.1.1.1 source loopback0 repeat 1000 size 512 timeout 2 validate df-bit etc, etc...

A command followed by a question mark is always helpful, a lot of commands can be "extended" on a single command line

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
Sent: Friday, February 06, 2009 6:08 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] setting source address for icmp messages

Hello,

I'm trying to learn how to get my 7204vxr to not send icmp messages with the source ip of interface the message is being sent out. I have a public ip on my loopback and thought this was what ios preferred if it exists? I have some other interfaces which have 10.x.x.x addresses and icmp messages like host unreachable and such are sourced from this which is undesirable due to inbound filtering at many sites at their gateways for rfc1918 and other bogon addresses.

Am I being silly to want this or is there something I can do to get my way here?

Tks.

Mike-
From mike-cisconsplist at tiedyenetworks.com Sun Feb 8 18:28:12 2009
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Sun, 08 Feb 2009 15:28:12 -0800
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To:
References: <498BB7B6.9010509@tiedyenetworks.com>
Message-ID: <498F6A8C.80108@tiedyenetworks.com>

No. I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.

Ziv Leyes wrote:
> Most recent IOS (last 2-3 years) support for sure the option to put everything on the fly on one line, for example:
>
> ping 1.1.1.1 source loopback0 repeat 1000 size 512 timeout 2 validate df-bit etc, etc...
>
> A command followed by a question mark is always helpful, a lot of commands can be "extended" on a single command line
>
> Ziv
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
> Sent: Friday, February 06, 2009 6:08 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] setting source address for icmp messages
>
> Hello,
>
> I'm trying to learn how to get my 7204vxr to not send icmp messages with
> the source ip of interface the message is being sent out. I have a
> public ip on my loopback and thought this was what ios preferred if it
> exists?
> I have some other interfaces which have 10.x.x.x addresses and
> icmp messages like host unreachable and such are sourced from this which
> is undesirable due to inbound filtering at many sites at their gateways
> for rfc1918 and other bogon addresses.
>
> Am I being silly to want this or is there something I can do to get my
> way here?
>
> Tks.
>
> Mike-

From illcritikz at gmail.com Sun Feb 8 18:56:42 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 9 Feb 2009 10:26:42 +1030
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
Message-ID: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>

Howdy,

I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.

Cheers

Ben

From deric.kwok2000 at gmail.com Sun Feb 8 19:08:23 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Sun, 8 Feb 2009 19:08:23 -0500
Subject: [c-nsp] vlan needs help
Message-ID: <40d8a95a0902081608y51452910w500e31c7f5f015a5@mail.gmail.com>

Hi

I try to configure vlan in switch 4948

eg: port1 and port2 unchange
port3-port15 vlan2
port16 to port24 vlan3

When I try to connect this 4948 switch (eg: port 4) to another upstream switch, machines eg: 192.168.0.100 in upstream switch can't ping to machine eg: 192.168.0.222 in port3 or port15 of 4948

I check the light in those ports connected are flashing.

I also setup ip in int vlan2 as 192.168.0.30 as same network but it still won't work

Do I need to setup anything to make it work?

Thank you

From masood at nexlinx.net.pk Sun Feb 8 19:19:42 2009
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Mon, 9 Feb 2009 05:19:42 +0500
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
Message-ID: <015a01c98a4c$1ecd04f0$5c670ed0$@net.pk>

Yea it is hot-swappable. You must install the Switch Fabric Module in either slot 5 or slot 6 of the Catalyst 6506 switch. For redundancy, you can install a standby Switch Fabric Module. The module first installed functions as the primary module.
When you install two Switch Fabric Modules at the same time, the module in slot 5 acts as the primary module, and the module in slot 6 acts as the backup. If you reset the module in slot 5, the module in slot 6 becomes the primary module.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Monday, February 09, 2009 4:57 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?

Howdy,

I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.

Cheers

Ben

From illcritikz at gmail.com Sun Feb 8 19:32:40 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 9 Feb 2009 11:02:40 +1030
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <015a01c98a4c$1ecd04f0$5c670ed0$@net.pk>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <015a01c98a4c$1ecd04f0$5c670ed0$@net.pk>
Message-ID: <4422cf660902081632o1179998rd6036025c928e0fb@mail.gmail.com>

Thank you for cut and pasting the information from Cisco that I've already read :)

Seriously though, that doesn't answer my question.

On Mon, Feb 9, 2009 at 10:49 AM, Masood Ahmad Shah wrote:
> Yea it is hot-swappable. You must install the Switch Fabric Module in
> either
> slot 5 or slot 6 of the Catalyst 6506 switch.
> For redundancy, you can
> install a standby Switch Fabric Module. The module first installed
> functions
> as the primary module. When you install two Switch Fabric Modules at the
> same time, the module in slot 5 acts as the primary module, and the module
> in slot 6 acts as the backup. If you reset the module in slot 5, the module
> in slot 6 becomes the primary module.
>
> Regards,
> Masood
> Blog: http://weblogs.com.pk/jahil/
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
> Sent: Monday, February 09, 2009 4:57 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an
> impact?
>
> Howdy,
> I'm looking for some info on the insertion of a SFM into a live 6500(Sup2
> obviously), can't seem to find any info on Cisco as to the consequences
> this
> may have to traffic flowing through the Bus at the time(ie dropped packet
> rates), and I want to know if the modules go from using Bus only backplane
> to crossbar as soon as the module initiates or whether a reload would
> actually be required for this.
>
> Cheers
>
> Ben

From rubensk at gmail.com Sun Feb 8 20:36:33 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Sun, 8 Feb 2009 23:36:33 -0200
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
Message-ID: <6bb5f5b10902081736j61899799i7eed2e6e07216779@mail.gmail.com>

Remember that full SFM usage requires all modules to be fabric-enabled.
If there are any line cards that aren't fabric enabled, all traffic will still go thru the bus, doesn't matter if it is an OIR or from power-up.

Your question is if this OIR stands for Online Insertion and Removal or for Online Insertion and Reboot... although I don't know the answer, what I saw over the years is that even if it doesn't require a reboot, you will want to do one, because any issues you will have after that will make you wonder whether it's due to OIR or not, so you will end up rebooting anyway.

So, reboot while you have a planned window to do so, not when you are under pressure.

Rubens

On Sun, Feb 8, 2009 at 9:56 PM, Ben Steele wrote:
> Howdy,
> I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.
>
> Cheers
>
> Ben

From illcritikz at gmail.com Sun Feb 8 21:25:45 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 9 Feb 2009 12:55:45 +1030
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <6bb5f5b10902081736j61899799i7eed2e6e07216779@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <6bb5f5b10902081736j61899799i7eed2e6e07216779@mail.gmail.com>
Message-ID: <4422cf660902081825l27c4a7e9ta96b75a58509df22@mail.gmail.com>

Thanks Rubens, I'm aware of the line card requirements to operate in full compact mode; the question I'm really interested in is whether there are any dropped packets during the insertion of the module, while the cards move from Bus switching mode to compact switching.

On Mon, Feb 9, 2009 at 12:06 PM, Rubens Kuhl wrote:
> Remember that full SFM usage requires all modules to be fabric-enabled. If there are any line cards that aren't fabric enabled, all traffic will still go thru the bus, doesn't matter if it is an OIR or from power-up.
>
> Your question is if this OIR stands for Online Insertion and Removal or for Online Insertion and Reboot... although I don't know the answer, what I saw over the years is that even if it doesn't require a reboot, you will want to do one, because any issues you will have after that will make you wonder whether it's due to OIR or not, so you will end up rebooting anyway.
>
> So, reboot while you have a planned window to do so, not when you are under pressure.
>
> Rubens
>
> On Sun, Feb 8, 2009 at 9:56 PM, Ben Steele wrote:
> > Howdy,
> > I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.
> >
> > Cheers
> >
> > Ben

From mtinka at globaltransit.net Sun Feb 8 23:10:01 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 9 Feb 2009 12:10:01 +0800
Subject: [c-nsp] vlan needs help
Message-ID: <200902091210.06334.mtinka@globaltransit.net>

On Monday 09 February 2009 08:08:23 am Deric Kwok wrote:
> When I try to connect this 4948 switch (eg: port 4) to another upstream switch, machines eg: 192.168.0.100 in upstream switch can't ping to machine eg: 192.168.0.222 in port3 or port15 of 4948

Is the connection between both switches configured as an 802.1Q trunk? If so, make sure you're allowing all VLAN IDs across this trunk (to check that things are working first, then filter if necessary).

Is the VLAN ID between both switches for this subnet the same?

Do you have the VLAN IDs configured in the VLAN database of either switch (I think later code does this automatically when a VLAN ID is assigned to a port, but I can't be sure how universal this is)?

Cheers,

Mark.

From link at pobox.com Mon Feb 9 01:13:51 2009
From: link at pobox.com (Terje Bless)
Date: Mon, 9 Feb 2009 07:13:51 +0100
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081825l27c4a7e9ta96b75a58509df22@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <6bb5f5b10902081736j61899799i7eed2e6e07216779@mail.gmail.com> <4422cf660902081825l27c4a7e9ta96b75a58509df22@mail.gmail.com>
Message-ID: <47ac005a0902082213o7e6f9acdw5bfb4873467773df@mail.gmail.com>

On Mon, Feb 9, 2009 at 3:25 AM, Ben Steele wrote:
> Thanks Rubens, I'm aware of the line card requirements to operate in full compact mode, my question I'm really interested in is during the insertion of the module is there any dropped packets while the cards move from a Bus switching mode to compact switching.

It's been a while so my mind may be playing tricks on me, but as I recall the box hiccups a bit while it does its backplane sync magic and then continues on its merry way. Depending on timing and your traffic patterns this event may or may not rate as "noticeable" to your users.

Note that I can't swear that my recollection reflects inserting a new SFM into a box currently in bus mode (as opposed to swapping out an existing SFM), so YMMV.

I'll echo the recommendation to schedule downtime and reload the box just to be sure.

-link

From oboehmer at cisco.com Mon Feb 9 02:27:28 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 9 Feb 2009 08:27:28 +0100
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <498F6A8C.80108@tiedyenetworks.com>
References: <498BB7B6.9010509@tiedyenetworks.com> <498F6A8C.80108@tiedyenetworks.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>

Mike <> wrote on Monday, February 09, 2009 00:28:
> No.
>
> I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
I don't think this can be done..

oli

From oboehmer at cisco.com Mon Feb 9 02:32:04 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 9 Feb 2009 08:32:04 +0100
Subject: [c-nsp] learned routes disappear
In-Reply-To: <012c01c9897e$c8051270$580f3750$@net>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net> <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan> <012c01c9897e$c8051270$580f3750$@net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C5@xmb-ams-333.emea.cisco.com>

Paul,

looks like you're preferring the route from the upstream over your customer's advertisement (for whatever reason), so it is expected that Router B is not advertising the path received from your customer/Router A.

You are correct: The PfxRcd counter in "show ip bgp sum" only shows the best paths, you need to look at "show ip bgp neighbor x.x.x.x" (or "show ip bgp neighbor x.x.x.x routes") to see all paths..

oli

Paul A <> wrote on Sunday, February 08, 2009 00:50:
> Hi Michael,
>
> it seems as I look more and more into this, mind you I'm no bgp expert, I think what is happening might be normal iBGP behavior.
>
> Here's how the network is setup.
>
> Router A (customer) which connects to router B (my router). Router B is connected to router C (my 2nd router) over iBGP.
>
> My BGP customer advertises 5 routes. The router directly connected to my customer's bgp router (Router A) shows all 5 routes when I do a (sh ip bgp sum).
>
> Router C (my 2nd router iBGP) only shows these 5 routes when I type "show ip bgp sum" for about 1:15 to 1:30 minutes then the routes disappear from State/PfxRcd.
>
> When I do a show ip bgp on router B for one of the received routes from router A (cust router) it says:
>
> Paths: (2 available, best #1, table Default-IP-Routing-Table)
> Multipath: iBGP
> Not advertised to any peer
>
> The second best route being from my customer (router A) and the 1st best route being from Router C (my second iBGP router)
>
> Now on Router C, where I'm confused, when I do show ip bgp for the same route I see:
>
> Paths: (2 available, best #1, table Default-IP-Routing-Table)
> Advertised to update-groups:
> 1
>
> Both routes being from my two upstreams on that router.
>
> My confusion is when I do a show ip bgp sum <address> I see 5 routes under State/PfxRcd then after a minute or two they disappear.
>
> Is this normal ibgp behavior? Are the routes listed under State/PfxRcd only routes that are inserted in the routing table?
>
> From: Michael K. Smith - Adhost [mailto:mksmith at adhost.com]
> Sent: Friday, February 06, 2009 3:47 PM
> To: Paul A
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] learned routes disappear
>
> Hello Paul:
>
>> Paul A wrote:
>>> Hi, I'm having a bgp issue I can't figure out and hoping someone has run into this.
>>>
>>> I have two routers, router A and router B doing bgp.
>>>
>>> Router A is advertising 5 routes to router B, when the session 1st comes up, router B has 5 routes received from router A. After 1:15 min the learned routes on router B disappear.
>>>
> How are the routes getting into BGP? Are they coming in via tie-down routes in the IGP somewhere? Could it be that you have an IGP failure of some sort such that the routes are being withdrawn legitimately?
>
> Regards,
>
> Mike

From gert at greenie.muc.de Mon Feb 9 02:50:21 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 9 Feb 2009 08:50:21 +0100
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
Message-ID: <20090209075021.GW290@greenie.muc.de>

Hi,

On Mon, Feb 09, 2009 at 10:26:42AM +1030, Ben Steele wrote:
> I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.

I've never done this, so I can't speak from personal experience.

Judging from the overall way the box decides how to do switching ("if there is a 3A DFC in the system, all 3B PFCs fall back to 3A mode, and you need a reload to get it back to 3B"), my guess would be "you can insert it just fine, but it won't be used for switching unless you reload".

So I'd schedule a maintenance window with downtime.

I'm looking forward to hearing about your experiences, though :-)

gert
--
USENET is *not* the non-clickable part of WWW!                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From peter at rathlev.dk Mon Feb 9 04:07:20 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 09 Feb 2009 10:07:20 +0100
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
Message-ID: <1234170440.3420.13.camel@localhost.localdomain>

On Mon, 2009-02-09 at 10:26 +1030, Ben Steele wrote:
> I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates),

Just to chime in with more non-certain knowledge: When doing OIR the box does a "bus stall" AFAIK. This happens between when the pins start connecting and when all pins are connected.

If this were to not cause any lost packets, the modules would have to buffer while the bus stall is in effect and retransmit whatever was on the wire when it happened. I don't think they do.

Regards,
Peter

From achatz at forthnet.gr Mon Feb 9 04:10:33 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 09 Feb 2009 11:10:33 +0200
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>
References: <498BB7B6.9010509@tiedyenetworks.com> <498F6A8C.80108@tiedyenetworks.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>
Message-ID: <498FF309.8010105@forthnet.gr>

I believe that with a little bit of local PBR and NAT magic it can be done. I'm sure I've done it in the past for traceroute "time-exceeded/port-unreachable" locally generated messages. But, I don't know if it's worth the hassle.
--
Tassos

Oliver Boehmer (oboehmer) wrote on 09/02/2009 09:27:
> Mike <> wrote on Monday, February 09, 2009 00:28:
>
>> No.
>>
>> I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
>
> I don't think this can be done..
>
> oli

From illcritikz at gmail.com Mon Feb 9 04:32:50 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 9 Feb 2009 20:02:50 +1030
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <1234170440.3420.13.camel@localhost.localdomain>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <1234170440.3420.13.camel@localhost.localdomain>
Message-ID: <4422cf660902090132x7bc04294s5446e10007298e0c@mail.gmail.com>

Thanks for all the replies, personally I'm thinking it will be a few second hiccup like you often get with OIR then on its way again, but the fact I'm changing how the underlying switch fabric works with this makes it more interesting... I've scheduled an outage for this Sunday evening so I will let you all know how it goes.

Cheers

Ben

On Mon, Feb 9, 2009 at 7:37 PM, Peter Rathlev wrote:
> On Mon, 2009-02-09 at 10:26 +1030, Ben Steele wrote:
> > I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates),
>
> Just to chime in with more non-certain knowledge: When doing OIR the box does a "bus stall" AFAIK.
> This happens between when the pins start connecting and when all pins are connected.
>
> If this were to not cause any lost packets, the modules would have to buffer while the bus stall is in effect and retransmit whatever was on the wire when it happened. I don't think they do.
>
> Regards,
> Peter

From jmaimon at ttec.com Mon Feb 9 07:11:54 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Mon, 09 Feb 2009 07:11:54 -0500
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>
References: <498BB7B6.9010509@tiedyenetworks.com> <498F6A8C.80108@tiedyenetworks.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>
Message-ID: <49901D8A.1090100@ttec.com>

Oliver Boehmer (oboehmer) wrote:
> Mike <> wrote on Monday, February 09, 2009 00:28:
>
>> No.
>>
>> I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
>
> I don't think this can be done..
>
> oli

Of course it can be done, it's just really inelegant and requires nat, which is problematic for many.
It sure would be nice were it to be a nice feature such as control-plane nat or an interface level command such as

ip icmp source-interface loopback10

From oboehmer at cisco.com Mon Feb 9 07:15:47 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 9 Feb 2009 13:15:47 +0100
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <49901D8A.1090100@ttec.com>
References: <498BB7B6.9010509@tiedyenetworks.com> <498F6A8C.80108@tiedyenetworks.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com> <49901D8A.1090100@ttec.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5CB7B@xmb-ams-333.emea.cisco.com>

Joe Maimon wrote on Monday, February 09, 2009 13:12:
> Oliver Boehmer (oboehmer) wrote:
>> Mike <> wrote on Monday, February 09, 2009 00:28:
>>
>>> No.
>>>
>>> I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
>>
>> I don't think this can be done..
>>
>> oli
>
> Of course it can be done, it's just really inelegant and requires nat, which is problematic for many.

Sorry, you are right of course, I was referring to a config knob instead of ugly/complicated NAT/PBR/etc. hacks..

> It sure would be nice were it to be a nice feature such as control-plane nat or an interface level command such as
>
> ip icmp source-interface loopback10

that would be a nice way of doing this, a global knob sounds too scary to me..
oli

From Michael.Robson at manchester.ac.uk Mon Feb 9 07:41:06 2009
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Mon, 9 Feb 2009 12:41:06 +0000
Subject: [c-nsp] 6500 card compatibility
Message-ID: <53569A15-0B4D-4D59-84C3-4174D852372E@manchester.ac.uk>

As I understand it, the WS-X6182-2PA 2 port adapter FlexWAN (with PA-POS-OC3SMI 155 SDH Daughter Card inserted) is not compatible with a 6500E/sup720-3b setup: can anyone confirm or refute this?

Thanks,

Michael
--

From cisco-nsp at tracker.fire-world.de Mon Feb 9 07:45:47 2009
From: cisco-nsp at tracker.fire-world.de (Sebastian Wiesinger)
Date: Mon, 9 Feb 2009 13:45:47 +0100
Subject: [c-nsp] Cisco 4900M and QinQ
Message-ID: <20090209124547.GA16723@danton.fire-world.de>

Hi,

has anyone a working QinQ tunnel on a Cisco 4900M? I tried it in the lab with 12.2(50)SG Enterprise Services SSH and it didn't work.

Setup like this:

[Node 1]---trunk---[4900M]===dot1q-tunnel===[3550]---trunk---[Node 2]

l2protocol-tunnel enabled for cdp/stp/vtp

The symptoms were:

Node 1 has the mac-address of Node 2 in the cam table. Node 2 DOESN'T have the mac-address of Node 1. The cam table on the 4900M doesn't show any entries on the dot1q-tunnel interface to Node 1.

The funny thing: Node 1 DOESN'T have a cdp neighbor entry for Node 2. Node 2 does have a cdp neighbor entry for Node 1. This is the opposite to the mac address symptoms. :)

Consequently a ping between the two nodes times out.

Can anyone confirm this? When I replace the 4900M with a 3550 the QinQ works instantly.

Kind Regards,

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From skoal at skoal.name Mon Feb 9 08:59:33 2009
From: skoal at skoal.name (Gergely Antal)
Date: Mon, 09 Feb 2009 14:59:33 +0100
Subject: [c-nsp] Lab setup
Message-ID: <499036C5.9010807@skoal.name>

Hi all

I want to build a lab setup for education purposes and I have 2 7206 VXRs and each of them has a PA-POS-2OC3 card. Is it somehow possible to cross-connect these cards or do I need some active equipment for this?

From razor at meganet.net Mon Feb 9 09:44:03 2009
From: razor at meganet.net (Paul A)
Date: Mon, 9 Feb 2009 09:44:03 -0500
Subject: [c-nsp] learned routes disappear
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C5@xmb-ams-333.emea.cisco.com>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net> <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan> <012c01c9897e$c8051270$580f3750$@net> <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C5@xmb-ams-333.emea.cisco.com>
Message-ID: <00db01c98ac4$da35ecc0$8ea1c640$@net>

Thanks for the reply Oli.

-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
Sent: Monday, February 09, 2009 2:32 AM
To: Paul A; Michael K. Smith - Adhost
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] learned routes disappear

Paul,

looks like you're preferring the route from the upstream over your customer's advertisement (for whatever reason), so it is expected that Router B is not advertising the path received from your customer/Router A.

You are correct: The PfxRcd counter in "show ip bgp sum" only shows the best paths, you need to look at "show ip bgp neighbor x.x.x.x" (or "show ip bgp neighbor x.x.x.x routes") to see all paths..
oli

From jml at packetpimp.org Mon Feb 9 09:20:45 2009
From: jml at packetpimp.org (Jason LeBlanc)
Date: Mon, 09 Feb 2009 09:20:45 -0500
Subject: [c-nsp] Rancid and commercial config management tools
Message-ID: <49903BBD.9020000@packetpimp.org>

+1 I really like Opsware.

Ramcharan, Vijay A wrote:
> We use Opsware NAS. I haven't configured it or anything but it is quite commercial and can do nice things like configuration checks against a standard policy, notifications of config changes, config automation and things like that.
>
> Vijay Ramcharan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
> Sent: February 05, 2009 16:57
> To: Cisco-NSP Mailing List
> Subject: [c-nsp] Rancid and commercial config management tools
>
> I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
>
> Thanks,
>
> Joe Loiacono

From jmplank at gmail.com Mon Feb 9 10:49:30 2009
From: jmplank at gmail.com (Jason Plank)
Date: Mon, 9 Feb 2009 10:49:30 -0500
Subject: [c-nsp] Rancid and commercial config management tools

I'm a huge fan of Cirrus by Solarwinds. It works very well. They integrated it into Solarwinds.. which can be either good or bad. Depends on how you look at it :) I'm not sure if you can still get a standalone version, but since it uses a SQL database it's easy to backup.

On Thu, Feb 5, 2009 at 4:57 PM, Joe Loiacono wrote:
> I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
>
> Thanks,
>
> Joe Loiacono

--
--
Jason Plank (CCIE #16560)

From clinton at scripty.com Mon Feb 9 12:27:25 2009
From: clinton at scripty.com (Clinton Work)
Date: Mon, 09 Feb 2009 10:27:25 -0700
Subject: [c-nsp] Lab setup
In-Reply-To: <499036C5.9010807@skoal.name>
References: <499036C5.9010807@skoal.name>
Message-ID: <4990677D.3060506@scripty.com>

You can connect the cards back to back and they should work fine. Just a couple of notes:

a) Set both POS interfaces to "clock source internal" because there is no network clock in a back to back configuration.
b) Looks like the POM-OC3-MM and POM-OC3-SMIR optics are safe in a back to back configuration without optical pads. If you're using the POM-OC3-SMLR you will need at least 10db pads on a short fiber patch.

c) Make sure to cross over the transmit/receive on the back to back fiber patch cables.

Clinton.

Gergely Antal wrote:
> Hi all
>
> I want to build a lab setup for education purposes and I have 2 7206 VXRs and each of them has a PA-POS-2OC3 card.
> Is it somehow possible to cross-connect these cards or do I need some active equipment for this?

From simon at slimey.org Mon Feb 9 12:30:31 2009
From: simon at slimey.org (Simon Lockhart)
Date: Mon, 9 Feb 2009 17:30:31 +0000
Subject: [c-nsp] Lab setup
In-Reply-To: <4990677D.3060506@scripty.com>
References: <499036C5.9010807@skoal.name> <4990677D.3060506@scripty.com>
Message-ID: <20090209173031.GR11420@virtual.bogons.net>

On Mon Feb 09, 2009 at 10:27:25AM -0700, Clinton Work wrote:
> a) Set both POS interfaces to "clock source internal" because there is no network clock in a back to back configuration.

Surely if you're connecting back to back you want "clock source internal" on one end, and "clock source network" on the other end - otherwise you've got two free running clocks which might be in sync, or might not...

Simon

From petelists at templin.org Mon Feb 9 12:34:19 2009
From: petelists at templin.org (Pete Templin)
Date: Mon, 09 Feb 2009 11:34:19 -0600
Subject: [c-nsp] Lab setup
In-Reply-To: <20090209173031.GR11420@virtual.bogons.net>
References: <499036C5.9010807@skoal.name> <4990677D.3060506@scripty.com> <20090209173031.GR11420@virtual.bogons.net>
Message-ID: <4990691B.4020507@templin.org>

Simon Lockhart wrote:
> On Mon Feb 09, 2009 at 10:27:25AM -0700, Clinton Work wrote:
>> a) Set both POS interfaces to "clock source internal" because there is no network clock in a back to back configuration.
>
> Surely if you're connecting back to back you want "clock source internal" on one end, and "clock source network" on the other end - otherwise you've got two free running clocks which might be in sync, or might not...

Au contraire. Each side of the POS path is separate, so both set to 'clock source internal' is best.

http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a0080094bb9.shtml

pt

From justin at justinshore.com Mon Feb 9 12:46:32 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 09 Feb 2009 11:46:32 -0600
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>
References: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>
Message-ID: <49906BF8.2070802@justinshore.com>

Eric Van Tol wrote:
> It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM.

That sucks. Now it will become overpriced and bundled with bloatware vs the inexpensive sleek tool it once was. Might as well have been bought by a well-known 800lbs gorilla.

J

From justin at justinshore.com Mon Feb 9 12:50:54 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 09 Feb 2009 11:50:54 -0600
Subject: [c-nsp] DHCP Binding Expiration
Message-ID: <49906CFE.7040407@justinshore.com>

Manaf Al Oqlah wrote:
> Hi all,
>
> I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I am using DHCP snooping and ARP inspection for security reasons and the lease time expiration is set for 30 minutes and no excluded-address is configured. The problem is that I still can see some clients' IP address lease expiration as Infinite in the DHCP binding! What could be the reason for this behavior and could this be some sort of attack!!

I get them too. I never have figured out what causes them. So far it hasn't been a big deal for me.
BTW, I'd recommend not using the IOS DHCP server for anything more than convenience at a very small site. I would highly recommend deploying a server-based DHCP server like ISC DHCPd. Lots more bells and whistles to work with. Plus you can have redundancy with the server-based solution. The IOS DHCP server is a fairly stripped down implementation. I don't think it was intended to be used in large environments like a SP's broadband network. Justin From cchurc05 at harris.com Mon Feb 9 12:53:43 2009 From: cchurc05 at harris.com (Church, Charles) Date: Mon, 9 Feb 2009 11:53:43 -0600 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: <49906CFE.7040407@justinshore.com> References: <49906CFE.7040407@justinshore.com> Message-ID: Aren't those BOOTP clients that don't understand the concept of an expiration? Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore Sent: Monday, February 09, 2009 12:51 PM To: Manaf Al Oqlah Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] DHCP Binding Expiration Manaf Al Oqlah wrote: > Hi all, > > I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I am using DHCP snooping and ARP inspection for security reasons, the lease expiration time is set to 30 minutes and no excluded-address is configured. The problem is that I can still see some clients' IP address lease expirations as Infinite in the DHCP binding! What could be the reason for this behavior, and could this be some sort of attack? I get them too. I have never figured out what causes them. So far it hasn't been a big deal for me. BTW, I'd recommend not using the IOS DHCP server for anything more than convenience at a very small site. I would highly recommend deploying a server-based DHCP server like ISC DHCPd. Lots more bells and whistles to work with. Plus you can have redundancy with the server-based solution.
The IOS DHCP server is a fairly stripped down implementation. I don't think it was intended to be used in large environments like a SP's broadband network. Justin _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From chris.flav at yahoo.ca Mon Feb 9 13:01:47 2009 From: chris.flav at yahoo.ca (chris.flav at yahoo.ca) Date: Mon, 9 Feb 2009 18:01:47 +0000 Subject: [c-nsp] 7200VXR for Session Border Controller Message-ID: <799300665-1234202468-cardhu_decombobulator_blackberry.rim.net-792359161-@bxe105.bisx.prod.on.blackberry> Hello, We are looking to deploy an SBC for SIP subscribers and are looking at using a 7204VXR. We do not need transcoding facilities, but simply to forward SIP INVITEs and signalling to and from a SIP server to subscribers. The documentation regarding the setup of such a system is terse, therefore any pointers to related information or example configs would be appreciated. Thanks, C. Flav From A.L.M.Buxey at lboro.ac.uk Mon Feb 9 13:01:01 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 9 Feb 2009 18:01:01 +0000 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: <49906CFE.7040407@justinshore.com> References: <49906CFE.7040407@justinshore.com> Message-ID: <20090209180101.GA4542@lboro.ac.uk> Hi, > BTW, I'd recommend not using the IOS DHCP server for anything more > than convenience at a very small site. I would highly recommend > deploying a server-based DHCP server like ISC DHCPd. Lots more bells a agreed - DHCP brought our 2600 series routers to their knees.
a quick ISC config sorted things out - and gave us some nice bells and whistles alan From A.L.M.Buxey at lboro.ac.uk Mon Feb 9 13:02:06 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 9 Feb 2009 18:02:06 +0000 Subject: [c-nsp] Rancid and commercial config management tools In-Reply-To: <49906BF8.2070802@justinshore.com> References: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local> <49906BF8.2070802@justinshore.com> Message-ID: <20090209180206.GB4542@lboro.ac.uk> Hi, > Eric Van Tol wrote: >> It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM. > > That sucks. Now it will become overpriced and bundled with bloatware vs > the inexpensive sleek tool it once was. Might as well have been bought > by a well-known 800 lb gorilla. ..and that's just Kiwi - what'll happen to Solarwinds? ;-) alan From paul at paulstewart.org Mon Feb 9 13:15:38 2009 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 9 Feb 2009 13:15:38 -0500 Subject: [c-nsp] IDS Recommendations - Cisco? In-Reply-To: <20090207155009.GA407@kallisti.us> References: <000001c988a4$42d8fa60$c88aef20$@org> <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com> <006501c988ba$73c58970$5b509c50$@org> <20090207155009.GA407@kallisti.us> Message-ID: <000b01c98ae2$69d09890$3d71c9b0$@org> Thanks very much for the reply (and other replies I got to date as well).... So, you are doing passive monitoring today - would that mean that when your IDP systems alarm, this generates an alert to your NOC for immediate investigation (on a serious issue)?
I'm just wanting to understand your process a bit to see how it might fit into our plans here....;) Cheers, Paul -----Original Message----- From: Ross Vandegrift [mailto:ross at kallisti.us] Sent: Saturday, February 07, 2009 10:50 AM To: Paul Stewart Cc: 'Gregori Parker'; 'Cisco-nsp' Subject: Re: [c-nsp] IDS Recommendations - Cisco? On Fri, Feb 06, 2009 at 07:24:34PM -0500, Paul Stewart wrote: > A good example to paint a picture here is that some of these servers are for > web hosting. If a client uploads a php script (example) that has a > vulnerability we would like the IDS to trip on it - again we can't have the > world but that's kind of what I have in mind. It's a good thought, but watch your session count. All of the devices have limits as to the number of sessions they can handle. When that's exhausted, expect to be offline. I also work in hosting, and I have to say, the IDP is a great tool. But there's nothing we could find that grew in performance with the size of our installation. > I could think of many more scenarios but at a high level I'm looking for > vendor/product recommendations based on actual usage if possible. If you know your traffic and session levels well, and you want to do inline blocking, the Juniper ISGs with integrated IDP modules are pretty great tools. You use NSM to write the usual firewall policy, and some rules can optionally have IDP processing enabled. Very granular. Like I said - I abandoned it. Our hosting grew much faster than their performance could. Monitoring the session and traffic levels of the blades was always awkward, and we didn't have such good ideas of our traffic/session levels. Finally, remember that your IDP will be the weakest link in the network. A firewall is a bad enough single point of failure (i.e., having a session table that can be attacked); the IDP is many times worse because of the level of processing it requires for each session. So more power to you - but be very careful, or be prepared for some pain.
All of the IDP implementations we do today are passive. -- Ross Vandegrift ross at kallisti.us "If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie From b.turnbow at twt.it Mon Feb 9 13:26:02 2009 From: b.turnbow at twt.it (Brian Turnbow) Date: Mon, 9 Feb 2009 19:26:02 +0100 Subject: [c-nsp] 7200VXR for Session Border Controller In-Reply-To: <799300665-1234202468-cardhu_decombobulator_blackberry.rim.net-792359161-@bxe105.bisx.prod.on.blackberry> References: <799300665-1234202468-cardhu_decombobulator_blackberry.rim.net-792359161-@bxe105.bisx.prod.on.blackberry> Message-ID: You need to look for Unified Border Element; it used to be called the Multiservice IP-to-IP Gateway. There should be some basic examples on the site as well. Here is the configuration guide http://www.ciscosystems.com/en/US/docs/ios/voice/cube/configuration/guide/12_4t/vb_12_4t_book.html Brian -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chris.flav at yahoo.ca Sent: Monday, 9 February 2009 19:02 To: Cisco NSP Subject: [c-nsp] 7200VXR for Session Border Controller Hello, We are looking to deploy an SBC for SIP subscribers and are looking at using a 7204VXR. We do not need transcoding facilities, but simply to forward SIP INVITEs and signalling to and from a SIP server to subscribers. The documentation regarding the setup of such a system is terse, therefore any pointers to related information or example configs would be appreciated. Thanks, C.
Flav From eric at atlantech.net Mon Feb 9 14:09:37 2009 From: eric at atlantech.net (Eric Van Tol) Date: Mon, 9 Feb 2009 14:09:37 -0500 Subject: [c-nsp] Rancid and commercial config management tools In-Reply-To: <49906BF8.2070802@justinshore.com> References: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local> <49906BF8.2070802@justinshore.com> Message-ID: <2C05E949E19A9146AF7BDF9D44085B863517B3BBE5@exchange.aoihq.local> > -----Original Message----- > From: Justin Shore [mailto:justin at justinshore.com] > Sent: Monday, February 09, 2009 12:47 PM > To: Eric Van Tol > Cc: Cisco-NSP Mailing List > Subject: Re: [c-nsp] Rancid and commercial config management tools > > Eric Van Tol wrote: > > It may be worth mentioning that Solarwinds recently purchased Kiwi, and > their plan is to integrate some of the Kiwi-specific features into NCM. > > That sucks. Now it will become overpriced and bundled with bloatware vs > the inexpensive sleek tool it once was. Might as well have been bought > by a well-known 800 lb gorilla. > > J Actually, I cannot speak in certainties, but I don't believe that this is the plan. SW has a long history of purchasing other network management products and continuing development on those product lines, while also taking the backend technology and using it to improve their existing products. -evt From justin at justinshore.com Mon Feb 9 14:10:38 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 09 Feb 2009 13:10:38 -0600 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: References: <49906CFE.7040407@justinshore.com> Message-ID: <49907FAE.4050006@justinshore.com> Church, Charles wrote: > Aren't those BOOTP clients that don't understand the concept of an > expiration?
Once when I was curious (and very bored) I tracked a couple of them down. One was a Windows XP machine and the other was a fairly new D-Link router/firewall CPE (of which we have hundreds on our network). I don't know if either of them supports BOOTP but I would expect this problem to come up more often if that was the case. I'm trying to think of what our customers would have on our edges that would support BOOTP. Nothing comes to mind. I'm sure you can configure some older clients to do BOOTP of course (Macs still support it if you intentionally configure it that way) but no major demographic comes to mind. I can certainly be missing something though. Justin From cchurc05 at harris.com Mon Feb 9 14:21:43 2009 From: cchurc05 at harris.com (Church, Charles) Date: Mon, 9 Feb 2009 13:21:43 -0600 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: <49907FAE.4050006@justinshore.com> References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> Message-ID: Interesting. Might be fun (in a dorky networking kind of way) to look at a packet capture of it. Maybe the client doesn't like the lease time, or it's tied into DDNS somehow. I looked a bit, and found in the RFC (http://www.faqs.org/rfcs/rfc2131.html) a blurb about lease times: "The client may ask for a permanent assignment by asking for an infinite lease. Even when assigning "permanent" addresses, a server may choose to give out lengthy but non-infinite leases to allow detection of the fact that the client has been retired." I've seen those infinite leases before, never cared enough to look into it. Might be interesting to find out why though... Chuck -----Original Message----- From: Justin Shore [mailto:justin at justinshore.com] Sent: Monday, February 09, 2009 2:11 PM To: Church, Charles Cc: Manaf Al Oqlah; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] DHCP Binding Expiration Church, Charles wrote: > Aren't those BOOTP clients that don't understand the concept of an > expiration?
Once when I was curious (and very bored) I tracked a couple of them down. One was a Windows XP machine and the other was a fairly new D-Link router/firewall CPE (of which we have hundreds on our network). I don't know if either of them supports BOOTP but I would expect this problem to come up more often if that was the case. I'm trying to think of what our customers would have on our edges that would support BOOTP. Nothing comes to mind. I'm sure you can configure some older clients to do BOOTP of course (Macs still support it if you intentionally configure it that way) but no major demographic comes to mind. I can certainly be missing something though. Justin From justin at justinshore.com Mon Feb 9 14:30:16 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 09 Feb 2009 13:30:16 -0600 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> Message-ID: <49908448.6080300@justinshore.com> Church, Charles wrote: > Interesting. Might be fun (in a dorky networking kind of way) to look > at a packet capture of it. Maybe the client doesn't like the lease > time, or it's tied into DDNS somehow. I looked a bit, and found in the > RFC (http://www.faqs.org/rfcs/rfc2131.html) a blurb about lease times: > > "The client may ask for a > permanent assignment by asking for an infinite lease. Even when > assigning "permanent" addresses, a server may choose to give out > lengthy but non-infinite leases to allow detection of the fact that > the client has been retired." > > I've seen those infinite leases before, never cared enough to look into > it. Might be interesting to find out why though... One thing on my to do list is to figure out how to always reject lease extension requests to force the CPE to pull a new IP every time a lease expires. This would prevent many of the less technical users from trying to run a publicly-accessible server.
Set the lease time to 2 hours; the client tries to extend the lease at 50% of the lease (1hr) and the server NAKs. The only question is will the client continue to request the IP until the lease expires before falling back and doing a DISCOVER at the 2hr mark (interrupting the flow of traffic), or will it do a broadcast DISCOVER in response to the NAK and immediately switch to the new IP once it gets an OFFER 1hr before the original lease expires, thus interrupting traffic again. I've seen systems do something similar before (or at least I thought they were). When I first got Cox CATV I could only keep my IP for about a day before it changed. One way to mitigate the flow of traffic problem would be to grant short lease extensions automatically until the wee hours of the morning and then force the change. Something to think about. It's on my list right behind setting up an OSS walled garden and convincing the boss to replace our 7 different DHCP & provisioning systems with CNR. Oh, and finishing my IPv6 deployment. Thanks for the info Justin From panocisco77 at gmail.com Mon Feb 9 14:49:55 2009 From: panocisco77 at gmail.com (Renelson Panosky) Date: Mon, 9 Feb 2009 14:49:55 -0500 Subject: [c-nsp] Hello Message-ID: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com> Hello everyone From A.L.M.Buxey at lboro.ac.uk Mon Feb 9 15:01:58 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 9 Feb 2009 20:01:58 +0000 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: <49908448.6080300@justinshore.com> References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> <49908448.6080300@justinshore.com> Message-ID: <20090209200158.GB7043@lboro.ac.uk> Hi, > expires. This would prevent many of the less technical users from > trying to run a publicly-accessible server. Set the lease time to 2 default TCP inbound deny works wonders for this.
Or, even crueller, NAT > I've seen systems do something similar before (or at least I thought > they were). When I first got Cox CATV I could only keep my IP for about > a day before it changed. One way to mitigate the flow of traffic > problem would be to grant short lease extensions automatically until the > wee hours of the morning and then force the change. Something to think > about. you can flush/destroy the DHCP binding table - it'll have the same effect (good fun - all those PCs set to print to the IP address that the printer got when it was installed then have to be reconfigured etc) > systems with CNR. Oh, and finishing my IPv6 deployment. DHCPv6 or router solicited? alan From jfitz at Princeton.EDU Mon Feb 9 16:01:12 2009 From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Mon, 9 Feb 2009 16:01:12 -0500 Subject: [c-nsp] VRF and BGP ? Message-ID: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu> I am running 12.2.SXI on a 6500 with sup-720 I currently have 3 full BGP peers with two on I1 and one on I2. I now need a fourth peer with ESNet (gov ISP) but only allow two /22 nets from Princeton U. access to ESNet. My dilemma is how to only let the two nets see the additional ESNet routes so that no other host on campus will try and use the ESNet routes and fail. I have not used the VRF feature yet, but it appears that it might do the trick if I can create a separate routing domain with just ESNet routes, and then point only the two nets to the VRF so they check the ESNet table first and if not present fall through to the global table. I should be able to use a ROUTE-MAP to accomplish this. From the doc it states that I can create a VRF and import routes from the global table but that means everybody will still see the routes to ESNet (I would guess anyway). Can I peer directly with the VRF without doing an import from the global table so only it has the ESNet routes? Does anybody have any suggestions on this issue? Thanks for any help.
Jeff Fitzwater OIT Network Systems Princeton University From jaldrich at blueridgecarpet.com Mon Feb 9 16:36:42 2009 From: jaldrich at blueridgecarpet.com (John Aldrich) Date: Mon, 9 Feb 2009 16:36:42 -0500 Subject: [c-nsp] Cannot connect to ASA using ASDM software Message-ID: <000001c98afe$7f9cab70$7ed60250$@com> For some reason, our new ASA 5510 series will ONLY let me connect via the web interface. Every time I try it says it is "unable to read the configuration from the ASA." However, running the Java version works just fine. I'd really like to know what the problem is and why it can't load the config? Do I need to be connected via serial cable to the ASA or something? Thanks, John Aldrich IT Manager, Blueridge Carpet 706-276-2001, Ext. 2233 From manafo at hotmail.com Mon Feb 9 16:40:35 2009 From: manafo at hotmail.com (Manaf Al Oqlah) Date: Mon, 9 Feb 2009 23:40:35 +0200 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: <20090209200158.GB7043@lboro.ac.uk> References: <49906CFE.7040407@justinshore.com><49907FAE.4050006@justinshore.com><49908448.6080300@justinshore.com> <20090209200158.GB7043@lboro.ac.uk> Message-ID: Hi all, thank you for your help. It seems that all those hosts with infinite expiration time are devices that do not have a "client identifier", such as D-Link, Cisco Linksys routers or Unix systems. Does it make sense? Manaf -------------------------------------------------- From: Sent: Monday, February 09, 2009 10:01 PM To: "Justin Shore" Cc: ; "Church, Charles" Subject: Re: [c-nsp] DHCP Binding Expiration > Hi, > >> expires. This would prevent many of the less technical users from >> trying to run a publicly-accessible server. Set the lease time to 2 > > default TCP inbound deny works wonders for this. Or, even crueller, NAT > >> I've seen systems do something similar before (or at least I thought >> they were). When I first got Cox CATV I could only keep my IP for about >> a day before it changed.
One way to mitigate the flow of traffic >> problem would be to grant short lease extensions automatically until the >> wee hours of the morning and then force the change. Something to think >> about. > > you can flush/destroy the DHCP binding table - it'll have the same effect > (good fun - all those PCs set to print to the IP address that the > printer got when it was installed then have to be reconfigured etc) > >> systems with CNR. Oh, and finishing my IPv6 deployment. > > DHCPv6 or router solicited? > > alan From cchurc05 at harris.com Mon Feb 9 16:54:23 2009 From: cchurc05 at harris.com (Church, Charles) Date: Mon, 9 Feb 2009 15:54:23 -0600 Subject: [c-nsp] Cannot connect to ASA using ASDM software In-Reply-To: <000001c98afe$7f9cab70$7ed60250$@com> References: <000001c98afe$7f9cab70$7ed60250$@com> Message-ID: I'm guessing you've upgraded to the latest Java version. Seems like the last one broke the ASDM partially. You can https to the ASA, and then pick the 'run applet' option. On mine, that'll spawn the ASDM executable and it works. But running the executable directly ends up doing what you're seeing. It's annoying. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Aldrich Sent: Monday, February 09, 2009 4:37 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cannot connect to ASA using ASDM software For some reason, our new ASA 5510 series will ONLY let me connect via the web interface. Every time I try it says it is "unable to read the configuration from the ASA." However, running the Java version works just fine. I'd really like to know what the problem is and why it can't load the config?
Do I need to be connected via serial cable to the ASA or something? Thanks, John Aldrich IT Manager, Blueridge Carpet 706-276-2001, Ext. 2233 From rubensk at gmail.com Mon Feb 9 17:06:23 2009 From: rubensk at gmail.com (Rubens Kuhl) Date: Mon, 9 Feb 2009 20:06:23 -0200 Subject: [c-nsp] Rancid and commercial config management tools In-Reply-To: References: Message-ID: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com> Why not a free (not open, but no-cost) tool with commercial support? http://inventory.alterpoint.com/ BTW, what are people's opinions comparing RANCID to Network Authority Inventory (formerly known as ZipTie) in the configuration management discipline? Rubens On Thu, Feb 5, 2009 at 7:57 PM, Joe Loiacono wrote: > I realize RANCID is a great tool for keeping track of IOS changes, etc., > but if a client was looking for a commercial tool that does this, what > would you recommend? > > Thanks, > > Joe Loiacono > From bms314 at gmail.com Mon Feb 9 17:22:44 2009 From: bms314 at gmail.com (Brian) Date: Mon, 9 Feb 2009 16:22:44 -0600 Subject: [c-nsp] Cannot connect to ASA using ASDM software In-Reply-To: References: <000001c98afe$7f9cab70$7ed60250$@com> Message-ID: <7aaaf7f0902091422j7e3a9392ya450f908238e4b0a@mail.gmail.com> You need to upgrade to the latest interim release of ASDM 6.1.5(57) to fix the Java issue with JRE6update11. Brian On 2/9/09, Church, Charles wrote: > I'm guessing you've upgraded to the latest Java version. Seems like the > last one broke the ASDM partially.
You can https to the ASA, and then > pick the 'run applet' option. On mine, that'll spawn the ASDM > executable and it works. But running the executable directly ends up > doing what you're seeing. It's annoying. > > Chuck > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Aldrich > Sent: Monday, February 09, 2009 4:37 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Cannot connect to ASA using ASDM software > > > For some reason, our new ASA 5510 series will ONLY let me connect via > the > web interface. Every time I try it says it is "unable to read the > configuration from the ASA." However, running the Java version works > just > fine. I'd really like to know what the problem is and why it can't load > the > config? Do I need to be connected via serial cable to the ASA or > something? > > Thanks, > John Aldrich > IT Manager, > Blueridge Carpet > 706-276-2001, Ext. 2233 > From A.L.M.Buxey at lboro.ac.uk Mon Feb 9 17:23:29 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 9 Feb 2009 22:23:29 +0000 Subject: [c-nsp] Rancid and commercial config management tools In-Reply-To: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com> References: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com> Message-ID: <20090209222329.GA7319@lboro.ac.uk> Hi, > BTW, what are people's opinions comparing RANCID to Network Authority > Inventory (formerly known as ZipTie) in the configuration management > discipline ? ooh.
well, i've only used RANCID to store the configs in nice CVS control - whereas ZipTie's main claim is the pushing of configs and updating of IOS firmware via a webby interface, non? alan From hnyhus at gmail.com Mon Feb 9 17:31:31 2009 From: hnyhus at gmail.com (Håvard Nyhus) Date: Mon, 9 Feb 2009 23:31:31 +0100 Subject: [c-nsp] Need help adding a device to an existing vlan In-Reply-To: <498C4DC2.9E6F.00B8.0@dps.k12.oh.us> References: <498C4DC2.9E6F.00B8.0@dps.k12.oh.us> Message-ID: <6bc4a240902091431k4315c3bfv98f4eed20a382a67@mail.gmail.com>
> interface FastEthernet0/38
> description to 1230 WAP
> switchport access vlan 199
> switchport trunk encapsulation dot1q
> switchport mode trunk
> no ip address
> no snmp trap link-status
> storm-control broadcast level 1.00
> storm-control multicast level 2.00
> storm-control unicast level 5.00
> end
This won't work. Try the following:
switchport mode access
no switchport trunk encap dot1q
-- Håvard Staub Nyhus Atea AS +47 41 88 00 99 From cchurc05 at harris.com Mon Feb 9 17:30:19 2009 From: cchurc05 at harris.com (Church, Charles) Date: Mon, 9 Feb 2009 16:30:19 -0600 Subject: [c-nsp] Cannot connect to ASA using ASDM software In-Reply-To: <7aaaf7f0902091422j7e3a9392ya450f908238e4b0a@mail.gmail.com> References: <000001c98afe$7f9cab70$7ed60250$@com> <7aaaf7f0902091422j7e3a9392ya450f908238e4b0a@mail.gmail.com> Message-ID: I'm still using 5.2.x ASDM, as the ASA is running 7.2.x still (both late interim releases). Hoping for a newer ASDM soon. 5.2(4)50 still is broken. Chuck -----Original Message----- From: Brian [mailto:bms314 at gmail.com] Sent: Monday, February 09, 2009 5:23 PM To: Church, Charles; John Aldrich; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cannot connect to ASA using ASDM software You need to upgrade to the latest interim release of ASDM 6.1.5(57) to fix the Java issue with JRE6update11. Brian On 2/9/09, Church, Charles wrote: > I'm guessing you've upgraded to the latest Java version.
Seems like the > last one broke the ASDM partially. You can https to the ASA, and then > pick the 'run applet' option. On mine, that'll spawn the ASDM > executable and it works. But running the executable directly ends up > doing what you're seeing. It's annoying. > > Chuck > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Aldrich > Sent: Monday, February 09, 2009 4:37 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Cannot connect to ASA using ASDM software > > > For some reason, our new ASA 5510 series will ONLY let me connect via > the > web interface. Every time I try it says it is "unable to read the > configuration from the ASA." However, running the Java version works > just > fine. I'd really like to know what the problem is and why it can't load > the > config? Do I need to be connected via serial cable to the ASA or > something? > > Thanks, > John Aldrich > IT Manager, > Blueridge Carpet > 706-276-2001, Ext. 2233 > From walter.keen at RainierConnect.net Mon Feb 9 17:44:52 2009 From: walter.keen at RainierConnect.net (Walter Keen) Date: Mon, 09 Feb 2009 14:44:52 -0800 Subject: [c-nsp] VRF and BGP ? In-Reply-To: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu> References: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu> Message-ID: <4990B1E4.9040902@rainierconnect.net> I use VRFs quite a bit on 7600 and other platforms with internal OSPF neighbors.
So long as the interfaces you are connecting with (dot1q VLANs in my case most of the time) are associated with that VRF, you should be able to do so, although I've never tried to leak routes from the global routing table into a VRF, or use BGP (in OSPF there is a VRF tag you must use if I remember correctly). Using VRFs will give you a separate routing table isolated from your global routing table however. I'm not an expert on this subject so if anyone has corrections, please chime in. Jeff Fitzwater wrote: > I am running 12.2.SXI on a 6500 with sup-720 > > > I currently have 3 full BGP peers with two on I1 and one on I2. > > I now need a fourth peer with ESNet (gov ISP) but only allow two /22 > nets from Princeton U. access to ESNet. > > My dilemma is how to only let the two nets see the additional ESNet > routes so that no other host on campus will try and use the ESNet > routes and fail. > > I have not used the VRF feature yet, but it appears that it might do > the trick if I can create a separate routing domain with just ESNet > routes, and then point only the two nets to the VRF so they check the > ESNet table first and if not present fall through to the global table. > I should be able to use a ROUTE-MAP to accomplish this. > > From the doc it states that I can create a VRF and import routes from > the global table but that means everybody will still see the routes to > ESNet (I would guess anyway). > > Can I peer directly with the VRF without doing an import from the > global table so only it has the ESNet routes? > > Does anybody have any suggestions on this issue? > > > Thanks for any help.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

From justin at justinshore.com Mon Feb 9 18:11:17 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 09 Feb 2009 17:11:17 -0600
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To:
References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> <49908448.6080300@justinshore.com> <20090209200158.GB7043@lboro.ac.uk>
Message-ID: <4990B815.1000509@justinshore.com>

Manaf Al Oqlah wrote:
> hi all,
>
> thank you for your help.
> It seems that all those hosts with infinite expiration time are devices that do not have "client identifier" such as D-Link, Cisco Linksys routers or Unix systems. does it make sense?

I don't think that's the cause of the problem. We have several hundreds if not thousands of Linksys and D-Link CPEs on our assorted last-mile access mediums and only a few dozen infinite leases. I'd expect far more infinite leases if a blank client ID was the cause.

Justin

From lukasz at bromirski.net Mon Feb 9 18:14:52 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 10 Feb 2009 00:14:52 +0100
Subject: [c-nsp] Cisco 4900M and QinQ
In-Reply-To: <20090209124547.GA16723@danton.fire-world.de>
References: <20090209124547.GA16723@danton.fire-world.de>
Message-ID: <4990B8EC.8000403@bromirski.net>

On 2009-02-09 13:45, Sebastian Wiesinger wrote:
> Hi,
>
> has anyone a working QinQ tunnel on a Cisco 4900M? I tried it in the lab with 12.2(50)SG Enterprise Services SSH and it didn't work.

QinQ on 4900M and Sup-6E will be supported on 12.2(52)SG.
Currently it isn't:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_15594.html#wp363642

--
"Don't expect me to cry for all the | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From bitkraft at gmail.com Mon Feb 9 18:50:14 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Mon, 9 Feb 2009 15:50:14 -0800
Subject: [c-nsp] core OSPF configurations
In-Reply-To: <498860CA.90707@templin.org>
References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> <498860CA.90707@templin.org>
Message-ID: <505b616c0902091550l51674b46je8d870a429e13f6a@mail.gmail.com>

Thanks Pete & Pete for your insight. :-) I was hoping to get more feedback from engineers, but this definitely helps.

/bs

On Tue, Feb 3, 2009 at 7:20 AM, Pete Templin wrote:
> Brian Spade wrote:
>
>> What is the best way to configure OSPF to inject all 50+ SVIs into the routing domain?
>>
>> Would you configure network statements for all SVI networks and passive the interfaces?
>> Would you configure OSPF on the uplink interfaces only and redistributed connected to create type-5 externals?
>
> If it were me, the SVIs would be announced into BGP, so that my OSPF world stayed small and clean.
>
> That said, remember that the network statement(s) only have to match, through wildcard math, the _IP addresses_ of the interfaces to be included in OSPF. If you run a single area, 'network 0.0.0.0 255.255.255.255 area 0' is all you need. Flipside, if you want to lock down OSPF to the point that shifting an interface within a subnet causes OSPF to drop so you can catch the culprit in the act, 'network 10.20.30.254 0.0.0.0 area 0' matches exactly that one address (but the interface's correct netmask is used when inserting the route into OSPF).
>
> pt

From agristina+cisco-nsp at gmail.com Mon Feb 9 19:00:23 2009
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Mon, 9 Feb 2009 16:00:23 -0800
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com>
References: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com>
Message-ID: <70bb1b8f0902091600p5d928c77s8aa1dfd400030367@mail.gmail.com>

Free as in beer isn't as valuable as Free as in speech.

On Mon, Feb 9, 2009 at 2:06 PM, Rubens Kuhl wrote:
> Why not a free (not open, but no cost) tool with commercial support?
> http://inventory.alterpoint.com/
>
> BTW, what are people's opinions comparing RANCID to Network Authority Inventory (formerly known as ZipTie) in the configuration management discipline?
>
> Rubens
>
> On Thu, Feb 5, 2009 at 7:57 PM, Joe Loiacono wrote:
>> I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
>>
>> Thanks,
>>
>> Joe Loiacono

From lowen at pari.edu Mon Feb 9 20:22:14 2009
From: lowen at pari.edu (Lamar Owen)
Date: Mon, 9 Feb 2009 20:22:14 -0500
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49906CFE.7040407@justinshore.com>
References:
Message-ID: <200902092022.14601.lowen@pari.edu>

On Monday 09 February 2009 12:50:54 Justin Shore wrote:
> Manaf Al Oqlah wrote:
> > The problem is that I still can see some clients IP addresses lease expiration are Infinite in the DHCP binding! what could be the reason for this behavior and could be this some sort of attack!!
>
> I get them too. I never have figured out what causes them. So far it hasn't been a big deal for me.

BOOTP. BOOTP clients can bring any DHCP server to its knees, especially if the BOOTP client is badly coded. For instance, I run a Smoothwall Advanced Firewall here in a testing mode (I'm tech support for the local reseller), and I started noticing all of the sudden that ALL of the leases were taken, and most were clients with an UNKNOWN expiry. I looked closely, and the MAC addresses were sequential, and there were right at 100 of them. Tracked it down to, believe it or not, a Catalyst 8540MSR switch, which was requesting via BOOTP for every single one of its MACs.
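Added example for the DHCP Binding Expiration thread above (my code, not from any poster): a small Python parser for binding output that flags the two patterns discussed, Infinite leases from clients that sent no client-identifier (the Manaf/Justin exchange) and runs of sequential hardware addresses (Lamar's switch BOOTPing for every one of its MACs). The column layout is an approximation of IOS `show ip dhcp binding` output and the sample rows are constructed, not captures from anyone's router; adjust the regex if your platform prints the table differently. In that display a 14-hex-digit entry such as `0100.1a2b.3c4d.5e` is a client-identifier (type 01 plus the MAC) while a 12-hex-digit entry is the bare hardware address of a client that sent no client-id.

```python
import re
from typing import Dict, List

# Constructed sample, approximating IOS "show ip dhcp binding" (not a real capture).
SAMPLE_BINDINGS = """\
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.10.0.11          0100.1a2b.3c4d.5e       Feb 10 2009 02:00 PM    Automatic
10.10.0.12          0100.1a2b.3c4d.6f       Feb 10 2009 02:05 PM    Automatic
10.10.0.20          0016.b6aa.0001          Infinite                Automatic
10.10.0.21          0016.b6aa.0002          Infinite                Automatic
10.10.0.22          0016.b6aa.0003          Infinite                Automatic
10.10.0.23          0016.b6aa.0004          Infinite                Automatic
10.10.0.40          0100.1a2b.3c4d.77       Infinite                Automatic
10.10.0.50          0014.bf12.3456          Feb 10 2009 03:10 PM    Automatic
"""

# One binding row: IP, client-id or hardware address, lease expiry, type.
BINDING_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<cid>[0-9a-f]{4}(?:\.[0-9a-f]{2,4})+)\s+"
    r"(?P<lease>Infinite|\w{3} \d{1,2} \d{4} \d{2}:\d{2} [AP]M)\s+"
    r"(?P<type>\w+)\s*$"
)

def parse_bindings(text: str) -> List[Dict[str, str]]:
    """Parse binding rows; header and continuation lines do not match and are skipped."""
    return [m.groupdict() for m in (BINDING_RE.match(l) for l in text.splitlines()) if m]

def has_client_id(cid: str) -> bool:
    """14 hex digits = type byte + MAC, i.e. the client sent option 61."""
    return len(cid.replace(".", "")) == 14

def mac_from_entry(cid: str) -> int:
    """48-bit hardware address as an int, with any 01 client-id type prefix stripped."""
    digits = cid.replace(".", "")
    if len(digits) == 14 and digits.startswith("01"):
        digits = digits[2:]
    if len(digits) != 12:
        raise ValueError(f"unexpected client-id length: {cid}")
    return int(digits, 16)

def infinite_leases(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in rows if r["lease"] == "Infinite"]

def sequential_mac_runs(rows: List[Dict[str, str]], min_run: int = 3) -> List[List[Dict[str, str]]]:
    """Runs of consecutive hardware addresses (one device claiming many MACs)."""
    by_mac = sorted(rows, key=lambda r: mac_from_entry(r["cid"]))
    runs: List[List[Dict[str, str]]] = []
    current: List[Dict[str, str]] = []
    for row in by_mac:
        if current and mac_from_entry(row["cid"]) == mac_from_entry(current[-1]["cid"]) + 1:
            current.append(row)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [row]
    if len(current) >= min_run:
        runs.append(current)
    return runs

def report(text: str) -> dict:
    """Summary a binding audit would print: totals plus the two anomaly patterns."""
    rows = parse_bindings(text)
    inf = infinite_leases(rows)
    return {
        "total": len(rows),
        "infinite": len(inf),
        "infinite_without_client_id": sum(1 for r in inf if not has_client_id(r["cid"])),
        "sequential_runs": [[r["ip"] for r in run] for run in sequential_mac_runs(inf)],
    }

if __name__ == "__main__":
    print(report(SAMPLE_BINDINGS))
```

Feed it the pasted output of your own router and the `sequential_runs` list is the quickest way to tell a chassis-style BOOTP requester from a scattering of CPEs that merely lack a client-id.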
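Pete Templin's point in the core OSPF thread above, that `network` statements match the IP addresses of interfaces through wildcard math, as an added worked example in Python (my code, not anything from the list). It evaluates a list of `network <net> <wildcard> area <n>` statements against interface addresses and shows both cases he describes: the catch-all `0.0.0.0 255.255.255.255` statement and the exact `10.20.30.254 0.0.0.0` match that drops an interface out of OSPF as soon as its address shifts within the subnet. The interface names and addresses are constructed; the most-specific-statement-wins tie-break for overlapping statements is my assumption about IOS behaviour.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A network statement as (network, wildcard, area), e.g. ("10.20.30.254", "0.0.0.0", 0).
Statement = Tuple[str, str, int]

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means "don't care", so the
    address matches when every bit the wildcard leaves at 0 agrees with the network."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) ^ _to_int(network)) & care == 0

def area_for_interface(addr: str, statements: List[Statement]) -> Optional[int]:
    """Area an interface address lands in, or None when no statement matches.
    Assumption (not from the thread): with overlapping statements the most specific
    one, i.e. the one with the fewest wildcard bits, wins."""
    matches = [
        (bin(_to_int(wild)).count("1"), area)
        for net, wild, area in statements
        if wildcard_matches(addr, net, wild)
    ]
    return min(matches)[1] if matches else None

def ospf_membership(interfaces: Dict[str, str], statements: List[Statement]) -> Dict[str, Optional[int]]:
    """Interface name -> area (or None), a prediction of what
    'show ip ospf interface brief' would list for a candidate config."""
    return {name: area_for_interface(addr, statements) for name, addr in interfaces.items()}

# Constructed interfaces; Vlan30 is the "shifted within the subnet" case.
INTERFACES = {"Vlan10": "10.20.30.254", "Vlan20": "192.0.2.1", "Vlan30": "10.20.30.253"}
CATCH_ALL: List[Statement] = [("0.0.0.0", "255.255.255.255", 0)]
STRICT: List[Statement] = [("10.20.30.254", "0.0.0.0", 0), ("192.0.2.0", "0.0.0.255", 1)]

if __name__ == "__main__":
    print(ospf_membership(INTERFACES, CATCH_ALL))   # every interface lands in area 0
    print(ospf_membership(INTERFACES, STRICT))      # Vlan30 gets None: it fell out of OSPF
```

The strict form is the one to reach for when you want the routing protocol itself to tell you that someone re-addressed an interface; the catch-all is the one that silently keeps everything in.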
From dale.shaw+cisco-nsp at gmail.com Mon Feb 9 20:31:50 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 10 Feb 2009 12:31:50 +1100
Subject: [c-nsp] core OSPF configurations
In-Reply-To: <505b616c0902091550l51674b46je8d870a429e13f6a@mail.gmail.com>
References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> <498860CA.90707@templin.org> <505b616c0902091550l51674b46je8d870a429e13f6a@mail.gmail.com>
Message-ID: <3329cbb40902091731icbb7bc3i8eb71d5c352825e1@mail.gmail.com>

Hi,

On Tue, Feb 10, 2009 at 10:50 AM, Brian Spade wrote:
>
> Thanks Pete & Pete for your insight. :-)
>
> I was hoping to get more feedback from engineers, but this definitely helps.

Strange comment. Anyway, if it was me, I'd:

router ospf
 passive-interface default
 no passive-interface uplink1
 ...
 no passive-interface uplink4
!
interface VlanA
 ip ospf area
...
interface VlanZ
 ip ospf area

I like the "ip ospf area" interface command better than network statements. It's a personal preference as the end result is the same. Irrespective of the method you choose, it's easy to get a quick summary of what interface is in what area with "show ip ospf interface brief".

One potential benefit of redistributing them is that you'd be able to summarise all the SVIs into that one area you mentioned. Another is that in the process of redistributing you could do some route-map voodoo to make "different stuff" happen.

I guess whether you turn this core router into an ASBR depends on your current network design (e.g. area design, # of routes, OSPF router load) and where you see it going in the future. If it's just "how would you inject these routes into OSPF?", see above.
cheers,
Dale

From frnkblk at iname.com Mon Feb 9 21:49:10 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Mon, 9 Feb 2009 20:49:10 -0600
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49908448.6080300@justinshore.com>
References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> <49908448.6080300@justinshore.com>
Message-ID:

The ability to provide a new/different IP every time has been oft-discussed on ISC's dhcp-user listserv. IIRC, it contradicts the spec. You would have to customize the code to have that functionality, or, as someone said, play with the leases file.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Monday, February 09, 2009 1:30 PM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DHCP Binding Expiration

One thing on my to do list is to figure out how to always reject lease extension requests to force the CPE to pull a new IP every time a lease expires. This would prevent many of the less technical users from trying to run a publicly-accessible server. Set the lease time to 2 hours, client tries to extend the lease at 50% of the lease (1hr) and the server NAKs. The only question is will the client continue to request the IP until the lease expires before falling back and do a DISCOVER at the 2hr mark (interrupting the flow of traffic) or will it do a bcast DISCOVER in response to the NAK and immediately switch to the new IP once it gets an OFFER 1hr before the original lease expires, thus interrupting traffic again. I've seen systems do something similar before (or at least I thought they were). When I first got Cox CATV I could only keep my IP for about a day before it changed.

One way to mitigate the flow of traffic problem would be to grant short lease extensions automatically until the wee hours of the morning and then force the change. Something to think about.
It's on my list right behind setting up an OSS walled garden and convincing the boss to replace our 7 different DHCP & provisioning systems with CNR. Oh, and finishing my IPv6 deployment.

Thanks for the info
Justin

From dale.shaw+cisco-nsp at gmail.com Mon Feb 9 21:57:58 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 10 Feb 2009 13:57:58 +1100
Subject: [c-nsp] core OSPF configurations
In-Reply-To: <3329cbb40902091731icbb7bc3i8eb71d5c352825e1@mail.gmail.com>
References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> <498860CA.90707@templin.org> <505b616c0902091550l51674b46je8d870a429e13f6a@mail.gmail.com> <3329cbb40902091731icbb7bc3i8eb71d5c352825e1@mail.gmail.com>
Message-ID: <3329cbb40902091857sd8b14a1yfb85ca1040629504@mail.gmail.com>

Poor form, I know, to follow up on my own post, but:

On Tue, Feb 10, 2009 at 12:31 PM, Dale Shaw wrote:
> One potential benefit of redistributing them is that you'd be able to summarise all the SVIs into that one area you mentioned.

You can obviously also do this just by placing the SVIs in a different area. This would result in them being advertised into the backbone area as type-3s. You can filter, summarise, make the area a stub, and so on. Again it all comes down to what you are trying to achieve.

cheers,
Dale

From jason at chatinara.com Mon Feb 9 22:32:24 2009
From: jason at chatinara.com (Jason Ford)
Date: Mon, 09 Feb 2009 22:32:24 -0500
Subject: [c-nsp] Two BGP Routers and EIGRP
Message-ID: <4990F548.8010908@chatinara.com>

Hey all,

I am seeing an issue with routes dropping in our configuration and wanted to do a sanity check. We have two sup2/msfc2 w/ 512MB (router A and B) each connected to a distinct BGP peer.
We are running eigrp on these routers as well to redistribute static and connected routes to two other routers (router C and D) in our network. Currently I have a default static route configured on router B to point to the BGP peer's uplink. This in turn injects a default route into eigrp which router A/C/D pick up.

This is my question, is there a better way to set this up? We do not want to push all BGP routes to router C and D because they do not need all of the routes, simply only a default route that is dynamic if router D dies.

Second part is, we see inbound routes getting dropped and causing bouncing routes but it is only a select few. Traffic from peer comes to router D and then router D sends it back to peer then peer sends it back to router D etc etc. Is this due to the way I have the network set up above? If I hard reset the BGP session, the problem goes away for ~3 weeks. Is this a limitation of sup2's with BGP now that we are over 256k routes?

Any suggestions are more than welcomed!

jason

From ccie15385 at gmail.com Tue Feb 10 01:29:45 2009
From: ccie15385 at gmail.com (JH Cockburn)
Date: Tue, 10 Feb 2009 08:29:45 +0200
Subject: [c-nsp] VRF and BGP ?
In-Reply-To: <4990B1E4.9040902@rainierconnect.net>
References: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu> <4990B1E4.9040902@rainierconnect.net>
Message-ID: <000601c98b48$fbf407f0$f3dc17d0$@com>

Hi All,

We had a similar situation where we had to create an "internet" vrf and "leak/connect" that to the global routing table. So we had a couple of interfaces belonging to the internet vrf of which one connected back to the same device on an interface in the global network. We had ospf as IGP to exchange infrastructure/loopback addresses and BGP for Internet addresses.

The problem was that OSPF did come up at first, so the problem on the 6500's/7600's is that they use the same MAC address for all L3 interfaces.
Change the one side's MAC to a MAC of your choice and up comes OSPF and after that BGP can do its thing.

So when we implemented this on our GSRs/7206's it still didn't work... So after a bit of ol debugging I came to the conclusion that the following happens:

The router (either VRF or global) wants to connect to the (OSPF) neighbor, needs to do an arp for the address but then sees it already has an attached interface with that IP/MAC pair so it never sends the arp and goes into a loop of sorts. (Maybe some real propeller head can give the real reasons..) So the OSPF never comes up.

I added static arp entries (see below) and jippeee, OSPF comes up etc...

-----
arp 10.241.0.66 001f.26e0.d419 ARPA
arp vrf internet 10.241.0.65 001f.26e0.d41a ARPA
-----

I hope this helps and gives you some idea what to look for when you need this..

Cheers
JC

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
Sent: Tuesday, February 10, 2009 12:45 AM
To: Jeff Fitzwater
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRF and BGP ?

I use VRF's quite a bit on 7600 and other platforms with internal OSPF neighbors. So long as the interfaces you are connecting with (dot1q vlan's in my case most of the time) are associated with that vrf, you should be able to do so, although I've never tried to leak routes from the global routing table into a VRF, or use BGP (in OSPF there is a vrf tag you must use if I remember correctly). Using VRF's will give you a separate routing table isolated from your global routing table however.

I'm not an expert on this subject so if anyone has corrections, please chime in.

Jeff Fitzwater wrote:
> I am running 12.2.SXI on a 6500 with sup-720
>
> I currently have 3 full BGP peers with two on I1 and one on I2.
>
> I now need a fourth peer with ESNet (gov ISP) but only allow two /22 net from Princeton U. access to ESNet.
>
> My dilemma is how to only let the two nets see the additional ESNet routes so that no other host on campus will try and use the ESNET routes and fail.
>
> I have not used the VRF feature yet, but it appears that it might do the trick if I can create a separate routing domain with just ESNet routes, and then point only the two nets to the VRF so they check the ESNet table first and if not present fall thru to the global table. I should be able to use a ROUTE-MAP to accomplish this.
>
> From the doc it states that I can create a VRF and import routes from the global table but that means everybody will still see the routes to ESNet (I would guess anyway).
>
> Can I peer directly with the VRF without doing an import from the global table so only it has the ESNet routes?
>
> Does anybody have any suggestions on this issue?
>
> Thanks for any help.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

From eng_mssk at hotmail.com Tue Feb 10 01:38:53 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 10 Feb 2009 08:38:53 +0200
Subject: [c-nsp] Hello
In-Reply-To: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com>
References: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com>
Message-ID:

hello dude :)

> Date: Mon, 9 Feb 2009 14:49:55 -0500
> From: panocisco77 at gmail.com
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Hello
>
> Hello every one

From dale.shaw+cisco-nsp at gmail.com Tue Feb 10 01:49:01 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 10 Feb 2009 17:49:01 +1100
Subject: [c-nsp] Hello
In-Reply-To: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com>
References: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com>
Message-ID: <3329cbb40902092249w6e227dd5rda4543601db2d1fd@mail.gmail.com>

On Tue, Feb 10, 2009 at 6:49 AM, Renelson Panosky wrote:
> Hello every one

*insert terrible routing protocol adjacency "dad joke" here*

:-)

cheers,
Dale

From cisco-nsp at tracker.fire-world.de Tue Feb 10 04:33:44 2009
From: cisco-nsp at tracker.fire-world.de (Sebastian Wiesinger)
Date: Tue, 10 Feb 2009 10:33:44 +0100
Subject: [c-nsp] Cisco 4900M and QinQ
In-Reply-To: <4990B8EC.8000403@bromirski.net>
References: <20090209124547.GA16723@danton.fire-world.de> <4990B8EC.8000403@bromirski.net>
Message-ID: <20090210093344.GA29512@danton.fire-world.de>

* Łukasz Bromirski [2009-02-10 00:16]:
> On 2009-02-09 13:45, Sebastian Wiesinger wrote:
> >Hi,
> >
> >has anyone a working QinQ tunnel on a Cisco 4900M? I tried it in the lab with 12.2(50)SG Enterprise Services SSH and it didn't work.
>
> QinQ on 4900M and Sup-6E will be supported on 12.2(52)SG.
>
> Currently it isn't:
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_15594.html#wp363642

These release notes are somewhat vague. There is nowhere mentioned that QinQ is not supported, just that layer 2 protocol tunneling isn't. Or am I overlooking something? It's nice that you can configure QinQ even if it isn't working... :(

Well I'll have to wait for 52SG then.. thanks for the explanation.
Regards,

Sebastian
--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
 -- Terry Pratchett, The Fifth Elephant

From rocker.rockerfeller at gmail.com Tue Feb 10 07:10:45 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 10 Feb 2009 15:10:45 +0300
Subject: [c-nsp] Annoying POPups
Message-ID: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com>

Hi,

I have a group of ips on my network, a /24, that when browsing are getting an annoying popup across the browser. This strange behaviour started last week when the same block could not access any http site. Later the problem resolved itself, so I thought, till today. Now the block can browse but the annoying pop up pops every time the page is refreshed and browsing is annoying.

Any advice or assistance on how I can trace the loophole on my network and rectify it will be much appreciated.

Rocker.

From A.L.M.Buxey at lboro.ac.uk Tue Feb 10 07:40:19 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 10 Feb 2009 12:40:19 +0000
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <48D7B275.50700@imperial.ac.uk>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk>
Message-ID: <20090210124019.GA8143@lboro.ac.uk>

hi,

okay - after fruitful time on the test/devel router and then a prolonged period on 2 select routers, we're now SXI across the board.... which has finally thrown up an error (of sorts!) hurrah! :-) having exhausted my usual supply of cisco and google (and c-nsp ;-) ) searches I thought I'd throw this one to the list before visiting my TAC friends for the 3rd time this week.
note: so far we only observe this error on systems with 2 Sup720's in SSO redundancy mode

this is what's being logged:

Feb 10 12:26:38: SP: Critical error processing oif ltl index change event (0100.5b00.073c, XXX, 0xB8B)
Feb 10 12:30:32: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
Feb 10 12:30:32: SP: Critical error processing oif ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
Feb 10 12:30:48: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
Feb 10 12:30:48: SP: Critical error processing oif ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
Feb 10 12:31:54: SP: Critical error processing rpf ltl index change event (0100.5b07.0076, XXX, 0xBBF)

hmm. very nice. XXX represents a VLAN number. I've done simple obfuscation of the MAC and this info just because of policy - however, those MACs *do* start with 0100 which is multicast L2 ....so currently I've got a feeling that this is a problem with TTL=1 (and being dropped - eg ghost or rubbish multicast app) and it's hitting the RPF MLS - what say you all?

alan

From mvanton at gmail.com Tue Feb 10 08:05:54 2009
From: mvanton at gmail.com (vince anton)
Date: Tue, 10 Feb 2009 14:05:54 +0100
Subject: [c-nsp] changes in 7600 with DFC3BXL
Message-ID: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com>

hey all,

Quick question for you, hope you can help me.

I'm working on installing the DFCs in existing 67xx cards in our 7600s:

7606 w/SUP720-3BXL
2 x 6748-GE-TX
1 x 6704

I'm aware there are some differences in how the box reacts when a DFC is installed (the PFC will no longer need to make all the decisions, etc...). In particular this seems to change the behaviour for qos policers as well as L2 etherchannels. I'm using both of these, but I can't seem to find any definite documentation on CCO explaining the exact changes and perhaps any recommendations.
Of course I need to know how the box will behave in order to plan for this as part of the DFC upgrade, and so far all I found was an FAQ at http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml which doesn't give so much detail, and a few items in the archives of the list which touched the surface but didn't dig deep.

would appreciate if anyone can share any detailed info as to how qos and etherchannel behaviour changes in PFC vs DFCX3BXL

thanks,

anton

From maillist at webjogger.net Tue Feb 10 08:53:14 2009
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 10 Feb 2009 08:53:14 -0500
Subject: [c-nsp] Hello
References: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com> <3329cbb40902092249w6e227dd5rda4543601db2d1fd@mail.gmail.com>
Message-ID: <687F25C7A2714E929A0860D03408EE60@GINKGO>

Dang, you beat me to it!

----- Original Message -----
From: "Dale Shaw"
To:
Sent: Tuesday, February 10, 2009 1:49 AM
Subject: Re: [c-nsp] Hello

> On Tue, Feb 10, 2009 at 6:49 AM, Renelson Panosky wrote:
>> Hello every one
>
> *insert terrible routing protocol adjacency "dad joke" here*
>
> :-)
>
> cheers,
> Dale

From Marcus.Gerdon at versatel.de Tue Feb 10 08:51:44 2009
From: Marcus.Gerdon at versatel.de (Marcus.Gerdon)
Date: Tue, 10 Feb 2009 14:51:44 +0100
Subject: [c-nsp] Q-in-Q termination on 6500/7600
Message-ID: <227142482560EF458FF1F7E784E26AB82C3129@FLBVEXCH01.versatel.local>

Hi @all,

I'm looking for information regarding termination of Q-in-Q on 6500 and/or 7600 boxes. We only need plain termination on subinterfaces with IP (somewhere on Cisco called 'IPoQinQ') configured on; no EoMPLS, PPPoE or alike.
As usual Cisco's really annoying as no useful clear information is to be found, and as usual Feature Navigator seems to be missing working configurations (i.e. told me no Q-in-Q on 7200...).

All I could find out rather trustworthy is:

- ES20 and SIP for Local Vlan Significance
- ES20 supports Q-in-Q termination, a lot of tag rewrite functions etc.
- 12.2SR supports Q-in-Q termination (working on 7200)

I only need IP on a subinterface and have no need for all that fancy stuff the ES20 provide (and has to be paid for).

So the question is:

Can someone definitely confirm or reject due to tests or production setup whether Q-in-Q termination on a normal 67xx module (DFC installed) can be configured (encaps dot1q * second *) and by using which IOS?

6500's running SXI and 7600's running SRx are the ones to look at I think as running SXF presumably won't work at all.

thanks,

Marcus

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vince anton
> Sent: Tuesday, 10 February 2009 14:06
> To: cisco-nsp
> Subject: [c-nsp] changes in 7600 with DFC3BXL
>
> hey all,
>
> Quick question for you, hope you can help me.
>
> I'm working on installing the DFCs in existing 67xx cards in our 7600s:
>
> 7606 w/SUP720-3BXL
> 2 x 6748-GE-TX
> 1 x 6704
>
> I'm aware there are some differences in how the box reacts when a DFC is installed (the PFC will no longer need to make all the decisions, etc...). In particular this seems to change the behaviour for qos policers as well as L2 etherchannels. I'm using both of these, but I can't seem to find any definite documentation on CCO explaining the exact changes and perhaps any recommendations.
> Of course I need to know how the box will behave in order to plan for this as part of the DFC upgrade, and so far all I found was an FAQ at http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml which doesn't give so much detail, and a few items in the archives of the list which touched the surface but didn't dig deep.
>
> would appreciate if anyone can share any detailed info as to how qos and etherchannel behaviour changes in PFC vs DFCX3BXL
>
> thanks,
>
> anton

From avayner at cisco.com Tue Feb 10 08:54:47 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 10 Feb 2009 14:54:47 +0100
Subject: [c-nsp] changes in 7600 with DFC3BXL
In-Reply-To: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com>
References: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D72E2D6F@xmb-ams-331.emea.cisco.com>

Anton,

With regards to policing, what would happen is that each DFC would have its own policers, so if you have a policy applied for a VLAN which has ports on different modules, each module would have its own policer with the configured rate. This means that if you set a 10Mbps policer, but you have ports on 2 separate cards, each card would apply a separate 10Mbps policer (allowing in total a potential 20Mbps rate). The same, BTW, applies to aggregate policers.

The only change I can remember right now with regards to Etherchannel is the optional capability of specifying a load balancing algorithm per module.
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vince anton
Sent: Tuesday, February 10, 2009 15:06
To: cisco-nsp
Subject: [c-nsp] changes in 7600 with DFC3BXL

hey all,

Quick question for you, hope you can help me.

I'm working on installing the DFCs in existing 67xx cards in our 7600s:

7606 w/SUP720-3BXL
2 x 6748-GE-TX
1 x 6704

I'm aware there are some differences in how the box reacts when a DFC is installed (the PFC will no longer need to make all the decisions, etc...). In particular this seems to change the behaviour for qos policers as well as L2 etherchannels. I'm using both of these, but I can't seem to find any definite documentation on CCO explaining the exact changes and perhaps any recommendations. Of course I need to know how the box will behave in order to plan for this as part of the DFC upgrade, and so far all I found was an FAQ at http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml which doesn't give so much detail, and a few items in the archives of the list which touched the surface but didn't dig deep.

would appreciate if anyone can share any detailed info as to how qos and etherchannel behaviour changes in PFC vs DFCX3BXL

thanks,

anton

From peter at rathlev.dk Tue Feb 10 09:08:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 10 Feb 2009 15:08:16 +0100
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <20090210124019.GA8143@lboro.ac.uk>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk>
Message-ID: <1234274896.3416.51.camel@localhost.localdomain>

On Tue, 2009-02-10 at 12:40 +0000, A.L.M.Buxey at lboro.ac.uk wrote:
...
> Feb 10 12:31:54: SP: Critical error processing rpf ltl index change event (0100.5b07.0076, XXX, 0xBBF)
>
> hmm. very nice. XXX represents a VLAN number. I've done simple obfuscation of the MAC and this info just because of policy - however, those MACs *do* start with 0100 which is multicast L2 ....so currently I've got a feeling that this is a problem with TTL=1 (and being dropped - eg ghost or rubbish multicast app) and it's hitting the RPF MLS - what say you all?

I don't think it has anything to do with TTL, since that's a L3 thing. This is the switch processor complaining. It could very well seem multicast related, considering the "rpf", "oif" and "ltl" TLAs.

Considering the "index change event", could it be related to some multicast registration of some kind going wrong?

Regards,
Peter

From A.L.M.Buxey at lboro.ac.uk Tue Feb 10 09:14:13 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 10 Feb 2009 14:14:13 +0000
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <1234274896.3416.51.camel@localhost.localdomain>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk> <1234274896.3416.51.camel@localhost.localdomain>
Message-ID: <20090210141413.GB8209@lboro.ac.uk>

Hi,

> I don't think it has anything to do with TTL, since that's a L3 thing. This is the switch processor complaining. It could very well seem multicast related, considering the "rpf", "oif" and "ltl" TLAs.
>
> Considering the "index change event", could it be related to some multicast registration of some kind going wrong?

it certainly is - multicast has gone very wrong and wonky. no longer receive SAPs from the rest of the world (isn't that a blessing?), internal SAPs are flappy and IGMP joins to watch a stream are non-deterministic. not good.
alan

From achatz at forthnet.gr Tue Feb 10 09:16:26 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 10 Feb 2009 16:16:26 +0200
Subject: [c-nsp] Q-in-Q termination on 6500/7600
In-Reply-To: <227142482560EF458FF1F7E784E26AB82C3129@FLBVEXCH01.versatel.local>
References: <227142482560EF458FF1F7E784E26AB82C3129@FLBVEXCH01.versatel.local>
Message-ID: <49918C3A.1030708@forthnet.gr>

Been there, done that....you need the ES cards (get the new ES+ if you decide to use these).
Alternatively (as long as your traffic demands are low), use a much-cheaper-external-router-based solution for IP QinQ termination (7200 with 31SB works fine).

--
Tassos

Marcus.Gerdon wrote on 10/02/2009 15:51:
> Hi @all,
>
> I'm looking for information regarding termination of Q-in-Q on 6500 and/or 7600 boxes. We only need plain termination on subinterfaces with IP (somewhere on Cisco called 'IPoQinQ') configured on; no EoMPLS, PPPoE or alike.
>
> As usual Cisco's really annoying as no useful clear information is to be found, and as usual Feature Navigator seems to be missing working configurations (i.e. told me no Q-in-Q on 7200...).
>
> All I could find out rather trustworthy is:
>
> - ES20 and SIP for Local Vlan Significance
> - ES20 supports Q-in-Q termination, a lot of tag rewrite functions etc.
> - 12.2SR supports Q-in-Q termination (working on 7200)
>
> I only need IP on a subinterface and have no need for all that fancy stuff the ES20 provide (and has to be paid for).
>
> So the question is:
>
> Can someone definitely confirm or reject due to tests or production setup whether Q-in-Q termination on a normal 67xx module (DFC installed) can be configured (encaps dot1q * second *) and by using which IOS ?
>
> 6500's running SXI and 7600's running SRx are the ones to look at I think as running SXF presumably won't work at all.
>
> thanks,
>
> Marcus
>

From pete at bytemark.co.uk Tue Feb 10 09:36:06 2009
From: pete at bytemark.co.uk (Peter Taphouse)
Date: Tue, 10 Feb 2009 14:36:06 +0000
Subject: [c-nsp] temporary static routes
In-Reply-To: <4963A31E.3000103@utc.edu>
References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> <4963A31E.3000103@utc.edu>
Message-ID: <499190D6.5000805@bytemark.co.uk>

> Of course the ultimate solution would be a BGP-peering feed of IPs to
> null that also did the timeouts for you, but as far as I know, that's
> still the great pie in the sky :-)

Probably not a complete solution, but my colleague implemented a basic bgp feeder that can be integrated with our databases a lot more easily than using quagga/openbgpd/ios.

(hg clone) http://src.bytemark.co.uk/trac/bgpfeeder

--
Peter Taphouse
Bytemark Hosting
http://www.bytemark.co.uk/
tel. +44 (0) 845 004 3 004

From nicotine at warningg.com Tue Feb 10 09:50:06 2009
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 10 Feb 2009 08:50:06 -0600
Subject: [c-nsp] temporary static routes
In-Reply-To: <4963A31E.3000103@utc.edu>
References: <4963A31E.3000103@utc.edu>
Message-ID: <20090210145006.GC28738@biological.warningg.com>

On Tue, Jan 06, 2009 at 01:29:50PM -0500, Jeff Kell wrote:
>
> Of course the ultimate solution would be a BGP-peering feed of IPs to
> null that also did the timeouts for you, but as far as I know, that's
> still the great pie in the sky :-)
>

clogin/RANCID + Quagga + crontab + + Apache = BGP nullroute server with self-expiry. I use it regularly to allow non-network personnel to temporarily nullroute troublesome IPs while I sleep. Additionally, it's put together in such a way that I can leverage flowstats top talker reports to have limited success blocking non-spoofed DDoS attacks at the network edge via loose-mode RPF.
Identify the hosts doing an order of magnitude more [packets | bits | connections] than the rest of your traffic stream, pipe it through awk, and feed it into your nullroute machine.

--
Brandon Ewing (nicotine at warningg.com)

From rocker.rockerfeller at gmail.com Tue Feb 10 09:53:41 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 10 Feb 2009 17:53:41 +0300
Subject: [c-nsp] Annoying POPups
References: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com>
Message-ID: <2299bfcb0902100653w3a80c21ai1dfba931f43defe6@mail.gmail.com>

Well I'm thinking it's kind of an attack since it's the whole network.

Reason: when I assign myself an ip on that range and check my ip address from "what is my ip", it gives me the ip address of my cisco router, where that ip range is from.

Appreciate any input.

On Tue, Feb 10, 2009 at 3:19 PM, Church, Charles wrote:
> This isn't really Cisco related, but I'm guessing they're all infected
> with some kind of virus or spyware. Make sure they're all patched
> (guessing they're Windows), then run something like AdAware or Spybot
> S&D on them to clean it up. Then install Firefox on all machines.
>
> Chuck
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rocker Feller
> Sent: Tuesday, February 10, 2009 7:11 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Annoying POPups
>
>
> Hi,
>
> I have a group of ips on my network a /24 that when browsing are getting
> an annoying popup across the browser.
>
> This strange behaviour started last week when the same block could not
> access any http site.
>
> Later the problem resolved itself so I thought till today.
>
> Now the block can browse but the annoying pop up pops every time the page
> is refreshed and browsing is annoying.
>
> Any advice/assistance on how I can trace the loophole on my network and
> rectify will be much appreciated.
>
> Rocker.
>

From jay at west.net Tue Feb 10 10:19:10 2009
From: jay at west.net (Jay Hennigan)
Date: Tue, 10 Feb 2009 07:19:10 -0800
Subject: [c-nsp] Annoying POPups
In-Reply-To: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com>
References: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com>
Message-ID: <49919AEE.9070602@west.net>

Rocker Feller wrote:
> Hi,
>
> I have a group of ips on my network a /24 that when browsing are getting an
> annoying popup across the browser.
>
> This strange behaviour started last week when the same block could not
> access any http site.
>
> Later the problem resolved itself so I thought till today.

This sounds like virus/spyware on the host or browser. Does it happen to a Mac or Linux box running Firefox?

> Now the block can browse but the annoying pop up pops every time the page is
> refreshed and browsing is annoying.
>
> Any advice/assistance on how I can trace the loophole on my network and
> rectify will be much appreciated.

Don't use Windows/IE/Outlook. If you must, patch often and use antivirus software. Ideally, take those hosts off of your network until they're disinfected. In any case don't move them to another subnet until they're disinfected.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From schilling2006 at gmail.com Tue Feb 10 10:22:36 2009
From: schilling2006 at gmail.com (schilling)
Date: Tue, 10 Feb 2009 10:22:36 -0500
Subject: [c-nsp] VRF and BGP ?
In-Reply-To: <000601c98b48$fbf407f0$f3dc17d0$@com>
References: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu> <4990B1E4.9040902@rainierconnect.net> <000601c98b48$fbf407f0$f3dc17d0$@com>

You could have a vrf for esnet; esnet routes could be in a headend/hub/pilot router, and your specific /22 would be in the esnet vrf. You could inject a default with ospf from your headend to other esnet vrf CEs. In the headend, have a static default to your loopback connection global side as JC described. So all traffic in your /22 esnet vrf will go to the esnet route if it exists; otherwise, it goes to your global routing table.

The other way to the loopback cable is to use a routed VFW instance without the ARP caveat. You could point your esnet vrf default to the VFW inside; outside is connected to your global routing table. Basically, inside vlan one end is in vrf esnet, the other is allocated to VFW as inside. The outside vlan one end is in global routing table, the other is allocated to VFW as outside. Some static routing configuration is needed in the VFW since multi context FWSM only supports static routes.

Schilling

On Tue, Feb 10, 2009 at 1:29 AM, JH Cockburn wrote:
> Hi All,
> We had a similar situation where we had to create an "internet" vrf and
> "leak/connect" that to the global routing table.
> So we had a couple of interfaces belonging to the internet vrf of which one
> connected back to the same device on an interface in the global network. We
> had ospf as IGP to exchange infrastructure/loopback addresses and BGP for
> Internet addresses.
> The problem was that OSPF did come up at first, so the
> problem on the 6500's/7600's is that they use the same MAC address for all
> L3 interfaces. Change the one side's MAC to a MAC of your choice and up
> comes OSPF and after that BGP can do its thing.
> So when we implemented this on our GSRs/7206's it still didn't work... So
> after a bit of ol' debugging I came to the conclusion that the following
> happens:
> The router (either VRF or global) wants to connect to the (OSPF) neighbor,
> needs to do an arp for the address but then sees it already has an attached
> interface with that IP/MAC pair so it never sends the arp and goes into a
> loop of sorts. (Maybe some real propeller head can give the real reasons..)
> So the OSPF never comes up. I added static arp entries (see below) and
> jippeee, OSPF comes up etc...
>
> -----
> arp 10.241.0.66 001f.26e0.d419 ARPA
> arp vrf internet 10.241.0.65 001f.26e0.d41a ARPA
> -----
>
> I hope this helps and gives you some idea what to look for when you need
> this..
>
> Cheers
> JC
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
> Sent: Tuesday, February 10, 2009 12:45 AM
> To: Jeff Fitzwater
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] VRF and BGP ?
>
> I use VRF's quite a bit on 7600 and other platforms with internal OSPF
> neighbors. So long as the interfaces you are connecting with (dot1q
> vlan's in my case most of the time) are associated with that vrf, you
> should be able to do so, although, I've never tried to leak routes from
> the global routing table into a VRF, or use BGP (in OSPF there is a vrf
> tag you must use if I remember correctly). Using VRF's will give you a
> separate routing table isolated from your global routing table however.
> I'm not an expert on this subject so if anyone has corrections, please
> chime in.
>
> Jeff Fitzwater wrote:
> > I am running 12.2.SXI on a 6500 with sup-720
> >
> >
> > I currently have 3 full BGP peers with two on I1 and one on I2.
> >
> > I now need a fourth peer with ESNet (gov ISP) but only allow two /22
> > nets from Princeton U. access to ESNet.
> >
> > My dilemma is how to only let the two nets see the additional ESNet
> > routes so that no other host on campus will try and use the ESNET
> > routes and fail.
> >
> > I have not used the VRF feature yet, but it appears that it might do
> > the trick if I can create a separate routing domain with just ESNet
> > routes, and then point only the two nets to the VRF so they check the
> > ESNet table first and if not present fall thru to the global table.
> > I should be able to use a ROUTE-MAP to accomplish this.
> >
> > From the doc it states that I can create a VRF and import routes from
> > the global table but that means everybody will still see the routes to
> > ESNet ( I would guess anyway).
> >
> > Can I peer directly with the VRF without doing an import from the
> > global table so only it has the ESNet routes?
> >
> > Does anybody have any suggestions on this issue?
> >
> >
> > Thanks for any help.
> >
> >
> >
> > Jeff Fitzwater
> > OIT Network Systems
> > Princeton University
>

From rodunn at cisco.com Tue Feb 10 11:12:24 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 10 Feb 2009 11:12:24 -0500
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <20090210124019.GA8143@lboro.ac.uk>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk>
Message-ID: <20090210161224.GD7623@rtp-cse-489.cisco.com>

I only see the matches in the entire bug database for the message.

One I found is:

CSCsx26182
Console unusable with criitcal error msgs after ISSU LV/RV in mVPN setup

It was seen after they did an ISSU.

Did you do anything specific to the upgrade procedure when they started showing up by chance?

Rodney

On Tue, Feb 10, 2009 at 12:40:19PM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
> hi,
>
> okay - after fruitful time on the test/devel router and then
> a prolonged period on 2 select routers, we're now SXI across
> the board.... which has finally thrown up an error (of sorts!)
> hurrah! :-)
>
> having exhausted my usual supply of cisco and google (and c-nsp ;-) )
> searches I thought I'd throw this one to the list before
> visiting my TAC friends for the 3rd time this week.
>
> note: so far we only observe this error on systems with 2 Sup720's in
> SSO redundancy mode
>
> this is what's being logged:
>
> Feb 10 12:26:38: SP: Critical error processing oif ltl index change event (0100.5b00.073c, XXX, 0xB8B)
> Feb 10 12:30:32: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
> Feb 10 12:30:32: SP: Critical error processing oif ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
> Feb 10 12:30:48: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
> Feb 10 12:30:48: SP: Critical error processing oif ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
> Feb 10 12:31:54: SP: Critical error processing rpf ltl index change event (0100.5b07.0076, XXX, 0xBBF)
>
> hmm. very nice. XXX represents a VLAN number. I've done simple obfuscation
> of the MAC and this info just because of policy - however, those MACs *do*
> start with 0100 which is multicast L2 ....so currently I've got a feeling
> that this is a problem with TTL=1 (and being dropped - eg ghost or rubbish
> multicast app) and it's hitting the RPF MLS - what say you all?
>
> alan
>

From rocker.rockerfeller at gmail.com Tue Feb 10 11:19:57 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 10 Feb 2009 19:19:57 +0300
Subject: [c-nsp] Annoying POPups
In-Reply-To: <49919B51.1040104@west.net>
References: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com> <2299bfcb0902100653w3a80c21ai1dfba931f43defe6@mail.gmail.com> <49919B51.1040104@west.net>
Message-ID: <2299bfcb0902100819o5fdc8657kce8e0c5590dc688b@mail.gmail.com>

No NAT, these are all public ips.

Router 2811 is the terminating point for all these ips which come in on vlans on different subinterfaces.
Customers connect to me via this router and I have issued them public ips.

This router is connected direct to my uplink (Internet) provider.

Rocker

On Tue, Feb 10, 2009 at 6:20 PM, Jay Hennigan wrote:
> Rocker Feller wrote:
>
>> Well I'm thinking it's kind of an attack since it's the whole network.
>>
>> Reason: when I assign myself an ip on that range and check my ip address
>> from "what is my ip",
>>
>> it gives me the ip address of my cisco router, where that ip range is
>> from.
>>
>
> Is your Cisco router performing NAT? If so, this is normal.
>
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
>

From davee925 at gmail.com Tue Feb 10 11:39:23 2009
From: davee925 at gmail.com (Dave Edmondson)
Date: Tue, 10 Feb 2009 10:39:23 -0600
Subject: [c-nsp] Frame-relay to MLPPP traffic shaping and QoS?
Message-ID: <001401c98b9e$225b9250$371e0a0a@bonestroo.com>

Hello all,

I have inherited a network used for data, VoIP, and video conferencing. The central site has a DS3 with a 12 mbps frame-relay interface into a Juniper-based MPLS and a 12 mbps frame-relay interface to the Internet. The remote sites on the MPLS network have 2XT1 MLPPP interfaces, with all Internet access via the central site. My central site has a Cisco 3845 (12.4(3f)) with an NM1-T3/E3 card, the remotes all have Cisco 1841 (12.3(10.3)T2).

We do video conferences between sites on the MPLS and FTP is used to move multi-gigabyte files from the central site to the remote sites and from remote site to remote site. Email servers are all at the main site. We are moving toward central storage as well, so some backups are done from remote sites to the central site. And they want to provide streaming media for training...

We are not doing any BGP or OSPF, just static routes. Each site has a /16 assigned.
3 meg MLPPP 1841, 10.20.X.X
            |
            |
3 meg MLPPP 1841, 10.20.X.X--- MPLS ---3 meg MLPPP 1841, 10.30.X.X
            |
            |
DS3 w/12 meg frame relay PVC to 3845, 10.10.X.X

My challenge:

1) Shape traffic or rate limit to 3 megs from the central site to each of the remote sites so I don't overrun the remote site bandwidth.

2) Apply QoS to traffic destined for each specific remote originating from the central site, rate-limiting some protocols (like FTP).

I am familiar with QoS configs on MLPPP bundles in Cisco, but I know nothing about traffic shaping and QoS on frame relay interfaces. If ignorance is bliss, I've been pretty happy until now....

Suggestions?

From rocker.rockerfeller at gmail.com Tue Feb 10 11:57:12 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 10 Feb 2009 19:57:12 +0300
Subject: [c-nsp] Annoying POPups
In-Reply-To: <8852ac1c0902100843q3e50df3bte7022368134e2a61@mail.gmail.com>
References: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com> <2299bfcb0902100653w3a80c21ai1dfba931f43defe6@mail.gmail.com> <49919B51.1040104@west.net> <2299bfcb0902100819o5fdc8657kce8e0c5590dc688b@mail.gmail.com> <8852ac1c0902100843q3e50df3bte7022368134e2a61@mail.gmail.com>
Message-ID: <2299bfcb0902100857p67621c2cq59ddb898984f4d4e@mail.gmail.com>

No. They are all handled by the same DNS server and there is no proxy server and wccp is disabled on that router.

On Tue, Feb 10, 2009 at 7:43 PM, Charles Klement wrote:
> do users on that subnet get handed a different DNS or proxy server ?
>
> On Tue, Feb 10, 2009 at 8:19 AM, Rocker Feller <
> rocker.rockerfeller at gmail.com> wrote:
>
>> No NAT, these are all public ips.
>>
>> Router 2811 is the terminating point for all these ips which come in on
>> vlans on different subinterfaces.
>>
>> Customers connect to me via this router and I have issued them public ips.
>>
>> This router is connected direct to my uplink (Internet) provider.
>>
>> Rocker
>>
>>
>>
>> On Tue, Feb 10, 2009 at 6:20 PM, Jay Hennigan wrote:
>>
>> > Rocker Feller wrote:
>> >
>> >> Well I'm thinking it's kind of an attack since it's the whole network.
>> >>
>> >> Reason: when I assign myself an ip on that range and check my ip address
>> >> from "what is my ip",
>> >>
>> >> it gives me the ip address of my cisco router, where that ip range is
>> >> from.
>> >>
>> >
>> > Is your Cisco router performing NAT? If so, this is normal.
>> >
>> >
>> > --
>> > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
>> > Impulse Internet Service - http://www.impulse.net/
>> > Your local telephone and internet company - 805 884-6323 - WB6RDV
>> >
>>
>

From A.L.M.Buxey at lboro.ac.uk Tue Feb 10 12:24:04 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 10 Feb 2009 17:24:04 +0000
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <20090210161224.GD7623@rtp-cse-489.cisco.com>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk> <20090210161224.GD7623@rtp-cse-489.cisco.com>
Message-ID: <20090210172404.GA10002@lboro.ac.uk>

Hi,

> I only see the matches in the entire bug database for the message.
>
> One I found is:
>
> CSCsx26182
> Console unusable with criitcal error msgs after ISSU LV/RV in mVPN setup
>
> It was seen after they did an ISSU.
>
> Did you do anything specific to the upgrade procedure when they
> started showing up by chance?

no - but I've narrowed the problem down massively - by removing the second supervisor, the error messages stop totally. Our dual-sups are (or were ;-) ) in SSO config - now, I'm not sure what nastiness might lurk in the SXI for this config.
worked fine for SXF (never did SXH on them due to oh so many! issues)

anyway, TAC case hopefully opened via our support folk so we'll see what happens.

of note, however, since the update to SXI, multicast is still rather weird....some IGMP joins are fine, others don't seem to work - and all SAP has stopped coming through - all our settings are the same.... (i also note 'ip sap listen' has gone from the command line.....good ;-) ) - so I've still got some issues with this..but hey, when does an upgrade (even planned) go glass-smooth?

alan

From jeff-kell at utc.edu Tue Feb 10 12:38:00 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 10 Feb 2009 12:38:00 -0500
Subject: [c-nsp] Cannot connect to ASA using ASDM software
References: <000001c98afe$7f9cab70$7ed60250$@com> <7aaaf7f0902091422j7e3a9392ya450f908238e4b0a@mail.gmail.com>
Message-ID: <4991BB78.8080004@utc.edu>

Church, Charles wrote:
> I'm still using 5.2.x ASDM, as the ASA is running 7.2.x still (both late
> interim releases). Hoping for a newer ASDM soon. 5.2(4)50 still is
> broken.

There is a 5.2(4)52 that works with 7.2, but you have to have TAC do a custom file download (or at least you did when I ran across this).

There's a similar issue with the ASDM(F) for the FWSM. 6.1(2)F works with both 3.2 (backward-compatible) and 4.x FWSM software.

Jeff

From jfitz at Princeton.EDU Tue Feb 10 14:22:13 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Tue, 10 Feb 2009 14:22:13 -0500
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX

We are running 12.2.SXI on sup-720-cxl

We use snmp getnext and getbulk to get the ARP table from a router that has ~16K entries and it takes about 10min to complete, with ROUTER CPU at 100%. Our other routers have the same hardware and IOS but have <10K entries and work fine.

This is an old problem with CISCO and I thought they might have finally fixed it in SXI, but NOT.
The problem is the ARP entries are stored internally in a hashed format and SNMP needs them in an ordered format, so for every snmp PDU the CPU must get the entire ARP table and crunch it to create the ordered PDU response. This will take place for as many PDUs as it takes to retrieve the entire table. There does appear to be a point (size of ARP table) at which it takes very long to retrieve the whole table which seems to be around 12K but with a 16K table it takes forever.

In the attached PDF from CISCO they explain the problem and also state that if you turn on CEF (has always been on for a long time) it is much faster since the FIB is already in a lexical order that snmp likes. Since CEF is always on, why does it still take so long?

At this point we basically cannot do any retrieval of the ARP tables.

There must be many other groups that have this same problem or I have really missed something.

I will open up a ticket with CISCO if nobody out there has an answer.

Currently we use an expect script to get the table via CLI which is much faster but it doesn't help tools that must use snmp.

Thanks for any help.

Jeff Fitzwater
OIT Network Systems
Princeton University

From jared at puck.nether.net Tue Feb 10 14:27:49 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 10 Feb 2009 14:27:49 -0500
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX
Message-ID: <20090210192749.GC70058@puck.nether.net>

On Tue, Feb 10, 2009 at 02:22:13PM -0500, Jeff Fitzwater wrote:
> We are running 12.2.SXI on sup-720-cxl
>
> We use snmp getnext and getbulk to get the ARP table from a router that
> has ~16K entries and it takes about 10min to complete, with ROUTER CPU at
> 100%. Our other routers have the same hardware and IOS but have <10K
> entries and work fine.

When you say getnext/getbulk, I presume you mean a snmp v2c bulkwalk? Or are you using snmp V1?
> This is an old problem with CISCO and I thought they might have finally
> fixed it in SXI, but NOT.
>
> The problem is the ARP entries are stored internally in a hashed format
> and SNMP needs them in an ordered format, so for every snmp PDU the CPU
> must get the entire ARP table and crunch it to create the ordered PDU
> response. This will take place for as many PDUs as it takes to retrieve
> the entire table. There does appear to be a point (size of ARP table)
> at which it takes very long to retrieve the whole table which seems to be
> around 12K but with a 16K table it takes forever.
>
> In the attached PDF from CISCO they explain the problem and also state
> that if you turn on CEF (has always been on for a long time) it is
> much faster since the FIB is already in a lexical order that snmp likes.
> Since CEF is always on, why does it still take so long?

(The list strips the pdf files, you can email them to me to post on puck, or give a pointer to the pdf on cisco.com)

>
>
>
> At this point we basically cannot do any retrieval of the ARP tables.
>
>
>
> There must be many other groups that have this same problem or I have
> really missed something.
>
>
> I will open up a ticket with CISCO if nobody out there has an answer.
>
> Currently we use an expect script to get the table via CLI which is much
> faster but it doesn't help tools that must use snmp.
>
>
> Thanks for any help.
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
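As an added illustration of the cost Jeff describes (this is not code from the thread or from Cisco): a model in which one agent must re-order a hash-ordered ARP table for every PDU, while the other walks an index already kept in lexicographic order, as the CEF/FIB path is said to give SNMP. The table rows are constructed and the "rows touched" accounting is an assumed proxy for CPU time; it shows why a GETBULK walk with a large max-repetitions lowers the cost, yet the per-PDU re-sort still grows with table size.

```python
"""Cost model for an SNMP walk of ipNetToMediaTable (the ARP table) when the
agent stores rows in hash order versus in lexicographic index order.
Constructed example: the rows and the cost accounting are assumptions, not
measurements of IOS."""
import bisect
import math
import random


def arp_instance(ifindex, ip):
    """Instance suffix of an ipNetToMediaTable row: ifIndex.a.b.c.d (RFC 1213).
    GETNEXT must hand rows back in lexicographic order of this tuple."""
    return (ifindex,) + tuple(int(octet) for octet in ip.split("."))


def sort_cost(n):
    """Rows touched to order n rows: an n*log2(n) proxy for the sort."""
    if n < 2:
        return n
    return n * math.ceil(math.log2(n))


class HashedArpAgent:
    """Agent whose ARP table is a hash (dict). Every PDU has to order the whole
    table before it can find 'the row after this OID', which is the behaviour
    the thread describes: each PDU re-crunches the entire table."""

    def __init__(self, rows):
        self.rows = {arp_instance(*key): mac for key, mac in rows.items()}
        self.work = 0  # rows touched, the CPU proxy used throughout

    def get_bulk(self, oid, max_rep):
        ordered = sorted(self.rows)  # the per-PDU crunch
        self.work += sort_cost(len(ordered)) + max_rep
        start = bisect.bisect_right(ordered, oid)
        return ordered[start:start + max_rep]


class IndexedArpAgent:
    """Agent whose table is already kept in index order (what the CEF/FIB path
    gives SNMP). A PDU costs one binary search plus the rows it returns."""

    def __init__(self, rows):
        self.keys = sorted(arp_instance(*key) for key in rows)
        self.work = 0

    def get_bulk(self, oid, max_rep):
        self.work += max(1, math.ceil(math.log2(len(self.keys)))) + max_rep
        start = bisect.bisect_right(self.keys, oid)
        return self.keys[start:start + max_rep]


def walk(agent, max_rep=1):
    """Walk the whole table. A GETNEXT walk is a GETBULK walk with
    max-repetitions 1; an SNMPv2c bulkwalk uses a larger max_rep."""
    rows, cursor = [], (0,)  # (0,) sorts before every real ifIndex
    while True:
        chunk = agent.get_bulk(cursor, max_rep)
        if not chunk:
            return rows
        rows.extend(chunk)
        cursor = chunk[-1]


def make_table(n, seed=1):
    """Constructed ARP table: n distinct (ifIndex, ip) rows across 8 interfaces."""
    rng = random.Random(seed)
    rows = {}
    while len(rows) < n:
        ip = "10.%d.%d.%d" % (rng.randint(0, 255), rng.randint(0, 255),
                              rng.randint(1, 254))
        rows[(rng.randint(1, 8), ip)] = "0000.%04x.%04x" % (
            rng.getrandbits(16), rng.getrandbits(16))
    return rows


def walk_cost(n, max_rep):
    """Return (hashed_work, indexed_work, rows_returned) for a walk of n rows."""
    table = make_table(n)
    hashed, indexed = HashedArpAgent(table), IndexedArpAgent(table)
    got_hashed = walk(hashed, max_rep)
    got_indexed = walk(indexed, max_rep)
    assert got_hashed == got_indexed, "both agents must return the same rows"
    return hashed.work, indexed.work, len(got_hashed)


if __name__ == "__main__":
    # The hashed agent's cost grows with table size and shrinks with
    # max-repetitions; the indexed agent stays linear in the rows returned.
    for n in (1000, 2000):
        for max_rep in (1, 50):
            h, i, rows = walk_cost(n, max_rep)
            print("rows=%5d max_rep=%3d hashed=%12d indexed=%8d ratio=%.0fx"
                  % (rows, max_rep, h, i, h / i))
```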
From graham at g-rock.net Tue Feb 10 14:42:05 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 10 Feb 2009 14:42:05 -0500
Subject: [c-nsp] 7606 with SPA-2xT3, hot insert - reboot required?
In-Reply-To: <20090210192749.GC70058@puck.nether.net>
References: <20090210192749.GC70058@puck.nether.net>
Message-ID: <20090210144205.oq9bo02bnocg44c0@webmail.iamforeverme.com>

Hi fellas,

I have a 7606 and I inserted (hot) a SPA-2xT3 card into my SIP400 subslot (2/1), from which it shows up in various "show" commands just... but it doesn't give me the ability to actually config the interfaces on it. Does it require a reboot for the serial interfaces to come up?

7606, with dual 720's. Running c7600s72033-adventerprisek9-mz.122-33.SRC.bin.
From the module guide, this is the first supported rev of this card in the slot.
Any known issues, or does the box need to take a reboot?

Thanks in advance,

-graham

Feb 9 14:54:56 CST: %DIAG-SP-6-RUN_MINIMUM: Module 2/1: Running Minimal Diagnostics...
Feb 9 14:54:57 CST: %DIAG-SP-6-DIAG_OK: Module 2/1: Passed Online Diagnostics
Feb 9 14:54:57 CST: %SPA_OIR-6-ONLINECARD: SPA (SPA-2XT3/E3) online in subslot 2/1

#show hw-module subslot all oir
Module        Model                Operational Status
------------- -------------------- ------------------------
subslot 2/0   SPA-1XOC12-ATM       ok
subslot 2/1   SPA-2XT3/E3          ok

#show hw-module subslot 2/1 fpd

==== ====================== ====== =============================================
H/W                          Field Programmable   Current   Min. Required
Slot Card Type               Ver.
                                   Device: "ID-Name" Version   Version
==== ====================== ====== ================== =========== ==============
2/1  SPA-2XT3/E3            1.1    1-ROMMON           2.12        2.12
                                   2-I/O FPGA         1.0         1.0
                                   3-E3 FPGA          1.4         1.4
                                   4-T3 FPGA          1.4         1.4
==== ====================== ====== =============================================

From robbie.jacka at regions.com Tue Feb 10 14:48:19 2009
From: robbie.jacka at regions.com (robbie.jacka at regions.com)
Date: Tue, 10 Feb 2009 13:48:19 -0600
Subject: [c-nsp] 7606 with SPA-2xT3, hot insert - reboot required?
In-Reply-To: <20090210144205.oq9bo02bnocg44c0@webmail.iamforeverme.com>

Have you set "card type t3 2 1"?

--
robbie

Graham Wooden
Sent by: cisco-nsp-bounces@puck.nether.net
02/10/2009 01:43 PM

To: cisco-nsp at puck.nether.net
cc:
Subject: [c-nsp] 7606 with SPA-2xT3, hot insert - reboot required?

Hi fellas,

I have a 7606 and I inserted (hot) a SPA-2xT3 card into my SIP400 subslot (2/1), from which it shows up in various "show" commands just... but it doesn't give me the ability to actually config the interfaces on it. Does it require a reboot for the serial interfaces to come up?

7606, with dual 720's. Running c7600s72033-adventerprisek9-mz.122-33.SRC.bin.
From the module guide, this is the first supported rev of this card in the slot.
Any known issues, or does the box need to take a reboot?

Thanks in advance,

-graham

Feb 9 14:54:56 CST: %DIAG-SP-6-RUN_MINIMUM: Module 2/1: Running Minimal Diagnostics...
Feb 9 14:54:57 CST: %DIAG-SP-6-DIAG_OK: Module 2/1: Passed Online Diagnostics
Feb 9 14:54:57 CST: %SPA_OIR-6-ONLINECARD: SPA (SPA-2XT3/E3) online in subslot 2/1

#show hw-module subslot all oir
Module        Model                Operational Status
------------- -------------------- ------------------------
subslot 2/0   SPA-1XOC12-ATM       ok
subslot 2/1   SPA-2XT3/E3          ok

#show hw-module subslot 2/1 fpd

==== ====================== ====== =============================================
H/W                          Field Programmable   Current   Min. Required
Slot Card Type               Ver.
                                   Device: "ID-Name" Version   Version
==== ====================== ====== ================== =========== ==============
2/1  SPA-2XT3/E3            1.1    1-ROMMON           2.12        2.12
                                   2-I/O FPGA         1.0         1.0
                                   3-E3 FPGA          1.4         1.4
                                   4-T3 FPGA          1.4         1.4
==== ====================== ====== =============================================

From jfitz at Princeton.EDU Tue Feb 10 14:53:28 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Tue, 10 Feb 2009 14:53:28 -0500
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX
In-Reply-To: <20090210192749.GC70058@puck.nether.net>
References: <20090210192749.GC70058@puck.nether.net>

Hello Jared,

We use only snmp V2.

Here is the URL

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml

Jeff

On Feb 10, 2009, at 2:27 PM, Jared Mauch wrote:

> On Tue, Feb 10, 2009 at 02:22:13PM -0500, Jeff Fitzwater wrote:
>> We are running 12.2.SXI on sup-720-cxl
>>
>> We use snmp getnext and getbulk to get the ARP table from a router
>> that
>> has ~16K entries and it takes about 10min to complete, with ROUTER
>> CPU at
>> 100%. Our other routers have the same hardware and IOS but have
>> <10K
>> entries and work fine.
>
> When you say getnext/getbulk, I presume you mean a snmp v2c bulkwalk?
> Or are you using snmp V1?
>
>> This is an old problem with CISCO and I thought they might have
>> finally
>> fixed it in SXI, but NOT.
>>
>> The problem is the ARP entries are stored internally in a hashed
>> format
>> and SNMP needs them in an ordered format, so for every snmp PDU the
>> CPU
>> must get the entire ARP table and crunch it to create the ordered PDU
>> response. This will take place for as many PDUs as it takes to
>> retrieve
>> the entire table.
There does appear to be a point (size of ARP >> table) >> at which it takes very long to retrieve the whole table which seems >> to be >> around 12K but with a 16K table it takes forever. >> >> In the attached PDF from CISCO they explain the problem and also >> state >> the if you turn on CEF (has always been on for long time) that it is >> much faster since the FIB is already in a lexical order that snmp >> likes. >> Since CEF is always on, why does it still take so long. > > (The list strips the pdf files, you can email them to me to > post on puck, or give a pointer to the pdf on cisco.com) > >> >> >> >> At this point we basically cannot do any retrieval of the ARP >> tables. >> >> >> >> Their must be many other groups that have this same problem or I have >> really missed something. >> >> >> I will open up a ticket with CISCO if nobody out there has an answer. >> >> Currently we use an expect script to get the table via CLI which is >> much >> faster but it doesn't help tools that must use snmp. >> >> >> Thanks for any help. >> >> >> Jeff Fitzwater >> OIT Network Systems >> Princeton University > >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > -- > Jared Mauch | pgp key available via finger from jared at puck.nether.net > clue++; | http://puck.nether.net/~jared/ My statements are > only mine. From graham at g-rock.net Tue Feb 10 14:56:43 2009 From: graham at g-rock.net (Graham Wooden) Date: Tue, 10 Feb 2009 14:56:43 -0500 Subject: [c-nsp] 7606 with SPA-2xT3, hot insert - reboot required? In-Reply-To: References: Message-ID: <20090210145643.ueye4j8l4w00kogo@webmail.iamforeverme.com> Bah ... that was the trick. Thanks Robbie. -graham > Have you set "card type t3 2 1"? 
> -- > robbie > > > > > > Graham Wooden > t> To > Sent by: cisco-nsp at puck.nether.net > cisco-nsp-bounces cc > @puck.nether.net > Subject > [c-nsp] 7606 with SPA-2xT3, hot > 02/10/2009 01:43 insert - reboot required? > PM > > > > > > > > > > Hi fellas, > > I have a 7606 and I inserted (hot) a SPA-2xT3 card into my SIP400 > subslot (2/1), from which it shows up in various "show" commands > jst... but I doesn't give me the ability to actually config the > interfaces on it. Does it require a reboot for the serial interfaces > to come up? > > 7606, with dual 720's. Running > c7600s72033-adventerprisek9-mz.122-33.SRC.bin. > From the module guide, this is the first supported rev of this card > in the slot. > Any known issues, or does the box need to take a reboot? > > Thanks in advance, > > -graham > > > Feb 9 14:54:56 CST: %DIAG-SP-6-RUN_MINIMUM: Module 2/1: Running > Minimal Diagnostics... > Feb 9 14:54:57 CST: %DIAG-SP-6-DIAG_OK: Module 2/1: Passed Online > Diagnostics > Feb 9 14:54:57 CST: %SPA_OIR-6-ONLINECARD: SPA (SPA-2XT3/E3) online > in subslot 2/1 > > > #show hw-module subslot all oir > Module Model Operational Status > ------------- -------------------- ------------------------ > subslot 2/0 SPA-1XOC12-ATM ok > subslot 2/1 SPA-2XT3/E3 ok > > > #show hw-module subslot 2/1 fpd > > ==== ====================== ====== > ============================================= > H/W Field Programmable Current > Min. Required > Slot Card Type Ver. 
Device: "ID-Name" Version > Version > ==== ====================== ====== ================== =========== > ============== > 2/1 SPA-2XT3/E3 1.1 1-ROMMON 2.12 2.12 > 2-I/O FPGA 1.0 1.0 > 3-E3 FPGA 1.4 1.4 > 4-T3 FPGA 1.4 1.4 > ==== ====================== ====== > ============================================= > > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From kwoody at citytel.net Tue Feb 10 14:02:41 2009 From: kwoody at citytel.net (Keith) Date: Tue, 10 Feb 2009 11:02:41 -0800 (PST) Subject: [c-nsp] VTP domain. Message-ID: <20090210102330.K55176@pop.citytel.net> Have a 3560 I am configuring to replace a 3550. Somehow the 3560 grabbed a vtp domain name when it was connected to another switch in our lab rack. The switch is not part of any domain, it just pushes packets. The 3550 being replaced has no vtp domain name. Is it possible to remove the vtp domain name without deleting the vlan.dat file? I have looked over the TAC but see nothing really regarding removing a vtp domain name. Lots about adding one, not about removing one. There are two routed connections to two other switches, I don't have to worry about any vlan advertisments being sent from the 3560 as long as there are no trunks between switches correct? I'm very afraid of swapping out the switches and having vlan data overwritten... Thanks for any info. From RTeller at deltadentalwa.com Tue Feb 10 15:43:52 2009 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Tue, 10 Feb 2009 12:43:52 -0800 Subject: [c-nsp] VTP domain. In-Reply-To: <20090210102330.K55176@pop.citytel.net> References: <20090210102330.K55176@pop.citytel.net> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA134117A8@tiger.deltadentalwa.com> What is the current vtp mode of the switch? 
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Keith Sent: Tuesday, February 10, 2009 11:03 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] VTP domain. Have a 3560 I am configuring to replace a 3550. Somehow the 3560 grabbed a vtp domain name when it was connected to another switch in our lab rack. The switch is not part of any domain, it just pushes packets. The 3550 being replaced has no vtp domain name. Is it possible to remove the vtp domain name without deleting the vlan.dat file? I have looked over the TAC but see nothing really regarding removing a vtp domain name. Lots about adding one, not about removing one. There are two routed connections to two other switches, I don't have to worry about any vlan advertisments being sent from the 3560 as long as there are no trunks between switches correct? I'm very afraid of swapping out the switches and having vlan data overwritten... Thanks for any info. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. ######################################################### From kwoody at citytel.net Tue Feb 10 15:49:23 2009 From: kwoody at citytel.net (Keith) Date: Tue, 10 Feb 2009 12:49:23 -0800 (PST) Subject: [c-nsp] VTP domain. 
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA134117A8@tiger.deltadentalwa.com> References: <20090210102330.K55176@pop.citytel.net> <06C1E76E03FE9C4B85BFA9C75365D9DA134117A8@tiger.deltadentalwa.com> Message-ID: <20090210124831.K55176@pop.citytel.net> On Tue, 10 Feb 2009, Teller, Robert wrote: |->What is the current vtp mode of the switch? |-> |->Have a 3560 I am configuring to replace a 3550. Somehow the 3560 grabbed |->a |->vtp domain name when it was connected to another switch in our lab rack. |->The switch is not part of any domain, it just pushes packets. |-> |->The 3550 being replaced has no vtp domain name. Is it possible to remove |->the vtp domain name without deleting the vlan.dat file? I have looked |->over |->the TAC but see nothing really regarding removing a vtp domain name. |->Lots |->about adding one, not about removing one. |-> |->There are two routed connections to two other switches, I don't have to |->worry about any vlan advertisments being sent from the 3560 as long as |->there are no trunks between switches correct? I'm very afraid of |->swapping |->out the switches and having vlan data overwritten... Sorry should have posted that. VTP mode is server... From peter at rathlev.dk Tue Feb 10 15:56:18 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 10 Feb 2009 21:56:18 +0100 Subject: [c-nsp] VTP domain. In-Reply-To: <20090210102330.K55176@pop.citytel.net> References: <20090210102330.K55176@pop.citytel.net> Message-ID: <1234299378.7862.4.camel@localhost.localdomain> On Tue, 2009-02-10 at 11:02 -0800, Keith wrote: > Have a 3560 I am configuring to replace a 3550. Somehow the 3560 grabbed a > vtp domain name when it was connected to another switch in our lab rack. > The switch is not part of any domain, it just pushes packets. > > The 3550 being replaced has no vtp domain name. Is it possible to remove > the vtp domain name without deleting the vlan.dat file? 
I have looked over
> the TAC but see nothing really regarding removing a vtp domain name. Lots
> about adding one, not about removing one.
>
> There are two routed connections to two other switches, I don't have to
> worry about any vlan advertisements being sent from the 3560 as long as
> there are no trunks between switches correct? I'm very afraid of swapping
> out the switches and having vlan data overwritten...

Don't rely on different VTP domains (or even passwords) for this kind of separation. Instead set the device to use "vtp mode transparent". This way it will not send or receive VTP messages.

About the questions: AFAIK there's no way to explicitly set a "null" name for the VTP domain when it has already been set. And AFAIK you're right about VTP not being carried across access ports.

But do use transparent VTP mode if you need the switch to stay out of VTP.

Regards,
Peter

From kwoody at citytel.net Tue Feb 10 16:31:10 2009
From: kwoody at citytel.net (Keith)
Date: Tue, 10 Feb 2009 13:31:10 -0800 (PST)
Subject: [c-nsp] VTP domain.
In-Reply-To: <1234299378.7862.4.camel@localhost.localdomain>
References: <20090210102330.K55176@pop.citytel.net> <1234299378.7862.4.camel@localhost.localdomain>
Message-ID: <20090210125825.D55176@pop.citytel.net>

On Tue, 10 Feb 2009, Peter Rathlev wrote:
|->On Tue, 2009-02-10 at 11:02 -0800, Keith wrote:
|->> Have a 3560 I am configuring to replace a 3550. Somehow the 3560 grabbed a
|->> vtp domain name when it was connected to another switch in our lab rack.
|->> The switch is not part of any domain, it just pushes packets.
|->>
|->> The 3550 being replaced has no vtp domain name. Is it possible to remove
|->> the vtp domain name without deleting the vlan.dat file? I have looked over
|->> the TAC but see nothing really regarding removing a vtp domain name. Lots
|->> about adding one, not about removing one.
|->>
|->> There are two routed connections to two other switches, I don't have to
|->> worry about any vlan advertisements being sent from the 3560 as long as
|->> there are no trunks between switches correct? I'm very afraid of swapping
|->> out the switches and having vlan data overwritten...
|->
|->Don't rely on different VTP domains (or even passwords) for this kind of
|->separation. Instead set the device to use "vtp mode transparent". This
|->way it will not send or receive VTP messages.
|->
|->About the questions: AFAIK there's no way to explicitly set a "null"
|->name for the VTP domain when it has already been set. And AFAIK you're
|->right about VTP not being carried across access ports.
|->
|->But do use transparent VTP mode if you need the switch to stay out of
|->VTP.

We don't use VTP here at all. We keep vlans separate on each switch. I have not really thought about VTP much until going over all the things that can go wrong with this switch swap. All our switches do routing, so any links between switches are set no switchport and assigned IPs. I will change it to transparent mode just to make sure no vlan info is carried over the two links to the other switches.

Also thanks for the answer to the question regarding vtp domain names. I'm guessing the domain name that is there now and having the switch in transparent mode will not affect anything since it is not sending or receiving VTP messages?

Thanks again,
Keith

From mduksa at gmail.com Tue Feb 10 17:23:29 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 10 Feb 2009 14:23:29 -0800
Subject: [c-nsp] itu/c DWDM
Message-ID:

Hi - can anyone explain the difference between 'tunable optics' and DWDM capable cards on Cisco routers (7600, 12K and CRS), or is this the same?

Also, can in essence a 4-10GE-ITU/C (4x10G C-band DWDM PLIM on CRS) do the same thing as SPA-1x10GE-L-ITUC (1x10G C-Band spa) on 12K (port capacity put aside)?
Does this mean that I can have a single physical port (on a DWDM enabled 7600/12K/CRS cards/PLIMs) carrying traffic at various speeds over different wavelengths(BW totaling 10G for example for a 10G physical port)? For example, I can create one channel with oc-12 speed over one wavelength, another channel with oc-48 speed on another channel and then bind those channels to a sub-interface? Is this how this is done? With IPoDWDM optical integration they talk about eliminating transponders, but I'm not sure what those transponders would do anyway, before they drop traffic to an (RO)ADM? Can anyone shed some light on this please. Thanks, Marlon From swmike at swm.pp.se Tue Feb 10 17:36:48 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Tue, 10 Feb 2009 23:36:48 +0100 (CET) Subject: [c-nsp] itu/c DWDM In-Reply-To: References: Message-ID: On Tue, 10 Feb 2009, Marlon Duksa wrote: > Hi - can anyone explain difference between 'tunable optics' and DWDM > capable cards on Cisco routers (7600, 12K and CRS), or is this the same? Yes, that is the same. > Also, can in essence a 4-10GE-ITU/C (4x10G C-band DWDM PLIM on CRS) do the > same thing as SPA-1x10GE-L-ITUC (1x10G C-Band spa) on 12K (port capacity put > aside)? It's my understanding that they can. > Does this mean that I can have a single physical port (on a DWDM enabled > 7600/12K/CRS cards/PLIMs) carrying traffic at various speeds over > different wavelengths(BW totaling 10G for example for a 10G physical port)? > For example, I can create one channel with oc-12 speed over one wavelength, > another channel with oc-48 speed on another channel and then bind those > channels to a sub-interface? Is this how this is done? No, it's single wavelength at any given time, and it's 10G only, and it's single point to point link over that single DWDM wave. You can of course have multiple ports in your router and thus achieve multiple waves, but each port only outputs single wave. 
> With IPoDWDM optical integration they talk about eliminating transponders, > but I'm not sure what those transponders would do anyway, before they drop > traffic to an (RO)ADM? A DWDM transponder converts your 1310nm light into C-band single wavelength light and might add Forward Error Correction (FEC), plus supplies the people who run the DWDM with an administrative interface to monitor, both the DWDM side and the local tributary side. With the above router linecards you basically put the transponder into the router so the router outputs the C-band light and does FEC, and then you put this light via a variable attenuator into the DWDM system without any further Optical-Electrical-Optical conversion. -- Mikael Abrahamsson email: swmike at swm.pp.se From chris at chrisserafin.com Tue Feb 10 17:44:04 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Tue, 10 Feb 2009 16:44:04 -0600 Subject: [c-nsp] Sprint & AT&T BGP multihoming Message-ID: <49920334.6040306@chrisserafin.com> I am planning on multi-homing a client's Internet connection for redundancy, and wanted to know if anyone is doing this with Sprint and/or AT&T and has any pointers or 'gotchas' they have run into. I'm still months out from doing this and will most likely want to KEEP the existing subnets that they gave us (a /23 and /24), without the need for rebuilding a bunch or VPNs, re-IP'ing externally facing devices, and DNS changes for externally available web presence. Ideas? Comments? Concerns? Flames? Thanks, Chris Serafin chris at chrisserafin.com From dwcarder at wisc.edu Tue Feb 10 18:10:46 2009 From: dwcarder at wisc.edu (Dale W. Carder) Date: Tue, 10 Feb 2009 17:10:46 -0600 Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX In-Reply-To: References: Message-ID: <1D21D11C-D7DC-4315-9B06-EBCCC10AA563@wisc.edu> To answer your subject: no. 
On Feb 10, 2009, at 1:22 PM, Jeff Fitzwater wrote: > > We use snmp getnext and getbulk to get the ARP table from a router > that has ~16K entries and it takes about 10min to complete, with > ROUTER CPU at 100%. Our other routers have the same hardware and > IOS but have <10K entries and work fine. Same here. It's been that way for what seems like a long time though. > In the attached PDF from CISCO they explain the problem and also > state the if you turn on CEF (has always been on for long time) that > it is much faster since the FIB is already in a lexical order that > snmp likes. Since CEF is always on, why does it still take so long. http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml That document seems pretty dated and/or doesn't fit tcam based architectures. The solution could come in a couple of different forms: - a processor faster than what shipped in my cell phone (perhaps you would have had an rsp720 by now on 6500 had the 6500/7600 customer alienation not occurred, yada yada, Gert takes a deep breath) - maintaining a new datastructure in memory just to speed up these sorts of things. - finding a better sorting algorithm. - create a new mib that returns the values in hardware order. > At this point we basically cannot do any retrieval of the ARP tables. > Currently we use an expect script to get the table via CLI which is > much faster That's what we do too, and we also scrape the ipv6 neighbor cache. This all gets stuffed into sql. > but it doesn't help tools that must use snmp. I'm guessing you're referring to something that wants to use the arp table to help with topology discovery? I'll admit we gave up on that long ago, too. Dale From mduksa at gmail.com Tue Feb 10 18:33:12 2009 From: mduksa at gmail.com (Marlon Duksa) Date: Tue, 10 Feb 2009 15:33:12 -0800 Subject: [c-nsp] itu/c DWDM In-Reply-To: References: Message-ID: Got it. This help a lot. 
Thanks.Marlon On Tue, Feb 10, 2009 at 2:36 PM, Mikael Abrahamsson wrote: > On Tue, 10 Feb 2009, Marlon Duksa wrote: > > Hi - can anyone explain difference between 'tunable optics' and DWDM >> capable cards on Cisco routers (7600, 12K and CRS), or is this the same? >> > > Yes, that is the same. > > Also, can in essence a 4-10GE-ITU/C (4x10G C-band DWDM PLIM on CRS) do >> the >> same thing as SPA-1x10GE-L-ITUC (1x10G C-Band spa) on 12K (port capacity >> put >> aside)? >> > > It's my understanding that they can. > > Does this mean that I can have a single physical port (on a DWDM enabled >> 7600/12K/CRS cards/PLIMs) carrying traffic at various speeds over >> different wavelengths(BW totaling 10G for example for a 10G physical >> port)? >> For example, I can create one channel with oc-12 speed over one >> wavelength, >> another channel with oc-48 speed on another channel and then bind those >> channels to a sub-interface? Is this how this is done? >> > > No, it's single wavelength at any given time, and it's 10G only, and it's > single point to point link over that single DWDM wave. You can of course > have multiple ports in your router and thus achieve multiple waves, but each > port only outputs single wave. > > With IPoDWDM optical integration they talk about eliminating >> transponders, >> but I'm not sure what those transponders would do anyway, before they drop >> traffic to an (RO)ADM? >> > > A DWDM transponder converts your 1310nm light into C-band single wavelength > light and might add Forward Error Correction (FEC), plus supplies the people > who run the DWDM with an administrative interface to monitor, both the DWDM > side and the local tributary side. > > With the above router linecards you basically put the transponder into the > router so the router outputs the C-band light and does FEC, and then you put > this light via a variable attenuator into the DWDM system without any > further Optical-Electrical-Optical conversion. 
>
> --
> Mikael Abrahamsson email: swmike at swm.pp.se
>

From mtinka at globaltransit.net Tue Feb 10 18:54:18 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 11 Feb 2009 07:54:18 +0800
Subject: [c-nsp] VTP domain.
In-Reply-To: <20090210102330.K55176@pop.citytel.net>
References: <20090210102330.K55176@pop.citytel.net>
Message-ID: <200902110754.27311.mtinka@globaltransit.net>

On Wednesday 11 February 2009 03:02:41 am Keith wrote:
> The 3550 being replaced has no vtp domain name. Is it
> possible to remove the vtp domain name without deleting
> the vlan.dat file? I have looked over the TAC but see
> nothing really regarding removing a vtp domain name. Lots
> about adding one, not about removing one.

No clear way to do this, today, without deleting the 'vlan.dat' file. Wish that could be fixed.

But like you and others have said, maintaining VTP Transparent mode will ensure it stays away from VTP.

We used to "manually" clear VTP domain names, but recently found a batch of switches that had them configured. It's too much work to clear that, but we just say "no" to VTP anyway.

Cheers,
Mark.

From kwoody at citytel.net Tue Feb 10 20:05:48 2009
From: kwoody at citytel.net (Keith)
Date: Tue, 10 Feb 2009 17:05:48 -0800 (PST)
Subject: [c-nsp] VTP domain.
In-Reply-To: <200902110754.27311.mtinka@globaltransit.net>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net>
Message-ID: <20090210161624.I98205@pop.citytel.net>

On Wed, 11 Feb 2009, Mark Tinka wrote:
|->On Wednesday 11 February 2009 03:02:41 am Keith wrote:
|->
|->> The 3550 being replaced has no vtp domain name. Is it
|->> possible to remove the vtp domain name without deleting
|->> the vlan.dat file?
I have looked over the TAC but see |->> nothing really regarding removing a vtp domain name. Lots |->> about adding one, not about removing one. |-> |->No clear way to do this, today, without deleting the |->'vlan.dat' file. Wish that could be fixed. |-> |->But like you and others have said, maintaining VTP |->Transparent mode will ensure it stays away from VTP. |-> |->We used to "manually" clear VTP domain names, but recently |->found a batch of switches that had them configured. It's too |->much work to clear that, but we just say "no" to VTP anyway. Yes, not being able to delete a vtp domain name seems like something that should be able to be done from the command line, but there must be a good reason for it. I have only played with vtp in our lab rack of gear, never used it in a real network. Looking through the archives of this list, I see some have had some bad experiences with vtp. Something I wish to avoid. I have put the switch in transparent mode so it will not send/recieve vtp updates, just in case. Thanks, Keith From dale.shaw+cisco-nsp at gmail.com Tue Feb 10 20:16:18 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Wed, 11 Feb 2009 12:16:18 +1100 Subject: [c-nsp] VTP domain. In-Reply-To: <200902110754.27311.mtinka@globaltransit.net> References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> Message-ID: <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com> Hi, On Wed, Feb 11, 2009 at 10:54 AM, Mark Tinka wrote: > No clear way to do this, today, without deleting the > 'vlan.dat' file. Wish that could be fixed. Anyone out there sadistic enough to have tried copying out vlan.dat, nullifying the VTP domain with a hex editor, then copying it back in? I wonder if that works at all. The VTP domain name string can be up to 32 characters. It starts at position 0xA (10) and goes through to 0x29 (41). 
I suppose there's a strong possibility other parts of the file (other than the domain name string) are changed with a domain name change. SW1(config)#vtp domain ABCDEFGHIJKLMNOPQRSTUVWXYZABCABCABCABC Domain name is truncated to 32 characters, maximum VTP domain name length. Changing VTP domain name from ZAZAZAZAZAZAZAZAZAZAZAZAZAZAZAZ to ABCDEFGHIJKLMNOPQRSTUVWXYZABCABC SW1(config)#end SW1#more /binary vlan.dat 00000000: BADB100D 00000002 03204142 43444546 :[.. .... . AB CDEF 00000010: 4748494A 4B4C4D4E 4F505152 53545556 GHIJ KLMN OPQR STUV 00000020: 5758595A 41424341 42430000 00000000 WXYZ ABCA BC.. .... [...] So many silly ideas, so little time.. cheers, Dale From kwoody at citytel.net Tue Feb 10 22:51:58 2009 From: kwoody at citytel.net (Keith) Date: Tue, 10 Feb 2009 19:51:58 -0800 (PST) Subject: [c-nsp] VTP domain. In-Reply-To: <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com> References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com> Message-ID: <20090210194714.X30335@pop.citytel.net> On Wed, 11 Feb 2009, Dale Shaw wrote: |->Hi, |-> |->On Wed, Feb 11, 2009 at 10:54 AM, Mark Tinka wrote: |->> No clear way to do this, today, without deleting the |->> 'vlan.dat' file. Wish that could be fixed. |-> |->Anyone out there sadistic enough to have tried copying out vlan.dat, |->nullifying the VTP domain with a hex editor, then copying it back in? |->I wonder if that works at all. |-> |->The VTP domain name string can be up to 32 characters. It starts at |->position 0xA (10) and goes through to 0x29 (41). I suppose there's a |->strong possibility other parts of the file (other than the domain name |->string) are changed with a domain name change. |-> |->SW1(config)#vtp domain ABCDEFGHIJKLMNOPQRSTUVWXYZABCABCABCABC |->Domain name is truncated to 32 characters, maximum VTP domain name length. 
|->Changing VTP domain name from ZAZAZAZAZAZAZAZAZAZAZAZAZAZAZAZ to
|->ABCDEFGHIJKLMNOPQRSTUVWXYZABCABC
|->SW1(config)#end
|->SW1#more /binary vlan.dat
|->00000000: BADB100D 00000002 03204142 43444546 :[.. .... . AB CDEF
|->00000010: 4748494A 4B4C4D4E 4F505152 53545556 GHIJ KLMN OPQR STUV
|->00000020: 5758595A 41424341 42430000 00000000 WXYZ ABCA BC.. ....
|->[...]
|->
|->So many silly ideas, so little time..

A while back I took a vlan.dat file from a 24 port 3550 lab switch and moved it to a 48 port 3560 to see what would happen (and to see if it would save me time, in that I would not have to enter in the vlan info again) but the 3560 went into a continuous reboot. Had to go into boot mode and delete the vlan.dat. So much for a shortcut...

From cmadams at hiwaay.net Tue Feb 10 22:55:55 2009
From: cmadams at hiwaay.net (Chris Adams)
Date: Tue, 10 Feb 2009 21:55:55 -0600
Subject: [c-nsp] VTP domain.
In-Reply-To: <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com>
Message-ID: <20090211035554.GC1439943@hiwaay.net>

Once upon a time, Dale Shaw said:
> The VTP domain name string can be up to 32 characters. It starts at
> position 0xA (10) and goes through to 0x29 (41). I suppose there's a
> strong possibility other parts of the file (other than the domain name
> string) are changed with a domain name change.

The byte before that is the length of the domain name, so you'd have to change that too.

I don't know if this is documented anywhere, but I figured out most of the interesting (for me anyway) contents of vlan.dat:

off  len  description
  8    1  VTP Version
  9    1  VTP Domain Name length
 10    -  VTP Domain Name (length from offset 9)
 44    4  Configuration Revision
 48    4  Last modified from this IP
 56    2  Last modified time - 2 digit year (not Y2K!)
 58    2  Last modified time - month
 60    2  Last modified time - day
 62    2  Last modified time - hour
 64    2  Last modified time - minute
 66    2  Last modified time - second
148    4  Number of existing VLANs

Starting at offset 160, there is an array of 60 byte entries for each defined VLAN (number of entries from offset 148):

off  len  description
  0    1  VLAN name length
  1    -  VLAN name (length from offset 0)
 34    1  VLAN type
 36    2  VLAN MTU
 38    2  VLAN ID
 40    2  VLAN SAID

I'm sure there's more in there that is useful, but that was enough for my home-grown config saver to store a text config in CVS instead of a binary vlan.dat.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From gert at greenie.muc.de Wed Feb 11 02:48:11 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Feb 2009 08:48:11 +0100
Subject: [c-nsp] VTP domain.
In-Reply-To: <20090210125825.D55176@pop.citytel.net>
References: <20090210102330.K55176@pop.citytel.net> <1234299378.7862.4.camel@localhost.localdomain> <20090210125825.D55176@pop.citytel.net>
Message-ID: <20090211074811.GE290@greenie.muc.de>

Hi,

On Tue, Feb 10, 2009 at 01:31:10PM -0800, Keith wrote:
> We don't use VTP here at all.

In that case: make sure you actually turn it off ("vtp mode transparent" or "vtp mode off").

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From mvanton at gmail.com Wed Feb 11 02:49:48 2009 From: mvanton at gmail.com (vince anton) Date: Wed, 11 Feb 2009 08:49:48 +0100 Subject: [c-nsp] changes in 7600 with DFC3BXL In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D72E2D6F@xmb-ams-331.emea.cisco.com> References: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com> <78C984F8939D424697B15E4B1C1BB3D72E2D6F@xmb-ams-331.emea.cisco.com> Message-ID: <87e0d3ae0902102349o50134258w7052fff362c7d023@mail.gmail.com> Arie, thanks - is there any cisco document that goes into some detail about the various changes in behaviour/options between pfc and dfc, or should I open a case with TAC ? thanks Mark 2009/2/10 Arie Vayner (avayner) > Anton, > > With regards to policing, what would happen is that each DFC would have > its own policers, so if you a policy applied for a VLAN which has ports > on different module, each module would have its own policer with the > configured rate. This means that if you set a 10Mbps policer, but you > have ports on 2 separate cards, each card would apply a separate 10Mbps > policer (allowing in total a potential 20Mbps rate). > The same, BTW, applies to aggregate policers. > > The only change I can remember right now with regards to Etherchannel is > the optional capability of specifying a load balancing algorithm per > module. > > Arie > > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vince anton > Sent: Tuesday, February 10, 2009 15:06 > To: cisco-nsp > Subject: [c-nsp] changes in 7600 with DFC3BXL > > hey all, > > Quick question for you, hope you can help me. 
>
> I'm working on installing the DFCs in existing 67xx cards in our 7600s:
>
> 7606 w/SUP720-3BXL
> 2 x 6748-GE-TX
> 1 x 6704
>
> I'm aware there are some differences in how the box reacts when a DFC is
> installed (the PFC will no longer need to make all the decisions,
> etc...).
> In particular this seems to change the behaviour for qos policers as
> well as L2 etherchannels. I'm using both of these, but I can't seem to find any
> definite documentation on CCO explaining the exact changes and perhaps
> any recommendations. Of course I need to know how the box will behave in
> order to plan for this as part of the DFC upgrade, and so far all I found was
> an FAQ at
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml
> which doesn't give so much detail, and a few items in the archives of the
> list which touched the surface but didn't dig deep.
>
> would appreciate if anyone can share any detailed info as to how qos and
> etherchannel behaviour changes in PFC vs DFCX3BXL
>
> thanks,
>
> anton
>
--
Thanks,
anton

From gert at greenie.muc.de Wed Feb 11 02:55:16 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Feb 2009 08:55:16 +0100
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX
In-Reply-To: <1D21D11C-D7DC-4315-9B06-EBCCC10AA563@wisc.edu>
References: <1D21D11C-D7DC-4315-9B06-EBCCC10AA563@wisc.edu>
Message-ID: <20090211075516.GF290@greenie.muc.de>

Hi,

On Tue, Feb 10, 2009 at 05:10:46PM -0600, Dale W. Carder wrote:
> - a processor faster than what shipped in my cell phone
> (perhaps you would have had an rsp720 by now on 6500 had the
> 6500/7600 customer alienation not occurred, yada yada, Gert
> takes a deep breath)

This is getting sort of a running gag, isn't it...?
:) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From gert at greenie.muc.de Wed Feb 11 03:29:11 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 11 Feb 2009 09:29:11 +0100 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: <49908448.6080300@justinshore.com> References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> <49908448.6080300@justinshore.com> Message-ID: <20090211082911.GH290@greenie.muc.de> Hi, this is turning religious, but still... On Mon, Feb 09, 2009 at 01:30:16PM -0600, Justin Shore wrote: > One thing on my to do list is to figure out how to always reject lease > extension requests to force the CPE to pull a new IP every time a lease > expires. This would prevent many of the less technical users from > trying to run a publicly-accessible server. ... I think the current state of IP end-to-end connectivity is bad enough, as it goes (NAT, dynamic addressing, etc.). It would be much better to invest work to *return* to a proper Internet, where people can *reach* other people, instead of trying to break things even further. If your business side of things is messed up (otherwise, why would you care what sort of IP application the client runs? they pay for "Internet access" not for "client access", no?) and you need to break your clients' servers, block outgoing SYNs to ports <1024... But as I said: this is not really a technical issue, more layer 8 to 10 ("financial, political, religious"). gert -- USENET is *not* the non-clickable part of WWW! 
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From Steven.Glogger at swisscom.com Wed Feb 11 03:31:42 2009
From: Steven.Glogger at swisscom.com (Steven.Glogger at swisscom.com)
Date: Wed, 11 Feb 2009 09:31:42 +0100
Subject: [c-nsp] VTP domain.
In-Reply-To: <200902110754.27311.mtinka@globaltransit.net>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net>
Message-ID: <1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net>

VTP transparent switches DO forward VTP messages (if using version 2). see:

"VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2, transparent switches do forward VTP advertisements that they receive from other switches from their trunk interfaces."

don't forget: the VTP domain can be learned if NO domain is given - the switch takes the first domain it sees in a VTP message.

make sure that you put switches in transparent mode if you want to prevent disasters. we all know that the highest revision number in a domain wins. a client can overwrite all other switches (incl. server) if the revision number is higher and if it has the same domain name....

vtp is evil as we all know ,-)

to remove the domain name just set another one.

-steven

ps: your guide for any VTP questions:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swvtp.html

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Wednesday, February 11, 2009 12:54 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VTP domain.

On Wednesday 11 February 2009 03:02:41 am Keith wrote:

> The 3550 being replaced has no vtp domain name. Is it possible to
> remove the vtp domain name without deleting the vlan.dat file? I have
> looked over the TAC but see nothing really regarding removing a vtp
> domain name. Lots about adding one, not about removing one.

No clear way to do this, today, without deleting the 'vlan.dat' file. Wish that could be fixed.

But like you and others have said, maintaining VTP Transparent mode will ensure it stays away from VTP.

We used to "manually" clear VTP domain names, but recently found a batch of switches that had them configured. It's too much work to clear that, but we just say "no" to VTP anyway.

Cheers,

Mark.

From paul.cosgrove at heanet.ie Wed Feb 11 05:43:12 2009
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Wed, 11 Feb 2009 10:43:12 +0000
Subject: [c-nsp] VTP domain.
In-Reply-To: <1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> <1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net>
Message-ID: <4992ABC0.7050100@heanet.ie>

The behaviour regarding forwarding VTP messages is identical between transparent mode in either VTP version; if the domain name is null all VTP messages are forwarded, while if it is set only messages for that domain are forwarded. Apparently this changed sometime in the distant past but the documentation was not updated (at least it wasn't the last time I looked).
You can find more information about this here:
http://www.groupstudy.com/archives/ccielab/200704/msg01533.html

You can see that there is also a mention there, apparently from a member of Cisco TAC, that a capability to set a VTP domain name to Null had been considered but a decision was made not to implement it.

To stop any VTP messages being forwarded, if you really need to, you can use MAC ACLs matching the destination address (0100.0ccc.cccc) and ethertype (0x2003). If on the other hand you need the VTP messages to be forwarded for multiple domains, without affecting this switch, then you may need to delete the vlan.dat, change to transparent mode and reload.

Paul.

Steven.Glogger at swisscom.com wrote:
> [Steven's message of 09:31 (including the Mark Tinka and Keith text it quotes) is repeated in full here; see above.]

From avayner at cisco.com Wed Feb 11 06:22:28 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 11 Feb 2009 12:22:28 +0100
Subject: [c-nsp] changes in 7600 with DFC3BXL
In-Reply-To: <87e0d3ae0902102349o50134258w7052fff362c7d023@mail.gmail.com>
References: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com> <78C984F8939D424697B15E4B1C1BB3D72E2D6F@xmb-ams-331.emea.cisco.com> <87e0d3ae0902102349o50134258w7052fff362c7d023@mail.gmail.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D734B502@xmb-ams-331.emea.cisco.com>

Vince,

TAC is not the right place for this... TAC is meant to deal with break and fix situations...

The best places I would look for information would be the configuration guides (just search for the word DFC inside the docs using the browser):
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/book.html

A good pointer to understand what PFC/DFC support is affecting:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/intro.html#wp1029188

Arie

From: vince anton [mailto:mvanton at gmail.com]
Sent: Wednesday, February 11, 2009 09:50
To: Arie Vayner (avayner)
Cc: cisco-nsp
Subject: Re: [c-nsp] changes in 7600 with DFC3BXL

[vince anton's message of 08:49, together with the earlier Arie Vayner reply and the original question it quotes, is repeated in full here; see above.]

From john.douglas at gmail.com Wed Feb 11 08:36:14 2009
From: john.douglas at gmail.com (john douglas)
Date: Wed, 11 Feb 2009 23:36:14 +1000
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
Message-ID: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com>

Hi All,

I am hoping someone may have some guidance.

We have some 7301 NPE-G1 running 12.2(33)SRC3 connected to a Catalyst 3560 switch, dot1q trunking with a few VLANs. I find on the 7301 router whenever I try to drive a given gigabit sub-interface beyond about 200mbps I begin to see Input Errors (Overruns) incrementing on the physical interface and begin exhibiting packet loss. Under the show controller information I see rx_overrun and rx_int_drop incrementing - all other Rx error values under the "Statistics" section are zero. On the switch I see pause input incrementing, but no errors. CPU is 40%.

I have read other postings about this being attributed to microbursts of traffic but I am still a little unclear. I am trying to work out:

1) Does the G1 correctly support pause frames?

2) Are there any knobs we can tweak - or are we simply hitting the limits of the silicon?

The short term solution has been to spread the VLAN sub-interfaces over the 3 gig interfaces, however this leaves me in a situation where I cannot really use EEM to migrate sub-interface config from one gigabit interface to another should there be a failure, as the target interface will be exhibiting overruns and loss.
Any advice appreciated,

Kind regards,

John

From vedlabs at gmail.com Wed Feb 11 08:37:37 2009
From: vedlabs at gmail.com (Ved Labs)
Date: Wed, 11 Feb 2009 19:07:37 +0530
Subject: [c-nsp] Intercos Bursting
Message-ID: <7db92dcc0902110537t7dac2dcahf9463b7e9ddc1368@mail.gmail.com>

What is intercos bursting and what purpose does it solve in QoS?

From llc at dansketelecom.com Wed Feb 11 08:47:34 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Wed, 11 Feb 2009 14:47:34 +0100
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
In-Reply-To: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com>
References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com>
Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com>

Hi John

We had the same issue a few years ago on a Cisco 7204VXR with the NPE-G1 processor. I believe we were told that we had hit the max capacity of the router.

______________________________________

Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292

Danske Telecom A/S
Sundkrogsgade 13, 4
2100 København Ø

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of john douglas
Sent: 11. februar 2009 14:36
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns

[John Douglas's original message is repeated in full here; see above.]

From rodunn at cisco.com Wed Feb 11 08:51:19 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 11 Feb 2009 08:51:19 -0500
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
In-Reply-To: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com>
References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com>
Message-ID: <20090211135119.GJ18683@rtp-cse-489.cisco.com>

Whenever you reference load it's always best to specify both bps and pps because it's the pps that drives the switching capacity of the box to its limits the fastest. It has to do the work on every packet.

It's software forwarding only. You would be better off with an ASR1000.

I forget the PAUSE frame scenario with it.

Rodney

On Wed, Feb 11, 2009 at 11:36:14PM +1000, john douglas wrote:
> [John Douglas's original message is quoted in full here; see above.]

From maillist at webjogger.net Wed Feb 11 08:58:30 2009
From: maillist at webjogger.net (Adam Greene)
Date: Wed, 11 Feb 2009 08:58:30 -0500
Subject: [c-nsp] Sprint & AT&T BGP multihoming
References: <49920334.6040306@chrisserafin.com>
Message-ID:

Had a good experience multihoming to AT&T, including fixing an issue with balancing traffic between the two providers, which we solved through advertisement of community strings. The engineer I spoke with was extremely knowledgeable. This was already a few years ago, though ...
----- Original Message -----
From: "ChrisSerafin"
To:
Sent: Tuesday, February 10, 2009 5:44 PM
Subject: [c-nsp] Sprint & AT&T BGP multihoming

> I am planning on multi-homing a client's Internet connection for
> redundancy, and wanted to know if anyone is doing this with Sprint and/or
> AT&T and has any pointers or 'gotchas' they have run into.
>
> I'm still months out from doing this and will most likely want to KEEP the
> existing subnets that they gave us (a /23 and /24), without the need for
> rebuilding a bunch of VPNs, re-IP'ing externally facing devices, and DNS
> changes for externally available web presence.
>
> Ideas? Comments? Concerns? Flames?
>
> Thanks,
>
> Chris Serafin
> chris at chrisserafin.com

From maillist at webjogger.net Wed Feb 11 09:04:54 2009
From: maillist at webjogger.net (Adam Greene)
Date: Wed, 11 Feb 2009 09:04:54 -0500
Subject: [c-nsp] VTP domain.
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> <1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net> <4992ABC0.7050100@heanet.ie>
Message-ID: <76EDD0CB80234F5CB478CC01858AC161@GINKGO>

In light of all the disasters that can happen with VTP, do people in general think it's worth the risk of deploying? We're getting pretty tired of adding / removing VLANs manually throughout various parts of our network, and find that it is prone to sloppiness (i.e. VLANs being left on links where they don't belong). Not sure which is the greater evil ....

----- Original Message -----
From: "Paul Cosgrove"
To:
Cc:
Sent: Wednesday, February 11, 2009 5:43 AM
Subject: Re: [c-nsp] VTP domain.
> [Paul Cosgrove's message of 10:43, and the Steven Glogger / Mark Tinka / Keith messages it quotes, are repeated in full here; see above.]

From almidoster at gmail.com Wed Feb 11 09:20:40 2009
From: almidoster at gmail.com (almidoster at gmail.com)
Date: Wed, 11 Feb 2009 09:20:40 -0500
Subject: [c-nsp] Dynamic Vlan with 3750
Message-ID:

Hi list,

I have one 3750 switch and five 3560 switches in my LAN; the central switch is the 3750. I have a D-Link access point in a permanent place, and I have configured wireless to use another VLAN, but I have some access points that we have to move around inside the building. I want to deploy dynamic VLANs. Is it possible to deploy with these models? I heard that I would have to buy a 6500.

Regards

From rodunn at cisco.com Wed Feb 11 09:24:11 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 11 Feb 2009 09:24:11 -0500
Subject: [c-nsp] Frame-relay to MLPPP traffic shaping and QoS?
In-Reply-To: <001401c98b9e$225b9250$371e0a0a@bonestroo.com>
References: <001401c98b9e$225b9250$371e0a0a@bonestroo.com>
Message-ID: <20090211142411.GM18683@rtp-cse-489.cisco.com>

This is a common question when the SP QoS isn't being used.

Your only option is to use what we call hierarchical shaping at the hub to create a "fake" congestion point there to do the QoS before it's sent to the cloud.

It looks like this sorta:

policy-map spokeqos
 class spoke1
   policy-map spoke1
 class spoke2
   policy-map spoke2
 ...

Then you define a class for each spoke to match on its IP subnet:

class-map match-any spoke1
 match access-group 101

access-list 101 permit ip any ...

Then for your spoke QoS policy you shape it down and do the QoS for the traffic.
i.e.:

class-map match-all data
 match ip precedence 4
class-map match-any spoke2
 match access-group 102
class-map match-any spoke1
 match access-group 101
class-map match-all voice
 match ip precedence 5
!
!
policy-map spokecbwfq
 class voice
  priority 200
 class data
  bandwidth 200
policy-map spokeqos
 class spoke1
  shape average 3000000
  service-policy spokecbwfq
 class spoke2
  shape average 3000000
  service-policy spokecbwfq
...

R2_#sh policy-map int e0/0
 Ethernet0/0

  Service-policy output: spokeqos

    Class-map: spoke1 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 101
        0 packets, 0 bytes
        5 minute rate 0 bps
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          3000000/3000000   18750  75000     75000     25        9375

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         0         0         0         0         no

      Service-policy : spokecbwfq

        Class-map: voice (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 5
          Queueing
            Strict Priority
            Output Queue: Conversation 136
            Bandwidth 200 (kbps) Burst 5000 (Bytes)
            (pkts matched/bytes matched) 0/0
            (total drops/bytes drops) 0/0

        Class-map: data (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 4
          Queueing
            Output Queue: Conversation 137
            Bandwidth 200 (kbps)Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
            (depth/total drops/no-buffer drops) 0/0/0

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: spoke2 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 102
        0 packets, 0 bytes
        5 minute rate 0 bps
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          3000000/3000000   18750  75000     75000     25        9375

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         0         0         0         0         no

      Service-policy : spokecbwfq

        Class-map: voice (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 5
          Queueing
            Strict Priority
            Output Queue: Conversation 136
            Bandwidth 200 (kbps) Burst 5000 (Bytes)
            (pkts matched/bytes matched) 0/0
            (total drops/bytes drops) 0/0

        Class-map: data (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 4
          Queueing
            Output Queue: Conversation 137
            Bandwidth 200 (kbps)Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
            (depth/total drops/no-buffer drops) 0/0/0

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      37 packets, 3872 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
...

the problem though is I can't remember if we could support a two level shaper such that you could do shaping at the top parent level to control burst above the 12Mbps limit.

Rodney

On Tue, Feb 10, 2009 at 10:39:23AM -0600, Dave Edmondson wrote:
> Hello all,
>
> I have inherited a network used for data, VoIP, and video conferencing. The central site has a DS3 with a 12 mbps frame-relay interface into a Juniper-based MPLS and a 12 mbps frame-relay interface to the Internet.
>
> The remote sites on the MPLS network have 2XT1 MLPPP interfaces, with all Internet access via the central site. My central site has a Cisco 3845 (12.4(3f)) with an NM1-T3/E3 card, the remotes all have Cisco 1841 (12.3(10.3)T2).
>
> We do video conferences between sites on the MPLS and FTP is used to move multi-gigabyte files from the central site to the remote sites and from remote site to remote site. Email servers are all at the main site. We are moving toward central storage as well, so some backups are done from remote sites to the central site. And they want to provide streaming media for training...
>
> We are not doing any BGP or OSPF, just static routes.
Each site has a /16 > assigned. > > 3 meg MLPPP 1841, 10.20.X.X > | > | > > 3 meg MLPPP 1841, 10.20.X.X--- MPLS ---3 meg MLPPP 1841, 10.30.X.X > > | > | > DS3 w/12 meg frame relay PVC to 3845, 10.10.X.X > > My challenge: > > 1) Shape traffic or rate limit to 3 megs from the central site to each of > the remote sites so I don't overrun the remote site bandwidth. > > 2) Apply QoS to traffic destined for each specific remote originating from > the central site, rate-limiting some protocols (like FTP). > > I am familiar with QoS configs on MLPPP bundles in Cisco, but I know nothing > about traffic shaping and QoS on frame relay interfaces. If ignorance is > bliss, I've been pretty happy until now.... > > Suggestions? > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From achatz at forthnet.gr Wed Feb 11 09:26:07 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 11 Feb 2009 16:26:07 +0200 Subject: [c-nsp] 7301 NPE-G1 gigabit overruns In-Reply-To: <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com> References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com> Message-ID: <4992DFFF.9070508@forthnet.gr> We had a similar case with microbursts and lots of small packets and after moving to NPE-G2, we're very happy with it. Traffic goes up, CPU is blocked at 75%, still no sign of drops. Regarding the pause frames, i'm too very confused about them being supported. http://markmail.org/message/y7bjuudmbrfofp6z -- Tassos Lars Lystrup Christensen wrote on 11/02/2009 15:47: > Hi John > > We had the same issue a few years ago on a Cisco 7204VXR with the NPE-G1 processor. I believe we were told, that we had hit the max capacity of the router. 
>
> ______________________________________
>
> Med venlig hilsen / Kind regards
>
> Lars Lystrup Christensen
> Director of Engineering, CCIE(tm) #20292
>
> Danske Telecom A/S
> Sundkrogsgade 13, 4
> 2100 København Ø
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of john douglas
> Sent: 11 February 2009 14:36
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
>
> Hi All,
>
> I am hoping someone may have some guidance.
>
> We have some 7301 NPE-G1 running 12.2(33)SRC3 connected to Catalyst 3560 switch, dot1q trunking with a few Vlans. I find on the 7301 router whenever I try to drive a given gigabit sub interface beyond about 200mbps I begin to see Input Errors (Overruns) incrementing on the physical interface and begin exhibiting packet loss. Under the show controller information I see rx_overrun and rx_int_drop incrementing - all other Rx error values under "Statistics" section are zero. On the switch I see pause input incrementing, but no errors. Cpu is 40%.
>
> I have read other postings about this being attributed to microburst of traffic but I am still a little unclear. I am trying to work out:
>
> 1) Does the G1 correctly support pause frames?
>
> 2) Are there any knobs we can tweak - or are we simply hitting the limits of the silicon?
>
> The short term solution has been to spread the vlan sub interfaces over the 3 gig interfaces however this leaves me in a situation where I cannot really use EEM to migrate sub interface config from one gigabit interface to another should there be a failure, as the target interface will be exhibiting overruns and loss.
>
> Any advice appreciated,
>
> Kind regards,
>
> John

From rodunn at cisco.com Wed Feb 11 09:47:54 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 11 Feb 2009 09:47:54 -0500
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
In-Reply-To: <4992DFFF.9070508@forthnet.gr>
References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com> <4992DFFF.9070508@forthnet.gr>
Message-ID: <20090211144754.GP18683@rtp-cse-489.cisco.com>

On Wed, Feb 11, 2009 at 04:26:07PM +0200, Tassos Chatzithomaoglou wrote:
> We had a similar case with microbursts and lots of small packets and after moving to NPE-G2, we're very happy with it.
> Traffic goes up, CPU is blocked at 75%, still no sign of drops.

Good to know. It all depends on the load. The direction forward is hw based forwarding for gige line rate traffic (ASR1000, 76xx, etc..)

> Regarding the pause frames, I'm also very confused about whether they are supported.
> http://markmail.org/message/y7bjuudmbrfofp6z

I've done some research and there appears to be some issues on how the MAC chip can account for the pause frames sent/received although it does appear to support flow control. But my *opinion* on that is flow control is a wasted effort because you can't quantify the burst and therefore you just buffer on the other side and risk drops there.

Rodney

> --
> Tassos
>
> Lars Lystrup Christensen wrote on 11/02/2009 15:47:
> >Hi John
> >
> >We had the same issue a few years ago on a Cisco 7204VXR with the NPE-G1 processor.
> >I believe we were told that we had hit the max capacity of the router.
From kratzers at ctinetworks.com Wed Feb 11 10:05:39 2009
From: kratzers at ctinetworks.com (Stephen Kratzer)
Date: Wed, 11 Feb 2009 10:05:39 -0500
Subject: [c-nsp] Sprint & AT&T BGP multihoming
In-Reply-To:
References: <49920334.6040306@chrisserafin.com>
Message-ID: <200902111005.39980.kratzers@ctinetworks.com>

Deleted the original post, so I'll reply to this leaf...

ATT is fine. Make sure that Sprint, at that particular location, has multiple transit providers. We are multihomed at one location with Embarq and Level3. As it turns out, Embarq's sole transit provider at that location IS Level3 making the Embarq connection all but useless as far as diverse, load-balanced routing is concerned.

Stephen Kratzer
Network Engineer
CTI Networks, Inc.

On Wednesday 11 February 2009 08:58:30 Adam Greene wrote:
> Had a good experience multihoming to AT&T, including fixing an issue with balancing traffic between the two providers, which we solved through advertisement of community strings. The engineer I spoke with was extremely knowledgeable.
>
> This was already a few years ago, though ...
>
> ----- Original Message -----
> From: "ChrisSerafin"
> To:
> Sent: Tuesday, February 10, 2009 5:44 PM
> Subject: [c-nsp] Sprint & AT&T BGP multihoming
>
> > I am planning on multi-homing a client's Internet connection for redundancy, and wanted to know if anyone is doing this with Sprint and/or AT&T and has any pointers or 'gotchas' they have run into.
> >
> > I'm still months out from doing this and will most likely want to KEEP the existing subnets that they gave us (a /23 and /24), without the need for rebuilding a bunch of VPNs, re-IP'ing externally facing devices, and DNS changes for externally available web presence.
> >
> > Ideas? Comments? Concerns? Flames?
> >
> > Thanks,
> >
> > Chris Serafin
> > chris at chrisserafin.com

From peter at rathlev.dk Wed Feb 11 10:27:01 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 11 Feb 2009 16:27:01 +0100
Subject: [c-nsp] VTP domain.
In-Reply-To: <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> <1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net> <4992ABC0.7050100@heanet.ie> <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
Message-ID: <1234366021.14934.3.camel@localhost.localdomain>

On Wed, 2009-02-11 at 09:04 -0500, Adam Greene wrote:
> In light of all the disasters that can happen with VTP, do people in general think it's worth the risk of deploying?
>
> We're getting pretty tired of adding / removing VLANs manually throughout various parts of our network, and find that it is prone to sloppiness (i.e. vlans being left on links where they don't belong).
>
> Not sure which is the greater evil ....

VTP is the greater evil, no question in my eyes.

We roll out configurations with a bash-script using SNMP and netConfigSet, and pushing it to many switches is no problem this way.
We have scripts comparing running configurations with expected parameters for various things, so we know where we have mis-configurations. (Getting around to fixing it is another matter.)

So if the network is large enough for chores like this to be tedious you probably have/want a general configuration tool anyway.

Regards,
Peter

From antonio.soares at convex.pt Wed Feb 11 10:36:16 2009
From: antonio.soares at convex.pt (Antonio M. Soares)
Date: Wed, 11 Feb 2009 15:36:16 -0000
Subject: [c-nsp] BGP MSS=576 bytes
Message-ID:

Hello group,

I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:

++++++++++++++++++++++++++
6500>sh ip bgp neighbors x.x.x.x

...

Datagrams (max data segment is 536 bytes):
Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
6500>
++++++++++++++++++++++++++

The documentation says that PMTUD is enabled by default so this should not be happening:

++++++++++++++++++++++++++
BGP Neighbor Session TCP PMTUD

TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions.
To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
++++++++++++++++++++++++++

I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:

++++++++++++++++++++++++++
6500>sh int tenGigabitEthernet x/x | inc MTU
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
6500>
6500>
6500>sh ip int tenGigabitEthernet x/x | inc MTU
MTU is 1500 bytes
6500>
++++++++++++++++++++++++++

Any explanation to this strange behavior ?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From skoal at skoal.name Wed Feb 11 10:46:17 2009
From: skoal at skoal.name (Gergely Antal)
Date: Wed, 11 Feb 2009 16:46:17 +0100
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To:
References:
Message-ID: <4992F2C9.2000009@skoal.name>

is "ip mtu 1500" set on the interfaces?

Antonio M. Soares wrote:
> Hello group,
>
> I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:
>
> ++++++++++++++++++++++++++
> 6500>sh ip bgp neighbors x.x.x.x
> ...
> Datagrams (max data segment is 536 bytes):
> Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
> Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
> 6500>
> ++++++++++++++++++++++++++
From jared at puck.nether.net Wed Feb 11 10:49:22 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 11 Feb 2009 10:49:22 -0500
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <4992F2C9.2000009@skoal.name>
References: <4992F2C9.2000009@skoal.name>
Message-ID: <20090211154922.GA17422@puck.nether.net>

You want to enable

'ip tcp path-mtu-discovery'

globally. This will allow it to scale outside the default 536, and if you are using jumbo mtu, may cause significantly reduced convergence times since it takes fewer packets to send those bgp updates.

- Jared

On Wed, Feb 11, 2009 at 04:46:17PM +0100, Gergely Antal wrote:
> is "ip mtu 1500" set on the interfaces?
>
> Antonio M. Soares wrote:
> > Hello group,
> >
> > I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes.
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
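The 536-byte fallback Antonio is seeing, Jared's global knob, and the ICMP caveat raised later in the thread (PMTUD only works if "fragmentation needed" messages get back to the sender), as an added example that is not part of the original posts: a Python helper that pulls the negotiated MSS out of `show ip bgp neighbors` output, flags sessions sitting at the IOS default while the interface MTU would allow more, checks a running config for `ip tcp path-mtu-discovery`, and models what PMTUD converges on when an intermediate hop silently drops DF-marked segments. The show output, the config fragment, the neighbor addresses and the per-hop MTUs are constructed samples, not captures from the poster's 6500.

```python
"""
Audit helper for the "BGP MSS=536" symptom discussed in this thread.
Added example, not code from the original posts. SAMPLE_SHOW and
SAMPLE_CONFIG are constructed; the neighbor addresses are placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

IOS_DEFAULT_MSS = 536      # what a session gets when nothing larger is discovered
IPV4_TCP_HEADERS = 40      # 20-byte IPv4 header + 20-byte TCP header, no options

# Each neighbor block in 'show ip bgp neighbors' opens with this header line.
NEIGHBOR_RE = re.compile(r"^BGP neighbor is ([^,\s]+),", re.MULTILINE)
MSS_RE = re.compile(r"max data segment is (\d+) bytes")


def parse_neighbor_mss(show_output: str) -> Dict[str, int]:
    """Map each BGP neighbor address to the MSS reported in its TCP statistics."""
    # re.split with a capture group yields [preamble, addr1, body1, addr2, body2, ...]
    chunks = NEIGHBOR_RE.split(show_output)
    result: Dict[str, int] = {}
    for addr, body in zip(chunks[1::2], chunks[2::2]):
        match = MSS_RE.search(body)
        if match:
            result[addr] = int(match.group(1))
    return result


def pmtud_configured(running_config: str) -> bool:
    """True when 'ip tcp path-mtu-discovery' is present as a global config line."""
    return any(line.strip() == "ip tcp path-mtu-discovery"
               for line in running_config.splitlines())


def audit_sessions(show_output: str,
                   interface_mtu: int = 1500) -> List[Tuple[str, int, int]]:
    """Return (neighbor, negotiated_mss, mss_the_mtu_would_allow) for every
    session stuck at the 536-byte default although the MTU permits more."""
    expected = interface_mtu - IPV4_TCP_HEADERS
    findings = []
    for addr, mss in parse_neighbor_mss(show_output).items():
        if mss == IOS_DEFAULT_MSS and expected > IOS_DEFAULT_MSS:
            findings.append((addr, mss, expected))
    return findings


def pmtud_effective_mtu(local_mtu: int,
                        path: List[Tuple[int, bool]]) -> Optional[int]:
    """Model PMTUD over a path of (hop_mtu, icmp_frag_needed_reaches_sender).
    Returns the MTU the sender converges on, or None when a hop with a smaller
    MTU drops the DF-marked segment but its ICMP type 3 code 4 is filtered
    on the way back: the sender never learns why, i.e. a PMTUD black hole."""
    current = local_mtu
    for hop_mtu, icmp_reaches_sender in path:
        if hop_mtu < current:
            if not icmp_reaches_sender:
                return None
            current = hop_mtu
    return current


# Constructed sample: two neighbor blocks, one at the default, one discovered.
SAMPLE_SHOW = """\
BGP neighbor is 192.0.2.1,  remote AS 64496, external link
  ...
  Datagrams (max data segment is 536 bytes):
    Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
BGP neighbor is 198.51.100.1,  remote AS 64497, external link
  ...
  Datagrams (max data segment is 1460 bytes):
    Rcvd: 120 (out of order: 0), with data: 80, total data bytes: 9000
"""

# Constructed running-config fragment with the global knob absent.
SAMPLE_CONFIG = """\
!
hostname 6500
no ip domain-lookup
!
"""

if __name__ == "__main__":
    for addr, mss, expected in audit_sessions(SAMPLE_SHOW):
        print(f"{addr}: MSS {mss}, interface MTU would allow {expected}")
    print("ip tcp path-mtu-discovery configured:", pmtud_configured(SAMPLE_CONFIG))
    print("PMTUD, ICMP passing: ", pmtud_effective_mtu(1500, [(1500, True), (1400, True)]))
    print("PMTUD, ICMP filtered:", pmtud_effective_mtu(1500, [(1500, True), (1400, False)]))
```

Feed it the full `show ip bgp neighbors` text and the running config of the router in question. The threshold is MTU minus 40 bytes of IPv4 and TCP headers, so treat it as an upper bound: an implementation that reserves room for TCP options will report somewhat less once discovery works. The black-hole case is the one to keep in mind before turning the knob on everywhere: a session whose path has a filtered ICMP hop will stall on large updates rather than fall back, which is exactly the situation the Cisco documentation quoted above says the per-neighbor disable is for.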
From cchurc05 at harris.com Wed Feb 11 10:50:27 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 11 Feb 2009 09:50:27 -0600
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To:
References:
Message-ID:

Is "ip tcp path-mtu-discovery" in the global config?

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio M. Soares
Sent: Wednesday, February 11, 2009 10:36 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP MSS=576 bytes

Hello group,

I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes.
From paul.cosgrove at heanet.ie Wed Feb 11 10:51:08 2009
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Wed, 11 Feb 2009 15:51:08 +0000
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To:
References:
Message-ID: <4992F3EC.9000207@heanet.ie>

TCP sessions normally use 536 if they are established between IPs which are not directly connected. You may see the same on MSDP peerings. Enabling Path MTU Discovery allows the actual end to end MSS to be determined, provided the ICMP type 3 code 4 messages are not blocked along the way.

Paul.

Antonio M. Soares wrote:
> Hello group,
>
> I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:
>
> ++++++++++++++++++++++++++
> 6500>sh ip bgp neighbors x.x.x.x
>
> ...
From schilling2006 at gmail.com Wed Feb 11 11:24:43 2009
From: schilling2006 at gmail.com (schilling)
Date: Wed, 11 Feb 2009 11:24:43 -0500
Subject: [c-nsp] Cisco Hard Copy Configuration Guides and Command References
Message-ID:

How to obtain Cisco Hard Copy materials? For example Cisco IOS 12.4 mainline. I read some old emails in this mailing list, somebody said smartnet will qualify the printed materials. Our account manager was saying that hard copy materials only come with new purchase. Is it still possible to get printed materials from Cisco with no charge given that we have a lot of cisco equipments and smartnet?

Thanks.

Schilling

From leonardo.souza at nec.com.br Wed Feb 11 11:09:28 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 11 Feb 2009 14:09:28 -0200
Subject: [c-nsp] RES: BGP MSS=576 bytes
In-Reply-To: <20090211154922.GA17422@puck.nether.net>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br>

Wasn't it supposed to be enabled by default for all BGP neighbors?
I think that's the point...

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Jared Mauch
Sent: Wednesday, 11 February 2009 13:49
To: Gergely Antal
Cc: Antonio M. Soares; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP MSS=576 bytes

You want to enable

'ip tcp path-mtu-discovery'

globally. This will allow it to scale outside the default 536, and if you are using jumbo mtu, may cause significantly reduced convergence times since it takes fewer packets to send those bgp updates.
- Jared

On Wed, Feb 11, 2009 at 04:46:17PM +0100, Gergely Antal wrote:
> is "ip mtu 1500" set on the interfaces?
>
> Antonio M. Soares wrote:
> > Hello group,
> >
> > I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes.
From tvarriale at comcast.net Wed Feb 11 12:03:37 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 11 Feb 2009 11:03:37 -0600
Subject: [c-nsp] RES: BGP MSS=576 bytes
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br>
Message-ID: <519F7C23AF574961827919376015128E@flamdt01>

I always enable this command (as well as a couple others) explicitly when doing BGP. I'm looking at a 6500 with SHX1 right now and the command is in there...as in not default. I also show all peers with a MSS of 1440 (2 internal, 2 external/ISP).
tv

----- Original Message -----
From: "Leonardo Gama Souza"
To: "cisco-nsp"
Sent: Wednesday, February 11, 2009 10:09 AM
Subject: [c-nsp] RES: BGP MSS=576 bytes

> Wasn't it supposed to be enabled by default for all BGP neighbors?
> I think that's the point...
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Jared Mauch
> Sent: Wednesday, 11 February 2009 13:49
> To: Gergely Antal
> Cc: Antonio M. Soares; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP MSS=576 bytes
>
> You want to enable
>
> 'ip tcp path-mtu-discovery'
>
> globally. This will allow it to scale outside the default 536, and if you are using jumbo mtu, may cause significantly reduced convergence times since it takes fewer packets to send those bgp updates.
>
> - Jared
>
> On Wed, Feb 11, 2009 at 04:46:17PM +0100, Gergely Antal wrote:
>> is "ip mtu 1500" set on the interfaces?
>>
>> Antonio M. Soares wrote:
>> > Hello group,
>> >
>> > I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes.
> > > While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions. To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
> > > ++++++++++++++++++++++++++
> > >
> > > I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:
> > >
> > > ++++++++++++++++++++++++++
> > > 6500>sh int tenGigabitEthernet x/x | inc MTU
> > > MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
> > > 6500>
> > > 6500>
> > > 6500>sh ip int tenGigabitEthernet x/x | inc MTU
> > > MTU is 1500 bytes
> > > 6500>
> > > ++++++++++++++++++++++++++
> > >
> > > Any explanation to this strange behavior ?
> > >
> > > Thanks.
> > >
> > > Regards,
> > >
> > > Antonio Soares, CCIE #18473 (R&S)
> > > amsoares at netcabo.pt
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From dudepron at gmail.com Wed Feb 11 12:29:10 2009
From: dudepron at gmail.com (Aaron)
Date: Wed, 11 Feb 2009 12:29:10 -0500
Subject: [c-nsp] Sprint & AT&T BGP multihoming
In-Reply-To: <200902111005.39980.kratzers@ctinetworks.com>
References: <49920334.6040306@chrisserafin.com> <200902111005.39980.kratzers@ctinetworks.com>
Message-ID: <480dad640902110929sf27873h69c40ad2e6f3b474@mail.gmail.com>

Sprint has a world wide network. They do not by transit from anybody.

Aaron

On Wed, Feb 11, 2009 at 10:05, Stephen Kratzer wrote:
> Deleted the original post, so I'll reply to this leaf...
>
> ATT is fine. Make sure that Sprint, at that particular location, has multiple transit providers. We are multihomed at one location with Embarq and Level3.
> As it turns out, Embarq's sole transit provider at that location IS Level3 making the Embarq connection all but useless as far as diverse, load-balanced routing is concerned.
>
> Stephen Kratzer
> Network Engineer
> CTI Networks, Inc.
>
> On Wednesday 11 February 2009 08:58:30 Adam Greene wrote:
> > Had a good experience multihoming to AT&T, including fixing an issue with balancing traffic between the two providers, which we solved through advertisement of community strings. The engineer I spoke with was extremely knowledgeable.
> >
> > This was already a few years ago, though ...
> >
> > ----- Original Message -----
> > From: "ChrisSerafin"
> > To:
> > Sent: Tuesday, February 10, 2009 5:44 PM
> > Subject: [c-nsp] Sprint & AT&T BGP multihoming
> >
> > > I am planning on multi-homing a client's Internet connection for redundancy, and wanted to know if anyone is doing this with Sprint and/or AT&T and has any pointers or 'gotchas' they have run into.
> > >
> > > I'm still months out from doing this and will most likely want to KEEP the existing subnets that they gave us (a /23 and /24), without the need for rebuilding a bunch of VPNs, re-IP'ing externally facing devices, and DNS changes for externally available web presence.
> > >
> > > Ideas? Comments? Concerns? Flames?
> > >
> > > Thanks,
> > >
> > > Chris Serafin
> > > chris at chrisserafin.com

From paul at paulstewart.org Wed Feb 11 12:31:51 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 11 Feb 2009 12:31:51 -0500
Subject: [c-nsp] RES: BGP MSS=576 bytes
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br>
Message-ID: <000001c98c6e$a18a33d0$e49e9b70$@org>

I just checked some peers at random here on 6500 and 7600's - they all defaulted to 1440 in an Ethernet environment...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leonardo Gama Souza
Sent: Wednesday, February 11, 2009 11:09 AM
To: cisco-nsp
Subject: [c-nsp] RES: BGP MSS=576 bytes

Wasn't it supposed to be enabled by default for all BGP neighbors?
I think that's the point...

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
Sent: Wednesday, 11 February 2009 13:49
To: Gergely Antal
Cc: Antonio M. Soares; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP MSS=576 bytes

You want to enable

'ip tcp path-mtu-discovery'

globally. This will allow it to scale outside the default 536, and if you are using jumbo mtu, may cause significantly reduced convergence times since it takes fewer packets to send those bgp updates.

- Jared

On Wed, Feb 11, 2009 at 04:46:17PM +0100, Gergely Antal wrote:
> is "ip mtu 1500" set on the interfaces?
>
> Antonio M. Soares wrote:
> > Hello group,
> >
> > [...]

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
From brian at meganet.net Wed Feb 11 12:24:07 2009
From: brian at meganet.net (Brian Wallingford)
Date: Wed, 11 Feb 2009 12:24:07 -0500 (EST)
Subject: [c-nsp] Sprint & AT&T BGP multihoming
In-Reply-To: <480dad640902110929sf27873h69c40ad2e6f3b474@mail.gmail.com>
References: <49920334.6040306@chrisserafin.com> <200902111005.39980.kratzers@ctinetworks.com> <480dad640902110929sf27873h69c40ad2e6f3b474@mail.gmail.com>
Message-ID:

They don't what?

On Wed, 11 Feb 2009, Aaron wrote:

:Sprint has a world wide network. They do not by transit from anybody.
:
:Aaron
:
:On Wed, Feb 11, 2009 at 10:05, Stephen Kratzer wrote:
:
:> Deleted the original post, so I'll reply to this leaf...
:>
:> ATT is fine. Make sure that Sprint, at that particular location, has multiple transit providers. We are multihomed at one location with Embarq and Level3. As it turns out, Embarq's sole transit provider at that location IS Level3 making the Embarq connection all but useless as far as diverse, load-balanced routing is concerned.
:>
:> Stephen Kratzer
:> Network Engineer
:> CTI Networks, Inc.
:>
:> On Wednesday 11 February 2009 08:58:30 Adam Greene wrote:
:> > [...]

From avayner at cisco.com Wed Feb 11 12:45:06 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 11 Feb 2009 18:45:06 +0100
Subject: [c-nsp] Dynamic Vlan with 3750
In-Reply-To:
References:
Message-ID: <78C984F8939D424697B15E4B1C1BB3D734B76C@xmb-ams-331.emea.cisco.com>

Hi,

Can you please explain what is the behavior you expect from the "Dynamic VLAN" feature?
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of almidoster at gmail.com
Sent: Wednesday, February 11, 2009 16:21
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dynamic Vlan with 3750

Hi list,

I have one switch 3750 and five 3560 switches in my LAN, the central switch is 3750. I have an access point DLINK in a permanent place, I have configured Wireless to use another vlan, but I have some access points that we have to move their position in the building. I want to deploy dynamic vlan, is it possible to deploy with these models? I heard that I would have to buy a 6500.

Regards

From chloekcy2000 at yahoo.ca Wed Feb 11 12:45:17 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Wed, 11 Feb 2009 12:45:17 -0500 (EST)
Subject: [c-nsp] any hints about this error
Message-ID: <622593.88401.qm@web57405.mail.re1.yahoo.com>

Hi all

I got the syslog about this error

any idea and how can I solve it?

1w0d: %AMDP2_FE-6-EXCESSCOLL: Ethernet0/0 TDR=1, TRC=0

Thank you

From cisco-nsp at slepicka.net Wed Feb 11 12:51:54 2009
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Wed, 11 Feb 2009 11:51:54 -0600
Subject: [c-nsp] any hints about this error
In-Reply-To: <622593.88401.qm@web57405.mail.re1.yahoo.com>
References: <622593.88401.qm@web57405.mail.re1.yahoo.com>
Message-ID: <4993103A.6060309@slepicka.net>

1. google.com
2. AMDP2_FE-6-EXCESSCOLL site:cisco.com
3. I'm Feeling Lucky

chloe K wrote:
> Hi all
>
> I got the syslog about this error
>
> any idea and how can I solve it?
>
> 1w0d: %AMDP2_FE-6-EXCESSCOLL: Ethernet0/0 TDR=1, TRC=0
>
> Thank you

From brian at meganet.net Wed Feb 11 12:44:09 2009
From: brian at meganet.net (Brian Wallingford)
Date: Wed, 11 Feb 2009 12:44:09 -0500 (EST)
Subject: [c-nsp] any hints about this error
In-Reply-To: <622593.88401.qm@web57405.mail.re1.yahoo.com>
References: <622593.88401.qm@web57405.mail.re1.yahoo.com>
Message-ID:

Examine speed/duplex on both ends.

On Wed, 11 Feb 2009, chloe K wrote:

:Hi all
:
: I got the syslog about this error
:
: any idea and how can I solve it?
:
: 1w0d: %AMDP2_FE-6-EXCESSCOLL: Ethernet0/0 TDR=1, TRC=0
:
: Thank you

From kev.edmunds at googlemail.com Wed Feb 11 12:55:15 2009
From: kev.edmunds at googlemail.com (Kevin Edmunds)
Date: Wed, 11 Feb 2009 17:55:15 +0000
Subject: [c-nsp] 3750, EIGRP, and passive-interface
Message-ID:

Hi list,

I have a L3 3750, it has a 10MB circuit attached to one of its routed ports which connects to another L3 3750 (again routed port).

I've started getting into the habit of using EIGRP instances to monitor these type of circuits to see when the line goes down and up, however on a 3750 I don't want EIGRP broadcasting out on the rest of the ports, to my knowledge I can suppress these with the passive-interface command but add a few more circuits for other customers on there and the config will be massive! Is there a smarter way to suppress the updates on everything but the port I want or is it something I need to put up with?

Thanks for your time.
Kev

From sethm at rollernet.us Wed Feb 11 12:56:34 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 11 Feb 2009 09:56:34 -0800
Subject: [c-nsp] Sprint & AT&T BGP multihoming
In-Reply-To: <200902111005.39980.kratzers@ctinetworks.com>
References: <49920334.6040306@chrisserafin.com> <200902111005.39980.kratzers@ctinetworks.com>
Message-ID: <49931152.20306@rollernet.us>

Stephen Kratzer wrote:
> Deleted the original post, so I'll reply to this leaf...
>
> ATT is fine. Make sure that Sprint, at that particular location, has multiple transit providers. We are multihomed at one location with Embarq and Level3. As it turns out, Embarq's sole transit provider at that location IS Level3 making the Embarq connection all but useless as far as diverse, load-balanced routing is concerned.
>

Sprint is Sprint, they don't purchase transit. See AS1239.

~Seth

From sethm at rollernet.us Wed Feb 11 12:59:37 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 11 Feb 2009 09:59:37 -0800
Subject: [c-nsp] any hints about this error
In-Reply-To: <4993103A.6060309@slepicka.net>
References: <622593.88401.qm@web57405.mail.re1.yahoo.com> <4993103A.6060309@slepicka.net>
Message-ID: <49931209.3010103@rollernet.us>

James Slepicka wrote:
> 1. google.com
> 2. AMDP2_FE-6-EXCESSCOLL site:cisco.com
> 3. I'm Feeling Lucky
>

Now now, don't go suggesting crazy ideas like that.
~Seth

From achatz at forthnet.gr Wed Feb 11 13:32:17 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 11 Feb 2009 20:32:17 +0200
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
In-Reply-To: <20090211144754.GP18683@rtp-cse-489.cisco.com>
References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com> <4992DFFF.9070508@forthnet.gr> <20090211144754.GP18683@rtp-cse-489.cisco.com>
Message-ID: <499319B1.8080201@forthnet.gr>

Regarding pause frames, there is some extra info on CCO about 7201, which makes it even more interesting by distinguishing the functionality between the GE ports.

http://www.cisco.com/en/US/docs/routers/7200/install_and_upgrade/7201_install_config/11364a.html#wp1013455

Too bad there isn't a way on these routers (like in switches) to disable flow-control but keep auto-negotiation on.

--
Tassos

Rodney Dunn wrote on 11/02/2009 16:47:
> On Wed, Feb 11, 2009 at 04:26:07PM +0200, Tassos Chatzithomaoglou wrote:
> > We had a similar case with microbursts and lots of small packets and after moving to NPE-G2, we're very happy with it.
> > Traffic goes up, CPU is blocked at 75%, still no sign of drops.
>
> Good to know. It all depends on the load.
>
> The direction forward is hw based forwarding for gige line rate traffic (ASR1000, 76xx, etc..)
>
> > Regarding the pause frames, I'm too very confused about them being supported.
> > http://markmail.org/message/y7bjuudmbrfofp6z
>
> I've done some research and there appears to be some issues on how the MAC chip can account for the pause frames sent/received although it does appear to support flow control.
>
> But my *opinion* on that is flow control is a wasted effort because you can't quantify the burst and therefore you just buffer on the other side and risk drops there.
>
> Rodney
>
> > --
> > Tassos
> >
> > Lars Lystrup Christensen wrote on 11/02/2009 15:47:
> > > Hi John
> > >
> > > We had the same issue a few years ago on a Cisco 7204VXR with the NPE-G1 processor. I believe we were told, that we had hit the max capacity of the router.
> > >
> > > ______________________________________
> > >
> > > Kind regards
> > >
> > > Lars Lystrup Christensen
> > > Director of Engineering, CCIE(tm) #20292
> > >
> > > Danske Telecom A/S
> > > Sundkrogsgade 13, 4
> > > 2100 København Ø
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of john douglas
> > > Sent: 11 February 2009 14:36
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
> > >
> > > Hi All,
> > >
> > > I am hoping someone may have some guidance.
> > >
> > > We have some 7301 NPE-G1 running 12.2(33)SRC3 connected to Catalyst 3560 switch, dot1q trunking with a few Vlans. I find on the 7301 router whenever I try to drive a given gigabit sub interface beyond about 200mbps I begin to see Input Errors (Overruns) incrementing on the physical interface and begin exhibiting packet loss. Under the show controller information I see rx_overrun and rx_int_drop incrementing - all other Rx error values under "Statistics" section are zero. On the switch I see pause input incrementing, but no errors.
> > > Cpu is 40%.
> > >
> > > I have read other postings about this being attributed to microburst of traffic but I am still a little unclear. I am trying to work out
> > >
> > > 1) Does the G1 correctly support pause frames?
> > >
> > > 2) Are there any knobs we can tweak - or are we simply hitting the limits of the silicon?
> > >
> > > The short term solution has been to spread the vlan sub interfaces over the 3 gig interfaces however this leaves me in a situation where I cannot really use EEM to migrate sub interface config from one gigabit interface to another should there be a failure, as the target interface will be exhibiting overruns and loss.
> > >
> > > Any advice appreciated,
> > >
> > > Kind regards,
> > >
> > > John

From steve at ibctech.ca Wed Feb 11 13:55:37 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Wed, 11 Feb 2009 13:55:37 -0500
Subject: [c-nsp] 3750, EIGRP, and passive-interface
In-Reply-To:
References:
Message-ID: <49931F29.9030800@ibctech.ca>

Kevin Edmunds wrote:
> Hi list,
>
> I have a L3 3750, it has a 10MB circuit attached to one of its routed ports which connects to another L3 3750 (again routed port).
>
> I've started getting into the habit of using EIGRP instances to monitor these type of circuits to see when the line goes down and up, however on a 3750 I don't want EIGRP broadcasting out on the rest of the ports, to my knowledge I can suppress these with the passive-interface command but add a few more circuits for other customers on there and the config will be massive!
> Is there a smarter way to suppress the updates on everything but the port I want or is it something I need to put up with?

I don't know much about EIGRP, but perhaps it has a function like OSPF to allow one, and deny the rest:

passive-interface default
no passive-interface x/x

Steve

From gert at greenie.muc.de Wed Feb 11 14:08:05 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Feb 2009 20:08:05 +0100
Subject: [c-nsp] VTP domain.
In-Reply-To: <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
References: <20090210102330.K55176@pop.citytel.net> <4992ABC0.7050100@heanet.ie> <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
Message-ID: <20090211190805.GO290@greenie.muc.de>

Hi,

On Wed, Feb 11, 2009 at 09:04:54AM -0500, Adam Greene wrote:
> In light of all the disasters that can happen with VTP, do people in general think it's worth the risk of deploying?

VTP 1 or 2, no.

VTP 3, maybe.

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk Wed Feb 11 14:07:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 11 Feb 2009 20:07:16 +0100
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <000001c98c6e$a18a33d0$e49e9b70$@org>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org>
Message-ID: <1234379236.18450.4.camel@localhost.localdomain>

On Wed, 2009-02-11 at 12:31 -0500, Paul Stewart wrote:
> I just checked some peers at random here on 6500 and 7600's - they all defaulted to 1440 in an Ethernet environment...

And they're not directly connected eBGP peers? Those default to using the interface MTU.
Internal neighbors should default to 536 (or 516 or thereabout) AFAIK. At least that's how it's been for our 6500s running SXF for years.

Strange though if the OP example of an eBGP peer is directly connected, yet still uses 536 as default MTU.

Regards,
Peter

From gert at greenie.muc.de Wed Feb 11 14:10:30 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Feb 2009 20:10:30 +0100
Subject: [c-nsp] 3750, EIGRP, and passive-interface
In-Reply-To: <49931F29.9030800@ibctech.ca>
References: <49931F29.9030800@ibctech.ca>
Message-ID: <20090211191030.GP290@greenie.muc.de>

Hi,

On Wed, Feb 11, 2009 at 01:55:37PM -0500, Steve Bertrand wrote:
> I don't know much about EIGRP, but perhaps it has a function like OSPF to allow one, and deny the rest:
>
> passive-interface default
> no passive-interface x/x

It will work and do exactly this :)

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From ygauteron at gmail.com Wed Feb 11 14:12:21 2009
From: ygauteron at gmail.com (Yann Gauteron)
Date: Wed, 11 Feb 2009 20:12:21 +0100
Subject: [c-nsp] any hints about this error
In-Reply-To: <622593.88401.qm@web57405.mail.re1.yahoo.com>
References: <622593.88401.qm@web57405.mail.re1.yahoo.com>
Message-ID: <8097baf0902111112pe1522bcg2c122bbda3723d8f@mail.gmail.com>

What chassis and line cards do you run? Is the Ethernet0/0 a physical interface or an internal (virtual) interface?

This error can be due to real collisions on physical interfaces due to duplex mismatch. But I also met this error condition on an internal (virtual) interface on an uBR10012 chassis (a Cable Modem Termination System based on a 10000 architecture) of one of my customers.
In that chassis, the Ethernet0/0 interface is in fact a kind of internal bus used for the PRE to communicate with the line cards. When I noticed this problem on the above mentioned 10012 chassis, we also had other problems (line card reboots). After long (very long) analysis with the TAC without success, we finally proceeded with an RMA. Since then, I saw this collision condition only after the boot/reload of the equipment.

From justin at justinshore.com Wed Feb 11 14:24:24 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 11 Feb 2009 13:24:24 -0600
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <1234379236.18450.4.camel@localhost.localdomain>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain>
Message-ID: <499325E8.3060304@justinshore.com>

Peter Rathlev wrote:
> On Wed, 2009-02-11 at 12:31 -0500, Paul Stewart wrote:
> > I just checked some peers at random here on 6500 and 7600's - they all defaulted to 1440 in an Ethernet environment...
>
> And they're not directly connected eBGP peers? Those default to using the interface MTU. Internal neighbors should default to 536 (or 516 or thereabout) AFAIK. At least that's how it's been for our 6500s running SXF for years.
>
> Strange though if the OP example of an eBGP peer is directly connected, yet still uses 536 as default MTU.

My external peers are 1440. Almost all of my internal peers are 516 or 536. There are a few exceptions though. I have one pair of 7600s that are 1440, my ME3750 that's also 1440, and one ME6524 that's 9132 (the other ME6524 is 516 for some reason). Perplexing.

So how does one force iBGP sessions to choose a larger datagram size? Do you have to do it in the BGP config with 'neighbor a.b.c.d transport path-mtu-discovery' or is there a more automatic solution?
Justin

From elparis at cisco.com Tue Feb 10 16:43:06 2009
From: elparis at cisco.com (Eloy Paris)
Date: Tue, 10 Feb 2009 16:43:06 -0500
Subject: [c-nsp] BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH
Message-ID: <20090210214306.GA16029@cisco.com>

Hi Rob,

Eloy Paris from the Cisco PSIRT here. Please see below (inline) for some comments regarding the issue you brought up in your email to the cisco-nsp and nanog mailing lists this past Jan. 16th:

On Fri Jan 16 07:57:52 2009, Rob Shakir wrote:
> Strict RFC 4893 (4-byte ASN support) BGP4 implementations are vulnerable to a session reset by distant (not directly connected) ASes. This vulnerability is a feature of the standard, and unless immediate action is taken an increasingly significant number of networks will be open to attack. Accidental triggering of this vulnerability has already been seen in the wild, although the limited number of RFC 4893 deployments has limited its effect.
>
> Summary:
> It is possible to cause BGP sessions to remotely reset by injecting invalid data into the AS4_PATH attribute provided to store 4-byte ASN paths. Since AS4_PATH is an optional transitive attribute, the invalid data will be transited through many intermediate ASes which will not examine the content. To be vulnerable, an operator does not have to be actively using 4-byte AS support. This problem was first reported by Andy Davidson on NANOG in December 2008 [0], furthermore we have been able to demonstrate that a device running Cisco IOS release 12.0(32)S12 behaves as per this description.
>
> Details:

[...]

Cisco Bug CSCsx10140 was filed for Cisco IOS. Cisco IOS behaves exactly as you described - upon receipt of AS_CONFED_SEQUENCE data in the AS4_PATH attribute IOS will send a NOTIFICATION message to the peer, which causes a termination of the BGP session.
After the fix for this bug IOS will ignore AS_CONFED_SEQUENCE data in the AS4_PATH attribute of received BGP UPDATE messages and continue to process the UPDATE. This is the new behavior that the revised RFC 4893 will require.

CSCsx18598 was filed for Cisco IOS XR. Cisco IOS XR doesn't reset the session but accepts and forwards the invalid AS4_PATH data, so this bug was filed to change this behavior.

CSCsx23179 was filed for Cisco NX-OS (for the Nexus switches.) Cisco NX-OS behaves like IOS (it will reset the BGP session when it sees AS_CONFED_SEQUENCE data in the AS4_PATH attribute), and this bug was filed to change this and have the BGP implementation in Cisco NX-OS follow the revised RFC 4893.

The Release Notes for each bug may have some additional information. These are available via the Bug Toolkit on cisco.com (http://tools.cisco.com/Support/BugToolKit)

To date, the only version of Cisco IOS that supports 4-byte AS numbers is 12.0(32)S12, released in late December. A fix to the 12.0(32)Sxx branch has been committed so the next 12.0(32)S-based release will have the fix. 12.0(32)SY8 is coming out soon, and it will also have support for 4-byte AS numbers, as well as the fix for the problem.

Thanks for bringing attention to this issue and for working with us, specifically with the Cisco TAC, to get to the bottom of it and test the proposed fix.
Cheers, - -- Eloy Paris Cisco PSIRT -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmR9OoACgkQagjTfAtNY9jv5ACgg3fKuuWKv38h8F8d8QHBML5J CTsAnAnGMB/fBIQhk5z4E922JlhHVU5A =FSOP -----END PGP SIGNATURE----- From dudepron at gmail.com Wed Feb 11 14:48:29 2009 From: dudepron at gmail.com (Aaron) Date: Wed, 11 Feb 2009 14:48:29 -0500 Subject: [c-nsp] Sprint & AT&T BGP multihoming In-Reply-To: References: <49920334.6040306@chrisserafin.com> <200902111005.39980.kratzers@ctinetworks.com> <480dad640902110929sf27873h69c40ad2e6f3b474@mail.gmail.com> Message-ID: <480dad640902111148m3239b6fdq671cb3559e2b9485@mail.gmail.com> .....do not buy transit. You should have been able to figure out the misspelling of "by" vs "buy" On Wed, Feb 11, 2009 at 12:24, Brian Wallingford wrote: > They don't what? > > On Wed, 11 Feb 2009, Aaron wrote: > > :Sprint has a world wide network. They do not by transit from anybody. > : > :Aaron > : > :On Wed, Feb 11, 2009 at 10:05, Stephen Kratzer >wrote: > : > :> Deleted the original post, so I'll reply to this leaf... > :> > :> ATT is fine. Make sure that Sprint, at that particular location, has > :> multiple > :> transit providers. We are multihomed at one location with Embarq and > :> Level3. > :> As it turns out, Embarq's sole transit provider at that location IS > Level3 > :> making the Embarq connection all but useless as far as diverse, > :> load-balanced > :> routing is concerned. > :> > :> Stephen Kratzer > :> Network Engineer > :> CTI Networks, Inc. > :> > :> On Wednesday 11 February 2009 08:58:30 Adam Greene wrote: > :> > Had a good experience multihoming to AT&T, including fixing an issue > with > :> > balancing traffic between the two providers, which we solved through > :> > advertisement of community strings. The engineer I spoke with was > :> extremely > :> > knowledgeable. > :> > > :> > This was already a few years ago, though ... 
> :> > > :> > ----- Original Message ----- > :> > From: "ChrisSerafin" > :> > To: > :> > Sent: Tuesday, February 10, 2009 5:44 PM > :> > Subject: [c-nsp] Sprint & AT&T BGP multihoming > :> > > :> > >I am planning on multi-homing a client's Internet connection for > :> > >redundancy, and wanted to know if anyone is doing this with Sprint > :> and/or > :> > >AT&T and has any pointers or 'gotchas' they have run into. > :> > > > :> > > I'm still months out from doing this and will most likely want to > KEEP > :> > > the existing subnets that they gave us (a /23 and /24), without the > :> need > :> > > for rebuilding a bunch of VPNs, re-IP'ing externally facing devices, > :> and > :> > > DNS changes for externally available web presence. > :> > > > :> > > Ideas? Comments? Concerns? Flames? > :> > > > :> > > Thanks, > :> > > > :> > > Chris Serafin > :> > > chris at chrisserafin.com > :> > :> _______________________________________________ > :> cisco-nsp mailing list cisco-nsp at puck.nether.net > :> https://puck.nether.net/mailman/listinfo/cisco-nsp > :> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From lukasz at bromirski.net Wed Feb 11 15:36:48 2009 From: lukasz at bromirski.net (Łukasz Bromirski) Date: Wed, 11 Feb 2009 21:36:48 +0100 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: <499325E8.3060304@justinshore.com> References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> Message-ID: <499336E0.7090101@bromirski.net> On 2009-02-11 20:24, Justin Shore wrote: > So how does one force iBGP sessions to choose a larger datagram size? Do > you have to do it in the BGP config with 'neighbor a.b.c.d transport > path-mtu-discovery' or is there a more automatic solution? 
'ip tcp path-mtu-discovery' global command or the one You mentioned for per-neighbor tuning. -- "Don't expect me to cry for all the | Łukasz Bromirski reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net From conceicao.jose at gmail.com Wed Feb 11 15:51:10 2009 From: conceicao.jose at gmail.com (Jose Conceicao) Date: Wed, 11 Feb 2009 20:51:10 +0000 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: <499336E0.7090101@bromirski.net> References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> Message-ID: <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com> After choosing whatever preferred method, wouldn't these BGP sessions need to be re-established to take effect? (since MSS is only carried in SYN and SYN/ACKs) And shouldn't you account for TCP/IP overhead? (just being lazy by not testing this in lab) /Jose 2009/2/11 Łukasz Bromirski > On 2009-02-11 20:24, Justin Shore wrote: > > So how does one force iBGP sessions to choose a larger datagram size? Do >> you have to do it in the BGP config with 'neighbor a.b.c.d transport >> path-mtu-discovery' or is there a more automatic solution? >> > > 'ip tcp path-mtu-discovery' global command or the one You mentioned > for per-neighbor tuning. 
> > -- > "Don't expect me to cry for all the | Łukasz Bromirski > reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net From jeremy at evilrouters.net Wed Feb 11 16:00:35 2009 From: jeremy at evilrouters.net (Jeremy Gaddis) Date: Wed, 11 Feb 2009 16:00:35 -0500 Subject: [c-nsp] any hints about this error In-Reply-To: <4993103A.6060309@slepicka.net> References: <622593.88401.qm@web57405.mail.re1.yahoo.com> <4993103A.6060309@slepicka.net> Message-ID: <8623d07f0902111300k4bfbefh7a7beab8618f3a90@mail.gmail.com> On Wed, Feb 11, 2009 at 12:51 PM, James Slepicka wrote: > 1. google.com > 2. AMDP2_FE-6-EXCESSCOLL site:cisco.com > 3. I'm Feeling Lucky Even better: http://tinyurl.com/d6mtrj -- Jeremy L. Gaddis http://evilrouters.net/ From justin at justinshore.com Wed Feb 11 16:08:48 2009 From: justin at justinshore.com (Justin Shore) Date: Wed, 11 Feb 2009 15:08:48 -0600 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: <499336E0.7090101@bromirski.net> References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> Message-ID: <49933E60.6060107@justinshore.com> Łukasz Bromirski wrote: > On 2009-02-11 20:24, Justin Shore wrote: > >> So how does one force iBGP sessions to choose a larger datagram size? Do >> you have to do it in the BGP config with 'neighbor a.b.c.d transport >> path-mtu-discovery' or is there a more automatic solution? > > 'ip tcp path-mtu-discovery' global command or the one You mentioned > for per-neighbor tuning. 
I set 'ip tcp path-mtu-discovery' on all my boxes by default, and the vast majority of them still assumed 516 or 536 MSS. I tweaked the transport options in a few routers and that brought up the MSS. It looks like the code on one of the ME6524s won't let me set that option though so I guess an upgrade is in order. Thanks Justin From aaron at wsc.ma.edu Wed Feb 11 16:26:08 2009 From: aaron at wsc.ma.edu (Childs, Aaron) Date: Wed, 11 Feb 2009 16:26:08 -0500 Subject: [c-nsp] FWSM w/v4 code Message-ID: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu> Good Afternoon, A couple of months ago I upgraded our FWSM to version 4 of the code. I applied a new access-list today and wanted to remove an old one. To my amazement "no access-list blah" is no longer a valid command. I have tried to ask the oracle of Google and Cisco, but I can't find an answer. Could someone please direct me to the proper documentation? Thank you, Aaron ------------- Aaron Childs Assistant Director, Networking Westfield State College http://www.wsc.ma.edu/it/ From jason at lixfeld.ca Wed Feb 11 16:32:08 2009 From: jason at lixfeld.ca (Jason Lixfeld) Date: Wed, 11 Feb 2009 16:32:08 -0500 Subject: [c-nsp] FWSM w/v4 code In-Reply-To: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu> References: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu> Message-ID: <9BD991D9-72E0-41C0-A240-E613E40935B4@lixfeld.ca> Try 'clear configure access-list blah'. I don't think the issue is that the command is invalid (going from memory here), rather you can only 'no' out an access-list line by line. 
So, while this will work:
no access-list blah extended permit ip host 1.1.1.1 host 2.2.2.2
no access-list blah extended permit ip host 3.3.3.3 host 4.4.4.4
And this won't:
no access-list blah
This should work to get rid of the access-list:
clear configure access-list blah
On 11-Feb-09, at 4:26 PM, Childs, Aaron wrote: > Good Afternoon, > > > > A couple of months ago I upgraded our FWSM to version 4 of the code. I > applied a new access-list today and wanted to remove an old one. To > my > amazement "no access-list blah" is no longer a valid command. I > have tried > to ask the oracle of Google and Cisco, but I can't find an answer. > Could > someone please direct me to the proper documentation? > > > > Thank you, > > Aaron > > > > ------------- > Aaron Childs > Assistant Director, Networking > Westfield State College > http://www.wsc.ma.edu/it/ From moua0100 at umn.edu Wed Feb 11 16:32:59 2009 From: moua0100 at umn.edu (Ge Moua) Date: Wed, 11 Feb 2009 15:32:59 -0600 Subject: [c-nsp] FWSM w/v4 code In-Reply-To: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu> References: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu> Message-ID: <4993440B.4060901@umn.edu> That command is deprecated. New syntax is: "clear configure " you can continue to use the old syntax to remove a particular ACE from an ACL, use the above to blow away the ACL completely. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Childs, Aaron wrote: > Good Afternoon, > > > > A couple of months ago I upgraded our FWSM to version 4 of the code. I > applied a new access-list today and wanted to remove an old one. 
To my > amazement "no access-list blah" is no longer a valid command. I have tried > to ask the oracle of Google and Cisco, but I can't find an answer. Could > someone please direct me to the proper documentation? > > > > Thank you, > > Aaron > > > > ------------- > Aaron Childs > Assistant Director, Networking > Westfield State College > http://www.wsc.ma.edu/it/ From lukasz at bromirski.net Wed Feb 11 18:36:45 2009 From: lukasz at bromirski.net (Łukasz Bromirski) Date: Thu, 12 Feb 2009 00:36:45 +0100 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: <49933E60.6060107@justinshore.com> References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> <49933E60.6060107@justinshore.com> Message-ID: <4993610D.3060608@bromirski.net> On 2009-02-11 22:08, Justin Shore wrote: > I set 'ip tcp path-mtu-discovery' on all my boxes by default, and the > vast majority of them still assumed 516 or 536 MSS. Then something is messing up PMTUD. 
-- "Don't expect me to cry for all the | Łukasz Bromirski reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net From lukasz at bromirski.net Wed Feb 11 18:39:52 2009 From: lukasz at bromirski.net (Łukasz Bromirski) Date: Thu, 12 Feb 2009 00:39:52 +0100 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com> References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com> Message-ID: <499361C8.4060305@bromirski.net> On 2009-02-11 21:51, Jose Conceicao wrote: > After choosing whatever preferred method, wouldn't these BGP sessions > need to be re-established to take effect? (since MSS is only carried > in SYN and SYN/ACKs) Sure. > And shouldn't you account for TCP/IP overhead? (just being lazy by not > testing this in lab) TCP/IP overhead of what actually? Here's a whitepaper on PMTUD/MSS: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml And there's CSCef52888 for all of You pre 12.2(18)SXF12 guys which doesn't actually have PMTUD do its work. -- "Don't expect me to cry for all the | Łukasz Bromirski reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net From brett at looney.id.au Wed Feb 11 18:27:52 2009 From: brett at looney.id.au (Brett Looney) Date: Thu, 12 Feb 2009 08:27:52 +0900 Subject: [c-nsp] Dynamic Vlan with 3750 In-Reply-To: References: Message-ID: <002101c98ca0$6169cef0$243d6cd0$@id.au> > I have one switch 3750 and five 3560 switches in my LAN, the > central switch is 3750, > I want to deploy dynamic vlan, it is possible to deploy with > these models, I heard that I would have to buy a 6500. 
If you're referring to VMPS the 3560/3750 do support it but only in client mode so you'll need to set up a VMPS server. You can get a 6500 to be a VMPS server but only with CatOS so your best bet is an external server - Google VMPS server and there are a few to choose from. I've done this and it works well. Alternatively, you can do dynamic VLAN membership with 802.1x as well but that will still require a back-end RADIUS server somewhere. B. From amsoares at netcabo.pt Wed Feb 11 19:49:09 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Thu, 12 Feb 2009 00:49:09 -0000 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: <499361C8.4060305@bromirski.net> References: <4992F2C9.2000009@skoal.name><20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com><499336E0.7090101@bromirski.net><6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com> <499361C8.4060305@bromirski.net> Message-ID: <1ACA22C9F233408EA1689A5F17121869@int.convex.pt> The documentation says that Path MTU discovery is enabled by default for all BGP neighbor sessions: http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bgp_neighor.html#wp1054165 So enabling "ip tcp path-mtu-discovery" should not be necessary. But I made some tests with 12.0S and it seems the documentation is not accurate:
- In the same 1500 bytes MTU ethernet segment, without that command the SYN packet is sent with MSS=536 bytes.
- With that command, the SYN packet is sent with MSS=1460 bytes.
This seems buggy to me :( Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lukasz Bromirski Sent: Wednesday, 11 February 2009 23:40 To: Jose Conceicao Cc: cisco-nsp Subject: Re: [c-nsp] BGP MSS=576 bytes On 2009-02-11 21:51, Jose Conceicao wrote: > After choosing whatever preferred method, wouldn't these BGP sessions > need to be re-established to take effect? (since MSS is only carried > in SYN and SYN/ACKs) Sure. > And shouldn't you account for TCP/IP overhead? (just being lazy by not > testing this in lab) TCP/IP overhead of what actually? Here's a whitepaper on PMTUD/MSS: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml And there's CSCef52888 for all of You pre 12.2(18)SXF12 guys which doesn't actually have PMTUD do its work. -- "Don't expect me to cry for all the | Łukasz Bromirski reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net From dale.shaw+cisco-nsp at gmail.com Wed Feb 11 20:44:58 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Thu, 12 Feb 2009 12:44:58 +1100 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: <1ACA22C9F233408EA1689A5F17121869@int.convex.pt> References: <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com> <499361C8.4060305@bromirski.net> <1ACA22C9F233408EA1689A5F17121869@int.convex.pt> Message-ID: 
<3329cbb40902111744r54310c15j72331c6ebf36a261@mail.gmail.com> Hi, 2009/2/12 Antonio Soares : > This seems buggy to me :( Bad documentation, at least. The IOS 12.4 *mainline* command reference and config guide waffle on and on about 'bgp transport' yet the command (BGP router config mode or per-neighbour) doesn't even exist in that train. I suspect when it does exist (allegedly in 12.2(33)SRA, 12.2(31)SB, and 12.2(33)SXH and 12.4(20)T), the behaviour is as described -- BGP uses the BGP-specific TCP MSS settings. Without it, it uses the global default (PMTUD off), and you need the 'ip tcp path-mtu-discovery' global command to make it work. I've tested it on IOS 12.4 mainline and even for directly connected neighbours, MSS is 516 bytes. Once 'ip tcp path-mtu-discovery' is switched on (on both peers), MSS is 1440 bytes. cheers, Dale From juxiangt at yahoo.com Wed Feb 11 20:08:33 2009 From: juxiangt at yahoo.com (judy teng) Date: Wed, 11 Feb 2009 17:08:33 -0800 (PST) Subject: [c-nsp] How to change I, and MS bits in OSPF DBD Message-ID: <849281.15779.qm@web90604.mail.mud.yahoo.com> Hello list, I tried to set up an OSPF connection between one access Cisco router (CE) and Redback routers (PE) in the lab. But it gets stuck in Exchange state. Debug messages show "EXCHANGE - OPTIONS/INIT not match". The pcap shows a DBD bits mismatch. Any idea how to change the I and MS bits in a Cisco 1841 router?
Cisco DB Description: 0x02 (M)
.... 0... = R: OOBResync bit is NOT set
.... .0.. = I: Init bit is NOT set
.... ..1. = M: More bit is SET
.... ...0 = MS: Master/Slave bit is NOT set
Redback DB Description: 0x07 (I, M, MS)
.... 0... = R: OOBResync bit is NOT set
.... .1.. = I: Init bit is SET
.... ..1. = M: More bit is SET
.... ...1 = MS: Master/Slave bit is SET
Thanks, Judy From sethm at rollernet.us Wed Feb 11 21:33:39 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 11 Feb 2009 18:33:39 -0800 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: <3329cbb40902111744r54310c15j72331c6ebf36a261@mail.gmail.com> References: <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com> <499361C8.4060305@bromirski.net> <1ACA22C9F233408EA1689A5F17121869@int.convex.pt> <3329cbb40902111744r54310c15j72331c6ebf36a261@mail.gmail.com> Message-ID: <49938A83.10203@rollernet.us> Dale Shaw wrote: > Hi, > > 2009/2/12 Antonio Soares : >> This seems buggy to me :( > > Bad documentation, at least. The IOS 12.4 *mainline* command reference > and config guide waffle on and on about 'bgp transport' yet the > command (BGP router config mode or per-neighbour) doesn't even exist > in that train. > > I suspect when it does exist (allegedly in 12.2(33)SRA, 12.2(31)SB, > and 12.2(33)SXH and 12.4(20)T), the behaviour is as described -- BGP > uses the BGP-specific TCP MSS settings. Without it, it uses the global > default (PMTUD off), and you need the 'ip tcp path-mtu-discovery' > global command to make it work. > > I've tested it on IOS 12.4 mainline and even for directly connected > neighbours, MSS is 516 bytes. Once 'ip tcp path-mtu-discovery' is > switched on (on both peers), MSS is 1440 bytes. > Just for fun I looked at my BGP mesh and found the following:
* Directly connected neighbors MTU=516
* Transit to upstreams MTU=1440 or 1460
This is under 12.4(16) and I've never touched 'ip tcp path-mtu-discovery' or per-neighbor MTU settings. 
~Seth From mtinka at globaltransit.net Wed Feb 11 22:13:47 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 12 Feb 2009 11:13:47 +0800 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: <49938A83.10203@rollernet.us> References: <3329cbb40902111744r54310c15j72331c6ebf36a261@mail.gmail.com> <49938A83.10203@rollernet.us> Message-ID: <200902121113.51512.mtinka@globaltransit.net> On Thursday 12 February 2009 10:33:39 am Seth Mattinen wrote: > Just for fun I looked at my BGP mesh and found the > following: > > * Directly connected neighbors MTU=516 > * Transit to upstreams MTU=1440 or 1460 > > This is under 12.4(16) and I've never touched 'ip tcp > path-mtu-discovery' or per-neighbor MTU settings. From our busier route reflectors (7201's), we are seeing: * For v4, some of our IOS routers are agreeing on 1,440 bytes, while others on 8,916 bytes. Need to look into the difference here - I recall we recently replaced a defective route reflector, which is the one registering the higher MTU. * For v6, all our IOS routers are agreeing on 8,896 bytes. Interface MTU is 9,000 bytes on all router interfaces. IOS code is 12.2(33)SRC3. We have nearly similar values for our JunOS routers peering with the route reflectors, but not sure that's relevant here. Suffice it to say that 'ip tcp path-mtu-discovery' isn't configured, although it is enabled by default for BGP:
#sh ip bgp neighbors
Transport(tcp) path-mtu-discovery is enabled
#sh bgp ipv6 unicast neighbors
Transport(tcp) path-mtu-discovery is enabled
For routers where we've configured 'no bgp transport path-mtu-discovery' under the BGP process (for troubleshooting/testing), we've registered an agreed value of 516 bytes. eBGP sessions to downstreams is at 1,440 bytes. Cheers, Mark. 
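A check for the situation this thread keeps running into (sessions negotiated at 516 or 536 bytes even though PMTUD is supposedly on for BGP), as an added Python example that is not part of any message above: it parses `show ip bgp neighbors` output for the max data segment and the path-mtu-discovery line and flags every session at or below the 536-byte fallback, plus any with PMTUD disabled. The `Transport(tcp) path-mtu-discovery is enabled` line is the one Mark quotes; the `BGP neighbor is ...` and `Datagrams (max data segment is N bytes):` layouts are assumed from IOS, and the sample output is constructed, not captured. As Jose points out, the MSS is only exchanged in the SYN, so after adding `ip tcp path-mtu-discovery` or the per-neighbor `transport path-mtu-discovery` option the session has to be torn down (a hard reset of the neighbor) before this check will show the new value.

```python
"""Audit 'show ip bgp neighbors' output for BGP sessions stuck at a small TCP MSS.

Added example, not from the thread. SAMPLE_SHOW_OUTPUT is constructed; the
line layouts matched by the regexes are assumed from IOS, and a neighbor
whose MSS line is missing is reported as unknown rather than guessed.
"""
import re

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+),\s+remote AS (\d+),\s+(internal|external) link")
MSS_RE = re.compile(r"max data segment is (\d+) bytes")
PMTUD_RE = re.compile(r"path-mtu-discovery is (enabled|disabled)")

# 576-byte minimum IPv4 datagram minus 40 bytes of IP+TCP header: the MSS a
# TCP stack falls back to when path MTU discovery is not in effect. The 516
# figures in the thread sit just below it and are treated the same way.
FALLBACK_MSS = 536

SAMPLE_SHOW_OUTPUT = """\
BGP neighbor is 10.0.0.2,  remote AS 65000, internal link
  BGP version 4, remote router ID 10.0.0.2
  BGP state = Established, up for 3d02h
  Datagrams (max data segment is 516 bytes):
    Rcvd: 4410 (out of order: 0, with data: 2205, total data bytes: 41895)
  Transport(tcp) path-mtu-discovery is disabled
BGP neighbor is 10.0.0.3,  remote AS 65000, internal link
  BGP state = Established, up for 1d00h
  Datagrams (max data segment is 1460 bytes):
  Transport(tcp) path-mtu-discovery is enabled
BGP neighbor is 192.0.2.1,  remote AS 64496, external link
  BGP state = Established, up for 5w2d
  Datagrams (max data segment is 1440 bytes):
  Transport(tcp) path-mtu-discovery is enabled
"""


def parse_bgp_neighbors(show_output):
    """Return {neighbor: {"remote_as": int, "link": str, "mss": int|None, "pmtud": bool|None}}."""
    neighbors, current = {}, None
    for line in show_output.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:  # start of the next neighbor block
            current = m.group(1)
            neighbors[current] = {"remote_as": int(m.group(2)), "link": m.group(3),
                                  "mss": None, "pmtud": None}
            continue
        if current is None:  # preamble before the first neighbor
            continue
        m = MSS_RE.search(line)
        if m:
            neighbors[current]["mss"] = int(m.group(1))
        m = PMTUD_RE.search(line)
        if m:
            neighbors[current]["pmtud"] = m.group(1) == "enabled"
    return neighbors


def flag_small_mss(neighbors, fallback_mss=FALLBACK_MSS):
    """Return sorted (neighbor, reason) pairs for sessions that need attention."""
    findings = []
    for addr, info in neighbors.items():
        if info["mss"] is None:
            findings.append((addr, "mss unknown"))
        elif info["mss"] <= fallback_mss:
            findings.append((addr, "mss %d <= %d" % (info["mss"], fallback_mss)))
        if info["pmtud"] is False:
            findings.append((addr, "path-mtu-discovery disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for addr, reason in flag_small_mss(parse_bgp_neighbors(SAMPLE_SHOW_OUTPUT)):
        print("%-16s %s" % (addr, reason))
```

Run over the sample it reports only 10.0.0.2 (twice: small MSS and PMTUD off); the two sessions at 1440 and 1460 bytes pass. The point of the check is that, as Antonio and Dale found, the documentation and the effective setting can disagree by release, so the negotiated value is what to monitor, not the config.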
From mtinka at globaltransit.net Wed Feb 11 23:59:12 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 12 Feb 2009 12:59:12 +0800 Subject: [c-nsp] VTP domain. In-Reply-To: <76EDD0CB80234F5CB478CC01858AC161@GINKGO> References: <20090210102330.K55176@pop.citytel.net> <4992ABC0.7050100@heanet.ie> <76EDD0CB80234F5CB478CC01858AC161@GINKGO> Message-ID: <200902121259.12955.mtinka@globaltransit.net> On Wednesday 11 February 2009 10:04:54 pm Adam Greene wrote: > We're getting pretty tired of adding / removing VLANs > manually throughout various parts of our network, and > find that it is prone to sloppiness (i.e. vlans being > left on links where they don't belong). In our case, VLAN's (and their associated VLAN ID's) start and end on the router-switch pair. The Layer 2 backbone is driven by an MPLS control plane. We have negligible situations where customers span multiple switches and need to maintain the same VLAN ID, so we're handling this manually for the time being. Cheers, Mark. From chris.garzon at gmail.com Thu Feb 12 01:52:02 2009 From: chris.garzon at gmail.com (Dracul) Date: Thu, 12 Feb 2009 14:52:02 +0800 Subject: [c-nsp] IOS and 4 byte ASNs Message-ID: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> Hi List, do the current 12.4 IOS versions support 4 byte ASNs? 
Or do I need to upgrade my routers to IOS-XR? Best regards, Chris From swmike at swm.pp.se Thu Feb 12 01:58:51 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 12 Feb 2009 07:58:51 +0100 (CET) Subject: [c-nsp] IOS and 4 byte ASNs In-Reply-To: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> Message-ID: On Thu, 12 Feb 2009, Dracul wrote: > do the current 12.4 IOS versions support 4 byte ASNs? Or do I need to > upgrade my routers to IOS-XR? No, 12.4 does not support this. 12.0S is getting 32bit ASN in 12.0(32)SY8 and 12.0(32)S12 has it (but with the undesirable feature regarding confederation and session teardown) but S13 will have this behaviour changed if I understood correctly (and it's already "right" in SY8). -- Mikael Abrahamsson email: swmike at swm.pp.se From chris.garzon at gmail.com Thu Feb 12 03:56:40 2009 From: chris.garzon at gmail.com (Dracul) Date: Thu, 12 Feb 2009 16:56:40 +0800 Subject: [c-nsp] IOS and 4 byte ASNs In-Reply-To: References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> Message-ID: <876789290902120056g7049c39dm4e2ede31316710b0@mail.gmail.com> Thanks Mik, But does that mean in order for a supported IOS (for the 4 byte ASN) I will have to compromise some features that I get from 12.4? regards, chris On Thu, Feb 12, 2009 at 2:58 PM, Mikael Abrahamsson wrote: > On Thu, 12 Feb 2009, Dracul wrote: > > do the current 12.4 IOS versions support 4 byte ASNs? Or do I need to >> upgrade my routers to IOS-XR? >> > > No, 12.4 does not support this. > > 12.0S is getting 32bit ASN in 12.0(32)SY8 and 12.0(32)S12 has it (but with > the undesirable feature regarding confederation and session teardown) but > S13 will have this behaviour changed if I understood correctly (and it's > already "right" in SY8). 
> > -- > Mikael Abrahamsson email: swmike at swm.pp.se > From llc at dansketelecom.com Thu Feb 12 04:06:16 2009 From: llc at dansketelecom.com (Lars Lystrup Christensen) Date: Thu, 12 Feb 2009 10:06:16 +0100 Subject: [c-nsp] IOS and 4 byte ASNs In-Reply-To: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com> Hi Chris 4 byte ASNs will be supported on most platforms throughout this year. IOS-XR should already support it. However, in the meantime you can setup peerings using the AS23456 as your neighbouring AS. ASR1000 should have it in RLS 3 and 7600/7200 should have it in 12.2(33)SRE. ______________________________________ Med venlig hilsen / Kind regards Lars Lystrup Christensen Director of Engineering, CCIE(tm) #20292 Danske Telecom A/S Sundkrogsgade 13, 4 2100 København Ø -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul Sent: 12 February 2009 07:52 To: cisco-nsp at puck.nether.net Subject: [c-nsp] IOS and 4 byte ASNs Hi List, do the current 12.4 IOS versions support 4 byte ASNs? Or do I need to upgrade my routers to IOS-XR? Best regards, Chris From shivlu.jain at gmail.com Thu Feb 12 05:26:48 2009 From: shivlu.jain at gmail.com (Shivlu Jain) Date: Thu, 12 Feb 2009 15:56:48 +0530 Subject: [c-nsp] Weird Issue 12.2 31 SB Internet Issue In MPLS Message-ID: We upgraded the core PE 7200 router to SB 13 ios. 
The weird issue we faced is that if the vrf internet, which has the default route, is configured on that PE, the customer that is served from its vrf by vrf leaking on the same router is not able to access the internet. If we migrate the default route to any other router then it works fine. Does anyone have visibility into the problem? -- Thanks & Regards shivlu jain From elmi at 4ever.de Thu Feb 12 06:07:11 2009 From: elmi at 4ever.de (Elmar K. Bins) Date: Thu, 12 Feb 2009 12:07:11 +0100 Subject: [c-nsp] Cisco SLB on 7201s - custom probes? Message-ID: <20090212110710.GA27070@ronin.4ever.de> Hi gents, maybe someone can give me a hint on where to look. Newer Cisco SLB (server load balancing) documents mention the "ip slb probe..." command, which I'd like to use - I want to balance not web servers or firewalls, but DNS... My 7201, running some 12.4(15)T3, doesn't know about "ip slb probe". The software advisor doesn't list any feature that comes closer than "SLB: Ping Probes" which doesn't help here. My questions: - is there some IOS for 7201s that does custom probes? - how can I find it? Thanks for your help, Elmar. From swmike at swm.pp.se Thu Feb 12 06:09:09 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 12 Feb 2009 12:09:09 +0100 (CET) Subject: [c-nsp] IOS and 4 byte ASNs In-Reply-To: <876789290902120056g7049c39dm4e2ede31316710b0@mail.gmail.com> References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> <876789290902120056g7049c39dm4e2ede31316710b0@mail.gmail.com> Message-ID: On Thu, 12 Feb 2009, Dracul wrote: > But does that mean in order for a supported IOS (for the 4 byte ASN) I > will have to compromise some features that I get from 12.4? Yes, 12.0S lacks a lot of what you probably use in 12.4. If you need 32bit ASN I guess the most compatible version of IOS which might get 32bit ASN (I don't have any concrete info though) would be 12.2SR-something or 12.4T. 
-- Mikael Abrahamsson email: swmike at swm.pp.se From sandmaier at schlund.net Thu Feb 12 07:26:50 2009 From: sandmaier at schlund.net (sandmaier at schlund.net) Date: Thu, 12 Feb 2009 13:26:50 +0100 Subject: [c-nsp] OSM-1OC48-POS-SS(+) for 7600/6500 Message-ID: <4994158A.1070605@schlund.net> Hi all, does anybody know what the differences are between OSM-1OC48-POS-SS and OSM-1OC48-POS-SS+ ? AFAIK the differences only concern QoS. I'm not sure if my assumptions are true: The OSM has an 8 Gbps uplink in the Sup-SF and uses the PFC for the forwarding decision (IPv4/6/MPLS) and QoS marking/policing, while PXF is used for queuing/scheduling. Not sure if LLQ, CBWFQ, WRED is completely unsupported on the !+ or if there are only limitations. Is this historically with the exception of the queuing/scheduling stuff?: OSR were originally designed for the 7600OSR and used this PXF (parallel xpress forwarding) directly on the linecard for forwarding and everything else. The enhanced version has for PXF double Route Table Memory and Packet Processing Memory and 4 times Packet Buffer, 6Mpps to 3Mpps throughput, more queues and VRFs and enhanced QoS (LLQ, CBWFQ, WRED). Thanks, Jan From almidoster at gmail.com Thu Feb 12 09:04:57 2009 From: almidoster at gmail.com (almidoster at gmail.com) Date: Thu, 12 Feb 2009 09:04:57 -0500 Subject: [c-nsp] Dynamic Vlan with 3750 In-Reply-To: <002101c98ca0$6169cef0$243d6cd0$@id.au> References: <002101c98ca0$6169cef0$243d6cd0$@id.au> Message-ID: I have found some open-source programs to deploy a VMPS server, I will be trying to set one up on a Linux server. If you know another program, please notify me. Thanks. http://sourceforge.net/projects/vmps http://kobesearch.cpan.org/htdocs/VMPS-Server/ Regards 2009/2/11 Brett Looney : >> I have one switch 3750 and five 3560 switches in my LAN, the >> central switch is 3750, > >> I want to deploy dynamic vlan, it is possible to deploy with >> these models, I heard that I would have to buy a 6500. 
>
> If you're referring to VMPS the 3560/3750 do support it but only in client
> mode so you'll need to set up a VMPS server. You can get a 6500 to be a VMPS
> server but only with CatOS so your best bet is an external server - Google
> VMPS server and there are a few to choose from. I've done this and it works
> well.
>
> Alternately, you can do dynamic VLAN membership with 802.1x as well but that
> will still require a back-end RADIUS server somewhere.
>
> B.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From A.L.M.Buxey at lboro.ac.uk Thu Feb 12 09:26:12 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 12 Feb 2009 14:26:12 +0000
Subject: [c-nsp] Dynamic Vlan with 3750
In-Reply-To: 
References: <002101c98ca0$6169cef0$243d6cd0$@id.au>
Message-ID: <20090212142612.GB12420@lboro.ac.uk>

Hi,

> I have found some open-source programs to deploy a VMPS server; I will
> be trying to set them up on a Linux server. If you know another program,
> please notify me. Thanks.

FreeRADIUS. very very fast at doing VMPS - we use it

alan

From achatz at forthnet.gr Thu Feb 12 10:34:12 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 12 Feb 2009 17:34:12 +0200
Subject: [c-nsp] how to clear the counters of the policy-map under the control-plane
Message-ID: <49944174.3000206@forthnet.gr>

Any idea how to clear the counters of the policy-map under the control-plane on a 7200 (31SB12)?

I have tried all of the following, but nothing works.
clear control-plane
clear control-plane *
clear counters

--
Tassos

From steve.mcnamara at gmail.com Thu Feb 12 11:30:53 2009
From: steve.mcnamara at gmail.com (Steve McNamara)
Date: Thu, 12 Feb 2009 16:30:53 +0000
Subject: [c-nsp] WS-SVC-IDSM-2 visio icon
Message-ID: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com>

Hello All,

I'm looking for a Visio icon for a WS-SVC-IDSM-2 module without any luck. I've downloaded the complete Visio icon zip from http://www.cisco.com/en/US/products/prod_visio_icon_list.html, but there's no icon for this module? There are other service modules such as NAM1 & 2 in the 6500 shape stencil, but not this one. Does anyone know where it can be found or have any other suggestions?

Thanks
Steve

From chris at chrisserafin.com Thu Feb 12 12:22:04 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Thu, 12 Feb 2009 11:22:04 -0600
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
Message-ID: <49945ABC.7020706@chrisserafin.com>

Anyone deal with these? They look to have basic IOS functions like all other IOS based Cisco devices, but for some reason, I cannot get one switch to talk to another switch by connecting a straight through cable from the external switch ports of one to another. I'm looking for just basic native VLAN connectivity between the two for today, and then to also have a pair of 2960's upstream to provide data center redundancy.

Google is failing me :(

Thanks,

Chris Serafin
chris at chrisserafin.com

From jason at lixfeld.ca Thu Feb 12 12:31:01 2009
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Thu, 12 Feb 2009 12:31:01 -0500
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <49945ABC.7020706@chrisserafin.com>
References: <49945ABC.7020706@chrisserafin.com>
Message-ID: 

Not sure if the CIGESMs in the eServer BladeCenters are the same thing, but with those, connectivity between two modules in the same chassis is provided by one of the internal mgmt interfaces. It's Gi0/15 in my case.
I think there's some stuff you have to tweak in the MM gui, but it should be pretty easy to find, although I can't recall off the top of my head.

On 12-Feb-09, at 12:22 PM, ChrisSerafin wrote:

> Anyone deal with these? They look to have basic IOS functions like
> all other IOS based Cisco devices, but for some reason, I cannot get
> one switch to talk to another switch by connecting a straight
> through cable from the external switch ports of one to another. I'm
> looking for just basic native VLAN connectivity between the two for
> today, and then to also have a pair of 2960's upstream to provide
> data center redundancy.
>
> Google is failing me :(
>
> Thanks,
>
> Chris Serafin
> chris at chrisserafin.com

From streiner at cluebyfour.org Thu Feb 12 12:43:23 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 12 Feb 2009 12:43:23 -0500 (EST)
Subject: [c-nsp] WS-SVC-IDSM-2 visio icon
In-Reply-To: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com>
References: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com>
Message-ID: 

On Thu, 12 Feb 2009, Steve McNamara wrote:

> I'm looking for a Visio icon for a WS-SVC-IDSM-2 module without any
> luck. I've downloaded the complete Visio icon zip from
> http://www.cisco.com/en/US/products/prod_visio_icon_list.html, but
> there's no icon for this module? There are other service modules such
> as NAM1 & 2 in the 6500 shape stencil, but not this one. Does anyone
> know where it can be found or have any other suggestions?

If it comes down to it, you can always make one on your own. I've had to do that in several cases.
jms

From mcpick at us.net Thu Feb 12 12:46:51 2009
From: mcpick at us.net (McLean Pickett)
Date: Thu, 12 Feb 2009 12:46:51 -0500
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: 
References: <49945ABC.7020706@chrisserafin.com>
Message-ID: <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>

Chris -

The CIGESMs are expensive and have limited feature support based on the way they are deployed in the chassis (you can't channel the NICs on the blades). They are additional devices to support and every time the server guys reboot the chassis spanning tree is impacted.

Go with the pass-through modules and connect the blade NICs to an external switch.

-McLean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Lixfeld
Sent: Thursday, February 12, 2009 12:31 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?

Not sure if the CIGESMs in the eServer BladeCenters are the same thing, but with those, connectivity between two modules in the same chassis is provided by one of the internal mgmt interfaces. It's Gi0/15 in my case. I think there's some stuff you have to tweak in the MM gui, but it should be pretty easy to find, although I can't recall off the top of my head.

On 12-Feb-09, at 12:22 PM, ChrisSerafin wrote:

> Anyone deal with these? They look to have basic IOS functions like
> all other IOS based Cisco devices, but for some reason, I cannot get
> one switch to talk to another switch by connecting a straight
> through cable from the external switch ports of one to another. I'm
> looking for just basic native VLAN connectivity between the two for
> today, and then to also have a pair of 2960's upstream to provide
> data center redundancy.
>
> Google is failing me :(
>
> Thanks,
>
> Chris Serafin
> chris at chrisserafin.com

From chris at chrisserafin.com Thu Feb 12 12:57:47 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Thu, 12 Feb 2009 11:57:47 -0600
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
Message-ID: <4994631B.3060800@chrisserafin.com>

Weird thing: the ports do not light up with either a x-over or straight through cable. The client is opposed to using the external NICs for anything but uplinks to switches... :(

McLean Pickett wrote:
> Chris -
>
> The CIGESMs are expensive and have limited feature support based on the way
> they are deployed in the chassis (you can't channel the NICs on the blades).
> They are additional devices to support and every time the server guys reboot
> the chassis spanning tree is impacted.
>
> Go with the pass-through modules and connect the blade NICs to an external
> switch.
>
> -McLean
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Lixfeld
> Sent: Thursday, February 12, 2009 12:31 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
>
> Not sure if the CIGESMs in the eServer BladeCenters are the same
> thing, but with those, connectivity between two modules in the same
> chassis is provided by one of the internal mgmt interfaces. It's
> Gi0/15 in my case. I think there's some stuff you have to tweak in
> the MM gui, but it should be pretty easy to find, although I can't
> recall off the top of my head.
>
> On 12-Feb-09, at 12:22 PM, ChrisSerafin wrote:
>
>> Anyone deal with these? They look to have basic IOS functions like
>> all other IOS based Cisco devices, but for some reason, I cannot get
>> one switch to talk to another switch by connecting a straight
>> through cable from the external switch ports of one to another. I'm
>> looking for just basic native VLAN connectivity between the two for
>> today, and then to also have a pair of 2960's upstream to provide
>> data center redundancy.
>>
>> Google is failing me :(
>>
>> Thanks,
>>
>> Chris Serafin
>> chris at chrisserafin.com
>
From Gregori.Parker at theplatform.com Thu Feb 12 13:31:27 2009
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Thu, 12 Feb 2009 10:31:27 -0800
Subject: [c-nsp] WS-SVC-IDSM-2 visio icon
In-Reply-To: 
References: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com>
Message-ID: <1A9866F953006D45AEE0166066114E09159929F7@TPMAIL02.corp.theplatform.com>

If you're after a physical icon, just doctor the FWSM, there's not much difference. If you're after a logical icon, the generally accepted icon for IDS (at least in my world) is the one called "SwitchProbe" in the Cisco logical shapes list - it's the cube with a magnifying glass on it.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Thursday, February 12, 2009 9:43 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WS-SVC-IDSM-2 visio icon

On Thu, 12 Feb 2009, Steve McNamara wrote:

> I'm looking for a Visio icon for a WS-SVC-IDSM-2 module without any
> luck. I've downloaded the complete Visio icon zip from
> http://www.cisco.com/en/US/products/prod_visio_icon_list.html, but
> there's no icon for this module? There are other service modules such
> as NAM1 & 2 in the 6500 shape stencil, but not this one. Does anyone
> know where it can be found or have any other suggestions?

If it comes down to it, you can always make one on your own. I've had to do that in several cases.

jms

From David at Hughes.com.au Thu Feb 12 17:08:41 2009
From: David at Hughes.com.au (David Hughes)
Date: Fri, 13 Feb 2009 08:08:41 +1000
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
Message-ID: 

On 13/02/2009, at 3:46 AM, McLean Pickett wrote:

> The CIGESM's are expensive and have limited feature support based on
> the way
> they are deployed in the chassis (you can't channel the NICs on the
> blades).
> They are additional devices to support and every time the server
> guys reboot
> the chassis spanning tree is impacted.

We have lots of IBM chassis with CIGESMs deployed in the wild and are pretty happy with them. The addition of the L3 Fa port in the 3012 and Protected Mode removes all the strange "chassis module" behavior and makes them a pretty normal switch.

From my perspective, the blade chassis is an enclosure that contains servers, a couple of GigE switches and a couple of FC switches. Conceptually, you can view the enclosure as a small rack. Having server guys just randomly rebooting a chassis would be like having a server guy randomly power cycling a rack. They would not have a happy day. Using passthrough modules removes the advantages of using the blade chassis IMHO.

David
...

From KPowers at canvassystems.com Thu Feb 12 17:10:37 2009
From: KPowers at canvassystems.com (Powers, Kenny)
Date: Thu, 12 Feb 2009 17:10:37 -0500
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig
Message-ID: 

I have a client that has a SUP720-3BXL in his core and is moving from gige blades to 6708-10G-3C cards. Does he need VS-S720-10G-3C engines to get full capabilities out of the 6708s? Or would the 3BXLs be okay?

Kenny
From sethm at rollernet.us Thu Feb 12 18:13:00 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 12 Feb 2009 15:13:00 -0800
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig
In-Reply-To: 
References: 
Message-ID: <4994ACFC.9070803@rollernet.us>

Powers, Kenny wrote:
> I have a client that has a SUP720-3BXL in his core and is moving from gige blades to 6708-10G-3C cards. Does he need VS-S720-10G-3C engines to get full capabilities out of the 6708s? or would the 3BXLs be okay?
>

The VS supervisors are for the virtual switching system (VSS), if I'm not mistaken.

~Seth

From lukasz at bromirski.net Thu Feb 12 18:44:44 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Fri, 13 Feb 2009 00:44:44 +0100
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig
In-Reply-To: 
References: 
Message-ID: <4994B46C.8040804@bromirski.net>

On 2009-02-12 23:10, Powers, Kenny wrote:
> I have a client that has a SUP720-3BXL in his core and is moving from
> gige blades to 6708-10G-3C cards. Does he need VS-S720-10G-3C
> engines to get full capabilities out of the 6708s? or would the 3BXLs
> be okay?

This is rolled over on this list at least once a week. For 6500 you have an option to do distributed processing/forwarding by use of DFCs - which are essentially a copy of the PFC that's on the Supervisor. To be able to get full functionality of the system, you need to match the PFC type with the DFC type. So, VS-S720-10G-3C uses PFC3C for processing.
Essentially, PFC3C/CXL have better MAC scalability (96k vs 64k) and some bugs fixed over PFC3B/BXL. If you'll use Sup720BXL (which means - PFC3-BXL) with the 6708 equipped with DFC3C, the system will 'downgrade' the DFCs 3C to 3B level as the lowest common denominator[1]. So yes, it is okay and will work, but with the above limitation.

[1] https://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/prod_bulletin0900aecd806ee29a.html

--
"Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From gert at greenie.muc.de Thu Feb 12 19:27:47 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 13 Feb 2009 01:27:47 +0100
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig
In-Reply-To: <4994ACFC.9070803@rollernet.us>
References: <4994ACFC.9070803@rollernet.us>
Message-ID: <20090213002746.GX290@greenie.muc.de>

Hi,

On Thu, Feb 12, 2009 at 03:13:00PM -0800, Seth Mattinen wrote:
> The VS supervisors are for the virtual switching system (VSS), if I'm
> not mistaken.

The VS supervisors are a strict requirement to *have* if you want to use VSS - but you can use them as a "fast Sup with 10G ports" just fine, with no VSS.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From David at Hughes.com.au Thu Feb 12 20:27:00 2009
From: David at Hughes.com.au (David Hughes)
Date: Fri, 13 Feb 2009 11:27:00 +1000
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig
In-Reply-To: <4994ACFC.9070803@rollernet.us>
References: <4994ACFC.9070803@rollernet.us>
Message-ID: 

On 13/02/2009, at 9:13 AM, Seth Mattinen wrote:

> The VS supervisors are for the virtual switching system (VSS), if I'm
> not mistaken.
The VS Sups are Sups that can also do VSS. We are running them in a few boxes for their onboard 10GigE ports without using VSS. All is good.

David
...

From llc at dansketelecom.com Fri Feb 13 04:59:51 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Fri, 13 Feb 2009 10:59:51 +0100
Subject: [c-nsp] IOS and 4 byte ASNs
In-Reply-To: <20090213093233.GH21570@f17.dmitry.net>
References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com> <20090213093233.GH21570@f17.dmitry.net>
Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F985@mail.office.dansketelecom.com>

Hi Dmitry

Well... It depends on whether you have been given a 4-byte ASN or it is your neighbor who has the 4-byte ASN.

Have a look at http://as4.cluepon.net/index.php/Example_Configurations#Cisco_IOS

To be honest, I haven't done any setups yet with the 4-byte ASN, but it may be interesting to do some testing...

Regards,
Lars Christensen
CCIE #20292

-----Original Message-----
From: Dmitry Kiselev [mailto:dmitry at dmitry.net]
Sent: 13. februar 2009 10:33
To: Lars Lystrup Christensen
Cc: Dracul; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IOS and 4 byte ASNs

Hello!

On Thu, Feb 12, 2009 at 10:06:16AM +0100, Lars Lystrup Christensen wrote:
> Hi Chris
>
> 4 byte ASNs will be supported on most platforms throughout this year.
> IOS-XR should already support it.
>
> However, in the mean time you can setup peerings using the AS23456 as your neighbouring AS.
>
> ASR1000 should have it in RLS 3 and 7600/7200 should have it in 12.2(33)SRE.

Does it mean that I should configure "router bgp 23456" if I already have a 32-bit ASN? And what should I do if my eBGP neighbor has a 32-bit ASN too and runs this fine software called "IOS"?

router bgp 23456
 neighbor X.X.X.X remote-as 23456
 neighbor X.X.X.X allowas-in
?
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul
> Sent: 12. februar 2009 07:52
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IOS and 4 byte ASNs
>
> Hi List,
>
> do the current 12-4 IOS versions support 4 byte ASNs? Or do i need to
> upgrade my routers to IOS-XR
>
> Best regards,
> Chris

--
Dmitry Kiselev

From dmitry at dmitry.net Fri Feb 13 04:32:33 2009
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Fri, 13 Feb 2009 11:32:33 +0200
Subject: [c-nsp] IOS and 4 byte ASNs
In-Reply-To: <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com>
References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com>
Message-ID: <20090213093233.GH21570@f17.dmitry.net>

Hello!

On Thu, Feb 12, 2009 at 10:06:16AM +0100, Lars Lystrup Christensen wrote:
> Hi Chris
>
> 4 byte ASNs will be supported on most platforms throughout this year.
> IOS-XR should already support it.
>
> However, in the mean time you can setup peerings using the AS23456 as your neighbouring AS.
>
> ASR1000 should have it in RLS 3 and 7600/7200 should have it in 12.2(33)SRE.

Does it mean that I should configure "router bgp 23456" if I already have a 32-bit ASN? And what should I do if my eBGP neighbor has a 32-bit ASN too and runs this fine software called "IOS"?

router bgp 23456
 neighbor X.X.X.X remote-as 23456
 neighbor X.X.X.X allowas-in
?
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul
> Sent: 12. februar 2009 07:52
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IOS and 4 byte ASNs
>
> Hi List,
>
> do the current 12-4 IOS versions support 4 byte ASNs? Or do i need to
> upgrade my routers to IOS-XR
>
> Best regards,
> Chris

--
Dmitry Kiselev

From gert at greenie.muc.de Fri Feb 13 05:38:40 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 13 Feb 2009 11:38:40 +0100
Subject: [c-nsp] IOS and 4 byte ASNs
In-Reply-To: <20090213093233.GH21570@f17.dmitry.net>
References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com> <20090213093233.GH21570@f17.dmitry.net>
Message-ID: <20090213103840.GD290@greenie.muc.de>

Hi,

On Fri, Feb 13, 2009 at 11:32:33AM +0200, Dmitry Kiselev wrote:
> Does it mean that I should configure "router bgp 23456" if I already have a 32-bit ASN?

If *you* have a 32bit-ASN, you need a 32bit-ASN-capable router OS.

> And what should I do if my eBGP neighbor has a 32-bit ASN too and runs this fine
> software called "IOS"?
> router bgp 23456
>  neighbor X.X.X.X remote-as 23456
>  neighbor X.X.X.X allowas-in
> ?

... if your neighbours have 32-bit ASNs, and your router software cannot do it yet, configure "remote-as 23456" on your side, yes.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From AMcglinchey at wiseman-dairies.co.uk Fri Feb 13 11:02:40 2009
From: AMcglinchey at wiseman-dairies.co.uk (Alun Mcglinchey)
Date: Fri, 13 Feb 2009 16:02:40 +0000
Subject: [c-nsp] Alun Mcglinchey is out of the office.
Message-ID: 

I will be out of the office starting 06/02/2009 and will not return until 16/02/2009.

I will respond to your message when I return; if your query is urgent please contact the IT servicedesk team on 6634 or email Cameron McKinnon (cmckinnon at wiseman-dairies.co.uk)
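On the "IOS and 4 byte ASNs" thread above (Dmitry's question and Gert's answer about "remote-as 23456"): the Python below is an added example, not code from the thread, from Cisco or from any listed router OS. It shows what AS23456 (AS_TRANS) does on the wire according to RFC 4893 (since obsoleted by RFC 6793, which keeps the same mechanism): a 4-byte-capable ("NEW") speaker presents AS_TRANS to a 2-byte-only ("OLD") neighbor and carries the real numbers in AS4_PATH, and a NEW speaker on the far side of an OLD one merges the two attributes back into the true AS path. The function names and the sample ASNs (196608, 65001, 64512) are constructed for illustration.

```python
"""
Added example (not from the cisco-nsp thread): how AS_TRANS (23456) bridges
2-byte-only ("OLD") and 4-byte-capable ("NEW") BGP speakers per RFC 4893.
Function names and sample ASNs are constructed for illustration only.
"""
from typing import List, Optional, Tuple

AS_TRANS = 23456        # reserved placeholder ASN (RFC 4893)
TWO_BYTE_MAX = 0xFFFF   # largest ASN an OLD speaker can represent


def asdot(asn: int) -> str:
    """Render an ASN in asdot notation: 196608 -> '3.0', 64512 -> '64512'."""
    if asn > TWO_BYTE_MAX:
        return f"{asn >> 16}.{asn & 0xFFFF}"
    return str(asn)


def remote_as_for_old_speaker(neighbor_asn: int) -> int:
    """What an OLD speaker (the non-4-byte IOS in the thread) must configure in
    'neighbor X remote-as': the real ASN if it fits in 2 bytes, else AS_TRANS.
    The NEW neighbor sends AS_TRANS as 'My AS' in its OPEN and carries the
    real ASN in the 4-octet AS capability (capability code 65)."""
    return AS_TRANS if neighbor_asn > TWO_BYTE_MAX else neighbor_asn


def path_for_old_speaker(as4_path: List[int]) -> Tuple[List[int], Optional[List[int]]]:
    """What a NEW speaker sends towards an OLD neighbor (RFC 4893 section 4.2.2):
    AS_PATH with every 4-byte ASN replaced by AS_TRANS, plus an AS4_PATH with
    the real numbers, present only when at least one 4-byte ASN is in the path."""
    as_path = [AS_TRANS if a > TWO_BYTE_MAX else a for a in as4_path]
    needs_as4 = any(a > TWO_BYTE_MAX for a in as4_path)
    return as_path, (list(as4_path) if needs_as4 else None)


def reconstruct_path(as_path: List[int], as4_path: Optional[List[int]]) -> Tuple[List[int], bool]:
    """Merge AS_PATH and AS4_PATH as a NEW speaker does for a route that came
    through OLD speakers (RFC 4893 section 4.2.3).  OLD speakers prepend their
    own ASNs to AS_PATH but relay AS4_PATH untouched, so the leading
    len(AS_PATH) - len(AS4_PATH) entries come from AS_PATH and the tail from
    AS4_PATH.  Returns (merged_path, as4_used).  An AS4_PATH longer than
    AS_PATH is inconsistent and must be ignored; the False flag lets an
    operator count or log such updates instead of tearing the session down."""
    if as4_path is None:
        return list(as_path), False
    if len(as_path) < len(as4_path):
        return list(as_path), False     # inconsistent attributes: ignore AS4_PATH
    lead = len(as_path) - len(as4_path)
    return list(as_path[:lead]) + list(as4_path), True


if __name__ == "__main__":
    # Constructed scenario: AS 3.0 (196608, NEW) -> AS 65001 (OLD) -> us (NEW).
    as_path, as4_path = path_for_old_speaker([196608])   # ([23456], [196608])
    as_path = [65001] + as_path                           # the OLD speaker prepends itself
    merged, used = reconstruct_path(as_path, as4_path)
    print("remote-as on the OLD side:", remote_as_for_old_speaker(196608))
    print("AS path as we see it:", " ".join(asdot(a) for a in merged), "| AS4_PATH used:", used)
```

The second return value of reconstruct_path is the part worth keeping in a real implementation: the RFC says to silently ignore an AS4_PATH that cannot be reconciled with AS_PATH, and an operator who never counts those events has no way of noticing a neighbor that is mangling the attribute.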
From chris at chrisserafin.com Fri Feb 13 11:52:16 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Fri, 13 Feb 2009 10:52:16 -0600
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: 
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
Message-ID: <4995A540.5010007@chrisserafin.com>

So how do you have this implemented? I see the L3 fa0 port connects to the internal 'virtual switch chassis' and the rest is L2.....

I'm trying to set up Citrix XEN VM Server on the blades and thinking this is how I will do it:

I will have a pair of 2960's upstream that will have 2 bonded etherchannels going into each switch blade from each 2960. The etherchannels will be trunk links and then I will configure the internal virtual switchports as trunks going into the XEN Server....XEN is just like VMware/ESX...... the server tags the VLANs depending on what network they need to be on.

Make sense at all? I've been googling until my eyes bleed trying to get up to speed on these devices.

David Hughes wrote:
>
> On 13/02/2009, at 3:46 AM, McLean Pickett wrote:
>
>> The CIGESM's are expensive and have limited feature support based on
>> the way
>> they are deployed in the chassis (you can't channel the NICs on the
>> blades).
>> They are additional devices to support and every time the server guys
>> reboot
>> the chassis spanning tree is impacted.
>
> We have lots of IBM chassis with CIGESMs deployed in the wild and are
> pretty happy with them. The addition of the L3 Fa port in the 3012
> and Protected Mode removes all the strange "chassis module" behavior
> and makes them a pretty normal switch.
>
> From my perspective, the blade chassis is an enclosure that contains
> servers, a couple of GigE switches and a couple of FC switches.
> Conceptually, you can view the enclosure as a small rack. Having
> server guys just randomly rebooting a chassis would be like having a
> server guy randomly power cycling a rack. They would not have a happy
> day. Using passthrough module removes the advantages of using the
> blade chassis IMHO.
>
>
> David
> ...

From lgeyer at gmail.com Fri Feb 13 12:02:10 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 12:02:10 -0500
Subject: [c-nsp] EoMPLS - port mode to vlan mode
Message-ID: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>

Hey there.

Does anybody here happen to have any experience working with pseudo wires that are port-tunneled on one side and vlan-tunneled on the other? Having a bear of a time trying to figure out why I cannot pass any traffic over a vc that's configured in this fashion.
Switch A (7609/rsp720-3cxl-10ge) ------ MPLS ------ Switch B (7609/rsp720-3cxl-10ge)

Both switches have LAN cards only (no SIP or FlexWAN here) and run 12.2(33)SRC3

Switch A
-------------
interface GigabitEthernet2/1
 mtu 9216
 no ip address
 load-interval
 speed nonegotiate
 xconnect 100 encapsulation mpls
end

Switch B
-------------
interface TenGigabitEthernet3/1
 mtu 9216
 no ip address
 load-interval 30
end

interface TenGigabitEthernet3/1.100
 encapsulation dot1Q 100
 xconnect 100 encapsulation mpls
end

The VC comes up fine on both sides, but the only way I can get any traffic to pass is if I'm either vlan-tunneled or port-tunneled on both sides. So far I'm hearing conflicting things from TAC on whether this will work or not. The maddening part is that we already have VCs in place where type 4 to type 5 VCs work just fine. The difference in at least one of the working cases is that the port-tunneled VC is on a 6500 running 12.2(18)SXF9.

I'm a bit apprehensive about debugging this issue in production right now and TAC has been slow to get back with me so I'd appreciate any feedback.

Thanks,
Laurent

From justin at justinshore.com Fri Feb 13 12:10:18 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 13 Feb 2009 11:10:18 -0600
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
Message-ID: <4995A97A.2060800@justinshore.com>

Laurent Geyer wrote:
> interface TenGigabitEthernet3/1.100
>  encapsulation dot1Q 100
>  xconnect 100 encapsulation mpls
> end

Are you sure that you're not getting any traffic out of Te3/1.100? My thought would be that you're inputting untagged traffic on Gi2/1 but tagged traffic on Te3/1.100. I would expect to see traffic coming out of either int that's being discarded by the device on either side but that's just my thought. I don't have many L2VPNs in place at this time.
I always heard though that the VLAN tag had to match on both sides if it existed at all.

Justin

From lgeyer at gmail.com Fri Feb 13 12:44:51 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 12:44:51 -0500
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <4995A97A.2060800@justinshore.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com> <4995A97A.2060800@justinshore.com>
Message-ID: <39647f4d0902130944r3105113bx10a0c955b0b892f1@mail.gmail.com>

On Fri, Feb 13, 2009 at 12:10 PM, Justin Shore wrote:
> Laurent Geyer wrote:
>>
>> interface TenGigabitEthernet3/1.100
>>  encapsulation dot1Q 100
>>  xconnect 100 encapsulation mpls
>> end
>
> Are you sure that you're not getting any traffic out of Te3/1.100? My
> thought would be that you're inputting untagged traffic on Gi2/1 but tagged
> traffic on Te3/1.100. I would expect to see traffic coming out of either
> int that's being discarded by the device on either side but that's just my
> thought. I don't have many L2VPNs in place at this time. I always heard
> though that the VLAN tag had to match on both sides if it existed at all.

I'm absolutely positive unfortunately.

From what I understand, and anybody correct me if I'm wrong please, the dot1q tag in the header is only needed for the label imposition on the ingress side. The egress interface for the traffic is determined by an LFIB lookup, not by information that's part of the original ethernet frame, so it shouldn't really matter that one side is untagged.
- Laurent

From saku+cisco-nsp at ytti.fi Fri Feb 13 13:25:28 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 13 Feb 2009 20:25:28 +0200
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
Message-ID: <20090213182528.GA9212@mx.ytti.net>

On (2009-02-13 12:02 -0500), Laurent Geyer wrote:
> Does anybody here happen to have any experience working with pseudo
> wires that are port-tunneled on one side and vlan-tunneled on the
> other? Having a bear of a time trying to figure out why I cannot pass

You need to configure interworking. Instead of encap mpls, use pw-class foo and configure foo as ethernet interworking.

--
++ytti

From lgeyer at gmail.com Fri Feb 13 13:50:43 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 13:50:43 -0500
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <20090213182528.GA9212@mx.ytti.net>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com> <20090213182528.GA9212@mx.ytti.net>
Message-ID: <39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com>

On Fri, Feb 13, 2009 at 1:25 PM, Saku Ytti wrote:
> On (2009-02-13 12:02 -0500), Laurent Geyer wrote:
>
>> Does anybody here happen to have any experience working with pseudo
>> wires that are port-tunneled on one side and vlan-tunneled on the
>> other? Having a bear of a time trying to figure out why I cannot pass
>
> You need to configure interworking. Instead of encap mpls,
> use pw-class foo and configure foo as ethernet interworking.

Ok, so ethernet interworking defines the pseudo wire type; you still have to configure mpls encapsulation. I can see why you would have to define that in a pseudo wire class, but if you're configuring the encapsulation on an interface the VC type should be implicit. Any reason why you believe I need to use pseudo wire classes here?
- Laurent

From rmcconner at gmail.com Fri Feb 13 14:05:50 2009
From: rmcconner at gmail.com (Ross McConner)
Date: Fri, 13 Feb 2009 14:05:50 -0500
Subject: [c-nsp] untagged to QinQ switch ports
Message-ID: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>

Maybe I'm just hitting my head against a wall and therefore can't see the answer..

I'm looking for a way to take a non-trunked ethernet port and encapsulate any of the L2 packets into a double-tagged dot1q vlan.

Basically my provider gives me a single circuit with 802.1q and then tunnels vlans to different destinations (most likely via xconnects). At this (small) location I don't need to have all the vlans in use, just specific ones - so I'm looking for a way to do it without installing a 2nd switch in front of the cisco just to create the inner vlan tags, which is what all of cisco's documentation assumes.

In pseudo IOS - what I'd like to do:

!
interface FastEthernet 0/0
 switchport access vlan 10 20
!
interface FastEthernet 0/1
 switchport access vlan 50 60
!
interface FastEthernet 1/0
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,60
!

Is this possible at all?

From lgeyer at gmail.com Fri Feb 13 14:12:28 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 14:12:28 -0500
Subject: [c-nsp] untagged to QinQ switch ports
In-Reply-To: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>
References: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>
Message-ID: <39647f4d0902131112g20d3a05en75408ba66c60336e@mail.gmail.com>

On Fri, Feb 13, 2009 at 2:05 PM, Ross McConner wrote:
> Maybe I'm just hitting my head against a wall and therefore can't see the
> answer..
>
> I'm looking for a way to take a non-trunked ethernet port and encapsulate
> any of the L2 packets into a double-tagged dot1q vlan.
>
> Basically my provider gives me a single circuit with 802.1q and then tunnels
> vlans to different destinations (most likely via xconnects). At this
> (small) location I don't need to have all the vlans in use, just specific
> ones - so I'm looking for a way to do it without installing a 2nd switch in
> front of the cisco just to create the inner vlan tags, which is what all of
> cisco's documentation assumes.

Here is something I've seen working before.

interface fa0/1
 switchport
 switchport access vlan
 switchport mode dot1q-tunnel

interface fa0/1
 switchport

From lgeyer at gmail.com Fri Feb 13 14:17:25 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 14:17:25 -0500
Subject: [c-nsp] untagged to QinQ switch ports
In-Reply-To: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>
References: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>
Message-ID: <39647f4d0902131117w7f7eacffm230262dd405ceb83@mail.gmail.com>

On Fri, Feb 13, 2009 at 2:05 PM, Ross McConner wrote:
> Maybe I'm just hitting my head against a wall and therefore can't see the
> answer..
>
> I'm looking for a way to take a non-trunked ethernet port and encapsulate
> any of the L2 packets into a double-tagged dot1q vlan.
>
> Basically my provider gives me a single circuit with 802.1q and then tunnels
> vlans to different destinations (most likely via xconnects). At this
> (small) location I don't need to have all the vlans in use, just specific
> ones - so I'm looking for a way to do it without installing a 2nd switch in
> front of the cisco just to create the inner vlan tags, which is what all of
> cisco's documentation assumes.

Sorry for the previous mail, hit some weird gmail keyboard shortcut.

Here is what I've seen work before.
interface fa0/1
 switchport
 switchport access vlan
 switchport mode dot1q-tunnel
end

interface fa0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50, 60
 switchport mode trunk
end

interface fa0/3
 switchport
 switchport access vlan
 switchport mode access
end

Connect a crossover cable between fa0/1 and fa0/2 and put the access ports you want double tagged over the provider link in the respective access vlan. Of course your layer 2 path will have to have the necessary MTU size to carry the double tagged frames.

- Laurent

From paul at paulstewart.org Fri Feb 13 14:21:46 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 13 Feb 2009 14:21:46 -0500
Subject: [c-nsp] 7600 SVI + Subinterface Question
Message-ID: <000001c98e10$4ffc5e50$eff51af0$@org>

Hi folks...

I believe the answer is no but worth asking... we have a large VLAN database on some 6500's with VTP running. On one of these 7600's we have many SVI interfaces which in turn are trunked on GigE's to other layer2 switches...

We have a client coming onboard that we need to possibly send about 60 layer3 connections over a GigE trunk connection but the requested VLAN numbers are mostly already in use on the 7600. Without getting into other options can I do the following??

Interface vlan 300
 Descr test test
 Ip address 10.10.10.1 255.255.255.248

Interface GigE9/1
 Switchport mode trunk
 Switchport trunk allowed vlan 300

Interface GigE9/8.300
 Descr Another customer
 IP address 192.168.0.1 255.255.255.240

I realize this gets mapped to internal VLAN's but in this case will those VLAN's co-exist or conflict?

Thanks,
Paul

From MLouis at nwnit.com Fri Feb 13 14:24:35 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 13 Feb 2009 14:24:35 -0500
Subject: [c-nsp] 6500 VTP and VLANs disappearing
Message-ID:

Hey all,

I just ran across an issue I have never seen before. We have a switch configured with about 250 VLANs and SVIs. The switch is configured in VTP transparent mode.
Everything has been working fine until this morning we added a couple more vlans. After that we noticed that all but about 80 of the VLANs in the VTP database were missing. Somehow they got erased. No one was in the device since this happened and it's configured in trans mode. Any ideas what could have happened? We put the VLANs back in and everything came up fine for now.

Anyone ever heard of something like this happening? Is there a max number of L3 interfaces for 6500?

Mike Louis
Senior Solutions Architect
CCIE #17082 (R&S)
NWN, Inc
mobile:336.253.5247
mlouis at nwnit.com

________________________________
Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From peter at rathlev.dk Fri Feb 13 15:49:12 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 13 Feb 2009 21:49:12 +0100
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <000001c98e10$4ffc5e50$eff51af0$@org>
References: <000001c98e10$4ffc5e50$eff51af0$@org>
Message-ID: <1234558152.5766.7.camel@localhost.localdomain>

On Fri, 2009-02-13 at 14:21 -0500, Paul Stewart wrote:
> I believe the answer is no but worth asking... we have a large VLAN database
> on some 6500's with VTP running. On one of these 7600's we have many SVI
> interfaces which in turn are trunked on GigE's to other layer2 switches...
>
> We have a client coming onboard that we need to possibly send about 60
> layer3 connections over a GigE trunk connection but the requested VLAN
> numbers are mostly already in use on the 7600. Without getting into other
> options can I do the following??
>
> Interface vlan 300
> Descr test test
> Ip address 10.10.10.1 255.255.255.248
>
> Interface GigE9/1
> Switchport mode trunk
> Switchport trunk allowed vlan 300
>
> Interface GigE9/8.300
> Descr Another customer
> IP address 192.168.0.1 255.255.255.240
>
> I realize this gets mapped to internal VLAN's but in this case will those
> VLAN's co-exist or conflict?

If you also want to use "encapsulation dot1q 300" on Gi9/8.300 it will not work. The box will complain that VLAN 300 is already in use.

Furthermore you cannot use VTP and dot1q subinterfaces together. You need to use transparent VTP mode for that.

You might use VLAN Mapping in order to provide services for their VLANs but with your numbering.

Regards,
Peter

From avayner at cisco.com Fri Feb 13 16:16:38 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 13 Feb 2009 22:16:38 +0100
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <000001c98e10$4ffc5e50$eff51af0$@org>
References: <000001c98e10$4ffc5e50$eff51af0$@org>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D734C0C1@xmb-ams-331.emea.cisco.com>

Paul,

The best option for using local VLAN significance is to use the more advanced ES20 modules on the 7600:
http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3ad.html

Another thing you can take a look at is VLAN Translation:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/vlans.html#wp1044990

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 13, 2009 21:22
To: 'Cisco-nsp'
Subject: [c-nsp] 7600 SVI + Subinterface Question

Hi folks...

I believe the answer is no but worth asking... we have a large VLAN database on some 6500's with VTP running. On one of these 7600's we have many SVI interfaces which in turn are trunked on GigE's to other layer2 switches...

We have a client coming onboard that we need to possibly send about 60 layer3 connections over a GigE trunk connection but the requested VLAN numbers are mostly already in use on the 7600. Without getting into other options can I do the following??

Interface vlan 300
 Descr test test
 Ip address 10.10.10.1 255.255.255.248

Interface GigE9/1
 Switchport mode trunk
 Switchport trunk allowed vlan 300

Interface GigE9/8.300
 Descr Another customer
 IP address 192.168.0.1 255.255.255.240

I realize this gets mapped to internal VLAN's but in this case will those VLAN's co-exist or conflict?

Thanks,
Paul
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From saku+cisco-nsp at ytti.fi Fri Feb 13 16:36:20 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 13 Feb 2009 23:36:20 +0200
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com> <20090213182528.GA9212@mx.ytti.net> <39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com>
Message-ID: <20090213213620.GA10607@mx.ytti.net>

On (2009-02-13 13:50 -0500), Laurent Geyer wrote:
> Any reason why you believe I need to use pseudo wire classes here?

Because you need to dig out the ethernet frame from mismatching headers in each end-point. For all IOS cares, the other side could be ATM in this case; it simply does not match to the other side.
--
++ytti

From saku+cisco-nsp at ytti.fi Fri Feb 13 16:45:16 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 13 Feb 2009 23:45:16 +0200
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D734C0C1@xmb-ams-331.emea.cisco.com>
References: <000001c98e10$4ffc5e50$eff51af0$@org> <78C984F8939D424697B15E4B1C1BB3D734C0C1@xmb-ams-331.emea.cisco.com>
Message-ID: <20090213214516.GB10607@mx.ytti.net>

On (2009-02-13 22:16 +0100), Arie Vayner (avayner) wrote:
> The best option for using local VLAN significance is to use the more
> advanced ES20 modules on the 7600:
> http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3ad.html

ES20 cards do not have vlan local significance; while toasters are capable of doing it, you guys opted not to do it (perhaps due to toaster+microcode evilness when compared to ezchip+c?)

giga2/0/1.42
 encap dot1q 42
giga2/0/2.42
 encap dot1q 42

is not and will not be (non-technical reasons) possible in ES20. OP should rather consider ES+ cards, which are completely different cards and will do this. Sure you can work around this through EVC in ES20, but that is another bag of worms. I would strongly advise against anyone buying ES20, as ES+ costs the same.

(Of course you still can't escape the 4k VLAN limit in the platform.)

--
++ytti

From lgeyer at gmail.com Fri Feb 13 17:04:58 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 17:04:58 -0500
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <20090213213620.GA10607@mx.ytti.net>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com> <20090213182528.GA9212@mx.ytti.net> <39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com> <20090213213620.GA10607@mx.ytti.net>
Message-ID: <39647f4d0902131404j16b1d9b4v3824aba1d4f3e439@mail.gmail.com>

On Fri, Feb 13, 2009 at 4:36 PM, Saku Ytti wrote:
> On (2009-02-13 13:50 -0500), Laurent Geyer wrote:
>
>> Any reason why you believe I need to use pseudo wire classes here?
>
> Because you need to dig out ethernet frame out from mismatching headers
> in each end-point.
> For all IOS cares, other side could be ATM in this case, it simply
> does not match to the other side.

Ok, I see what you're saying. Still, you cannot define a networking type for a pseudo wire until mpls encapsulation is enabled. I just tested what you suggested and the output for `show mpls l2transport vc 821 detail' is the same whether I use a pseudo wire class like you suggested, or I simply define encapsulation mpls on the interface level.
pseudowire-class vltun-ethtun
 encapsulation mpls
 interworking ethernet

interface GigabitEthernet2/20
 mtu 9216
 no ip address
 speed nonegotiate
 xconnect 821 pw-class vltun-ethtun
end

show mpls l2transport vc 821 detail
Local interface: Gi2/20 up, line protocol up, Ethernet up
  Destination address: , VC ID: 821, VC status: up
    Output interface: Vl2, imposed label stack {291 209}
    Preferred path: not configured
    Default path: active
    Next hop:
  Create time: 00:00:06, last status change time: 00:00:06
  Signaling protocol: LDP, peer :0 up
    Targeted Hello: (LDP Id) ->
    Status TLV support (local/remote) : enabled/supported
      Label/status state machine : established, LruRru
      Last local dataplane status rcvd: no fault
      Last local SSS circuit status rcvd: no fault
      Last local SSS circuit status sent: no fault
      Last local LDP TLV status sent: no fault
      Last remote LDP TLV status rcvd: no fault
    MPLS VC labels: local 604, remote 209
    Group ID: local 0, remote 0
    MTU: local 9216, remote 9216
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals: receive 0, send 0
    packet drops: receive 0, seq error 0, send 0

interface GigabitEthernet2/20
 mtu 9216
 no ip address
 speed nonegotiate
 xconnect 821 encapsulation mpls
end

show mpls l2transport vc 821 detail
Local interface: Gi2/20 up, line protocol up, Ethernet up
  Destination address: , VC ID: 821, VC status: up
    Output interface: Vl2, imposed label stack {291 209}
    Preferred path: not configured
    Default path: active
    Next hop:
  Create time: 00:00:22, last status change time: 00:00:22
  Signaling protocol: LDP, peer :0 up
    Targeted Hello: (LDP Id) ->
    Status TLV support (local/remote) : enabled/supported
      Label/status state machine : established, LruRru
      Last local dataplane status rcvd: no fault
      Last local SSS circuit status rcvd: no fault
      Last local SSS circuit status sent: no fault
      Last local LDP TLV status sent: no fault
      Last remote LDP TLV status rcvd: no fault
    MPLS VC labels: local 603, remote 209
    Group ID: local 0, remote 0
    MTU: local 9216, remote 9216
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 6, send 7
    byte totals: receive 732, send 1214
    packet drops: receive 0, seq error 0, send 0

From gert at greenie.muc.de Fri Feb 13 17:40:09 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 13 Feb 2009 23:40:09 +0100
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <000001c98e10$4ffc5e50$eff51af0$@org>
References: <000001c98e10$4ffc5e50$eff51af0$@org>
Message-ID: <20090213224009.GF290@greenie.muc.de>

Hi,

On Fri, Feb 13, 2009 at 02:21:46PM -0500, Paul Stewart wrote:
> I realize this gets mapped to internal VLAN's but in this case will those
> VLAN's co-exist or conflict?

With "normal" (= affordable) LAN cards, it will conflict. There will be no translation - that is, if you have "encaps dot1q 300" on a GigE subif, it will use "VLAN 300" for that.

gert

--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From cphillips at wbsconnect.com Fri Feb 13 17:54:58 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Fri, 13 Feb 2009 14:54:58 -0800
Subject: [c-nsp] 6500 VTP and VLANs disappearing
In-Reply-To:
References:
Message-ID: <4995FA42.9040102@wbsconnect.com>

Mike,

I've had this happen twice. Both times we were running VTP transparent, both times on 6509s with SUP720-3BXL and both times on 12.2.18-SXF*. We've not had this happen again since moving to 12.2.33-SXI.

Mike Louis wrote:
> Hey all,
>
> I just ran across an issue I have never seen before. We have a switch configured with about 250 VLANs and SVIs. The switch is configured in VTP transparent mode.
> Everything has been working fine until this morning we added a couple more vlans. After that we noticed that all but about 80 of the VLANs in the VTP database were missing. Somehow they got erased. No one was in the device since this happened and its configured in trans mode. Any ideas what could have happened? We put the VLANs back in and everything came up fine for now.
>
> Anyone ever heard of something like this happening? Is there a max number of L3 interfaces for 6500?
>
> Mike Louis
> Senior Solutions Architect
> CCIE #17082 (R&S)
> NWN, Inc
> mobile:336.253.5247
> mlouis at nwnit.com

--
Chris Phillips

From ney25 at hotmail.com Fri Feb 13 19:31:38 2009
From: ney25 at hotmail.com (Jack)
Date: Sat, 14 Feb 2009 08:31:38 +0800
Subject: [c-nsp] 6500 VTP and VLANs disappearing
In-Reply-To: <4995FA42.9040102@wbsconnect.com>
References: <4995FA42.9040102@wbsconnect.com>
Message-ID:

Hi Chris,

Did you check the VTP version?
I had an incident before, but it was due to the VTP version 1 and 2: new IOS loaded to my Cat6 but somehow the VTP automatically became version 1, therefore most of my access layer can't communicate to the Core layer. It is no harm to check the vtp version as well.

Regards,
Jack

--------------------------------------------------
From: "Chris Phillips"
Sent: Saturday, 14 February, 2009 6:54 AM
To: "Mike Louis"
Cc:
Subject: Re: [c-nsp] 6500 VTP and VLANs disappearing

> Mike,
>
> I've had this happen twice. Both times we were running VTP transparent,
> both times on 6509s with SUP720-3BXL and both times on 12.2.18-SXF*. We've
> not had this happen again since moving to 12.2.33-SXI.
>
> Mike Louis wrote:
>> Hey all,
>>
>> I just ran across an issue I have never seen before. We have a switch
>> configured with about 250 VLANs and SVIs. The switch is configured in VTP
>> transparent mode. Everything has been working fine until this morning we
>> added a couple more vlans. After that we noticed that all but about 80 of
>> the VLANs in the VTP database were missing. Somehow they got erased. No
>> one was in the device since this happened and its configured in trans
>> mode. Any ideas what could have happened? We put the VLANs back in and
>> everything came up fine for now.
>>
>> Anyone ever heard of something like this happening? Is there a max number
>> of L3 interfaces for 6500?
>>
>> Mike Louis
>> Senior Solutions Architect
>> CCIE #17082 (R&S)
>> NWN, Inc
>> mobile:336.253.5247
>> mlouis at nwnit.com
>
> --
> Chris Phillips

From MLouis at nwnit.com Fri Feb 13 19:41:39 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 13 Feb 2009 19:41:39 -0500
Subject: [c-nsp] 6500 VTP and VLANs disappearing
Message-ID:

Well, we are running SXI so it's happening in that rev as well. Any idea why or when it happens? If it's a bug it's a terrible one.

-----Original Message-----
From: Chris Phillips
Sent: Friday, February 13, 2009 5:54 PM
To: Mike Louis
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 VTP and VLANs disappearing

Mike,

I've had this happen twice. Both times we were running VTP transparent, both times on 6509s with SUP720-3BXL and both times on 12.2.18-SXF*. We've not had this happen again since moving to 12.2.33-SXI.

Mike Louis wrote:
> Hey all,
>
> I just ran across an issue I have never seen before. We have a switch configured with about 250 VLANs and SVIs. The switch is configured in VTP transparent mode. Everything has been working fine until this morning we added a couple more vlans. After that we noticed that all but about 80 of the VLANs in the VTP database were missing. Somehow they got erased. No one was in the device since this happened and its configured in trans mode. Any ideas what could have happened? We put the VLANs back in and everything came up fine for now.
>
> Anyone ever heard of something like this happening? Is there a max number of L3 interfaces for 6500?
>
> Mike Louis
> Senior Solutions Architect
> CCIE #17082 (R&S)
> NWN, Inc
> mobile:336.253.5247
> mlouis at nwnit.com

--
Chris Phillips

From David at hughes.com.au Fri Feb 13 21:42:19 2009
From: David at hughes.com.au (David Hughes)
Date: Sat, 14 Feb 2009 12:42:19 +1000
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <4995A540.5010007@chrisserafin.com>
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com>
Message-ID:

On 14/02/2009, at 2:52 AM, ChrisSerafin wrote:
> I will have a pair of 2960's upstream that will have 2 bonded
> etherchannels going into each switch blade from each 2960. The
> etherchannels will be trunk links and then I will configure the
> internal virtual switchports as trunks going into the XEN
> Server....XEN is just like VMware/ESX...... the server tags the
> VLANs depending on what network they need to be on.
>
> Make sense at all? I've been google'ing until my eyes bleed trying
> to get up to speed on these devices.

Yup, that makes perfect sense and is similar to our architecture (if you substitute 6500 for 2960 you'd pretty much have our standard setup). We run nodes of ESX farms on blades in this configuration. If you are planning on dense virtualisation or multi-node farms then you'll need to be running MST for your spanning tree. Running any form of per-vlan STP will have you running out of STP instances before you run out of vlans you need to trunk to your ESX / Xen boxes.

Thanks
David
...

From madunix at gmail.com Sat Feb 14 01:59:07 2009
From: madunix at gmail.com (Mad Unix)
Date: Sat, 14 Feb 2009 08:59:07 +0200
Subject: [c-nsp] CCIE Lab
Message-ID: <4d3f56c90902132259o364ff05fr69ae58c865f119bc@mail.gmail.com>

Can you please tell me what *you* did to master the CCIE Lab? Your input is really appreciated.

--
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity." Dennis Ritchie.
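The following is an added example for the dot1q-tunnel (QinQ) configuration and the untagged-versus-tagged pseudowire discussion in the EoMPLS thread above; it is not code from any post on this list. It is a small Python model of an 802.1Q tag stack: it parses a frame, pushes the outer tag that a dot1q-tunnel access port adds on top of the access-VLAN tag from the trunk, pops tags again, and reports the on-wire length to compare against the layer 2 MTU that Laurent's crossover-cable recipe depends on. MAC addresses, VIDs and the payload are constructed; the outer TPID is assumed to be 0x8100, the default on an unmodified IOS dot1q-tunnel port (0x88a8 is the 802.1ad value). It models only the frame format, not the 7600 forwarding path, so it says nothing about whether a port-mode and a vlan-mode attachment circuit interoperate on that platform.

```python
"""Parse, push, pop and size 802.1Q / QinQ tag stacks on Ethernet frames."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # C-tag, and (assumed) the default outer tag on a dot1q-tunnel port
TPID_8021AD = 0x88A8     # IEEE 802.1ad service tag (S-tag)
TPID_QINQ_LEGACY = 0x9100
VLAN_TPIDS = (TPID_8021Q, TPID_8021AD, TPID_QINQ_LEGACY)
FCS_LEN = 4


@dataclass(frozen=True)
class VlanTag:
    tpid: int
    pcp: int = 0
    dei: int = 0
    vid: int = 0

    def pack(self) -> bytes:
        if not 0 <= self.vid <= 4095:
            raise ValueError("VID out of range")
        tci = (self.pcp & 7) << 13 | (self.dei & 1) << 12 | (self.vid & 0x0FFF)
        return struct.pack("!HH", self.tpid, tci)


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    tags: tuple          # outermost tag first
    ethertype: int
    payload: bytes

    def pack(self) -> bytes:
        return (self.dst + self.src + b"".join(t.pack() for t in self.tags)
                + struct.pack("!H", self.ethertype) + self.payload)

    def vids(self):
        return [t.vid for t in self.tags]


def parse_frame(raw: bytes) -> Frame:
    """Walk the tag stack until a non-VLAN EtherType is found; reject truncated input."""
    if len(raw) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    off, tags = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated frame")
        et = struct.unpack_from("!H", raw, off)[0]
        if et not in VLAN_TPIDS:
            break
        if off + 4 > len(raw):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        tags.append(VlanTag(et, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return Frame(raw[0:6], raw[6:12], tuple(tags), et, raw[off + 2:])


def push_tag(frame: Frame, vid: int, tpid: int = TPID_8021Q) -> Frame:
    """What a dot1q-tunnel port does: add an outer tag and keep whatever was inside."""
    return Frame(frame.dst, frame.src, (VlanTag(tpid, vid=vid),) + frame.tags,
                 frame.ethertype, frame.payload)


def pop_tag(frame: Frame) -> Frame:
    """Strip the outermost tag, as a trunk does when delivering to an access port."""
    if not frame.tags:
        raise ValueError("frame carries no VLAN tag")
    return Frame(frame.dst, frame.src, frame.tags[1:], frame.ethertype, frame.payload)


def wire_length(frame: Frame) -> int:
    """Bytes on the wire including FCS; this is what the link MTU has to carry."""
    return len(frame.pack()) + FCS_LEN


def qinq_path(payload: bytes, access_vid: int, tunnel_vid: int) -> Frame:
    """Untagged host frame -> trunk adds the access VLAN tag -> dot1q-tunnel port adds the outer tag."""
    host = Frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", (), 0x0800, payload)  # constructed MACs
    on_trunk = push_tag(host, access_vid)     # fa0/3 (access) -> fa0/2 (trunk)
    return push_tag(on_trunk, tunnel_vid)      # fa0/1 (dot1q-tunnel) toward the provider


if __name__ == "__main__":
    f = qinq_path(b"\x45" + b"\x00" * 1499, access_vid=50, tunnel_vid=10)
    print("tag stack, outer first:", f.vids(), "wire length:", wire_length(f))
    print("round trip intact:", parse_frame(f.pack()) == f)
```

With a 1500-byte payload the untagged frame is 1518 bytes on the wire, one tag makes it 1522 and the QinQ frame 1526, which is the number to check against the MTU of every hop on the provider-facing path; a parser that stops at the first non-VLAN EtherType is also what you need when writing a capture filter for double-tagged traffic, since the inner tag is not at the usual offset.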
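A second added example, again not from any post here, for the 7600 SVI + subinterface thread: a Python check that scans an IOS-style configuration for the two problems the replies describe, a VLAN ID claimed both by an `interface VlanN` SVI and by `encapsulation dot1Q N` on a subinterface (the conflict Peter and Gert say the box will report on ordinary LAN cards), and dot1q subinterfaces on a box whose VTP mode is not transparent. The sample configuration is constructed from Paul's question with one extra subinterface added; the regexes assume standard IOS `interface` and `encapsulation dot1Q` syntax, and the code assumes that a missing `vtp mode` line means the server default.

```python
"""Flag VLAN IDs claimed by both an SVI and a dot1q subinterface, and dot1q
subinterfaces combined with a non-transparent VTP mode, in an IOS-style config."""
import re
from collections import defaultdict

# Constructed sample based on the configuration asked about in the thread,
# with one extra subinterface (Gi9/8.301) that does not collide with an SVI.
SAMPLE_CONFIG = """\
vtp mode server
!
interface Vlan300
 description test test
 ip address 10.10.10.1 255.255.255.248
!
interface GigabitEthernet9/1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 300
!
interface GigabitEthernet9/8.300
 description Another customer
 encapsulation dot1Q 300
 ip address 192.168.0.1 255.255.255.240
!
interface GigabitEthernet9/8.301
 encapsulation dot1Q 301
 ip address 192.168.0.17 255.255.255.240
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
SVI_RE = re.compile(r"^Vlan(\d+)$", re.IGNORECASE)
ENCAP_RE = re.compile(r"^\s+encapsulation\s+dot1q\s+(\d+)", re.IGNORECASE)
VTP_MODE_RE = re.compile(r"^vtp\s+mode\s+(\S+)")


def parse_config(text):
    """Return (vtp_mode, {vid: [interfaces using it]}, [dot1q subinterfaces]).

    Assumption: a config without a 'vtp mode' line is in the IOS default, server mode.
    """
    vtp_mode = "server"
    vlan_users = defaultdict(list)
    subinterfaces = []
    current = None
    for line in text.splitlines():
        m = VTP_MODE_RE.match(line)
        if m:
            vtp_mode = m.group(1).lower()
            continue
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            svi = SVI_RE.match(current)
            if svi:
                vlan_users[int(svi.group(1))].append(current)
            continue
        m = ENCAP_RE.match(line)
        if m and current is not None:
            vlan_users[int(m.group(1))].append(current)
            subinterfaces.append(current)
    return vtp_mode, dict(vlan_users), subinterfaces


def find_conflicts(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    vtp_mode, vlan_users, subinterfaces = parse_config(text)
    findings = []
    for vid, names in sorted(vlan_users.items()):
        if len(names) > 1:
            findings.append(f"VLAN {vid} is claimed by more than one interface: "
                            + ", ".join(names))
    if subinterfaces and vtp_mode != "transparent":
        findings.append(f"dot1q subinterfaces configured while vtp mode is "
                        f"{vtp_mode}; transparent mode is required")
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_CONFIG):
        print("CONFLICT:", finding)
```

Run against `show running-config` output saved to a file, this catches the collision before the box does, which matters when the subinterface is added by a change window script that does not read the error. A trunk carrying VLAN 300 (Gi9/1) is deliberately not counted as a claim, since that is the normal pairing with an SVI.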
From saku+cisco-nsp at ytti.fi Sat Feb 14 03:47:31 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sat, 14 Feb 2009 10:47:31 +0200
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <39647f4d0902131404j16b1d9b4v3824aba1d4f3e439@mail.gmail.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com> <20090213182528.GA9212@mx.ytti.net> <39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com> <20090213213620.GA10607@mx.ytti.net> <39647f4d0902131404j16b1d9b4v3824aba1d4f3e439@mail.gmail.com>
Message-ID: <20090214084731.GB14923@mx.ytti.net>

On (2009-02-13 17:04 -0500), Laurent Geyer wrote:
> Still, you cannot define a networking type for a pseudo wire until
> mpls encapsulation is enabled.

I'm sorry if you understood my comment that way; I was simply trying to explain that you don't specify it in the xconnect line, but instead use pw-class where you can (also) define interworking.

> I just tested what you suggested and the output for `show mpls
> l2transport vc 821 detail' is the same whether I use a pseudo wire
> class like you suggested, or I simply define encapsulation mpls on the
> interface level.

Did you configure it on both sides? Configuration is OK now.

--
++ytti

From cphillips at wbsconnect.com Sat Feb 14 04:10:40 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Sat, 14 Feb 2009 01:10:40 -0800
Subject: [c-nsp] 6500 VTP and VLANs disappearing
In-Reply-To:
References:
Message-ID: <49968A90.7000106@wbsconnect.com>

Have no idea why it happened. I assumed it was a bug in the SXF train. It hasn't happened to us again, luckily. One other characteristic that I remember about it is that it only deleted non-extended VLANs. Was that similar to what happened to you?

Mike Louis wrote:
> Well we are running sxi so its happening in that rev as well. Any idea why or when it happens. If its a bug its a terrible one.
>
> -----Original Message-----
> From: Chris Phillips
> Sent: Friday, February 13, 2009 5:54 PM
> To: Mike Louis
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6500 VTP and VLANs disappearing
>
> Mike,
>
> I've had this happen twice. Both times we were running VTP transparent,
> both times on 6509s with SUP720-3BXL and both times on 12.2.18-SXF*.
> We've not had this happen again since moving to 12.2.33-SXI.
>
> Mike Louis wrote:
>> Hey all,
>>
>> I just ran across an issue I have never seen before. We have a switch configured with about 250 VLANs and SVIs. The switch is configured in VTP transparent mode. Everything has been working fine until this morning we added a couple more vlans. After that we noticed that all but about 80 of the VLANs in the VTP database were missing. Somehow they got erased. No one was in the device since this happened and its configured in trans mode. Any ideas what could have happened? We put the VLANs back in and everything came up fine for now.
>>
>> Anyone ever heard of something like this happening? Is there a max number of L3 interfaces for 6500?
>>
>> Mike Louis
>> Senior Solutions Architect
>> CCIE #17082 (R&S)
>> NWN, Inc
>> mobile:336.253.5247
>> mlouis at nwnit.com
>> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > -- > Chris Phillips > -- Chris Phillips From clanjones1 at yahoo.com Sat Feb 14 09:34:00 2009 From: clanjones1 at yahoo.com (Mike Jones) Date: Sat, 14 Feb 2009 06:34:00 -0800 (PST) Subject: [c-nsp] 6500 VTP and VLANs disappearing In-Reply-To: <49968A90.7000106@wbsconnect.com> Message-ID: <362994.77947.qm@web36903.mail.mud.yahoo.com> I have never come across this, however, if I recall correctly, the Supervisor MSFC should be able to handle at least 3000 IDBs running 12.2 IOS. A physical interface will take 1 IDB, and a logical interface (VLAN or subinterface) will take another IDB. I highly doubt you ran into an IDB limitation on your SUP. Mike J <>< --- On Sat, 2/14/09, Chris Phillips wrote: From: Chris Phillips Subject: Re: [c-nsp] 6500 VTP and VLANs disappearing To: "Mike Louis" Cc: "cisco-nsp at puck.nether.net" Date: Saturday, February 14, 2009, 3:10 AM Have no idea why it happened. I assumed it was a bug in the SXF train. It hasn't happened to us again, luckily. One other characteristic that I remember about it is that it only deleted non-extended VLANs. Was that similar to what happened to you? _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From dwinkworth at att.net Sat Feb 14 10:53:32 2009 From: dwinkworth at att.net (Derick Winkworth) Date: Sat, 14 Feb 2009 09:53:32 -0600 Subject: [c-nsp] OT: CCIE Lab In-Reply-To: <4d3f56c90902132259o364ff05fr69ae58c865f119bc@mail.gmail.com> References: <4d3f56c90902132259o364ff05fr69ae58c865f119bc@mail.gmail.com> Message-ID: <4996E8FC.8000307@att.net> You should subscribe to the CCIE groupstudy list. See http://www.groupstudy.com/ Studying. Practice. Lots of practice. I purchased the InternetworkExpert end-to-end program and I completed all 30 of the practice labs plus a couple of mock labs (Brian and Brian were great!). I did the live on-line classes and I watched the prerecorded ones repeatedly.
I listened to the audio classes repeatedly. I also took the first week of the NetMasterClass training. Bruce, Val, and Bob are great! I took notes in several different forms. I used a tool called freemind to make a massive mind-map. I took traditional notes and highlighted items in various texts. I made close to one thousand flashcards for particular items I needed help remembering. All said, I spent 8 months, 4-12 hours a day, 5-6 days a week preparing for the lab. Then I took and passed the lab. Personally the one thing that helped me the most, more than anything, was to admit that I knew far less about networking than I previously thought. I humbled myself greatly and I approached every topic as if I was learning it anew. I had a lot of false notions about how things actually worked. Also, you will realize during the actual hands-on application of the various topics... that there are a lot of dead trees in the form of books (including CiscoPress books) that are written very poorly or are just plain wrong. Even Cisco's documentation is very poor or wrong in a lot of places. The only way to really wrap your head around some things is to read from multiple sources about it AND to then build it in a lab and debug it.. in various scenarios and environments. A particularly enlightening exercise is to try to reduce any scenario or functionality to the absolute minimum number of commands needed to do it. Then think carefully on what you removed and what the actual purpose of it is. Then take copious notes. The end. Mad Unix wrote: > Can you please tell me, what *you* did to master the CCIE Lab? > > Your input is really appreciated.
From avayner at cisco.com Sat Feb 14 11:05:23 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sat, 14 Feb 2009 17:05:23 +0100 Subject: [c-nsp] 7600 SVI + Subinterface Question In-Reply-To: <20090213214516.GB10607@mx.ytti.net> References: <000001c98e10$4ffc5e50$eff51af0$@org><78C984F8939D424697B15E4B1C1BB3D734C0C1@xmb-ams-331.emea.cisco.com> <20090213214516.GB10607@mx.ytti.net> Message-ID: <78C984F8939D424697B15E4B1C1BB3D734C118@xmb-ams-331.emea.cisco.com> Ytti, You can do it on regular ES20's with EVC. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti Sent: Friday, February 13, 2009 23:45 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 7600 SVI + Subinterface Question On (2009-02-13 22:16 +0100), Arie Vayner (avayner) wrote: > The best option for using local VLAN significance is to use the more > advanced ES20 modules on the 7600: > http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3ad.html ES20 cards do not have VLAN local significance; while toasters are capable of doing it, you guys opted not to do it (perhaps due to toaster+microcode evilness when compared to ezcip+c?)
giga2/0/1.42 encap dot1q 42
giga2/0/2.42 encap dot1q 42
is not and will not be (non-technical reasons) possible in ES20. OP should rather consider ES+ cards, which are completely different cards and will do this. Sure you can work around this through EVC in ES20 but that is another bag of worms. I would strongly advise against anyone buying ES20, as ES+ costs the same.
(Of course you still can't escape the 4k VLAN limit in the platform) -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From saku+cisco-nsp at ytti.fi Sat Feb 14 11:24:25 2009 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Sat, 14 Feb 2009 18:24:25 +0200 Subject: [c-nsp] 7600 SVI + Subinterface Question In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D734C118@xmb-ams-331.emea.cisco.com> References: <20090213214516.GB10607@mx.ytti.net> <78C984F8939D424697B15E4B1C1BB3D734C118@xmb-ams-331.emea.cisco.com> Message-ID: <20090214162425.GA20342@mx.ytti.net> On (2009-02-14 17:05 +0100), Arie Vayner (avayner) wrote: > You can do it on regular ES20's with EVC. >> Sure you can work around this through EVC in ES20 but that is another >> bag of worms. I would strongly advise against anyone buying ES20, >> as ES+ costs the same. The bag of worms I was referring to means e.g. you can only match on CoS or class-default in EVC MQC. ACL is not available. So the simple requirement of policing all traffic means you do class-default, instead of the correct solution of an ACL of 'any'. With class-default you lose the ability to use VPN CAM, and in an L3 MPLS VPN environment you increase your VLAN usage (and reduce the number of customers you can terminate). Also one could argue higher configuration overhead to use EVC + SVI, more cruft in config. Many people don't like seeing lots and lots of SVIs when a subinterface suffices. It would be nice if EVC would optionally implement the SVI internally, so you could simply add an IP address to the EVC when you only have one interface for a given connection.
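The two approaches contrasted in this thread, written out as an added example (this is not configuration anyone posted on the list; interface names, VLAN and bridge-domain numbers, VRF names, addresses, ACL/policy names and the policer rate are placeholders). The first form reuses tag 42 on two ports as plain subinterfaces and polices with an ACL-matched class, which the thread says ES+ does and ES20 does not. The second form is the EVC + bridge-domain + SVI fallback for ES20, where the policer can only sit on class-default. Service-instance and policer syntax varies by line card and IOS release, so check the EVC block against the configuration guide for the card in question before using it.

```text
! Form 1: VLAN tag locally significant per port (subinterfaces).
! Policing through an ACL of 'any' keeps ACL-based classification.
ip access-list extended ANY
 permit ip any any
!
class-map match-all ALL-TRAFFIC
 match access-group name ANY
!
policy-map POLICE-ALL-ACL
 class ALL-TRAFFIC
  police cir 10000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet2/0/1.42
 encapsulation dot1Q 42
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
 service-policy input POLICE-ALL-ACL
!
interface GigabitEthernet2/0/2.42
 encapsulation dot1Q 42
 ip vrf forwarding CUST-B
 ip address 192.0.2.5 255.255.255.252
 service-policy input POLICE-ALL-ACL

! Form 2: EVC on ES20. Each port's tag 42 is popped and mapped to its
! own bridge-domain, and a separate SVI terminates each customer, so
! every attachment consumes one VLAN from the 4k pool plus one SVI.
! EVC MQC here can only match CoS or class-default, hence class-default.
policy-map POLICE-ALL
 class class-default
  police cir 10000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet2/0/1
 service instance 42 ethernet
  encapsulation dot1q 42
  rewrite ingress tag pop 1 symmetric
  service-policy input POLICE-ALL
  bridge-domain 1042
!
interface GigabitEthernet2/0/2
 service instance 42 ethernet
  encapsulation dot1q 42
  rewrite ingress tag pop 1 symmetric
  service-policy input POLICE-ALL
  bridge-domain 1043
!
interface Vlan1042
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
!
interface Vlan1043
 ip vrf forwarding CUST-B
 ip address 192.0.2.5 255.255.255.252
```

The cost of the second form is visible in the two extra Vlan interfaces and bridge-domains the first form never needed: one VLAN per customer attachment out of the platform's 4k, and a class-default policer in place of the ACL-matched one, which is the VPN CAM and VLAN-usage point made above.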
-- ++ytti From scott at labyrinth.org Sat Feb 14 21:13:27 2009 From: scott at labyrinth.org (Scott Keoseyan) Date: Sat, 14 Feb 2009 21:13:27 -0500 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: <49906CFE.7040407@justinshore.com> References: <49906CFE.7040407@justinshore.com> Message-ID: Didn't Infoblox just announce a module for the ISR for DNS/DHCP/NTP? That might be more appropriate somehow... Scott On Feb 9, 2009, at 12:50 PM, Justin Shore wrote: > Manaf Al Oqlah wrote: >> Hi all, >> I am configuring a Cisco 7600 router as a DHCP server for my >> broadband clients. I am using DHCP snooping and ARP inspection for >> security reasons, the lease expiration time is set to 30 >> minutes and no excluded-address is configured. The problem is that >> I can still see some client IP addresses whose lease expiration is >> Infinite in the DHCP binding! What could be the reason for this >> behavior, and could this be some sort of attack? > > I get them too. I never have figured out what causes them. So far > it hasn't been a big deal for me. > > BTW, I'd recommend not using the IOS DHCP server for anything that is > more than a convenience at a very small site. I would highly > recommend deploying a server-based DHCP server like ISC DHCPd. Lots > more bells and whistles to work with. Plus you can have redundancy > with the server-based solution. The IOS DHCP server is a fairly > stripped down implementation. I don't think it was intended to be > used in large environments like an SP's broadband network.
> > Justin > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From scott at labyrinth.org Sat Feb 14 21:58:44 2009 From: scott at labyrinth.org (Scott Keoseyan) Date: Sat, 14 Feb 2009 21:58:44 -0500 Subject: [c-nsp] Dynamic Vlan with 3750 In-Reply-To: <20090212142612.GB12420@lboro.ac.uk> References: <002101c98ca0$6169cef0$243d6cd0$@id.au> <20090212142612.GB12420@lboro.ac.uk> Message-ID: Umm, if you're going through the effort of running RADIUS anyway, why not just use MAC-Auth Bypass with 802.1X instead? It's going to be a lot more scalable and extensible. Scott On Feb 12, 2009, at 9:26 AM, A.L.M.Buxey at lboro.ac.uk wrote: > Hi, >> I have found some open source programs to deploy a VMPS server; I will >> be trying to set one up on a Linux server. If you know of another program, >> please notify me. Thanks. > > FreeRADIUS.
very very fast at doing VMPS - we use it > > alan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From gtb at slac.stanford.edu Sun Feb 15 00:51:53 2009 From: gtb at slac.stanford.edu (Buhrmaster, Gary) Date: Sat, 14 Feb 2009 21:51:53 -0800 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: <200902092022.14601.lowen@pari.edu> References: <49906CFE.7040407@justinshore.com> <200902092022.14601.lowen@pari.edu> Message-ID: > > BOOTP. > Have not used the IOS DHCP server in a long time (the ISC DHCP server is far more capable), but when I did, I vaguely recall adding these commands which eliminated the infinite lease times in my specific environment (which were all traced down to BOOTP requests):
no ip bootp server
ip dhcp bootp ignore
From p.mayers at imperial.ac.uk Sun Feb 15 06:34:54 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Sun, 15 Feb 2009 11:34:54 +0000 Subject: [c-nsp] 12.2(33)SXI revisited In-Reply-To: <20090210124019.GA8143@lboro.ac.uk> References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk> Message-ID: <20090215113454.GA24043@wildfire.net.ic.ac.uk> On Tue, Feb 10, 2009 at 12:40:19PM +0000, A.L.M.Buxey at lboro.ac.uk wrote: >hi, > >okay - after a fruitful time on the test/devel router and then >a prolonged period on 2 select routers, we're now SXI across >the board.... which has finally thrown up an error (of sorts!) >hurrah! :-) > >having exhausted my usual supply of cisco and google (and c-nsp ;-) ) >searches I thought I'd throw this one to the list before >visiting my TAC friends for the 3rd time this week.
> >note: so far we only observe this error on systems with 2 Sup720's in >SSO redundancy mode > >this is what's being logged: > >Feb 10 12:26:38: SP: Critical error processing oif ltl index change event (0100.5b00.073c, XXX, 0xB8B) >Feb 10 12:30:32: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefd, XXX, 0xBAB) >Feb 10 12:30:32: SP: Critical error processing oif ltl index change event (0100.5b1f.fefd, XXX, 0xBAB) >Feb 10 12:30:48: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefa, XXX, 0xBB3) >Feb 10 12:30:48: SP: Critical error processing oif ltl index change event (0100.5b1f.fefa, XXX, 0xBB3) >Feb 10 12:31:54: SP: Critical error processing rpf ltl index change event (0100.5b07.0076, XXX, 0xBBF) I haven't seen that one, but interestingly, I'm getting messages related to multicast on SXI too: %MLSM-6-LC_SCP_FAILURE: NMP encountered internal communication failure for (s,g,vlan), flow will be software switched We're getting them *very* infrequently, but we are getting them. TAC tell me this only happens after an SSO or OIR, however the last SSO/OIR was days (in some cases a week or more) before the most recent messages. We've also got some messages related to ISSU which were triggered by a bad chassis, so my perception is the logging verbosity is a bit higher in SXI generally. From p.mayers at imperial.ac.uk Sun Feb 15 06:52:35 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Sun, 15 Feb 2009 11:52:35 +0000 Subject: [c-nsp] BGP MSS=576 bytes In-Reply-To: References: Message-ID: <49980203.70803@imperial.ac.uk> Antonio M. Soares wrote: > Hello group, > > I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated an MSS of 536 bytes. Here's an I think you need a newer IOS.
Certainly under SXI I see: ac-core#sh ip bgp neighbors | inc path-mtu|max data seg Transport(tcp) path-mtu-discovery is enabled Datagrams (max data segment is 536 bytes): Transport(tcp) path-mtu-discovery is enabled Datagrams (max data segment is 1460 bytes): Transport(tcp) path-mtu-discovery is enabled Datagrams (max data segment is 9060 bytes): Transport(tcp) path-mtu-discovery is enabled Datagrams (max data segment is 536 bytes): ...depending on whether the neighbor is similarly equipped to be jumbo-framed and PMTU. From p.mayers at imperial.ac.uk Sun Feb 15 07:02:32 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Sun, 15 Feb 2009 12:02:32 +0000 Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX In-Reply-To: References: Message-ID: <49980458.4080201@imperial.ac.uk> Jeff Fitzwater wrote: > We are running 12.2.SXI on sup-720-cxl Short answer: no, it's just slow. My advice, and the solution we adopted - fetch the ARP table using an expect script via the CLI, which does not have this problem - we had mean RP CPU use drop a *huge* amount when I implemented that. If I ever get the "netconf" interface working for CLI, it'll become an even more attractive solution. You'd probably need an RFE to get the SNMP method "fixed", and I am not optimistic about your chances of success. > > We use snmp getnext and getbulk to get the ARP table from a router > that has ~16K entries and it takes about 10min to complete, with > ROUTER CPU at 100%. Our other routers have the same hardware and IOS > but have <10K entries and work fine. > > This is an old problem with CISCO and I thought they might have > finally fixed it in SXI, but NOT. > > The problem is the ARP entries are stored internally in a hashed > format and SNMP needs them in an ordered format, so for every snmp PDU > the CPU must get the entire ARP table and crunch it to create the > ordered PDU response. This will take place for as many PDUs as it > takes to retrieve the entire table. 
There does appear to be a point > (size of ARP table) at which it takes very long to retrieve the whole > table which seems to be around 12K but with a 16K table it takes > forever. Yep - it's an exponential slowdown. You could try the cseCefFib MIB (CISCO-SWITCH-ENGINE-MIB) but in our environment it was only ~10% faster, with an even higher CPU usage. > > In the attached PDF from CISCO they explain the problem and also state > the if you turn on CEF (has always been on for long time) that it is > much faster since the FIB is already in a lexical order that snmp > likes. Since CEF is always on, why does it still take so long. The explanation cisco offer has two problems: 1. it really dates from the days of CPU routers where the CEF structure lives primarily in CPU RAM, as opposed to the 6500s where it's formatted to be optimal for the hardware 2. the CEF table may be "in order" but you still have to do some sorting - namely for the ifIndex, because the ipNetToMedia table is indexed by: ifIndex.ip0.ip1.ip2.ip3 From peter at whole-uk.com Sun Feb 15 13:14:41 2009 From: peter at whole-uk.com (Pete Barnwell) Date: Sun, 15 Feb 2009 18:14:41 +0000 Subject: [c-nsp] Router requirement Message-ID: <49985B91.6060706@whole-uk.com> Hi, Wonder if anybody can help me with selecting the right router for CPE? It needs to be able to handle 100Mb/s delivered over FE, doing a bit of QoS and a few ACLs but no dynamic routing protocols. Thanks Pete From dwinkworth at att.net Sun Feb 15 14:16:56 2009 From: dwinkworth at att.net (Derick Winkworth) Date: Sun, 15 Feb 2009 13:16:56 -0600 Subject: [c-nsp] Router requirement In-Reply-To: <49985B91.6060706@whole-uk.com> References: <49985B91.6060706@whole-uk.com> Message-ID: <49986A28.4050003@att.net> 7200vxr Pete Barnwell wrote: > Hi, > > Wonder if anybody can help me with selecting the right router for CPE? > It needs to be able to handle 100Mb/s delivered over FE, doing a bit of > QoS and a few ACLs but no dynamic routing protocols. 
> > Thanks > > Pete > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From sthaug at nethelp.no Sun Feb 15 16:03:04 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Sun, 15 Feb 2009 22:03:04 +0100 (CET) Subject: [c-nsp] Router requirement In-Reply-To: <49986A28.4050003@att.net> References: <49985B91.6060706@whole-uk.com> <49986A28.4050003@att.net> Message-ID: <20090215.220304.74692549.sthaug@nethelp.no> > 7200vxr Well, if the QoS requirements aren't too advanced, something like a 3560 switch used as a router should work just fine. Steinar Haug, Nethelp consulting, sthaug at nethelp.no > > Pete Barnwell wrote: > > Hi, > > > > Wonder if anybody can help me with selecting the right router for CPE? > > It needs to be able to handle 100Mb/s delivered over FE, doing a bit of > > QoS and a few ACLs but no dynamic routing protocols. > > > > Thanks > > > > Pete > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rubensk at gmail.com Sun Feb 15 16:22:49 2009 From: rubensk at gmail.com (Rubens Kuhl) Date: Sun, 15 Feb 2009 18:22:49 -0300 Subject: [c-nsp] Router requirement In-Reply-To: <49985B91.6060706@whole-uk.com> References: <49985B91.6060706@whole-uk.com> Message-ID: <6bb5f5b10902151322w2d016d04x5f84b03591f3de28@mail.gmail.com> Consider using this one: ME-3400G-2CS-A with METROBASE IOS. Be aware that it doesn't have routing capabilities, but you can move the routing part to the PE, if (and that's an "if" you need to verify) you can ACL/QoS the broadcast and non-IP traffic so that it does not leave the CPE. See http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/prod_qas0900aecd8034fefb.html for this one. Rubens On Sun, Feb 15, 2009 at 3:14 PM, Pete Barnwell wrote: > Hi, > > Wonder if anybody can help me with selecting the right router for CPE? > It needs to be able to handle 100Mb/s delivered over FE, doing a bit of > QoS and a few ACLs but no dynamic routing protocols.
> > Thanks > > Pete > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From peter at whole-uk.com Sun Feb 15 17:53:38 2009 From: peter at whole-uk.com (Pete Barnwell) Date: Sun, 15 Feb 2009 22:53:38 +0000 Subject: [c-nsp] Router requirement In-Reply-To: <6bb5f5b10902151443n7df6fa10g263b24f21e9ea44e@mail.gmail.com> References: <49985B91.6060706@whole-uk.com> <6bb5f5b10902151322w2d016d04x5f84b03591f3de28@mail.gmail.com> <4998973C.9070008@whole-uk.com> <6bb5f5b10902151443n7df6fa10g263b24f21e9ea44e@mail.gmail.com> Message-ID: <49989CF2.4020107@whole-uk.com> > > The good thing about METROIPACCESS is the routing and OAM features > (OAM features are also available on METROACCESS, the middle ground > between BASE and IPACCESS), the bad thing about METROIPACCESS is its > cost. I don't know the cost structure or profit margins of your > service, but cash is known to be useful nowadays... > > If you could post the results of the lab testing to the list, it would be nice. I will do so once completed. To answer your queries on cost - I can live with METROIPACCESS if I need it, but as you identify, if I can 'get away' with the cheaper feature set it'd be nice... Regards Pete From illcritikz at gmail.com Sun Feb 15 20:30:50 2009 From: illcritikz at gmail.com (Ben Steele) Date: Mon, 16 Feb 2009 12:00:50 +1030 Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902090132x7bc04294s5446e10007298e0c@mail.gmail.com> References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <1234170440.3420.13.camel@localhost.localdomain> <4422cf660902090132x7bc04294s5446e10007298e0c@mail.gmail.com> Message-ID: <4422cf660902151730k4ed9e2c4yf8fca23e667cd3df@mail.gmail.com> For those interested I put the SFM's in last night without a hitch, in fact it didn't even drop a packet (1s ping intervals), it just did the usual OIR bus pause and one packet went up to 1600ms, then everything went back to normal except packets were now using the new crossbar fabric (no reboot required), very smooth. Running 12.2(18)SXF4 Before:
router#sh fab swi
Global switching mode is Flow through
dCEF mode is not enforced for system to operate
Fabric module is not required for system to operate
Modules are allowed to operate in bus mode
Truncated mode is not allowed unless threshold is met
Threshold for truncated mode operation is 2 SFM-capable cards
Module Slot    Switching Mode
 1             Bus
 3             Bus
 5             Bus
After:
router#sh fab swi
Global switching mode is Compact
dCEF mode is not enforced for system to operate
Fabric module is not required for system to operate
Modules are allowed to operate in bus mode
Truncated mode is not allowed unless threshold is met
Threshold for truncated mode operation is 2 SFM-capable cards
Module Slot    Switching Mode
 1             dCEF
 3             Crossbar
 5             Crossbar
 6             No Interfaces
router#sh fab util
slot   channel   Ingress %   Egress %
 1     0         0           0
 3     0         5           1
 5     0         1           5
Ben On Mon, Feb 9, 2009 at 8:02 PM, Ben Steele wrote: > Thanks for all the replies, personally I'm thinking it will be a few second > hiccup like you often get with OIR then on its way again but the fact I'm > changing how the underlying switch fabric works with this makes it more > interesting... I've scheduled an outage for this Sunday evening so I will > let you all know how it goes.
> Cheers > > Ben > > > On Mon, Feb 9, 2009 at 7:37 PM, Peter Rathlev wrote: > >> On Mon, 2009-02-09 at 10:26 +1030, Ben Steele wrote: >> > I'm looking for some info on the insertion of a SFM into a live >> 6500 (Sup2 >> > obviously), can't seem to find any info on Cisco as to the consequences >> this >> > may have to traffic flowing through the Bus at the time (ie dropped >> packet >> > rates), >> >> Just to chime in with more non-certain knowledge: When doing OIR the box >> does a "bus stall" AFAIK. This happens between when the pins start >> connecting and when all pins are connected. >> >> If this were to not cause any lost packets, the modules would have to >> buffer while the bus stall is in effect and retransmit whatever was on >> the wire when it happened. I don't think they do. >> >> Regards, >> Peter >> >> > From gkg at gmx.de Mon Feb 16 00:14:19 2009 From: gkg at gmx.de (Garry) Date: Mon, 16 Feb 2009 06:14:19 +0100 Subject: [c-nsp] Router requirement In-Reply-To: <49985B91.6060706@whole-uk.com> References: <49985B91.6060706@whole-uk.com> Message-ID: <4998F62B.6070105@gmx.de> Pete Barnwell wrote: > Hi, > > Wonder if anybody can help me with selecting the right router for CPE? > It needs to be able to handle 100Mb/s delivered over FE, doing a bit of > QoS and a few ACLs but no dynamic routing protocols. If you can live with a worst-case scenario of 87MBit, a 2821 might be a decent choice, too. Typical throughput, even with moderate QoS/ACL, should be well over 100M (maybe even with a 2811). Otherwise, a 3825 with its two 1G interfaces built in would be a real good alternative to the rather pricey 72k ...
-garry From andy.saykao at staff.netspace.net.au Mon Feb 16 00:31:20 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Mon, 16 Feb 2009 16:31:20 +1100 Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BF9@vic-cr-ex1.staff.netspace.net.au> Is it possible to aggregate and then load balance unequal ethernet circuits like so: I have two ethernet circuits on my Cisco router. Both have equal costs to the next hop. Ethernet Circuit #1 - 200M Ethernet Circuit #2 - 100M Can I aggregate both ethernet circuits so that the total amount of bandwidth available to the next hop is 300M? Can I then load balance it so both circuits are equally utilized? For example... * If I have 150M of traffic flowing to the next hop then the router would spread the load across both links like so: 100M through Ethernet Circuit #1. 50M through Ethernet Circuit #2. * The formula to use for this would be something like: Utilization / Total Bandwidth = percentage of utilization required per link 150/300 = 0.5 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M 0.5 x bandwidth of Ethernet #2 = 0.5 x 100 = 50M * If there was a total of 250M of traffic flowing to the next hop, and applying the formula above, the router would work out that the load distributed across both ethernet links would be: 166M through Ethernet Circuit #1. 84M through Ethernet Circuit #2. Any ideas??? Thanks. Andy This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses.
The organisation accepts no liability for any damage caused by any virus transmitted by this email. From illcritikz at gmail.com Mon Feb 16 01:32:29 2009 From: illcritikz at gmail.com (Ben Steele) Date: Mon, 16 Feb 2009 17:02:29 +1030 Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth In-Reply-To: <4422cf660902152229m1549f3c6ma804332630aa2f1d@mail.gmail.com> References: <56F211C5E3F24F47B103EA1B253822BE03654BF9@vic-cr-ex1.staff.netspace.net.au> <4422cf660902152229m1549f3c6ma804332630aa2f1d@mail.gmail.com> Message-ID: <4422cf660902152232i13b4f261h5efa5697971b1b53@mail.gmail.com> Whoops, meant to reply all in case someone else wants to chime in. On Mon, Feb 16, 2009 at 4:59 PM, Ben Steele wrote: > You could do this with variance in EIGRP, just add variance 2 into the > eigrp config and it will load balance on a 2:1 ratio, if your links are > equally matched in terms of latency you can look at enabling per-packet load > sharing on the 2 egress interfaces to get an even more granular > distribution, this can wreak some havoc with unequal paths and out of > sequence packets though, however if equally similar in characteristics then > performance is usually very good. > Ben > > > On Mon, Feb 16, 2009 at 4:01 PM, Andy Saykao < > andy.saykao at staff.netspace.net.au> wrote: > >> Is it possible to aggregate and then load balance unequal ethernet >> circuits like so: >> >> I have two ethernet circuits on my Cisco router. Both have equal costs to >> the next hop. >> >> Ethernet Circuit #1 - 200M >> Ethernet Circuit #2 - 100M >> >> Can I aggregate both ethernet circuits so that the total amount of >> bandwidth available to the next hop is 300M? >> Can I then load balance it so both circuits are equally utilized? >> >> For example... >> >> * If I have 150M of traffic flowing to the next hop then the router >> would spread the load across both links like so: >> >> 100M through Ethernet Circuit #1. >> 50M through Ethernet Circuit #2.
>> >> * The formula to use for this would be something like: >> >> Utilization / Total Bandwidth = percentage of utilization required per >> link >> 150/300 = 0.5 >> >> 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M >> 0.5 x bandwidth of Ethernet #1 = 0.5 x 100 = 50M >> >> * If there was a total of 250M of traffic flowing to the next hop, and >> applying the formula above, the router would work out that the load >> distributed across both ethernet links would be: >> >> 166M through Ethernet Circuit #1. >> 84M through Ethernet Circuit #2. >> >> Any ideas??? >> >> Thanks. >> >> Andy >> >> This email and any files transmitted with it are confidential and intended >> solely for the use of the individual or entity to whom they are >> addressed. >> Please notify the sender immediately by email if you have received this >> email by mistake and delete this email from your system. Please note that >> any views or opinions presented in this email are solely those of the >> author and do not necessarily represent those of the organisation. >> Finally, the recipient should check this email and any attachments for >> the presence of viruses. The organisation accepts no liability for any >> damage caused by any virus transmitted by this email. >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From andy.saykao at staff.netspace.net.au Mon Feb 16 01:39:29 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Mon, 16 Feb 2009 17:39:29 +1100 Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au> Hi Ben, When I googled around, there were many discussions abvout using the variance command with eigrp but we don't run eigrp internally as our IGP. 
This is a typical setup where we need to upgrade some of our links, so we might upgrade 50M on the second leg and end up with a situation where the first leg is100M and the second leg is 150M. As you may know, some providers aren't so flexible so you can't just upgrade 25M on each leg because they increment by 50M per leg only. Hence my question if it was possible to load balance across unequal ethernet circuits without buying additional bandwidth for both circuits. Thanks. Andy ________________________________ From: Ben Steele [mailto:illcritikz at gmail.com] Sent: Monday, 16 February 2009 5:29 PM To: Andy Saykao Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth You could do this with variance in eigrp, just add variance 2 into the eigrp config and it will load balance on a 2:1 ratio, if your links are equally matched in terms of latency you can look at enabling per-packet load sharing on the 2 egress interfaces to get an even more granular distribution, this can wreck some havoc with unequal paths and out of sequence packets though, however if equally similar in characteristics then performance is usually very good. Ben On Mon, Feb 16, 2009 at 4:01 PM, Andy Saykao wrote: Is it possible to aggregate and then load balance unequal ethernet circuits like so: I have two ethenet circuits on my Cisco router. Both have equal costs to the next hop. Ethernet Circuit #1- 200M Ethernet Circuit #2 - 100M Can I aggregate both ethernet circuits so that the total amount of bandwidth available to the next hop is is 300M? Can I then load balance it so both circuits are equally utilized? For example... * If I have 150M of traffic flowing to the next hop then the router would spread the load across both links like so: 100M through Ethernet Circuit #1. 50M through Ethernet Circuit #2. 
* The formula to use for this would be something like: Utilization / Total Bandwidth = percentage of utilization required per link 150/300 = 0.5 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M 0.5 x bandwidth of Ethernet #1 = 0.5 x 100 = 50M * If there was a total of 250M of traffic flowing to the next hop, and applying the formula above, the router would work out that the load distributed across both ethernet links would be: 166M through Ethernet Circuit #1. 84M through Ethernet Circuit #2. Any ideas??? Thanks. Andy This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. 
For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ From illcritikz at gmail.com Mon Feb 16 01:44:18 2009 From: illcritikz at gmail.com (Ben Steele) Date: Mon, 16 Feb 2009 17:14:18 +1030 Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au> Message-ID: <4422cf660902152244y5ec215b5h595668bfbc25f78c@mail.gmail.com> So are these links your WAN links to your provider you are referring to? If so are you running BGP over them or just a static default? On Mon, Feb 16, 2009 at 5:09 PM, Andy Saykao < andy.saykao at staff.netspace.net.au> wrote: > Hi Ben, > > When I googled around, there were many discussions abvout using the > variance command with eigrp but we don't run eigrp internally as our IGP. > > This is a typical setup where we need to upgrade some of our links, so we > might upgrade 50M on the second leg and end up with a situation where the > first leg is100M and the second leg is 150M. As you may know, some providers > aren't so flexible so you can't just upgrade 25M on each leg because they > increment by 50M per leg only. Hence my question if it was possible to load > balance across unequal ethernet circuits without buying additional bandwidth > for both circuits. > > Thanks. 
> > Andy > > > ------------------------------ > *From:* Ben Steele [mailto:illcritikz at gmail.com] > *Sent:* Monday, 16 February 2009 5:29 PM > *To:* Andy Saykao > *Subject:* Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth > > You could do this with variance in eigrp, just add variance 2 into the > eigrp config and it will load balance on a 2:1 ratio, if your links are > equally matched in terms of latency you can look at enabling per-packet load > sharing on the 2 egress interfaces to get an even more granular > distribution, this can wreck some havoc with unequal paths and out of > sequence packets though, however if equally similar in characteristics then > performance is usually very good. > Ben > > On Mon, Feb 16, 2009 at 4:01 PM, Andy Saykao < > andy.saykao at staff.netspace.net.au> wrote: > >> Is it possible to aggregate and then load balance unequal ethernet >> circuits like so: >> >> I have two ethenet circuits on my Cisco router. Both have equal costs to >> the next hop. >> >> Ethernet Circuit #1- 200M >> Ethernet Circuit #2 - 100M >> >> Can I aggregate both ethernet circuits so that the total amount of >> bandwidth available to the next hop is is 300M? >> Can I then load balance it so both circuits are equally utilized? >> >> For example... >> >> * If I have 150M of traffic flowing to the next hop then the router >> would spread the load across both links like so: >> >> 100M through Ethernet Circuit #1. >> 50M through Ethernet Circuit #2. >> >> * The formula to use for this would be something like: >> >> Utilization / Total Bandwidth = percentage of utilization required per >> link >> 150/300 = 0.5 >> >> 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M >> 0.5 x bandwidth of Ethernet #1 = 0.5 x 100 = 50M >> >> * If there was a total of 250M of traffic flowing to the next hop, and >> applying the formula above, the router would work out that the load >> distributed across both ethernet links would be: >> >> 166M through Ethernet Circuit #1. 
>> 84M through Ethernet Circuit #2. >> >> Any ideas??? >> >> Thanks. >> >> Andy >> >> This email and any files transmitted with it are confidential and intended >> solely for the use of the individual or entity to whom they are >> addressed. >> Please notify the sender immediately by email if you have received this >> email by mistake and delete this email from your system. Please note that >> any views or opinions presented in this email are solely those of the >> author and do not necessarily represent those of the organisation. >> Finally, the recipient should check this email and any attachments for >> the presence of viruses. The organisation accepts no liability for any >> damage caused by any virus transmitted by this email. >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > ______________________________________________________________________ > This email has been scanned by the MessageLabs Email Security System. > For more information please visit http://www.messagelabs.com/email > ______________________________________________________________________ > > This email and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to whom they are addressed. > Please notify the sender immediately by email if you have received this > email by mistake and delete this email from your system. Please note that > any views or opinions presented in this email are solely those of the author > and do not necessarily represent those of the organisation. Finally, the > recipient should check this email and any attachments for the presence of > viruses. The organisation accepts no liability for any damage caused by any > virus transmitted by this email. 
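The split Andy asks for and the 2:1 ratio Ben mentions, worked through as an added example (not code from any poster in this thread). It assumes a router that shares load in proportion to an integer weight per path (the "traffic share count" IOS reports in show ip route) and uses a SHA-256 stand-in for the router's own per-destination hash; it also goes beyond the 200M/100M case to the 100M/150M upgrade Andy describes and to what plain equal-cost sharing would waste.

```python
"""Unequal-cost load split arithmetic for the question in this thread.

Added example, not code from any poster.  Assumption: the router shares
load across next hops in proportion to an integer weight per path (IOS
shows it as the "traffic share count"), so the continuous split of Andy's
formula has to be approximated with small integer ratios.  Per-destination
selection is modelled with a SHA-256 hash, which is a constructed stand-in
for the router's real hash, not the router's algorithm.
"""
from fractions import Fraction
from functools import reduce
from math import gcd
import hashlib


def proportional_split(total_mbps, link_mbps):
    """Andy's formula: link i carries total * (bw_i / sum of bandwidths)."""
    capacity = sum(link_mbps)
    if total_mbps > capacity:
        raise ValueError(f"{total_mbps}M exceeds the {capacity}M aggregate")
    return [Fraction(total_mbps) * bw / capacity for bw in link_mbps]


def share_counts(link_mbps):
    """Smallest integer weights in the same ratio as the link bandwidths
    (200M:100M -> 2:1, 100M:150M -> 2:3).  Each unit of weight costs one
    path entry in the routing table, e.g. one static route."""
    g = reduce(gcd, link_mbps)
    return [bw // g for bw in link_mbps]


def paths_needed(link_mbps):
    """Route entries the ratio needs.  The platform's maximum-paths limit
    (whatever it is on a given box) caps what can actually be installed."""
    return sum(share_counts(link_mbps))


def usable_capacity(link_mbps, weights):
    """Aggregate throughput reachable before the first link saturates when
    traffic is split by integer weights.  Link i receives total * w_i / W,
    so it fills at total = bw_i * W / w_i; the smallest of those wins."""
    total_weight = sum(weights)
    return min(Fraction(bw) * total_weight / w
               for bw, w in zip(link_mbps, weights))


def _slot(dst_ip):
    # Constructed stand-in for the router's per-destination hash.
    return int.from_bytes(hashlib.sha256(dst_ip.encode()).digest()[:4], "big")


def pick_path(dst_ip, weights):
    """Per-destination sharing: path i owns weights[i] of W slots and the
    destination hash selects a slot.  Giving one link two slots is the
    same effect as pointing two static routes at that link."""
    table = [i for i, w in enumerate(weights) for _ in range(w)]
    return table[_slot(dst_ip) % len(table)]


def simulate(dst_ips, weights):
    """Count how many destinations land on each path."""
    counts = [0] * len(weights)
    for ip in dst_ips:
        counts[pick_path(ip, weights)] += 1
    return counts


def constructed_destinations(n):
    """n synthetic destination addresses (constructed sample input)."""
    return [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
            for i in range(n)]


if __name__ == "__main__":
    links = [200, 100]
    print("150M split:", [float(x) for x in proportional_split(150, links)])
    print("250M split:", [float(x) for x in proportional_split(250, links)])
    print("weights:", share_counts(links), "paths:", paths_needed(links))
    print("usable at 2:1 weights:", usable_capacity(links, [2, 1]), "M")
    print("usable at equal-cost 1:1:", usable_capacity(links, [1, 1]), "M")
    print("100/150 needs", share_counts([100, 150]),
          "->", paths_needed([100, 150]), "paths")
    print("3000 destinations at 2:1:",
          simulate(constructed_destinations(3000), [2, 1]))
```

The equal-cost row is the point of the thread: with 1:1 sharing the 100M link fills at 200M aggregate and the other 100M of the 200M circuit is never used.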
> From td_miles at yahoo.com Mon Feb 16 02:02:05 2009 From: td_miles at yahoo.com (Tony) Date: Sun, 15 Feb 2009 23:02:05 -0800 (PST) Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au> Message-ID: <994486.58791.qm@web110103.mail.gq1.yahoo.com> Hi Andy, What do you run as IGP then so that we can help you out ? If static routes, then you can do it using by having multiple routes that are to the same destination. eg. on 2x serial links you might have: serial1 = 200Mbps (10.1.1.1/30) serial2 = 100Mbps (10.1.1.5/3) You would then add static routes like this: ip route x y serial1 ip route x y 10.1.1.2 ip route x y serial2 This way when you do "show ip route x" you would see something like: * directly connected via serial1 Route metric is 0, traffic share count is 1 * directly connected via serial2 Route metric is 0, traffic share count is 1 * 10.1.1.2 Route metric is 0, traffic share count is 1 Your router would then divide the traffic into three with one third going to each of the destinations configured. The fact that two of those destinations are the same link means that two thirds will go down your 200Mbps link and one third down your 100Mbps link. This is fairly basic and doesn't scale very well, but will work. regards, Tony. --- On Mon, 16/2/09, Andy Saykao wrote: > From: Andy Saykao > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth > To: "Ben Steele" > Cc: cisco-nsp at puck.nether.net > Date: Monday, 16 February, 2009, 5:39 PM > Hi Ben, > > When I googled around, there were many discussions abvout > using the > variance command with eigrp but we don't run eigrp > internally as our > IGP. > > This is a typical setup where we need to upgrade some of > our links, so > we might upgrade 50M on the second leg and end up with a > situation where > the first leg is100M and the second leg is 150M. 
As you may > know, some > providers aren't so flexible so you can't just > upgrade 25M on each leg > because they increment by 50M per leg only. Hence my > question if it was > possible to load balance across unequal ethernet circuits > without buying > additional bandwidth for both circuits. > > Thanks. > > Andy > > > ________________________________ > > From: Ben Steele [mailto:illcritikz at gmail.com] > Sent: Monday, 16 February 2009 5:29 PM > To: Andy Saykao > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet > Bandwidth > > > You could do this with variance in eigrp, just add variance > 2 into the > eigrp config and it will load balance on a 2:1 ratio, if > your links are > equally matched in terms of latency you can look at > enabling per-packet > load sharing on the 2 egress interfaces to get an even more > granular > distribution, this can wreck some havoc with unequal paths > and out of > sequence packets though, however if equally similar in > characteristics > then performance is usually very good. > > Ben > > > On Mon, Feb 16, 2009 at 4:01 PM, Andy Saykao > wrote: > > > Is it possible to aggregate and then load balance unequal > ethernet > circuits like so: > > I have two ethenet circuits on my Cisco router. Both have > equal > costs to > the next hop. > > Ethernet Circuit #1- 200M > Ethernet Circuit #2 - 100M > > Can I aggregate both ethernet circuits so that the total > amount > of > bandwidth available to the next hop is is 300M? > Can I then load balance it so both circuits are equally > utilized? > > For example... > > * If I have 150M of traffic flowing to the next hop then > the > router > would spread the load across both links like so: > > 100M through Ethernet Circuit #1. > 50M through Ethernet Circuit #2. 
> > * The formula to use for this would be something like: > > Utilization / Total Bandwidth = percentage of utilization > required per > link > 150/300 = 0.5 > > 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M > 0.5 x bandwidth of Ethernet #1 = 0.5 x 100 = 50M > > * If there was a total of 250M of traffic flowing to the > next > hop, and > applying the formula above, the router would work out that > the > load > distributed across both ethernet links would be: > > 166M through Ethernet Circuit #1. > 84M through Ethernet Circuit #2. > > Any ideas??? > > Thanks. > > Andy From illcritikz at gmail.com Mon Feb 16 02:06:19 2009 From: illcritikz at gmail.com (Ben Steele) Date: Mon, 16 Feb 2009 17:36:19 +1030 Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth In-Reply-To: <994486.58791.qm@web110103.mail.gq1.yahoo.com> References: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au> <994486.58791.qm@web110103.mail.gq1.yahoo.com> Message-ID: <4422cf660902152306o502d9d7du338317c80cd8e946@mail.gmail.com> Alternatively if you are using BGP, have a look at BGP Link Bandwidth http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftbgplb.html On Mon, Feb 16, 2009 at 5:32 PM, Tony wrote: > > Hi Andy, > > What do you run as IGP then so that we can help you out ? > > If static routes, then you can do it using by having multiple routes that > are to the same destination. > > eg. 
on 2x serial links you might have: > > serial1 = 200Mbps (10.1.1.1/30) > serial2 = 100Mbps (10.1.1.5/3) > > You would then add static routes like this: > ip route x y serial1 > ip route x y 10.1.1.2 > ip route x y serial2 > > This way when you do "show ip route x" you would see something like: > > * directly connected via serial1 > Route metric is 0, traffic share count is 1 > * directly connected via serial2 > Route metric is 0, traffic share count is 1 > * 10.1.1.2 > Route metric is 0, traffic share count is 1 > > Your router would then divide the traffic into three with one third going > to each of the destinations configured. The fact that two of those > destinations are the same link means that two thirds will go down your > 200Mbps link and one third down your 100Mbps link. > > This is fairly basic and doesn't scale very well, but will work. > > > regards, > Tony. > > > --- On Mon, 16/2/09, Andy Saykao > wrote: > > > From: Andy Saykao > > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth > > To: "Ben Steele" > > Cc: cisco-nsp at puck.nether.net > > Date: Monday, 16 February, 2009, 5:39 PM > > Hi Ben, > > > > When I googled around, there were many discussions abvout > > using the > > variance command with eigrp but we don't run eigrp > > internally as our > > IGP. > > > > This is a typical setup where we need to upgrade some of > > our links, so > > we might upgrade 50M on the second leg and end up with a > > situation where > > the first leg is100M and the second leg is 150M. As you may > > know, some > > providers aren't so flexible so you can't just > > upgrade 25M on each leg > > because they increment by 50M per leg only. Hence my > > question if it was > > possible to load balance across unequal ethernet circuits > > without buying > > additional bandwidth for both circuits. > > > > Thanks. 
> > > > Andy > > > > > > ________________________________ > > > > From: Ben Steele [mailto:illcritikz at gmail.com] > > Sent: Monday, 16 February 2009 5:29 PM > > To: Andy Saykao > > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet > > Bandwidth > > > > > > You could do this with variance in eigrp, just add variance > > 2 into the > > eigrp config and it will load balance on a 2:1 ratio, if > > your links are > > equally matched in terms of latency you can look at > > enabling per-packet > > load sharing on the 2 egress interfaces to get an even more > > granular > > distribution, this can wreck some havoc with unequal paths > > and out of > > sequence packets though, however if equally similar in > > characteristics > > then performance is usually very good. > > > > Ben > > > > > > On Mon, Feb 16, 2009 at 4:01 PM, Andy Saykao > > wrote: > > > > > > Is it possible to aggregate and then load balance unequal > > ethernet > > circuits like so: > > > > I have two ethenet circuits on my Cisco router. Both have > > equal > > costs to > > the next hop. > > > > Ethernet Circuit #1- 200M > > Ethernet Circuit #2 - 100M > > > > Can I aggregate both ethernet circuits so that the total > > amount > > of > > bandwidth available to the next hop is is 300M? > > Can I then load balance it so both circuits are equally > > utilized? > > > > For example... > > > > * If I have 150M of traffic flowing to the next hop then > > the > > router > > would spread the load across both links like so: > > > > 100M through Ethernet Circuit #1. > > 50M through Ethernet Circuit #2. 
> > > > * The formula to use for this would be something like: > > > > Utilization / Total Bandwidth = percentage of utilization > > required per > > link > > 150/300 = 0.5 > > > > 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M > > 0.5 x bandwidth of Ethernet #1 = 0.5 x 100 = 50M > > > > * If there was a total of 250M of traffic flowing to the > > next > > hop, and > > applying the formula above, the router would work out that > > the > > load > > distributed across both ethernet links would be: > > > > 166M through Ethernet Circuit #1. > > 84M through Ethernet Circuit #2. > > > > Any ideas??? > > > > Thanks. > > > > Andy > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From andy.saykao at staff.netspace.net.au Mon Feb 16 02:39:55 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Mon, 16 Feb 2009 18:39:55 +1100 Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BFC@vic-cr-ex1.staff.netspace.net.au> Hi Tony, Thanks for that. Yeah I saw at an example of that at: http://blog.ioshints.info/2007/02/unequal-load-split-with-static-routes. html It's a nice trick to know. Although when one link goes down, I believe you'll lose packets (or they may be delayed or resent) as the load-sharing algorithm uses round-robin to distribute the load and doesn't take into account whether the link has gone down or not. Cheers. Andy -----Original Message----- From: Tony [mailto:td_miles at yahoo.com] Sent: Monday, 16 February 2009 6:02 PM To: Andy Saykao Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth Hi Andy, What do you run as IGP then so that we can help you out ? If static routes, then you can do it using by having multiple routes that are to the same destination. eg. 
on 2x serial links you might have: serial1 = 200Mbps (10.1.1.1/30) serial2 = 100Mbps (10.1.1.5/3) You would then add static routes like this: ip route x y serial1 ip route x y 10.1.1.2 ip route x y serial2 This way when you do "show ip route x" you would see something like: * directly connected via serial1 Route metric is 0, traffic share count is 1 * directly connected via serial2 Route metric is 0, traffic share count is 1 * 10.1.1.2 Route metric is 0, traffic share count is 1 Your router would then divide the traffic into three with one third going to each of the destinations configured. The fact that two of those destinations are the same link means that two thirds will go down your 200Mbps link and one third down your 100Mbps link. This is fairly basic and doesn't scale very well, but will work. regards, Tony. --- On Mon, 16/2/09, Andy Saykao wrote: > From: Andy Saykao > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth > To: "Ben Steele" > Cc: cisco-nsp at puck.nether.net > Date: Monday, 16 February, 2009, 5:39 PM Hi Ben, > > When I googled around, there were many discussions abvout using the > variance command with eigrp but we don't run eigrp internally as our > IGP. > > This is a typical setup where we need to upgrade some of our links, so > we might upgrade 50M on the second leg and end up with a situation > where the first leg is100M and the second leg is 150M. As you may > know, some providers aren't so flexible so you can't just upgrade 25M > on each leg because they increment by 50M per leg only. Hence my > question if it was possible to load balance across unequal ethernet > circuits without buying additional bandwidth for both circuits. > > Thanks. 
> > Andy > > > ________________________________ > > From: Ben Steele [mailto:illcritikz at gmail.com] > Sent: Monday, 16 February 2009 5:29 PM > To: Andy Saykao > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth > > > You could do this with variance in eigrp, just add variance > 2 into the > eigrp config and it will load balance on a 2:1 ratio, if > your links are > equally matched in terms of latency you can look at > enabling per-packet > load sharing on the 2 egress interfaces to get an even more > granular > distribution, this can wreck some havoc with unequal paths > and out of > sequence packets though, however if equally similar in > characteristics > then performance is usually very good. > > Ben > > > On Mon, Feb 16, 2009 at 4:01 PM, Andy Saykao > wrote: > > > Is it possible to aggregate and then load balance unequal > ethernet > circuits like so: > > I have two ethenet circuits on my Cisco router. Both have > equal > costs to > the next hop. > > Ethernet Circuit #1- 200M > Ethernet Circuit #2 - 100M > > Can I aggregate both ethernet circuits so that the total > amount > of > bandwidth available to the next hop is is 300M? > Can I then load balance it so both circuits are equally > utilized? > > For example... > > * If I have 150M of traffic flowing to the next hop then > the > router > would spread the load across both links like so: > > 100M through Ethernet Circuit #1. > 50M through Ethernet Circuit #2. > > * The formula to use for this would be something like: > > Utilization / Total Bandwidth = percentage of utilization > required per > link > 150/300 = 0.5 > > 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M > 0.5 x bandwidth of Ethernet #1 = 0.5 x 100 = 50M > > * If there was a total of 250M of traffic flowing to the > next > hop, and > applying the formula above, the router would work out that > the > load > distributed across both ethernet links would be: > > 166M through Ethernet Circuit #1. > 84M through Ethernet Circuit #2. 
> > Any ideas??? > > Thanks. > > Andy ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From andy.saykao at staff.netspace.net.au Mon Feb 16 02:47:13 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Mon, 16 Feb 2009 18:47:13 +1100 Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BFD@vic-cr-ex1.staff.netspace.net.au> Tony - we run OSPF as our IGP. Ben - on our WAN link we run BGP. We also have ethernet circuits between our POPS in each capital city which we run OSPF over. I'll give that link a read. Thanks ________________________________ From: Ben Steele [mailto:illcritikz at gmail.com] Sent: Monday, 16 February 2009 6:06 PM To: td_miles at yahoo.com Cc: Andy Saykao; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth Alternatively if you are using BGP, have a look at BGP Link Bandwidth http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftbgplb.h tml On Mon, Feb 16, 2009 at 5:32 PM, Tony wrote: Hi Andy, What do you run as IGP then so that we can help you out ? 
If static routes, then you can do it using by having multiple routes that are to the same destination. eg. on 2x serial links you might have: serial1 = 200Mbps (10.1.1.1/30) serial2 = 100Mbps (10.1.1.5/3) You would then add static routes like this: ip route x y serial1 ip route x y 10.1.1.2 ip route x y serial2 This way when you do "show ip route x" you would see something like: * directly connected via serial1 Route metric is 0, traffic share count is 1 * directly connected via serial2 Route metric is 0, traffic share count is 1 * 10.1.1.2 Route metric is 0, traffic share count is 1 Your router would then divide the traffic into three with one third going to each of the destinations configured. The fact that two of those destinations are the same link means that two thirds will go down your 200Mbps link and one third down your 100Mbps link. This is fairly basic and doesn't scale very well, but will work. regards, Tony. --- On Mon, 16/2/09, Andy Saykao wrote: > From: Andy Saykao > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth > To: "Ben Steele" > Cc: cisco-nsp at puck.nether.net > Date: Monday, 16 February, 2009, 5:39 PM > Hi Ben, > > When I googled around, there were many discussions abvout > using the > variance command with eigrp but we don't run eigrp > internally as our > IGP. > > This is a typical setup where we need to upgrade some of > our links, so > we might upgrade 50M on the second leg and end up with a > situation where > the first leg is100M and the second leg is 150M. As you may > know, some > providers aren't so flexible so you can't just > upgrade 25M on each leg > because they increment by 50M per leg only. Hence my > question if it was > possible to load balance across unequal ethernet circuits > without buying > additional bandwidth for both circuits. > > Thanks. 
> > Andy > > > ________________________________ > > From: Ben Steele [mailto:illcritikz at gmail.com] > Sent: Monday, 16 February 2009 5:29 PM > To: Andy Saykao > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet > Bandwidth > > > You could do this with variance in eigrp, just add variance > 2 into the > eigrp config and it will load balance on a 2:1 ratio, if > your links are > equally matched in terms of latency you can look at > enabling per-packet > load sharing on the 2 egress interfaces to get an even more > granular > distribution, this can wreck some havoc with unequal paths > and out of > sequence packets though, however if equally similar in > characteristics > then performance is usually very good. > > Ben > > > On Mon, Feb 16, 2009 at 4:01 PM, Andy Saykao > wrote: > > > Is it possible to aggregate and then load balance unequal > ethernet > circuits like so: > > I have two ethenet circuits on my Cisco router. Both have > equal > costs to > the next hop. > > Ethernet Circuit #1- 200M > Ethernet Circuit #2 - 100M > > Can I aggregate both ethernet circuits so that the total > amount > of > bandwidth available to the next hop is is 300M? > Can I then load balance it so both circuits are equally > utilized? > > For example... > > * If I have 150M of traffic flowing to the next hop then > the > router > would spread the load across both links like so: > > 100M through Ethernet Circuit #1. > 50M through Ethernet Circuit #2. > > * The formula to use for this would be something like: > > Utilization / Total Bandwidth = percentage of utilization > required per > link > 150/300 = 0.5 > > 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M > 0.5 x bandwidth of Ethernet #1 = 0.5 x 100 = 50M > > * If there was a total of 250M of traffic flowing to the > next > hop, and > applying the formula above, the router would work out that > the > load > distributed across both ethernet links would be: > > 166M through Ethernet Circuit #1. > 84M through Ethernet Circuit #2. 
> > Any ideas??? > > Thanks. > > Andy _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From td_miles at yahoo.com Mon Feb 16 04:03:33 2009 From: td_miles at yahoo.com (Tony) Date: Mon, 16 Feb 2009 01:03:33 -0800 (PST) Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654BFC@vic-cr-ex1.staff.netspace.net.au> Message-ID: <250176.21315.qm@web110109.mail.gq1.yahoo.com> Hi Andy, What happens when one link goes down depends on a few variables. In the simplest case it works as you would expect. 
Eg:

ip route 0.0.0.0 0.0.0.0 ATM0.1 5
ip route 0.0.0.0 0.0.0.0 Tunnel0 5

router#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 5, metric 0 (connected), candidate default path
  Routing Descriptor Blocks:
  * directly connected, via ATM0.1
      Route metric is 0, traffic share count is 1
    directly connected, via Tunnel0
      Route metric is 0, traffic share count is 1

router#conf t
router(config)#int tun0
router(config-if)#shut

router#sho ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 5, metric 0 (connected), candidate default path
  Routing Descriptor Blocks:
  * directly connected, via ATM0.1
      Route metric is 0, traffic share count is 1

In this case shutting down the tunnel0 interface removed the route to that interface from the list of valid routes and there is no load sharing anymore.

regards,
Tony.

--- On Mon, 16/2/09, Andy Saykao wrote:

> From: Andy Saykao
> Subject: RE: Load Balancing of Unequal Ethernet Bandwidth
> To: td_miles at yahoo.com
> Cc: cisco-nsp at puck.nether.net
> Date: Monday, 16 February, 2009, 6:39 PM
> Hi Tony,
>
> Thanks for that.
>
> Yeah I saw an example of that at:
>
> http://blog.ioshints.info/2007/02/unequal-load-split-with-static-routes.html
>
> It's a nice trick to know. Although when one link goes down, I believe
> you'll lose packets (or they may be delayed or resent) as the
> load-sharing algorithm uses round-robin to distribute the load and
> doesn't take into account whether the link has gone down or not.
>
> Cheers.
>
> Andy
>
> -----Original Message-----
> From: Tony [mailto:td_miles at yahoo.com]
> Sent: Monday, 16 February 2009 6:02 PM
> To: Andy Saykao
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
>
> Hi Andy,
>
> What do you run as IGP then so that we can help you out?
>
> If static routes, then you can do it by having multiple routes
> that are to the same destination.
>
> eg. on 2x serial links you might have:
>
> serial1 = 200Mbps (10.1.1.1/30)
> serial2 = 100Mbps (10.1.1.5/3)
>
> You would then add static routes like this:
> ip route x y serial1
> ip route x y 10.1.1.2
> ip route x y serial2
>
> This way when you do "show ip route x" you would see something like:
>
> * directly connected via serial1
>     Route metric is 0, traffic share count is 1
> * directly connected via serial2
>     Route metric is 0, traffic share count is 1
> * 10.1.1.2
>     Route metric is 0, traffic share count is 1
>
> Your router would then divide the traffic into three with one third
> going to each of the destinations configured. The fact that two of those
> destinations are the same link means that two thirds will go down your
> 200Mbps link and one third down your 100Mbps link.
>
> This is fairly basic and doesn't scale very well, but will work.
>
> regards,
> Tony.
>
> --- On Mon, 16/2/09, Andy Saykao wrote:
>
> > From: Andy Saykao
> > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
> > To: "Ben Steele"
> > Cc: cisco-nsp at puck.nether.net
> > Date: Monday, 16 February, 2009, 5:39 PM
> > Hi Ben,
> >
> > When I googled around, there were many discussions about using the
> > variance command with eigrp but we don't run eigrp internally as our
> > IGP.
> >
> > This is a typical setup where we need to upgrade some of our links, so
> > we might upgrade 50M on the second leg and end up with a situation
> > where the first leg is 100M and the second leg is 150M. As you may
> > know, some providers aren't so flexible so you can't just upgrade 25M
> > on each leg because they increment by 50M per leg only. Hence my
> > question if it was possible to load balance across unequal ethernet
> > circuits without buying additional bandwidth for both circuits.
> >
> > Thanks.
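The unequal-split arithmetic in Andy's question and Tony's three-static-routes trick, modelled as an added example (this is not code from the thread or from Cisco). Traffic share counts are derived from the bandwidth ratio, hash buckets are handed out the way a 16-entry per-destination CEF table would do it (the 16-bucket table and the allocation rule are assumptions about IOS behaviour, not something the thread states), and the case Andy raised, one link withdrawn, is checked for oversubscription of the survivor. Interface names, next-hop addresses and the `x y` destination are placeholders taken from Tony's message.

```python
from dataclasses import dataclass
from functools import reduce
from math import gcd
from typing import Optional

# Assumption: classic IOS CEF per-destination load sharing uses a 16-entry
# hash-bucket table; the allocation rule below is a model of it, not the thread's.
CEF_BUCKETS = 16


@dataclass
class Path:
    name: str                        # outgoing interface, e.g. "serial1"
    bandwidth_mbps: float
    share: int = 1                   # traffic share count as shown by "show ip route"
    next_hop: Optional[str] = None   # neighbour address on that link
    up: bool = True


def shares_from_bandwidth(bandwidths):
    """Smallest integer share counts with the same ratio as the bandwidths (200:100 -> 2:1)."""
    ints = [int(b) for b in bandwidths]
    g = reduce(gcd, ints)
    return [b // g for b in ints]


def static_routes(dest, mask, paths):
    """Tony's trick: one static route per unit of share. IOS will not take two
    identical static routes, so each extra entry must differ: interface only,
    next-hop address only, or interface plus next hop."""
    lines = []
    for p in paths:
        forms = [p.name]
        if p.next_hop:
            forms += [p.next_hop, f"{p.name} {p.next_hop}"]
        if p.share > len(forms):
            raise ValueError(f"{p.name}: cannot express share {p.share} with distinct route entries")
        lines += [f"ip route {dest} {mask} {f}" for f in forms[:p.share]]
    return lines


def allocate_buckets(paths, buckets=CEF_BUCKETS):
    """Hand out hash buckets in proportion to share counts over the paths that are up.
    Only the largest multiple of the share sum that fits in the table is used
    (2:1 in a 16-entry table -> 10 and 5, one bucket unused)."""
    active = [p for p in paths if p.up]
    if not active:
        return {}
    total_share = sum(p.share for p in active)
    per_share = buckets // total_share
    return {p.name: p.share * per_share for p in active}


def split_load(total_mbps, paths, buckets=CEF_BUCKETS):
    """Expected load per path, assuming flows hash evenly across the buckets."""
    alloc = allocate_buckets(paths, buckets)
    used = sum(alloc.values())
    if used == 0:
        raise ValueError("no usable path: all traffic is dropped")
    return {name: total_mbps * n / used for name, n in alloc.items()}


def oversubscribed(total_mbps, paths, buckets=CEF_BUCKETS):
    """Names of paths whose expected load exceeds their bandwidth. Run it once with
    each link marked down to see whether the remaining link can carry the load."""
    load = split_load(total_mbps, paths, buckets)
    cap = {p.name: p.bandwidth_mbps for p in paths}
    return sorted(n for n, mbps in load.items() if mbps > cap[n])


if __name__ == "__main__":
    links = [Path("serial1", 200, 2, "10.1.1.2"), Path("serial2", 100, 1, "10.1.1.6")]
    print(static_routes("x", "y", links))
    print(split_load(250, links))        # 2:1 split, nothing oversubscribed
    links[1].up = False
    print(oversubscribed(250, links))    # the 200M link cannot carry 250M on its own
```

The last call is the check the thread circles around: a 2:1 split of 250M fits both links, but once the 100M circuit drops out the whole 250M lands on a 200M link, so the design only works if the offered load stays within the capacity of the larger link alone.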
From avayner at cisco.com Mon Feb 16 07:58:15 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 16 Feb 2009 13:58:15 +0100
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654BFD@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654BFD@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D73AA10F@xmb-ams-331.emea.cisco.com>

One trick you could do is to use VLANs to virtualize the links...

On the 100M link run a single VLAN while on the 200M link run 2 sub interfaces, each on a different VLAN.

This would create 3 equal cost paths (well, you need to set the cost manually to be the same) and you would get automatic load sharing.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao
Sent: Monday, February 16, 2009 09:47
To: Ben Steele; td_miles at yahoo.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth

Tony - we run OSPF as our IGP.

Ben - on our WAN link we run BGP. We also have ethernet circuits between our POPS in each capital city which we run OSPF over. I'll give that link a read.

Thanks

________________________________

From: Ben Steele [mailto:illcritikz at gmail.com]
Sent: Monday, 16 February 2009 6:06 PM
To: td_miles at yahoo.com
Cc: Andy Saykao; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth

Alternatively if you are using BGP, have a look at BGP Link Bandwidth
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftbgplb.html

From avayner at cisco.com Mon Feb 16 07:59:32 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 16 Feb 2009 13:59:32 +0100
Subject: [c-nsp] Router requirement
In-Reply-To: <49985B91.6060706@whole-uk.com>
References: <49985B91.6060706@whole-uk.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D73AA110@xmb-ams-331.emea.cisco.com>

Pete,

You are looking for a CPE and not a service aggregation point, right? Can you provide a bit more info about what kind of services this CPE would be terminating?

What kind of interfaces do you need to support? (copper/fiber? FE/GE?)
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pete Barnwell
Sent: Sunday, February 15, 2009 20:15
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Router requirement

Hi,

Wonder if anybody can help me with selecting the right router for CPE?

It needs to be able to handle 100Mb/s delivered over FE, doing a bit of QoS and a few ACLs but no dynamic routing protocols.

Thanks

Pete

From avayner at cisco.com Mon Feb 16 11:24:03 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 16 Feb 2009 17:24:03 +0100
Subject: [c-nsp] Router requirement
In-Reply-To: <4999924C.6060708@whole-uk.com>
References: <49985B91.6060706@whole-uk.com> <78C984F8939D424697B15E4B1C1BB3D73AA110@xmb-ams-331.emea.cisco.com> <4999924C.6060708@whole-uk.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D73AA23C@xmb-ams-331.emea.cisco.com>

Peter,

So would something like the ME3400 be relevant:
http://www.cisco.com/en/US/products/ps6580/index.html

Note that there is a small model with only 2 ports, which is supposed to take a CPE role: ME-3400G-2CS-A

Arie

-----Original Message-----
From: Pete Barnwell [mailto:peter at whole-uk.com]
Sent: Monday, February 16, 2009 18:20
To: Arie Vayner (avayner)
Subject: Re: [c-nsp] Router requirement

Arie Vayner (avayner) wrote:
> Pete,
>
> You are looking for a CPE and not a service aggregation point, right?
> Can you provide a bit more info about what kind of services this CPE
> would be terminating?
>
> What kind of interfaces do you need to support? (copper/fiber? FE/GE?)

Hi Arie,

Yes, CPE. It's to terminate a LAN extension that is handed off as Copper FE to us by the Telco.

We need to handle a mix of data & voice - in this particular instance a fair chunk of the bandwidth is VPN, but that's terminated on an existing device. We just need to be able to priority queue the voice traffic, really.

Regards

Pete

From vegasnetman at gmail.com Mon Feb 16 11:55:31 2009
From: vegasnetman at gmail.com (Ozar)
Date: Mon, 16 Feb 2009 08:55:31 -0800
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
Message-ID: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com>

I am starting to see random BGP neighbor messages from multiple neighbors on different boxes.

%BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or corrupt AS path) 516 bytes

I don't see much documentation on this, and we are in the process of opening a TAC case, just curious if anyone else has seen these and may be able to shed some light.

Thanks

From Grzegorz at Janoszka.pl Mon Feb 16 12:14:08 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Mon, 16 Feb 2009 18:14:08 +0100
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com>
Message-ID: <49999EE0.20001@Janoszka.pl>

Ozar wrote:
> I am starting to see random BGP neighbor messages from multiple neighbors on
> different boxes.
>
> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or corrupt
> AS path) 516 bytes
>
> I don't see much documentation on this, and we are in the process of opening
> a TAC case, just curious if anyone else has seen these and may be able to
> shed some light.
No, it is not software error, it is extremly long as-path: AS path: 3356 29113 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 I -- Grzegorz Janoszka From zeusdadog at gmail.com Mon Feb 16 12:27:35 2009 From: zeusdadog at gmail.com (Jay Nakamura) Date: Mon, 16 Feb 2009 12:27:35 -0500 Subject: [c-nsp] 3/11 (invalid or corrupt AS path) In-Reply-To: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> Message-ID: 
<9418aca70902160927o6dcb7d29x313aaa1615f8e55e@mail.gmail.com> (Forgot to CC c-nsp) Someone is advertising a block with insane long prepend. We added it to our filter list and it seems most providers have filtered out that route by now. Our 28xx decided to flip out with IBGP. IOS 12.4(21). Is this a bug? Is there a bugID on this or a workaround to filter insane route? Can I filter prefix by how big it is? It's this route. #sh ip bgp 94.125.216.0 BGP routing table entry for 94.125.216.0/21, version 92436 Paths: (2 available, best #1, table Default-IP-Routing-Table) Flag: 0x820 Not advertised to any peer x.x.x.x from y.y.y.y (z.z.z.z) Origin IGP, metric 10, localpref 100, valid, external, best Community: 13697912 13697913 209 1299 29113 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 4 On Mon, Feb 16, 2009 at 11:55 AM, Ozar wrote: > I am starting to see random BGP neighbor messages from multiple neighbors > on > different boxes. > > %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or > corrupt > AS path) 516 bytes > > I dont see much documentation on this, and we are in the process of opening > a TAC case, just curious if anyone else has seen these and may be able to > shed some light. > > > Thanks > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jzp-cnsp at rsuc.gweep.net Mon Feb 16 13:07:19 2009 From: jzp-cnsp at rsuc.gweep.net (Joe Provo) Date: Mon, 16 Feb 2009 13:07:19 -0500 Subject: [c-nsp] 3/11 (invalid or corrupt AS path) In-Reply-To: <49999EE0.20001@Janoszka.pl> References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> Message-ID: <20090216180719.GA54362@gweep.net> On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote: > Ozar wrote: > >I am starting to see random BGP neighbor messages from multiple neighbors > >on > >different boxes. > > > >%BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or > >corrupt > >AS path) 516 bytes [snip] > No, it is not software error, it is extremly long as-path: The message itself, correct. The flapping sessions observed on some code, the long path is indeed triggering some bug. It is immaterial if it is the revival of an ld bug or a new one, there are folks flapping over this (and related) paths. Providers without some level of sanity filters (really need many-multiples the current diameter of the net?) 
should be shamed into limiting their customer's prepends.

-- 
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From tomas at caslavsky.cz Mon Feb 16 13:07:01 2009
From: tomas at caslavsky.cz (Tomas Caslavsky)
Date: Mon, 16 Feb 2009 19:07:01 +0100
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <9418aca70902160927o6dcb7d29x313aaa1615f8e55e@mail.gmail.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <9418aca70902160927o6dcb7d29x313aaa1615f8e55e@mail.gmail.com>
Message-ID: <4999AB45.6080006@caslavsky.cz>

Hello,

I have spoken with the AS29113 admin and they will fix (block or what) the issue with their customer AS47868.

Regards

Tomas

Jay Nakamura wrote:
> (Forgot to CC c-nsp)
>
> Someone is advertising a block with an insanely long prepend. We added it to our
> filter list and it seems most providers have filtered out that route by now.
>
> Our 28xx decided to flip out with IBGP. IOS 12.4(21). Is this a bug? Is
> there a bugID on this or a workaround to filter the insane route? Can I filter
> a prefix by how big it is?
>
> It's this route.

From rodunn at cisco.com Mon Feb 16 13:51:01 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 16 Feb 2009 13:51:01 -0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <4999AB45.6080006@caslavsky.cz>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <9418aca70902160927o6dcb7d29x313aaa1615f8e55e@mail.gmail.com> <4999AB45.6080006@caslavsky.cz>
Message-ID: <20090216185101.GA6184@rtp-cse-489.cisco.com>

I've got a few questions I'm still trying to answer in my head on this one.

a) Why did it get down the update path so far if the default maxas limit is 75?

b) Were the notifications to tear the sessions down only on really old IOS code that doesn't have the changes to just mark them invalid?

Does anyone have the 'sh ip bgp nei ' output from a router that ***SENT*** a notification on receiving the update? If so, what was the upstream code version that propagated the update to you?
Rodney

On Mon, Feb 16, 2009 at 07:07:01PM +0100, Tomas Caslavsky wrote:
> Hello,
>
> I have spoken with the AS29113 admin and they will fix (block or what)
> the issue with their customer AS47868.
>
> Regards
>
> Tomas

From tdonahue at vonsystems.com Mon Feb 16 13:25:32 2009
From: tdonahue at vonsystems.com (Tim Donahue)
Date: Mon, 16 Feb 2009 13:25:32 -0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <20090216180719.GA54362@gweep.net>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net>
Message-ID: <4999AF9C.5070800@vonsystems.com>

Joe Provo wrote:
> On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote:
>> Ozar wrote:
>>> I am starting to see random BGP neighbor messages from multiple neighbors
>>> on
>>> different boxes.
>>>
>>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or
>>> corrupt
>>> AS path) 516 bytes
> [snip]
>> No, it is not a software error, it is an extremely long as-path:
>
> The message itself, correct. The flapping sessions observed on some
> code, the long path is indeed triggering some bug. It is immaterial
> if it is the revival of an old bug or a new one, there are folks
> flapping over this (and related) paths. Providers without some level
> of sanity filters (really need many-multiples the current diameter of
> the net?) should be shamed into limiting their customer's prepends.
>
According to the NANOG thread on this, it would seem that the bug would be CSCdr54230.

Tim

From rodunn at cisco.com Mon Feb 16 14:07:38 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 16 Feb 2009 14:07:38 -0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <4999AF9C.5070800@vonsystems.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com>
Message-ID: <20090216190738.GC6184@rtp-cse-489.cisco.com>

That would have to be *real* old code.

That was fixed back in the 12.1(4) and 12.0(10)S3 days.

On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote:
> Joe Provo wrote:
> > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote:
> >> Ozar wrote:
> >>> I am starting to see random BGP neighbor messages from multiple neighbors on different boxes.
> >>>
> >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or corrupt AS path) 516 bytes
> > [snip]
> >> No, it is not software error, it is extremely long as-path:
> >
> > The message itself, correct. The flapping sessions observed on some code, the long path is indeed triggering some bug. It is immaterial if it is the revival of an old bug or a new one, there are folks flapping over this (and related) paths. Providers without some level of sanity filters (really need many-multiples the current diameter of the net?) should be shamed into limiting their customer's prepends.
> >
> According to the NANOG thread on this, it would seem that the bug would be CSCdr54230.
>
> Tim

From chris at chrisserafin.com Mon Feb 16 14:21:09 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Mon, 16 Feb 2009 13:21:09 -0600
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To:
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com>
Message-ID: <4999BCA5.9070003@chrisserafin.com>

David Hughes wrote:
>
> On 14/02/2009, at 2:52 AM, ChrisSerafin wrote:
>
>> I will have a pair of 2960's upstream that will have 2 bonded etherchannels going into each switch blade from each 2960. The etherchannels will be trunk links and then I will configure the internal virtual switchports as trunks going into the XEN Server....XEN is just like VMware/ESX...... the server tags the VLANs depending on what network they need to be on.
>>
>> Make sense at all? I've been google'ing until my eyes bleed trying to get up to speed on these devices.
>
> Yup, that makes perfect sense and is similar to our architecture (if you substitute 6500 for 2960 you'd pretty much have our standard setup). We run nodes of ESX farms on blades in this configuration. If you are planning on dense virtualisation or multi-node farms then you'll need to be running MST for your spanning tree. Running any form of per vlan STP will have you running out of STP instances before you run out of vlans you need to trunk to your ESX / Xen boxes.
>

That brings up a good point about STP. If I have 1 etherchannel going from each switch blade to each upstream switch, will the switches detect the loops or do I need to manually configure this?

Thanks for your comments!
--chris

From musmanashraf at gmail.com Mon Feb 16 14:41:34 2009
From: musmanashraf at gmail.com (M Usman Ashraf)
Date: Tue, 17 Feb 2009 00:41:34 +0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <20090216190738.GC6184@rtp-cse-489.cisco.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com>
Message-ID: <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com>

Hi List,

We have just experienced the same problem on SRC but with a different reason,

%BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/11 (invalid or corrupt AS path) 518 bytes 50020202 02009531 23012306 71B9BAFC BA

23w4d: BGP: X.X.X.X Bad attributes

Feb 16 21:26:04.918 pst: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from X.X.X.X:

Any idea of reason? Or what can be a bad message for BGP that can tear down adjacency?

Regards,

M Usman Ashraf

On Tue, Feb 17, 2009 at 12:07 AM, Rodney Dunn wrote:
> That would have to be *real* old code.
>
> That was fixed back in the 12.1(4)
>
> and 12.0(10)S3 days.
>
> On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote:
> > Joe Provo wrote:
> > > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote:
> > >> Ozar wrote:
> > >>> I am starting to see random BGP neighbor messages from multiple neighbors on different boxes.
> > >>>
> > >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or corrupt AS path) 516 bytes
> > > [snip]
> > >> No, it is not software error, it is extremely long as-path:
> > >
> > > The message itself, correct. The flapping sessions observed on some code, the long path is indeed triggering some bug. It is immaterial if it is the revival of an old bug or a new one, there are folks flapping over this (and related) paths. Providers without some level of sanity filters (really need many-multiples the current diameter of the net?) should be shamed into limiting their customer's prepends.
> > >
> > According to the NANOG thread on this, it would seem that the bug would be CSCdr54230.
> >
> > Tim
>

From rodunn at cisco.com Mon Feb 16 15:32:11 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 16 Feb 2009 15:32:11 -0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com>
Message-ID: <20090216203211.GK9203@rtp-cse-489.cisco.com>

We are working on that. I'll let you know once I have more.
Rodney

On Tue, Feb 17, 2009 at 12:41:34AM +0500, M Usman Ashraf wrote:
> Hi List,
>
> We have just experienced the same problem on SRC but with a different reason,
>
> %BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/11 (invalid or corrupt AS path) 518 bytes 50020202 02009531 23012306 71B9BAFC BA
>
> 23w4d: BGP: X.X.X.X Bad attributes
>
> Feb 16 21:26:04.918 pst: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from X.X.X.X:
>
> Any idea of reason? Or what can be a bad message for BGP that can tear down adjacency?
>
> Regards,
>
> M Usman Ashraf
>
> On Tue, Feb 17, 2009 at 12:07 AM, Rodney Dunn wrote:
> > That would have to be *real* old code.
> > That was fixed back in the 12.1(4)
> > and 12.0(10)S3 days.
> > On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote:
> > > Joe Provo wrote:
> > > > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote:
> > > >> Ozar wrote:
> > > >>> I am starting to see random BGP neighbor messages from multiple neighbors on different boxes.
> > > >>>
> > > >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or corrupt AS path) 516 bytes
> > > > [snip]
> > > >> No, it is not software error, it is extremely long as-path:
> > > >
> > > > The message itself, correct. The flapping sessions observed on some code, the long path is indeed triggering some bug.
> > > > It is immaterial if it is the revival of an old bug or a new one, there are folks flapping over this (and related) paths. Providers without some level of sanity filters (really need many-multiples the current diameter of the net?) should be shamed into limiting their customer's prepends.
> > > >
> > > According to the NANOG thread on this, it would seem that the bug would be CSCdr54230.
> > >
> > > Tim
>

From steve.mcnamara at gmail.com Mon Feb 16 15:46:03 2009
From: steve.mcnamara at gmail.com (Steve McNamara)
Date: Mon, 16 Feb 2009 20:46:03 +0000
Subject: [c-nsp] WS-SVC-IDSM-2 visio icon
In-Reply-To: <1A9866F953006D45AEE0166066114E09159929F7@TPMAIL02.corp.theplatform.com>
References: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com> <1A9866F953006D45AEE0166066114E09159929F7@TPMAIL02.corp.theplatform.com>
Message-ID: <494a4f80902161246mf50868aofb4b3c0f7da9fc@mail.gmail.com>

Apologies for the delay in replying, romantic weekends always get in the way :-)

Thanks for the replies, I recognise the FWSM icon is very similar, I was more concerned that I couldn't find it in the Cisco complete Visio zip and thought there might be another location I could get it from.

Cheers
Steve

On Thu, Feb 12, 2009 at 18:31, Gregori Parker wrote:
> If you're after a physical icon, just doctor the FWSM, there's not much difference.
>
> If you're after a logical icon, the generally accepted icon for IDS (at least in my world) is the one called "SwitchProbe" in the Cisco logical shapes list - it's the cube with a magnifying glass on it.
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Thursday, February 12, 2009 9:43 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] WS-SVC-IDSM-2 visio icon
>
> On Thu, 12 Feb 2009, Steve McNamara wrote:
>
>> I'm looking for a Visio icon for a WS-SVC-IDSM-2 icon without any luck. I've downloaded the complete Visio icon zip from http://www.cisco.com/en/US/products/prod_visio_icon_list.html, but there's no icon for this module? There are other service modules such as NAM1 & 2 in the 6500 shape stencil, but not this one. Does anyone know where it can be found or have any other suggestions?
>
> If it comes down to it, you can always make one on your own. I've had to do that in several cases.
>
> jms
>

From markom at markom.info Mon Feb 16 16:00:02 2009
From: markom at markom.info (Marko Milivojevic)
Date: Mon, 16 Feb 2009 21:00:02 +0000
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <20090216203211.GK9203@rtp-cse-489.cisco.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com>
Message-ID:

On Mon, Feb 16, 2009 at 20:32, Rodney Dunn wrote:
> We are working on that. I'll let you know once I have more.

We've got one of these on our node running SRB3. It was triggered on only one session when being announced to a customer.

From rodunn at cisco.com Mon Feb 16 16:05:37 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 16 Feb 2009 16:05:37 -0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To:
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com>
Message-ID: <20090216210537.GS9203@rtp-cse-489.cisco.com>

One of those what?

All I want is:

sh ver
sh log
sh ip bgp

on a box that SENT the BGP notification on receipt of the update.
Don't send it if the BGP session went down because the notification was received.

rodney

On Mon, Feb 16, 2009 at 09:00:02PM +0000, Marko Milivojevic wrote:
> On Mon, Feb 16, 2009 at 20:32, Rodney Dunn wrote:
> > We are working on that. I'll let you know once I have more.
>
> We've got one of these on our node running SRB3. It was triggered on only one session when being announced to a customer.

From justin at justinshore.com Mon Feb 16 16:45:29 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 16 Feb 2009 15:45:29 -0600
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <20090216210537.GS9203@rtp-cse-489.cisco.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> <20090216210537.GS9203@rtp-cse-489.cisco.com>
Message-ID: <4999DE79.8020508@justinshore.com>

I don't know if it's related or not but one of my borders and another nearly identical box much further into the network logged these within 18 seconds of each other:

Feb 16 10:23:38 10.64.0.1 968577: 968585: Feb 16 10:23:37 CST: %BGP-6-BIGCHUNK: Big chunk pool request (522) for aspath. Replenishing with malloc

Both are running 12.4(15)Tn releases.

Justin

Rodney Dunn wrote:
> One of those what?
>
> All I want is:
>
> sh ver
> sh log
> sh ip bgp
>
> on a box that SENT the BGP notification on receipt of the update.
>
> Don't send it if the BGP session went down because the notification was received.
>
> rodney
>
> On Mon, Feb 16, 2009 at 09:00:02PM +0000, Marko Milivojevic wrote:
>> On Mon, Feb 16, 2009 at 20:32, Rodney Dunn wrote:
>>> We are working on that. I'll let you know once I have more.
>> We've got one of these on our node running SRB3. It was triggered on only one session when being announced to a customer.
>

From euang+cisco-nsp at lists.eusahues.co.uk Mon Feb 16 16:58:50 2009
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Mon, 16 Feb 2009 21:58:50 +0000
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <4999DE79.8020508@justinshore.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> <20090216210537.GS9203@rtp-cse-489.cisco.com> <4999DE79.8020508@justinshore.com>
Message-ID: <20090216215850.GA9884@hyperion.eusahues.co.uk>

On Mon, Feb 16, 2009 at 03:45:29PM -0600, Justin Shore wrote:
> I don't know if it's related or not but one of my borders and another nearly identical box much further into the network logged these within 18 seconds of each other:
> Feb 16 10:23:38 10.64.0.1 968577: 968585: Feb 16 10:23:37 CST: %BGP-6-BIGCHUNK: Big chunk pool request (522) for aspath. Replenishing with malloc

Related, but that's just an informational "I've had to go and do a rather unexpectedly large request for memory, but I have, just thought I would mention it" message.

--
Euan Galloway

From ibrahim.abozaid at gmail.com Mon Feb 16 17:00:17 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 17 Feb 2009 00:00:17 +0200
Subject: [c-nsp] VRF-Lite and VRF Source-select
Message-ID:

Hi All

I was reading about the VRF Source-select feature and want to know whether it is supported with VRF-Lite or needs an MPLS-VPN backbone?
best regards
--Ibrahim

From David at hughes.com.au Mon Feb 16 16:52:44 2009
From: David at hughes.com.au (David Hughes)
Date: Tue, 17 Feb 2009 07:52:44 +1000
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <4999BCA5.9070003@chrisserafin.com>
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com> <4999BCA5.9070003@chrisserafin.com>
Message-ID: <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au>

On 17/02/2009, at 5:21 AM, ChrisSerafin wrote:
> That brings up a good point about STP. If I have 1 etherchannel going from each switch blade to each upstream switch, will the switches detect the loops or do I need to manually configure this?
> Thanks for your comments!

The blade switches operate as separate switches and can be viewed as if they were your normal 29xx or 35xx access switch depending on the CIGESM you buy (well, with a couple of caveats about their management interfaces). If the switches are connected to your network via a single etherchannel then there's no possibility of a loop - other than a mis-configured etherchannel. You don't get loops but you don't get any redundancy at the network layer. In this setup I assume you are using some form of NIC teaming and failover on the blades themselves for redundancy. That's not going to pick up a failed uplink on your primary switching path as most teaming drivers only look at link state on the NIC.

If you are following a "normal" dual attached model where each access switch (be it a top of rack switch or a blade switch module) is uplinked to 2 different switches then you get link redundancy but naturally need STP. If you are running dense virtualisation or vm server farms then the STP you should be running is MST.

Thanks
David
...
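Added example for the "3/11 (invalid or corrupt AS path)" thread above, not part of any post in it: a Python validator that applies the AS_PATH checks a receiving speaker makes before answering with NOTIFICATION 3/11, run on the data bytes quoted in the "518 bytes ..." notification line of that thread. The policy limit, the helper names and the comparison path built from the AS numbers in the dump are assumptions.

```python
"""Sanity checks a BGP speaker applies to a received AS_PATH attribute (RFC 4271).

Added example for the 3/11 thread; NOTIFICATION_DATA holds the bytes quoted in the
"518 bytes ..." log line, every other input is constructed.
"""
import struct

AS_SET, AS_SEQUENCE = 1, 2
ATTR_AS_PATH = 2
EXT_LENGTH_FLAG = 0x10      # attribute flag: length field is 2 bytes, not 1
MAX_AS_PATH_LEN = 75        # assumed local policy limit (what IOS "bgp maxas-limit" enforces)

# Data bytes of the "%BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/11 ... 518 bytes" line
# above: an AS_PATH attribute header followed by the start of its value.
NOTIFICATION_DATA = bytes.fromhex("50020202" "02009531" "23012306" "71B9BAFC" "BA")


class MalformedASPath(ValueError):
    """What a speaker answers with NOTIFICATION code 3 (UPDATE error), subcode 11."""


def parse_attr_header(data):
    """Return (flags, type_code, declared_length, value_offset) of one path attribute."""
    if len(data) < 3:
        raise MalformedASPath("attribute header truncated")
    flags, code = data[0], data[1]
    if flags & EXT_LENGTH_FLAG:
        if len(data) < 4:
            raise MalformedASPath("extended length field truncated")
        return flags, code, struct.unpack_from("!H", data, 2)[0], 4
    return flags, code, data[2], 3


def parse_as_path(value, asn_size=2):
    """Split an AS_PATH value into [(segment_type, [asn, ...])].

    Rejects what the receiving speaker rejects: an unknown segment type, a segment
    that overruns the attribute, and a zero AS count (256 ASes in one segment wrap
    the one-byte count to 0, which is how an over-prepended path looks on the wire).
    """
    segments, i = [], 0
    while i < len(value):
        if i + 2 > len(value):
            raise MalformedASPath("segment header truncated")
        seg_type, seg_count = value[i], value[i + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise MalformedASPath("unknown segment type %d" % seg_type)
        if seg_count == 0:
            raise MalformedASPath("zero-length segment: AS count byte overflowed")
        end = i + 2 + seg_count * asn_size
        if end > len(value):
            raise MalformedASPath("segment runs past the end of the attribute")
        fmt = "!%d%s" % (seg_count, "H" if asn_size == 2 else "I")
        segments.append((seg_type, list(struct.unpack_from(fmt, value, i + 2))))
        i = end
    return segments


def path_stats(segments):
    """Return (hop count, longest run of one AS repeated) for parsed segments."""
    total, longest = 0, 0
    for seg_type, asns in segments:
        if seg_type == AS_SET:          # an AS_SET counts as a single hop
            total += 1
            continue
        total += len(asns)
        run, prev = 0, None
        for asn in asns:
            run = run + 1 if asn == prev else 1
            prev, longest = asn, max(longest, run)
    return total, longest


def check_as_path_attr(data, limit=MAX_AS_PATH_LEN):
    """Classify one received AS_PATH attribute.

    'malformed' is what triggers NOTIFICATION 3/11 and tears the session down;
    'too-long' is well-formed but over the local limit, so policy should drop the
    route rather than the session; 'ok' is accepted.
    """
    flags, code, length, off = parse_attr_header(data)
    if code != ATTR_AS_PATH:
        raise ValueError("not an AS_PATH attribute (type %d)" % code)
    value = data[off:off + length]
    report = {"declared_length": length, "truncated": len(value) < length}
    try:
        segments = parse_as_path(value)
    except MalformedASPath as exc:
        report.update(verdict="malformed", reason=str(exc))
        if "zero-length" in str(exc):
            # how many 2-byte ASes the declared length would hold if the whole
            # attribute were one segment (256 makes the count byte wrap to 0x00)
            report["implied_as_count"] = (length - 2) // 2
        return report
    total, prepends = path_stats(segments)
    report.update(verdict="too-long" if total > limit else "ok",
                  as_count=total, longest_prepend_run=prepends)
    return report


def encode_as_path_attr(asns, asn_size=2):
    """Build a well-formed single-AS_SEQUENCE AS_PATH attribute (constructed test input)."""
    if not 0 < len(asns) < 256:
        raise ValueError("one AS_SEQUENCE segment holds 1..255 ASes")
    fmt = "!%d%s" % (len(asns), "H" if asn_size == 2 else "I")
    value = bytes([AS_SEQUENCE, len(asns)]) + struct.pack(fmt, *asns)
    return bytes([0x40 | EXT_LENGTH_FLAG, ATTR_AS_PATH]) + struct.pack("!H", len(value)) + value
```

`check_as_path_attr(NOTIFICATION_DATA)` reports the quoted attribute as malformed: it declares 514 value bytes, which is exactly one segment of 256 two-byte ASes, and the segment's count byte is 0x00.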
From rodunn at cisco.com Mon Feb 16 20:20:52 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 16 Feb 2009 20:20:52 -0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <4999DE79.8020508@justinshore.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> <20090216210537.GS9203@rtp-cse-489.cisco.com> <4999DE79.8020508@justinshore.com>
Message-ID: <20090217012052.GG11958@rtp-cse-489.cisco.com>

That's fine. It just means we fell back to malloc a block that could hold it.

On Mon, Feb 16, 2009 at 03:45:29PM -0600, Justin Shore wrote:
> I don't know if it's related or not but one of my borders and another nearly identical box much further into the network logged these within 18 seconds of each other:
>
> Feb 16 10:23:38 10.64.0.1 968577: 968585: Feb 16 10:23:37 CST: %BGP-6-BIGCHUNK: Big chunk pool request (522) for aspath. Replenishing with malloc
>
> Both are running 12.4(15)Tn releases.
>
> Justin
>
> Rodney Dunn wrote:
> >One of those what?
> >
> >All I want is:
> >
> >sh ver
> >sh log
> >sh ip bgp
> >
> >on a box that SENT the BGP notification on receipt of the update.
> >
> >Don't send it if the BGP session went down because the notification was received.
> >
> >rodney
> >
> >On Mon, Feb 16, 2009 at 09:00:02PM +0000, Marko Milivojevic wrote:
> >>On Mon, Feb 16, 2009 at 20:32, Rodney Dunn wrote:
> >>>We are working on that. I'll let you know once I have more.
> >>We've got one of these on our node running SRB3. It was triggered on only one session when being announced to a customer.
> >

From cayers at ena.com Mon Feb 16 21:30:36 2009
From: cayers at ena.com (Cory Ayers)
Date: Mon, 16 Feb 2009 20:30:36 -0600
Subject: [c-nsp] Router requirement
In-Reply-To: <4998F62B.6070105@gmx.de>
References: <49985B91.6060706@whole-uk.com> <4998F62B.6070105@gmx.de>
Message-ID:

We have a 2801 that holds at ~35% CPU while pushing 70Mbps+ from port to port day in/out: basic QOS, BGP for default origination only, 12.4(1c) Advanced IP Services K9. Naturally if you add NAT, NBAR, extensive QOS, etc. these numbers will change dramatically.

IMO a 2821 would definitely do the job and provide copper Gigabit capabilities, although not wire speed. However, depending on what you're trying to do, the ME3400-2CS-A might be the best choice with both optical and electrical hand-offs and scalability to Gigabit. We typically prefer a 2800 at the edge for links <100Mbps for features like NAT, and go with a switch for anything >100Mbps.

Cory

>>Pete Barnwell wrote:
>> Hi,
>>
>> Wonder if anybody can help me with selecting the right router for CPE? It needs to be able to handle 100Mb/s delivered over FE, doing a bit of QoS and a few ACLs but no dynamic routing protocols.
>
>If you can live with a worst-case scenario of 87MBit, a 2821 might be a decent choice, too. Typical throughput, even with moderate QoS/ACL should be well over 100M (maybe even with a 2811). Otherwise, a 3825 with its two 1G interfaces built in would be a real good alternative to the rather pricey 72k ...
>-garry

From kwbales at kwbales.net Mon Feb 16 23:52:26 2009
From: kwbales at kwbales.net (Kurt Bales)
Date: Tue, 17 Feb 2009 15:52:26 +1100
Subject: [c-nsp] VPDN Multihop
Message-ID:

Hi All,

There is probably an obvious answer to this, but I am failing to make it work the way I want so I'm asking the resident experts.

We are a wholesale ISP taking DSL tails as L2TP from carriers.

We have an LNS which is currently setup to switch these sessions to downstream channel partners based on a match against the domain/REALM.

For one of the realms on which we receive L2TP sessions, we would like to select a destination (either locally terminated or switched-to-channel-partner) on a per-account basis. These currently are switched to us on a per-account basis by our upstream provider doing per-account authentication and A/V pairs to forward the sessions. Their A/V pairs are setting a tunnel-id for these.

Our thought was to leverage the "multihop-hostname" command under a request-dialin configured VPDN-group.

The documentation on CCO seems to imply that it can be used to match against a VPDN tunnel-id, but we could not get that to work.

"multihop-hostname

To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command."

We tried configuring up a vpdn-group with a multihop hostname/initiate-to/local name/l2tp tunnel password, surely that would be enough to correctly match and therefore switch the session across to the downstream LNS?
Unfortunately we could not get it to work, the error coming back was complaining that it could not assign a virtual-template to the session, which would seem to imply an attempt to terminate the session locally

Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize action (1 pending sessions)
Feb 17 12:14:18: SSS PM [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed
Feb 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for registered user
Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need More Keys action
Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
Feb 17 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent
Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Destroying app session
Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Stopping service selection
Feb 17 12:14:18: L2X SSS [uid:606]: Disc sent to SSS
Feb 17 12:14:18: L2TP _____:06839:000070B5:
Feb 17 12:14:18: L2TP _____:06839:000070B5: Shutting down session
Feb 17 12:14:18: L2TP _____:06839:000070B5: Result Code
Feb 17 12:14:18: L2TP _____:06839:000070B5: Call disconnected, refer to error msg (2)
Feb 17 12:14:18: L2TP _____:06839:000070B5: Error Code
Feb 17 12:14:18: L2TP _____:06839:000070B5: Insufficient resources (4)
Feb 17 12:14:18: L2TP _____:06839:000070B5: Vendor Error
Feb 17 12:14:18: L2TP _____:06839:000070B5: None (0)
Feb 17 12:14:18: L2TP _____:06839:000070B5: Optional Message
Feb 17 12:14:18: L2TP _____:06839:000070B5: "No virtual-template specified"
Feb 17 12:14:18: L2TP _____:06839:000070B5:

vpdn enable
vpdn multihop
vpdn aaa attribute nas-port vpdn-nas
vpdn redirect
vpdn logging
vpdn logging local
vpdn logging tunnel-drop
vpdn history failure table-size 50
vpdn session-limit 2048
vpdn search-order multihop-hostname domain
vpdn domain-delimiter @ suffix
vpdn domain-delimiter / prefix
!
vpdn-group customer3
 request-dialin
  protocol l2tp
  multihop hostname
 initiate-to ip  priority 1
 local name
 l2tp tunnel password 0
!

Any thoughts/suggestions?

Regards,

Kurt Bales

From illcritikz at gmail.com Tue Feb 17 00:17:12 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Tue, 17 Feb 2009 15:47:12 +1030
Subject: [c-nsp] VPDN Multihop
In-Reply-To:
References:
Message-ID: <4422cf660902162117n208606c4n2f3858ba32dd643e@mail.gmail.com>

Try it with "vpdn authen-before-forward"

Ben

On Tue, Feb 17, 2009 at 3:22 PM, Kurt Bales wrote:
> Hi All,
>
> There is probably an obvious answer to this, but I am failing to make it work the way I want so I'm asking the resident experts.
>
> We are a wholesale ISP taking DSL tails as L2TP from carriers.
>
> We have an LNS which is currently setup to switch these sessions to downstream channel partners based on a match against the domain/REALM.
>
> For one of the realms on which we receive L2TP sessions, we would like to select a destination (either locally terminated or switched-to-channel-partner) on a per-account basis. These currently are switched to us on a per-account basis by our upstream provider doing per-account authentication and A/V pairs to forward the sessions. Their A/V pairs are setting a tunnel-id for these.
>
> Our thought was to leverage the "multihop-hostname" command under a request-dialin configured VPDN-group.
>
> The documentation on CCO seems to imply that it can be used to match against a VPDN tunnel-id, but we could not get that to work.
>
> "multihop-hostname
>
> To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command."
>
> We tried configuring up a vpdn-group with a multihop hostname/initiate-to/local name/l2tp tunnel password, surely that would be enough to correctly match and therefore switch the session across to the downstream LNS?
>
> Unfortunately we could not get it to work, the error coming back was complaining that it could not assign a virtual-template to the session, which would seem to imply an attempt to terminate the session locally
>
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize action (1 pending sessions)
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for registered user
> Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need More Keys action
> Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
> Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
> Feb 17 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Destroying app session
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Stopping service selection
> Feb 17 12:14:18: L2X SSS [uid:606]: Disc sent to SSS
> Feb 17 12:14:18: L2TP _____:06839:000070B5:
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Shutting down session
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Result Code
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Call disconnected, refer to error msg (2)
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Error Code
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Insufficient resources (4)
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Vendor Error
> Feb 17 12:14:18: L2TP _____:06839:000070B5: None (0)
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Optional Message
> Feb 17 12:14:18: L2TP _____:06839:000070B5: "No virtual-template specified"
> Feb 17 12:14:18: L2TP
> _____:06839:000070B5:
>
> vpdn enable
> vpdn multihop
> vpdn aaa attribute nas-port vpdn-nas
> vpdn redirect
> vpdn logging
> vpdn logging local
> vpdn logging tunnel-drop
> vpdn history failure table-size 50
> vpdn session-limit 2048
> vpdn search-order multihop-hostname domain
> vpdn domain-delimiter @ suffix
> vpdn domain-delimiter / prefix
> !
> vpdn-group customer3
>  request-dialin
>   protocol l2tp
>   multihop hostname
>  initiate-to ip  priority 1
>  local name
>  l2tp tunnel password 0
> !
>
> Any thoughts/suggestions?
>
> Regards,
>
> Kurt Bales
>

From skeeve at skeeve.org Tue Feb 17 05:53:03 2009
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Tue, 17 Feb 2009 21:53:03 +1100
Subject: [c-nsp] VPDN Multihop
In-Reply-To: <4422cf660902162117n208606c4n2f3858ba32dd643e@mail.gmail.com>
References: <4422cf660902162117n208606c4n2f3858ba32dd643e@mail.gmail.com>
Message-ID:

This is a global variable and will result in all services requiring auth before being forwarded... if they have any VPDN groups which auto forward, it will break them all.

...Skeeve

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Tuesday, 17 February 2009 4:17 PM
To: Kurt Bales
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VPDN Multihop

Try it with "vpdn authen-before-forward"

Ben

On Tue, Feb 17, 2009 at 3:22 PM, Kurt Bales wrote:
> Hi All,
>
> There is probably an obvious answer to this, but I am failing to make it work the way I want so I'm asking the resident experts.
>
> We are a wholesale ISP taking DSL tails as L2TP from carriers.
>
> We have an LNS which is currently setup to switch these sessions to downstream channel partners based on a match against the domain/REALM.
> > For one of the realms on which we receive L2TP sessions, we would like > to select a destination (either locally terminated or > switched-to-channel-partner) on a per-account basis. These currently > are switched to us on a per-account basis by our upstream provider > doing per-account authentication and A/V pairs to forward the > sessions. Their A/V pairs are setting a tunnel-id for these. > > > Our thought was to leverage the "multihop-hostname" command under a > request-dialin configured VPDN-group. > > The documentation on CCO seems to imply that it can be used to match > against a VPDN tunnel-id, but we could not get that to work. > > "multihop-hostname > > To enable a tunnel switch to initiate a tunnel based on the hostname > or tunnel ID associated with an ingress tunnel, use the > multihop-hostname command in VPDN request-dialin subgroup > configuration mode. To disable this option, use the no form of this > command." > > We tried configuring up a vpdn-group with a multihop > hostname/initiate-to/local name/l2tp tunnel password, surely that > would be enough to correctly match and therefore switch the session > across to the downstream LNS?
> > Unfortunately we could not get it to work, the error coming back was > complaining that it could not assign a virtual-template to the > session, which would seem to imply an attempt to terminate the session > locally > > Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize > action (1 pending sessions) Feb 17 12:14:18: SSS PM > [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed Feb > 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for > registered user Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need > More Keys from PM Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need > More Keys action Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) > IETF: 9/nas-error Ascend: 62/VPDN No Resources Feb 17 12:14:18: VPDN > uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0 Feb 17 > 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent Feb 17 12:14:18: > L2TUN APP: uid:606handle/665997Destroying app session Feb 17 12:14:18: > L2TUN APP: uid:606handle/665997Stopping service selection Feb 17 > 12:14:18: L2X SSS [uid:606]: Disc sent to SSS Feb 17 12:14:18: L2TP > _____:06839:000070B5: > Feb 17 12:14:18: L2TP _____:06839:000070B5: Shutting down session > Feb 17 12:14:18: L2TP _____:06839:000070B5: Result Code > Feb 17 12:14:18: L2TP _____:06839:000070B5: Call disconnected, > refer to error msg (2) > Feb 17 12:14:18: L2TP _____:06839:000070B5: Error Code > Feb 17 12:14:18: L2TP _____:06839:000070B5: Insufficient resources (4) > Feb 17 12:14:18: L2TP _____:06839:000070B5: Vendor Error > Feb 17 12:14:18: L2TP _____:06839:000070B5: None (0) > Feb 17 12:14:18: L2TP _____:06839:000070B5: Optional Message > Feb 17 12:14:18: L2TP _____:06839:000070B5: "No virtual-template > specified" > Feb 17 12:14:18: L2TP _____:06839:000070B5: > > > > vpdn enable > vpdn multihop > vpdn aaa attribute nas-port vpdn-nas > vpdn redirect > vpdn logging > vpdn logging local > vpdn logging tunnel-drop > vpdn history failure table-size 50 > vpdn 
session-limit 2048 > vpdn search-order multihop-hostname domain > vpdn domain-delimiter @ suffix > vpdn domain-delimiter / prefix ! > vpdn-group customer3 > request-dialin > protocol l2tp > multihop hostname > initiate-to ip priority 1 > local name > l2tp tunnel password 0 ! > > > > > Any thoughts/suggestions? > > > Regards, > > Kurt Bales From p.mayers at imperial.ac.uk Tue Feb 17 07:12:09 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Tue, 17 Feb 2009 12:12:09 +0000 Subject: [c-nsp] 6500 "Failed SCP dnld" Message-ID: <499AA999.2020504@imperial.ac.uk> All, We recently did an RPR+ upgrade of a 6509e from SXF to SXI. One of the linecards (in slot 1) didn't come back, reporting: %ONLINE-SP-6-INITFAIL: Module 1: Failed to bring up DFC %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (Module Failed SCP dnld) That card worked in a different slot. A different card also failed in slot 1. So we assumed the chassis was bad; however this morning a cold reboot of the entire chassis seems to have resolved the issue. Should we be worried? It seems to pass the GOLD diags in that slot now. From timothy.arnold at uksolutions.co.uk Tue Feb 17 08:50:41 2009 From: timothy.arnold at uksolutions.co.uk (Timothy Arnold) Date: Tue, 17 Feb 2009 13:50:41 +0000 Subject: [c-nsp] eBGP & backup static route Message-ID: Hi All, I've got a site with an ADSL connection, and an ISDN backup terminating in to a VRF. I am running an eBGP session across the ADSL link to advertise the local subnet.
#show ip route vrf XXX 10.101.0.0 Routing entry for 10.101.0.0/16 Known via "bgp 20547", distance 20, metric 0 Tag 65101, type external Last update from 172.31.255.2 00:00:03 ago Routing Descriptor Blocks: * 172.31.255.2, from 172.31.255.2, 00:00:03 ago Route metric is 0, traffic share count is 1 AS Hops 1 That works great. When the backup kicks in, radius inserts a framed route #show ip route vrf XXX 10.101.0.0 Routing entry for 10.101.0.0/16 Known via "static", distance 250, metric 0 Redistributing via bgp 20547 Advertised by bgp 20547 Routing Descriptor Blocks: * 172.31.255.10 Route metric is 0, traffic share count is 1 That works great too. The issue I have is that the static route is not replaced by the eBGP learned route when the ADSL returns, even though the distance is lower? It is only replaced when the backup link is terminated. Any ideas? Thanks Tim Timothy Arnold Senior Engineer, Network & Security Group, UKSolutions Telephone: 0845 004 1333, option 2 Email: timothy.arnold at uksolutions.co.uk Web: http://www.uksolutions.co.uk/ UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered in England Number 3036806 This email must be read in conjunction with the legal & service notices on http://www.uksolutions.co.uk/disclaimer From saku+cisco-nsp at ytti.fi Tue Feb 17 08:58:43 2009 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Tue, 17 Feb 2009 15:58:43 +0200 Subject: [c-nsp] eBGP & backup static route In-Reply-To: References: Message-ID: <20090217135843.GA26612@mx.ytti.net> On (2009-02-17 13:50 +0000), Timothy Arnold wrote: > #show ip route vrf XXX 10.101.0.0 > Routing entry for 10.101.0.0/16 > Known via "bgp 20547", distance 20, metric 0 > #show ip route vrf XXX 10.101.0.0 > Routing entry for 10.101.0.0/16 > Known via "static", distance 250, metric 0 > > The issue I have is that the static route is not replaced by the eBGP learned route when the ADSL returns, even though the distance is lower?
It is only replaced when the backup link is terminated. If those are different routers, you need to redistribute the static as an inferior BGP route, i.e. reduce local-pref to 80. -- ++ytti From oboehmer at cisco.com Tue Feb 17 09:21:23 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 17 Feb 2009 15:21:23 +0100 Subject: [c-nsp] eBGP & backup static route In-Reply-To: <20090217135843.GA26612@mx.ytti.net> References: <20090217135843.GA26612@mx.ytti.net> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> Saku Ytti <> wrote on Tuesday, February 17, 2009 14:59: > On (2009-02-17 13:50 +0000), Timothy Arnold wrote: > >> #show ip route vrf XXX 10.101.0.0 >> Routing entry for 10.101.0.0/16 >> Known via "bgp 20547", distance 20, metric 0 >> #show ip route vrf XXX 10.101.0.0 >> Routing entry for 10.101.0.0/16 >> Known via "static", distance 250, metric 0 >> >> The issue I have is that the static route is not replaced by the >> eBGP learned route when the ADSL returns, even though the distance >> is lower? It is only replaced when the backup link is terminated. > > If those are different routers, you need to redistribute the static as > inferior BGP route, i.e. reduce local-pref to 80. Don't think this will help as a locally-originated route is preferred over almost anything due to the higher weight (32768, if I recall correctly), so the eBGP path will not be installed (and would win over the static due to admin distance). You need to set the weight on the eBGP path to be the same (or higher) value or reduce it to zero (to match the eBGP path) when redistributing the static (not 100% sure if the latter works, I think it does)..
oli From deric.kwok2000 at gmail.com Tue Feb 17 09:52:12 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Tue, 17 Feb 2009 09:52:12 -0500 Subject: [c-nsp] concept question Message-ID: <40d8a95a0902170652w616e7abv266a66537a3c3be1@mail.gmail.com> Hi All I don't know about the vty concept and setting a valid time in an access list. I saw on the mailing list about vty 5 10? Why not set up vty 0 10? And there is vty 0 4 and vty 5 10? Why? And how to set a valid time in an access list? Thank you for your help From tim at pelican.org Tue Feb 17 09:54:17 2009 From: tim at pelican.org (Tim Franklin) Date: Tue, 17 Feb 2009 14:54:17 -0000 (GMT) Subject: [c-nsp] eBGP & backup static route In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> References: <20090217135843.GA26612@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> Message-ID: On Tue, February 17, 2009 2:21 pm, Oliver Boehmer (oboehmer) wrote: > don't think this will help as a locally-originated route is preferred > over almost anything due to the higher weight (32768, if I recall > correctly), so the eBGP path will not be installed (and would win over > the static due to admin distance). you need to set the weight on the > eBGP path to be the same (or higher) value or reduce it to zero (to > match the eBGP path) when redistributing the static (not 100% sure if > the latter works, I think it does).. It does indeed. 'set weight 0 / set local-pref less-than-default' is in the route-map for pretty much all our redistributing back-up routing protocols into BGP. Regards, Tim.
From timothy.arnold at uksolutions.co.uk Tue Feb 17 10:53:02 2009 From: timothy.arnold at uksolutions.co.uk (Timothy Arnold) Date: Tue, 17 Feb 2009 15:53:02 +0000 Subject: [c-nsp] eBGP & backup static route In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> References: <20090217135843.GA26612@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> Message-ID: > don't think this will help as a locally-originated route is preferred > over almost anything due to the higher weight (32768, if I recall > correctly), so the eBGP path will not be installed (and would win over > the static due to admin distance). you need to set the weight on the > eBGP path to be the same (or higher) value or reduce it to zero (to > match the eBGP path) when redistributing the static (not 100% sure if > the latter works, I think it does).. Setting the weight to 32768 has solved the problem. I'm going to try and set the weight to 0 on redistributed static routes as that would be a better approach for me! 
Thanks Tim From saku+cisco-nsp at ytti.fi Tue Feb 17 11:16:41 2009 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Tue, 17 Feb 2009 18:16:41 +0200 Subject: [c-nsp] eBGP & backup static route In-Reply-To: References: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> Message-ID: <20090217161641.GA28783@mx.ytti.net> On (2009-02-17 15:53 +0000), Timothy Arnold wrote: > > don't think this will help as a locally-originated route is preferred > > over almost anything due to the higher weight (32768, if I recall > > correctly), so the eBGP path will not be installed (and would win over > > the static due to admin distance). you need to set the weight on the > > eBGP path to be the same (or higher) value or reduce it to zero (to > > match the eBGP path) when redistributing the static (not 100% sure if > > the latter works, I think it does).. > > Setting the weight to 32768 has solved the problem. I'm going to try and set the weight to 0 on redistributed static routes as that would be a better approach for me! Is this one or more boxes? Weight does not travel. So if it is multiple boxes, the only thing you need to do is to ensure that the backup route is seen by the network as worse than the primary route when the primary route comes back. So if, after the outage is over and the primary is back on, the primary PE still uses the backup route, it is not because of weight, since the primary does not experience the weight of the backup.
The only thing setting weight 0 on the backup does is make sure that local traffic behind the backup PE also starts to flow via the primary, instead of choosing the local backup route. If it is indeed the same box (ouch, backup and primary in the same box, I hope not) then resetting the weight is needed. -- ++ytti From tim at pelican.org Tue Feb 17 11:59:48 2009 From: tim at pelican.org (Tim Franklin) Date: Tue, 17 Feb 2009 16:59:48 -0000 (GMT) Subject: [c-nsp] eBGP & backup static route In-Reply-To: <20090217161641.GA28783@mx.ytti.net> References: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> <20090217161641.GA28783@mx.ytti.net> Message-ID: <8a92ae07314b1b5460de9b5e1cf5b481.squirrel@webmail.pelican.org> On Tue, February 17, 2009 4:16 pm, Saku Ytti wrote: > The only thing setting weight 0 on the backup does is make sure that > local traffic behind the backup PE also starts to flow via the primary, > instead of choosing the local backup route. And also forces the backup PE to consider the primary route in his BGP best-path selection. If you leave the weight as 32768, the backup PE will always select the redist-from-static route as the best path, and announce it to the network, which means you still have to play with other knobs to make sure the rest of the network picks the primary route (and you're wasting resource sending the route around / forcing all the other boxes to make that decision). Weight 0 lets you contain the route on the backup PE (by decreased localpref, increased localpref on the primary, whatever other magic) and never announce it to other BGP speakers. > If it is indeed the same box (ouch, backup and primary in the same box, > I hope not) then resetting the weight is needed. Or if your PE split is on access-type rather than just role. "DSL PE" is common - if this site has DSL backup, but other sites in the VPN are DSL primary, you can get the smaller sites all using the backup connection of the larger site. Regards, Tim.
From vijay.ramcharan at verizonbusiness.com Tue Feb 17 12:08:55 2009 From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A) Date: Tue, 17 Feb 2009 17:08:55 +0000 Subject: [c-nsp] FWSM w/v4 code In-Reply-To: <4993440B.4060901@umn.edu> Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB316F1EB@ASHEVS006.mcilink.com> Be very careful with "clear configure access-list". Running it without the ACL name will remove ALL access-lists, no prompts, at least on the 3.x version that I ran it on. I know it's wishful thinking but it would be nice to be provided a confirmation prompt for something as detrimental as removing all access-lists. Vijay Ramcharan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua Sent: February 11, 2009 16:33 To: Childs, Aaron Cc: 'cisco-nsp at puck.nether.net' Subject: Re: [c-nsp] FWSM w/v4 code That command is deprecated. New syntax is: "clear configure " you can continue to use the old syntax to remove a particular ACE from an ACL, use the above to blow away the ACL completely. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Childs, Aaron wrote: > Good Afternoon, > > > > A couple of months ago I upgraded our FWSM to version 4 of the code. I > applied a new access-list today and wanted to remove an old one. To my > amazement "no access-list blah" is no longer a valid command. I have tried > to ask the oracle of Google and Cisco, but I can't find an answer. Could > someone please direct me to the proper documentation? 
> > > > Thank you, > > Aaron > > > > ------------- > Aaron Childs > Assistant Director, Networking > Westfield State College > http://www.wsc.ma.edu/it/ From bennetb at gmail.com Tue Feb 17 14:19:02 2009 From: bennetb at gmail.com (Brandon Bennett) Date: Tue, 17 Feb 2009 12:19:02 -0700 Subject: [c-nsp] concept question In-Reply-To: <40d8a95a0902170652w616e7abv266a66537a3c3be1@mail.gmail.com> References: <40d8a95a0902170652w616e7abv266a66537a3c3be1@mail.gmail.com> Message-ID: > > > Why not set up vty 0 10? > And there is vty 0 4 and vty 5 10? Why? > > It's just a relic of older IOSes that didn't support more than 5 vtys. So your config would still work on these older versions, as the first 'vty 0 4' would go through and the 'vty 5 10' stanza would error out. If it was just 'vty 0 10' then no line configs would be passed down, possibly preventing you from successfully logging in, leading to possible downtime to do a password recovery or to roll a tech. Does it matter to you? No. You can refer to it as vty 0 and be just fine when configuring your lines. Just the config will display in the Lowest Common Denominator and still split them up. Not sure why so many people get hung up on this point.
-Brandon CCIE #19406 From rodunn at cisco.com Tue Feb 17 15:15:20 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 17 Feb 2009 15:15:20 -0500 Subject: [c-nsp] 3/11 (invalid or corrupt AS path) In-Reply-To: <20090216203211.GK9203@rtp-cse-489.cisco.com> References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> Message-ID: <20090217201520.GQ17200@rtp-cse-489.cisco.com> Here is my update to NANOG... I'll post again once I have a further update. Date: Tue, 17 Feb 2009 15:11:57 -0500 From: Rodney Dunn To: Ivan Pepelnjak Subject: Re: anyone else seeing very long AS paths? Cc: nanog at nanog.org Ivan, It is confusing but from what I have tested you have it correct. The confusing part comes from multiple issues. a) The documentation about the default maxas limit being 75 appears to be incorrect. I'll get that fixed. b) Prior to CSCee30718 there was a hard limit of 255. After that fix AS sets of more than 255 should work. c) CSCeh13489 implemented the maxas command to mark it as invalid and not send. There does appear to be an issue when you cross the 255 boundary and the next hop router sends a notification back. I've got it recreated in the lab and we are working to clearly understand why that is. I'll post an update once we have more. The way to prevent it is the upstream device that crosses the 255 boundary on sending needs to use the maxas limit command to keep it less than 255. It doesn't work on the device that receives the update with the AS path larger than 255. Rodney -=- On Mon, Feb 16, 2009 at 03:32:11PM -0500, Rodney Dunn wrote: > We are working on that. I'll let you know once I have more. 
> > Rodney > > On Tue, Feb 17, 2009 at 12:41:34AM +0500, M Usman Ashraf wrote: > > Hi List, > > > > We have just experienced the same problem on SRC but with a different reason, > > > > %BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/11 (invalid or corrupt AS path) > > 518 bytes 50020202 02009531 23012306 71B9BAFC BA > > > > 23w4d: BGP: X.X.X.X Bad attributes > > > > Feb 16 21:26:04.918 pst: %BGP-4-MSGDUMP: unsupported or mal-formatted message > > received from X.X.X.X: > > > > Any idea of the reason? or what can be a bad message for BGP that can tear down > > adjacency ? > > > > Regards, > > > > M Usman Ashraf > > > > > > > > On Tue, Feb 17, 2009 at 12:07 AM, Rodney Dunn wrote: > > > > That would have to be *real* old code. > > > > That was fixed back in the 12.1(4) > > > > and 12.0(10)S3 days. > > > > On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote: > > > Joe Provo wrote: > > > > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote: > > > >> Ozar wrote: > > > >>> I am starting to see random BGP neighbor messages from multiple > > neighbors > > > >>> on > > > >>> different boxes. > > > >>> > > > >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or > > > >>> corrupt > > > >>> AS path) 516 bytes > > > > [snip] > > > >> No, it is not a software error, it is an extremely long as-path: > > > > > > > > The message itself, correct.
The flapping sessions observed on some > > > > code, the long path is indeed triggering some bug. It is immaterial > > > > if it is the revival of an old bug or a new one, there are folks > > > > flapping over this (and related) paths. Providers without some level > > > > of sanity filters (really need many-multiples the current diameter of > > > > the net?) should be shamed into limiting their customer's prepends. > > > > > > > > > > According to the NANOG thread on this, it would seem that the bug would > > > be CSCdr54230. > > > > > > Tim From justin at justinshore.com Tue Feb 17 15:41:33 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 17 Feb 2009 14:41:33 -0600 Subject: [c-nsp] Cat 2350 switches vs everything else Message-ID: <499B20FD.9040800@justinshore.com> Does anyone have any comparison docs that cover the new Cat 2350, 3560E and 4948-10GE? I mention those specifically since they all have 10G support. One nice thing I noted about the 2350 is that it has DC power support. I don't know if it has dual PSUs but at least it can run on DC. Prior to that the lowest DC switch I could get was a 4948 (old 2900s had DC options too I think but those are ancient). http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10116/data_sheet_c78-521169.html For those not wanting to follow the link, the 2350 supports the TwinGig modules in the 10G bays just like the 3560E, 3750E, 4900M and the Sup6E in the 4500s. I also see jumbo frame support on the list. All good so far.
Justin From danletkeman at gmail.com Tue Feb 17 22:35:56 2009 From: danletkeman at gmail.com (Dan Letkeman) Date: Tue, 17 Feb 2009 21:35:56 -0600 Subject: [c-nsp] ip dns server load information Message-ID: Hello, I'm interested in using a cisco router as a DNS server and I was wondering if anyone has real world experience or documentation that could inform me as to how many users/clients could one router handle if it were the primary dns server. Also, I'm wondering if there is a way to have a router act as a slave dns server? Or would there be a way to cluster them? Thanks, Dan. From brett at looney.id.au Wed Feb 18 01:49:58 2009 From: brett at looney.id.au (Brett Looney) Date: Wed, 18 Feb 2009 15:49:58 +0900 Subject: [c-nsp] ip dns server load information In-Reply-To: References: Message-ID: <000001c99195$23564220$6a02c660$@id.au> > I'm interested in using a cisco router as a DNS server and I was > wondering if anyone has real world experience or documentation that > could inform me as to how many users/clients could one router handle > if it were the primary dns server. Don't do that for any reasonable number of users. In my experience it is fine as a SOHO type DNS server (sub 20 users maybe) but under any load it fails rapidly and unpredictably. If you are using it in a small environment, make sure the upstream DNS servers are rock solid. B.
From adrian at creative.net.au Wed Feb 18 02:33:24 2009 From: adrian at creative.net.au (Adrian Chadd) Date: Wed, 18 Feb 2009 16:33:24 +0900 Subject: [c-nsp] ip dns server load information In-Reply-To: <000001c99195$23564220$6a02c660$@id.au> References: <000001c99195$23564220$6a02c660$@id.au> Message-ID: <20090218073324.GG14136@skywalker.creative.net.au> On Wed, Feb 18, 2009, Brett Looney wrote: > > I'm interested in using a cisco router as a DNS server and I was > > wondering if anyone has real world experience or documentation that > > could inform me as to how many users/clients could one router handle > > if it were the primary dns server. > > Don't do that for any reasonable number of users. In my experience it is > fine as a SOHO type DNS server (sub 20 users maybe) but under any load it > fails rapidly and unpredictably. If you are using it in a small environment, > make sure the upstream DNS servers are rock solid. Hm, does it still exhibit that weird "will only handle 1 outstanding DNS request at a time" behaviour that I swore I saw when debugging issues? Adrian From gert at greenie.muc.de Wed Feb 18 11:04:00 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 18 Feb 2009 17:04:00 +0100 Subject: [c-nsp] TestSPRPInbandPing...? Message-ID: <20090218160400.GY290@greenie.muc.de> Hi, should I be worried...?? Feb 18 16:44:38: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 Feb 18 16:45:15: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 Feb 18 16:45:51: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 Feb 18 16:46:28: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 Feb 18 16:47:43: %CONST_DIAG-SP-6-HM_TEST_RECOVERED: Module 5 TestSPRPInbandPing recovered after 9 consecutive failure(s) (this is on a 6506, Sup720-10G, SXH3a code) Besides the syslog messages, everything seems well-behaved... 
gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From chris at chrisserafin.com Wed Feb 18 11:06:50 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Wed, 18 Feb 2009 10:06:50 -0600 Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations? In-Reply-To: <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au> References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com> <4999BCA5.9070003@chrisserafin.com> <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au> Message-ID: <499C321A.6@chrisserafin.com> What MST config do you suggest and on what if not all of the switches? The docs from Cisco go into crazy configurations, and I only need basic STP functions: 2 core switches with an etherchannel link from each of them to each blade switch. David Hughes wrote: > > On 17/02/2009, at 5:21 AM, ChrisSerafin wrote: > >> That brings up a good point about STP. If I have 1 etherchannel going >> from each switch blade to each upstream switch, will the switches >> detect the loops or do I need to manually configure this? Thanks for >> your comments! > > The blade switches operate as separate switches and can be viewed as > if they were your normal 29xx or 35xx access switch depending on the > CIGESM you buy (well, with a couple of caveats about their management > interfaces). If the switches are connected to your network via a > single etherchannel then there's no possibility of a loop - other than > a mis-configured etherchannel. You don't get loops but you don't get > any redundancy at the network layer.
In this setup I assume you are > using some form of NIC teaming and failover on the blades themselves > for redundancy. That's not going to pick up a failed uplink on your > primary switching path as most teaming drivers only look at link state > on the NIC. > > If you are following a "normal" dual attached model where each access > switch (be it a top of rack switch or a blade switch module) is > uplinked to 2 different switches then you get link redundancy but > naturally need STP. If you are running dense virtualisation or vm > server farms then the STP you should be running is MST. > > > Thanks > > David > ... From jcdarby at usgs.gov Wed Feb 18 11:23:08 2009 From: jcdarby at usgs.gov (Justin C. Darby) Date: Wed, 18 Feb 2009 10:23:08 -0600 Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations? In-Reply-To: <499C321A.6@chrisserafin.com> References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com> <4999BCA5.9070003@chrisserafin.com> <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au> <499C321A.6@chrisserafin.com> Message-ID: <499C35EC.3030801@usgs.gov> Hi Chris, I strongly suggest if you want to keep a simple mode of operation you use a feature on these things that configures them independently of the Bladecenter Advanced Management Module. It's hard to find in the docs, but, what you want is "platform chassis-management protected-mode". The AMM has to support it (the switch will tell you if it does not and then you need a firmware upgrade to the AMM), but if it does, you can change the settings the AMM is configuring your switch for involuntarily (which has been an issue for us in the past).
If you configure using this, these things work just like the catalyst switches you'd expect, without mucking around with the AMM. Good luck (I've got a lot of these things, you'll need it). Justin ChrisSerafin wrote: > What MST config do you suggest and on what if not all of the switches? > > The docs from Cisco go into crazy configurations, and I only need > basic STP functions: 2 core switches with an etherchannel link from > each of them to each blade switch. > > > > > David Hughes wrote: >> >> On 17/02/2009, at 5:21 AM, ChrisSerafin wrote: >> >>> That brings up a good point about STP. If I have 1 etherchannel >>> going from each switch blade to each upstream switch, will the >>> switches detect the loops or do I need to manually configure this? >>> Thanks for your comments! >> >> The blade switches operate as separate switches and can be viewed as >> if they were your normal 29xx or 35xx access switch depending on the >> CIGESM you buy (well, with a couple of caveats about their management >> interfaces). If the switches are connected to your network via a >> single etherchannel then there's no possibility of a loop - other >> than a mis-configured etherchannel. You don't get loops but you >> don't get any redundancy at the network layer. In this setup I >> assume you are using some form of NIC teaming and failover on the >> blades themselves for redundancy. That's not going to pick up a >> failed uplink on your primary switching path as most teaming drivers >> only look at link state on the NIC. >> >> If you are following a "normal" dual attached model where each access >> switch (be it a top of rack switch or a blade switch module) is >> uplinked to 2 different switches then you get link redundancy but >> naturally need STP. If you are running dense virtualisation or vm >> server farms then the STP you should be running is MST. >> >> >> Thanks >> >> David >> ... 
>> >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/

From p.mayers at imperial.ac.uk Wed Feb 18 11:23:53 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 18 Feb 2009 16:23:53 +0000 Subject: [c-nsp] TestSPRPInbandPing...? In-Reply-To: <20090218160400.GY290@greenie.muc.de> References: <20090218160400.GY290@greenie.muc.de> Message-ID: <499C3619.8050809@imperial.ac.uk>

Gert Doering wrote: > Hi, > > should I be worried...?? > > Feb 18 16:44:38: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 > Feb 18 16:45:15: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 > Feb 18 16:45:51: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 > Feb 18 16:46:28: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 > Feb 18 16:47:43: %CONST_DIAG-SP-6-HM_TEST_RECOVERED: Module 5 TestSPRPInbandPing recovered after 9 consecutive failure(s) > > (this is on a 6506, Sup720-10G, SXH3a code) > > Besides the syslog messages, everything seems well-behaved... > > gert >

Hmm. My rule of thumb has been that a diag "fail" is not definitive, but a "pass" is. SPRPInband is one of the periodic diags (run, IIRC, every 15 seconds) so it's actually passed a lot of times since you've seen the error. Was anything else going on at the time? Maybe the SP or RP were busy and thus dropped the pings? What does "remote command switch show log | inc Feb 18 16:" show?
However, at least on SXI, 10 consecutive failures is the max permitted, and in some redundancy modes that can trigger a SUP failover!

From chris at chrisserafin.com Wed Feb 18 12:33:23 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Wed, 18 Feb 2009 11:33:23 -0600 Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations? In-Reply-To: <499C35EC.3030801@usgs.gov> References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com> <4999BCA5.9070003@chrisserafin.com> <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au> <499C321A.6@chrisserafin.com> <499C35EC.3030801@usgs.gov> Message-ID: <499C4663.9000804@chrisserafin.com>

Thanks.....running into a lot of issues with these devices....I have one 2960 upstream with etherchannel trunks to each blade switch. I see connectivity loss between a server on a blade when all 4 etherchannels are up to the other 3 blade switches. When I shut down the other 3 etherchannels to the other blade switches, the connectivity gets restored after a minute.....switching loop? Is the virtual backplane creating loops?

Here are my configs:

2960: spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! interface Port-channel1 description [ Etherchannel Between 2960 Switches ] switchport mode trunk ! interface Port-channel2 description [ Etherchannel to BL01 ] switchport mode trunk ! interface Port-channel3 description { Etherchannel to BL02 ] switchport mode trunk shutdown ! interface Port-channel4 description [ Etherchannel to BL03 ] switchport mode trunk shutdown ! interface Port-channel5 description { Etherchannel to BL04 ] switchport mode trunk shutdown ! interface GigabitEthernet0/1 description [ Etherchannel to 2960-02 ] switchport mode trunk channel-group 1 mode on ! interface GigabitEthernet0/2 description [ Etherchannel to 2960-02 ] switchport mode trunk channel-group 1 mode on !
interface GigabitEthernet0/3 description [ Etherchannel to BL01 ] switchport mode trunk channel-group 2 mode on ! interface GigabitEthernet0/4 description [ Etherchannel to BL01 ] switchport mode trunk channel-group 2 mode on ! interface GigabitEthernet0/5 description [ Etherchannel to BL02 ] switchport mode trunk shutdown channel-group 3 mode on ! interface GigabitEthernet0/6 description [ Etherchannel to BL02 ] switchport mode trunk shutdown channel-group 3 mode on ! interface GigabitEthernet0/7 description [ Etherchannel to BL03 ] switchport mode trunk shutdown channel-group 4 mode on ! interface GigabitEthernet0/8 description [ Etherchannel to BL03 ] switchport mode trunk shutdown channel-group 4 mode on ! interface GigabitEthernet0/9 description [ Etherchannel to BL04 ] switchport mode trunk shutdown channel-group 5 mode on ! interface GigabitEthernet0/10 description [ Etherchannel to BL04 ] switchport mode trunk shutdown channel-group 5 mode on ! And each blade is configured like this: spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! ! ! interface Port-channel2 description [ Etherchannel to 2960-01 ] switchport mode trunk ! interface FastEthernet0 ip address 192.168.70.21 255.255.255.0 no ip route-cache cef no ip route-cache ! interface GigabitEthernet0/15 description [ Etherchannel to 2960-01 ] switchport mode trunk channel-group 2 mode on ! interface GigabitEthernet0/16 description [ Etherchannel to 2960-01 ] switchport mode trunk channel-group 2 mode on ! interface Vlan1 ip address 10.90.91.21 255.255.255.0 ! ip default-gateway 10.90.91.1 ip classless ip route 192.168.70.0 255.255.255.0 FastEthernet0 ip http server ! ! Thanks for all your help on these guys! Justin C. Darby wrote: > Hi Chris, > > I strongly suggest if you want to keep a simple mode of operation you > use a feature on these things that configures them independently of > the Bladecenter Advanced Management Module. 
> > It's hard to find in the docs, but, what you want is "platform > chassis-management protected-mode". The AMM has to support it (the > switch will tell you if it does not and then you need a firmware > upgrade to the AMM), but if it does, you can change the settings the > AMM is configuring your switch for involuntarily (which has been an > issue for us in the past). If you configure using this, these things > work just like the catalyst switches you'd expect, without mucking > around with the AMM. > > Good luck (I've got a lot of these things, you'll need it). > > Justin > > ChrisSerafin wrote: >> What MST config do you suggest and on what if not all of the switches? >> >> The docs from Cisco go into crazy configurations, and I only need >> basic STP functions: 2 core switches with an etherchannel link from >> each of them to each blade switch. >> >> >> >> >> David Hughes wrote: >>> >>> On 17/02/2009, at 5:21 AM, ChrisSerafin wrote: >>> >>>> That brings up a good point about STP. If I have 1 etherchannel >>>> going from each switch blade to each upstream switch, will the >>>> switches detect the loops or do I need to manually configure this? >>>> Thanks for your comments! >>> >>> The blade switches operate as separate switches and can be viewed as >>> if they were your normal 29xx or 35xx access switch depending on the >>> CIGESM you buy (well, with a couple of caveats about their >>> management interfaces). If the switches are connected to your >>> network via a single etherchannel then there's no possibility of a >>> loop - other than a mis-configured etherchannel. You don't get >>> loops but you don't get any redundancy at the network layer. In >>> this setup I assume you are using some form of NIC teaming and >>> failover on the blades themselves for redundancy. That's not going >>> to pick up a failed uplink on your primary switching path as most >>> teaming drivers only look at link state on the NIC. 
>>> >>> If you are following a "normal" dual attached model where each >>> access switch (be it a top of rack switch or a blade switch module) >>> is uplinked to 2 different switches then you get link redundancy but >>> naturally need STP. If you are running dense virtualisation or vm >>> server farms then the STP you should be running is MST. >>> >>> >>> Thanks >>> >>> David >>> ... >>> >>

From cklam at ias.edu Wed Feb 18 13:37:19 2009 From: cklam at ias.edu (Christina Klam) Date: Wed, 18 Feb 2009 13:37:19 -0500 Subject: [c-nsp] %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: In-Reply-To: References: Message-ID: <9E9636B2F6649243B154AB4E53BD53000B0A90A3@hecto.itg.ias.edu>

My question is similar to Gert's. A month ago I upgraded to SXH4 (and then to SXI to see if this was a bug in just SXH4), after which I started to see a ton of dropped packets on multiple line cards.
The logs said:

%HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback
Jan 13 21:17:00 172.16.4.158 107: Jan 13 21:16:59.655 EST: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback
Jan 13 21:17:07 172.16.4.158 111: Jan 13 21:17:02.147 EST: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback
Jan 13 21:17:07 172.16.4.158 112: Jan 13 21:17:03.415 EST: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback

The only way to stop the line cards from dropping packets was to disable all diagnostic tests. From that point on however, I have had no error messages in the logs nor any dropped packets. Cisco TAC claims I have a bent pin in one of my line cards or in the (two month old) 6513 chassis itself. Has anyone else seen these errors? And if so, how did you address it? As this is a non-redundant, highly important, fully-populated, production switch, I am hoping that in reality this is software related. Thank you, Chris

From everton at lab.ipaccess.diveo.net.br Wed Feb 18 13:54:26 2009 From: everton at lab.ipaccess.diveo.net.br (Everton da Silva Marques) Date: Wed, 18 Feb 2009 15:54:26 -0300 Subject: [c-nsp] Mixing WRR with policing under PFC3BXL + CFC + WS-X6748-GE-TX Message-ID: <20090218185426.GA13148@diveo.net.br>

Hi, Can anyone please point to any reference about how WRR interacts with a policer under 7609 + PFC3BXL + CFC + WS-X6748-GE-TX? For instance, given the sample configuration below, will the policer drop packets which violate the policer's parameters (thus preventing WRR from taking effect)?

policy-map LAB_OUT
 class class-default
  police cir 1000000
!
interface GigabitEthernet1/5
 speed 1000
 wrr-queue bandwidth 1 2 7
 service-policy output LAB_OUT
end

If so, is there a way of instructing WRR to serve queues at the policer's CIR (as opposed to the physical link rate)?
Thanks, Everton From avayner at cisco.com Wed Feb 18 16:35:41 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Wed, 18 Feb 2009 22:35:41 +0100 Subject: [c-nsp] Mixing WRR with policing under PFC3BXL + CFC +WS-X6748-GE-TX In-Reply-To: <20090218185426.GA13148@diveo.net.br> References: <20090218185426.GA13148@diveo.net.br> Message-ID: <78C984F8939D424697B15E4B1C1BB3D73AAC27@xmb-ams-331.emea.cisco.com> Everton, Unfortunately, it would not work like you have described... The policing is done before the egress queuing, which means that the policer would be dropping traffic for all the classes equally, as it has no way to know which traffic belongs to which queue. This means that your priority traffic would be handled in the same way as the best effort traffic on the policer. You could have a separate class per traffic class, and use a separate policer per class. Still, this would not have an effect on the egress queuing in the sense of setting the bandwidth budget. If you need to have a proper hierarchical policy, with a shaper and some child classes, you would need to use a SIP module (or ES20 on 7600) Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton da Silva Marques Sent: Wednesday, February 18, 2009 20:54 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Mixing WRR with policing under PFC3BXL + CFC +WS-X6748-GE-TX Hi, Can anyone please point any reference about how WRR interacts with a policer under 7609 + PFC3BXL + CFC + WS-X6748-GE-TX ? For instance, given the sample configuration below, will the policer drop packets which violate the policer's parameters (thus preventing WRR from taking effect) ? policy-map LAB_OUT class class-default police cir 1000000 ! 
interface GigabitEthernet1/5 speed 1000 wrr-queue bandwidth 1 2 7 service-policy output LAB_OUT end If so, is there a way of instructing WRR to serve queues at the policer's CIR (as opposed to the physical link rate) ? Thanks, Everton

From gmartine at ajax.opentransit.net Wed Feb 18 16:17:10 2009 From: gmartine at ajax.opentransit.net (German Martinez) Date: Wed, 18 Feb 2009 16:17:10 -0500 Subject: [c-nsp] BGP-6-ASPATH error messages In-Reply-To: <5.1.0.14.2.20080330113036.00b13188@efes.iucc.ac.il> References: <5.1.0.14.2.20080330113036.00b13188@efes.iucc.ac.il> Message-ID: <20090218211710.GA15542@ajax.opentransit.net>

On Sun Mar 30, 2008, Hank Nussbacher wrote: It seems this bug is still open.. perhaps it is not that important :) http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso47162 German

> This will be fixed via: > > CSCso47162 > Externally found enhancement (Sev6) bug: New (N) > BGP-6-ASPATH message should print offending prefix(es) > > -Hank > > >Is there a reason why when Cisco provides a %BGP-6-ASPATH error message > >like: > > > >%BGP-6-ASPATH: Invalid AS path [chars] received from [int]: [chars] > >%BGP-6-ASPATH: Long AS path aa bb cc dd received from x.x.x.x: More than > >configured MAXAS-LIMIT > > > >that they can't include the actual prefix causing the error message to > >appear? As is, the error message is not that helpful without the prefix. > > > >Is this something I have to open a TAC request for?
> > > >Thanks, > >Hank > >

From rodunn at cisco.com Wed Feb 18 18:07:30 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 18 Feb 2009 18:07:30 -0500 Subject: [c-nsp] BGP-6-ASPATH error messages In-Reply-To: <20090218211710.GA15542@ajax.opentransit.net> References: <5.1.0.14.2.20080330113036.00b13188@efes.iucc.ac.il> <20090218211710.GA15542@ajax.opentransit.net> Message-ID: <20090218230730.GI3397@rtp-cse-489.cisco.com>

I'll look at it but give me a bit. I'm finalizing the writeup for the real issue.

On Wed, Feb 18, 2009 at 04:17:10PM -0500, German Martinez wrote: > On Sun Mar 30, 2008, Hank Nussbacher wrote: > > It seems this bug is still open.. perhaps it is not that important :) > > http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso47162 > > German > > > > This will be fixed via: > > > > CSCso47162 > > Externally found enhancement (Sev6) bug: New (N) > > BGP-6-ASPATH message should print offending prefix(es) > > > > -Hank > > > > >Is there a reason why when Cisco provides a %BGP-6-ASPATH error message > > >like: > > > > > >%BGP-6-ASPATH: Invalid AS path [chars] received from [int]: [chars] > > >%BGP-6-ASPATH: Long AS path aa bb cc dd received from x.x.x.x: More than > > >configured MAXAS-LIMIT > > > > > >that they can't include the actual prefix causing the error message to > > >appear? As is, the error message is not that helpful without the prefix. > > > > > >Is this something I have to open a TAC request for?
> > > > > >Thanks, > > >Hank > > > >

From nrauhauser at gmail.com Wed Feb 18 20:54:42 2009 From: nrauhauser at gmail.com (neal rauhauser) Date: Wed, 18 Feb 2009 19:54:42 -0600 Subject: [c-nsp] 7507s: which image for production? For IPv6? Message-ID: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com>

I do believe we'll be seeing new code from Cisco before too long and I'm starting to get ready for that. We've got 12.0S in the field now and I'm bringing one machine up to 12.2.46a to see how it acts. I've got 256 meg RSP4s, VIP 2-50 that are getting upgraded to VIP4-80 this week, OC3 and DS3 outside and just 100 mbit inside. The RSP4s work for me - no customers in APNIC space so we refuse those routes. The fanciest thing we do is netflow - which image train is most stable? I'm often unsupervised in the evening hours and I'm going to have a couple of leftover machines with a full complement of the older VIPs once the upgrade is complete. If I'm going to put up IPv6 as a test what's working best these days? -- mailto:Neal at layer3arts.com // GoogleTalk: nrauhauser at gmail.com IM: nealrauhauser

From atstake at gmail.com Wed Feb 18 21:34:38 2009 From: atstake at gmail.com (Chris) Date: Thu, 19 Feb 2009 13:34:38 +1100 Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP Message-ID: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com>

This switch has a temperature sensor but I can't seem to get any temperature related data out of it via snmp(walk).
snmpwalk -c foo -v1 192.168.20.20 works fine and gives me a pile of information and nothing related to temperature. I also tried snmpwalk -o enterprises.9.9.13.1.3.1.6.1 and 1.3.6.1.4.1.9.9.13.1.3.1 and enterprises.9.9.13.1.3.1.6.1 and I get no information. Does anyone know how to get temperature information out of this box? Thanks.

From ltd at cisco.com Wed Feb 18 22:10:26 2009 From: ltd at cisco.com (Lincoln Dale) Date: Thu, 19 Feb 2009 14:10:26 +1100 Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP In-Reply-To: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com> References: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com> Message-ID: <499CCDA2.7010700@cisco.com>

Chris wrote: > This switch has a temperature sensor but I can't seem to get any > temperature related data out of it via snmp(walk). snmpwalk -c foo -v1 > 192.168.20.20 works fine and gives me a pile of information and > nothing related to temperature. > > I also tried snmpwalk -o enterprises.9.9.13.1.3.1.6.1 and > 1.3.6.1.4.1.9.9.13.1.3.1 and enterprises.9.9.13.1.3.1.6.1 and I get no > information. > > Does anyone know how to get temperature information out of this box? >

if you're referring to ENVMON-MIB, then try something like: snmpwalk -v2c -cpublic ltd-n7010-1 1.3.6.1.4.1.9.9.91.1.1.1.1.4 cheers, lincoln.

From atstake at gmail.com Wed Feb 18 22:42:16 2009 From: atstake at gmail.com (Chris) Date: Thu, 19 Feb 2009 14:42:16 +1100 Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP In-Reply-To: <499CCDA2.7010700@cisco.com> References: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com> <499CCDA2.7010700@cisco.com> Message-ID: <8adc88580902181942m251817fblefd6ed53f6c82192@mail.gmail.com>

On Thu, Feb 19, 2009 at 2:10 PM, Lincoln Dale wrote: > Chris wrote: >> >> This switch has a temperature sensor but I can't seem to get any >> temperature related data out of it via snmp(walk).
snmpwalk -c foo -v1 >> 192.168.20.20 works fine and gives me a pile of information and >> nothing related to temperature. >> >> I also tried snmpwalk -o enterprises.9.9.13.1.3.1.6.1 and >> 1.3.6.1.4.1.9.9.13.1.3.1 and enterprises.9.9.13.1.3.1.6.1 and I get no >> information. >> >> Does anyone know how to get temperature information out of this box? >> > > if you're referring to ENVMON-MIB, then try something like: > snmpwalk -v2c -cpublic ltd-n7010-1 1.3.6.1.4.1.9.9.91.1.1.1.1.4

Thanks. When I try that I get an error: ltd-n7010-1: Unknown Object Identifier (Sub-id not found: (top) -> ltd-n7010-1) If I try: snmpwalk -v2c -cpublic 1.3.6.1.4.1.9.9.91.1.1.1.1.4, I get an error: SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4 = No Such Object available on this agent at this OID Thanks for any further help.

From graham at g-rock.net Wed Feb 18 23:07:47 2009 From: graham at g-rock.net (Graham Wooden) Date: Wed, 18 Feb 2009 22:07:47 -0600 Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP In-Reply-To: <8adc88580902181942m251817fblefd6ed53f6c82192@mail.gmail.com> Message-ID:

Chris, what Sup and IOS are you running? I am running Sup2s with 12.2(18)SXF15a(ADVENTERPRISEK9_WAN-M) and get results from that base OID. Mind you, I haven't identified any of these yet ...
graham at snapcase ~]$ snmpwalk -v2c -c publicread nn.nn.nn.nn 1.3.6.1.4.1.9.9.91.1.1.1.1.4 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.12 = INTEGER: 0 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.15 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.19 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.20 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.22 = INTEGER: 110 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.26 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.37 = INTEGER: 3 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.38 = INTEGER: 2 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.41 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.42 = INTEGER: 29 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.45 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.46 = INTEGER: 31 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.49 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.50 = INTEGER: 30 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.53 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.54 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.57 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.58 = INTEGER: 2 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1002 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1003 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1004 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1005 = INTEGER: 30 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1006 = INTEGER: 40 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1007 = INTEGER: 30 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1008 = INTEGER: 42 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1012 = INTEGER: 43 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1013 = INTEGER: 43 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1016 = INTEGER: 42 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1017 = INTEGER: 35 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2002 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2003 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2004 = INTEGER: 1 
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2005 = INTEGER: 29 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2006 = INTEGER: 39 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2007 = INTEGER: 30 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2008 = INTEGER: 40 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2012 = INTEGER: 41 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2013 = INTEGER: 41 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2016 = INTEGER: 40 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2017 = INTEGER: 34 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.3001 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.3002 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.3003 = INTEGER: 37 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.3004 = INTEGER: 32 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4001 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4002 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4003 = INTEGER: 37 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4004 = INTEGER: 34 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4005 = INTEGER: 37 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4006 = INTEGER: 40 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5001 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5002 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5003 = INTEGER: 40 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5004 = INTEGER: 38 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5005 = INTEGER: 35 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5006 = INTEGER: 37 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.6001 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.6002 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.6003 = INTEGER: 45 SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.6004 = INTEGER: 36 On 2/18/09 9:42 PM, "Chris" wrote: > On Thu, Feb 19, 2009 at 2:10 PM, Lincoln Dale wrote: >> Chris wrote: >>> >>> This switch has temperature sensor but I can't seem to get any >>> temperature related data out of it via snmp(walk). 
snmpwalk -c foo -v1 >>> 192.168.20.20 works fine and gives me a pile of information and >>> nothing related to temperature. >>> >>> I also tried snmpwalk -o enterprises.9.9.13.1.3.1.6.1 and >>> 1.3.6.1.4.1.9.9.13.1.3.1 and enterprises.9.9.13.1.3.1.6.1 and I get no >>> information. >>> >>> Does anyone know how to get temperature information out of this box? >>> >> >> if you're referring to ENVMON-MIB, then try something like: >> snmpwalk -v2c -cpublic ltd-n7010-1 1.3.6.1.4.1.9.9.91.1.1.1.1.4 > > Thanks. When I try that I get an error: ltd-n7010-1: Unknown Object > Identifier (Sub-id not found: (top) -> ltd-n7010-1) > > If I try: snmpwalk -v2c -cpublic 1.3.6.1.4.1.9.9.91.1.1.1.1.4, I get > an error: SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4 = No Such Object > available on this agent at this OID > > Thanks for any further help. >

From dwcarder at wisc.edu Wed Feb 18 23:58:16 2009 From: dwcarder at wisc.edu (Dale W. Carder) Date: Wed, 18 Feb 2009 22:58:16 -0600 Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP In-Reply-To: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com> References: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com> Message-ID:

On Feb 18, 2009, at 8:34 PM, Chris wrote: > > I also tried snmpwalk -o enterprises.9.9.13.1.3.1.6.1 and > 1.3.6.1.4.1.9.9.13.1.3.1 and enterprises.9.9.13.1.3.1.6.1 and I get no > information.

What version are you running? There's tons of stuff in the ENVMON mib.
> snmpwalk -v2c -c foo router.example.com envmon
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureStatusValue.1 = Gauge32: 33 degrees Celsius
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureStatusValue.2 = Gauge32: 29 degrees Celsius
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureStatusValue.3 = Gauge32: 29 degrees Celsius
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureStatusValue.4 = Gauge32: 32 degrees Celsius
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureState.1 = INTEGER: normal(1)
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureState.2 = INTEGER: normal(1)
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureState.3 = INTEGER: normal(1)

and so on... Dale

From ltd at cisco.com Thu Feb 19 00:28:19 2009 From: ltd at cisco.com (Lincoln Dale) Date: Thu, 19 Feb 2009 16:28:19 +1100 Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP In-Reply-To: <8adc88580902181942m251817fblefd6ed53f6c82192@mail.gmail.com> References: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com> <499CCDA2.7010700@cisco.com> <8adc88580902181942m251817fblefd6ed53f6c82192@mail.gmail.com> Message-ID: <499CEDF3.2010600@cisco.com>

Chris wrote: >>> I also tried snmpwalk -o enterprises.9.9.13.1.3.1.6.1 and >>> 1.3.6.1.4.1.9.9.13.1.3.1 and enterprises.9.9.13.1.3.1.6.1 and I get no >>> information. >>> >>> Does anyone know how to get temperature information out of this box? >>> >>> >> if you're referring to ENVMON-MIB, then try something like: >> snmpwalk -v2c -cpublic ltd-n7010-1 1.3.6.1.4.1.9.9.91.1.1.1.1.4 >> > > Thanks. When I try that I get an error: ltd-n7010-1: Unknown Object > Identifier (Sub-id not found: (top) -> ltd-n7010-1) >

LOL, replace "ltd-n7010-1" with the ip-address of your box. (that is, ltd-n7010-1 refers to ltd-n7010-1.cisco.com which is obviously not accessible to you). :)

> If I try: snmpwalk -v2c -cpublic 1.3.6.1.4.1.9.9.91.1.1.1.1.4, I get > an error: SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4 = No Such Object > available on this agent at this OID >

is snmpv2c enabled on your box?
what did SNMP Object Navigator (http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en) say about the "supporting images"? does the IOS you're running support it? cheers, lincoln.

From vitaliy.karlov at gmail.com Thu Feb 19 02:22:23 2009 From: vitaliy.karlov at gmail.com (Vitaliy Karlov) Date: Thu, 19 Feb 2009 08:22:23 +0100 Subject: [c-nsp] VRF-Lite and VRF Source-select In-Reply-To: References: Message-ID:

On Feb 16, 2009, at 11:00 PM, Ibrahim Abo Zaid wrote: > Hi All Hello. > I was reading about VRF Source-select feature and want to know is > this > supported with VRF-Lite or needs MPLS-VPN backbone ? There are a couple of ways to select a VRF based on source IP: VRF selection based on source address and VRF selection using Policy based routing (PBR). I tried to implement the second one on a 7600 (SRC), but it was completely unsupported in hardware and VRF selection was performed in software. Regarding your question, in my test lab there was no MPLS-VPN backbone, just plain VRF-Lite. I cannot tell you about VRF selection based on address, but I'm pretty sure you don't need an MPLS-VPN backbone for that either. -kv

From gert at greenie.muc.de Thu Feb 19 02:37:16 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 19 Feb 2009 08:37:16 +0100 Subject: [c-nsp] 7507s: which image for production? For IPv6? In-Reply-To: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com> References: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com> Message-ID: <20090219073716.GB290@greenie.muc.de>

Hi, On Wed, Feb 18, 2009 at 07:54:42PM -0600, neal rauhauser wrote: > I do believe we'll be seeing new code from Cisco before too long and I'm > starting to get ready for that. For the 7500? Unlikely. You'll see maintenance releases in 12.0S and 12.2, but seeing "new code" would seriously surprise me. > We've got 12.0S in the field now and I'm > bringing one machine up to 12.2.46a to see how it acts.
I've got 256 meg > RSP4s, VIP 2-50 that are getting upgraded to VIP4-80 this week, OC3 and DS3 > outside and just 100 mbit inside. The RSP4s work for me - no customers in > APNIC space so we refuse those routes. The fanciest thing we do is netflow - > which image train is most stable? Unless there is a feature in 12.2 that you want, or you have problems with 12.0S, I'd stick to 12.0S - it works. > I'm often unsupervised in the evening hours and I'm going to have a couple > of leftover machines with a full complement of the older VIPs once the > upgrade is complete. If I'm going to put up IPv6 as a test what's working > best these days? "Working best" and "working on 7500" are two very different things. About the only way to get IPv6 on the 7500 at all is 12.2S* based trains - we've used 12.2(18)S for a while, and 12.2(18)S13 works fine on our 7200s. We decommissioned our last 7500 about 3 years ago - due to "it's slow, it's old, it uses too much space and energy, it's too complex inside, and thus the IOS support for it is falling apart". gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From swmike at swm.pp.se Thu Feb 19 03:41:57 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 19 Feb 2009 09:41:57 +0100 (CET) Subject: [c-nsp] 7507s: which image for production? For IPv6? In-Reply-To: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com> References: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com> Message-ID:

On Wed, 18 Feb 2009, neal rauhauser wrote: > I'm often unsupervised in the evening hours and I'm going to have a > couple of leftover machines with a full complement of the older VIPs > once the upgrade is complete.
> If I'm going to put up IPv6 as a test
> what's working best these days?

I believe 12.4 mainline should work well, I've used that in lab for IPv6 on 7500 RSP1 and VIP2-50:s. It has DHCPv6-PD etc...

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From gert at greenie.muc.de Thu Feb 19 04:00:12 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 19 Feb 2009 10:00:12 +0100
Subject: [c-nsp] 7507s: which image for production? For IPv6?
References: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com>
Message-ID: <20090219090012.GC290@greenie.muc.de>

Hi,

On Thu, Feb 19, 2009 at 09:41:57AM +0100, Mikael Abrahamsson wrote:
> I believe 12.4 mainline should work well, I've used that in lab for IPv6
> on 7500 RSP1 and VIP2-50:s. It has DHCPv6-PD etc...

Oh, indeed. Dunno where I looked when writing my previous mail (or maybe it was only ftp.cisco.com playing tricks with me) - but indeed, there is 12.3 and 12.4 available for 7500 as well.

So in that case, either should do for IPv6 testing - 12.3 is likely to be a bit more robust, while 12.4 has more features...

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From ibrahim.abozaid at gmail.com Thu Feb 19 05:34:06 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 19 Feb 2009 12:34:06 +0200
Subject: [c-nsp] IOS Trains differnces

Hi All

I'd like to know the differences between IOS trains according to your experiences with them:

SXI, SXH, SXF and SXD

best regards
--Ibrahim

From p.mayers at imperial.ac.uk Thu Feb 19 05:43:27 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 19 Feb 2009 10:43:27 +0000
Subject: [c-nsp] IOS Trains differnces
Message-ID: <20090219104326.GA8521@wildfire.net.ic.ac.uk>

On Thu, Feb 19, 2009 at 10:34:06AM +0000, Ibrahim Abo Zaid wrote:
>Hi All
>
>I'd like to know the differences between IOS trains according to your
>experiences with them
>
>SXI , SXH , SXF and SXD

Age.

Seriously though, that's a big question. Can you narrow it down a bit?

If you really do want to know all the differences I suggest you google:

site:cisco.com 12.2sx release notes

...and spend an hour poring over the SX release notes, which document in great detail the new software and hardware features of each release.

But ignore SXD - there's no reason to be running it, it's years and filled with bugs.

From A.L.M.Buxey at lboro.ac.uk Thu Feb 19 06:40:10 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 19 Feb 2009 11:40:10 +0000
Subject: [c-nsp] IOS Trains differnces
Message-ID: <20090219114010.GA25861@lboro.ac.uk>

Hi,

> Hi All
>
> I'd like to know the differences between IOS trains according to your
> experiences with them
>
> SXI , SXH , SXF and SXD

ouch. such a wide ranging question!
as Phil says, look at the SX release notes for particular features and capabilities, but a basic run-through:

SXD - old and buggy
SXF - 'current' mainline though missing new features
SXH - strange development release superseded by SXI
SXI - new long-term support release with lots of new features (eg IPv6)

alan

From Marcus.Gerdon at versatel.de Thu Feb 19 07:04:52 2009
From: Marcus.Gerdon at versatel.de (Marcus.Gerdon)
Date: Thu, 19 Feb 2009 13:04:52 +0100
Subject: [c-nsp] 7507s: which image for production? For IPv6?
Message-ID: <227142482560EF458FF1F7E784E26AB836BE8C@FLBVEXCH01.versatel.local>

Hi,

using 7513/RSP16/VIP2-50...4-80, IOS 12.3(23) is running fine including BGP v4/v6, IS-IS v4/v6 & multi-topology...

But AS32 won't come, as there'll be no 'new features' releases for 7500 according to multiple Cisco guys.

Marcus

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Thursday, 19 February 2009 10:00
> To: Mikael Abrahamsson
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7507s: which image for production? For IPv6?
>
> Hi,
>
> On Thu, Feb 19, 2009 at 09:41:57AM +0100, Mikael Abrahamsson wrote:
> > I believe 12.4 mainline should work well, I've used that in lab for IPv6
> > on 7500 RSP1 and VIP2-50:s. It has DHCPv6-PD etc...
>
> Oh, indeed. Dunno where I looked when writing my previous mail (or maybe
> it was only ftp.cisco.com playing tricks with me) - but indeed, there is
> 12.3 and 12.4 available for 7500 as well.
>
> So in that case, either should do for IPv6 testing - 12.3 is likely to be
> a bit more robust, while 12.4 has more features...
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
> Gert Doering - Munich, Germany  gert at greenie.muc.de
> fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
>

From mmckillo at cisco.com Thu Feb 19 07:58:04 2009
From: mmckillo at cisco.com (Mark Mckillop (mmckillo))
Date: Thu, 19 Feb 2009 13:58:04 +0100
Subject: [c-nsp] IOS Trains differnces
In-Reply-To: <20090219104326.GA8521@wildfire.net.ic.ac.uk>
References: <20090219104326.GA8521@wildfire.net.ic.ac.uk>
Message-ID: <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com>

Hi Ibrahim,

I suggest you check out Feature Navigator: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp (CCO Login Needed)

You can do a comparison of different trains of code to see which features are overlapping and which are unique to each image. One very useful thing is the ability to compare the feature sets, Base / Services / Advanced Enterprise etc..

Mark.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: 19 February 2009 10:43
To: Ibrahim Abo Zaid
Cc: cisco at groupstudy.com; cisco_nsp
Subject: Re: [c-nsp] IOS Trains differnces

On Thu, Feb 19, 2009 at 10:34:06AM +0000, Ibrahim Abo Zaid wrote:
>Hi All
>
>I'd like to know the differences between IOS trains according to your
>experiences with them
>
>SXI , SXH , SXF and SXD

Age.

Seriously though, that's a big question. Can you narrow it down a bit?

If you really do want to know all the differences I suggest you google:

site:cisco.com 12.2sx release notes

...and spend an hour poring over the SX release notes, which document in great detail the new software and hardware features of each release.

But ignore SXD - there's no reason to be running it, it's years and filled with bugs.
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ibrahim.abozaid at gmail.com Thu Feb 19 08:48:14 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 19 Feb 2009 15:48:14 +0200
Subject: [c-nsp] IOS Trains differnces
In-Reply-To: <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com>
References: <20090219104326.GA8521@wildfire.net.ic.ac.uk> <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com>

Thanks all for your replies, but my question was about the major differences, like: does each train run over specific platforms? standard supported feature sets? recommended deployment scenarios, SP, Data center, etc..

On Thu, Feb 19, 2009 at 2:58 PM, Mark Mckillop (mmckillo) <mmckillo at cisco.com> wrote:

> Hi Ibrahim,
>
> I suggest you check out Feature Navigator:
> http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp (CCO Login Needed)
>
> You can do a comparison of different trains of code to see which
> features are overlapping and which are unique to each image. One very
> useful thing is the ability to compare the feature sets, Base / Services
> / Advanced Enterprise etc..
>
> Mark.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
> Sent: 19 February 2009 10:43
> To: Ibrahim Abo Zaid
> Cc: cisco at groupstudy.com; cisco_nsp
> Subject: Re: [c-nsp] IOS Trains differnces
>
> On Thu, Feb 19, 2009 at 10:34:06AM +0000, Ibrahim Abo Zaid wrote:
> >Hi All
> >
> >I'd like to know the differences between IOS trains according to your
> >experiences with them
> >
> >SXI , SXH , SXF and SXD
>
> Age.
>
> Seriously though, that's a big question. Can you narrow it down a bit?
>
> If you really do want to know all the differences I suggest you google:
>
> site:cisco.com 12.2sx release notes
>
> ...and spend an hour poring over the SX release notes, which document in
> great detail the new software and hardware features of each release.
>
> But ignore SXD - there's no reason to be running it, it's years and
> filled with bugs.
>

From A.L.M.Buxey at lboro.ac.uk Thu Feb 19 08:58:38 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 19 Feb 2009 13:58:38 +0000
Subject: [c-nsp] IOS Trains differnces
References: <20090219104326.GA8521@wildfire.net.ic.ac.uk> <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com>
Message-ID: <20090219135838.GB29294@lboro.ac.uk>

Hi,

> like: does each train run over specific platforms? standard supported
> feature sets?
> recommended deployment scenarios, SP, Data center, etc..

ah! well, if you are looking at different platforms and scenarios then it isn't just a case of SX either - for example, you've then got SR or SB or SC etc etc

alan

PS am I the only one to worry about the new red alert boxed message at

http://www.cisco.com/kobayashi/sw-center/sw-ios.shtml

another 'new' download area? as bad as the rejig they gave it last time?
:-(

From jared at puck.nether.net Thu Feb 19 09:14:24 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 19 Feb 2009 09:14:24 -0500
Subject: [c-nsp] IOS Trains differnces
In-Reply-To: <20090219135838.GB29294@lboro.ac.uk>
References: <20090219104326.GA8521@wildfire.net.ic.ac.uk> <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com> <20090219135838.GB29294@lboro.ac.uk>
Message-ID: <7FCD9A6E-C705-4FF7-A8AE-9780D980BC50@puck.nether.net>

On Feb 19, 2009, at 8:58 AM, A.L.M.Buxey at lboro.ac.uk wrote:

> Hi,
>
>> like: does each train run over specific platforms? standard supported
>> feature sets?
>> recommended deployment scenarios, SP, Data center, etc..
>
> ah! well, if you are looking at different platforms and
> scenarios then it isn't just a case of SX either - for example,
> you've then got SR or SB or SC etc etc
>
> alan
>
> PS am I the only one to worry about the new red alert boxed
> message at
>
> http://www.cisco.com/kobayashi/sw-center/sw-ios.shtml
>
> another 'new' download area? as bad as the rejig they gave it last
> time? :-(

"Worse"

You now have to navigate a tree that may or may not tell you anything useful.

- Jared

From p.mayers at imperial.ac.uk Thu Feb 19 09:17:21 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 19 Feb 2009 14:17:21 +0000
Subject: [c-nsp] IOS Trains differnces
References: <20090219104326.GA8521@wildfire.net.ic.ac.uk> <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com>
Message-ID: <499D69F1.8030606@imperial.ac.uk>

Ibrahim Abo Zaid wrote:
> Thanks all for your replies, but my question was about the major differences,
> like: does each train run over specific platforms? standard supported
> feature sets?
> recommended deployment scenarios, SP, Data center, etc..

No. They're all trains for the 6500. SXH and SXI are (I believe) sup720 only. SXF is sup2 and 7600 also.

There are different feature sets, but these are orthogonal to the SXF/H/I classification.

From Ruben.Montes at eu.didata.com Thu Feb 19 09:31:27 2009
From: Ruben.Montes at eu.didata.com (Ruben Montes (Europe))
Date: Thu, 19 Feb 2009 15:31:27 +0100
Subject: [c-nsp] UDLD is err-disabling EoMPLS VC
Message-ID: <67FB78EB09CB274DBEF2FE672B6404026374E5@EUBEBRUSVEX1.eu.didata.local>

Hi,

We have configured a new EoMPLS VC. After 3 or 5 pings, UDLD err-disables one of the interfaces. We are using port mode, is it recommended to run such a feature in this type of connections?

All the path has MPLS enabled and jumbo MTU enabled.

Thanks in advance,

Ruben

From knowhowccie at gmail.com Thu Feb 19 09:51:50 2009
From: knowhowccie at gmail.com (fighter worker)
Date: Thu, 19 Feb 2009 16:51:50 +0200
Subject: [c-nsp] IPV6 over PPP with radius

Dear all

I am trying to implement IPv6 over PPPoE and I need to know if there is any modification to the PPPoE protocol. As I know, PPPoE is responsible only for simulating p2p over ethernet and for providing an authentication model over ethernet, and as far as I know PPP was modified to support IPv6 encapsulation. Also I am using a radius server for authentication and don't send any IP related parameters in the radius reply, as my BRAS is using pools for assigning an IP for each PPP session. So do I need to make this radius support IPv6 also, or will the normal radius server work?

appreciate your help

Regards

From mihai.todor at datanets.ro Thu Feb 19 11:34:38 2009
From: mihai.todor at datanets.ro (Mihai Todor)
Date: Thu, 19 Feb 2009 18:34:38 +0200
Subject: [c-nsp] high cpu load not by processes
Message-ID: <006001c992af$f5648ef0$e02dacd0$@todor@datanets.ro>

Hello,

Do you have any idea on how to see what interrupts are loading a router's CPU?

We're experiencing a high cpu load (60%) on a router, yet resources are not consumed by processes. Some background info - the machine is a 7609-S router with redundant SUP720-3BXL supervisors having a PE role.

Thanks!
Mihai

From Ruben.Montes at eu.didata.com Thu Feb 19 11:42:51 2009
From: Ruben.Montes at eu.didata.com (Ruben Montes (Europe))
Date: Thu, 19 Feb 2009 17:42:51 +0100
Subject: [c-nsp] UDLD is err-disabling EoMPLS VC
References: <67FB78EB09CB274DBEF2FE672B6404026374E5@EUBEBRUSVEX1.eu.didata.local>
Message-ID: <67FB78EB09CB274DBEF2FE672B6404026375EE@EUBEBRUSVEX1.eu.didata.local>

Hi,

We're already running 12.2(18)SXF11. I have udld enabled for the whole box, do you mean that I must explicitly disable udld in the interfaces on the PE switches where I have created the VC with x-connect?

Thanks in advance,

Ruben

-----Original Message-----
From: BALLA Attila [mailto:atis at eik.bme.hu]
Sent: Thursday, 19 February 2009 17:00
To: Ruben Montes (Europe)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] UDLD is err-disabling EoMPLS VC

I had the same issue, it must be CSCsh99351, it is fixed in 12.2(18)SXF11.

You should use udld on ce uplinks only.

BR,
A.

On Thu, 19 Feb 2009, Ruben Montes (Europe) wrote:

> Hi,
>
> We have configured a new EoMPLS VC. After 3 or 5 pings, UDLD
> err-disables one of the interfaces. We are using port mode, is it
> recommended to run such a feature in this type of connections?
>
> All the path has MPLS enabled and jumbo MTU enabled.
>
> Thanks in advance,
>
> Ruben
>

From atis at eik.bme.hu Thu Feb 19 10:59:34 2009
From: atis at eik.bme.hu (BALLA Attila)
Date: Thu, 19 Feb 2009 16:59:34 +0100 (CET)
Subject: [c-nsp] UDLD is err-disabling EoMPLS VC
In-Reply-To: <67FB78EB09CB274DBEF2FE672B6404026374E5@EUBEBRUSVEX1.eu.didata.local>
References: <67FB78EB09CB274DBEF2FE672B6404026374E5@EUBEBRUSVEX1.eu.didata.local>

I had the same issue, it must be CSCsh99351, it is fixed in 12.2(18)SXF11.

You should use udld on ce uplinks only.

BR,
A.

On Thu, 19 Feb 2009, Ruben Montes (Europe) wrote:

> Hi,
>
> We have configured a new EoMPLS VC. After 3 or 5 pings, UDLD
> err-disables one of the interfaces. We are using port mode, is it
> recommended to run such a feature in this type of connections?
>
> All the path has MPLS enabled and jumbo MTU enabled.
>
> Thanks in advance,
>
> Ruben
>

From moua0100 at umn.edu Thu Feb 19 12:04:46 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 19 Feb 2009 11:04:46 -0600
Subject: [c-nsp] high cpu load not by processes
In-Reply-To: <006001c992af$f5648ef0$e02dacd0$@todor@datanets.ro>
References: <006001c992af$f5648ef0$e02dacd0$@todor@datanets.ro>
Message-ID: <499D912E.3020301@umn.edu>

sh proc cpu | ex 0.00
sh proc cpu detailed [pid] | ex 0.00

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Mihai Todor wrote:
> Hello,
>
> Do you have any idea on how to see what interrupts are loading a router's
> CPU?
>
> We're experiencing a high cpu load (60%) on a router, yet resources are not
> consumed by processes. Some background info - the machine is a 7609-S router
> with redundant SUP720-3BXL supervisors having a PE role.
>
> Thanks!
>
> Mihai
>

From jp at saucer.midcoast.com Thu Feb 19 11:47:42 2009
From: jp at saucer.midcoast.com (jp)
Date: Thu, 19 Feb 2009 11:47:42 -0500
Subject: [c-nsp] 7507s: which image for production? For IPv6?
In-Reply-To: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com>
References: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com>
Message-ID: <20090219164742.GA23202@saucer.midcoast.com>

I suspect the IOS upgrade you are planning will be a tight fit for 256MB and BGP. It will probably run out of memory and impact cef. No idea what to expect with the different VIPs and RSP.

On Wed, Feb 18, 2009 at 07:54:42PM -0600, neal rauhauser wrote:
> I do believe we'll be seeing new code from Cisco before too long and I'm
> starting to get ready for that. We've got 12.0S in the field now and I'm
> bringing one machine up to 12.2.46a to see how it acts. I've got 256 meg
> RSP4s, VIP 2-50 that are getting upgraded to VIP4-80 this week, OC3 and DS3
> outside and just 100 mbit inside. The RSP4s work for me - no customers in
> APNIC space so we refuse those routes. The fanciest thing we do is netflow -
> which image train is most stable?
>
> I'm often unsupervised in the evening hours and I'm going to have a couple
> of leftover machines with a full complement of the older VIPs once the
> upgrade is complete. If I'm going to put up IPv6 as a test what's working
> best these days?
>
>
>
> --
> mailto:Neal at layer3arts.com //
> GoogleTalk: nrauhauser at gmail.com
> IM: nealrauhauser

--
/* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
   KB1IOJ | Broadband Internet Access, Dialup, and Hosting
   http://f64.nu/ | for Midcoast Maine http://www.midcoast.com/ */

From musmanashraf at gmail.com Thu Feb 19 12:35:49 2009
From: musmanashraf at gmail.com (M Usman Ashraf)
Date: Thu, 19 Feb 2009 22:35:49 +0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <20090217201520.GQ17200@rtp-cse-489.cisco.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> <20090217201520.GQ17200@rtp-cse-489.cisco.com>
Message-ID: <9149d2410902190935j5159133an1ec3dd14c873d5d@mail.gmail.com>

Hi List,

Read this useful blog entry: http://www.renesys.com/blog/2009/02/the-flap-heard-around-the-worl.shtml

It does not present a solution, but explains the cause in detail.

--
Regards,
M Usman Ashraf

On Wed, Feb 18, 2009 at 1:15 AM, Rodney Dunn wrote:

> Here is my update to NANOG...
>
> I'll post again once I have a further update.
>
>
> Date: Tue, 17 Feb 2009 15:11:57 -0500
> From: Rodney Dunn
> To: Ivan Pepelnjak
> Subject: Re: anyone else seeing very long AS paths?
> Cc: nanog at nanog.org
>
> Ivan,
>
> It is confusing but from what I have tested you have it correct.
>
> The confusing part comes from multiple issues.
>
> a) The documentation about the default maxas limit being 75 appears to be
> incorrect. I'll get that fixed.
>
> b) Prior to CSCee30718 there was a hard limit of 255. After that fix
> AS sets of more than 255 should work.
>
> c) CSCeh13489 implemented the maxas command to mark it as invalid and
> not send.
>
>
> There does appear to be an issue when you cross the 255 boundary
> and the next hop router sends a notification back.
>
> I've got it recreated in the lab and we are working to clearly understand
> why that is. I'll post an update once we have more.
>
> The way to prevent it is the upstream device that crosses the 255 boundary
> on sending needs to use the maxas limit command to keep it less than 255.
>
> It doesn't work on the device that receives the update with the AS path
> larger than 255.
>
> Rodney
>
>
> -=-
>
>
>
> On Mon, Feb 16, 2009 at 03:32:11PM -0500, Rodney Dunn wrote:
> > We are working on that. I'll let you know once I have more.
> >
> > Rodney
> >
> > On Tue, Feb 17, 2009 at 12:41:34AM +0500, M Usman Ashraf wrote:
> > > Hi List,
> > >
> > > We have just experienced the same problem on SRC but with a different reason,
> > >
> > > %BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/11 (invalid or corrupt AS path)
> > > 518 bytes 50020202 02009531 23012306 71B9BAFC BA
> > >
> > > 23w4d: BGP: X.X.X.X Bad attributes
> > >
> > > Feb 16 21:26:04.918 pst: %BGP-4-MSGDUMP: unsupported or mal-formatted message
> > > received from X.X.X.X:
> > > FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 022C 0200 0002 1140 0101 0050 0202 0202
> > > 0095 3123 0123 0671 B9BA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA--
> > >
> > > Any idea of the reason? or what can be a bad message for BGP that can tear down
> > > adjacency ?
> > >
> > > Regards,
> > >
> > > M Usman Ashraf
> > >
> > >
> > >
> > > On Tue, Feb 17, 2009 at 12:07 AM, Rodney Dunn wrote:
> > >
> > > That would have to be *real* old code.
> > >
> > > That was fixed back in the 12.1(4)
> > >
> > > and 12.0(10)S3 days.
> > >
> > > On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote:
> > > > Joe Provo wrote:
> > > > > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote:
> > > > >> Ozar wrote:
> > > > >>> I am starting to see random BGP neighbor messages from multiple neighbors
> > > > >>> on different boxes.
> > > > >>>
> > > > >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or
> > > > >>> corrupt AS path) 516 bytes
> > > > > [snip]
> > > > >> No, it is not software error, it is extremely long as-path:
> > > > >
> > > > > The message itself, correct. The flapping sessions observed on some
> > > > > code, the long path is indeed triggering some bug. It is immaterial
> > > > > if it is the revival of an old bug or a new one, there are folks
> > > > > flapping over this (and related) paths. Providers without some level
> > > > > of sanity filters (really need many-multiples the current diameter of
> > > > > the net?) should be shamed into limiting their customer's prepends.
> > > > >
> > > >
> > > > According to the NANOG thread on this, it would seem that the bug would
> > > > be CSCdr54230.
> > > >
> > > > Tim
>

From amsoares at netcabo.pt Thu Feb 19 12:37:59 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Thu, 19 Feb 2009 17:37:59 -0000
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <49980203.70803@imperial.ac.uk>
References: <49980203.70803@imperial.ac.uk>
Message-ID: <541E156EBB05458492867DB5D8E6A72C@int.convex.pt>

This is what I got with 12.2(18)SXF15a and "ip tcp path-mtu-discovery" enabled:

6500#sh ip bgp neighbors 1.1.1.1 | inc (path-mtu|max data)
Datagrams (max data segment is 536 bytes):
6500#
6500#
6500#sh ip bgp neighbors 10.10.10.1 | inc (path-mtu|max data)
Datagrams (max data segment is 1460 bytes):
6500#

MSS=1460 for directly connected peerings and MSS=536 for non-directly connected peerings. Got the same behavior for iBGP and eBGP.

So basically it didn't work as I was expecting. It seems SXI puts some order here.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Sunday, 15 February 2009 11:53
To: Antonio M. Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP MSS=576 bytes

Antonio M. Soares wrote:
> Hello group,
>
> I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of
> the BGP sessions have negotiated a MSS of 536 bytes. Here's an

I think you need a newer IOS. Certainly under SXI I see:

ac-core#sh ip bgp neighbors | inc path-mtu|max data seg
Transport(tcp) path-mtu-discovery is enabled
Datagrams (max data segment is 536 bytes):
Transport(tcp) path-mtu-discovery is enabled
Datagrams (max data segment is 1460 bytes):
Transport(tcp) path-mtu-discovery is enabled
Datagrams (max data segment is 9060 bytes):
Transport(tcp) path-mtu-discovery is enabled
Datagrams (max data segment is 536 bytes):

...depending on whether the neighbor is similarly equipped to be jumbo-framed and PMTU.

From p.mayers at imperial.ac.uk Thu Feb 19 12:57:49 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 19 Feb 2009 17:57:49 +0000
Subject: [c-nsp] high cpu load not by processes
In-Reply-To: <006001c992af$f5648ef0$e02dacd0$@todor@datanets.ro>
References: <006001c992af$f5648ef0$e02dacd0$@todor@datanets.ro>
Message-ID: <499D9D9D.2030605@imperial.ac.uk>

Mihai Todor wrote:
> Hello,
>
> Do you have any idea on how to see what interrupts are loading a router's
> CPU?

It is (tediously) difficult to break down interrupt CPU use.

The best approach is to SPAN the RP or SP CPU ports:

http://cisco.cluepon.net/index.php/6500_SPAN_the_RP

...and see if you're getting a lot of packets.

You can try doing:

sh ip traffic

...and comparing snapshots a few seconds apart to see if you're getting e.g. a lot of packets causing time-exceeded or ICMP unreachables.
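Returning to the 3/11 (invalid or corrupt AS path) thread above: Rodney's notes turn on the fact that each AS_PATH segment carries its AS count in a single octet, so a sequence of more than 255 ASes must be split into several segments, and a receiver that counts the whole path can refuse to propagate anything over a configured limit (the sending-side role of the maxas-limit command he describes). The script below is an added example, not code from the list or from Cisco: it encodes and parses 2-octet-ASN AS_PATH segments per RFC 4271, applies a maxas-style count (this example's own definition: total ASes across all segments), and, as a worked check, decodes the first bytes of the attribute quoted in Usman's MSGDUMP. Read that way, flags 0x50 / type 2 / extended length 0x0202 (514 = 2 + 256 × 2) are followed by an AS_SEQUENCE whose count octet is 0x00, which is what a 256-entry count looks like once truncated to one byte; the parser then hits 0x95 where it expects a segment type and rejects the attribute, the same malformed-AS_PATH condition code 3 subcode 11 signals. The limit of 100 and the 300-AS path are constructed values for the demo.

```python
"""Encode, parse and length-check BGP AS_PATH attributes (2-octet ASNs).

Added example for the c-nsp 3/11 thread; not code from the list or from
Cisco.  MAXAS_LIMIT and the sample paths are constructed for the demo.
"""
import struct

AS_SET, AS_SEQUENCE = 1, 2
ATTR_AS_PATH = 2
# RFC 4271 NOTIFICATION error code / subcode seen in the thread's logs
UPDATE_MSG_ERROR, MALFORMED_AS_PATH = 3, 11
MAXAS_LIMIT = 100          # constructed limit for the demo, not an IOS default

# First bytes of the attribute from the thread's %BGP-4-MSGDUMP / NOTIFICATION
# summary ("50020202 02009531 23012306 71B9BAFC BA"); the rest is truncated.
THREAD_ATTR_PREFIX = bytes.fromhex("50020202" "0200" "9531" "2301" "2306" "71b9" "bafc")


def encode_as_path(asns, seg_type=AS_SEQUENCE):
    """Build AS_PATH segments; the one-octet count forces a split every 255 ASes."""
    out = bytearray()
    for i in range(0, len(asns), 255):
        chunk = asns[i:i + 255]
        out += struct.pack("!BB", seg_type, len(chunk))
        out += struct.pack(f"!{len(chunk)}H", *chunk)
    return bytes(out)


def parse_as_path(value):
    """Return [(segment_type, [asn, ...]), ...]; ValueError on malformed input."""
    segments, pos = [], 0
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        if len(value) - pos < 2 * count:
            raise ValueError("segment runs past end of attribute")
        asns = list(struct.unpack_from(f"!{count}H", value, pos))
        pos += 2 * count
        segments.append((seg_type, asns))
    return segments


def parse_attribute(raw):
    """Split one path attribute into (flags, type, length, value) per RFC 4271."""
    flags, atype = raw[0], raw[1]
    if flags & 0x10:                      # extended-length bit: 2-octet length
        length = struct.unpack_from("!H", raw, 2)[0]
        value = raw[4:4 + length]
    else:
        length = raw[2]
        value = raw[3:3 + length]
    return flags, atype, length, value


def as_count(segments):
    """This example's path length: every AS number in every segment counts."""
    return sum(len(asns) for _, asns in segments)


def check_as_path(value, maxas=MAXAS_LIMIT):
    """(ok, reason): False for a malformed path or one longer than maxas."""
    try:
        segments = parse_as_path(value)
    except ValueError as exc:
        return False, (f"malformed AS_PATH ({exc}); a peer would answer with "
                       f"NOTIFICATION {UPDATE_MSG_ERROR}/{MALFORMED_AS_PATH}")
    n = as_count(segments)
    if n > maxas:
        return False, f"AS path has {n} ASes, over maxas {maxas}"
    return True, f"{n} ASes in {len(segments)} segment(s)"


if __name__ == "__main__":
    print(check_as_path(encode_as_path([65001, 65002, 65003])))
    long_path = encode_as_path(list(range(1, 301)))       # 300 ASes -> 2 segments
    print(len(parse_as_path(long_path)), "segments;", check_as_path(long_path))
    flags, atype, length, value = parse_attribute(THREAD_ATTR_PREFIX)
    print(f"thread attr: flags=0x{flags:02x} type={atype} length={length}")
    print(check_as_path(value))
```

The split at 255 is the thing to notice: a correct sender emits two segments for 300 ASes, and a parser that only reads the first count byte would silently see 255. Any operational filter built on this idea should count across all segments, as `as_count` does.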
From peter at rathlev.dk Thu Feb 19 13:11:23 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 19 Feb 2009 19:11:23 +0100
Subject: [c-nsp] UDLD is err-disabling EoMPLS VC
In-Reply-To: <67FB78EB09CB274DBEF2FE672B6404026374E5@EUBEBRUSVEX1.eu.didata.local>
References: <67FB78EB09CB274DBEF2FE672B6404026374E5@EUBEBRUSVEX1.eu.didata.local>
Message-ID: <1235067083.3609.2.camel@localhost.localdomain>

On Thu, 2009-02-19 at 15:31 +0100, Ruben Montes (Europe) wrote:
> We have configured a new EoMPLS VC. After 3 or 5 pings, UDLD
> err-disables one of the interfaces. We are using port mode, is it
> recommended to run such a feature in this type of connections?

We run UDLD through several port mode EoMPLS links with no problems, though all switches are at least SXF13.

Does other traffic flow fine? Is it just UDLD disabling the link?

Regards,
Peter

From oboehmer at cisco.com Thu Feb 19 14:31:37 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 19 Feb 2009 20:31:37 +0100
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <541E156EBB05458492867DB5D8E6A72C@int.convex.pt>
References: <49980203.70803@imperial.ac.uk> <541E156EBB05458492867DB5D8E6A72C@int.convex.pt>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406EA33A6@xmb-ams-333.emea.cisco.com>

Antonio Soares <> wrote on Thursday, February 19, 2009 18:38:

> This is what I got with 12.2(18)SXF15a and "ip tcp
> path-mtu-discovery" enabled:
>
> 6500#sh ip bgp neighbors 1.1.1.1 | inc (path-mtu|max data)
> Datagrams (max data segment is 536 bytes):
> 6500#
> 6500#
> 6500#sh ip bgp neighbors 10.10.10.1 | inc (path-mtu|max data)
> Datagrams (max data segment is 1460 bytes):
> 6500#
>
> MSS=1460 for directly connected peerings and MSS=536 for non-directly
> connected peerings. Got the same behavior for iBGP and eBGP.

did you enable it on both ends and did you reset the session?

> So basically it didn't work as I was expecting. It seems SXI puts
> some order here.

As far as I know, SXI allows you to enable/disable PMTUD per BGP neighbor, and defaults to PMTUD being enabled..

oli

>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
> Sent: Sunday, 15 February 2009 11:53
> To: Antonio M. Soares
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP MSS=576 bytes
>
> Antonio M. Soares wrote:
>> Hello group,
>>
>> I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of
>> the BGP sessions have negotiated a MSS of 536 bytes. Here's an
>
> I think you need a newer IOS. Certainly under SXI I see:
>
> ac-core#sh ip bgp neighbors | inc path-mtu|max data seg
> Transport(tcp) path-mtu-discovery is enabled
> Datagrams (max data segment is 536 bytes):
> Transport(tcp) path-mtu-discovery is enabled
> Datagrams (max data segment is 1460 bytes):
> Transport(tcp) path-mtu-discovery is enabled
> Datagrams (max data segment is 9060 bytes):
> Transport(tcp) path-mtu-discovery is enabled
> Datagrams (max data segment is 536 bytes):
>
> ...depending on whether the neighbor is similarly equipped to be
> jumbo-framed and PMTU.
>

From todd at newfrontierssolutions.com Thu Feb 19 14:59:52 2009
From: todd at newfrontierssolutions.com (Todd Shipway)
Date: Thu, 19 Feb 2009 14:59:52 -0500
Subject: [c-nsp] Unexplainable Output drops on serial interfaces
Message-ID: <1235073592.8676.45.camel@booger>

Hi,

We have multiple T1 interfaces across different cards and different types of cards in a 7513.
Many interfaces are showing output drops and I can't pinpoint why. The interfaces are spread throughout the system and I can't pinpoint a single point that could be causing the drops. Below are 2 interfaces showing the drops.

The bandwidth is very low when the drops are occurring, these 2 interfaces are part of a multilink interface which shows no drops. Any ideas as to what I should look for that could be causing this?

Serial9/0/0:12 is up, line protocol is up
  Hardware is cyBus T3
  Description: Bonded T1
  MTU 1500 bytes, BW 1540 Kbit, DLY 20000 usec,
     reliability 255/255, txload 11/255, rxload 5/255
  Encapsulation PPP, LCP Open, multilink Open
  Link is a member of Multilink bundle Multilink66, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 6d03h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4050
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  5 minute input rate 33000 bits/sec, 19 packets/sec
  5 minute output rate 68000 bits/sec, 18 packets/sec
     3121597 packets input, 667733893 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     2929740 packets output, 1363133541 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions no alarm present
  Timeslot(s) Used: 1-24, Transmitter delay is 0 flags
  non-inverted data

Serial9/0/0:11 is up, line protocol is up
  Hardware is cyBus T3
  Description: Bonded T1
  MTU 1500 bytes, BW 1540 Kbit, DLY 20000 usec,
     reliability 255/255, txload 10/255, rxload 5/255
  Encapsulation PPP, LCP Open, multilink Open
  Link is a member of Multilink bundle Multilink66, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 6d03h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4085
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  5 minute input rate 31000 bits/sec, 19 packets/sec
  5 minute output rate 65000 bits/sec, 17 packets/sec
     3122847 packets input, 668516220 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     2930011 packets output, 1364226428 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions no alarm present
  Timeslot(s) Used: 1-24, Transmitter delay is 0 flags
  non-inverted data

Multilink interface for the T1's above:

Multilink66 is up, line protocol is up
  Hardware is multilink group interface
  Description: Bonded T1
  Internet address is 10.10.56.1/30
  MTU 1500 bytes, BW 3080 Kbit, DLY 100000 usec,
     reliability 255/255, txload 11/255, rxload 4/255
  Encapsulation PPP, LCP Open, multilink Open
  Open: IPCP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 2 seconds on reset
  Last input 00:00:30, output never, output hang never
  Last clearing of "show interface" counters 1w0d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: Class-based queueing
  Output queue: 0/40 (size/max)
  5 minute input rate 58000 bits/sec, 47 packets/sec
  5 minute output rate 139000 bits/sec, 49 packets/sec
     7075294 packets input, 1705142684 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     7483773 packets output, 3524642362 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

Any help would be appreciated. As I said earlier, this scenario is happening on multiple interfaces throughout the system. A Channelized DS3 card has been swapped out as a test as well as the output queue raised from 40 to 100 with no change in drops.
-Todd

From david.freedman at uk.clara.net Thu Feb 19 15:05:09 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 19 Feb 2009 20:05:09 +0000
Subject: [c-nsp] Unexplainable Output drops on serial interfaces
In-Reply-To: <1235073592.8676.45.camel@booger>
References: <1235073592.8676.45.camel@booger>
Message-ID: <499DBB75.6010806@uk.clara.net>

Todd, do you have any kind of shaping / QoS on these circuits?

Drops by traffic management configurations are frequently shown as interface drops.

Dave.

Todd Shipway wrote:
> Hi,
>
> We have multiple T1 interfaces across different cards and different type
> of cards in a 7513. Many interfaces are showing output drops and I
> can't pinpoint why. The interfaces are spread throughout the system and
> I can't pinpoint a single point that could be causing the drops. Below
> are 2 interfaces showing the drops.
>
> The bandwidth is very low when the drops are occurring, these 2
> interfaces are part of a multilink interface which shows no drops. Any
> ideas as to what I should look for that could be causing this?
> > -Todd
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Thu Feb 19 15:06:36 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 19 Feb 2009 15:06:36 -0500
Subject: [c-nsp] Invalid Formatted BGP update with AS prepending update
In-Reply-To: <20090217201520.GQ17200@rtp-cse-489.cisco.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> <20090217201520.GQ17200@rtp-cse-489.cisco.com>
Message-ID: <20090219200636.GT10344@rtp-cse-489.cisco.com>

Here is the bug that the fix will be provided under:

CSCsx73770 Invalid BGP formatted update causes peer reset with AS prepending

*Note: The title may show up as "BGP peer resets when receiving update with > 255 AS hops" since I just changed it to be more accurate.

I just updated the Release-note:

A Cisco IOS device that receives a BGP update message and, as a result of AS prepending, needs to send an update downstream that would have over 255 AS hops will send an invalidly formatted update. This update, when received by a downstream BGP speaker, triggers a NOTIFICATION back to the sender, which results in the BGP session being reset.

Conditions: This problem is seen when a Cisco IOS device receives a BGP update and, due to a combination of either inbound, outbound, or both AS prepending, it needs to send an update downstream that has more than 255 AS hops.
Workaround: The workaround is to implement bgp maxas-limit X on the device that after prepending would need to send an update with over 255 AS hops. Since IOS limits the inbound prepending value to 10, the most that could be added is 11 AS hops (10 on ingress, 10 on egress, and 1 for normal eBGP AS hop addition). Therefore, a conservative value to configure would be 200 to prevent this condition.

On Tue, Feb 17, 2009 at 03:15:20PM -0500, Rodney Dunn wrote:
> Here is my update to NANOG...
>
> I'll post again once I have a further update.
>
> Date: Tue, 17 Feb 2009 15:11:57 -0500
> From: Rodney Dunn
> To: Ivan Pepelnjak
> Subject: Re: anyone else seeing very long AS paths?
> Cc: nanog at nanog.org
>
> Ivan,
>
> It is confusing but from what I have tested you have it correct.
>
> The confusing part comes from multiple issues.
>
> a) The documentation about the default maxas limit being 75 appears to be
> incorrect. I'll get that fixed.
>
> b) Prior to CSCee30718 there was a hard limit of 255. After that fix
> AS sets of more than 255 should work.
>
> c) CSCeh13489 implemented the maxas command to mark it as invalid and
> not send.
>
> There does appear to be an issue when you cross the 255 boundary
> and the next hop router sends a notification back.
>
> I've got it recreated in the lab and we are working to clearly understand
> why that is. I'll post an update once we have more.
>
> The way to prevent it is the upstream device that crosses the 255 boundary
> on sending needs to use the maxas limit command to keep it less than 255.
>
> It doesn't work on the device that receives the update with the AS path
> larger than 255.
>
> Rodney
>
> -=-
>
> On Mon, Feb 16, 2009 at 03:32:11PM -0500, Rodney Dunn wrote:
> > We are working on that. I'll let you know once I have more.
> > Rodney
> >
> > On Tue, Feb 17, 2009 at 12:41:34AM +0500, M Usman Ashraf wrote:
> > > Hi List,
> > >
> > > We have just experienced the same problem on SRC but with a different reason,
> > >
> > > %BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/11 (invalid or corrupt AS path)
> > > 518 bytes 50020202 02009531 23012306 71B9BAFC BA
> > >
> > > 23w4d: BGP: X.X.X.X Bad attributes
> > >
> > > Feb 16 21:26:04.918 pst: %BGP-4-MSGDUMP: unsupported or mal-formatted message
> > > received from X.X.X.X:
> > > FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 022C 0200 0002 1140 0101 0050 0202 0202
> > > 0095 3123 0123 0671 B9BA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
> > > FCBA--
> > >
> > > Any idea of the reason? Or what can be a bad message for BGP that can tear down
> > > adjacency?
> > >
> > > Regards,
> > >
> > > M Usman Ashraf
> > >
> > >
> > > On Tue, Feb 17, 2009 at 12:07 AM, Rodney Dunn wrote:
> > >
> > > That would have to be *real* old code.
> > >
> > > That was fixed back in the 12.1(4)
> > >
> > > and 12.0(10)S3 days.
> > >
> > > On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote:
> > > > Joe Provo wrote:
> > > > > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote:
> > > > >> Ozar wrote:
> > > > >>> I am starting to see random BGP neighbor messages from multiple neighbors
> > > > >>> on different boxes.
> > > > >>>
> > > > >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or corrupt
> > > > >>> AS path) 516 bytes
> > > > > [snip]
> > > > >> No, it is not a software error, it is an extremely long AS path:
> > > > >
> > > > > The message itself, correct. The flapping sessions observed on some
> > > > > code, the long path is indeed triggering some bug. It is immaterial
> > > > > if it is the revival of an old bug or a new one, there are folks
> > > > > flapping over this (and related) paths. Providers without some level
> > > > > of sanity filters (really need many multiples of the current diameter of
> > > > > the net?) should be shamed into limiting their customers' prepends.
> > > >
> > > > According to the NANOG thread on this, it would seem that the bug would
> > > > be CSCdr54230.
> > > >
> > > > Tim
> > > > _______________________________________________
> > > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/

From todd at newfrontierssolutions.com Thu Feb 19 15:11:45 2009
From: todd at newfrontierssolutions.com (Todd Shipway)
Date: Thu, 19 Feb 2009 15:11:45 -0500
Subject: [c-nsp] Unexplainable Output drops on serial interfaces
In-Reply-To: <499DBB75.6010806@uk.clara.net>
References: <1235073592.8676.45.camel@booger> <499DBB75.6010806@uk.clara.net>
Message-ID: <238F0B01-2488-4AE2-A314-A03BC00E3CEE@newfrontierssolutions.com>

The multilink interface had QoS set up but not on the individual serial interfaces. However, I am seeing these drops on interfaces with no QoS or shaping on them as well.
On Feb 19, 2009, at 3:03 PM, "David Freedman" wrote:
> Todd, do you have any kind of shaping / QoS on these circuits?
>
> Drops by traffic management configurations are frequently shown as
> interface drops.
>
> Dave.
>
>
> Todd Shipway wrote:
>> Hi,
>>
>> We have multiple T1 interfaces across different cards and different type
>> of cards in a 7513. Many interfaces are showing output drops and I
>> can't pinpoint why. The interfaces are spread throughout the system and
>> I can't pinpoint a single point that could be causing the drops. Below
>> is 2 interfaces showing the drops.
>>
>> The bandwidth is very low when the drops are occurring, these 2
>> interfaces are part of a multilink interface which shows no drops. Any
>> ideas as to what I should look for that could be causing this?
>>
>> Any help would be appreciated. As I said earlier, this scenario is
>> happening on multiple interfaces throughout the system. A Channelized
>> DS3 card has been swapped out as a test as well as the output queue
>> raised from 40 to 100 with no change in drops.
>>
>> -Todd
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From todd at newfrontierssolutions.com Thu Feb 19 15:22:52 2009
From: todd at newfrontierssolutions.com (Todd Shipway)
Date: Thu, 19 Feb 2009 15:22:52 -0500
Subject: [c-nsp] Unexplainable Output drops on serial interfaces
In-Reply-To: <499DBE4B.50802@uk.clara.net>
References: <1235073592.8676.45.camel@booger> <499DBB75.6010806@uk.clara.net> <238F0B01-2488-4AE2-A314-A03BC00E3CEE@newfrontierssolutions.com> <499DBE4B.50802@uk.clara.net>
Message-ID: <8828A128-890A-4A0F-82E1-304BDFCDBC09@newfrontierssolutions.com>

No. I don't graph each card's VIP usage. But that is actually my weekend project. Card 9 (channelized DS3) has the most interfaces with drops and I've got more VIP memory to put in it. But average usage is low. Other cards have 128MB memory and a low number of interfaces being used but still show drops. I'll check CPU usage once again when I get back to the office.

On Feb 19, 2009, at 3:15 PM, "David Freedman" wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What about the VIP CPU load on these VIPs? do you graph it?
> > Todd Shipway wrote: >> The multilink interface had qos setup but not on the individual >> serial >> interfaces. However I am seeing these drops on interfaces with no >> qos >> or shaping on them as well. >> >> >> On Feb 19, 2009, at 3:03 PM, "David Freedman" >> wrote: >> >>> Todd, do you have any kind of shaping / QoS on these circuits? >>> >>> Drops by traffic management configurations are frequently shown as >>> interface drops. >>> >>> Dave. >>> >>> >>> Todd Shipway wrote: >>>> Hi, >>>> >>>> We have multiple T1 interfaces across different cards and >>>> different type >>>> of cards in a 7513. Many interfaces are showing output drops and I >>>> can't pinpoint why. The interfaces are spread throughout the >>>> system and >>>> I can't pinpoint a single point that could be causing the drops. >>>> Below >>>> is 2 interfaces showing the drops. >>>> >>>> The bandwidth is very low when the drops are occurring, these 2 >>>> interfaces are part of a multilink interface which shows no >>>> drops. Any >>>> ideas as to what I should look for that could be causing this? 
>>>> >>>> -Todd >>>> >>>> >>>> >>>> --- >>>> --- >>>> ------------------------------------------------------------------ >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iEYEARECAAYFAkmdvksACgkQtFWeqpgEZrKCJwCgvpRWCkJtH6GXQC6aCUOpU56i > //sAoI8gGHocPm5w3IzgXC6sYMDZfKM5 > =uXGq > -----END PGP SIGNATURE----- From gtb at slac.stanford.edu Thu Feb 19 15:30:38 2009 From: gtb at slac.stanford.edu (Buhrmaster, Gary) Date: Thu, 19 Feb 2009 12:30:38 -0800 Subject: [c-nsp] 7507s: which image for production? For IPv6? In-Reply-To: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com> References: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com> Message-ID: > which image train is most stable? The 7500's make Swiss army knives feel inadequate. There are just too many possibilities of hardware and feature combinations to say anything absolutely. That said, my recollection is that Rodney has been pretty consistent about suggesting 12.0S or 12.4 (mainline) depending on the exact features you need. Avoid 12.2S. Since you want IPv6, that would mean you would be looking at 12.4. I am not sure a 256MB RSP4 will fit full BGP table(s) (although others may have experience). (Apologies to Rodney if I have mischaracterized his recommendations). 
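Returning to Rodney Dunn's CSCsx73770 note earlier in this section: the reason 255 is the magic number is that RFC 4271 encodes every AS_PATH segment with a one-octet "number of ASes" field, so a sender that emits a 256-hop AS_SEQUENCE as a single segment writes a length byte of 0x00 and the receiver has no way to consume the rest of the attribute. The NOTIFICATION data M Usman Ashraf posted in the same thread ("518 bytes 50020202 02009531 23012306 71B9BAFC BA") reads, as this editor decodes it, as exactly that: an AS_PATH attribute with flags 0x50 (transitive, extended length), length 0x0202 = 514 = 2-byte segment header + 256 two-byte ASNs, segment type 0x02 (AS_SEQUENCE), and a count byte of 0x00. The Python below is an added example, not Cisco code and not from any message in the thread: a correct encoder that splits long paths across segments, a model of the overflowing sender (an assumption about the symptom, not IOS source), a strict decoder that rejects what a peer would NOTIFY on, and the "does maxas-limit leave room for prepending" arithmetic. The 256-hop path is constructed: its first four ASNs are taken from the posted dump, the 252 copies of AS 47868 (0xBAFC) are an assumption made only to reach 256 hops.

```python
"""AS_PATH segment encoding check, 2-byte ASNs (RFC 4271 section 4.3).

Added example, not Cisco code. Models the symptom described for CSCsx73770:
the AS_PATH segment length field is one octet, so a sender that emits a
256-hop AS_SEQUENCE as one segment writes a length of 0x00.
"""
import struct

AS_SET = 1
AS_SEQUENCE = 2
MAX_SEGMENT_ASNS = 255                  # one-octet "number of ASes" field
ATTR_FLAGS_TRANSITIVE_EXTLEN = 0x50     # optional=0, transitive=1, extended length=1
ATTR_TYPE_AS_PATH = 2

# First 17 bytes of the NOTIFICATION data quoted in the thread
# ("518 bytes 50020202 02009531 23012306 71B9BAFC BA"), copied verbatim.
POSTED_PREFIX = bytes.fromhex("50020202020095312301230671B9BAFCBA")

# Constructed path (assumption): the four leading ASNs decoded from that dump,
# then AS 47868 repeated so the sequence is exactly 256 hops long.
PATH = [0x9531, 0x2301, 0x2306, 0x71B9] + [0xBAFC] * 252


class MalformedASPath(ValueError):
    """What a receiving speaker turns into NOTIFICATION 3/11 (malformed AS_PATH)."""


def encode_as_path(path):
    """Correct encoder: split a long sequence into segments of at most 255 ASNs."""
    out = bytearray()
    for start in range(0, len(path), MAX_SEGMENT_ASNS):
        chunk = path[start:start + MAX_SEGMENT_ASNS]
        out += struct.pack("!BB", AS_SEQUENCE, len(chunk))
        out += struct.pack("!%dH" % len(chunk), *chunk)
    return bytes(out)


def encode_as_path_overflowing(path):
    """Model of the faulty sender: one segment, count truncated to eight bits.

    Editor's reconstruction of the symptom, not IOS source: for a 256-hop path
    the count byte wraps to 0x00, which is what the posted dump shows.
    """
    return struct.pack("!BB", AS_SEQUENCE, len(path) & 0xFF) + struct.pack("!%dH" % len(path), *path)


def wrap_attribute(value):
    """Path attribute header as in the dump: flags 0x50, type 2, 2-byte length."""
    return struct.pack("!BBH", ATTR_FLAGS_TRANSITIVE_EXTLEN, ATTR_TYPE_AS_PATH, len(value)) + value


def decode_as_path(value):
    """Parse AS_PATH segments into a flat ASN list; reject anything a peer would NOTIFY on."""
    asns, pos = [], 0
    while pos < len(value):
        if len(value) - pos < 2:
            raise MalformedASPath("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise MalformedASPath("unknown segment type %d" % seg_type)
        if count == 0:
            raise MalformedASPath("zero-length segment (count byte overflowed?)")
        need = 2 * count
        if len(value) - pos < need:
            raise MalformedASPath("segment runs past end of attribute")
        asns.extend(struct.unpack("!%dH" % count, value[pos:pos + need]))
        pos += need
    return asns


def decode_rejects(value):
    """True if decode_as_path() refuses the attribute value."""
    try:
        decode_as_path(value)
    except MalformedASPath:
        return True
    return False


def exceeds_maxas_limit(path, limit):
    """The inbound test 'bgp maxas-limit <limit>' applies: discard paths longer than limit."""
    return len(path) > limit


def prepending_stays_under_255(limit, inbound_prepend, outbound_prepend):
    """Room check for the workaround: a path accepted at <= limit hops, plus the
    ingress and egress prepends plus the router's own AS, must still fit one segment."""
    return limit + inbound_prepend + outbound_prepend + 1 <= MAX_SEGMENT_ASNS
```

The round trip through encode_as_path() shows the well-formed encoding (a 255-hop segment followed by a 1-hop segment), while wrap_attribute(encode_as_path_overflowing(PATH)) reproduces the 518-byte attribute and the 17-byte prefix from the posted NOTIFICATION, and decode_as_path() rejects it at the zero count byte. With the 10-inbound/10-outbound prepend figures from Rodney's message, a maxas-limit of 200 leaves room and a limit of 240 does not.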
From david.freedman at uk.clara.net Thu Feb 19 15:17:15 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Thu, 19 Feb 2009 20:17:15 +0000 Subject: [c-nsp] Unexplainable Output drops on serial interfaces In-Reply-To: <238F0B01-2488-4AE2-A314-A03BC00E3CEE@newfrontierssolutions.com> References: <1235073592.8676.45.camel@booger> <499DBB75.6010806@uk.clara.net> <238F0B01-2488-4AE2-A314-A03BC00E3CEE@newfrontierssolutions.com> Message-ID: <499DBE4B.50802@uk.clara.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What about the VIP CPU load on these VIPs? do you graph it? Todd Shipway wrote: > The multilink interface had qos setup but not on the individual serial > interfaces. However I am seeing these drops on interfaces with no qos > or shaping on them as well. > > > On Feb 19, 2009, at 3:03 PM, "David Freedman" > wrote: > >> Todd, do you have any kind of shaping / QoS on these circuits? >> >> Drops by traffic management configurations are frequently shown as >> interface drops. >> >> Dave. >> >> >> Todd Shipway wrote: >>> Hi, >>> >>> We have multiple T1 interfaces across different cards and different type >>> of cards in a 7513. Many interfaces are showing output drops and I >>> can't pinpoint why. The interfaces are spread throughout the system and >>> I can't pinpoint a single point that could be causing the drops. Below >>> is 2 interfaces showing the drops. >>> >>> The bandwidth is very low when the drops are occurring, these 2 >>> interfaces are part of a multilink interface which shows no drops. Any >>> ideas as to what I should look for that could be causing this? 
>>>
>>> -Todd
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From david.freedman at uk.clara.net Thu Feb 19 15:05:09 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 19 Feb 2009 20:05:09 +0000
Subject: [c-nsp] Unexplainable Output drops on serial interfaces
In-Reply-To: <1235073592.8676.45.camel@booger>
References: <1235073592.8676.45.camel@booger>
Message-ID: <499DBB75.6010806@uk.clara.net>

Todd, do you have any kind of shaping / QoS on these circuits? Drops by traffic management configurations are frequently shown as interface drops.

Dave.

Todd Shipway wrote:
> Hi,
>
> We have multiple T1 interfaces across different cards and different type
> of cards in a 7513. Many interfaces are showing output drops and I
> can't pinpoint why. The interfaces are spread throughout the system and
> I can't pinpoint a single point that could be causing the drops. Below
> is 2 interfaces showing the drops.
>
> The bandwidth is very low when the drops are occurring, these 2
> interfaces are part of a multilink interface which shows no drops. Any
> ideas as to what I should look for that could be causing this?
>
> -Todd

From petelists at templin.org Thu Feb 19 15:37:13 2009
From: petelists at templin.org (Pete Templin)
Date: Thu, 19 Feb 2009 14:37:13 -0600
Subject: [c-nsp] 7507s: which image for production? For IPv6?
In-Reply-To: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com>
References: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com>
Message-ID: <499DC2F9.4030808@templin.org>

neal rauhauser wrote:
> I do believe we'll be seeing new code from Cisco before too long and I'm
> starting to get ready for that. We've got 12.0S in the field now and I'm
> bringing one machine up to 12.2.46a to see how it acts. I've got 256 meg
> RSP4s, VIP 2-50 that are getting upgraded to VIP4-80 this week, OC3 and DS3
> outside and just 100 mbit inside. The RSP4s work for me - no customers in
> APNIC space so we refuse those routes. The fanciest thing we do is netflow -
> which image train is most stable?

We're trying desperately to torpedo every last 7507 we've got, but current choices are:

12.0(27)S5 for T1 aggregation
12.0(32)S10 for (small POP) core routers

I tried 12.0(32) in the hopes of gaining some production experience with the version, so we'd know if it was safe down the road and we ever felt we'd need to advance past 12.0(27)S5. We also had some MPLS TE issues with mixed IOS versions, but we've since decided that MPLS TE is simply No-Go on 7500s for us, unfortunately.

We had horrible packet loss with 12.0(30) and 12.0(31), and stayed away from those like the plague.

I foresee some light testing with 12.4 someday, unless/until I get a clear roadmap for replacing them completely.
pt

From kka at netuse.de Thu Feb 19 15:04:20 2009
From: kka at netuse.de (Klaus Kastens)
Date: Thu, 19 Feb 2009 21:04:20 +0100
Subject: [c-nsp] Cat 2350 switches vs everything else
In-Reply-To: <499B20FD.9040800@justinshore.com>
References: <499B20FD.9040800@justinshore.com>
Message-ID: <20090219200420.GB11939@boss.intern.netuse.de>

Hi Justin,

> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10116/data_sheet_c78-521169.html
>
> For those not wanting to follow the link, the 2350 supports the TwinGig
> modules in the 10G bays just like the 3560E, 3750E, 4900M and the Sup6E
> in the 4500s. I also see jumbo frame support on the list. All good so far.

Judging from the limited documentation currently available (Release Notes 12.2(46)EY, data sheet) there is no support for SMF fiber transceivers, only "short range" 10GBASE-SR/CX4/LRM, not even 1000BASE-LX SFP for the TwinGig.

Klaus

--
Klaus Kastens
NetUSE AG
From everton at lab.ipaccess.diveo.net.br Thu Feb 19 15:38:57 2009
From: everton at lab.ipaccess.diveo.net.br (Everton da Silva Marques)
Date: Thu, 19 Feb 2009 17:38:57 -0300
Subject: [c-nsp] Unexplainable Output drops on serial interfaces
In-Reply-To: <1235073592.8676.45.camel@booger>
References: <1235073592.8676.45.camel@booger>
Message-ID: <20090219203857.GA2831@diveo.net.br>

On Thu, Feb 19, 2009 at 02:59:52PM -0500, Todd Shipway wrote:
>
> We have multiple T1 interfaces across different cards and different type
> of cards in a 7513. Many interfaces are showing output drops and I
> can't pinpoint why. The interfaces are spread throughout the system and
> I can't pinpoint a single point that could be causing the drops. Below
> is 2 interfaces showing the drops.
>
> The bandwidth is very low when the drops are occurring, these 2
> interfaces are part of a multilink interface which shows no drops. Any
> ideas as to what I should look for that could be causing this?

Check Rx-Side Buffering:

http://www.cisco.com/en/US/products/hw/modules/ps3088/products_tech_note09186a0080094345.shtml
http://www.cisco.com/warp/public/63/vip_cpu_rxbuffering.html

Everton

From atis at eik.bme.hu Thu Feb 19 16:25:49 2009
From: atis at eik.bme.hu (BALLA Attila)
Date: Thu, 19 Feb 2009 22:25:49 +0100 (CET)
Subject: [c-nsp] UDLD is err-disabling EoMPLS VC
In-Reply-To: <67FB78EB09CB274DBEF2FE672B6404026375EE@EUBEBRUSVEX1.eu.didata.local>
References: <67FB78EB09CB274DBEF2FE672B6404026374E5@EUBEBRUSVEX1.eu.didata.local> <67FB78EB09CB274DBEF2FE672B6404026375EE@EUBEBRUSVEX1.eu.didata.local>
Message-ID:

Hello,

UDLD is a Layer 2 protocol, so EoMPLS transports all UDLD frames coming from the CE. You should disable UDLD on the PE interfaces connected to CE devices.

BR, A.

On Thu, 19 Feb 2009, Ruben Montes (Europe) wrote:

> Hi,
>
> We're already running 12.2(18)SXF11.
>
> I have udld enabled for the whole box, do you mean that I must
> explicitly disable udld in the interfaces on the PE switches where I
> have created the VC with x-connect?
>
> Thanks in advance,
>
> Ruben
>
> -----Original Message-----
> From: BALLA Attila [mailto:atis at eik.bme.hu]
> Sent: Thursday, 19 February 2009 17:00
> To: Ruben Montes (Europe)
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] UDLD is err-disabling EoMPLS VC
>
> I had the same issue, it must be CSCsh99351, it is fixed in
> 12.2(18)SXF11.
> You should use udld on ce uplinks only.
>
> BR, A.
>
> On Thu, 19 Feb 2009, Ruben Montes (Europe) wrote:
>
>> Hi,
>>
>> We have configured a new EoMPLS VC. After 3 or 5 pings, UDLD
>> err-disables one of the interfaces. We are using port mode, is it
>> recommended to run such a feature in this type of connections?
>>
>> All the path has MPLS enabled and jumbo MTU enabled.
>>
>> Thanks in advance,
>>
>> Ruben

From justin at justinshore.com Thu Feb 19 18:49:47 2009
From: justin at justinshore.com (Justin Shore)
Date: Thu, 19 Feb 2009 17:49:47 -0600
Subject: [c-nsp] IOS Trains differnces
In-Reply-To: <7FCD9A6E-C705-4FF7-A8AE-9780D980BC50@puck.nether.net>
References: <20090219104326.GA8521@wildfire.net.ic.ac.uk> <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com> <20090219135838.GB29294@lboro.ac.uk> <7FCD9A6E-C705-4FF7-A8AE-9780D980BC50@puck.nether.net>
Message-ID: <499DF01B.6010108@justinshore.com>

Jared Mauch wrote:
>> another 'new' download area? as bad as the rejig they gave it last
>> time? :-(
>
> "Worse"
>
> You now have to navigate a tree that may or may not tell you
> anything useful.

Yeah, it's awful. And you can't sort by mainline release for all platforms anymore. I can't find many of the cross-over types of devices. I'm really not a fan of it. I sure hope that one can still download directly without having to use the messy GUI. It's bad enough having to agree to the crypto export form every single time you download any file. PITA.

Justin

From gtb at slac.stanford.edu Thu Feb 19 20:55:47 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Thu, 19 Feb 2009 17:55:47 -0800
Subject: [c-nsp] IOS Trains differnces
In-Reply-To: <499DF01B.6010108@justinshore.com>
References: <20090219104326.GA8521@wildfire.net.ic.ac.uk> <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com> <20090219135838.GB29294@lboro.ac.uk> <7FCD9A6E-C705-4FF7-A8AE-9780D980BC50@puck.nether.net> <499DF01B.6010108@justinshore.com>
Message-ID:

> Yeah, it's awful.

I am thinking that there is belief that customers need "wizards" to assist them. I presume Cisco has spent a lot of money on focus group studies to decide that we are all idiots and want and need their assistance with downloads (and do not mind that it takes five times longer to get to where we want to be, or to get the information you want, as long as we can point and click to get there). It is form over substance. I hate it (but then I still hate the new Cisco logo too, along with the font that the Cisco name is in).
Gary

From amsoares at netcabo.pt Fri Feb 20 08:22:31 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 20 Feb 2009 13:22:31 -0000
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406EA33A6@xmb-ams-333.emea.cisco.com>
References: <49980203.70803@imperial.ac.uk> <541E156EBB05458492867DB5D8E6A72C@int.convex.pt> <70B7A1CCBFA5C649BD562B6D9F7ED78406EA33A6@xmb-ams-333.emea.cisco.com>
Message-ID: <7767599E2E824775ABA9B38943AAC1E9@int.convex.pt>

Yes, enabling "ip tcp path-mtu-discovery" in the other end solves this:

1) The 6500 initiates the session and has "ip tcp path-mtu-discovery". The other end does not:

6500#
00:13:01: %SEC-6-IPACCESSLOGP: list bgp-control denied tcp 1.1.1.1(11002) -> 7.7.7.7(179), 1 packet
00:13:04: %SEC-6-IPACCESSLOGP: list bgp-control denied tcp 10.10.10.1(11003) -> 10.10.10.7(179), 1 packet
6500#
00:13:05: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Up
00:13:05: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
6500#
6500#sh ip bgp neighbors 10.10.10.1 | inc (path-mtu|max data)
Datagrams (max data segment is 1460 bytes):
6500#
6500#sh ip bgp neighbors 1.1.1.1 | inc (path-mtu|max data)
Datagrams (max data segment is 536 bytes):
6500#

2) "ip tcp path-mtu-discovery" was configured in the other end and the sessions were cleared:

00:14:19: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer closed the session
00:14:19: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Down Peer closed the session
6500#
00:14:45: %SEC-6-IPACCESSLOGP: list bgp-control denied tcp 10.10.10.1(11004) -> 10.10.10.7(179), 1 packet
00:14:47: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Up
6500#
00:14:47: %SEC-6-IPACCESSLOGP: list bgp-control denied tcp 1.1.1.1(11005) -> 7.7.7.7(179), 1 packet
00:14:48: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
6500#
6500#sh ip bgp neighbors 1.1.1.1 | inc (path-mtu|max data)
Datagrams (max data segment is 1460 bytes):
6500#
6500#sh ip bgp neighbors 10.10.10.1 | inc (path-mtu|max data)
Datagrams (max data segment is 1460 bytes):
6500#

Valid for both iBGP and eBGP.

Thanks.

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
Sent: Thursday, 19 February 2009 19:32
To: Antonio Soares; Phil Mayers
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] BGP MSS=576 bytes

Antonio Soares <> wrote on Thursday, February 19, 2009 18:38:

> This is what i got with 12.2(18)SXF15a and "ip tcp path-mtu-discovery"
> enabled:
>
> 6500#sh ip bgp neighbors 1.1.1.1 | inc (path-mtu|max data)
> Datagrams (max data segment is 536 bytes):
> 6500#
> 6500#
> 6500#sh ip bgp neighbors 10.10.10.1 | inc (path-mtu|max data)
> Datagrams (max data segment is 1460 bytes):
> 6500#
>
> MSS=1460 for directly connected peerings and MSS=536 for non-directly
> connected peerings. Got the same behavior for iBGP and eBGP.

did you enable it on both ends and did you reset the session?

> So basically it didn't work as i was expecting. It seems SXI puts some
> order here.

As far as I know, SXI allows to enable/disable PMTUD per BGP neighbor, and defaults to PMTUD being enabled..

oli

>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
> Sent: Sunday, 15 February 2009 11:53
> To: Antonio M. Soares
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP MSS=576 bytes
>
> Antonio M. Soares wrote:
>> Hello group,
>>
>> I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of
>> the BGP sessions have negotiated a MSS of 536 bytes. Here's an
>
> I think you need a newer IOS. Certainly under SXI I see:
>
> ac-core#sh ip bgp neighbors | inc path-mtu|max data seg
> Transport(tcp) path-mtu-discovery is enabled
> Datagrams (max data segment is 536 bytes):
> Transport(tcp) path-mtu-discovery is enabled
> Datagrams (max data segment is 1460 bytes):
> Transport(tcp) path-mtu-discovery is enabled
> Datagrams (max data segment is 9060 bytes):
> Transport(tcp) path-mtu-discovery is enabled
> Datagrams (max data segment is 536 bytes):
>
> ...depending on whether the neighbor is similarly equipped to be
> jumbo-framed and PMTU.

From MLouis at nwnit.com Fri Feb 20 12:45:24 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 20 Feb 2009 12:45:24 -0500
Subject: [c-nsp] Cisco Refurbished Equipment Program
Message-ID:

In this economy, we are all looking for ways to save $$. I am curious if anyone on this list has had any experience with purchasing product from the Cisco Refurbished Equipment Program. Any issues or concerns? Did it work as expected? Any issues with getting smartnet coverage on qualified product?

Thanks

Mike
From walter.keen at RainierConnect.net Fri Feb 20 13:03:00 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Fri, 20 Feb 2009 10:03:00 -0800
Subject: [c-nsp] Cisco 7600 WS6724-SFP link doesn't come up without intervention
Message-ID: <499EF054.70903@rainierconnect.net>

Greetings, has anyone seen the following condition?

WS-6724SFP with multiple LH, SX, and T connections, that operate normally when a link fails and is restored (meaning, either through far-end failure or shutdown command on that interface, then failure-resolution or 'no shut'), but one ZX-connected link that will not come back up if there is a loss of sync, until you physically unplug the fiber jumper, and plug it back in.

We've tried many ZX gbics with no change, and the distance is approximately 38km. Other ZX connected devices (at a distance of about 22km) do not show this behavior. The far end of this troubled link is a metro-ethernet provider who indicates there are no configuration problems on their end, nor any errors they can detect.

From chloekcy2000 at yahoo.ca Fri Feb 20 14:08:21 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 20 Feb 2009 14:08:21 -0500 (EST)
Subject: [c-nsp] need help about switch cisco 4 9 4 8
Message-ID: <237794.76542.qm@web57409.mail.re1.yahoo.com>

Hi

I have problems in this switch 4948

1/ I can't set up the management interface.
I have another same model. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start
It said that it can't find the Valid boot environment

config-register = 0x2142
Autobooting using BOOT variable specified file.....
Could not find a valid file in BOOT environment variable.
rommon 1 >

Please help
From mhuff at ox.com Fri Feb 20 14:28:56 2009
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 20 Feb 2009 14:28:56 -0500
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <237794.76542.qm@web57409.mail.re1.yahoo.com>
References: <237794.76542.qm@web57409.mail.re1.yahoo.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9B5BB3DC513@PUR-EXCH07.ox.com>

config register 2142 means boot without config

in the rommon set config-register to "0x2102" and type "restart"

I'm not up on the 4948 management interface.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139
From MLouis at nwnit.com Fri Feb 20 13:59:56 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 20 Feb 2009 13:59:56 -0500
Subject: [c-nsp] Netflow VRF Command Support in SXI
Message-ID:

I can't use ip flow-export destination x.x.x.x 9995 vrf VRFNAME command in SXI. I have heard it was available in SXH? Did it get left out in 12.2(33)SXI?

From cisco-nsp at slepicka.net Fri Feb 20 14:34:02 2009
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Fri, 20 Feb 2009 13:34:02 -0600
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9B5BB3DC513@PUR-EXCH07.ox.com>
References: <237794.76542.qm@web57409.mail.re1.yahoo.com> <483E6B0272B0284BA86D7596C40D29F9B5BB3DC513@PUR-EXCH07.ox.com>
Message-ID: <499F05AA.80908@slepicka.net>

the management port on a 4948 only works in rommon mode.
Matthew Huff wrote:
> config register 2142 means boot without config
>
> in the rommon set config-register to "0x2102" and type "restart"
>
> I'm not up on the 4948 management interface.
From sethm at rollernet.us Fri Feb 20 14:34:59 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 20 Feb 2009 11:34:59 -0800
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <237794.76542.qm@web57409.mail.re1.yahoo.com>
References: <237794.76542.qm@web57409.mail.re1.yahoo.com>
Message-ID: <499F05E3.8080409@rollernet.us>

chloe K wrote:
> Hi
>
> I have problems in this switch 4948
>
> 1/ I can't set up the management interface.
> I have another same model. I can see there is FastEthernet to set it up as management port.
>
> 2/ After reload, I lost configuration. I did copy run start
> It said that it can't find the Valid boot environment
>
> config-register = 0x2142
> Autobooting using BOOT variable specified file.....
> Could not find a valid file in BOOT environment variable.
> rommon 1 >
>
> Please help
>

Have you tried reading the documentation on cisco.com on how to do this? If you don't want to put that much effort into it, you could just copy the config from the other 4948.

~Seth

From chloekcy2000 at yahoo.ca Fri Feb 20 14:41:01 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 20 Feb 2009 14:41:01 -0500 (EST)
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <499F05AA.80908@slepicka.net>
Message-ID: <583682.71915.qm@web57401.mail.re1.yahoo.com>

Hi James

Can you give me more info? I have another switch 4948.
I can see this FastEthernet1 in sh running or sh int

When I configure ip in this interface, it can work in my management port

interface FastEthernet1
 ip address x.x.x.x y.y.y.y
 speed auto
 duplex auto

But I can't see this FastEthernet1 in that switch in sh running config or sh int.

I am so confused. Do you have idea?

Thank you

James Slepicka wrote:
> the management port on a 4948 only works in rommon mode.
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ --------------------------------- _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ --------------------------------- Yahoo! Canada Toolbar : Search from anywhere on the web and bookmark your favourite sites. Download it now! From chloekcy2000 at yahoo.ca Fri Feb 20 14:35:17 2009 From: chloekcy2000 at yahoo.ca (chloe K) Date: Fri, 20 Feb 2009 14:35:17 -0500 (EST) Subject: [c-nsp] need help about switch cisco 4 9 4 8 In-Reply-To: <3e4b8fe10902201123r1a544a84wecaf3175c66cf7e9@mail.gmail.com> Message-ID: <751175.20438.qm@web57407.mail.re1.yahoo.com> Hi Rich Thank you so much for your fast response. for the 1st quesiton, what is "config-register = 0x1"? for the 2nd question, I have same model switch there is int "FastEthernet1" to let me to configure the management int interface FastEthernet1 no ip address speed auto duplex auto But in this switch, I can't see this int in show running config so that I can't configure it for the management port Do you have any idea? Thank you Rich Davies wrote: Chloe, The config-register of 0x2142 is usually configured when someone does password recovery on the device. You need to change it back to 0x2102 then reset the switch: confreg 0x2102 reset This should cause switch to boot up with config register of 0x2102 which tells it to load the configuration from NVRAM (normal default operation). Once the Cisco IOS is booted and you can get in to do configuration on the switch you will want to setup a management IP address. Traditionally switches have a "Vlan1" interface which is the interface you should put your management IP on. 
> The example shown assumes the following:
> x.x.x.x = management IP
> y.y.y.y = management IP subnet mask
> z.z.z.z = default gateway (.1 or whatever you are using for the subnet).
>
> config term
> !
> !
> interface vlan 1
>  ip address x.x.x.x y.y.y.y
> !
> ip default-gateway z.z.z.z
> !
> !
> end
> wr mem
>
> Hope this helps!
>
> -Rich

From Moens at carrier2carrier.com Fri Feb 20 14:52:59 2009
From: Moens at carrier2carrier.com (Martin Moens)
Date: Fri, 20 Feb 2009 20:52:59 +0100
Subject: [c-nsp] IOS Trains differnces
In-Reply-To: <499DF01B.6010108@justinshore.com>
Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905F77@bilbo.bdhz.c2c.local>

On Friday, 20 February, 2009 00:50 Justin Shore <> wrote:

> Jared Mauch wrote:
>>> another 'new' download area? as bad as the rejig they gave it last
>>> time? :-(
>>
>> "Worse"
>>
>> You now have to navigate a tree that may or may not tell you
>> anything useful.
>
> Yeah, it's awful. And you can't sort by mainline release for all
> platforms anymore. I can't find many of the cross-over types of
> devices.
> I'm really not a fan of it. I sure hope that one can still
> download directly without having to use the messy GUI. It's bad
> enough having to agree to the crypto export form every single time
> you download any file. PITA.
>
> Justin

Just had a look at that 'wonderful' new interface...

OMG!

Cisco, ***PLEASE*** don't do this to us! Leave the original interface intact!
Apart from Justin's remarks, it is so very slow....

Martin

From amsoares at netcabo.pt Fri Feb 20 15:13:38 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 20 Feb 2009 20:13:38 -0000
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <237794.76542.qm@web57409.mail.re1.yahoo.com>
References: <237794.76542.qm@web57409.mail.re1.yahoo.com>
Message-ID: <753ED4F9715A45ABADBDB9DC23C1FCA8@int.convex.pt>

There are IOS releases that do not support the Management Interface. I know that 12.2.46SG supports it. So compare your 4948's and check the IOS releases.

You need a config-register=0x2101. With 0x2142, the switch won't load the startup config and needs a "boot system flash" statement to load the IOS image.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt
From hazard at francoudi.com Fri Feb 20 14:58:19 2009
From: hazard at francoudi.com (Vladimir Ivashchenko)
Date: Fri, 20 Feb 2009 21:58:19 +0200
Subject: [c-nsp] UUFRL support on SUP720-3B?
Message-ID: <1235159899.14251.14.camel@hazard2.francoudi.com>

Hi All,

Does anybody know if Cisco plans to support UUFRL (unknown unicast flood rate-limiting) on anything apart from SUP720-10GE?

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/blocking.html#wp1050604

--
Best Regards,
Vladimir Ivashchenko
Chief Technology Officer
PrimeTel PLC, Cyprus - www.prime-tel.com
Tel: +357 25 100100 Fax: +357 2210 2211

From A.L.M.Buxey at lboro.ac.uk Fri Feb 20 15:35:31 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 20 Feb 2009 20:35:31 +0000
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <20090210124019.GA8143@lboro.ac.uk>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk>
Message-ID: <20090220203531.GC2407@lboro.ac.uk>

hi,

just thought I'd post an update.... it seems that we hit 3(!) bugs in the upgrade process. 2 of them are now documented and one is in the process of being documented.

fundamentally, SXI has a new default line added to the config...which meant that our second supervisor couldn't come up....we fixed this by removing the offending line in the working sup720 - but by this time, it was too late - the system thought there was a failure and then attempted to use ISSU to recover the previous image. ah..oh. we upgraded from SXF15a so there wasn't ISSU activity....(this also affects upgrades from SXH).
anyway, this is where the oif and ltl came from - what had now happened is that any multicast groups that were being joined got their IGMP join locked in the MLS switching fabric...stuck.... never to work. only groups that hadn't been borked during the dual sup720s being present would work.

the instant fix was to switch off hardware switching of multicast to flush these stuck registers etc and then very quickly(! ;-) ) turn it back on.

we await resolution of the dual 720 bug that we hit..but a reload is needed as part of that..so has to wait a little longer.

thanks to Cisco engineers involved in looking at this case. it was certainly 'interesting'

alan

From chloekcy2000 at yahoo.ca Fri Feb 20 15:59:39 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 20 Feb 2009 15:59:39 -0500 (EST)
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <753ED4F9715A45ABADBDB9DC23C1FCA8@int.convex.pt>
Message-ID: <28011.1317.qm@web57404.mail.re1.yahoo.com>

Thank you

Now I change it to 0x2102 but it can't boot properly

Can you help?

Thank you

******** The system will autoboot now ********

config-register = 0x2102
Autobooting using BOOT variable specified file.....
Could not find a valid file in BOOT environment variable.
BOOT variable can be set from IOS. To find currently set
Rom Monitor variables, please type 'set' command.
For help on choosing a boot method, type 'confreg' command.

Antonio Soares wrote:
> There are IOS releases that do not support the Management Interface. I know that 12.2.46SG supports it. So compare your 4948's and check the IOS releases.
>
> You need a config-register=0x2101. With 0x2142, the switch won't load the startup config and needs a "boot system flash" statement to load the IOS image.
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt

From amsoares at netcabo.pt Fri Feb 20 16:48:29 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 20 Feb 2009 21:48:29 -0000
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <28011.1317.qm@web57404.mail.re1.yahoo.com>
References: <753ED4F9715A45ABADBDB9DC23C1FCA8@int.convex.pt> <28011.1317.qm@web57404.mail.re1.yahoo.com>
Message-ID: <5E3C7A341C9C41F5BD5FE75FC12704B1@int.convex.pt>

Since you don't have a "boot system flash" statement in your config, you need a config-register = 0x2101. This way it will load the first available image in the bootflash.
Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt
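The three register values argued over in this thread (0x2142, 0x2102, 0x2101) differ only in the boot field and the ignore-NVRAM bit, and a switch left at 0x2142 after password recovery is worth flagging in an audit because its next reload comes up with no configuration. The decoder below is an added example, not code from the list or from Cisco; it assumes the standard IOS config-register bit layout and parses a constructed 'show version' line.

```python
"""Decode and sanity-check a Cisco IOS configuration register.

Added example for this thread, not code from the list or from Cisco. It
assumes the documented IOS config-register bit layout: bits 0-3 are the boot
field, bit 6 (0x0040) makes the box ignore NVRAM (startup-config) on boot,
bit 8 (0x0100) disables the console Break key during boot, bit 13 (0x2000)
falls back to the ROM image when a network boot fails.
"""
import re

BOOT_FIELD_MASK = 0x000F
IGNORE_NVRAM = 0x0040
BREAK_DISABLED = 0x0100
ROM_FALLBACK = 0x2000

# Matches e.g. "Configuration register is 0x2142 (will be 0x2102 at next reload)"
_SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def boot_field_meaning(boot_field: int) -> str:
    """Translate the low nibble into what the ROM monitor will do."""
    if boot_field == 0x0:
        return "stay in rommon"
    if boot_field == 0x1:
        return "boot first image in flash (ignores boot system commands)"
    return "boot per boot system commands / BOOT variable"


def decode_config_register(value: int) -> dict:
    """Split a register value into the fields the thread argues about."""
    boot_field = value & BOOT_FIELD_MASK
    return {
        "value": value,
        "boot_field": boot_field,
        "boot": boot_field_meaning(boot_field),
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


def parse_show_version(line: str):
    """Return (current, next_reload) from a 'show version' register line.

    next_reload is None when no change is pending; the function returns
    None when the line is not the register line at all.
    """
    m = _SHOW_VERSION_RE.search(line)
    if not m:
        return None
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def audit(value: int, has_boot_system_statement: bool) -> list:
    """Findings for the two failure modes described in the thread.

    0x2142 (bit 6 set): the box boots but ignores startup-config, which is
    what password recovery leaves behind and why the config "disappears".
    0x2102 with no 'boot system' line and no BOOT variable: rommon reports
    'Could not find a valid file in BOOT environment variable'; 0x2101
    boots the first image in flash instead.
    """
    d = decode_config_register(value)
    findings = []
    if d["ignores_startup_config"]:
        findings.append(
            "bit 6 (0x0040) set: startup-config ignored on reload; "
            "expected only during password recovery, set 0x2102 afterwards")
    if d["boot_field"] >= 0x2 and not has_boot_system_statement:
        findings.append(
            "boot field %#x needs a 'boot system' line or BOOT variable; "
            "none configured, so the boot will fail (0x2101 boots the "
            "first image in flash instead)" % d["boot_field"])
    if not d["break_disabled"]:
        findings.append(
            "bit 8 (0x0100) clear: console Break is honoured during boot")
    return findings


if __name__ == "__main__":
    # Constructed sample line, not output captured from the thread's switch.
    sample = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
    current, pending = parse_show_version(sample)
    for reg in (current, pending, 0x2101):
        print("%#06x: %s" % (reg, decode_config_register(reg)["boot"]))
        for finding in audit(reg, has_boot_system_statement=False):
            print("   -", finding)
```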
From mhuff at ox.com Fri Feb 20 16:55:12 2009
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 20 Feb 2009 16:55:12 -0500
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <28011.1317.qm@web57404.mail.re1.yahoo.com>
References: <753ED4F9715A45ABADBDB9DC23C1FCA8@int.convex.pt> <28011.1317.qm@web57404.mail.re1.yahoo.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9B5BB3DC515@PUR-EXCH07.ox.com>

It may be that your flash is corrupt, is missing an IOS image, etc... My rommon memory is a bit fuzzy atm, but you should be able to do a "dir flash:" or "dir /all" and see what images are there. Then do a "boot "

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
> Sent: Friday, February 20, 2009 4:00 PM
> To: Antonio Soares; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] need help about switch cisco 4 9 4 8
>
> Now I change it to 0x2102
> but it can't boot properly
From chris at netops.t3com.net Fri Feb 20 16:54:09 2009
From: chris at netops.t3com.net (Chris Wallace)
Date: Fri, 20 Feb 2009 16:54:09 -0500
Subject: [c-nsp] Cisco Refurbished Equipment Program
In-Reply-To:
References:
Message-ID: <49675E3E-2AB4-40CC-8466-5F733861B6F8@netops.t3com.net>

We purchased a Cisco 6509 through this program a couple years ago. When we first got it up and running we found out it had a failed fan tray, just opened a TAC case for the RMA and got a new one right away. No complaints here!

---Chris

On Feb 20, 2009, at 12:45 PM, Mike Louis wrote:

> In this economy, we are all looking for ways to save $$. I am
> curious if anyone on this list has had any experience with
> purchasing product from the Cisco Refurbished Equipment Program. Any
> issues or concerns? Did it work as expected? Any issues with getting
> smartnet coverage on qualified product?
>
> Thanks
>
> Mike
From gert at greenie.muc.de Fri Feb 20 18:03:59 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 21 Feb 2009 00:03:59 +0100
Subject: [c-nsp] Cisco Refurbished Equipment Program
In-Reply-To: <49675E3E-2AB4-40CC-8466-5F733861B6F8@netops.t3com.net>
References: <49675E3E-2AB4-40CC-8466-5F733861B6F8@netops.t3com.net>
Message-ID: <20090220230359.GU290@greenie.muc.de>

Hi,

On Fri, Feb 20, 2009 at 04:54:09PM -0500, Chris Wallace wrote:
> We purchased a Cisco 6509 through this program a couple years ago.
> When we first got it up and running we found out it had a failed fan
> tray, just opened a TAC case for the RMA and got a new one right
> away. No complaints here!

Well - if it's all nicely refurbished, I wonder why it had a failed fan in the first place.

But maybe that's just me...

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From dudepron at gmail.com Fri Feb 20 21:22:22 2009
From: dudepron at gmail.com (Aaron)
Date: Fri, 20 Feb 2009 21:22:22 -0500
Subject: [c-nsp] Cisco Refurbished Equipment Program
In-Reply-To: <20090220230359.GU290@greenie.muc.de>
References: <49675E3E-2AB4-40CC-8466-5F733861B6F8@netops.t3com.net> <20090220230359.GU290@greenie.muc.de>
Message-ID: <480dad640902201822u5367e511vf5c821fb36913984@mail.gmail.com>

Bad timing?

On Fri, Feb 20, 2009 at 18:03, Gert Doering wrote:
> Well - if it's all nicely refurbished, I wonder why it had a failed
> fan in the first place.

From steve at ibctech.ca Fri Feb 20 22:28:49 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Fri, 20 Feb 2009 22:28:49 -0500
Subject: [c-nsp] Security question regarding VTP in a L2 shared environment
Message-ID: <499F74F1.4070101@ibctech.ca>

I have a shared L2 environment with a local company, in which we have numerous VLANs over fibre.

I'm in the process of moving to transparent on all of my switches, and during the work, I'm checking things out.

Doing a "sh vlan" produces output that includes VLANs that I shouldn't see:

230  xxxOFFICExxx    active
240  xxxSECURITYxxx  active
250  xxxDMZx         active
...etc.

The VLANs shown above belong to the network that I am connected to. They are completely outside of my security boundary.

Hypothetically, if there is no L2 or L3 security in place, would it be as simple as creating a "sw acc vlan 230", and allowing 230 on the trunk port on my switch to start scoping about at the other end?

Of course I am not going to do anything of the sort, hence why I am asking here. I'm sure I know the answer already, but if I don't get any feedback from the list, I'm going to lab it up internally and do some educational testing for my own knowledge.
Steve

From p.mayers at imperial.ac.uk Sat Feb 21 06:30:52 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sat, 21 Feb 2009 11:30:52 +0000
Subject: [c-nsp] Netflow VRF Command Support in SXI
In-Reply-To:
References:
Message-ID: <20090221113051.GC32519@wildfire.net.ic.ac.uk>

On Fri, Feb 20, 2009 at 06:59:56PM +0000, Mike Louis wrote:
>I can't use
>
>ip flow-export destination x.x.x.x 9995 vrf VRFNAME
>
>command in SXI. I have heard it was available in SXH? Did it get left out in 12.2(33)SXI?

It seems so - I tested it in SXH but it's not present in SXI for me either.

HOWEVER - when I tested it in SXH, it was useless - only software-switched flows were exported, it did not seem to work for hardware-switched flows. Perhaps that's why it was removed - maybe it was an unintentional inclusion in SXH?

From p.mayers at imperial.ac.uk Sat Feb 21 06:34:54 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sat, 21 Feb 2009 11:34:54 +0000
Subject: [c-nsp] IOS Trains differnces
In-Reply-To: <42F0C766A9A8DB47B5E86CA64738DC8B01905F77@bilbo.bdhz.c2c.local>
References: <499DF01B.6010108@justinshore.com> <42F0C766A9A8DB47B5E86CA64738DC8B01905F77@bilbo.bdhz.c2c.local>
Message-ID: <20090221113454.GD32519@wildfire.net.ic.ac.uk>

On Fri, Feb 20, 2009 at 07:52:59PM +0000, Martin Moens wrote:
>On Friday, 20 February, 2009 00:50 Justin Shore <> wrote:
>
>Just had a look at that 'wonderful' new interface...
>
>OMG!
>
>Cisco, ***PLEASE*** don't do this to us! Leave the original interface intact!
>Apart from Justin's remarks, it is so very slow....

I must be the only person in the world who quite likes the new one!

From lambert at psc.edu Sat Feb 21 07:41:26 2009
From: lambert at psc.edu (Michael Lambert)
Date: Sat, 21 Feb 2009 07:41:26 -0500
Subject: [c-nsp] IOS Trains differnces
In-Reply-To:
References: <20090219104326.GA8521@wildfire.net.ic.ac.uk> <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com> <20090219135838.GB29294@lboro.ac.uk> <7FCD9A6E-C705-4FF7-A8AE-9780D980BC50@puck.nether.net> <499DF01B.6010108@justinshore.com>
Message-ID:

On 19 Feb 2009, at 20:55, Buhrmaster, Gary wrote:

> I am thinking that there is belief that customers
> need "wizards" to assist them.

Agreed. Anyone who is responsible for, say, 7200s and above should be able to download images using FTP (or find a new line of work).

Michael

From elmi at 4ever.de Sat Feb 21 08:36:19 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Sat, 21 Feb 2009 14:36:19 +0100
Subject: [c-nsp] IOS Trains differnces
In-Reply-To:
References: <20090219104326.GA8521@wildfire.net.ic.ac.uk> <660CDBE9F5177645BF5FAE6EFE2D9BA406CA94CB@xmb-ams-332.emea.cisco.com> <499DF01B.6010108@justinshore.com>
Message-ID: <20090221133619.GP27070@ronin.4ever.de>

lambert at psc.edu (Michael Lambert) wrote:

> On 19 Feb 2009, at 20:55, Buhrmaster, Gary wrote:
>
> >I am thinking that there is belief that customers
> >need "wizards" to assist them.
>
> Agreed. Anyone who is responsible for, say, 7200s and above should be
> able to download images using FTP (or find a new line of work).

Not really, since "law" (not mine, but Cisco's) requires downloaders to explicitly agree to export regulations for IOS images with any crypto (basically all of them you'd want to use). So yes, the admin might be capable of using FTP, yet he mustn't.
To further overcomplicate the downloading process with wizards (which, btw, don't always work; try an ASR1002 in the software advisor - the hardware list page always gives an error and doesn't let you through), is of course idiocy and Cisco is to blame for that.

Yours,
Elmi.

From sengork at gmail.com Sat Feb 21 08:49:10 2009
From: sengork at gmail.com (Sengor)
Date: Sun, 22 Feb 2009 00:49:10 +1100
Subject: [c-nsp] Cisco MDS
Message-ID: <8417e52e0902210549s34f938e8l86de19d8f815c2ca@mail.gmail.com>

Hi guys,

Would this list be appropriate for posting Cisco MDS 9000 related discussion?

Thanks.

--
sengork

From MLouis at nwnit.com Sat Feb 21 09:58:45 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Sat, 21 Feb 2009 09:58:45 -0500
Subject: [c-nsp] Netflow VRF Command Support in SXI
In-Reply-To: <20090221113051.GC32519@wildfire.net.ic.ac.uk>
References: , <20090221113051.GC32519@wildfire.net.ic.ac.uk>
Message-ID:

When you tested it in SXH were you using the /vrf switch command or just normal netflow? Did you have your mls flow mask set to something other than null?

________________________________________
From: Phil Mayers [p.mayers at imperial.ac.uk]
Sent: Saturday, February 21, 2009 6:30 AM
To: Mike Louis
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Netflow VRF Command Support in SXI

> It seems so - I tested it in SXH but it's not present in SXI for me either.
>
> HOWEVER - when I tested it in SXH, it was useless - only software-switched flows were exported, it did not seem to work for hardware-switched flows. Perhaps that's why it was removed - maybe it was an unintentional inclusion in SXH?
From tdurack at gmail.com Sat Feb 21 11:42:20 2009
From: tdurack at gmail.com (Tim Durack)
Date: Sat, 21 Feb 2009 11:42:20 -0500
Subject: [c-nsp] PBACL
Message-ID: <9e246b4d0902210842n4344cc68nbddbdeb8a64ec617@mail.gmail.com>

Anyone tinkered with PBACLs (object-groups)? Kind of cool. Now I can have "friendly" names in my ACLs, and can group ip/ports. I just refactored a bunch of ACLs to use this as it makes them more maintainable.

Surprised you can't nest object-groups though. Perhaps it was a deliberate omission so users wouldn't start using it as a stateless firewall.

Tim:>

From ml at kenweb.org Sat Feb 21 11:50:49 2009
From: ml at kenweb.org (ML)
Date: Sat, 21 Feb 2009 11:50:49 -0500
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <5E3C7A341C9C41F5BD5FE75FC12704B1@int.convex.pt>
References: <753ED4F9715A45ABADBDB9DC23C1FCA8@int.convex.pt> <28011.1317.qm@web57404.mail.re1.yahoo.com> <5E3C7A341C9C41F5BD5FE75FC12704B1@int.convex.pt>
Message-ID: <49A030E9.5040009@kenweb.org>

Antonio Soares wrote:
> Since you don't have a "boot system flash" statement in your config, you need a config-register = 0x2101. This way it will load the
> first available image in the bootflash.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>

Just recently we had an issue where a 4924 wouldn't load our desired IOS image under any combination of "boot system {flash:|bootflash:}" commands we could think of. Only solution was to erase all but the desired image. It was a roll-the-dice, hope-you-don't-critically-fail situation. Config register 0x2101.

From p.mayers at imperial.ac.uk Sat Feb 21 11:52:15 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sat, 21 Feb 2009 16:52:15 +0000
Subject: [c-nsp] Netflow VRF Command Support in SXI
In-Reply-To:
References: <20090221113051.GC32519@wildfire.net.ic.ac.uk>
Message-ID: <20090221165215.GA2800@wildfire.net.ic.ac.uk>

On Sat, Feb 21, 2009 at 02:58:45PM +0000, Mike Louis wrote:
>When you tested it in SXH were you using the /vrf switch command or just normal netflow? Did you have your mls flow mask set to something other than null?
>

Sorry, what I mean was:

When I tested netflow export *to a VRF destination* it only exported software flows. I was able to specify a destination without a VRF and all flows were exported, with all other settings the same. The flowmask was set (as on all of our boxes) to interface-full.

So I'm pretty sure it was the "vrf" bit of "export to a VRF" that wasn't working for hardware (PFC/DFC) flows. It might have been MPLS related - the netflow destination next-hop would have been an LSP, maybe it would work with vrf-lite but we don't use it so I didn't test it.

From mtinka at globaltransit.net Sat Feb 21 23:14:26 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 22 Feb 2009 12:14:26 +0800
Subject: [c-nsp] IOS Trains differnces
In-Reply-To: <42F0C766A9A8DB47B5E86CA64738DC8B01905F77@bilbo.bdhz.c2c.local>
References: <42F0C766A9A8DB47B5E86CA64738DC8B01905F77@bilbo.bdhz.c2c.local>
Message-ID: <200902221214.27305.mtinka@globaltransit.net>

On Saturday 21 February 2009 03:52:59 am Martin Moens wrote:

> Cisco, ***PLEASE*** don't do this to us!
> Leave the
> original interface intact! Apart from Justin's remarks,
> it is so very slow....

If they can also fix the search dialog box on the homepage, that would be great.

When you try to search for something and type it in, it thinks it knows what you are thinking, and tries to auto-complete it for you. If you're like me and type fast, hitting the space bar as you make more entries wipes out what you've already done, and it's easy to keep doing this 3 or 4 times wondering what the heck's going on.

Please fix it.

Besides, the options it tries to guess you're looking for are not quite that comprehensive. I've never had to use them.

Mark.

From mtinka at globaltransit.net Sun Feb 22 00:57:02 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 22 Feb 2009 13:57:02 +0800
Subject: [c-nsp] IS-IS LSP Generation/Expiry + Database Optimization - Issue
Message-ID: <200902221357.04134.mtinka@globaltransit.net>

Hello all.

We have a query that begs operational feedback from folk here re: IS-IS, particularly, the 'max-lsp-lifetime' and 'lsp-refresh-interval' features that Cisco recommend as good practice for IS-IS deployments.

In our experience using 'max-lsp-lifetime 65535' and 'lsp-refresh-interval 65000' as encouraged, we have encountered a couple of issues as regards recovering/restarting routers, and wonder whether this is a bug or feature as part of IOS's implementation of the IS-IS protocol.

We have seen that routers that return to operational status (either from a software crash or normal reload) may have some of their v4/v6 Loopback addresses not present in the IS-IS routing tables of the other routers in the network. This would lead to failure of iBGP to establish.
What's more interesting is that as all routers in the network are dual-homed to the core, each with 2x iBGP sessions to 2x route reflectors, we have found that both sessions may be up for v4, but only one for v6, where the v6 session that's down is because the other route reflector doesn't see the recovered router's v6 Loopback address in its IS-IS routing table. In other cases, the reverse is true, i.e., both v6 sessions are up, but only one or none of the v4 sessions is up - this issue can occur in various permutations, but you get the point.

To resolve this issue, we have seen that resetting the IS-IS process on the recovered router fixes the problem. In other cases, doing this on the DIS also solves the problem, but since the DIS is the Pseudonode for the rest of the network, we try to avoid doing it here unless really necessary.

Further, we have seen a somewhat similar issue with our backup DIS, where updates current on our DIS are sometimes not seen on the backup DIS.

We are wondering whether this is a function of the 'max-lsp-lifetime' and 'lsp-refresh-interval' features we have enabled, or whether this is a bug.

We are inclined to have more aggressive values for these features than what Cisco recommend, because we can afford the "chatter" in our Level-1 areas (Gig-E or 10-Gig-E backbone), and CPU really isn't a big problem (the IS-IS database is very lean, Loopbacks + infrastructure only, and the CPUs are very fast).

We are running 12.2(33)SRC3 for all IS's, and our DIS and backup DIS are running 12.2(33)SXH3.

We've opened a case with TAC to figure out whether this is still recommended practice. Suffice it to say, we've had recovering JunOS-based routers, but haven't seen this issue (they still talk to SUP720-3BXL-based DIS's).

Appreciate any (operational) feedback.

Cheers,

Mark.
From avayner at cisco.com Sun Feb 22 03:48:20 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 22 Feb 2009 09:48:20 +0100
Subject: [c-nsp] Cisco MDS
In-Reply-To: <8417e52e0902210549s34f938e8l86de19d8f815c2ca@mail.gmail.com>
References: <8417e52e0902210549s34f938e8l86de19d8f815c2ca@mail.gmail.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D740BBF4@xmb-ams-331.emea.cisco.com>

Yes.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sengor
Sent: Saturday, February 21, 2009 15:49
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco MDS

Hi guys,

Would this list be appropriate for posting Cisco MDS 9000 related discussion?

Thanks.

--
sengork
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From dwinkworth at att.net Sun Feb 22 02:50:53 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Sun, 22 Feb 2009 01:50:53 -0600
Subject: [c-nsp] EIGRP router-id in VRF
Message-ID: <1235289053.17198.3.camel@R2D2>

All:

We went to production with a solution that we labbed, but now we are seeing some odd behavior. We added VRFs to our configuration and the EIGRP router-id for routes redistributing into EIGRP from BGP was always the highest IP address in the *VRF*, not the loopback interface in the global routing table. In fact, I see this is the behavior now for the initial customers we turned up. We turn up a third customer in the same fashion as far as I can tell, but now the router-id is the loopback in the global routing table.

Can someone clarify what the deal is here?
From vedlabs at gmail.com Sun Feb 22 04:27:12 2009
From: vedlabs at gmail.com (Ved Labs)
Date: Sun, 22 Feb 2009 14:57:12 +0530
Subject: [c-nsp] Cisco Refurbished Equipment Program
In-Reply-To: <480dad640902201822u5367e511vf5c821fb36913984@mail.gmail.com>
References: <49675E3E-2AB4-40CC-8466-5F733861B6F8@netops.t3com.net> <20090220230359.GU290@greenie.muc.de> <480dad640902201822u5367e511vf5c821fb36913984@mail.gmail.com>
Message-ID: <7db92dcc0902220127t47c66d51w20b53df79e2e863e@mail.gmail.com>

What I believe is most of the parts would be refurbished, even for the first buy. Even when you do RMA, you get refurbished parts. How do you make sure that the part is a new one or refurbished?

Biddu.

On 2/21/09, Aaron wrote:
> Bad timing?
>
> On Fri, Feb 20, 2009 at 18:03, Gert Doering wrote:
>
>> OHi,
>>
>> On Fri, Feb 20, 2009 at 04:54:09PM -0500, Chris Wallace wrote:
>> > We purchased a Cisco 6509 through this program a couple years ago.
>> > When we first got it up and running we found out it had a failed fan
>> > tray, just opened a TAC case for the RMA and got a new one right
>> > away. No complaints here!
>>
>> Well - if it's all nicely refurbished, I wonder why it had a failed
>> fan in the first place.
>>
>> But maybe that's just me...
>>
>> gert
>> --
>> USENET is *not* the non-clickable part of WWW!
>> //www.muc.de/~gert/
>> Gert Doering - Munich, Germany
>> gert at greenie.muc.de
>> fax: +49-89-35655025
>> gert at net.informatik.tu-muenchen.de
>>

From oboehmer at cisco.com Sun Feb 22 05:41:35 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sun, 22 Feb 2009 11:41:35 +0100
Subject: [c-nsp] IS-IS LSP Generation/Expiry + Database Optimization - Issue
In-Reply-To: <200902221357.04134.mtinka@globaltransit.net>
References: <200902221357.04134.mtinka@globaltransit.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406EA3A1C@xmb-ams-333.emea.cisco.com>

Mark Tinka <> wrote on Sunday, February 22, 2009 06:57:

[..]
> In our experience using 'max-lsp-lifetime 65535' and 'lsp-refresh-interval 65000'
> as encouraged, we have encountered a couple of issues as regards
> recovering/restarting routers, and wonder whether this is a bug or feature
> as part of IOS's implementation of the IS-IS protocol.
>
> We have seen that routers that return to operational status (either from a
> software crash or normal reload) may have some of their v4/v6 Loopback
> addresses not present in the IS-IS routing tables of the other routers in
> the network. This would lead to failure of iBGP to establish.
[..]
> We are wondering whether this is a function of the 'max-lsp-lifetime' and
> 'lsp-refresh-interval' features we have enabled, or whether this is a bug.

I've "worked" with the increased lifetime/refresh intervals in several large networks for the last 8 years, and I've not seen an issue with it.
Do you have any indication that the problem you've been experiencing is caused by "corrupt" LSPs? It is strange that you only seem to see the problem on some routers, and not on others, which makes a "corrupt" LSP advertised by the restarting router a bit unlikely..

I would still recommend the higher lifetime values, however the original reason (reducing the "chatter") is certainly much less important these days with high-speed CPU and links, so I'm not passionate about it..

oli

From mtinka at globaltransit.net Sun Feb 22 10:30:42 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 22 Feb 2009 23:30:42 +0800
Subject: [c-nsp] IS-IS LSP Generation/Expiry + Database Optimization - Issue
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406EA3A1C@xmb-ams-333.emea.cisco.com>
References: <200902221357.04134.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406EA3A1C@xmb-ams-333.emea.cisco.com>
Message-ID: <200902222330.46372.mtinka@globaltransit.net>

On Sunday 22 February 2009 06:41:35 pm Oliver Boehmer (oboehmer) wrote:

Appreciate the feedback, Oli. Comments inline.

> I've "worked" with the increased lifetime/refresh intervals in several
> large networks for the last 8 years, and I've not seen an issue with it.
> Do you have any indication that the problem you've been experiencing is
> caused by "corrupt" LSPs?

Admittedly, we haven't sat down to really analyze and debug the flow of LSPs (or lack thereof), as each time it happens, we can't afford this luxury; the router has to be online in the shortest time possible (and I can't replicate this exactly in the lab as we don't have enough of the exact spare kit to do so at the moment).

That said, we only see the issue on recovering routers. We do not see it on new routers that are being connected to the network for the first time (i.e., they didn't have pre-existing LSPs in the DIS's link state database), which makes sense.
One would imagine that a recovering router is tantamount to hard resetting the IS-IS process, thereby flooding fresh copies of the LSPs to the DIS, but this seems NOT to be the case. A manual hard reset is still required to update the local link state database.

> It is strange that you only seem to see the problem on some routers, and
> not on others, which makes a "corrupt" LSP advertised by the restarting
> router a bit unlikely..

We've only seen the issue on recovering routers that were previously part of the IS-IS domain. As mentioned, routers that are new to the domain come up fine the first time.

The consistency of whether it will be a v4 address or v6 address missing from the network is not certain (it's random). But the consistency that any of the recovering routers will have a problem establishing all 4 iBGP sessions to the route reflectors (2x for v4 + 2x for v6) is certain, so far.

Suffice it to say, all IS's and DIS's are running the same code.

When we see the issue, it's almost always that only 75% of the iBGP sessions have formed - either one v4 session or one v6 session is down, due to lack of reachability information for it in IS-IS.

> I would still recommend the higher lifetime values, however the original
> reason (reducing the "chatter") is certainly much less important these
> days with high-speed CPU and links, so I'm not passionate about it..

Clearly, even though we did reduce the lifetime and refresh timers, we would still need to wait "that long" before the link database is cleaned out. And since we need the restarting router to be firing on all cylinders when it returns to the network, it doesn't matter whether the database will be refreshed in 18 minutes or 18 hours - we need uptime the moment the router is able to start processing frames/packets. So in that respect, keeping these values at "wherever" they need to be to scale IS-IS is fine.
We just need to figure out why the recovering router does not "properly" signal the DIS to refresh its link state database upon a successful initialization of the IS-IS process.

I will say that we have the 'ignore-lsp-errors' feature enabled. Given its purpose, could that have an adverse effect on a recovering router's capability to effectively get its new LSPs out to the DIS?

Cheers,

Mark.

From kev.edmunds at googlemail.com Sun Feb 22 14:50:00 2009
From: kev.edmunds at googlemail.com (Kevin Edmunds)
Date: Sun, 22 Feb 2009 19:50:00 +0000
Subject: [c-nsp] setting up QoS on DSL based on src ip?
Message-ID:

Hi,

I have a 1700 running 12.4 with a DSL interface on it. I would like to give priority to one box behind it for all connections it's trying to make/accept. I'm not entirely bothered about bandwidth; it's just more the latency side of things, as it harms the applications that run on it if latency gets high.

Could someone give me a brief overview on how to set it up?

Thanks for your time.

Kev.

From andy.saykao at staff.netspace.net.au Sun Feb 22 19:30:48 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 23 Feb 2009 11:30:48 +1100
Subject: [c-nsp] Help with debug commands to diagnose ADSL subscribers not connecting to a non-existent VRF
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654C22@vic-cr-ex1.staff.netspace.net.au>

Hi There,

I'm trying to debug ppp packets on our LNS (NAS) for ADSL subscribers when the VRF is not yet configured on the LNS.

When I set a bogus (non-existent) VRF in the Radius flat file, I would like to see what debug error messages appear on the LNS (if any).
vpntest3 Password = "network"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 10.15.100.4,
        Framed-Netmask = 255.255.255.255,
        cisco-avpair="ip:vrf-id=Avpn-dummy",
        cisco-avpair="ip:ip-unnumbered=lo100684",
        cisco-avpair="ip:route=vrf Avpn-dummy 192.168.1.0 255.255.255.0 10.15.100.4"

Here we've got a VRF Avpn-dummy that has not been configured on the LNS, which results in the ADSL connection failing to connect.

I've got the following debug running on the LNS.

lns5-mel#sh debug
PPP:
  PPP protocol errors debugging is on
  PPP protocol negotiation debugging is on
  PPP packet display debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is on

Condition 1: username vpntest3 at dbtest (0 flags triggered)

lns5-mel#
Feb 23 11:12:10.618 AEDT: vpntest3 at dbtest Debug: Condition 1, username vpntest3 at dbtest triggered, count 1
Feb 23 11:12:10.630 AEDT: vpntest3 at dbtest Debug: Condition 1, username vpntest3 at dbtest cleared, count 0

I am seeing the condition being met, but obviously I would like more information as to what the error is.

I would have thought a "debug ppp negotiation" would help me out, but it's not displaying anything.

Are there any other debug commands I've missed?

Thanks,

Andy
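Because the profile above references a VRF the LNS has never heard of, the RADIUS exchange itself succeeds and the failure only surfaces when the box tries to build the virtual-access interface, which is why the debugs look quiet. A cheap way to catch this before it reaches the LNS is to parse the users-file entry and compare every VRF it names against the VRFs actually defined in the LNS configuration. The script below is an added example written for this thread, not code from Andy's post, Netspace or Cisco; the function names, the users-file parser and the sample LNS configuration (two VRFs, deliberately neither of them Avpn-dummy) are assumptions and constructed data, while the users-file entry is the one from the post.

```python
"""Pre-flight check for RADIUS subscriber profiles that name VRFs.

Added example for this thread (not code from the post, Netspace or Cisco).
It parses a FreeRADIUS-style users-file entry, collects every VRF named in a
cisco-avpair ("ip:vrf-id=<vrf>" or "ip:route=vrf <vrf> ..."), and reports the
ones that are not defined on the LNS. The LNS configuration is constructed
for the example; the users-file entry is the one from the post.
"""
import re
from dataclasses import dataclass, field

# Users-file entry from the post (test credentials as posted, not real ones).
USERS_FILE = '''vpntest3 Password = "network"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 10.15.100.4,
        Framed-Netmask = 255.255.255.255,
        cisco-avpair="ip:vrf-id=Avpn-dummy",
        cisco-avpair="ip:ip-unnumbered=lo100684",
        cisco-avpair="ip:route=vrf Avpn-dummy 192.168.1.0 255.255.255.0 10.15.100.4"
'''

# Constructed LNS running-config excerpt: Avpn-dummy is deliberately absent.
LNS_CONFIG = '''!
ip vrf Avpn-cust1
 rd 65000:1
!
ip vrf Avpn-cust2
 rd 65000:2
!
interface Loopback100684
 ip address 10.15.100.1 255.255.255.255
!
'''

# "Attr = value," with optional quotes and trailing comma; the value itself
# may contain '=' and spaces (as the ip:route avpair does).
ATTR_RE = re.compile(r'^([\w-]+)\s*=\s*"?(.*?)"?,?$')
VRF_ID_RE = re.compile(r'^ip:vrf-id=(\S+)$')
VRF_ROUTE_RE = re.compile(r'^ip:route=vrf\s+(\S+)\s')
VRF_DEF_RE = re.compile(r'^(?:ip vrf|vrf definition)\s+(\S+)\s*$', re.M)


@dataclass
class RadiusEntry:
    username: str
    attributes: dict = field(default_factory=dict)  # single-valued attributes
    avpairs: list = field(default_factory=list)     # every cisco-avpair, in order


def parse_users_file(text):
    """Parse users-file entries: an entry starts in column 1 as 'user <check-item>';
    indented continuation lines carry one reply attribute each."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # column 1: a new entry begins
            username, _, line = line.partition(" ")
            current = RadiusEntry(username)
            entries.append(current)
        m = ATTR_RE.match(line)
        if current is None or not m:
            raise ValueError(f"cannot parse users-file line: {raw!r}")
        name, value = m.groups()
        if name == "cisco-avpair":
            current.avpairs.append(value)
        else:
            current.attributes[name] = value
    return entries


def referenced_vrfs(entry):
    """All VRF names an entry's cisco-avpairs point at (vrf-id and per-user routes)."""
    names = set()
    for pair in entry.avpairs:
        for rx in (VRF_ID_RE, VRF_ROUTE_RE):
            m = rx.match(pair)
            if m:
                names.add(m.group(1))
    return names


def configured_vrfs(config):
    """VRF names defined on the LNS ('ip vrf X' or 'vrf definition X')."""
    return set(VRF_DEF_RE.findall(config))


def missing_vrfs(users_text, config):
    """Map username -> sorted VRF names the profile references but the LNS lacks."""
    known = configured_vrfs(config)
    result = {}
    for entry in parse_users_file(users_text):
        missing = sorted(referenced_vrfs(entry) - known)
        if missing:
            result[entry.username] = missing
    return result


if __name__ == "__main__":
    for user, vrfs in missing_vrfs(USERS_FILE, LNS_CONFIG).items():
        print(f"{user}: VRF(s) not configured on the LNS: {', '.join(vrfs)}")
```

Run as a script it reports that vpntest3 references Avpn-dummy, which the constructed LNS config does not define. In a provisioning workflow the same check would run against the live running-config before a profile is pushed, so the subscriber fails validation at the RADIUS side rather than failing virtual-access setup on the LNS; adding the missing VRF to the config makes the report empty.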
From zhassan at gmx.net Sun Feb 22 20:09:44 2009
From: zhassan at gmx.net (Zahid Hassan)
Date: Mon, 23 Feb 2009 01:09:44 -0000
Subject: [c-nsp] CUPC integration to UCCM
Message-ID: <4A0D214416764959A20A1C817EAE09B1@xp1>

Dear All,

Is it possible to integrate CUPC directly to UCCM without CUPS?

Also, any pointer or information on how to integrate CUPC/CUPS with OCS/MOC?

I will be really grateful for input on this.

Thanking you in advance.

ZH

From td_miles at yahoo.com Sun Feb 22 20:46:16 2009
From: td_miles at yahoo.com (Tony)
Date: Sun, 22 Feb 2009 17:46:16 -0800 (PST)
Subject: [c-nsp] Help with debug commands to diagnose ADSL subscribers not connecting to a non-existent VRF
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654C22@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <967629.24272.qm@web110102.mail.gq1.yahoo.com>

Hi Andy,

The commands I have used in the past to see which VRF DSL connections are going into are:

deb aaa authentication
deb aaa per-user
deb ppp authentication
deb ppp negotiation
deb vpdn event
deb vtemplate
deb radius

They're probably not all required; I suspect VPDN & vtemplate should show you what you need.

regards,
Tony.

--- On Mon, 23/2/09, Andy Saykao wrote:

> From: Andy Saykao
> Subject: [c-nsp] Help with debug commands to diagnose ADSL subscribers not connecting to a non-existent VRF
> To: cisco-nsp at puck.nether.net
> Date: Monday, 23 February, 2009, 11:30 AM
> Hi There,
>
> I'm trying to debug ppp packets on our LNS (NAS) for ADSL subscribers
> when the VRF is not yet configured on the LNS.
>
> When I set a bogus (non-existent) VRF in the Radius flat file, I would
> like to see what debug error messages appear on the LNS (if any).
>
> vpntest3 Password = "network"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Address = 10.15.100.4,
>         Framed-Netmask = 255.255.255.255,
>         cisco-avpair="ip:vrf-id=Avpn-dummy",
>         cisco-avpair="ip:ip-unnumbered=lo100684",
>         cisco-avpair="ip:route=vrf Avpn-dummy 192.168.1.0 255.255.255.0 10.15.100.4"
>
> Here we've got a VRF Avpn-dummy that has not been configured on the LNS
> which results in the ADSL connection failing to connect.
>
> I've got the following debug running on the LNS.
>
> lns5-mel#sh debug
> PPP:
>   PPP protocol errors debugging is on
>   PPP protocol negotiation debugging is on
>   PPP packet display debugging is on
> Radius protocol debugging is on
> Radius packet protocol debugging is on
>
> Condition 1: username vpntest3 at dbtest (0 flags triggered)
>
> lns5-mel#
> Feb 23 11:12:10.618 AEDT: vpntest3 at dbtest Debug: Condition 1, username vpntest3 at dbtest triggered, count 1
> Feb 23 11:12:10.630 AEDT: vpntest3 at dbtest Debug: Condition 1, username vpntest3 at dbtest cleared, count 0
>
> I am seeing the condition being met, but obviously I would like more
> information as to what the error is.
>
> I would have thought a "debug ppp negotiation" would help me out, but
> it's not displaying anything.
>
> Are there any other debug commands I've missed ???
>
> Thanks,
>
> Andy
>

From deric.kwok2000 at gmail.com Mon Feb 23 07:05:04 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Mon, 23 Feb 2009 07:05:04 -0500
Subject: [c-nsp] vlan question
Message-ID: <40d8a95a0902230405p40eb82f2xaf865faf7b7aedbb@mail.gmail.com>

Hi

I configure the router's ethernet1 to support 4 vlans and each vlan will have a /28.

I have a 48-port switch. I will configure a trunk port on port 2 and also configure, e.g.:

port 3 - port 16   vlan2
port 17 - port 33  vlan3
port 34 - port 48  vlan4

Now I have questions:

1/ How is the last vlan (vlan5)?
2/ I have one more switch. How can I put vlan5 in this switch?
3/ Is it good for this configuration?
Thank you for your help

From KPowers at canvassystems.com Mon Feb 23 09:34:56 2009
From: KPowers at canvassystems.com (Powers, Kenny)
Date: Mon, 23 Feb 2009 09:34:56 -0500
Subject: [c-nsp] Cisco Refurbished Equipment Program
In-Reply-To: <7db92dcc0902220127t47c66d51w20b53df79e2e863e@mail.gmail.com>
References: <49675E3E-2AB4-40CC-8466-5F733861B6F8@netops.t3com.net> <20090220230359.GU290@greenie.muc.de> <480dad640902201822u5367e511vf5c821fb36913984@mail.gmail.com> <7db92dcc0902220127t47c66d51w20b53df79e2e863e@mail.gmail.com>
Message-ID:

When you RMA a part back to Cisco refurb, they send you another refurbished part back. I am myself a provider of secondary market hardware and have gone through Cisco refurb a few times for my clients. My opinion on it would be that Cisco does not put a whole lot of emphasis on this program and can sometimes have shoddy product and not great service at high prices. If you are looking to save some money, find a company that specializes in off-lease asset redistribution (of course I prefer to say use mine, but there are several good companies out there, most better than Cisco's program). A good provider like this should be cheaper and give you a better warranty.

Please let me know if you all have any other questions you would like answered,

Kenny

Kenny Powers
Direct: 678-969-3396
Fax: 678-969-3397
Mobile: 678-591-3022

* Enterprise Storage, Servers, Networking Equipment
* Data Center Consolidations / Relocations
* Asset Remarketing / Disposition Services

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ved Labs
Sent: Sunday, February 22, 2009 4:27 AM
To: Aaron
Cc: Gert Doering; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco Refurbished Equipment Program

What I believe is most of the parts would be refurbished, even for the first buy. Even when you do RMA, you get refurbished parts. How do you make sure that the part is a new one or refurbished?
Biddu.

On 2/21/09, Aaron wrote:
> Bad timing?
>
> On Fri, Feb 20, 2009 at 18:03, Gert Doering wrote:
>
>> OHi,
>>
>> On Fri, Feb 20, 2009 at 04:54:09PM -0500, Chris Wallace wrote:
>> > We purchased a Cisco 6509 through this program a couple years ago.
>> > When we first got it up and running we found out it had a failed fan
>> > tray, just opened a TAC case for the RMA and got a new one right
>> > away. No complaints here!
>>
>> Well - if it's all nicely refurbished, I wonder why it had a failed
>> fan in the first place.
>>
>> But maybe that's just me...
>>
>> gert
>> --
>> USENET is *not* the non-clickable part of WWW!
>> //www.muc.de/~gert/
>> Gert Doering - Munich, Germany
>> gert at greenie.muc.de
>> fax: +49-89-35655025
>> gert at net.informatik.tu-muenchen.de
>>
From chris at netops.t3com.net Mon Feb 23 10:09:26 2009
From: chris at netops.t3com.net (Chris Wallace)
Date: Mon, 23 Feb 2009 10:09:26 -0500
Subject: [c-nsp] Cisco Refurbished Equipment Program
In-Reply-To: <20090220230359.GU290@greenie.muc.de>
References: <49675E3E-2AB4-40CC-8466-5F733861B6F8@netops.t3com.net> <20090220230359.GU290@greenie.muc.de>
Message-ID:

Probably just a fluke; it happened to be that one of the 9 or so fans wasn't spinning at the proper RPMs.

---Chris

On Feb 20, 2009, at 6:03 PM, Gert Doering wrote:

> OHi,
>
> On Fri, Feb 20, 2009 at 04:54:09PM -0500, Chris Wallace wrote:
>> We purchased a Cisco 6509 through this program a couple years ago.
>> When we first got it up and running we found out it had a failed fan
>> tray, just opened a TAC case for the RMA and got a new one right
>> away. No complaints here!
>
> Well - if it's all nicely refurbished, I wonder why it had a failed
> fan in the first place.
>
> But maybe that's just me...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Mon Feb 23 10:18:48 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 23 Feb 2009 16:18:48 +0100
Subject: [c-nsp] Cisco Refurbished Equipment Program
In-Reply-To:
References: <49675E3E-2AB4-40CC-8466-5F733861B6F8@netops.t3com.net> <20090220230359.GU290@greenie.muc.de>
Message-ID: <20090223151848.GG290@greenie.muc.de>

Hi,

On Mon, Feb 23, 2009 at 10:09:26AM -0500, Chris Wallace wrote:
> Probably just a fluke, it happened to be that one of the 9 or so fans
> wasn't spinning at the proper RPM's.

Which is exactly my point - the fans are monitored very well by the onboard diagnostics, and I find it surprising that a "refurbished" router (which should be checked for defects, or near-defects) should have a fan tray that's already near-failed...

In my experience with 6500 FANs, they only complain when one of the fans is really defective, as in "you take out the tray, 8 fans will continue to spin for 30 seconds, the 9th will stop after 3 seconds".

But we're not using Cisco refurb anyway - as has been said: they seem to be doing this to show "good will" and stop customers from getting their hardware elsewhere - but all they do is demonstrate lack of interest.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From jfitz at Princeton.EDU Mon Feb 23 10:55:49 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Mon, 23 Feb 2009 10:55:49 -0500
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL
Message-ID: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU>

This question was posted earlier, before I opened a ticket with CISCO.

Router is 6500 with 720-CXL running SXI code.

1. I have router "A" which is used to connect to our three ISPs (two I1s and one I2 connection with full BGP), and also receives all our internal campus traffic via RIP default path. Router "A" announces default to campus.

2. I now need to add a new special ESNET.GOV ISP which cannot be used by the majority of our campus except for two subnets. These two subnets will still have access to the other three ISPs for normal path selection but have the option of choosing an ESNET route if needed.

3. So the original thinking was to create the VRF for ESNET which would have its own ESNET route table and tell the two special subnets (using route-map match subs, set vrf) to check the ESNET table first and if the route is not in the table then fall thru to global.

4. I can't just have one route table that includes the ESNET routes, because ESNET announces some more specific routes and there may be hosts that normally use the I1 path to these DSTs, but now see a more specific path and try to use it and fail because it is not allowed by ESNET outbound ACL.

I have BGP peering working in VRF (can see prefixes from ESNET in VRF table), but cannot announce our two subnet prefixes because they do not show up in VRF route table. So getting static back to global would fix this and the other issue with DEFAULT to global. When I try to add static routes they never show up because the next hop is not present in VRF table, or the command fails stating that... "Invalid next-hop address (it's this router)".
I was hoping that just adding a static DEFAULT in VRF pointing to global would do everything I needed, but cannot get it to work even after trying all permutations of the command.

"ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 0.0.0.0 global"

Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10 global". Loopback3 was created with an RFC-1918 IP and had "vrf forwarding" added on this loopback. This also failed.

Creating an internal path between the VRF router and the global router is stopping all this from working.

I have a ticket open with CISCO but they are saying I have to add an external link with two physical ports on vrf. This will not work for us.

Does anybody know how to get statics working between VRF and global table, if it's even possible?

Really stuck!

Jeff Fitzwater
OIT Network Systems
Princeton University

From rni at umn.edu Mon Feb 23 11:59:55 2009
From: rni at umn.edu (Richard N. Ingram)
Date: Mon, 23 Feb 2009 10:59:55 -0600
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL
In-Reply-To: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU>
References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU>
Message-ID: <49A2D60B.3030209@umn.edu>

Jeff Fitzwater wrote:
> This question was posted earlier, before I opened ticket with CISCO.
>
> Router is 6500 with 720-CXL running SXI code.
>
> 1. I have router "A" which is used to connect to our three ISPs ( two
> I1s and one I2 connection with full BGP), and also receives all our
> internal campus traffic via RIP default path. Router "A" announces
> default to campus.
>
> 2. I now need to add a new special ESNET.GOV ISP which cannot be used by
> the majority of our campus except for two subnets. These two subnets
> will still have access to the other three ISPs for normal path selection
> but have the option of choosing an ESNET route if needed.
>
> 3.
> So the original thinking was to create the VRF for ESNET which would
> have its own ESNET route table and tell the two special subnets (using
> route-map match subs, set vrf ) to check the ESNET table first and if
> route is not in table then fall thru to global.
>
> 4. I can't just have one route table that includes the ESNET routes,
> because ESNET announces some more specific routes and there may be hosts
> that normally use the I1 path to these DSTs, but now see a more specific
> path and try to use it and fail because it is not allowed by ESNET
> outbound ACL.
>
> I have BGP peering working in VRF ( can see prefixes from ESNET in VRF
> table), but cannot announce our two subnet prefixes because they do not
> show up in VRF route table. So getting static back to global would fix
> this and other issue with DEFAULT to global. When I try to add static
> routes they never show up because the next hop is not present in VRF
> table or the command fails stating that... "Invalid next-hop address
> (it's this router)".
>
> I was hoping that just adding a static DEFAULT in VRF pointing to global
> would do everything I needed, but cannot get it to work even after
> trying all permutations of the command. "ip route vrf vrf-esnet 0.0.0.0
> 0.0.0.0 0.0.0.0 global"
>
> Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10
> global" Loopback3 was created with RFC-1918 IP and had "vrf
> forwarding" added on this loopback. This also failed.
>
> Creating an internal path between the VRF router and the global router
> is stopping all this from working.
>
> I have a ticket open with CISCO but they are saying I have to add an
> external link with two physical ports on vrf. This will not work for us.
>
> Does anybody know how to get statics working between VRF and global
> table, if its even possible.
>
> Really stuck!
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>

Apologies for not answering your question directly.
In your situation, something analogous to what we do would be (you've done some of this already):

Create a VRF ESNet on your border router.

Create a VRF ESNet on your campus routers.

The global table of your campus routers would be connected to the global table of your border router (via RIP).

The ESNet VRF of your campus routers would be connected to the global table of your border router (via RIP) in order to get a default route.

In addition, the ESNet VRF of your campus routers would be connected to the ESNet VRF of your border router in order to get the ESNet VRF prefixes.

If you run trunks between your border routers and campus routers, this can be accomplished with different VLANs for the different VRF-global and VRF-VRF connections.

In a poor attempt at ASCII art, this would look like:

     I1   I1   I2                  ESNet
      |    |    |                    |
      |    |    |                    |
      |    |    |                    |
    Border Global Table         Border ESNet VRF
          |      \                   |
          |       \                  |
          |        \                 |
    Campus Global Table         Campus ESNet VRF

So the hosts in the Campus ESNet VRF could use the default to get to I1 and I2, or the more specific prefixes to get to ESNet.

In general, I tend to like this more than route-leaking between VRFs. I believe multicast doesn't like route-leaking as it causes problems with RPF.

I can give you details of our setup offline if you're interested.

Hope that helps,
Rich Ingram

===========================================
Richard N.
Ingram
Network Design Engineer
Networking and Telecommunications Services
Office of Information Technology
University of Minnesota
2218 University Avenue SE
Minneapolis, Minnesota 55414
Work Phone: 612-626-6626
Cell Phone: 612-802-8859
E-mail: rni at umn.edu
===========================================

From geoff at pendery.net Mon Feb 23 12:09:46 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Mon, 23 Feb 2009 11:09:46 -0600
Subject: [c-nsp] Security question regarding VTP in a L2 shared environment
In-Reply-To: <499F74F1.4070101@ibctech.ca>
References: <499F74F1.4070101@ibctech.ca>
Message-ID:

"Hypothetically, if there is no L2 or L3 security in place, would it be as simple as creating a "sw acc vlan 230", and allowing 230 on the trunk port on my switch to start scoping about at the other end?"

Well, the L2 security in question is that on the other end of the trunk, it *should* be configured to only allow the VLANs that you're supposed to be sharing.
If that is not configured, then yes, you could add access ports to the other VLANs, then add those VLANs to the trunk, and your access-port hosts would be on that VLAN.

Since your intent is not to do that, you should configure your end of the trunk to only allow the VLANs that you intend to share with your layer-2 partner.

-Geoff

On Fri, Feb 20, 2009 at 9:28 PM, Steve Bertrand wrote:
> I have a shared L2 environment with a local company, in which we have numerous VLANs over fibre. I'm in the process of moving to transparent on all of my switches, and during the work, I'm checking things out.
>
> Doing a "sh vlan" produces output that includes VLANs that I shouldn't see:
>
> 230 xxxOFFICExxx active
> 240 xxxSECURITYxxx active
> 250 xxxDMZx active
>
> ...etc.
>
> The VLANs shown above belong to the network that I am connected to. They are completely outside of my security boundary.
>
> Hypothetically, if there is no L2 or L3 security in place, would it be as simple as creating a "sw acc vlan 230", and allowing 230 on the trunk port on my switch to start scoping about at the other end?
>
> Of course I am not going to do anything of the sort, hence why I am asking here. I'm sure I know the answer already, but if I don't get any feedback from the list, I'm going to lab it up internally and do some educational testing for my own knowledge.
>
> Steve
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From chloekcy2000 at yahoo.ca Mon Feb 23 10:58:43 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Mon, 23 Feb 2009 10:58:43 -0500 (EST)
Subject: [c-nsp] what ip should be in switch?
Message-ID: <337815.98309.qm@web57402.mail.re1.yahoo.com>

Hi all

I would like to know what is the best way to set up an IP in a switch.

If the switch IP is not in the operation network, e.g. a private IP, I can't see any operation IP on the port of the switch by "sh arp"; it is only showing all ARP in the management network.

If I use this IP the same as the operation network, it increases the risk to this switch.

Can you teach me?

Thank you

From steve at ibctech.ca Mon Feb 23 12:58:41 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Mon, 23 Feb 2009 12:58:41 -0500
Subject: [c-nsp] Security question regarding VTP in a L2 shared environment
In-Reply-To:
References: <499F74F1.4070101@ibctech.ca>
Message-ID: <49A2E3D1.3070005@ibctech.ca>

Geoffrey Pendery wrote:
> "Hypothetically, if there is no L2 or L3 security in place, would it be as simple as creating a "sw acc vlan 230", and allowing 230 on the trunk port on my switch to start scoping about at the other end?"
>
> Well, the L2 security in question is that on the other end of the trunk, it *should* be configured to only allow the VLANs that you're supposed to be sharing.
> If that is not configured, then yes, you could add access ports to the other VLANs, then add those VLANs to the trunk, and your access-port hosts would be on that VLAN.
>
> Since your intent is not to do that, you should configure your end of the trunk to only allow the VLANs that you intend to share with your layer-2 partner.

My end is already configured to only allow the VLANs in use on this connection.

I have other concerns regarding this setup. The connection in question terminates within another company's facility. They aggregate numerous fibre connected clients of ours, and then we provide the Internet bandwidth via a VLAN per sub.

Since the only responsibility that the other company has is physical connectivity, I'm going to request that I collocate my own switch inside of their network that terminates all of our clients (and ourselves).

I don't really like the potential for MitM with the existing setup. I highly doubt that this would ever happen, but in all reality, one never knows for sure. At least if I have my own switch in the other network, I'll be able to ensure end-to-end integrity to a much higher degree.

Steve

From jay at west.net Mon Feb 23 13:19:38 2009
From: jay at west.net (Jay Hennigan)
Date: Mon, 23 Feb 2009 10:19:38 -0800
Subject: [c-nsp] what ip should be in switch?
In-Reply-To: <337815.98309.qm@web57402.mail.re1.yahoo.com>
References: <337815.98309.qm@web57402.mail.re1.yahoo.com>
Message-ID: <49A2E8BA.20806@west.net>

chloe K wrote:
> Hi all
>
> I would like to know what is the best way to set up an IP in a switch.
>
> If the switch IP is not in the operation network, e.g. a private IP, I can't see any operation IP on the port of the switch by "sh arp".
> It is only showing all ARP in the management network.
>
> If I use this IP the same as the operation network, it increases the risk to this switch.

Put the switch management on a secure network, put your customer traffic on a different VLAN or combination of VLANs depending on the complexity of your network.

For a layer 2 switch, "sh arp" will only display MAC and IP addresses associated with traffic to the switch, not through it. You can use "sh mac-address-table" (on some versions the command is "sh mac address-table") to identify layer 2 addresses associated with traffic going through the switch.

In addition, access-class ACLs on the VTY lines (and snmp and http, if you use them) are a good thing to limit management to trusted hosts.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From schilling2006 at gmail.com Mon Feb 23 13:59:56 2009
From: schilling2006 at gmail.com (schilling)
Date: Mon, 23 Feb 2009 13:59:56 -0500
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL
In-Reply-To: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU>
References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU>
Message-ID:

I am not clear about your "route-map match subs, set vrf". If your two specific subnets are in one campus core, you need to put them into VRF ESNET by "ip forwarding vrf ESNET". If these two specific subnets are distributed in your campus core, you need to use end-to-end vrf-lite or MPLS, and put them in VRF ESNET. Once in the VRF ESNET, you can then advertise them to your ESNET eBGP peering.

If you have a more specific subnet within the two subnets, "ip route vrf ESNET yourTwoSubnet2ESNET null 0" will populate a static route in your VRF ESNET, so you can advertise them to your ESNET eBGP. Existing more specific traffic will be routed in your VRF ESNET, and non-specific traffic is dropped.
Schilling

On Mon, Feb 23, 2009 at 10:55 AM, Jeff Fitzwater wrote:
> This question was posted earlier, before I opened ticket with CISCO.
>
> Router is 6500 with 720-CXL running SXI code.
>
> 1. I have router "A" which is used to connect to our three ISPs ( two I1s and one I2 connection with full BGP), and also receives all our internal campus traffic via RIP default path. Router "A" announces default to campus.
>
> 2. I now need to add a new special ESNET.GOV ISP which cannot be used by the majority of our campus except for two subnets. These two subnets will still have access to the other three ISPs for normal path selection but have the option of choosing an ESNET route if needed.
>
> 3. So the original thinking was to create the VRF for ESNET which would have its own ESNET route table and tell the two special subnets (using route-map match subs, set vrf ) to check the ESNET table first and if route is not in table then fall thru to global.
>
> 4. I can't just have one route table that includes the ESNET routes, because ESNET announces some more specific routes and there may be hosts that normally use the I1 path to these DSTs, but now see a more specific path and try to use it and fail because it is not allowed by ESNET outbound ACL.
>
> I have BGP peering working in VRF ( can see prefixes from ESNET in VRF table), but cannot announce our two subnet prefixes because they do not show up in VRF route table. So getting static back to global would fix this and other issue with DEFAULT to global. When I try to add static routes they never show up because the next hop is not present in VRF table or the command fails stating that... "Invalid next-hop address (it's this router)".
>
> I was hoping that just adding a static DEFAULT in VRF pointing to global would do everything I needed, but cannot get it to work even after trying all permutations of the command.
> "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 0.0.0.0 global"
>
> Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10 global" Loopback3 was created with RFC-1918 IP and had "vrf forwarding" added on this loopback. This also failed.
>
> Creating an internal path between the VRF router and the global router is stopping all this from working.
>
> I have a ticket open with CISCO but they are saying I have to add an external link with two physical ports on vrf. This will not work for us.
>
> Does anybody know how to get statics working between VRF and global table, if it's even possible.
>
> Really stuck!
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>

From luan at netcraftsmen.net Mon Feb 23 14:24:06 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Mon, 23 Feb 2009 14:24:06 -0500
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL
In-Reply-To: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU>
References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU>
Message-ID: <037901c995ec$4ba3db60$e2eb9220$@net>

Instead of an external link with 2 physical ports, you could try to create a GRE tunnel with 2 loopback interfaces.

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback10
 ip address 10.10.100.1 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding NSP
 ip address 172.16.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.10.100.1
!
interface Tunnel2
 ip address 172.16.1.2 255.255.255.0
 tunnel source Loopback10
 tunnel destination 10.10.10.1

Then run OSPF...etc. I haven't tried static routes, but pretty sure it would work.
router ospf 100 vrf NSP
 router-id 10.10.10.1
 log-adjacency-changes
 redistribute bgp 65535 subnets
 network 10.10.10.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
router ospf 1
 router-id 10.10.100.1
 log-adjacency-changes
 network 10.10.100.1 0.0.0.0 area 0
 network 172.16.1.2 0.0.0.0 area 0

Regards,

++++++++++++++++++++++++++++++++++++++++++++++++
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/
[Mobile] 703-953-9116
+++++++++++++++++++++++++++++++++++++++++++++++++

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Monday, February 23, 2009 10:56 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL

This question was posted earlier, before I opened ticket with CISCO.

Router is 6500 with 720-CXL running SXI code.

1. I have router "A" which is used to connect to our three ISPs ( two I1s and one I2 connection with full BGP), and also receives all our internal campus traffic via RIP default path. Router "A" announces default to campus.

2. I now need to add a new special ESNET.GOV ISP which cannot be used by the majority of our campus except for two subnets. These two subnets will still have access to the other three ISPs for normal path selection but have the option of choosing an ESNET route if needed.

3. So the original thinking was to create the VRF for ESNET which would have its own ESNET route table and tell the two special subnets (using route-map match subs, set vrf ) to check the ESNET table first and if route is not in table then fall thru to global.

4. I can't just have one route table that includes the ESNET routes, because ESNET announces some more specific routes and there may be hosts that normally use the I1 path to these DSTs, but now see a more specific path and try to use it and fail because it is not allowed by ESNET outbound ACL.
I have BGP peering working in VRF ( can see prefixes from ESNET in VRF table), but cannot announce our two subnet prefixes because they do not show up in VRF route table. So getting static back to global would fix this and other issue with DEFAULT to global. When I try to add static routes they never show up because the next hop is not present in VRF table or the command fails stating that... "Invalid next-hop address (it's this router)".

I was hoping that just adding a static DEFAULT in VRF pointing to global would do everything I needed, but cannot get it to work even after trying all permutations of the command. "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 0.0.0.0 global"

Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10 global" Loopback3 was created with RFC-1918 IP and had "vrf forwarding" added on this loopback. This also failed.

Creating an internal path between the VRF router and the global router is stopping all this from working.

I have a ticket open with CISCO but they are saying I have to add an external link with two physical ports on vrf. This will not work for us.

Does anybody know how to get statics working between VRF and global table, if it's even possible.

Really stuck!

Jeff Fitzwater
OIT Network Systems
Princeton University

From jfitz at Princeton.EDU Mon Feb 23 14:41:53 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Mon, 23 Feb 2009 14:41:53 -0500
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL
In-Reply-To:
References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU>
Message-ID: <12CCCF65-821E-4C60-AC82-025ECB717D09@Princeton.EDU>

On Feb 23, 2009, at 1:59 PM, schilling wrote:
> I am not clear about your "route-map match subs, set vrf".
> If your two specific subnets are in one campus core, you need to put them into VRF ESNET by "ip forwarding vrf ESNET". If these two specific subnets are distributed in your campus core, you need to use end-to-end vrf-lite or MPLS, and put them in VRF ESNET. Once in the VRF ESNET, you can then advertise them to your ESNET eBGP peering. If you have a more specific subnet within the two subnets, "ip route vrf ESNET yourTwoSubnet2ESNET null 0" will populate a static route in your VRF ESNET, so you can advertise them to your ESNET eBGP. Existing more specific traffic will be routed in your VRF ESNET, and non-specific traffic is dropped.
>

Maybe I am missing something about how to implement VRF.

The VRF is configured on our ISP edge router "A", which is also the RIP default source for our other 3 core routers. So router "A" has a vlan and physical port for each of the three core routers "B, C, D". On the vlan interface to router "B", which receives traffic from the two subnets of interest (along with other subnet traffic, but not allowed to ESNET), I thought that I could have a route-map that MATCHES an ACL for the two subnets, and SET VRF VRF-ESNET so that if the match is true it would send traffic to the VRF-ESNET to first check its route table. Once there, if the DEST was not to ESNET, it would use a default to the global and be forwarded as usual.

I didn't even get to the point of trying the route-map because I couldn't get statics in the VRF so the vrf bgp would announce the two subnets to esnet. ( It's the next hop issue. If the static next hop is not reachable then it does not get installed).

Well I thought it sounded good.

Jeff

>
> On Mon, Feb 23, 2009 at 10:55 AM, Jeff Fitzwater wrote:
> This question was posted earlier, before I opened ticket with CISCO.
>
> Router is 6500 with 720-CXL running SXI code.
>
> 1.
> I have router "A" which is used to connect to our three ISPs ( two I1s and one I2 connection with full BGP), and also receives all our internal campus traffic via RIP default path. Router "A" announces default to campus.
>
> 2. I now need to add a new special ESNET.GOV ISP which cannot be used by the majority of our campus except for two subnets. These two subnets will still have access to the other three ISPs for normal path selection but have the option of choosing an ESNET route if needed.
>
> 3. So the original thinking was to create the VRF for ESNET which would have its own ESNET route table and tell the two special subnets (using route-map match subs, set vrf ) to check the ESNET table first and if route is not in table then fall thru to global.
>
> 4. I can't just have one route table that includes the ESNET routes, because ESNET announces some more specific routes and there may be hosts that normally use the I1 path to these DSTs, but now see a more specific path and try to use it and fail because it is not allowed by ESNET outbound ACL.
>
> I have BGP peering working in VRF ( can see prefixes from ESNET in VRF table), but cannot announce our two subnet prefixes because they do not show up in VRF route table. So getting static back to global would fix this and other issue with DEFAULT to global. When I try to add static routes they never show up because the next hop is not present in VRF table or the command fails stating that... "Invalid next-hop address (it's this router)".
>
> I was hoping that just adding a static DEFAULT in VRF pointing to global would do everything I needed, but cannot get it to work even after trying all permutations of the command. "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 0.0.0.0 global"
>
> Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10 global" Loopback3 was created with RFC-1918 IP and had "vrf forwarding" added on this loopback.
> This also failed.
>
> Creating an internal path between the VRF router and the global router is stopping all this from working.
>
> I have a ticket open with CISCO but they are saying I have to add an external link with two physical ports on vrf. This will not work for us.
>
> Does anybody know how to get statics working between VRF and global table, if it's even possible.
>
> Really stuck!
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>

From christian at errxtx.net Mon Feb 23 16:04:10 2009
From: christian at errxtx.net (Christian Meutes)
Date: Mon, 23 Feb 2009 22:04:10 +0100
Subject: [c-nsp] Broadcast storm control
In-Reply-To: <4730A560.4080609@justinshore.com>
References: <79AF0C3901752A49881FE4CB31F7AA40C32BAC@abn-borg2.NETABN.LOCAL> <4730A560.4080609@justinshore.com>
Message-ID:

Hi,

--On Tuesday, November 06, 2007 11:33:20 -0600 Justin Shore wrote:

> The book discusses how to harden HSRP, VLANs, VTP and trunk ports and how to prevent ARP attacks, STP attacks, etc. It has a good 802.1x section as well. It's got a good amount of useful info.
>
> I think CoPP will help you out. Identify the traffic that's causing the DoS right now and address it with CoPP. There are a lot of CoPP users on C-NSP. Then go back and harden the router later.

The original problem was, as far as I remember, "access switches with disabled or not working spanning-tree created l2-loop and flooded PE edge port".

The sad truth is that even CoPP on PFC won't protect from an HSRP or PIM multicast storm. Even a DHCP broadcast storm would kill the control-plane.
The problem is that CoPP limits the rate to the listening processes like PIM, HSRP or DHCP-relay, but unfortunately a multicast/broadcast storm ends in an interrupt load of nearly 95% and causes OSPF, BGP and other flaps in core protocols.

This is what I just figured out when someone created a l2-loop on a pair of access switches and the connected PEs (Sup720) weren't reachable anymore because of 98% CPU load, and OSPF, BFD and BGP went down although CoPP and some more mls h/w rate-limiters were configured.

In the lab I found out that "mls qos protocol hsrp police" will overcome this problem and curiously kept interrupt load down. For PIM I tried explicitly "mls rate-limit multicast ipv4 pim" with the same effect of protecting the CPU from high interrupt load. CoPP with an HSRP/PIM class and a policer of 32kbps didn't help with the high interrupt load and only kept PIM/HSRP process load down.

Can anyone explain the interaction in this stuff and why CoPP can't protect from interrupts and mls h/w rate-limiters can? And why the hell isn't there more than just a PIM, HSRP and ARP h/w rate-limiter? Every directly connected device can kill the PFC control-plane by sending multicast/broadcast traffic at a rate of about 100Mbps.

And no, storm-control is no alternative, as storm-control would rate-limit multicast traffic entirely, which is a no-go when using multicast as an application.

cheers,
christian

From todd at newfrontierssolutions.com Mon Feb 23 16:07:25 2009
From: todd at newfrontierssolutions.com (Todd Shipway)
Date: Mon, 23 Feb 2009 16:07:25 -0500
Subject: [c-nsp] Small routing issue
Message-ID: <1235423245.19742.12.camel@booger>

I'm working on a small issue that I just can't track down. The connection is 2 T1's bonded in a multilink interface. Connection within the core network is fine from the remote end, but the traffic will not make it to the default route on the core 7513. Hundreds of other connections are set up absolutely identical and work fine.
Default route is fine and debugging doesn't show anything at all. Config is below:

7513 (Core)

interface Multilink68
 ip address 10.10.58.1 255.255.255.252
 ppp chap hostname group68
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 68

interface Serial9/0/0:1
 no ip address
 encapsulation ppp
 ppp chap hostname group68
 ppp multilink
 ppp multilink group 68
!
interface Serial9/0/0:2
 no ip address
 no ip unreachables
 encapsulation ppp
 ppp chap hostname group68
 ppp multilink
 ppp multilink group 68

ip route 198.70.33.176 255.255.255.248 10.10.58.2

2651 (Remote End)

interface Multilink68
 ip address 10.10.58.2 255.255.255.252
 ppp chap hostname group68
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 68
!
interface FastEthernet0/0
 ip address 198.70.224.117 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 1540
 no ip address
 encapsulation ppp
 fair-queue
 ppp chap hostname group68
 ppp multilink
 ppp multilink group 68

interface Serial0/1
 bandwidth 1540
 no ip address
 encapsulation ppp
 ppp chap hostname group68
 ppp multilink
 ppp multilink group 68

ip route 0.0.0.0 0.0.0.0 Multilink68

#ping 10.10.53.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.53.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

ping 74.125.45.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.45.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

trace 74.125.45.100
Type escape sequence to abort.
Tracing the route to yx-in-f100.google.com (74.125.45.100)
 1 10.10.58.1 4 msec 4 msec 4 msec
 2 * * *

'debug ip icmp' shows nothing on 10.10.58.1 when pinging outside. Core network is 10.10.x.x and remote end can ping anything within the core network or anything within our infrastructure. Will not ping anything outside the network. Seems like a routing issue, but I can't seem to track it down.
Any idea as to what to look for or how to pinpoint a deeper routing issue? Any help would be appreciated.

-Todd

From rocker.rockerfeller at gmail.com Mon Feb 23 16:51:38 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 24 Feb 2009 00:51:38 +0300
Subject: [c-nsp] Mpls Troubleshooting Question
Message-ID: <2299bfcb0902231351s22734d56k77f9d29104e6c395@mail.gmail.com>

Hi,

I work in an ISP environment, and in it I found MPLS deployed, delivering IP VPNs.

There is one client with 5 branches.

All work fine except for 1.

This is the scenario.

The default route is derived from the corporate office (HQ). Its network range is 172.16.0.0/16

Say the branch with the problem is branch Z; its IP range is 172.16.7.0/24

From Z LAN I can ping HQ LAN ok

ping 172.16.1.1 source 172.16.7.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.7.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms

From HQ I cannot ping Z apart from reaching the Z router. The LAN:

ping 172.16.7.1
PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data.
64 bytes from 172.16.7.1: icmp_seq=0 ttl=253 time=19.8 ms

Any other connections are dropped from the branch Z router.

A trace reveals packets are dropped from the main MPLS PE router.

The PE router can reach the CE router but not any PC behind it.
Your input appreciated

Regards
Rocker

From schilling2006 at gmail.com Mon Feb 23 17:00:09 2009
From: schilling2006 at gmail.com (schilling)
Date: Mon, 23 Feb 2009 17:00:09 -0500
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL
In-Reply-To: <12CCCF65-821E-4C60-AC82-025ECB717D09@Princeton.EDU>
References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> <12CCCF65-821E-4C60-AC82-025ECB717D09@Princeton.EDU>
Message-ID:

#core B
ip vrf ESNET
 .
 .
int vlan100
 desc no1 prefix for ESNET
 ip vrf forwarding ESNET
 ip address 192.168.100.1 255.255.255.0
int vlan101
 desc no2 prefix for ESNET
 ip vrf forwarding ESNET
 ip address 192.168.101.1 255.255.255.0
int vlan200
 desc VRF ESNET to edge A global
 ip vrf forwarding ESNET
 ip address 192.168.200.1 255.255.255.252
int vlan300
 desc VRF ESNET to edge A VRF ESNET
 ip vrf forwarding ESNET
 ip address 192.168.201.1 255.255.255.252
ip route vrf ESNET 0.0.0.0 0.0.0.0 192.168.200.2

#edge A
ip vrf ESNET
 .
 .
int vlan200
 desc global to core B VRF ESNET
 ip address 192.168.200.2 255.255.255.252
int vlan300
 desc VRF ESNET to core B VRF ESNET
 ip vrf forwarding ESNET
 ip address 192.168.201.2 255.255.255.252
ip route 192.168.100.0 255.255.254.0 192.168.200.1
ip route vrf ESNET 192.168.100.0 255.255.254.0 192.168.201.1

You also want to have an iBGP session between edge A and core B over vlan300 to propagate ESNET prefixes to core B. "sh ip route vrf ESNET" on both core B and edge A should have both of your specific ESNET networks, the ESNET BGP learned prefixes, and the directly connected networks.

The corresponding static routes could be done by RIP; the concept should be the same.

Schilling

On Mon, Feb 23, 2009 at 2:41 PM, Jeff Fitzwater wrote:
>
> On Feb 23, 2009, at 1:59 PM, schilling wrote:
>
> I am not clear about your "route-map match subs, set vrf". If your two specific subnets are in one campus core, you need to put them into VRF ESNET by "ip forwarding vrf ESNET".
> If these two specific subnets are distributed in your campus core, you need to use end-to-end vrf-lite or MPLS, and put them in VRF ESNET. Once in the VRF ESNET, you can then advertise them to your ESNET eBGP peering. If you have a more specific subnet within the two subnets, "ip route vrf ESNET yourTwoSubnet2ESNET null 0" will populate a static route in your VRF ESNET, so you can advertise them to your ESNET eBGP. Existing more specific traffic will be routed in your VRF ESNET, and non-specific traffic is dropped.
>
> Maybe I am missing something about how to implement VRF.
> The VRF is configured on our ISP edge router "A", which is also the RIP default source for our other 3 core routers. So router "A" has a vlan and physical port for each of the three core routers "B, C, D". On the vlan interface to router "B", which receives traffic from the two subnets of interest (along with other subnet traffic, but not allowed to ESNET), I thought that I could have a route-map that MATCHES an ACL for the two subnets, and SET VRF VRF-ESNET so that if the match is true it would send traffic to the VRF-ESNET to first check its route table. Once there, if the DEST was not to ESNET, it would use a default to the global and be forwarded as usual.
> I didn't even get to the point of trying the route-map because I couldn't get statics in the VRF so the vrf bgp would announce the two subnets to esnet. ( It's the next hop issue. If the static next hop is not reachable then it does not get installed).
>
> Well I thought it sounded good.
>
> Jeff
>
> On Mon, Feb 23, 2009 at 10:55 AM, Jeff Fitzwater wrote:
>
>> This question was posted earlier, before I opened ticket with CISCO.
>>
>> Router is 6500 with 720-CXL running SXI code.
>>
>> 1. I have router "A" which is used to connect to our three ISPs ( two I1s and one I2 connection with full BGP), and also receives all our internal campus traffic via RIP default path.
>> Router "A" announces default to campus.
>>
>> 2. I now need to add a new special ESNET.GOV ISP which cannot be used by the majority of our campus except for two subnets. These two subnets will still have access to the other three ISPs for normal path selection but have the option of choosing an ESNET route if needed.
>>
>> 3. So the original thinking was to create the VRF for ESNET which would have its own ESNET route table and tell the two special subnets (using route-map match subs, set vrf ) to check the ESNET table first and if route is not in table then fall thru to global.
>>
>> 4. I can't just have one route table that includes the ESNET routes, because ESNET announces some more specific routes and there may be hosts that normally use the I1 path to these DSTs, but now see a more specific path and try to use it and fail because it is not allowed by ESNET outbound ACL.
>>
>> I have BGP peering working in VRF ( can see prefixes from ESNET in VRF table), but cannot announce our two subnet prefixes because they do not show up in VRF route table. So getting static back to global would fix this and other issue with DEFAULT to global. When I try to add static routes they never show up because the next hop is not present in VRF table or the command fails stating that... "Invalid next-hop address (it's this router)".
>>
>> I was hoping that just adding a static DEFAULT in VRF pointing to global would do everything I needed, but cannot get it to work even after trying all permutations of the command. "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 0.0.0.0 global"
>>
>> Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10 global" Loopback3 was created with RFC-1918 IP and had "vrf forwarding" added on this loopback. This also failed.
>>
>> Creating an internal path between the VRF router and the global router is stopping all this from working.
>> >> I have a ticket open with CISCO but they are saying I have to add an >> external link with two physical ports on vrf. This will not work for us. >> >> >> Does anybody know how to get statics working between VRF and global table, >> if its even possible. >> >> >> Really stuck! >> >> >> >> Jeff Fitzwater >> OIT Network Systems >> Princeton University >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > From schilling2006 at gmail.com Mon Feb 23 17:11:13 2009 From: schilling2006 at gmail.com (schilling) Date: Mon, 23 Feb 2009 17:11:13 -0500 Subject: [c-nsp] Mpls Troubleshooting Question In-Reply-To: <2299bfcb0902231351s22734d56k77f9d29104e6c395@mail.gmail.com> References: <2299bfcb0902231351s22734d56k77f9d29104e6c395@mail.gmail.com> Message-ID: check no ip unreachable on the PE interface? I got bite once. verify the LSP? Ivan's blog for rescue :-) http://wiki.nil.com/PE-to-PE_troubleshooting_in_MPLS_VPN_networks Schilling On Mon, Feb 23, 2009 at 4:51 PM, Rocker Feller < rocker.rockerfeller at gmail.com> wrote: > Hi, > > I work in an ISP environment and in it I found developed MPLS delivering ip > vpns. > > There is one client with 5 branches. > > All work fine except for 1. > > This is the scenario. > > The default route is derived from the corporate office (HQ). Its network > range is 172.16.0.0/16 > > Say branch with problem is branch Z ip range is 172.16.7.0/24 > > >From Z Lan I can ping HQ Lan ok > > ping 172.16.1.1 source 172.16.7.1 > > Type escape sequence to abort. > Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: > Packet sent with a source address of 172.16.7.1 > !!!!! 
> Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms > > >From HQ I cannot ping Z apart from reaching the Z router.the lan > > ping 172.16.7.1 > PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data. > 64 bytes from 172.16.7.1: icmp_seq=0 ttl=253 time=19.8 ms > > Any other connections are dropped from branch Z router > > A trace reveals packets are dropped from the main MPLS PE router. > > The PE router can reach the CE router but not any pc behind it. > > > Your input appreciated > > > Regards > Rocker > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From todd at newfrontierssolutions.com Mon Feb 23 18:07:36 2009 From: todd at newfrontierssolutions.com (Todd Shipway) Date: Mon, 23 Feb 2009 18:07:36 -0500 Subject: [c-nsp] Small routing issue In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3253@LMC-MAIL2.exempla.org> References: <1235423245.19742.12.camel@booger> <4288131ED5E3024C9CD4782CECCAD2C7065D3253@LMC-MAIL2.exempla.org> Message-ID: <3C715EC7-AF39-4E76-99D4-92C56D9FE239@newfrontierssolutions.com> I changed the ip as a test. There is a route for .224.117/30. I pasted the route for the old ip. My mistake. On Feb 23, 2009, at 6:02 PM, "Matlock, Kenneth L" wrote: > The F0/0 interface on the 2651 is configured for 198.70.224.117/30, > yet > you're routing 198.70.33.176/29 to them. Is there NAT'ing going on, or > did I miss something? > > Ken Matlock > Network Analyst > Exempla Healthcare > (303) 467-4671 > matlockk at exempla.org > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Todd Shipway > Sent: Monday, February 23, 2009 2:07 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Small routing issue > > I'm working on a small issue that I just can't track down. 
The > connection is 2 T1's bonded in a multilink interface. Connection > within > the core network is fine from the remote end, but the traffic will not > make it to the default route on the core 7513. > > Hundreds of other connections are setup absolutely identical and work > fine. Default route is fine and debugging doesn't show anything at > all. > > Config is below: > > 7513 (Core) > interface Multilink68 > ip address 10.10.58.1 255.255.255.252 > ppp chap hostname group68 > ppp multilink > ppp multilink fragment disable > ppp multilink group 68 > > interface Serial9/0/0:1 > no ip address > encapsulation ppp > ppp chap hostname group68 > ppp multilink > ppp multilink group 68 > ! > interface Serial9/0/0:2 > no ip address > no ip unreachables > encapsulation ppp > ppp chap hostname group68 > ppp multilink > ppp multilink group 68 > > ip route 198.70.33.176 255.255.255.248 10.10.58.2 > > > 2651 (Remote End) > interface Multilink68 > ip address 10.10.58.2 255.255.255.252 > ppp chap hostname group68 > ppp multilink > ppp multilink fragment disable > ppp multilink group 68 > ! > interface FastEthernet0/0 > ip address 198.70.224.117 255.255.255.252 > duplex auto > speed auto > ! > interface Serial0/0 > bandwidth 1540 > no ip address > encapsulation ppp > fair-queue > ppp chap hostname group68 > ppp multilink > ppp multilink group 68 > > interface Serial0/1 > bandwidth 1540 > no ip address > encapsulation ppp > ppp chap hostname group68 > ppp multilink > ppp multilink group 68 > > ip route 0.0.0.0 0.0.0.0 Multilink68 > > > #ping 10.10.53.1 > > Type escape sequence to abort. > Sending 5, 100-byte ICMP Echos to 10.10.53.1, timeout is 2 seconds: > !!!!! > Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms > > ping 74.125.45.100 > > Type escape sequence to abort. > Sending 5, 100-byte ICMP Echos to 74.125.45.100, timeout is 2 seconds: > ..... > Success rate is 0 percent (0/5) > > trace 74.125.45.100 > > Type escape sequence to abort. 
> Tracing the route to yx-in-f100.google.com (74.125.45.100) > > 1 10.10.58.1 4 msec 4 msec 4 msec > 2 * * * > > 'debug ip icmp' shows nothing on 10.10.58.1 when pinging outside. > > > Core network is 10.10.x.x and remote end can ping anything within the > core network or anything within our infrastructure. Will not ping > anything outside the network. Seems like a routing issue, but I can't > seem to track it down. Any idea as to what to look for or how to > pinpoint a deeper routing issue? > > Any help would be appreciated. > > -Todd > > From justin at justinshore.com Mon Feb 23 18:17:41 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 23 Feb 2009 17:17:41 -0600 Subject: [c-nsp] Broadcast storm control In-Reply-To: References: <79AF0C3901752A49881FE4CB31F7AA40C32BAC@abn-borg2.NETABN.LOCAL> <4730A560.4080609@justinshore.com> Message-ID: <49A32E95.3030002@justinshore.com> Christian Meutes wrote: > Hi, > > --On Dienstag, November 06, 2007 11:33:20 -0600 Justin Shore > wrote: > > the original problem was as far as I remember "access switches with > disabled > or not working spanning-tree created l2-loop and flooded PE edge port". Replying to a question from 2 years ago? I wish I had some of your free time in my pocket! :-) Justin From A.L.M.Buxey at lboro.ac.uk Mon Feb 23 18:25:36 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 23 Feb 2009 23:25:36 +0000 Subject: [c-nsp] Broadcast storm control In-Reply-To: <49A32E95.3030002@justinshore.com> References: <79AF0C3901752A49881FE4CB31F7AA40C32BAC@abn-borg2.NETABN.LOCAL> <4730A560.4080609@justinshore.com> <49A32E95.3030002@justinshore.com> Message-ID: <20090223232536.GF12331@lboro.ac.uk> Hi, > Christian Meutes wrote: >> Hi, >> >> --On Dienstag, November 06, 2007 11:33:20 -0600 Justin Shore >> wrote: >> >> the original problem was as far as I remember "access switches with >> disabled >> or not working spanning-tree created l2-loop and flooded PE edge port". 
> > Replying to a question from 2 years ago? I wish I had some of your free > time in my pocket! :-) surely so busy that its taken 2 years to reply? ;-) (thats the sort of 'free time' I wouldnt be after! ;-) ) alan From MatlockK at exempla.org Mon Feb 23 18:04:47 2009 From: MatlockK at exempla.org (Matlock, Kenneth L) Date: Mon, 23 Feb 2009 16:04:47 -0700 Subject: [c-nsp] Small routing issue In-Reply-To: <1235423245.19742.12.camel@booger> References: <1235423245.19742.12.camel@booger> Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3253@LMC-MAIL2.exempla.org> The F0/0 interface on the 2651 is configured for 198.70.224.117/30, yet you're routing 198.70.33.176/29 to them. Is there NAT'ing going on, or did I miss something? Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlockk at exempla.org -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Todd Shipway Sent: Monday, February 23, 2009 2:07 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Small routing issue I'm working on a small issue that I just can't track down. The connection is 2 T1's bonded in a multilink interface. Connection within the core network is fine from the remote end, but the traffic will not make it to the default route on the core 7513. Hundreds of other connections are setup absolutely identical and work fine. Default route is fine and debugging doesn't show anything at all. Config is below: 7513 (Core) interface Multilink68 ip address 10.10.58.1 255.255.255.252 ppp chap hostname group68 ppp multilink ppp multilink fragment disable ppp multilink group 68 interface Serial9/0/0:1 no ip address encapsulation ppp ppp chap hostname group68 ppp multilink ppp multilink group 68 ! 
interface Serial9/0/0:2 no ip address no ip unreachables encapsulation ppp ppp chap hostname group68 ppp multilink ppp multilink group 68 ip route 198.70.33.176 255.255.255.248 10.10.58.2 2651 (Remote End) interface Multilink68 ip address 10.10.58.2 255.255.255.252 ppp chap hostname group68 ppp multilink ppp multilink fragment disable ppp multilink group 68 ! interface FastEthernet0/0 ip address 198.70.224.117 255.255.255.252 duplex auto speed auto ! interface Serial0/0 bandwidth 1540 no ip address encapsulation ppp fair-queue ppp chap hostname group68 ppp multilink ppp multilink group 68 interface Serial0/1 bandwidth 1540 no ip address encapsulation ppp ppp chap hostname group68 ppp multilink ppp multilink group 68 ip route 0.0.0.0 0.0.0.0 Multilink68 #ping 10.10.53.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.53.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms ping 74.125.45.100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 74.125.45.100, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) trace 74.125.45.100 Type escape sequence to abort. Tracing the route to yx-in-f100.google.com (74.125.45.100) 1 10.10.58.1 4 msec 4 msec 4 msec 2 * * * 'debug ip icmp' shows nothing on 10.10.58.1 when pinging outside. Core network is 10.10.x.x and remote end can ping anything within the core network or anything within our infrastructure. Will not ping anything outside the network. Seems like a routing issue, but I can't seem to track it down. Any idea as to what to look for or how to pinpoint a deeper routing issue? Any help would be appreciated. 
-Todd From rocker.rockerfeller at gmail.com Mon Feb 23 19:11:03 2009 From: rocker.rockerfeller at gmail.com (Rocker Feller) Date: Tue, 24 Feb 2009 03:11:03 +0300 Subject: [c-nsp] Mpls Troubleshooting Question In-Reply-To: References: <2299bfcb0902231351s22734d56k77f9d29104e6c395@mail.gmail.com> Message-ID: <2299bfcb0902231611r172dfdbah11b02bed0405c93f@mail.gmail.com> Hi, My full scenario CE1 -------> PE1 -----------> PE2 -------------> CEZ On the PE1 interface I have a tunnel to CEZ . nb: PE2 is not mpls enabled. CEZ has a ptp link to PE2 LSP - tunnel is up from PE1---> CEZ and I can reach the CEZ router via the tunnel ptp. - from the CEZ lan CE1 lan is reacheable. It is only from the CE1 router and from the PE1 that I cannot reach CEZ lan. Please note this customer has 6 other branches which are working well. Thanks On Tue, Feb 24, 2009 at 1:11 AM, schilling wrote: > check no ip unreachable on the PE interface? I got bite once. > > verify the LSP? > > Ivan's blog for rescue :-) > > http://wiki.nil.com/PE-to-PE_troubleshooting_in_MPLS_VPN_networks > > > Schilling > > On Mon, Feb 23, 2009 at 4:51 PM, Rocker Feller < > rocker.rockerfeller at gmail.com> wrote: > >> Hi, >> >> I work in an ISP environment and in it I found developed MPLS delivering >> ip >> vpns. >> >> There is one client with 5 branches. >> >> All work fine except for 1. >> >> This is the scenario. >> >> The default route is derived from the corporate office (HQ). Its network >> range is 172.16.0.0/16 >> >> Say branch with problem is branch Z ip range is 172.16.7.0/24 >> >> >From Z Lan I can ping HQ Lan ok >> >> ping 172.16.1.1 source 172.16.7.1 >> >> Type escape sequence to abort. >> Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: >> Packet sent with a source address of 172.16.7.1 >> !!!!! 
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms >> >> >From HQ I cannot ping Z apart from reaching the Z router.the lan >> >> ping 172.16.7.1 >> PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data. >> 64 bytes from 172.16.7.1: icmp_seq=0 ttl=253 time=19.8 ms >> >> Any other connections are dropped from branch Z router >> >> A trace reveals packets are dropped from the main MPLS PE router. >> >> The PE router can reach the CE router but not any pc behind it. >> >> >> Your input appreciated >> >> >> Regards >> Rocker >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From RTeller at deltadentalwa.com Mon Feb 23 20:34:19 2009 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Mon, 23 Feb 2009 17:34:19 -0800 Subject: [c-nsp] Netconf (over SSHv2) in SXI In-Reply-To: <498A4934.5090604@cisco.com> References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <935ead450902041416k3d8f22aex4d7956ce2932b427@mail.gmail.com> <498A4934.5090604@cisco.com> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA134118BA@tiger.deltadentalwa.com> When I was working on an application to post xml code to my ace modules I found the xml info on the ace module, have you tried enabling http/https and browsing to the device? -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lincoln Dale Sent: Wednesday, February 04, 2009 6:05 PM To: Jeffrey Ollie Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Netconf (over SSHv2) in SXI Jeffrey Ollie wrote: > On Mon, Feb 2, 2009 at 6:11 AM, Lincoln Dale wrote: > >> that is purely a guess - but checking the XML schema definition (XSD) that >> should also be posted on cisco.com will let you verify. >> > > Any clues on where to find the XSDs? 
I can't seem to find them except > inline in the documentation and that doesn't seem like the best way to > get them. > > for NX-OS, where i spend most of my time, we post the NetConf XSD right alongside the software images. i am not sure where XSDs are posted on cisco.com (or if they are at all) for IOS images, but will ask internally. to my mind they should be posted along side the images, or linked to from the release notes etc., because the schema would be unique to each image. cheers, lincoln. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. ######################################################### From christian at errxtx.net Tue Feb 24 01:43:25 2009 From: christian at errxtx.net (Christian Meutes) Date: Tue, 24 Feb 2009 07:43:25 +0100 Subject: [c-nsp] Broadcast storm control In-Reply-To: <20090223232536.GF12331@lboro.ac.uk> References: <79AF0C3901752A49881FE4CB31F7AA40C32BAC@abn-borg2.NETABN.LOCAL> <4730A560.4080609@justinshore.com> <49A32E95.3030002@justinshore.com> <20090223232536.GF12331@lboro.ac.uk> Message-ID: <0C328DEF0E6E4B89D8EF84B0@jesk-laptop> Hi, --On Montag, Februar 23, 2009 23:25:36 +0000 A.L.M.Buxey at lboro.ac.uk wrote: >> Replying to a question from 2 years ago? I wish I had some of your free >> time in my pocket! :-) > > surely so busy that its taken 2 years to reply? 
;-) > > (thats the sort of 'free time' I wouldnt be after! ;-) ) I believe people use the list also to search for information and use it even if it's 2 years old. It's not only about discussing the days top issues :-) I just searched the list for content about control plane protection and felt that its in my point of view uncomplete or rather not fully clarified. I think people became the feeling that CoPP will help to protect their control plane but unfortunately this isnt completely true imho. cheers, christian From ibrahim.abozaid at gmail.com Tue Feb 24 02:54:52 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Tue, 24 Feb 2009 09:54:52 +0200 Subject: [c-nsp] Mpls Troubleshooting Question In-Reply-To: <2299bfcb0902231611r172dfdbah11b02bed0405c93f@mail.gmail.com> References: <2299bfcb0902231351s22734d56k77f9d29104e6c395@mail.gmail.com> <2299bfcb0902231611r172dfdbah11b02bed0405c93f@mail.gmail.com> Message-ID: Hi Rocker that doesn't seem to me as MPLS VPN topology as both PE1 interfaces to CE1 and CEZ are non-MPLS interfaces , it is much like local-switching scenario try using CONNECT command best regards --Ibrahim On Tue, Feb 24, 2009 at 2:11 AM, Rocker Feller < rocker.rockerfeller at gmail.com> wrote: > Hi, > > My full scenario > > CE1 -------> PE1 -----------> PE2 -------------> CEZ > > On the PE1 interface I have a tunnel to CEZ . > > nb: PE2 is not mpls enabled. > > CEZ has a ptp link to PE2 > > LSP - tunnel is up from PE1---> CEZ and I can reach the CEZ router via the > tunnel ptp. > > - from the CEZ lan CE1 lan is reacheable. > > It is only from the CE1 router and from the PE1 that I cannot reach CEZ > lan. > > Please note this customer has 6 other branches which are working well. > > Thanks > > > > On Tue, Feb 24, 2009 at 1:11 AM, schilling > wrote: > > > check no ip unreachable on the PE interface? I got bite once. > > > > verify the LSP? 
> > > > Ivan's blog for rescue :-) > > > > http://wiki.nil.com/PE-to-PE_troubleshooting_in_MPLS_VPN_networks > > > > > > Schilling > > > > On Mon, Feb 23, 2009 at 4:51 PM, Rocker Feller < > > rocker.rockerfeller at gmail.com> wrote: > > > >> Hi, > >> > >> I work in an ISP environment and in it I found developed MPLS delivering > >> ip > >> vpns. > >> > >> There is one client with 5 branches. > >> > >> All work fine except for 1. > >> > >> This is the scenario. > >> > >> The default route is derived from the corporate office (HQ). Its network > >> range is 172.16.0.0/16 > >> > >> Say branch with problem is branch Z ip range is 172.16.7.0/24 > >> > >> >From Z Lan I can ping HQ Lan ok > >> > >> ping 172.16.1.1 source 172.16.7.1 > >> > >> Type escape sequence to abort. > >> Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: > >> Packet sent with a source address of 172.16.7.1 > >> !!!!! > >> Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms > >> > >> >From HQ I cannot ping Z apart from reaching the Z router.the lan > >> > >> ping 172.16.7.1 > >> PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data. > >> 64 bytes from 172.16.7.1: icmp_seq=0 ttl=253 time=19.8 ms > >> > >> Any other connections are dropped from branch Z router > >> > >> A trace reveals packets are dropped from the main MPLS PE router. > >> > >> The PE router can reach the CE router but not any pc behind it. 
> >> > >> > >> Your input appreciated > >> > >> > >> Regards > >> Rocker > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ibrahim.abozaid at gmail.com Tue Feb 24 03:15:39 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Tue, 24 Feb 2009 10:15:39 +0200 Subject: [c-nsp] Mpls Troubleshooting Question In-Reply-To: References: <2299bfcb0902231351s22734d56k77f9d29104e6c395@mail.gmail.com> <2299bfcb0902231611r172dfdbah11b02bed0405c93f@mail.gmail.com> Message-ID: sorry as both sites have different networks so you can't use this technology On Tue, Feb 24, 2009 at 9:54 AM, Ibrahim Abo Zaid wrote: > Hi Rocker > > that doesn't seem to me as MPLS VPN topology as both PE1 interfaces to CE1 > and CEZ are non-MPLS interfaces , it is much like > local-switching scenario > > try using CONNECT command > > > > best regards > --Ibrahim > > On Tue, Feb 24, 2009 at 2:11 AM, Rocker Feller < > rocker.rockerfeller at gmail.com> wrote: > >> Hi, >> >> My full scenario >> >> CE1 -------> PE1 -----------> PE2 -------------> CEZ >> >> On the PE1 interface I have a tunnel to CEZ . >> >> nb: PE2 is not mpls enabled. >> >> CEZ has a ptp link to PE2 >> >> LSP - tunnel is up from PE1---> CEZ and I can reach the CEZ router via >> the >> tunnel ptp. >> >> - from the CEZ lan CE1 lan is reacheable. >> >> It is only from the CE1 router and from the PE1 that I cannot reach CEZ >> lan. >> >> Please note this customer has 6 other branches which are working well. 
>> >> Thanks >> >> >> >> On Tue, Feb 24, 2009 at 1:11 AM, schilling >> wrote: >> >> > check no ip unreachable on the PE interface? I got bite once. >> > >> > verify the LSP? >> > >> > Ivan's blog for rescue :-) >> > >> > http://wiki.nil.com/PE-to-PE_troubleshooting_in_MPLS_VPN_networks >> > >> > >> > Schilling >> > >> > On Mon, Feb 23, 2009 at 4:51 PM, Rocker Feller < >> > rocker.rockerfeller at gmail.com> wrote: >> > >> >> Hi, >> >> >> >> I work in an ISP environment and in it I found developed MPLS >> delivering >> >> ip >> >> vpns. >> >> >> >> There is one client with 5 branches. >> >> >> >> All work fine except for 1. >> >> >> >> This is the scenario. >> >> >> >> The default route is derived from the corporate office (HQ). Its >> network >> >> range is 172.16.0.0/16 >> >> >> >> Say branch with problem is branch Z ip range is 172.16.7.0/24 >> >> >> >> >From Z Lan I can ping HQ Lan ok >> >> >> >> ping 172.16.1.1 source 172.16.7.1 >> >> >> >> Type escape sequence to abort. >> >> Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: >> >> Packet sent with a source address of 172.16.7.1 >> >> !!!!! >> >> Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms >> >> >> >> >From HQ I cannot ping Z apart from reaching the Z router.the lan >> >> >> >> ping 172.16.7.1 >> >> PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data. >> >> 64 bytes from 172.16.7.1: icmp_seq=0 ttl=253 time=19.8 ms >> >> >> >> Any other connections are dropped from branch Z router >> >> >> >> A trace reveals packets are dropped from the main MPLS PE router. >> >> >> >> The PE router can reach the CE router but not any pc behind it. 
>> >> >> >> >> >> Your input appreciated >> >> >> >> >> >> Regards >> >> Rocker >> >> _______________________________________________ >> >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > >> > >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From erik at infopact.nl Tue Feb 24 03:23:44 2009 From: erik at infopact.nl (E. Versaevel) Date: Tue, 24 Feb 2009 09:23:44 +0100 Subject: [c-nsp] Small routing issue In-Reply-To: <49A3AE53.9090300@infopact.nl> References: <1235423245.19742.12.camel@booger> <49A3AE53.9090300@infopact.nl> Message-ID: <49A3AE90.1030303@infopact.nl> Todd, Try pinging/tracing with the correct source adress, ping 74.125.45.100 source fa 0/0 that would originate packets with the public source adress on that interface instead of the RFC1918 ip you're using at the moment. (default is to use the IP adress on the interface the packet leaves) Regards, Erik Versaevel Erik Versaevel From Steven.Glogger at swisscom.com Tue Feb 24 04:54:00 2009 From: Steven.Glogger at swisscom.com (Steven.Glogger at swisscom.com) Date: Tue, 24 Feb 2009 10:54:00 +0100 Subject: [c-nsp] Cisco Refurbished Equipment Program In-Reply-To: References: Message-ID: <1FC8A0BAFBBD9749BB1F06010D23C8A553188D2B@sg000035.corproot.net> we've bought some hardware from cisco refurbished. as far as i can remember you get some warranty (1 year or so) and the stuff has been really in-depht tested. so working stuff ,-) smartnet etc. i don't know if we've got that device in one of our contracts... 
-steven -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Louis Sent: Friday, February 20, 2009 6:45 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cisco Refurbished Equipment Program In this economy, we are all looking for ways to save $$. I am curious if anyone on this list has had any experience with purchasing product from the Cisco Refurbished Equipment Program. Any issues or concerns? Did it work as expected? Any issues with getting smartnet coverage on qualified product? Thanks Mike ________________________________ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jmaimon at ttec.com Tue Feb 24 07:45:52 2009 From: jmaimon at ttec.com (Joe Maimon) Date: Tue, 24 Feb 2009 07:45:52 -0500 Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL In-Reply-To: <037901c995ec$4ba3db60$e2eb9220$@net> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> <037901c995ec$4ba3db60$e2eb9220$@net> Message-ID: <49A3EC00.3060109@ttec.com> There are apparently three approaches to trafficking between VRF's. - configuration route leakage, static routes, route-maps and whatnot All hacks in my opinion. 
- physical crossover between two devices, vrf A in device A becomes vrf B in device B Which is actually a degenerate or optimized instance of the following: - crossover in the same device This can be done as per your tunnel example. You can also do this with physical ports, with a l2/l3 switch architecture its not as conveniently done however, since you would need to cross connect one access port in one vlan to another access port in another vlan. For router ports, you can use dot1q and have many different crossovers. I have been doing this for quite some time, as some may note, there are issues you may run across that require static arp entries to workaround. In my opinion, there is significant design benefits in using an interface to traffic between vrf's, such as using routing protocols, nat, firewall, security features and everything else designed to work at interface level. However, the downside is processing the packet twice. (if you use tunnels, you should try to ensure that the tunnel MTU allows 1500 unfragmented) I think it would be worthwhile to lab the two approaches, tunnel and physical crossover and compare it with configuration leaking to come up with some performance numbers. In my opinion, this would be best served by a dedicated tunnel type, allowing the device to optimize the path but still providing the same benefits. 
Something like: ip vrf RED ip vrf BLUE int t0 ip vrf forwarding RED ip address 10.1.1.1 255.255.255.252 tunnel source vrf RED tunnel destination vrf BLUE tunnel mode vrf-connect int t1 ip vrf forwarding BLUE ip address 10.1.1.2 255.255.255.252 tunnel source vrf BLUE tunnel destination vrf RED tunnel mode vrf-connect Or Maybe: ip vrf RED rd 1:1 ip vrf BLUE rf 1:2 int VRF1.1 ip address 10.1.1.1 255.255.255.252 xconnect vrf rd 1:1 rd 1:2 int VRF1.2 ip address 10.1.1.2 255.255.255.252 xconnect vrf rd 1:2 rd 1:1 Also, while in wishlisting mode, it would be nice if you could policy route in a vrf (the most likely reason why the software doesnt allow you to is that vrf processing is the same code/feature path as policy routing) Joe Luan Nguyen wrote: > Instead of an external link with 2 physical ports, you could try to create a > GRE tunnel with 2 loopback interfaces. > > interface Loopback0 > ip address 10.10.10.1 255.255.255.0 > ! > interface Loopback10 > ip address 10.10.100.1 255.255.255.0 > ! > interface Tunnel1 > ip vrf forwarding NSP > ip address 172.16.1.1 255.255.255.0 > tunnel source Loopback0 > tunnel destination 10.10.100.1 > ! > interface Tunnel2 > ip address 172.16.1.2 255.255.255.0 > tunnel source Loopback10 > tunnel destination 10.10.10.1 > > > Then run OSPF...etc. I haven't try static route, but pretty sure it would > work. > > router ospf 100 vrf NSP > router-id 10.10.10.1 > log-adjacency-changes > redistribute bgp 65535 subnets > network 10.10.10.1 0.0.0.0 area 0 > network 172.16.1.1 0.0.0.0 area 0 > ! > router ospf 1 > router-id 10.10.100.1 > log-adjacency-changes > network 10.10.100.1 0.0.0.0 area 0 > network 172.16.1.2 0.0.0.0 area 0 > > Regards, > > ++++++++++++++++++++++++++++++++++++++++++++++++ > Luan Nguyen > Chesapeake NetCraftsmen, LLC. 
> [Web] http://www.netcraftsmen.net > [Blog] http://cnc-networksecurity.blogspot.com/ > [Mobile] 703-953-9116 > +++++++++++++++++++++++++++++++++++++++++++++++++ > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater > Sent: Monday, February 23, 2009 10:56 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL > > This question was posted earlier, before I opened ticket with CISCO. > > Router is 6500 with 720-CXL running SXI code. > > > 1. I have router "A" which is used to connect to our three ISPs ( two > I1s and one I2 connection with full BGP), and also receives all our > internal campus traffic via RIP default path. Router "A" announces > default to campus. > > 2. I now need to add a new special ESNET.GOV ISP which cannot be used > by the majority of our campus except for two subnets. These two > subnets will still have access to the other three ISPs for normal path > selection but have the option of choosing an ESNET route if needed. > > 3. So the original thinking was to create the VRF for ESNET which > would have its own ESNET route table and tell the two special subnets > (using route-map match subs, set vrf ) to check the ESNET table first > and if route is not in table then fall thru to global. > > 4. I can't just have one route table that includes the ESNET routes, > because ESNET announces some more specific routes and there may be > hosts that normally use the I1 path to these DSTs, but now see a more > specific path and try to use it and fail because it is not allowed by > ESNET outbound ACL. > > > > I have BGP peering working in VRF ( can see prefixes from ESNET in VRF > table), but cannot announce our two subnet prefixes because they do > not show up in VRF route table. So getting static back to global > would fix this and other issue with DEFAULT to global. 
When I try to > add static routes they never show up because the next hop is not > present in VRF table or the command fails stating that... "Invalid > next-hop address (it's this router)". > > > > I was hoping that just adding a static DEFAULT in VRF pointing to > global would do everything I needed, but cannot get it to work even > after trying all permutations of the command. "ip route vrf vrf-esnet > 0.0.0.0 0.0.0.0 0.0.0.0 global" > > > > Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 > 10.10.10.10 global" Loopback3 was created with RFC-1918 IP and had > "vrf forwarding" added on this loopback. This also failed. > > > Creating an internal path between the VRF router and the global router > is stopping all this from working. > > I have a ticket open with CISCO but they are saying I have to add an > external link with two physical ports on vrf. This will not work for > us. > > > Does anybody know how to get statics working between VRF and global > table, if it's even possible. > > > Really stuck! > > > > Jeff Fitzwater > OIT Network Systems > Princeton University > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From chris at chrisserafin.com Tue Feb 24 10:41:49 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Tue, 24 Feb 2009 09:41:49 -0600 Subject: [c-nsp] Mpls Troubleshooting Question In-Reply-To: <2299bfcb0902231351s22734d56k77f9d29104e6c395@mail.gmail.com> References: <2299bfcb0902231351s22734d56k77f9d29104e6c395@mail.gmail.com> Message-ID: <49A4153D.1040105@chrisserafin.com> HQ Site think the traffic is local due to subnet differences?
Rocker Feller wrote: > Hi, > > I work in an ISP environment and in it I found developed MPLS delivering ip > vpns. > > There is one client with 5 branches. > > All work fine except for 1. > > This is the scenario. > > The default route is derived from the corporate office (HQ). Its network > range is 172.16.0.0/16 > > Say branch with problem is branch Z ip range is 172.16.7.0/24 > > From Z Lan I can ping HQ Lan ok > > ping 172.16.1.1 source 172.16.7.1 > > Type escape sequence to abort. > Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: > Packet sent with a source address of 172.16.7.1 > !!!!! > Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms > > From HQ I cannot ping Z apart from reaching the Z router. The LAN: > > ping 172.16.7.1 > PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data. > 64 bytes from 172.16.7.1: icmp_seq=0 ttl=253 time=19.8 ms > > Any other connections are dropped from branch Z router > > A trace reveals packets are dropped from the main MPLS PE router. > > The PE router can reach the CE router but not any pc behind it. > > > Your input appreciated > > > Regards > Rocker
From david.freedman at uk.clara.net Tue Feb 24 11:38:25 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Tue, 24 Feb 2009 16:38:25 +0000 Subject: [c-nsp] IOS BGP AS-PATH Reftable Message-ID: Does anybody know how exactly this is kept clean?
I would assume that when a prefix with a ref to the as-path reftable is no longer in a rib, the refcount of the entry is decremented and at zero the ref is cleaned up. I seem to have stale data in mine, this example concerns a prefix leak from AS30071 (a peer network) which is no longer happening (i.e., I do not appear to see nor select these paths)

#sh ip bgp paths _30071_7018
Address    Hash Refcount Metric Path
0x52866F14  954        7     40 30071 7018 26415 i
0x556E1A78 1234        4     40 30071 7018 71 i
0x547CED9C 1234       37     40 30071 7018 71 i
0x54F383F8 2708       10     40 30071 7018 i
0x5E20558C 2885        4     40 30071 7018 40912 i

I see this across a GSR peering router running 12.0(SY), a 7600 PE router running 12.2(33)SRC1 and a 65K PE router running 12.2(33)SXH2a. is this intended behaviour (not to decrement refcounts) or a bug? and if so, what constraints exist to prevent this reftable consuming huge amounts of RAM (i.e., if somebody were to spam it with multiple bogus AS-paths)? Thoughts? Dave.
From damin at nacs.net Tue Feb 24 14:52:05 2009 From: damin at nacs.net (Gregory Boehnlein) Date: Tue, 24 Feb 2009 14:52:05 -0500 Subject: [c-nsp] PA-GE - Incrementing Ignored and Overrun Errors Message-ID: <041401c996b9$5e573720$1b05a560$@net> Hello, We have a 7507 w/ Dual RSP-4's running 122-25.S12. It's been up and working w/out a problem for 50 weeks at this point. Over the past few days, our Gig-E fiber trunk to Level-3 has been exhibiting an unusual amount of packet loss when our BGP sessions are up. From a traffic perspective, we are only sending/receiving about 30 Megabits / second across this interface. When we drop the BGP session w/ X/O and ping across to their BGP peer, everything is fine. When we have BGP enabled, there are no input errors, but we do see incrementing numbers in the Overrun and Ignored fields.
According to the Cisco Ethernet troubleshooting documentation, this means the following: Overrun Errors -------------- Description: The number of times the receiver hardware was unable to hand received data to a hardware buffer. Common Cause: The input rate of traffic exceeded the receiver's ability to handle the data. And.. Ignored Errors -------------- Description: Cisco IOS sh interfaces counter. The number of received packets ignored by the interface because the interface hardware ran low on internal buffers. Common Causes: Broadcast storms and bursts of noise can cause the ignored count to be increased. Any suggestions on where to look? Level 3 is dispatching to do end-to-end testing on their Fiber interconnect. I'd like to get an idea of what sort of broadcast traffic I might be seeing on the port... From damin at nacs.net Tue Feb 24 14:59:48 2009 From: damin at nacs.net (Gregory Boehnlein) Date: Tue, 24 Feb 2009 14:59:48 -0500 Subject: [c-nsp] PA-GE - Incrementing Ignored and Overrun Errors In-Reply-To: <041401c996b9$5e573720$1b05a560$@net> References: <041401c996b9$5e573720$1b05a560$@net> Message-ID: <041e01c996ba$725b4f80$5711ee80$@net> > When we drop the BGP session w/ X/O and ping across to their BGP peer, > everything is fine. Err.. meant to say Level 3 there. When we drop the Level 3 peering session, and no traffic is flowing, things are fine. :) From rodunn at cisco.com Tue Feb 24 15:52:39 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 24 Feb 2009 15:52:39 -0500 Subject: [c-nsp] PA-GE - Incrementing Ignored and Overrun Errors In-Reply-To: <041401c996b9$5e573720$1b05a560$@net> References: <041401c996b9$5e573720$1b05a560$@net> Message-ID: <20090224205239.GB1890@rtp-cse-489.cisco.com> What does 'sh diag' say? We don't support putting a GE PA in a VIP. You had to buy a full slot card which was either a GEIP or GEIP+. Those old cards can't do linerate GIGE (ie: high microburst on a GIGE port). 
Been a while...the GEIP was vip2-50 based and the + was VIP4-80 based IIRC. Latter is much faster. Rodney
From Jay.Murphy at state.nm.us Tue Feb 24 15:36:55 2009 From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH) Date: Tue, 24 Feb 2009 13:36:55 -0700 Subject: [c-nsp] Cisco Refurbished Equipment Program In-Reply-To: <1FC8A0BAFBBD9749BB1F06010D23C8A553188D2B@sg000035.corproot.net> References: <1FC8A0BAFBBD9749BB1F06010D23C8A553188D2B@sg000035.corproot.net> Message-ID: Truly, Cisco performs when they provide refurbs for sale or warranty. As the previous thread articulated, they regress test enough to back their product. Solid for today's economy, no pun intended! Jay Murphy IP Network Specialist NM Department of Health ITSD - IP Network Operations Santa Fe, New Mexico 87502 Bus. Ph.: 505.827.2851 "We move the information that moves your world." -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven.Glogger at swisscom.com Sent: Tuesday, February 24, 2009 2:54 AM To: MLouis at nwnit.com; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco Refurbished Equipment Program we've bought some hardware from cisco refurbished. as far as i can remember you get some warranty (1 year or so) and the stuff has been really in-depth tested. so working stuff ,-) smartnet etc. i don't know if we've got that device in one of our contracts... -steven -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Louis Sent: Friday, February 20, 2009 6:45 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cisco Refurbished Equipment Program In this economy, we are all looking for ways to save $$. I am curious if anyone on this list has had any experience with purchasing product from the Cisco Refurbished Equipment Program. Any issues or concerns? Did it work as expected? Any issues with getting smartnet coverage on qualified product? Thanks Mike
From damin at nacs.net Tue Feb 24 16:30:16 2009 From: damin at nacs.net (Gregory Boehnlein) Date: Tue, 24 Feb 2009 16:30:16 -0500 Subject: [c-nsp] PA-GE - Incrementing Ignored and Overrun Errors In-Reply-To: <20090224205239.GB1890@rtp-cse-489.cisco.com> References: <041401c996b9$5e573720$1b05a560$@net> <20090224205239.GB1890@rtp-cse-489.cisco.com> Message-ID: <046c01c996c7$159849d0$40c8dd70$@net> > What does 'sh diag' say? Slot 4: Physical slot 4, ~physical slot 0xB, logical slot 4, CBus 0 Microcode Status 0x4 Master Enable, LED, WCS Loaded Board is analyzed Pending I/O Status: None EEPROM format version 1 GEIP controller, FRU: GEIP, HW rev 2.02, board revision A0 Serial number: 12310777 Part number: 73-2167-05 Test history: 0x00 RMA number: 00-00-00 Flags: cisco 7000 board; 7500 compatible EEPROM contents (hex): 0x20: 01 21 02 02 00 BB D8 F9 49 08 77 05 00 00 00 00 0x30: 50 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 Slot database information: Flags: 0x4 Insertion time: 0x38A0 (50w4d ago) Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM PA Bay 0 Information: Gigabit-Ethernet PA, 1 ports EEPROM format version 1 HW rev 1.00, Board revision A0 Serial number: 11029618 Part number: 73-3144-03 --Boot log begin-- Cisco IOS Software, VIP Software (SVIP-CDW-M), Version 12.2(25)S12, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Wed 07-Feb-07 22:47 by kellythw Image text-base: 0x60010DC8, data-base: 0x606C0000 --Boot log end-- > We don't support putting a GE PA in a VIP. > > You had to buy a full slot card which was either a GEIP or > GEIP+. My bad.. it's a GEIP.. not a GEIP+ > Those old cards can't do linerate GIGE (ie: high microburst on a GIGE > port). Fine, but the thing should be able to easily handle 100 megabits / second of traffic, right? > Been a while...the GEIP was vip2-50 based and the + was VIP4-80 based > IIRC. Latter is much faster. 
> > Rodney
From gert at greenie.muc.de Tue Feb 24 16:57:38 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 24 Feb 2009 22:57:38 +0100 Subject: [c-nsp] PA-GE - Incrementing Ignored and Overrun Errors In-Reply-To: <046c01c996c7$159849d0$40c8dd70$@net> References: <041401c996b9$5e573720$1b05a560$@net> <20090224205239.GB1890@rtp-cse-489.cisco.com> <046c01c996c7$159849d0$40c8dd70$@net> Message-ID: <20090224215738.GZ290@greenie.muc.de> Hi, On Tue, Feb 24, 2009 at 04:30:16PM -0500, Gregory Boehnlein wrote: > > Those old cards can't do linerate GIGE (ie: high microburst on a GIGE > > port). > > Fine, but the thing should be able to easily handle 100 megabits / second of > traffic, right? "handle", maybe - if it's not too bursty and packets are big. "easily", no - the router performance PDF lists 46-71 Mbit/s for the VIP2-50 (for minimum sized packets), and GEIP is a VIP2-50. This is *old* hardware. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From rodunn at cisco.com Tue Feb 24 18:35:28 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 24 Feb 2009 18:35:28 -0500 Subject: [c-nsp] PA-GE - Incrementing Ignored and Overrun Errors In-Reply-To: <046c01c996c7$159849d0$40c8dd70$@net> References: <041401c996b9$5e573720$1b05a560$@net> <20090224205239.GB1890@rtp-cse-489.cisco.com> <046c01c996c7$159849d0$40c8dd70$@net> Message-ID: <20090224233528.GA2842@rtp-cse-489.cisco.com> > > > > You had to buy a full slot card which was either a GEIP or > > GEIP+. > > > My bad.. it's a GEIP.. not a GEIP+ > > > Those old cards can't do linerate GIGE (ie: high microburst on a GIGE > > port). > > Fine, but the thing should be able to easily handle 100 megabits / second of > traffic, right? Sustained with larger packets and no features at all in the switching vector maybe. Real world with microburst and features and smaller packets probably not. Rodney
From David at Hughes.com.au Tue Feb 24 18:44:27 2009 From: David at Hughes.com.au (David Hughes) Date: Wed, 25 Feb 2009 09:44:27 +1000 Subject: [c-nsp] Fast UDLD timers in SXI? In-Reply-To: References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> <1233758875.6907.22.camel@mauritzlewies> <20090205072426.GU290@greenie.muc.de> Message-ID: <421D9299-9DCE-43D2-8582-A126C85B546F@Hughes.com.au> On 06/02/2009, at 7:31 AM, David Hughes wrote: > Thanks Gert.
> That's not the news I was hoping for. I'll take it up > with Cisco and find out what "UDLD Enhancements" are actually in > SXI. I appreciate your help. Ok, I think I've got the scoop. The word is that UDLD 2.0 on 6500 is being looked at but there's no current plan for it on the road map. As for what extra functionality we get with the new "Enhanced UDLD" feature in SXI, well, that's still a mystery. This really is amazing. I appreciate that doing sub second timers on a box with a potentially huge number of physical and logical interfaces is difficult, but functionality is being limited due to worst case scenario. I simply want to run aggressive UDLD over a PAgP link that's being carried over an EoMPLS VC. That's UDLD on 4 interfaces on the entire box. I know a Sup720 can handle that. Not being able to use the capabilities of these boxes because of lazy software implementation decisions is getting very annoying. David ...
From mduksa at gmail.com Tue Feb 24 21:08:01 2009 From: mduksa at gmail.com (Marlon Duksa) Date: Tue, 24 Feb 2009 18:08:01 -0800 Subject: [c-nsp] show mBGP vpn advertized routes Message-ID: Hi, Is there any way to show some meaningful info on what Cisco is advertising to its vpnv4 peers. This is what I have:

router_1 #show bgp vpnv4 unicast all neighbors 192.1.0.2 advertised-routes
BGP table version is 1926, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:0 (default for vrf ipvpn_1) VRF Router ID 191.1.0.1
*> 191.1.0.0/24 0.0.0.0 0 32768 ?

I'd like to see the label that is advertised along with this route. For example this route is advertised from a CE side to the PE, and its label is 20 and also the next hop is 1.1.1.1 (and not 0.0.0.0 as it is shown here - is this a bug?). Juniper has such nice output for a similar command, a lot of details on what is getting advertised. Anyone knows? Thanks, Marlon
From sdanelli at gmail.com Tue Feb 24 21:42:24 2009 From: sdanelli at gmail.com (Sergio D.) Date: Tue, 24 Feb 2009 19:42:24 -0700 Subject: [c-nsp] show mBGP vpn advertized routes Message-ID: You can look at the BGP rib to see what label is assigned:

7200-UT02>sh bgp vpnv4 unicast vrf vrfData x.x.x.x/29
BGP routing table entry for 100:1:x.x.x.x/29, version 916
Paths: (2 available, best #1, table vrfData)
Advertised to update-groups: 1 2 3
Local
10.128.90.2 from 0.0.0.0 (10.0.0.5)
Origin incomplete, metric 20, localpref 100, weight 32768, valid, sourced, best
Extended Community: RT:100:1 OSPF DOMAIN ID:0x0005:0x000000650200 OSPF RT:0.0.0.0:5:1 OSPF ROUTER ID:x.x.x.x:0
mpls labels in/out *335*/nolabel

-- Sergio Danelli JNCIE #170
From pshem.k at gmail.com Tue Feb 24 22:36:11 2009 From: pshem.k at gmail.com (Pshem Kowalczyk) Date: Wed, 25 Feb 2009 16:36:11 +1300 Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL In-Reply-To: <49A3EC00.3060109@ttec.com> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> <037901c995ec$4ba3db60$e2eb9220$@net> <49A3EC00.3060109@ttec.com> Message-ID: <20fe625b0902241936j4d6ada90m3b926202ad422706@mail.gmail.com> Hi, 2009/2/25 Joe Maimon > There are apparently three approaches to trafficking between VRF's. > > - configuration route leakage, static routes, route-maps and whatnot > > All hacks in my opinion. > > - physical crossover between two devices, vrf A in device A becomes vrf B > in device B > > Which is actually a degenerate or optimized instance of the following: > > - crossover in the same device > > This can be done as per your tunnel example. > > You can also do this with physical ports, with a l2/l3 switch architecture > its not as conveniently done however, since you would need to cross connect > one access port in one vlan to another access port in another vlan. > {cut} I think that you're missing one other possibility (which may or may not suit you) - putting all of your routing into vrfs and doing the normal leaking between the vrfs. This way you can retain the level of granularity you want (any particular interface might be either in the vrf that has only the 'public' internet or in the 'special' vrf, that has access to the premium routes). For smaller installations you probably don't even need to run MPLS - simply VLANs or GRE tunnels and VRF-lite should suffice. Obviously you might have to keep full bgp feed in a vrf which some people regard as a no-no. kind regards Pshem
From SazliBin.Ahmad at pacnet.com Tue Feb 24 22:54:30 2009 From: SazliBin.Ahmad at pacnet.com (Ahmad, Sazli Bin) Date: Wed, 25 Feb 2009 11:54:30 +0800 Subject: [c-nsp] TCAM Errors on SIP-401 Engine 5 Linecard for E1 SPA.
Message-ID: <207A8FA83882D643BDA4398E6365CDDB0524C56D@W3HKEXCHVS1.asianetcom.com> Good Day, We have a problem with SIP-401 Engine 5 Linecard getting TCAM errors when Qos is applied on an E1 SPA Card. This problem will happen when outgoing service-policy is applied on the Serial Interface and it will generate TCAM errors and eventually will crash the Linecard. Below is a sample of the Qos configuration.

class-map match-all cpe-mgmt
 match access-group 2052
class-map match-all TrustPrecedence-cos4
 match ip precedence 4
class-map match-all TrustPrecedence-cos2
 match ip precedence 2
class-map match-any SIP-401-TESTING
 match access-group 2190
class-map match-all SIP-401-cos1
 match any
class-map match-all SIP-401-cos3
 match dscp 34
policy-map SIP-401-child-out
 description Inbound Classification for SIP-401 Testing
 class TrustPrecedence-cos4
  priority
  police 1000000 200000 400000 conform-action transmit exceed-action drop
 class SIP-401-TESTING
  bandwidth remaining percent 60
  random-detect
  random-detect precedence 3 3200 packets 4096 packets 1
  police 1000000 200000 400000 conform-action transmit exceed-action drop
 class TrustPrecedence-cos2
  bandwidth remaining percent 25
  random-detect
  random-detect precedence 2 2000 packets 3200 packets 1
  police 1000000 200000 400000 conform-action transmit exceed-action drop
 class SIP-401-cos3
  bandwidth remaining percent 10
  random-detect
  random-detect precedence 1 1000 packets 2000 packets 1
  police 1000000 200000 400000 conform-action transmit exceed-action drop
 class SIP-401-cos1
  bandwidth remaining percent 4
  random-detect
  random-detect precedence 0 500 packets 1000 packets 1
  police 1000000 200000 400000 conform-action transmit exceed-action drop
 class cpe-mgmt
  bandwidth remaining percent 1
  random-detect
  random-detect precedence 0 500 packets 1000 packets 1
  police 16000 3200 6400 conform-action transmit exceed-action drop
 class class-default
  bandwidth remaining percent 1
  random-detect
  random-detect precedence 0 500 packets 1000 packets 1
  police 16000 3200 6400 conform-action transmit exceed-action drop
policy-map SIP-401-out
 description Parent Outbound Policy for SIP-401 Testing
 class class-default
  shape average 1000000 200000 400000
  service-policy SIP-401-child-out

Can I have any advice on what could be the cause of the problem? If the problem is due to the Qos setting, what will be the recommended Qos configuration in order to avoid any TCAM errors and Linecard crash? Will there be another way of configuring the Qos in order for us to achieve the same output as above? Regards Sazli Ahmad
From hsa at ntt.net.id Tue Feb 24 23:58:03 2009 From: hsa at ntt.net.id (Henry Sarumpaet) Date: Wed, 25 Feb 2009 11:58:03 +0700 Subject: [c-nsp] TCAM Errors on SIP-401 Engine 5 Linecard for E1 SPA. In-Reply-To: <207A8FA83882D643BDA4398E6365CDDB0524C56D@W3HKEXCHVS1.asianetcom.com> References: <207A8FA83882D643BDA4398E6365CDDB0524C56D@W3HKEXCHVS1.asianetcom.com> Message-ID: <49A4CFDB.10407@ntt.net.id> hi there, not exactly the same, but we have SIP-200 with SPA-8XCHT1/E1 running without any problem. this one with: 122-33.SRC2 (IOS & pkg). unfortunately our qos config is not as complex as yours. for further diagnostics it might be useful to check the output of: "show plat hard capacity qos" my $0.2 -- hsa
From jeff-kell at utc.edu Wed Feb 25 05:24:26 2009 From: jeff-kell at utc.edu (Jeff Kell) Date: Wed, 25 Feb 2009 05:24:26 -0500 Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL In-Reply-To: <20fe625b0902241936j4d6ada90m3b926202ad422706@mail.gmail.com> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> <037901c995ec$4ba3db60$e2eb9220$@net> <49A3EC00.3060109@ttec.com> <20fe625b0902241936j4d6ada90m3b926202ad422706@mail.gmail.com> Message-ID: <49A51C5A.7050701@utc.edu> Pshem Kowalczyk wrote: > I think that you're missing one other possibility (which may or may not > suit you) - putting all of your routing into vrfs and doing the normal > leaking between the vrfs. This way you can retain the level of granularity > you want (any particular interface might be either in the vrf that has only > the 'public' internet or in the 'special' vrf, that has access to the > premium routes). This is the most flexible with regard to import/export and route map control, but of course requires iBGP to work. It is very straightforward relative to VRF internal routing, but I've not yet tried meshing this with eBGP. Still a little paranoid there and haven't "peered" my VRF-aware iBGP even with an internal iBGP peer. Can you leak defaults between VRFs? (Haven't actually tried that one either...)
Jeff


From nasir.shaikh at bt.com Wed Feb 25 06:37:46 2009
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Wed, 25 Feb 2009 11:37:46 -0000
Subject: [c-nsp] Interesting NAToverload issue
Message-ID: <2B0ABDF9E4A1204AA7467F2007535456088EC3B6@E03MVZ4-UKDY.domain1.systemhost.net>

Hi,

I have a client who has moved their Microsoft Exchange servers to a
service provider location (as part of a de-perimeterization strategy).
These servers are reachable via the Internet. Thus, the client IPs are
NATted before they cross the corporate boundary. There are about 45000
users. Each user needs about 17-22 sessions (that's how MS Outlook
works) and thus as many NAT entries. Therefore a NAT pool is used with
overload. It was working fine for more than a year now but suddenly the
following phenomenon has been noticed.

- When a user session is being built up and he has, let's say, 10 NAT
  entries using the first IP in the NAT pool and the port numbers run
  out, the next IP in the NAT pool is used to complete the required
  number of sessions.
- Exchange server is apparently not happy with one client using 2 IP
  addresses and keeps (re-)building sessions until all of them are using
  the same NATted IP. This can sometimes take up to 5 minutes.

Is there a solution to this problem? There is one single destination
global address. Is there a way to force the usage of the same IP from
the NAT pool for all NAT requests from a particular source IP?

Platform is 7206-vxr with NPE-G2

Thanks in advance

Nasir Shaikh

This email contains information from BT Nederland N.V., which may be
privileged or confidential. It's meant only for the individual(s) or
entity named above. If you are not the intended recipient, note that
disclosing, copying, distributing or using this information is
prohibited. If you have received this email in error, please let me
know immediately on the email address above. We monitor our systems,
and may record your emails.

BT Nederland N.V.
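A model of the behaviour described above and of the per-source pinning suggested later in this thread, added here as an example (it is not from any of the posts and is not IOS code): a toy PAT pool with three ports per address shows one inside host spilling onto a second translated address, John's even/odd split keeping it on one address (with a hash as the generalisation to larger pools), and the pool size that pinning requires for 45000 users. Pool addresses and inside hosts are constructed from documentation ranges.

```python
"""Model of NAT overload (PAT) address selection for the Exchange/NAT problem above.

Added example, not part of the original post or of IOS. A pool with a few
ports per address shows why one inside host ends up on two translated
addresses when the first address runs out of ports, and how pinning each
inside source to one pool address keeps it on a single address.
"""
from collections import defaultdict
import ipaddress
import math

USABLE_PORTS = 64512          # 1024-65535: ports one pool address can hand out


class PatPool:
    """Overloaded NAT pool. `pin` chooses the address for a source; None means
    'first address with a free port', which is what lets a host spill over."""

    def __init__(self, addresses, ports_per_address=USABLE_PORTS, pin=None):
        self.addresses = [ipaddress.ip_address(a) for a in addresses]
        self.free_ports = {a: ports_per_address for a in self.addresses}
        self.pin = pin
        self.used_by = defaultdict(set)   # inside source -> translated addresses seen

    def _choose(self, src):
        if self.pin is not None:
            return self.pin(src, self.addresses)
        return next((a for a in self.addresses if self.free_ports[a] > 0), None)

    def new_session(self, src):
        """Translated address for a new session, or None when the chosen
        address has no port left (the session cannot be built)."""
        src = ipaddress.ip_address(src)
        addr = self._choose(src)
        if addr is None or self.free_ports[addr] == 0:
            return None
        self.free_ports[addr] -= 1
        self.used_by[src].add(addr)
        return addr

    def translated_addresses(self, src):
        return sorted(self.used_by[ipaddress.ip_address(src)])


def even_odd_pin(src, addresses):
    """John's suggestion: even inside sources use the first pool address, odd
    sources the second. In IOS the split is two ACLs with a wildcard mask
    ending in .254 (10.0.0.0 0.255.255.254 matches even addresses), each bound
    to its own 'ip nat inside source list ... pool ... overload' statement."""
    return addresses[int(src) & 1]


def hash_pin(src, addresses):
    """Generalisation to any pool size: a deterministic function of the source
    keeps a host on one address however many addresses the pool has."""
    return addresses[int(src) % len(addresses)]


def pool_addresses_needed(users, sessions_per_user, ports_per_address=USABLE_PORTS):
    """Pinning removes the spill-over safety valve, so the pool has to be sized
    for the whole session load: ceil(users * sessions / ports per address)."""
    return math.ceil(users * sessions_per_user / ports_per_address)


def demo(ports_per_address=3):
    """Tiny pool (3 ports per address) so the spill-over happens on the 4th session."""
    pool_ips = ["198.51.100.1", "198.51.100.2"]      # constructed pool addresses
    client = "10.0.0.2"                               # constructed inside host (even)

    naive = PatPool(pool_ips, ports_per_address)
    naive_result = [str(naive.new_session(client)) for _ in range(4)]

    pinned = PatPool(pool_ips, ports_per_address, pin=even_odd_pin)
    pinned_result = [str(pinned.new_session(client)) for _ in range(4)]

    return {
        "naive": naive_result,                        # 4th session lands on .2
        "naive_addresses": len(naive.translated_addresses(client)),
        "pinned": pinned_result,                      # 4th session fails instead
        "pinned_addresses": len(pinned.translated_addresses(client)),
        "odd_client": str(pinned.new_session("10.0.0.3")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("pool addresses for 45000 users x 22 sessions:",
          pool_addresses_needed(45000, 22), "(full port range),",
          pool_addresses_needed(45000, 22, 32000), "(32000 ports per address)")
```

With two pool addresses the even/odd split only carries about 129000 sessions, so for 45000 Outlook users the pinned design needs a pool of 16 addresses (31 if each address is limited to 32000 sessions as discussed in the replies).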
Registered office: Offices Minerva and Mercurius, Herikerbergweg 2, 1101 CM Amsterdam
Registered at the Amsterdam Chamber of Commerce no: 33296214


From nasir.shaikh at bt.com Wed Feb 25 06:58:31 2009
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Wed, 25 Feb 2009 11:58:31 -0000
Subject: [c-nsp] Interesting NAToverload issue
Message-ID: <2B0ABDF9E4A1204AA7467F2007535456088EC445@E03MVZ4-UKDY.domain1.systemhost.net>

Hi John,

That is indeed a good idea. But there are 2 routers doing this NAT and
the load towards them is being load-balanced by the choke router before
them. I will then have to configure NAT in such a way that each IP from
the NAT pool can only be used for about 32000 sessions (as I cannot
control which specific session will be routed to which NAT router by CEF
on the choke router). But this is a good option.

Thanks

Nasir Shaikh

-----Original Message-----
From: John Kougoulos [mailto:koug at intracom.gr]
Sent: 25 February 2009 12:49
To: Shaikh,NM,Nasir,JRS1 R
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Interesting NAToverload issue

Hello,

you could split the usage of nat pools based on statistics of the source
IP addresses eg use 1 ip/overloaded nat pool for even source IPs and
another IP for the odd source IPs

Best Regards,
John


From nasir.shaikh at bt.com Wed Feb 25 07:01:02 2009
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Wed, 25 Feb 2009 12:01:02 -0000
Subject: [c-nsp] EoMPLS restrictions
Message-ID: <2B0ABDF9E4A1204AA7467F2007535456088EC45D@E03MVZ4-UKDY.domain1.systemhost.net>

Hi,

Can someone shed some light on the following limitation of EoMPLS?

Layer 2 connection restrictions:
- You cannot have a direct Layer 2 connection between provider-edge
  routers with EoMPLS

Why is this? I have a MAN running MPLS where my PEs are directly
connected. I need to extend my datacenter LANs from location A to
location B. I was thinking of using EoMPLS but this limitation is
bothering me because I don't understand this limitation. Anyone care to
explain?

Topology as under:

CE--(trunk)dot1q(tunnel)-->PE--MPLS--PE--tunnel(dot1q)trunk-->CE
                           |         |
                          MPLS      MPLS
                           |         |
CE--(trunk)dot1q(tunnel)-->PE--MPLS--PE--tunnel(dot1q)trunk-->CE

The CEs on the right hand side are under my control and there is another
cascaded CE device behind which the data center resides. So I could
convert the CE to a PE to resolve this.

Any suggestions are welcome

Nasir Shaikh
From koug at intracom.gr Wed Feb 25 06:48:58 2009
From: koug at intracom.gr (John Kougoulos)
Date: Wed, 25 Feb 2009 13:48:58 +0200 (GTB Standard Time)
Subject: [c-nsp] Interesting NAToverload issue
In-Reply-To: <2B0ABDF9E4A1204AA7467F2007535456088EC3B6@E03MVZ4-UKDY.domain1.systemhost.net>
References: <2B0ABDF9E4A1204AA7467F2007535456088EC3B6@E03MVZ4-UKDY.domain1.systemhost.net>

Hello,

you could split the usage of nat pools based on statistics of the source
IP addresses eg use 1 ip/overloaded nat pool for even source IPs and
another IP for the odd source IPs

Best Regards,
John


From TOMAS.LYNCH at GlobalCrossing.com Wed Feb 25 08:01:38 2009
From: TOMAS.LYNCH at GlobalCrossing.com (Lynch, Tomas)
Date: Wed, 25 Feb 2009 08:01:38 -0500
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL
References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU>
Message-ID: <5210A1C9084123478E12AA5924D1F253A2918B@w3usmia2.lat.gblxint.com>

I've been playing around with this command and the short answer with an
example is:

|CPE VRF|(11.0.0.2) ----Se1|PE ROUTER|POS2----(10.0.0.2) [Internet]
 1.1.1.1

PE ROUTER
---------
!
! whatever you need for VRF, mBGP, etc.
! to propagate your networks
!
you may need to add the following:

router bgp $ASN
 address-family ipv4 vrf ESNET
  redistribute static
  default-information originate
!
ip route 1.1.1.1 255.255.255.255 Serial1
ip route vrf ESNET 0.0.0.0 0.0.0.0 POS2 10.0.0.2 global

Disclaimer: Blame me, not my company, if I misread your question.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
> Sent: Monday, February 23, 2009 1:56 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL
>
> This question was posted earlier, before I opened ticket with CISCO.
>
> Router is 6500 with 720-CXL running SXI code.
>
> 1. I have router "A" which is used to connect to our three ISPs (two
> I1s and one I2 connection with full BGP), and also receives all our
> internal campus traffic via RIP default path. Router "A" announces
> default to campus.
>
> 2. I now need to add a new special ESNET.GOV ISP which cannot be used
> by the majority of our campus except for two subnets. These two
> subnets will still have access to the other three ISPs for normal path
> selection but have the option of choosing an ESNET route if needed.
>
> 3. So the original thinking was to create the VRF for ESNET which
> would have its own ESNET route table and tell the two special subnets
> (using route-map match subs, set vrf) to check the ESNET table first
> and if route is not in table then fall thru to global.
>
> 4. I can't just have one route table that includes the ESNET routes,
> because ESNET announces some more specific routes and there may be
> hosts that normally use the I1 path to these DSTs, but now see a more
> specific path and try to use it and fail because it is not allowed by
> ESNET outbound ACL.
>
> I have BGP peering working in VRF (can see prefixes from ESNET in VRF
> table), but cannot announce our two subnet prefixes because they do
> not show up in VRF route table. So getting static back to global
> would fix this and other issue with DEFAULT to global. When I try to
> add static routes they never show up because the next hop is not
> present in VRF table or the command fails stating that... "Invalid
> next-hop address (it's this router)".
>
> I was hoping that just adding a static DEFAULT in VRF pointing to
> global would do everything I needed, but cannot get it to work even
> after trying all permutations of the command. "ip route vrf vrf-esnet
> 0.0.0.0 0.0.0.0 0.0.0.0 global"
>
> Also tried "ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3
> 10.10.10.10 global". Loopback3 was created with RFC-1918 IP and had
> "vrf forwarding" added on this loopback. This also failed.
>
> Creating an internal path between the VRF router and the global router
> is stopping all this from working.
>
> I have a ticket open with CISCO but they are saying I have to add an
> external link with two physical ports on vrf. This will not work for
> us.
>
> Does anybody know how to get statics working between VRF and global
> table, if it's even possible.
>
> Really stuck!
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University


From alexmoya at bellsouth.net Wed Feb 25 08:29:15 2009
From: alexmoya at bellsouth.net (Alex Moya)
Date: Wed, 25 Feb 2009 08:29:15 -0500
Subject: [c-nsp] PIX-515e
Message-ID: <004d01c9974d$0e5e0b10$2b1a2130$@net>

I need help finding an unlock code for the PIX-515e to get it to 3DES
encryption. Does the unit have to be under TAC to get this?
From ed at edgeoc.net Wed Feb 25 08:37:57 2009
From: ed at edgeoc.net (Edward Salonia)
Date: Wed, 25 Feb 2009 08:37:57 -0500
Subject: [c-nsp] PIX-515e
In-Reply-To: <004d01c9974d$0e5e0b10$2b1a2130$@net>
References: <004d01c9974d$0e5e0b10$2b1a2130$@net>

You should be able to get one for free.

https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgDisplay.jsp

- Ed

On Wed, Feb 25, 2009 at 8:29 AM, Alex Moya wrote:
> I need help finding an unlock code for the PIX-515e to get it to 3DES
> encryption. Does the unit have to be under TAC to get this?


From simon at pitwood.org Wed Feb 25 08:37:57 2009
From: simon at pitwood.org (Simon)
Date: Wed, 25 Feb 2009 13:37:57 +0000
Subject: [c-nsp] PIX-515e
In-Reply-To: <004d01c9974d$0e5e0b10$2b1a2130$@net>
References: <004d01c9974d$0e5e0b10$2b1a2130$@net>

You get the license from the Cisco website in the security section, you
will need the serial number but the upgrade is free. They email it to
you.

Sent from my iPhone

On 25 Feb 2009, at 13:29, "Alex Moya" wrote:
> I need help finding an unlock code for the PIX-515e to get it to 3DES
> encryption. Does the unit have to be under TAC to get this?


From oiyankok at yahoo.ca Wed Feb 25 10:06:48 2009
From: oiyankok at yahoo.ca (ann kok)
Date: Wed, 25 Feb 2009 07:06:48 -0800 (PST)
Subject: [c-nsp] show session nothing
Message-ID: <207251.34049.qm@web111308.mail.gq1.yahoo.com>

Hi

I am connecting to the router with telnet

sh sessions can't get any information

router#sh sessions
% No connections open

Why?
but I can get sh tcp vty 0

How can I know how many existing connections in the router?

and

How can I kill idle connection?

Thank you

__________________________________________________________________
Yahoo! Canada Toolbar: Search from anywhere on the web, and bookmark
your favourite sites. Download it now at http://ca.toolbar.yahoo.com.


From zivl at gilat.net Wed Feb 25 10:16:42 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Wed, 25 Feb 2009 17:16:42 +0200
Subject: [c-nsp] show session nothing
In-Reply-To: <207251.34049.qm@web111308.mail.gq1.yahoo.com>
References: <207251.34049.qm@web111308.mail.gq1.yahoo.com>

The following commands may help you:

who
sh user
sh line

you'll see something like this:

    Line       User       Host(s)              Idle       Location
*  2 vty 0     xxx        idle                 00:00:00 xxx.xxx.xxx.xxx

You can make "clear line 2" to disconnect the session

Hope this helps
Ziv
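An added example, not from Ziv's or ann kok's posts: it parses the "show users" table in the layout shown above and proposes "clear line N" for inbound vty sessions that are idle past a threshold or that come from outside the management prefixes, never touching the line marked "*" (the session issuing the command). The sample output, usernames and addresses are constructed, and the Idle column is assumed to be printed as hh:mm:ss.

```python
"""Audit of inbound vty sessions from 'show users' output (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed 'show users' output in the IOS column layout; RFC 5737 addresses.
SAMPLE_SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:41:09
*  2 vty 0     netops     idle                 00:00:00 192.0.2.10
   3 vty 1     netops     idle                 02:15:41 192.0.2.11
   4 vty 2     backup     idle                 00:00:12 203.0.113.7

  Interface    User               Mode         Idle     Peer Address
"""

IDLE_RE = re.compile(r"\d+:\d{2}:\d{2}")           # assumed hh:mm:ss idle format
VTY_RE = re.compile(r"^(\*?)\s*(\d+)\s+vty\s+(\d+)\b")


@dataclass
class VtySession:
    line: int          # absolute line number, the argument to 'clear line'
    vty: int
    user: str
    idle_seconds: int
    location: str      # source address; empty if IOS printed none
    current: bool      # True for the '*' line, i.e. our own session


def idle_to_seconds(field):
    h, m, s = (int(x) for x in field.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_users(output):
    lines = output.splitlines()
    hdr_i = next(i for i, l in enumerate(lines) if "Line" in l and "Location" in l)
    hdr = lines[hdr_i]
    # The User column may be blank (no AAA/local login), so slice it by header position.
    c_user, c_hosts = hdr.index("User"), hdr.index("Host(s)")
    sessions = []
    for row in lines[hdr_i + 1:]:
        if not row.strip():
            break                           # blank line ends the tty table
        m = VTY_RE.match(row)
        if not m:
            continue                        # con/aux lines are not remote sessions
        toks = row.split()
        idle_i = next(i for i, t in enumerate(toks) if IDLE_RE.fullmatch(t))
        sessions.append(VtySession(
            line=int(m.group(2)), vty=int(m.group(3)),
            user=row[c_user:c_hosts].strip(),
            idle_seconds=idle_to_seconds(toks[idle_i]),
            location=toks[idle_i + 1] if idle_i + 1 < len(toks) else "",
            current=m.group(1) == "*"))
    return sessions


def _from_allowed(location, networks):
    try:
        return any(ipaddress.ip_address(location) in n for n in networks)
    except ValueError:                      # hostname or missing location
        return False


def sessions_to_clear(sessions, max_idle_seconds, allowed_sources):
    """Return [(command, reason)] for inbound sessions that should be cleared."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    actions = []
    for s in sessions:
        if s.current:
            continue                        # never clear the line you are typing on
        if not _from_allowed(s.location, nets):
            actions.append((f"clear line {s.line}",
                            f"{s.user or '<no user>'} from {s.location or '?'} "
                            "is outside the management prefixes"))
        elif s.idle_seconds > max_idle_seconds:
            actions.append((f"clear line {s.line}",
                            f"{s.user} idle {s.idle_seconds}s from {s.location}"))
    return actions


if __name__ == "__main__":
    found = parse_show_users(SAMPLE_SHOW_USERS)
    for cmd, why in sessions_to_clear(found, 1800, ["192.0.2.0/24"]):
        print(f"{cmd:14} # {why}")
```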
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************


From elparis at cisco.com Wed Feb 25 10:35:12 2009
From: elparis at cisco.com (Eloy Paris)
Date: Wed, 25 Feb 2009 10:35:12 -0500
Subject: [c-nsp] show session nothing
In-Reply-To: <207251.34049.qm@web111308.mail.gq1.yahoo.com>
References: <207251.34049.qm@web111308.mail.gq1.yahoo.com>
Message-ID: <20090225153512.GH14612@cisco.com>

Hi ann,

On Wed, Feb 25, 2009 at 07:06:48AM -0800, ann kok wrote:
> Hi
>
> I am connecting to the router with telnet
>
> sh sessions can't get any information
>
> router#sh sessions
> % No connections open
>
> Why?

"sh sessions" will tell you about connections established from the
device, i.e. outbound telnet or SSH, not inbound to the device.

> but I can get sh tcp vty 0
>
> How can I know how many existing connections in the router?
>
> and
>
> How can I kill idle connection?

If you have an outbound session you want to disconnect you can use the
"disconnect" command. If it is inbound, "clear line".
Cheers,

--
Eloy Paris
Cisco PSIRT
Ph: +1 919 392-9118


From psirt at cisco.com Wed Feb 25 11:00:00 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wednesday, 25 February 2009 10:00:00 -0600
Subject: [c-nsp] Cisco Security Advisory: Cisco Unified MeetingPlace Web Conferencing Authentication Bypass Vulnerability
Message-ID: <200902251000.mtgplace@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified MeetingPlace Web Conferencing
Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20090225-mtgplace

Revision 1.0

For Public Release 2009 February 25 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Unified MeetingPlace Web Conferencing servers may contain an
authentication bypass vulnerability that could allow an unauthenticated
user to gain administrative access to the MeetingPlace application.

Cisco has released free software updates that address this
vulnerability.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml

Affected Products
=================

Cisco Unified MeetingPlace conferencing solution provides functionality
that allows organizations to host integrated voice, video, and web
conferencing. The solution is deployed on-network, behind the firewall
and integrated directly into an organization's private voice/data
networks and enterprise applications. Cisco Unified MeetingPlace
servers can be deployed so that the server is accessible from the
Internet, allowing external parties to participate in meetings.

Vulnerable Products
+------------------

Cisco Unified MeetingPlace Web Conferencing servers running software
versions 6.0 and 7.0 may be affected by this vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified MeetingPlace Web Conferencing servers not running 6.0 or
7.0 software are not affected by this vulnerability.
Cisco Unified MeetingPlace Express is not affected by this
vulnerability.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

The Cisco Unified MeetingPlace Web Conferencing server may contain a
vulnerability that could allow an unauthenticated user to use a crafted
URL to bypass the authentication mechanisms of the server. If
successful, the user could gain full administrative access to the Cisco
Unified MeetingPlace application.

This vulnerability is documented in Cisco Bug ID CSCsv65815 and has been
assigned Common Vulnerability and Exposures (CVE) ID CVE-2009-0614.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsv65815 - Authentication Bypass in MeetingPlace Web Server

CVSS Base Score - 9
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  Partial
    Integrity Impact -        Partial
    Availability Impact -     Complete

CVSS Temporal Score - 7.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Impact
======

Successful exploitation of the vulnerability may result in unauthorized
access to the administrative functions of the Cisco Unified MeetingPlace
application.

Software Versions and Fixes
===========================

This vulnerability is fixed in Cisco Unified MeetingPlace Web
Conferencing software version 6.0(517.0), also known as Maintenance
Release 4 (MR4) for the 6.0 release, and version 7.0(2), also known as
Maintenance Release 1 (MR1) for the 7.0 release.

The latest versions of Cisco MeetingPlace software can be downloaded
from:

http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875240

The Cisco Unified MeetingPlace Web Server software is available at:

http://tools.cisco.com/support/downloads/go/Model.x?mdfid=278816725&mdfLevel=Software%20Version/Option&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20MeetingPlace%20Web%20Conferencing&treeMdfId=278875240

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release.
If the information is not clear, contact the Cisco Technical Assistance
Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

There are no workarounds for this vulnerability.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, customers agree to be bound by the terms of
Cisco's software license terms found at:

http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html

or as otherwise set forth at Cisco.com Downloads at:

http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission.
Due to the variety of affected products and releases, customers should
consult with their service provider or support organization to ensure
any applied workaround or fix is the most appropriate for use in the
intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.

Refer to:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

This vulnerability was reported to Cisco by National Australia Bank's
Security Assurance team. Cisco would like to thank the National
Australia Bank's Security Assurance team for the discovery and reporting
of the vulnerability.

The Cisco PSIRT is not aware of any malicious use of the vulnerability
described in this advisory.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK.
CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+--------------+------------------+------------------------+
| Revision 1.0 | 2008-February-25 | Initial public release |
+--------------+------------------+------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security
notices.
All Cisco security advisories are available at: http://www.cisco.com/go/psirt

From lowen at pari.edu Wed Feb 25 11:15:25 2009
From: lowen at pari.edu (Lamar Owen)
Date: Wed, 25 Feb 2009 11:15:25 -0500
Subject: [c-nsp] PA-GE - Incrementing Ignored and Overrun Errors
In-Reply-To: <20090224215738.GZ290@greenie.muc.de>
References: <041401c996b9$5e573720$1b05a560$@net>
Message-ID: <200902251115.26071.lowen@pari.edu>

On Tuesday 24 February 2009 16:57:38 Gert Doering wrote:
> "easily", no - the router performance PDF lists 46-71 Mbit/s for the
> VIP2-50 (for minimum sized packets), and GEIP is a VIP2-50.
> This is *old* hardware.

Indeed. We have a 7507 running a 12.4 IOS in production, and have both a GEIP and a GEIP+ in the box. The GEIP is indeed a PA-GE in a VIP2-50 (in fact, that is how I got a GEIP, by putting a VIP2-50 and a PA-GE together. The PA-GE was out of a 7204 that was 'deceased' and I had some VIP2-50's lying around; I put the PA-GE from the 7200 into the VIP2-50 (didn't work with a VIP4-80) and it came up as a GEIP.). The dual-width PA for the GEIP+ is an interesting beast; the archives of this list have lots of information on it.

The GEIP is used as a backup interface in my setup, with the GEIP+ handling the primary interfaces (several VLANs, and NAT going on), and I'm getting five minute averages over 100Mb/s with it. The GEIP isn't being stressed, so I don't have any data there. The other interface in the box is a POS OC3, so I'm limited to 150Mb/s regardless.

I will say this: the 7401 that is paired with the 7507 is somewhat faster; the 7507 is running RSP8's. I don't, unfortunately, have any metrics on just how much faster the 7401 is, sorry.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From psirt at cisco.com Wed Feb 25 11:15:00 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 25 Feb 2009 17:15:00 +0100
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine
Message-ID: <200902251717.ace@psirt.cisco.com>

Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine

Document ID: 109450

Advisory ID: cisco-sa-20090225-ace

http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml

Revision 1.0

For Public Release 2009 February 25 1600 UTC (GMT)

---------------------------------------------------------------------

Summary
=======

The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine contain multiple vulnerabilities that, if exploited, could result in any of the following impacts:

  * Administrative level access via default user names and passwords
  * Privilege escalation
  * A denial of service (DoS) condition

Cisco has released free software updates available for affected customers. Workarounds that mitigate some of the vulnerabilities are available.

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml

Note: This advisory is being released simultaneously with a multiple vulnerability disclosure advisory that impacts the Cisco 4700 Series Application Control Engine Device Manager and Application Networking Manager module software.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following table displays the products that are affected by each vulnerability that is described within this advisory.

+---------------------------------------+--------------------------------+--------------------------------+
| Vulnerability                         | Products and Versions Affected                                  |
|                                       |--------------------------------+--------------------------------|
|                                       | Cisco ACE 4710 Appliance       | Cisco ACE Module               |
|---------------------------------------+--------------------------------+--------------------------------|
| Default Usernames and Passwords       | All versions prior to A1(8a)   | All versions prior to A2(1.1)  |
|---------------------------------------+--------------------------------+--------------------------------|
| Privilege Escalation Vulnerability    | All versions prior to A1(8a)   | All versions prior to A2(1.2)  |
|---------------------------------------+--------------------------------+--------------------------------|
| Crafted SSH Packet Vulnerability      | All versions prior to A3(2.1)  | All versions prior to A2(1.3)  |
|---------------------------------------+--------------------------------+--------------------------------|
| Crafted Simple Network Management     | All versions prior to A3(2.1)  | All versions prior to A2(1.3)  |
| Protocol version 2 (SNMPv2) Packet    |                                |                                |
| Vulnerability                         |                                |                                |
|---------------------------------------+--------------------------------+--------------------------------|
| Crafted SNMPv3 Packet Vulnerability   | All versions prior to A1(8.0)  | All versions prior to A2(1.2)  |
+---------------------------------------+--------------------------------+--------------------------------+

Determining Software Versions
+----------------------------

To display the version of system software that is currently running on Cisco ACE Application Control Engine, use the show version command.
The following example displays the output of the show version command on the Cisco ACE Application Control Engine software version A3(1.0):

    ACE-4710/Admin# show version
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html

    Software
      loader:    Version 0.95
      system:    Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0
      system image file: (nd)/192.168.65.31/scimitar.bin
      Device Manager version 1.1 (0) 20080805:0415
    ...

The following example displays the output of the show version command on a Cisco ACE Application Control Engine module software version A1(1):

    ACE-mod/Admin# show version
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html

    Software
      loader:    Version 12.2[117]
      system:    Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1]
      system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A1_1.bin
      licensed features: no feature license is installed
    ...

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall, and the Cisco ACE GSS 4400 Series Global Site Selector Appliances are not affected by any of the vulnerabilities that are described in this advisory.
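To act on the show version output above, the following Python (an added example, not Cisco's code) extracts the running release from that output and compares it with the First Fixed Release column of the software table later in this advisory. The two sample outputs are constructed after the advisory's examples, and the ordering rule that a lettered rebuild such as A1(8a) sorts after A1(8.0) is an assumption.

```python
import re

# Constructed sample, modelled on the advisory's appliance output (not a real capture).
SAMPLE_APPLIANCE = """\
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
Software
  loader:    Version 0.95
  system:    Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0
  system image file: (nd)/192.168.65.31/scimitar.bin
"""

# Constructed sample, modelled on the advisory's module output running A1(1).
SAMPLE_MODULE = """\
ACE-mod/Admin# show version
Software
  loader:    Version 12.2[117]
  system:    Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1]
"""

# First Fixed Release column of the advisory's software table, per platform.
FIRST_FIXED = {
    "appliance": {
        "Default Usernames and Passwords": "A1(8a)",
        "Privilege Escalation Vulnerability": "A1(8a)",
        "Crafted SSH Packet Vulnerability": "A3(2.1)",
        "Crafted SNMPv2 Packet Vulnerability": "A3(2.1)",
        "Crafted SNMPv3 Packet Vulnerability": "A1(8.0)",
    },
    "module": {
        "Default Usernames and Passwords": "A2(1.1)",
        "Privilege Escalation Vulnerability": "A2(1.2)",
        "Crafted SSH Packet Vulnerability": "A2(1.3)",
        "Crafted SNMPv2 Packet Vulnerability": "A2(1.3)",
        "Crafted SNMPv3 Packet Vulnerability": "A2(1.2)",
    },
}

# ACE release strings look like A1(8a), A1(8.0), A2(1.3), A3(2.1). Only the
# "system:" line is consulted so the [build ...] string is never mistaken
# for the running release.
VERSION_RE = re.compile(r"\bA(\d+)\((\d+)(?:\.(\d+))?([a-z]?)\)")
SYSTEM_LINE_RE = re.compile(r"^\s*system:\s+Version\s+(\S+)", re.MULTILINE)


def parse_ace_version(release):
    """Turn 'A1(8a)' into a comparable tuple (train, major, minor, suffix).

    Assumption: a lettered rebuild such as A1(8a) sorts after A1(8.0).
    """
    m = VERSION_RE.search(release)
    if not m:
        raise ValueError("not an ACE release string: %r" % release)
    train, major, minor, suffix = m.groups()
    return (int(train), int(major), int(minor or 0), suffix)


def running_version(show_version_output):
    """Extract the running release tuple from 'show version' text."""
    m = SYSTEM_LINE_RE.search(show_version_output)
    if not m:
        raise ValueError("no 'system: Version' line found")
    return parse_ace_version(m.group(1))


def unfixed_vulnerabilities(show_version_output, platform):
    """Names of the advisory's vulnerabilities whose first fixed release is
    later than the release the device is running."""
    running = running_version(show_version_output)
    return [name for name, fixed in FIRST_FIXED[platform].items()
            if running < parse_ace_version(fixed)]


if __name__ == "__main__":
    for label, text in (("appliance", SAMPLE_APPLIANCE), ("module", SAMPLE_MODULE)):
        print(label, running_version(text), unfixed_vulnerabilities(text, label))
```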
No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco ACE 4710 Application Control Engine appliance and the Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are a load-balancing and application-delivery solution for data centers.

Multiple vulnerabilities exist in both products. The following information provides the details about each of the vulnerabilities that are addressed in this advisory.

Default Usernames and Passwords
+------------------------------

Versions of the Cisco ACE 4710 Application Control Engine appliance prior to software version A1(8a) use default administrator, web management, and device management account credentials. Similarly, software versions of the Cisco ACE Application Control Engine Module prior to software version A2(1.1) use default administrator and web management credentials. The appliance and module do not prompt users to modify system account passwords during the initial configuration process. An attacker with knowledge of these accounts could modify the application configuration and, in certain instances, gain user access to the host operating system.

This vulnerability is documented in the following Cisco Bug IDs and has been assigned the following Common Vulnerability and Exposures (CVE) IDs:

  * Cisco ACE Application Control Engine Module: CSCsq43828 ( registered customers only) - CVE-2009-0620
  * Cisco ACE Application Control Engine Appliance: CSCsq43229 ( registered customers only) - CVE-2009-0621

A third account, used for the Cisco 4700 Series Application Control Engine Appliance Device Manager, also uses default credentials. Only the Cisco ACE 4710 Application Control Engine appliance is affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsq32379 ( registered customers only) and has also been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0621.
Privilege Escalation Vulnerability
+---------------------------------

A vulnerability exists in versions of the Cisco ACE 4710 Application Control Engine appliance prior to A1(8a) and the Cisco ACE Application Control Engine Module prior to version A2(1.3). An authenticated user could exploit this vulnerability to invoke administrative commands via the device command line interface (CLI).

This vulnerability is documented in the following Cisco Bug IDs:

  * Cisco ACE Application Control Engine Module: CSCsq48546 ( registered customers only)
  * Cisco ACE 4710 Application Control Engine Appliance: CSCsq09839 ( registered customers only)

This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0622.

Crafted SSH Packet Vulnerability
+-------------------------------

A vulnerability exists in the Cisco ACE 4710 Application Control Engine appliance prior to software version A3(2.1) and the Cisco ACE Application Control Engine Module prior to software version A2(1.3). An attacker could exploit this vulnerability to cause the device to reload by sending a crafted SSH packet to it.

Note: SSH access must be configured on the affected device for it to be vulnerable. SSH access is not enabled by default. A full TCP three-way handshake is not necessary to trigger the effects of this vulnerability.

This vulnerability is documented in the following Cisco Bug IDs:

  * Cisco ACE Application Control Engine Module: CSCsv01877 ( registered customers only)
  * Cisco ACE 4710 Application Control Engine Appliance: CSCsv01738 ( registered customers only)

This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0623.

Crafted SNMPv2c Packet Vulnerability
+-----------------------------------

A vulnerability exists in the Cisco ACE 4710 Application Control Engine appliance prior to software version A3(2.1) and the Cisco ACE Application Control Engine Module prior to software version A2(1.3).
An authenticated attacker could send a crafted SNMPv1 packet to an affected device to cause it to reload.

Note: SNMPv2c must be explicitly configured in an affected device in order to process any SNMPv2c transactions. SNMPv2c is not enabled by default.

This vulnerability is documented in the following Cisco Bug IDs:

  * Cisco ACE Application Control Engine Module: CSCsu36038 ( registered customers only)
  * Cisco ACE 4710 Application Control Engine Appliance: CSCsu47876 ( registered customers only)

This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0624.

Crafted SNMPv3 Packet Vulnerability
+----------------------------------

A vulnerability exists in the Cisco ACE 4710 Application Control Engine appliance prior to software version A1(8.0) and the Cisco ACE Application Control Engine Module prior to software version A2(1.2). An attacker could cause a device to reload by sending a crafted SNMPv3 packet to it.

Note: SNMPv3 must be explicitly configured in an affected device in order to process any SNMPv3 transactions. SNMPv3 is not enabled by default.

This vulnerability is documented in the following Cisco Bug IDs:

  * Cisco ACE Application Control Engine Module: CSCsq45432 ( registered customers only)
  * Cisco ACE 4710 Application Control Engine Appliance: CSCso83126 ( registered customers only)

This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0625.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score.
Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCsq43828 and CSCsq43229 - Default users and passwords on ACE module and appliance

CVSS Base Score - 10
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - Complete
  Integrity Impact - Complete
  Availability Impact - Complete

CVSS Temporal Score - 8.7
  Exploitability - High
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

CSCsq32379 - DM Default Account Credentials

CVSS Base Score - 10
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - Complete
  Integrity Impact - Complete
  Availability Impact - Complete

CVSS Temporal Score - 8.7
  Exploitability - High
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

CSCsq48546 and CSCsq09839 - Privilege escalation issue on ACE Module and ACE Appliance

CVSS Base Score - 9
  Access Vector - Network
  Access Complexity - Low
  Authentication - Single
  Confidentiality Impact - Complete
  Integrity Impact - Complete
  Availability Impact - Complete

CVSS Temporal Score - 7.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

CSCsv01877 and CSCsv01738 - Crafted SSH packet may cause ACE module or appliance to reload

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

CSCsu36038 and CSCsu47876 - Crafted SNMPv2c packet may crash ACE module and appliance

CVSS Base Score - 6.8
  Access Vector - Network
  Access Complexity - Single
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 5.6
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

CSCso83126 and CSCsq45432 - Crafted SNMPv3 packet may crash ACE appliance

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

An attacker with knowledge of the Default Usernames and Passwords Vulnerability accounts could modify the device configuration and, in certain instances, gain user access to the host operating system.

An exploit of the Privilege Escalation Vulnerability could allow an authenticated attacker to execute host operating system administrative commands.

Successful exploitation of the Crafted SSH Packet Vulnerability, Crafted SNMPv2 Packet Vulnerability, and Crafted SNMPv3 Packet Vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
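The base and temporal scores listed under Vulnerability Scoring Details above follow from their metric values, and the environmental score the advisory invites customers to compute builds on them. The following Python, added here and not part of the Cisco advisory, implements the CVSS v2.0 base, temporal and environmental equations and checks them against the advisory's figures; for the SNMPv2c entry, whose metric line reads "Access Complexity - Single / Authentication - None", the vector AV:N/AC:L/Au:S/C:N/I:N/A:C is assumed, since that is the one that reproduces the listed 6.8, and the environmental values (CDP, TD, AR) in the usage line are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# CVSS v2.0 metric weights, as published in the CVSS v2 specification.
AV = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}           # Access Vector
AC = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}            # Access Complexity
AU = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}           # Authentication
CIA = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}            # C / I / A impact
E = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
RL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
RC = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}
CDP = {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")}
TD = {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")}
REQ = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}   # CR / IR / AR


def parse_vector(vec):
    """Split 'AV:N/AC:L/Au:N/...' into a {metric: value} dict."""
    return dict(part.split(":", 1) for part in vec.split("/"))


def _round1(x):
    # The spec's round_to_1_decimal; Decimal keeps ties such as 8.265 deterministic.
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def _impact(m, cr=D("1.0"), ir=D("1.0"), ar=D("1.0"), cap=False):
    raw = D("10.41") * (1 - (1 - CIA[m["C"]] * cr) * (1 - CIA[m["I"]] * ir) * (1 - CIA[m["A"]] * ar))
    return min(raw, D("10")) if cap else raw   # only AdjustedImpact is capped at 10


def _exploitability(m):
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]


def _base(m, impact):
    f_impact = D("0") if impact == 0 else D("1.176")
    return _round1((D("0.6") * impact + D("0.4") * _exploitability(m) - D("1.5")) * f_impact)


def _temporal(m, base):
    return _round1(base * E[m.get("E", "ND")] * RL[m.get("RL", "ND")] * RC[m.get("RC", "ND")])


def cvss2_base(vec):
    m = parse_vector(vec)
    return float(_base(m, _impact(m)))


def cvss2_temporal(vec):
    m = parse_vector(vec)
    return float(_temporal(m, _base(m, _impact(m))))


def cvss2_environmental(vec):
    """Temporal score recomputed with AdjustedImpact, then CDP and TD applied."""
    m = parse_vector(vec)
    cr, ir, ar = (REQ[m.get(k, "ND")] for k in ("CR", "IR", "AR"))
    adj_temporal = _temporal(m, _base(m, _impact(m, cr, ir, ar, cap=True)))
    cdp, td = CDP[m.get("CDP", "ND")], TD[m.get("TD", "ND")]
    return float(_round1((adj_temporal + (10 - adj_temporal) * cdp) * td))


# Metric vectors transcribed from the advisory's scoring section with its listed
# (base, temporal) scores. The SNMPv2c vector is an assumption (see lead-in).
ADVISORY_SCORES = {
    "CSCsq43828/CSCsq43229 default users and passwords":
        ("AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C", 10.0, 8.7),
    "CSCsq32379 DM default account credentials":
        ("AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C", 10.0, 8.7),
    "CSCsq48546/CSCsq09839 privilege escalation":
        ("AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C", 9.0, 7.4),
    "CSCsv01877/CSCsv01738 crafted SSH packet":
        ("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C", 7.8, 6.4),
    "CSCsu36038/CSCsu47876 crafted SNMPv2c packet (assumed Au:S)":
        ("AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C", 6.8, 5.6),
    "CSCso83126/CSCsq45432 crafted SNMPv3 packet":
        ("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C", 7.8, 6.4),
}


def check_advisory_scores():
    """Entries whose recomputed scores differ from the advisory's; empty means all agree."""
    mismatches = []
    for name, (vec, base, temporal) in ADVISORY_SCORES.items():
        got = (cvss2_base(vec), cvss2_temporal(vec))
        if got != (base, temporal):
            mismatches.append((name, got))
    return mismatches


if __name__ == "__main__":
    print("mismatches:", check_advisory_scores())
    # Constructed environmental view of the SSH reload bug: SSH reachable from the
    # whole network (CDP:MH), every ACE in scope (TD:H), availability critical (AR:H).
    print(cvss2_environmental("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:MH/TD:H/AR:H"))
```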
In each row of the software table (below), the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.

+-------------------------------------+--------------------------------+--------------------------------+
|                                     | Cisco ACE 4710 Appliance       | Cisco ACE Module               |
| Vulnerability                       |---------------+----------------+---------------+----------------|
|                                     | First Fixed   | Recommended    | First Fixed   | Recommended    |
|                                     | Release       | Release        | Release       | Release        |
|-------------------------------------+---------------+----------------+---------------+----------------|
| Default Usernames and Passwords     | A1(8a)        | A3(2.1)        | A2(1.1)       | A2(1.3)        |
|-------------------------------------+---------------+----------------+---------------+----------------|
| Privilege Escalation Vulnerability  | A1(8a)        | A3(2.1)        | A2(1.2)       | A2(1.3)        |
|-------------------------------------+---------------+----------------+---------------+----------------|
| Crafted SSH Packet Vulnerability    | A3(2.1)       | A3(2.1)        | A2(1.3)       | A2(1.3)        |
|-------------------------------------+---------------+----------------+---------------+----------------|
| Crafted SNMPv2 Packet Vulnerability | A3(2.1)       | A3(2.1)        | A2(1.3)       | A2(1.3)        |
|-------------------------------------+---------------+----------------+---------------+----------------|
| Crafted SNMPv2 Packet Vulnerability | A1(8.0)       | A3(2.1)        | A2(1.2)       | A2(1.3)        |
+-------------------------------------+---------------+----------------+---------------+----------------+

Cisco ACE module software can be downloaded from: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289

Cisco ACE 4710 Application Control Engine appliance software can be downloaded from: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179

Workarounds
===========

This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other.

Default Usernames and Passwords
+------------------------------

To change the default administrative password, use the username command in configuration mode. The syntax of this command is as follows:

    username admin [password [0 | 5] {password}]

The keywords, arguments, and options are:

  admin--Specifies the default administrative user name.
  password--(Optional) Keyword that indicates that a password follows.
  0--(Optional) Specifies a clear text password.
  5--(Optional) Specifies an MD5-hashed strong encryption password.
  password--The password in clear text, encrypted text, or MD5 strong encryption, depending on the numbered option (0 or 5) that you enter. If you do not enter a numbered option, the password is in clear text by default. Enter a password as an unquoted text string with a maximum of 64 characters.

For example, to create a user named admin that uses the clear text password my_super_secret_88312, enter the following command:

    ACE(config)# username admin password 0 my_super_secret_88312

Note: This process can also be followed to change the www user account credentials. The dm user is for accessing the Device Manager GUI and cannot be modified or deleted.
The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE CLI.

For more information refer to: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html

Privilege Escalation Vulnerability
+---------------------------------

There are no workarounds for this vulnerability.

Crafted SSH Packet Vulnerability
+-------------------------------

SSH management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies. This Management Traffic Service example denies unauthorized SSH packets that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SSH access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address.

The following example demonstrates how SSH access to the ACE is only allowed from the 192.168.100.1 host:

    !-- Configure a class to allow SSH from the trusted source
    !
    class-map type management match-all Permit_SSH_Class
      description Allow SSH from trusted sources Class
      match protocol ssh source-address 192.168.100.1 255.255.255.255
    !
    !-- Configure a management policy that allows ssh from the
    !-- trusted source configured in the above class
    !
    policy-map type management first-match Permit_SSH_Policy
      description Allow SSH from trusted sources Policy
      class Permit_SSH_Class
        permit
    !
    !-- Apply the management policy globally
    !
    service-policy input Permit_SSH_Policy

Additional information about "Configuring SSH Management Sessions" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/access.html#wp1049450

Additional information about "Configuring Class Maps and Policy Maps" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html

Warning: It is possible to easily spoof the sender's IP address, which may defeat class maps and access control lists (ACLs) that permit communication to the device from trusted IP addresses.

Crafted SNMPv2 and SNMPv3 Packet Vulnerabilities
+-----------------------------------------------

SNMP management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies. This Management Traffic Service example denies unauthorized SNMP packets on UDP port 161 that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SNMP access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address.

    !-- Configure a class to allow SNMP from the trusted source
    !
    class-map type management match-all Permit_SNMP_Class
      description Allow SNMP from trusted sources Class
      2 match protocol snmp source-address 192.168.100.1 255.255.255.255
    !
    !-- Configure a management policy that allows snmp from the
    !-- trusted source configured in the above class
    !
    policy-map type management first-match Permit_SNMP_Policy
      description Allow SNMP from trusted sources Policy
      class Permit_SNMP_Class
        permit
    !
    !-- Apply the management policy globally
    !
    service-policy input Permit_SNMP_Policy

Additional information about "SNMP Management Traffic Services" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/snmp.html#wp1034011

Additional information about "Configuring Class Maps and Policy Maps" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090225-ace.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels.
For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

These vulnerabilities were found during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
================

+--------------+------------------+------------------------+
| Revision 1.0 | 2009-February-25 | Initial public release |
+--------------+------------------+------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices.

All Cisco security advisories are available at http://www.cisco.com/go/psirt

From Jay.Murphy at state.nm.us Wed Feb 25 11:27:30 2009
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Wed, 25 Feb 2009 09:27:30 -0700
Subject: [c-nsp] show session nothing
In-Reply-To: <207251.34049.qm@web111308.mail.gq1.yahoo.com>
References: <207251.34049.qm@web111308.mail.gq1.yahoo.com>
Message-ID:

router#sh users

or

router#who

Jay Murphy
IP Network Specialist
NM Department of Health
ITSD - IP Network Operations
Santa Fe, New Mexico 87502
Bus. Ph.: 505.827.2851

"We move the information that moves your world."

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ann kok
Sent: Wednesday, February 25, 2009 8:07 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] show session nothing

Hi

I am connecting to the router with telnet

sh sessions can't get any information

router#sh sessions
% No connections open

Why? but I can get sh tcp vty 0

How can I know how many existing connections in the router? and How can I kill idle connection?
Thank you

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From mtinka at globaltransit.net Wed Feb 25 12:17:46 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 26 Feb 2009 01:17:46 +0800
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
Message-ID: <200902260117.47321.mtinka@globaltransit.net>

Hi all.

Is there anyone else still seeing this bug even with 12.2(33)SRC3, where Cisco say they have it fixed?

We recently saw an NPE-G1 reboot because of this. We've since re-engaged the workaround (disabling BFD) until we hear more from TAC.

This bug is very annoying...

Cheers,

Mark.
From psirt at cisco.com Wed Feb 25 12:10:54 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 25 Feb 2009 12:10:54 -0500
Subject: [c-nsp] Cisco Security Advisory: Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities
Message-ID: <200902251215.anm@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities

Advisory ID: cisco-sa-20090225-anm

http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml

Revision 1.0

For Public Release 2009 February 25 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco Application Networking Manager (ANM) and Cisco Application Control Engine (ACE) Device Manager applications. These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access.

This security advisory identifies the following vulnerabilities:

* ACE Device Manager and ANM invalid directory permissions vulnerability
* ANM default user credentials vulnerability
* ANM MySQL default credentials vulnerability
* ANM Java agent privilege escalation

Cisco has released free software updates that address these vulnerabilities. A workaround that mitigates one of the issues is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml.

Note: This advisory is being released simultaneously with a multiple vulnerabilities advisory impacting the ACE appliance and module software, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml.

Affected Products
=================

Vulnerable Products
- -------------------

The following are the products and versions affected by each vulnerability described within this advisory.
+---------------------------------+--------------------+----------------------------------------+
| Vulnerability                   | Product Affected   | Version Affected                       |
|---------------------------------+--------------------+----------------------------------------|
| Invalid Directory Permissions   | ACE Device Manager | All versions prior to A3(2.1)          |
| Invalid Directory Permissions   | ANM                | All versions prior to ANM 2.0          |
| Default User Credentials        | ANM                | All versions prior to ANM 2.0          |
| MySQL Default Credentials       | ANM                | All versions prior to ANM 2.0          |
| Java Agent Privilege Escalation | ANM                | All versions prior to ANM 2.0 Update A |
+---------------------------------+--------------------+----------------------------------------+

Determining ACE Device Manager Software Version
+----------------------------------------------

The ACE Device Manager is embedded with the ACE appliance software. To display the version of system software that is currently running on the device, use the "show version" command. The following example includes the output of the "show version" command on a Cisco ACE appliance running software version A3(2.1):

ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html.
Software
  loader:    Version 0.95
  system:    Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1]
  system image file: (nd)/192.168.65.32/scimitar.bin
  Device Manager version 1.1 (0) 20081113:2052
---

Determining ANM Software Version
+-------------------------------

To display the version of ANM software that is currently installed, log in to the ANM server and select the "About" keyword in the upper right. An informational pop-up window will be displayed. ANM Version 2.0 Update A is indicated in the example output below.

Version: 2.0(0), Update: A
Build Number: 709
Build Timestamp: 20081031:1226

Products Confirmed Not Vulnerable
- ---------------------------------

The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400 Series and Cisco ACE Web Application Firewall are not affected by any of these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

ANM is a network management application that manages Cisco ACE modules or appliances. ANM is installed on customer provided servers with a Red Hat Enterprise Linux operating system.

The ACE Device Manager provides a browser-based interface for configuring and managing a single ACE appliance. The ACE Device Manager resides in flash memory on the ACE appliance.

Multiple vulnerabilities exist in ANM and one in the ACE Device Manager products. The following details are provided for each vulnerability addressed in this security advisory.

Invalid Directory Permissions
+----------------------------

Versions of the Cisco ACE Device Manager prior to software version A3(2.1) and Cisco ANM prior to software version ANM 2.0 contain directory traversal vulnerabilities. These vulnerabilities could allow unauthorized access to ACE operating system and host operating system files. To exploit these vulnerabilities, authentication is required to initially access either product.
This vulnerability is documented in the following Cisco Bug IDs:

* CSCsv66063
* CSCsv70130

This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0615.

Default User Credentials
+-----------------------

Versions of Cisco ANM prior to software version ANM 2.0 do not force credential changes during installation. If these credentials are left unchanged, this could allow unauthorized access to the ANM application with default user credentials.

This vulnerability is documented in the following Cisco Bug ID:

* CSCsu52724

This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0616.

MySQL Default Credentials
+------------------------

ANM versions prior to ANM 2.0 use a default MySQL root user password during installation. The MySQL database is installed by default when ANM is initially installed. This vulnerability can be exploited remotely with default credential authentication and without end-user interaction. Unauthorized access to the database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system. The ACE appliance and module device configuration files in the MySQL database are encrypted.

This vulnerability is documented in the following Cisco Bug ID:

* CSCsu52632

This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0617.

Java Agent Privilege Escalation
+------------------------------

ANM versions prior to ANM 2.0 Update A contain a remotely exploitable vulnerability that could allow an attacker to view configuration files and modify ANM processes including the capability to stop services. Exploitation of this issue could result in system information disclosure or denial of services.

This vulnerability is documented in the following Cisco Bug ID:

* CSCsu73001

This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0618.
Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* ACE Device Manager invalid directory permissions (CSCsv66063)

  CVSS Base Score - 9.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

  CVSS Temporal Score - 7.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* ANM invalid directory permissions (CSCsv70130)

  CVSS Base Score - 9.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

  CVSS Temporal Score - 7.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* ANM default user credentials during installation (CSCsu52724)

  CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

  CVSS Temporal Score - 8.7
    Exploitability - High
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* ANM embedded MySQL default credentials (CSCsu52632)

  CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

  CVSS Temporal Score - 8.7
    Exploitability - High
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* ANM Java agent privilege escalation (CSCsu73001)

  CVSS Base Score - 8.5
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 7.4
    Exploitability - High
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the ACE Device Manager and ANM invalid directory permission vulnerabilities may allow unauthorized access to view or modify the ACE Device Manager or ANM file system, including host operating system files. Modification of some system files could result in a denial of service condition.

Exploitation of the ANM default user credential and ANM MySQL database default credential vulnerabilities may allow an attacker to gain unauthorized system access. Modification of ANM settings with the default user credentials could result in a denial of service condition. Unauthorized access to the MySQL database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system.

Successful exploitation of the ANM privilege escalation vulnerability may result in unauthorized remote access to system processes and services with the ability to modify. Modification of these services could result in a denial of service condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
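As an added example (not part of the Cisco advisory or any Cisco tool), the following Python reimplements the CVSS v2.0 base and temporal equations with the specification's published metric weights and recomputes the scores in the scoring section above from the metric values the advisory lists for each bug ID, so a reader can verify how a "Single" versus "None" authentication value or a "Partial" confidentiality impact moves the score.

```python
"""CVSS v2 base/temporal scoring for the vectors in cisco-sa-20090225-anm.

Added example, not part of the Cisco advisory or any Cisco tool: it
reimplements the CVSS v2.0 equations and recomputes the scores the advisory
publishes from the metric values it lists for each bug ID.
"""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"Local": D("0.395"), "Adjacent Network": D("0.646"), "Network": D("1.0")}
ACCESS_COMPLEXITY = {"High": D("0.35"), "Medium": D("0.61"), "Low": D("0.71")}
AUTHENTICATION = {"Multiple": D("0.45"), "Single": D("0.56"), "None": D("0.704")}
IMPACT = {"None": D("0"), "Partial": D("0.275"), "Complete": D("0.660")}
EXPLOITABILITY = {"Unproven": D("0.85"), "Proof-of-Concept": D("0.9"),
                  "Functional": D("0.95"), "High": D("1.0"), "Not Defined": D("1.0")}
REMEDIATION_LEVEL = {"Official-Fix": D("0.87"), "Temporary-Fix": D("0.90"),
                     "Workaround": D("0.95"), "Unavailable": D("1.0"), "Not Defined": D("1.0")}
REPORT_CONFIDENCE = {"Unconfirmed": D("0.90"), "Uncorroborated": D("0.95"),
                     "Confirmed": D("1.0"), "Not Defined": D("1.0")}


def round1(value):
    """CVSS v2 round_to_1_decimal: conventional half-up rounding."""
    return value.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def base_score(av, ac, au, conf, integ, avail):
    """Base score: impact and exploitability sub-scores combined per CVSS v2."""
    impact = D("10.41") * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = D("0") if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def temporal_score(base, expl, rl, rc):
    """Temporal score scales the (already rounded) base score."""
    return round1(base * EXPLOITABILITY[expl] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


# Metric values and published scores transcribed from the advisory's scoring section.
ADVISORY = {
    "CSCsv66063": dict(av="Network", ac="Low", au="Single", conf="Complete", integ="Complete",
                       avail="Complete", expl="Functional", rl="Official-Fix", rc="Confirmed",
                       published=(D("9.0"), D("7.4"))),
    "CSCsv70130": dict(av="Network", ac="Low", au="Single", conf="Complete", integ="Complete",
                       avail="Complete", expl="Functional", rl="Official-Fix", rc="Confirmed",
                       published=(D("9.0"), D("7.4"))),
    "CSCsu52724": dict(av="Network", ac="Low", au="None", conf="Complete", integ="Complete",
                       avail="Complete", expl="High", rl="Official-Fix", rc="Confirmed",
                       published=(D("10.0"), D("8.7"))),
    "CSCsu52632": dict(av="Network", ac="Low", au="None", conf="Complete", integ="Complete",
                       avail="Complete", expl="High", rl="Official-Fix", rc="Confirmed",
                       published=(D("10.0"), D("8.7"))),
    "CSCsu73001": dict(av="Network", ac="Low", au="None", conf="Partial", integ="None",
                       avail="Complete", expl="High", rl="Official-Fix", rc="Confirmed",
                       published=(D("8.5"), D("7.4"))),
}


def check_advisory(entries=ADVISORY):
    """Recompute every entry; return {bug_id: (base, temporal, matches_published)}."""
    results = {}
    for bug_id, m in entries.items():
        base = base_score(m["av"], m["ac"], m["au"], m["conf"], m["integ"], m["avail"])
        temporal = temporal_score(base, m["expl"], m["rl"], m["rc"])
        results[bug_id] = (float(base), float(temporal), (base, temporal) == m["published"])
    return results


if __name__ == "__main__":
    for bug_id, (base, temporal, ok) in check_advisory().items():
        print(f"{bug_id}: base {base} temporal {temporal} {'matches' if ok else 'MISMATCH'}")
```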
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Each row of the following software table identifies the earliest possible software release that contains the fix listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the release which has fixes for all the published vulnerabilities at the time of this Advisory.

+--------------------------------------------------+---------------------+---------------------+
| Vulnerability                                    | First Fixed Release | Recommended Release |
|--------------------------------------------------+---------------------+---------------------|
| ACE Device Manager Invalid Directory Permissions | A3(2.1)             | A3(2.1)             |
| ANM Invalid Directory Permissions                | ANM 2.0             | ANM 2.0 Update A    |
| ANM Default User Credentials                     | ANM 2.0             | ANM 2.0 Update A    |
| ANM MySQL Default Credentials                    | ANM 2.0             | ANM 2.0 Update A    |
| ANM Java Agent Privilege Escalation              | ANM 2.0 Update A    | ANM 2.0 Update A    |
+--------------------------------------------------+---------------------+---------------------+

ANM 2.0 Update A can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin

ACE Device Manager A3(2.1) can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin

Workarounds
===========

While this Security Advisory describes multiple distinct vulnerabilities, a workaround exists for only the following vulnerability.
ANM Default User Credentials
+---------------------------

The ANM user "admin" account password may be modified after installation by following the procedures documented for "Changing the Admin Password" located in the ANM User Guide at: http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216

Applied Mitigation Bulletin
+--------------------------

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
- --------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
- -------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
- -----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

Acknowledgement to the National Australia Bank's Security Assurance team for the discovery and reporting of the ACE Device Manager directory permissions vulnerability. The remaining vulnerabilities were identified through internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
================

+----------------------------------------------------------+
| Revision 1.0 | 2009 February 25 | Initial public release |
+----------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Feb 25, 2009
Document ID: 109451

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmlezoACgkQ86n/Gc8U/uAexwCfYI7DnCQWq4XF2Id8o6bO4+zJ
a6IAn0r51YyfdsXPFgYII7OPUWLzJHLU
=xUPr
-----END PGP SIGNATURE-----

From Daniel.Peachey at sns.bskyb.com Wed Feb 25 12:25:34 2009
From: Daniel.Peachey at sns.bskyb.com (Dan Peachey)
Date: Wed, 25 Feb 2009 17:25:34 -0000
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
References: <200902260117.47321.mtinka@globaltransit.net>
Message-ID: <25832F73CFADDD4F8291320FD507BA68018F829B@exch2-bllon.uk.easynet.corp>

> Hi all.
>
> Is there anyone else still seeing this bug even with
> 12.2(33)SRC3, where Cisco say they have it fixed?
>
> We recently saw an NPE-G1 reboot because of this. We've
> since re-engaged the workaround (disabling BFD) until we
> hear more from TAC.
>
> This bug is very annoying...
>
> Cheers,
>
> Mark.

Hi Mark,

Do you have the bug ID for this? I am currently evaluating SRC2 and would be interested in reading up on it.
Cheers,

Dan

From mtinka at globaltransit.net Wed Feb 25 12:42:06 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 26 Feb 2009 01:42:06 +0800
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <25832F73CFADDD4F8291320FD507BA68018F829B@exch2-bllon.uk.easynet.corp>
References: <200902260117.47321.mtinka@globaltransit.net> <25832F73CFADDD4F8291320FD507BA68018F829B@exch2-bllon.uk.easynet.corp>
Message-ID: <200902260142.13371.mtinka@globaltransit.net>

On Thursday 26 February 2009 01:25:34 am Dan Peachey wrote:

> Do you have the bug ID for this?

CSCek75694 and CSCsq32269

> I am currently
> evaluating SRC2 and would be interested in reading up on
> it.

I'd recommend staying away from SRC2 - it's riddled with a number of "discovered" bugs. I'd suggest you consider SRC3 instead, if you're looking at 12.2SR.
Just don't run BFD!

Cheers,

Mark.

From awain567 at yahoo.com Wed Feb 25 11:46:28 2009
From: awain567 at yahoo.com (Alex Wa)
Date: Wed, 25 Feb 2009 08:46:28 -0800 (PST)
Subject: [c-nsp] flash disk problem
Message-ID: <489307.6197.qm@web58001.mail.re3.yahoo.com>

Hi guys

I copied a file to slavedisk0: on a 6513-sup II board. When I try to use verify slaveslot0:filename I get this error output

%Error verifying slaveslot0:c6sup22-jk2sv-mz.121-22.E2.bin (Bad file number)

The disk was formatted in this switch and the file copied without problems. The issue is that I'm trying to upgrade the IOS to the new one in flash and it can't load.

I also would like to know the difference between disk0: and slot0:, I don't fully understand it, if any.

Thanks in advance

Alejandro

From lowen at pari.edu Wed Feb 25 12:54:33 2009
From: lowen at pari.edu (Lamar Owen)
Date: Wed, 25 Feb 2009 12:54:33 -0500
Subject: [c-nsp] IOS Trains differnces
In-Reply-To: <200902221214.27305.mtinka@globaltransit.net>
References: <42F0C766A9A8DB47B5E86CA64738DC8B01905F77@bilbo.bdhz.c2c.local>
Message-ID: <200902251254.33636.lowen@pari.edu>

On the original subject of Trains Difference, here's an obscure one for you. I'm running four routers on an OC3 WAN link, and am running 1+1 APS at both ends. One end has a 12012 and a 7507; the other end has a 7507 and a 7401ASR. The 7401ASR and the 7507 on the far end are running 12.4 mainline, with the 7507 and 12012 on the near end running 12.0S. 12.0S has a later version of the APS protocol, PGP, than 12.4 mainline does (version 3 for 12.0S, and version 1 for 12.4 mainline). Go figure.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From cchurc05 at harris.com Wed Feb 25 12:55:56 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 25 Feb 2009 11:55:56 -0600
Subject: [c-nsp] flash disk problem
In-Reply-To: <489307.6197.qm@web58001.mail.re3.yahoo.com>
References: <489307.6197.qm@web58001.mail.re3.yahoo.com>
Message-ID:

Does the Sup have Rommon 7.1(1) on it? Otherwise, it won't understand the 64MB ATA card. I believe that's the only one that shows up as disk0:. The smaller ones aren't ATA, so they're linear and show up as slot0:. Did you try verify slavedisk0:filename?

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alex Wa
Sent: Wednesday, February 25, 2009 11:46 AM
To: lista de correo de cisco
Subject: [c-nsp] flash disk problem

Hi guys

I copied a file to slavedisk0: on a 6513-sup II board. When I try to use verify slaveslot0:filename I get this error output

%Error verifying slaveslot0:c6sup22-jk2sv-mz.121-22.E2.bin (Bad file number)

The disk was formatted in this switch and the file copied without problems. The issue is that I'm trying to upgrade the IOS to the new one in flash and it can't load.

I also would like to know the difference between disk0: and slot0:, I don't fully understand it, if any.

Thanks in advance

Alejandro

From mduksa at gmail.com Wed Feb 25 13:45:01 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Wed, 25 Feb 2009 10:45:01 -0800
Subject: [c-nsp] show mBGP vpn advertized routes
In-Reply-To:
References:
Message-ID:

ok. Thanks. But the next hop is still not right. It shows this below in red when my advertised next hop is 1.1.1.1.
I checked that by capturing BGP Update message.
Does anyone know why would next hop be displayed as 0.0.0.0.

Thanks,
Marlon

7609s#show bgp vpnv4 unicast vrf ipvpn_1 191.1.0.0/24
BGP routing table entry for 1:0:191.1.0.0/24, version 3
Paths: (1 available, best #1, table ipvpn_1)
  Advertised to update-groups:
     2 1
  Local
    0.0.0.0 from 0.0.0.0 (191.1.0.1)
      Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:0
      mpls labels in/out IPv4 VRF Aggr:20/nolabel(ipvpn_1)

On Tue, Feb 24, 2009 at 6:42 PM, Sergio D. wrote:

> You can look at the BGP rib to see what label is assigned:
>
> 7200-UT02>sh bgp vpnv4 unicast vrf vrfData x.x.x.x/29
> BGP routing table entry for 100:1:x.x.x.x/29, version 916
> Paths: (2 available, best #1, table vrfData)
>   Advertised to update-groups:
>      1 2 3
>   Local
>     10.128.90.2 from 0.0.0.0 (10.0.0.5)
>       Origin incomplete, metric 20, localpref 100, weight 32768, valid, sourced, best
>       Extended Community: RT:100:1 OSPF DOMAIN ID:0x0005:0x000000650200
>         OSPF RT:0.0.0.0:5:1 OSPF ROUTER ID:x.x.x.x:0
>       mpls labels in/out *335*/nolabel
>
> ====================================================================
>
> Hi,
> Is there any way to show some meaningful info on what Cisco is advertising to its vpnv4 peers.
>
> This is what I have:
>
> router_1 #show bgp vpnv4 unicast all neighbors 192.1.0.2 advertised-routes
> BGP table version is 1926, local router ID is 1.1.1.1
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> Route Distinguisher: 1:0 (default for vrf ipvpn_1) VRF Router ID 191.1.0.1
> *> 191.1.0.0/24     0.0.0.0                  0         32768 ?
>
> I'd like to see the label that is advertised along with this route.
> For example this route is advertised from a CE side to the PE, and its label is 20 and also the next hop is 1.1.1.1 (and not 0.0.0.0 as it is shown here - is this a bug?).
>
> Juniper has such nice output for a similar command, lots of details on what is getting advertised.
>
> Anyone knows?
> Thanks,
> Marlon
>
> --
> Sergio Danelli
> JNCIE #170

From peter at rathlev.dk Wed Feb 25 14:25:01 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 25 Feb 2009 20:25:01 +0100
Subject: [c-nsp] show mBGP vpn advertized routes
In-Reply-To:
References:
Message-ID: <1235589901.3552.139.camel@localhost.localdomain>

On Wed, 2009-02-25 at 10:45 -0800, Marlon Duksa wrote:
> ok. Thanks. But the next hop is still not right. It shows this below in red

In red? On my monochrome display? ;-)

> when my advertised next hop is 1.1.1.1. I checked that by capturing BGP
> Update message.
> Does anyone know why would next hop be displayed as 0.0.0.0.

When you see "0.0.0.0" as next hop in the BGP table it means that the prefix is originated on this router itself. Consult the RIP ("show ip route vrf ipvpn_1 191.1.0.0") or FIB ("show ip cef vrf ipvpn_1 191.1.0.0") to find out exactly what routing decision the box makes.

> 7609s#show bgp vpnv4 unicast vrf ipvpn_1 191.1.0.0/24
> BGP routing table entry for 1:0:191.1.0.0/24, version 3
> Paths: (1 available, best #1, table ipvpn_1)
>   Advertised to update-groups:
>      2 1
>   Local
>     0.0.0.0 from 0.0.0.0 (191.1.0.1)
>       Origin incomplete, metric 0, localpref 100, weight 32768, valid,
>       sourced, best
>       Extended Community: RT:1:0
>       mpls labels in/out IPv4 VRF Aggr:20/nolabel(ipvpn_1)

So this prefix is from yourself ("7609s"). The prefix has been redistributed maybe with "redistribute connected" in the configuration. You announce an aggregate label for the whole VRF, which covers all connected prefixes. (Aggregate labels will make your PFC do a FIB lookup to find out where to send the packets.)
Regards,
Peter

From kgraham at industrial-marshmallow.com  Wed Feb 25 13:27:21 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Wed, 25 Feb 2009 10:27:21 -0800 (PST)
Subject: [c-nsp] Interesting NAToverload issue
References: <2B0ABDF9E4A1204AA7467F2007535456088EC3B6@E03MVZ4-UKDY.domain1.systemhost.net>
Message-ID: <290380.7519.qm@web905.biz.mail.mud.yahoo.com>

> Is there a solution to this problem? There is one single destination global
> address. Is there a way to force the usage of the same IP from the NAT pool for
> all NAT requests from a particular source IP?

As a short-term salve, have you looked at 'ip nat service fullrange'? Usage
isn't entirely clear (never used it as this seems to guarantee tickling bad
filters in the general case), but you should be able to then burn all 64k
ports and alleviate some impact.

From cchurc05 at harris.com  Wed Feb 25 14:39:51 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 25 Feb 2009 13:39:51 -0600
Subject: [c-nsp] flash disk problem
In-Reply-To: <990136.47982.qm@web58007.mail.re3.yahoo.com>
References: <990136.47982.qm@web58007.mail.re3.yahoo.com>

Maybe the trick is the software supports it, but you can't actually boot off
it until it's 7.1(1). Is this really a 64MB ATA card? The Cisco P/N is
MEM-C6K-ATA-1-64M=. That IOS you're running (or trying to run) is pretty old
(assuming it's that c6sup22-jk2sv-mz.121-22.E2.bin shown below). That might
not support the card either. Either way, I'd definitely get the ROMMON 7.1(1)
on there if it's a 64MB ATA, and see if the issue goes away.

Chuck

From: Alex Wa [mailto:awain567 at yahoo.com]
Sent: Wednesday, February 25, 2009 2:31 PM
To: lista de correo de cisco; Church, Charles
Subject: RE: [c-nsp] flash disk problem

Thanks, Charles

Firmware version is 6.1(3), see below output, but I don't understand why the
Sw column is not showing the correct bootstrap image that the switch is
loading.
Now, if it has firmware below 7.1 how can I format and even copy files to and
from the flash? Besides, when I type verify ? it doesn't show me the disk0:
option but I can copy to disk0:. The same happens with slavedisk0:

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Catalyst 6000 supervisor 2 (Standby)   WS-X6K-SUP2-2GE    SAL06230SDB
  2    2  Catalyst 6000 supervisor 2 (Active)    WS-X6K-S2U-MSFC2   SAD061503XZ
  3   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAD04310F81
  4   48  48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL0715BQZU
  5   48  48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL0715BQZG
  6   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL062102WS
  7   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL04430GXS
  8   48  48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL06447YF0
  9   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL0807UBZ5

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0005.7485.ff70 to 0005.7485.ff71   3.7   6.1(3)       7.5(0.6)HUB1 Ok
  2  0001.6415.e122 to 0001.6415.e123   3.5   6.1(3)       7.5(0.6)HUB1 Ok
  3  0001.9753.22b0 to 0001.9753.22df   1.1   5.4(2)       7.5(0.6)HUB1 Ok
  4  000c.85cf.e2b0 to 000c.85cf.e2df   1.2   5.4(2)       7.5(0.6)HUB1 Ok
  5  000c.85cf.e3d0 to 000c.85cf.e3ff   1.2   5.4(2)       7.5(0.6)HUB1 Ok
  6  0009.1267.5d38 to 0009.1267.5d67   6.1   5.4(2)       7.5(0.6)HUB1 Ok
  7  0003.6c2c.3d40 to 0003.6c2c.3d6f   2.2   5.4(2)       7.5(0.6)HUB1 Ok
  8  000b.465d.5380 to 000b.465d.53af   1.1   5.4(2)       7.5(0.6)HUB1 Ok
  9  000e.8481.33c0 to 000e.8481.33ef   7.5   5.4(2)       7.5(0.6)HUB1 Ok

switch#verify ?
  /md5                 Compute an md5 signature for a file
  bootflash:           File to be verified
  flash:               File to be verified
  slavebootflash:      File to be verified
  slaveslot0:          File to be verified
  slavesup-bootflash:  File to be verified
  slot0:               File to be verified
  sup-bootflash:       File to be verified
  sup-slot0:           File to be verified

--- On Wed, 2/25/09, Church, Charles wrote:

From: Church, Charles
Subject: RE: [c-nsp] flash disk problem
To: awain567 at yahoo.com, "lista de correo de cisco"
Date: Wednesday, February 25, 2009, 9:55 AM

Does the Sup have Rommon 7.1(1) on it? Otherwise, it won't understand the
64MB ATA card. I believe that's the only one that shows up as disk0:. The
smaller ones aren't ATA, so they're linear and show up as slot0:. Did you try
verify slavedisk0:filename?

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alex Wa
Sent: Wednesday, February 25, 2009 11:46 AM
To: lista de correo de cisco
Subject: [c-nsp] flash disk problem

Hi guys

I copied a file to slavedisk0: on a 6513-sup II board. When I try to use
verify slaveslot0:filename I get this error output

%Error verifying slaveslot0:c6sup22-jk2sv-mz.121-22.E2.bin (Bad file number)

The disk was formatted in this switch and the file copied without problems.
The issue is that I'm trying to upgrade the IOS to the new one in flash and
it can't load.

I also would like to know the difference between disk0: and slot0:, I don't
fully understand it, if any.
thanks in advance
Alejandro

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From DPinkard at accessline.com  Wed Feb 25 14:47:23 2009
From: DPinkard at accessline.com (Dan Pinkard)
Date: Wed, 25 Feb 2009 11:47:23 -0800
Subject: [c-nsp] PBR on a 6.5K
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654AF8@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654AF8@vic-cr-ex1.staff.netspace.net.au>

What are the resource limitations on policy routing on SUP720s/MSFC3? Are the
flows ultimately process switched every time or will it draw from the
route-cache?

We were toying with a very simple route-map that called for both a next-hop
and a recursive next-hop route. A moderate (20mbps/14kpps) traffic level
pegged the CPU and sent IQD counters sky-high. Which leads to the basic
question of what went wrong?

Any ideas or observations from your own tests?

Thanks!

From adrian at enfusion-group.com  Wed Feb 25 15:20:14 2009
From: adrian at enfusion-group.com (Adrian Chung)
Date: Wed, 25 Feb 2009 15:20:14 -0500
Subject: [c-nsp] PIX 525 compiled vs non-compiled ACLs.

Anyone have any idea of the performance impact (both latency and CPU wise) if
we were to move from turbo/compiled ACLs to non-compiled?

The outside ACL has about 15555 entries in it currently, and takes about 3-4
minutes to compile. We're suffering from packet loss and performance problems
as well during this compilation. The CPU usage is averaging about 15% with
75Mbps of traffic aggregated. Running 6.3.5(142) or some interim release.

I understand access-list search time for the initial packet in a new flow
might be exposed to longer latency, but is there also expected to be a huge
CPU impact just from disabling turbo/compiled ACLs?
--
Adrian Chung (adrian @ enfusion-group dot com)
http://www.enfusion-group.com/~adrian/

From tstevens at cisco.com  Wed Feb 25 15:23:34 2009
From: tstevens at cisco.com (Tim Stevenson)
Date: Wed, 25 Feb 2009 12:23:34 -0800
Subject: [c-nsp] PBR on a 6.5K
References: <56F211C5E3F24F47B103EA1B253822BE03654AF8@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <200902252023.n1PKNYof005139@sj-core-2.cisco.com>

IIRC, 6500 does not support PBR with the recursive next hops, you must
specify a directly connected next hop that you have a resolved adj for.

Tim

At 11:47 AM 2/25/2009, Dan Pinkard stated:
>What are the resource limitations on policy routing on
>SUP720s/MSFC3? Are the flows ultimately process switched every time
>or will it draw from the route-cache?
>
>We were toying with a very simple route-map that called for both a
>next-hop and a recursive next-hop route. A moderate (20mbps/14kpps)
>traffic level pegged the cpu and send IQD counters sky-high. Which
>leads to the basic question of what went wrong?
>
>Any ideas or observations from your own tests?
>
>Thanks!

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

From awain567 at yahoo.com  Wed Feb 25 14:31:26 2009
From: awain567 at yahoo.com (Alex Wa)
Date: Wed, 25 Feb 2009 11:31:26 -0800 (PST)
Subject: [c-nsp] flash disk problem
Message-ID: <990136.47982.qm@web58007.mail.re3.yahoo.com>

Thanks, Charles
Firmware version is 6.1(3), see below output, but I don't understand why the
Sw column is not showing the correct bootstrap image that the switch is
loading. Now, if it has firmware below 7.1 how can I format and even copy
files to and from the flash? Besides, when I type verify ? it doesn't show me
the disk0: option but I can copy to disk0:. The same happens with slavedisk0:

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Catalyst 6000 supervisor 2 (Standby)   WS-X6K-SUP2-2GE    SAL06230SDB
  2    2  Catalyst 6000 supervisor 2 (Active)    WS-X6K-S2U-MSFC2   SAD061503XZ
  3   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAD04310F81
  4   48  48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL0715BQZU
  5   48  48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL0715BQZG
  6   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL062102WS
  7   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL04430GXS
  8   48  48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL06447YF0
  9   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL0807UBZ5

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0005.7485.ff70 to 0005.7485.ff71   3.7   6.1(3)       7.5(0.6)HUB1 Ok
  2  0001.6415.e122 to 0001.6415.e123   3.5   6.1(3)       7.5(0.6)HUB1 Ok
  3  0001.9753.22b0 to 0001.9753.22df   1.1   5.4(2)       7.5(0.6)HUB1 Ok
  4  000c.85cf.e2b0 to 000c.85cf.e2df   1.2   5.4(2)       7.5(0.6)HUB1 Ok
  5  000c.85cf.e3d0 to 000c.85cf.e3ff   1.2   5.4(2)       7.5(0.6)HUB1 Ok
  6  0009.1267.5d38 to 0009.1267.5d67   6.1   5.4(2)       7.5(0.6)HUB1 Ok
  7  0003.6c2c.3d40 to 0003.6c2c.3d6f   2.2   5.4(2)       7.5(0.6)HUB1 Ok
  8  000b.465d.5380 to 000b.465d.53af   1.1   5.4(2)       7.5(0.6)HUB1 Ok
  9  000e.8481.33c0 to 000e.8481.33ef   7.5   5.4(2)       7.5(0.6)HUB1 Ok

switch#verify ?
  /md5                 Compute an md5 signature for a file
  bootflash:           File to be verified
  flash:               File to be verified
  slavebootflash:      File to be verified
  slaveslot0:          File to be verified
  slavesup-bootflash:  File to be verified
  slot0:               File to be verified
  sup-bootflash:       File to be verified
  sup-slot0:           File to be verified

--- On Wed, 2/25/09, Church, Charles wrote:

From: Church, Charles
Subject: RE: [c-nsp] flash disk problem
To: awain567 at yahoo.com, "lista de correo de cisco"
Date: Wednesday, February 25, 2009, 9:55 AM

Does the Sup have Rommon 7.1(1) on it? Otherwise, it won't understand the
64MB ATA card. I believe that's the only one that shows up as disk0:. The
smaller ones aren't ATA, so they're linear and show up as slot0:. Did you try
verify slavedisk0:filename?

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alex Wa
Sent: Wednesday, February 25, 2009 11:46 AM
To: lista de correo de cisco
Subject: [c-nsp] flash disk problem

Hi guys

I copied a file to slavedisk0: on a 6513-sup II board. When I try to use
verify slaveslot0:filename I get this error output

%Error verifying slaveslot0:c6sup22-jk2sv-mz.121-22.E2.bin (Bad file number)

The disk was formatted in this switch and the file copied without problems.
The issue is that I'm trying to upgrade the IOS to the new one in flash and
it can't load.

I also would like to know the difference between disk0: and slot0:, I don't
fully understand it, if any.
thanks in advance
Alejandro

From awain567 at yahoo.com  Wed Feb 25 14:57:30 2009
From: awain567 at yahoo.com (Alex Wa)
Date: Wed, 25 Feb 2009 11:57:30 -0800 (PST)
Subject: [c-nsp] flash disk problem
Message-ID: <763997.65699.qm@web58006.mail.re3.yahoo.com>

Chuck,

Yes, it's a 64 MB ATA card. It could be the case that the problem arises at
boot time. I'll follow your advice and do the upgrade and retry.

thanks again
Alejandro

--- On Wed, 2/25/09, Church, Charles wrote:

From: Church, Charles
Subject: RE: [c-nsp] flash disk problem
To: awain567 at yahoo.com, "lista de correo de cisco"
Date: Wednesday, February 25, 2009, 11:39 AM

Maybe the trick is the software supports it, but you can't actually boot off
it until it's 7.1(1). Is this really a 64MB ATA card? The Cisco P/N is
MEM-C6K-ATA-1-64M=. That IOS you're running (or trying to run) is pretty old
(assuming it's that c6sup22-jk2sv-mz.121-22.E2.bin shown below). That might
not support the card either. Either way, I'd definitely get the ROMMON 7.1(1)
on there if it's a 64MB ATA, and see if the issue goes away.

Chuck

From: Alex Wa [mailto:awain567 at yahoo.com]
Sent: Wednesday, February 25, 2009 2:31 PM
To: lista de correo de cisco; Church, Charles
Subject: RE: [c-nsp] flash disk problem

Thanks, Charles

Firmware version is 6.1(3), see below output, but I don't understand why the
Sw column is not showing the correct bootstrap image that the switch is
loading. Now, if it has firmware below 7.1 how can I format and even copy
files to and from the flash? Besides, when I type verify ? it doesn't show me
the disk0: option but I can copy to disk0:. The same happens with slavedisk0:
From peter at rathlev.dk  Wed Feb 25 14:15:24 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 25 Feb 2009 20:15:24 +0100
Subject: [c-nsp] EoMPLS restrictions
In-Reply-To: <2B0ABDF9E4A1204AA7467F2007535456088EC45D@E03MVZ4-UKDY.domain1.systemhost.net>
References: <2B0ABDF9E4A1204AA7467F2007535456088EC45D@E03MVZ4-UKDY.domain1.systemhost.net>
Message-ID: <1235589323.3552.133.camel@localhost.localdomain>

Hi Nasir,

On Wed, 2009-02-25 at 12:01 +0000, nasir.shaikh at bt.com wrote:
> Can someone shed some light on the following limitation of EoMPLS?
> Layer 2 connection restrictions:
> - You cannot have a direct Layer 2 connection between provider-edge
> routers with EoMPLS
> Why is this?

The only place I can find this sentence is in the 3750 Metro
documentation. I too cannot figure out what it means exactly, but I have
no experience with the 3750 Metro.

> I have a MAN running MPLS where my PE are directly connected. I need
> to extend my datacenter LANs from location A to location B. I was
> thinking of using EoMPLS but this limitation is bothering me because I
> don't understand this limitation.
> Anyone care to explain?

If you want to transport incoming traffic via an EoMPLS VC from one PE
to another, there should be no problem with this even if they're
directly connected. As long as the direct connection is an MPLS link and
you have a working LSP you should be fine. We do this with 6500 Sup720s
in many places. (I assume the 3750 Metro works in the same way.)

> Topology as under:
>
> CE--(trunk)dot1q(tunnel)-->PE--MPLS--PE--tunnel(dot1q)trunk-->CE
>                            |         |
>                           MPLS      MPLS
>                            |         |
> CE--(trunk)dot1q(tunnel)-->PE--MPLS--PE--tunnel(dot1q)trunk-->CE
>
> The CE on the right hand side are under my control and there is
> another cascaded CE device behind which the data center resides. So I
> could convert the CE to a PE to resolve this.
> Any suggestions are welcome

The MPLS terminology I know of defines a "PE" as a box imposing or
deposing labels.
An MPLS enabled box is thus either a "P" or a "PE". In my eyes "standard"
EoMPLS service is between xconnected outwards facing (sub-)interfaces on
PE1 and PE2 in a topology like this:

      ||
      || (802.1q trunk)
      ||
 +----------+
 |   CE 1   |
 +----------+
      ||
 ---> || (802.1q trunk)
      ||
 +----------+
 |   PE 1   |
 +----------+
      |
      | (MPLS LSP)
      |
 +----------+
 |   PE 2   |
 +----------+
      ||
 ---> || (802.1q trunk)
      ||
 +----------+
 |   CE 2   |
 +----------+
      ||
      || (802.1q trunk)
      ||

The EoMPLS connection would be where the arrows are. As I understand your
diagram this would be possible, maybe even trivial, to implement.

Regards,
Peter

From deanperrine at gmail.com  Wed Feb 25 16:38:13 2009
From: deanperrine at gmail.com (Dean Perrine)
Date: Wed, 25 Feb 2009 13:38:13 -0800
Subject: [c-nsp] RSA Envision vs. Symantec SSIM
Message-ID: <2db25e4e0902251338i34d1c6br53594afb00979fce@mail.gmail.com>

Any thoughts on RSA Envision vs. Symantec SSIM?

Thanks,

Dean Perrine

From mduksa at gmail.com  Wed Feb 25 16:49:58 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Wed, 25 Feb 2009 13:49:58 -0800
Subject: [c-nsp] show mBGP vpn advertized routes
In-Reply-To: <1235589901.3552.139.camel@localhost.localdomain>
References: <1235589901.3552.139.camel@localhost.localdomain>

ok. Thanks. Well, I just miss the way Juniper shows things, the level of
details. Juniper would display the next hop that it is carried in the BGP
Update message.
Marlon

On Wed, Feb 25, 2009 at 11:25 AM, Peter Rathlev wrote:

> On Wed, 2009-02-25 at 10:45 -0800, Marlon Duksa wrote:
> > ok. Thanks. But the next hop is still not right. It shows this below in
> red
>
> In red? On my monochrome display? ;-)
>
> > when my advertised next hop is 1.1.1.1. I checked that by capturing BGP
> > Update message.
> > Does anyone know why would next hop be displayed as 0.0.0.0.
>
> When you see "0.0.0.0" as next hop in the BGP table it means that the
> prefix is originated on this router itself.
> Consult the RIB ("show ip
> route vrf ipvpn_1 191.1.0.0") or FIB ("show ip cef vrf ipvpn_1
> 191.1.0.0") to find out exactly what routing decision the box makes.
>
> > 7609s#show bgp vpnv4 unicast vrf ipvpn_1 191.1.0.0/24
> > BGP routing table entry for 1:0:191.1.0.0/24, version 3
> > Paths: (1 available, best #1, table ipvpn_1)
> >   Advertised to update-groups:
> >      2          1
> >   Local
> >     0.0.0.0 from 0.0.0.0 (191.1.0.1)
> >       Origin incomplete, metric 0, localpref 100, weight 32768, valid,
> > sourced, best
> >       Extended Community: RT:1:0
> >       mpls labels in/out IPv4 VRF Aggr:20/nolabel(ipvpn_1)
>
> So this prefix is from yourself ("7609s"). The prefix has been
> redistributed maybe with "redistribute connected" in the configuration.
> You announce an aggregate label for the whole VRF, which covers all
> connected prefixes. (Aggregate labels will make your PFC do a FIB lookup
> to find out where to send the packets.)
>
> Regards,
> Peter

From chris at chrisserafin.com  Wed Feb 25 17:22:41 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Wed, 25 Feb 2009 16:22:41 -0600
Subject: [c-nsp] RSA Envision vs. Symantec SSIM
In-Reply-To: <2db25e4e0902251338i34d1c6br53594afb00979fce@mail.gmail.com>
References: <2db25e4e0902251338i34d1c6br53594afb00979fce@mail.gmail.com>
Message-ID: <49A5C4B1.6050500@chrisserafin.com>

All SIM products suck unless you have full time dedicated staff assigned to
them, IMHO. We use EIQ's SecureVUE and it promised everything, but left out
that you need another employee full time just to manage it.

Dean Perrine wrote:
> Any thoughts on RSA Envision vs. Symantec SSIM?
>
> Thanks,
>
> Dean Perrine

From sschade at tng.de  Wed Feb 25 16:57:21 2009
From: sschade at tng.de (Sven Schade)
Date: Wed, 25 Feb 2009 22:57:21 +0100
Subject: [c-nsp] SUP720 - not booting - hanging in a loop
Message-ID: <49A5BEC1.1040809@tng.de>

Hi,

I have a problem with a SUP720 in a CAT6509 Chassis. SUP720 is rebooting and
the console output is repeating a waiting message and is not starting. I'm
unable to break to rommon.

This SUP720 has a blank config, but we saw the same failure on a 2nd SUP720
which is fully configured. After powering down the machine has restarted
without a problem.

I found no Info on google or cisco with this failure - did anyone see this
failure? Am I doing something wrong? Both machines run 12.2.33.SXI. Maybe a
problem with the flash? But this is not happening on every reboot.

Any hints?

BR
Svens

--------------------snip----------------------------
FRA3-NEW#reload
Proceed with reload? [confirm]
1w2d: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
1w2d: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor

***
*** --- SHUTDOWN NOW ---
***

1w2d: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
1w2d: %SYS-SP-5-RELOAD: Reload requested by Delayed Reload. Reload Reason: reload.
1w2d: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor

System Bootstrap, Version 8.5(2)
Copyright (c) 1994-2007 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory
Autoboot: failed, BOOT string is empty
Autoboot executing command: "boot "
Initializing ATA monitor library...
string is bootdisk:s72033-boot-mz.122-33.SXI.bin
Loading image, please wait ...
Initializing ATA monitor library...
Self extracting the image...
[OK]
Self decompressing the image : ############################################################################################################################################################################################# [OK]

               Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions
as set forth in subparagraph (c) of the Commercial Computer Software -
Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii)
of the Rights in Technical Data and Computer Software clause at DFARS sec.
252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, s72033_sp Software (s72033_sp-BOOT-M), Version 12.2(33)SXI, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 07-Nov-08 04:30 by prod_rel_team
Image text-base: 0x40101328, data-base: 0x421B0000

Waiting (slot 5) for supervisor to come online in other slot. iteration = 0
Next Retry will be done after 6 seconds
Waiting (slot 5) for supervisor to come online in other slot. iteration = 1
Next Retry will be done after 6 seconds
----------------------------snip-------------------------------

From oiyankok at yahoo.ca  Wed Feb 25 19:02:46 2009
From: oiyankok at yahoo.ca (ann kok)
Date: Wed, 25 Feb 2009 16:02:46 -0800 (PST)
Subject: [c-nsp] why disable ip cache and direct broadcast in switch
Message-ID: <558502.13663.qm@web111315.mail.gq1.yahoo.com>

Hi

I see there is setting in switch

why disable?

no ip directed-broadcast
no ip route-cache

What is good for this configuration?

Thank you

From jay at west.net  Wed Feb 25 19:28:14 2009
From: jay at west.net (Jay Hennigan)
Date: Wed, 25 Feb 2009 16:28:14 -0800
Subject: [c-nsp] why disable ip cache and direct broadcast in switch
In-Reply-To: <558502.13663.qm@web111315.mail.gq1.yahoo.com>
References: <558502.13663.qm@web111315.mail.gq1.yahoo.com>
Message-ID: <49A5E21E.7050900@west.net>

ann kok wrote:
> Hi
>
> I see there is setting in switch

By switch, I assume you mean layer 3 switch or router.

> why disable?
>
> no ip directed-broadcast

"no ip directed-broadcast" is generally a good thing. It blocks smurf DoS
attacks.

> no ip route-cache

This is generally NOT a good thing, other than for debugging during
low-traffic scenarios. It forces traffic to be process-switched and will
cause high (or very high) router CPU utilization.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From steve at ibctech.ca  Wed Feb 25 19:34:03 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Wed, 25 Feb 2009 19:34:03 -0500
Subject: [c-nsp] why disable ip cache and direct broadcast in switch
In-Reply-To: <558502.13663.qm@web111315.mail.gq1.yahoo.com>
References: <558502.13663.qm@web111315.mail.gq1.yahoo.com>
Message-ID: <49A5E37B.2000807@ibctech.ca>

ann kok wrote:
> Hi
>
> I see there is setting in switch
>
> why disable?
>
> no ip directed-broadcast

Because this allows the switch to broadcast packets to a specific VLAN (more
specifically, to an IP subnet) from hosts outside of the VLAN. Enabling this
provides a nice vector for a specific denial-of-service attack.

> no ip route-cache

...which disables fast-forwarding due to the fact cef is enabled (or should
be).

> What is good for this configuration?
no ip directed-broadcast: mitigate denial of service
no ip route-cache: use cef (AFAIK, this is only cosmetic)

Steve

From steve at ibctech.ca  Wed Feb 25 19:42:54 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Wed, 25 Feb 2009 19:42:54 -0500
Subject: [c-nsp] why disable ip cache and direct broadcast in switch
In-Reply-To: <49A5E21E.7050900@west.net>
References: <558502.13663.qm@web111315.mail.gq1.yahoo.com> <49A5E21E.7050900@west.net>
Message-ID: <49A5E58E.7030609@ibctech.ca>

Jay Hennigan wrote:
> ann kok wrote:
>> no ip route-cache
>
> This is generally NOT a good thing, other than for debugging during
> low-traffic scenarios. It forces traffic to be process-switched and
> will cause high (or very high) router CPU utilization.

...I had a misunderstanding about this then... I thought "no ip route-cache"
forced traffic to use cef where possible. Almost makes sense that route-cache
== cef :)

I've only seen the "no ip route-cache" in practise once. It was years ago on
a 3620 router on a PtP serial T1 link to MCI.

Steve

From David at Hughes.com.au  Wed Feb 25 20:02:07 2009
From: David at Hughes.com.au (David Hughes)
Date: Thu, 26 Feb 2009 11:02:07 +1000
Subject: [c-nsp] EoMPLS restrictions
In-Reply-To: <2B0ABDF9E4A1204AA7467F2007535456088EC45D@E03MVZ4-UKDY.domain1.systemhost.net>
References: <2B0ABDF9E4A1204AA7467F2007535456088EC45D@E03MVZ4-UKDY.domain1.systemhost.net>

On 25/02/2009, at 10:01 PM, wrote:

> Hi,
> Can someone shed some light on the following limitation of EoMPLS?
> Layer 2 connection restrictions:
> - You cannot have a direct Layer 2 connection between provider-edge
> routers with EoMPLS
> Why is this?
> I have a MAN running MPLS where my PE are directly connected. I need
> to extend my datacenter LANs from location A to location B. I was
> thinking of using EoMPLS but this limitation is bothering me because
> I don't understand this limitation.
> Anyone care to explain?
Can't see a problem with this and have implemented basically exactly what
you have outlined. We are running 2 pairs of 6500s providing redundant 10GigE
paths between a couple of datacentres. They act as PEs and provide port based
EoMPLS xconnects to other 6500s at the DCs. Those 6500s run dot1q over an
etherchannel constructed from a bundle of these EoMPLS VCs. Works very well.
Only issue is layer 2 fault identification (see recent thread on Fast UDLD
Timers for the ugly details).

David
...

From mpalatnik at wustl.edu  Wed Feb 25 20:10:51 2009
From: mpalatnik at wustl.edu (Max Palatnik)
Date: Wed, 25 Feb 2009 19:10:51 -0600
Subject: [c-nsp] why disable ip cache and direct broadcast in switch
In-Reply-To: <49A5E58E.7030609@ibctech.ca>

"no ip route-cache" with no keywords afterwards refers to the fast-switch
handling of packets. CEF is usually enabled globally on the device (and thus
is enabled for each interface), so this forces the interface to use CEF and
ensures fast-switching is not enabled on the port.

More info:
http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_i1.html#wp1110844

On 2/25/09 6:42 PM, "Steve Bertrand" wrote:

> Jay Hennigan wrote:
>> ann kok wrote:
>
>>> no ip route-cache
>>
>> This is generally NOT a good thing, other than for debugging during
>> low-traffic scenarios. It forces traffic to be process-switched and
>> will cause high (or very high) router CPU utilization.
>
> ...I had a misunderstanding about this then... I thought "no ip
> route-cache" forced traffic to use cef where possible. Almost makes
> sense that route-cache == cef :)
>
> I've only seen the "no ip route-cache" in practise once. It was years
> ago on a 3620 router on a PtP serial T1 link to MCI.
> > Steve > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From steve at ibctech.ca Wed Feb 25 20:15:31 2009 From: steve at ibctech.ca (Steve Bertrand) Date: Wed, 25 Feb 2009 20:15:31 -0500 Subject: [c-nsp] why disable ip cache and direct broadcast in switch In-Reply-To: References: Message-ID: <49A5ED33.60507@ibctech.ca> Max Palatnik wrote: > No ip-route cache with no keywords afterwards refers to the fast-switch > handling of packets. CEF is usually enabled globally on the device (and > thus is enabled for each interface), so this forces the interface to use CEF > and ensures fast-switching is not enabled on the port. This is inline with what I originally understood. Thanks for the link! Steve From ptchuba at live.com Wed Feb 25 20:26:10 2009 From: ptchuba at live.com (Peter Chuba) Date: Thu, 26 Feb 2009 02:26:10 +0100 Subject: [c-nsp] Router VPN server Message-ID: Hi, I've setup a router to act as a vpn server according to the article http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_ example09186a0080819289.shtml. What i'll like to know is the maximum number of simultaneous user connections that can be supported. Thanks Peter From td_miles at yahoo.com Wed Feb 25 20:53:22 2009 From: td_miles at yahoo.com (Tony) Date: Wed, 25 Feb 2009 17:53:22 -0800 (PST) Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL In-Reply-To: <49A3EC00.3060109@ttec.com> Message-ID: <137255.42589.qm@web110111.mail.gq1.yahoo.com> --- On Tue, 24/2/09, Joe Maimon wrote: > From: Joe Maimon > Subject: Re: [c-nsp] VRF and STATIC ROUTE to GLOBAL > To: "Luan Nguyen" > Cc: cisco-nsp at puck.nether.net > Date: Tuesday, 24 February, 2009, 11:45 PM > > There are apparently three approaches to trafficking between > VRF's. 
> > - configuration route leakage, static routes, route-maps > and whatnot > > All hacks in my opinion. > > - physical crossover between two devices, vrf A in device A > becomes vrf B in device B > > Which is actually a degenerate or optimized instance of the > following: > > - crossover in the same device > > This can be done as per your tunnel example. > > You can also do this with physical ports, with a l2/l3 > switch architecture its not as conveniently done however, > since you would need to cross connect one access port in one > vlan to another access port in another vlan. > --snip-- > > Also, while in wishlisting mode, it would be nice if you > could policy route in a vrf (the most likely reason why the > software doesnt allow you to is that vrf processing is the > same code/feature path as policy routing) > I tried routing from global to VRF on a 3550-EMI switch a few months ago and did indeed run into performance issues. With no VRF I was able to get line-speed (ie. near 100Mbps) routing performance, even using PBR. This is what we expect out of a 3550 switch. I then set it up with a static route so that the next hop from the global route table was into a VRF via a CAT5 crossover cable connecting two physical ports in the same switch (one in the VRF, one not in VRF). When I did this I found that traffic was being process switched. I could only get about 75Mbps throughput with 100% CPU (or near enough to 100%). I tried a couple of different IOS and found one would actually get up to 90Mbps but still max CPU (must be some optimisations in that IOS code). I then changed the config so I was using PBR to route into the VRF and the performance dropped substantially. This time I was getting about 35Mbps with 100% CPU. Different code with this config was less variance, always somewhere 33-35Mbps. 
I don't know how other platforms go, but that was my experience on a 3550 and shows that your assumption about VRF & PBR routing being the same feature/code path is quite likely (at least in 3550). I was testing this for something we're trying to do in production, but had to give it up and do it differently due to the performance problems I ran into.

regards,
Tony.

From jeremy at evilrouters.net  Thu Feb 26 01:04:34 2009
From: jeremy at evilrouters.net (Jeremy Gaddis)
Date: Thu, 26 Feb 2009 01:04:34 -0500
Subject: [c-nsp] Router VPN server
In-Reply-To:
References:
Message-ID: <8623d07f0902252204s611c782fs56c45b728459e0a6@mail.gmail.com>

On Wed, Feb 25, 2009 at 8:26 PM, Peter Chuba wrote:
> I've setup a router to act as a vpn server according to the article
> http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml.
> What I'd like to know is the maximum number
> of simultaneous user connections that can be supported.

I believe the correct answer is: "It depends".

--
Jeremy L. Gaddis
http://evilrouters.net/

From gert at greenie.muc.de  Thu Feb 26 02:24:41 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 26 Feb 2009 08:24:41 +0100
Subject: [c-nsp] why disable ip cache and direct broadcast in switch
In-Reply-To:
References: <49A5E58E.7030609@ibctech.ca>
Message-ID: <20090226072441.GC290@greenie.muc.de>

Hi,

On Wed, Feb 25, 2009 at 07:10:51PM -0600, Max Palatnik wrote:
> No ip-route cache with no keywords afterwards refers to the fast-switch
> handling of packets. CEF is usually enabled globally on the device (and
> thus is enabled for each interface), so this forces the interface to use CEF
> and ensures fast-switching is not enabled on the port.

No.

"no ip route-cache" will force *process switching*, and that's a bad thing (certain IOS versions needed this to get features not supported in the fast path, like per-packet load balancing on parallel links - but that's really something you should immediately forget again, process switching is *bad*).

If you want CEF, configure "ip route-cache cef" (which is default on recent IOS versions, so it might not be visible in the config).

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de  Thu Feb 26 02:30:39 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 26 Feb 2009 08:30:39 +0100
Subject: [c-nsp] flash disk problem
In-Reply-To: <489307.6197.qm@web58001.mail.re3.yahoo.com>
References: <489307.6197.qm@web58001.mail.re3.yahoo.com>
Message-ID: <20090226073039.GE290@greenie.muc.de>

Hi,

On Wed, Feb 25, 2009 at 08:46:28AM -0800, Alex Wa wrote:
> I also would like to know the difference between disk0: and slot0:, i don't fully understand it, if any.

disk0: - ATA disk, modern
slot0: - linear flash card, no "ATA" stuff, you don't wanna know

Just use "slavedisk0".

gert

From iam at st-andrews.ac.uk  Thu Feb 26 02:31:09 2009
From: iam at st-andrews.ac.uk (Ian McDonald)
Date: Thu, 26 Feb 2009 07:31:09 +0000
Subject: [c-nsp] Router VPN server
In-Reply-To:
References:
Message-ID: <49A6453D.7010003@st-andrews.ac.uk>

Peter Chuba wrote:
> Hi,
>
> I've setup a router to act as a vpn server according to the article
> http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml.
> What I'd like to know is the maximum number
> of simultaneous user connections that can be supported.
>
> Thanks
> Peter
>

I would say it depends on one of the following

If you haven't got any sort of accelerator card, what encryption algorithm you're using, and how CPU intensive it is, balanced with how much CPU your router can afford to give it, before your other traffic suffers the results.

What sort of "accelerator" card/module you have in the router, and how much of what algorithms it supports offloading to itself.

--
ian

From gert at greenie.muc.de  Thu Feb 26 02:34:42 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 26 Feb 2009 08:34:42 +0100
Subject: [c-nsp] PA-GE - Incrementing Ignored and Overrun Errors
In-Reply-To: <200902251115.26071.lowen@pari.edu>
References: <20090224215738.GZ290@greenie.muc.de> <200902251115.26071.lowen@pari.edu>
Message-ID: <20090226073442.GF290@greenie.muc.de>

Hi,

On Wed, Feb 25, 2009 at 11:15:25AM -0500, Lamar Owen wrote:
> I will say this: the 7401 that is paired with the 7507 is somewhat faster; the
> 7507 is running RSP8's. I don't, unfortunately, have any metrics on just how
> much faster the 7401 is, sorry.

With an RSP8 and only two active interfaces at a time, throughput of that box will likely be better (and less bug-prone) if you disable "distributed switching". The RSP8 is documented to handle 240 mbit/s with 64-byte packets, while the vip2-50 is at 46-71 mbit/s and the vip4-80 71-107 mbit/s. (routerperformance.pdf)

gert

From steve at ibctech.ca  Thu Feb 26 02:45:01 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 26 Feb 2009 02:45:01 -0500
Subject: [c-nsp] why disable ip cache and direct broadcast in switch
In-Reply-To: <20090226072441.GC290@greenie.muc.de>
References: <49A5E58E.7030609@ibctech.ca> <20090226072441.GC290@greenie.muc.de>
Message-ID: <49A6487D.7070503@ibctech.ca>

Gert Doering wrote:
> Hi,
>
> On Wed, Feb 25, 2009 at 07:10:51PM -0600, Max Palatnik wrote:
>> No ip-route cache with no keywords afterwards refers to the fast-switch
>> handling of packets. CEF is usually enabled globally on the device (and
>> thus is enabled for each interface), so this forces the interface to use CEF
>> and ensures fast-switching is not enabled on the port.
>
> No.
>
> "no ip route-cache" will force *process switching*, and that's a bad thing
> (certain IOS versions needed this to get features not supported in the
> fast path, like per-packet load balancing on parallel links - but that's
> really something you should immediately forget again, process switching is
> *bad*).
For my own understanding, is it fair to assume:

- "no ip route-cache" forces punting to the RP for proc-switch
- lack of "no ip route-cache" and without "ip cef" enabled (at all) implies 'proc-switch once, then fast-switch'
- nothing explicitly set on an interface, but "ip cef" enabled globally will always use the compiled FIB

...do I have this right?

Steve

From SazliBin.Ahmad at pacnet.com  Thu Feb 26 02:48:20 2009
From: SazliBin.Ahmad at pacnet.com (Ahmad, Sazli Bin)
Date: Thu, 26 Feb 2009 15:48:20 +0800
Subject: [c-nsp] TCAM Errors on SIP-401 Engine 5 Linecard for E1 SPA.
Message-ID: <207A8FA83882D643BDA4398E6365CDDB0524C89D@W3HKEXCHVS1.asianetcom.com>

Hi,

The problem that I am seeing is on Cisco GSR 12406 with the IOS 12.0(32)SY5. I need some advice if anyone has ever encountered this problem. The problem seems to be in the QoS configuration and, if that is the case, what would be a good QoS configuration in order to overcome these TCAM errors and LC crashes? Need some advice from the experts.

Regards
Sazli

From gert at greenie.muc.de  Thu Feb 26 02:55:57 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 26 Feb 2009 08:55:57 +0100
Subject: [c-nsp] why disable ip cache and direct broadcast in switch
In-Reply-To: <49A6487D.7070503@ibctech.ca>
References: <49A5E58E.7030609@ibctech.ca> <20090226072441.GC290@greenie.muc.de> <49A6487D.7070503@ibctech.ca>
Message-ID: <20090226075557.GH290@greenie.muc.de>

Hi,

On Thu, Feb 26, 2009 at 02:45:01AM -0500, Steve Bertrand wrote:
> For my own understanding, is it fair to assume:
>
> - "no ip route-cache" forces punting to the RP for proc-switch
> - lack of "no ip route-cache" and without "ip cef" enabled (at all)
> implies 'proc-switch once, then fast-switch'
> - nothing explicitly set on an interface, but "ip cef" enabled globally
> will always use the compiled FIB
>
> ...do I have this right?

I think it should be that way for recent-enough IOS images. Older versions required an explicit "ip route-cache cef" in the interface config.

(And there were more options, like "ip route-cache optimal" or "ip route-cache same-interface", etc. etc. which contribute to the confusion).

Cisco is slowly moving into the right direction: drop all switching paths except CEF and process. Simplify the code, get rid of corner cases and bugs.

(Maybe also rewrite all the interface counter stuff at the same time...)

gert

From DPinkard at accessline.com  Thu Feb 26 03:29:19 2009
From: DPinkard at accessline.com (Dan Pinkard)
Date: Thu, 26 Feb 2009 00:29:19 -0800
Subject: [c-nsp] PBR on a 6.5K
In-Reply-To: <200902252023.n1PKNYof005139@sj-core-2.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE03654AF8@vic-cr-ex1.staff.netspace.net.au> <200902252023.n1PKNYof005139@sj-core-2.cisco.com>
Message-ID:

Thanks!

It certainly happily accepts the command, and even does the right thing for the first few kpps. After that, not so much, which is where the whole question began. It just does so poorly that it never catches up...

________________________________
From: Tim Stevenson [mailto:tstevens at cisco.com]
Sent: Wednesday, February 25, 2009 12:24 PM
To: Dan Pinkard; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PBR on a 6.5K

IIRC, 6500 does not support PBR with the recursive next hops, you must specify a directly connected next hop that you have a resolved adj for.

Tim

At 11:47 AM 2/25/2009, Dan Pinkard stated:

What are the resource limitations on policy routing on SUP720s/MSFC3? Are the flows ultimately process switched every time or will it draw from the route-cache?

We were toying with a very simple route-map that called for both a next-hop and a recursive next-hop route. A moderate (20mbps/14kpps) traffic level pegged the cpu and sent IQD counters sky-high. Which leads to the basic question of what went wrong?

Any ideas or observations from your own tests?

Thanks!

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

From ivan.pepelnjak at zaplana.net  Thu Feb 26 04:17:30 2009
From: ivan.pepelnjak at zaplana.net (Ivan Pepelnjak)
Date: Thu, 26 Feb 2009 10:17:30 +0100
Subject: [c-nsp] show mBGP vpn advertized routes
In-Reply-To:
References:
Message-ID: <003c01c997f3$10ed15f0$0a00000a@nil.si>

> ok. Thanks. Well, I just miss the way Juniper shows things,
> the level of details. Juniper would display the next hop that
> it is carried in the BGP Update message.
> Marlon

Different EBGP neighbors might receive different next-hops in their updates. Cisco IOS always displays what's in its BGP table, not what's sent to the neighbors.

What's "correct" is everyone's personal opinion :)

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

From oboehmer at cisco.com  Thu Feb 26 06:56:58 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 26 Feb 2009 12:56:58 +0100
Subject: [c-nsp] IS-IS LSP Generation/Expiry + Database Optimization - Issue
In-Reply-To: <200902222330.46372.mtinka@globaltransit.net>
References: <200902221357.04134.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406EA3A1C@xmb-ams-333.emea.cisco.com> <200902222330.46372.mtinka@globaltransit.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406EFE053@xmb-ams-333.emea.cisco.com>

Mark Tinka wrote on Sunday, February 22, 2009 16:31:

>> I've "worked" with the increased lifetime/refresh
>> intervals in several large networks for the last 8 years,
>> and I've not seen an issue with it. Do you have any
>> indication that the problem you've been experiencing is
>> caused by "corrupt" LSPs?
>
> Admittedly, we haven't sat down to really analyze and debug
> the flow of LSP's (or lack thereof), as each time it
> happens, we can't afford this luxury; the router has to be
> online in the shortest time possible (and I can't replicate
> this exactly in the lab as we don't have enough of the exact
> spare kit to do so at the moment).

Right.. But a "show isis database detail [xxxxx.yy-zz]" dump into a file would have allowed more conclusions ;-)

>> It is strange that you only
>> seem to see the problem on some routers, and not on
>> others, which makes a "corrupt" LSP advertised by the
>> restarting router a bit unlikely..
>
> We've only seen the issue on recovering routers that were
> previously part of the IS-IS domain. As mentioned, routers
> that are new to the domain come up fine the first time.

Well, I meant something different: If I understand your description correctly, only some routers in your network have problems reaching the restarting node, others can reach it just fine. Is this the case or not?
So if the issue is indeed a "wrong" LSP in the ISIS domain, I would suspect that all nodes would see this "wrong" LSP?

>> I would still recommend the higher lifetime values,
>> however the original reason (reducing the "chatter") is
>> certainly much less important these days with high-speed
>> CPU and links, so I'm not passionate about it..
>
> Clearly, even though we did reduce the lifetime and refresh
> timers, we would still need to wait "that long" before the
> link database is cleaned out. And since we need the
> restarting router to be firing on all cylinders when it
> returns to the network, it doesn't matter whether the
> database will be refreshed in 18 minutes or 18 hours - we
> need uptime the moment the router is able to start
> processing frames/packets.

right..

> So in that respect, keeping these values at "where ever"
> they need to be to scale IS-IS is fine. We just need to
> figure out why the recovering router does not "properly"
> signal the DIS to refresh its link state database upon a
> successful initialization of the IS-IS process.

I'm not sure if this is really the case:

1) we can generally assume that a reloading router will essentially advertise the same information it did before it crashed.. So even if the restarting router didn't have a chance purging his LSPs before it went down, the "stale" LSP will very likely still reflect the correct information, so even if a remote node didn't receive the "new" LSP from the recovering node, it would be able to reach the recovering node after its neighbors started to advertise the adjacency.

2) If there are problems getting the new LSP out (for example after a controlled reload where the router was able to purge the LSPs), we would likely see most (if not all) nodes not being able to reach it.

> I will say that we have the 'ignore-lsp-errors' feature
> enabled. Given its purpose, could that have an adverse
> effect on a recovering router's capability to effectively
> get its new LSP's out to the DIS?

I don't think so.. you mention DIS: Is this only happening on broadcast segments?

But this is all a bit too speculative for me. We should really get a complete database output from the recovering node and from one of the nodes not being able to reach it (and possibly one from a node which is able to reach it), and work from there.. "show ip route <...>" would also help..

oli

From lowen at pari.edu  Thu Feb 26 10:01:32 2009
From: lowen at pari.edu (Lamar Owen)
Date: Thu, 26 Feb 2009 10:01:32 -0500
Subject: [c-nsp] PA-GE - Incrementing Ignored and Overrun Errors
In-Reply-To: <20090226073442.GF290@greenie.muc.de>
References: <20090224215738.GZ290@greenie.muc.de>
Message-ID: <200902261001.32853.lowen@pari.edu>

On Thursday 26 February 2009 02:34:42 Gert Doering wrote:
> With an RSP8 and only two active interface at a time, throughput of that
> box will likely be better (and less bug-prone) if you disable "distributed
> switching".

Some of the features I'm using disable dCEF implicitly for packets touched by those features (Stateful NAT and CBAC, for instance, if I'm reading the docs right), but I have done that in the config anyway due to the performance benefits with few interfaces. Even before explicitly disabling dCEF, I wasn't seeing but a handful of packets take that switching path according to 'show int stats'.

And, before anyone says it: I'm fully aware a 7200 with NPE-G1 or G2 would be a better choice for that feature mix, but I used what I had on hand to replace a failed 7400, and I don't currently own any 7200s.

Oddly enough, though, with the particular feature mix I'm using the 7400 is showing less CPU% used and getting better performance (it's documented to do 153Mb/s using CEF according to the same routerperformance.pdf), but I'm seeing the PXF get involved on a few paths (haven't yet hit any PXF bugs that I know of, thankfully), but even then the percentage of packets taking the PXF path is a very small fraction.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From tstevens at cisco.com  Thu Feb 26 10:12:07 2009
From: tstevens at cisco.com (Tim Stevenson)
Date: Thu, 26 Feb 2009 07:12:07 -0800
Subject: [c-nsp] PBR on a 6.5K
In-Reply-To:
References: <56F211C5E3F24F47B103EA1B253822BE03654AF8@vic-cr-ex1.staff.netspace.net.au> <200902252023.n1PKNYof005139@sj-core-2.cisco.com>
Message-ID: <200902261512.n1QFC8Ln009996@sj-core-1.cisco.com>

My sentence should have continued: "..., if you want it to do hardware-switched PBR". As Rodney pointed out, more recent s/w releases may have added this support, so could depend on what release you are running whether it is hw or sw switched.

Tim

At 12:29 AM 2/26/2009, Dan Pinkard stated:
>
> Thanks!
>
> It certainly happily accepts the command, and
> even does the right thing for the first few
> kpps. After that, not so much, which is where
> the whole question began. It just does so poorly that it never catches up
>
> ----------
> From: Tim Stevenson [mailto:tstevens at cisco.com]
> Sent: Wednesday, February 25, 2009 12:24 PM
> To: Dan Pinkard; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PBR on a 6.5K
>
> IIRC, 6500 does not support PBR with the
> recursive next hops, you must specify a directly
> connected next hop that you have a resolved adj for.
>
> Tim
>
> At 11:47 AM 2/25/2009, Dan Pinkard stated:
>
> What are the resource limitations on policy
> routing on SUP720s/MSFC3? Are the flows
> ultimately process switched every time or will it draw from the route-cache?
>
> We were toying with a very simple route-map that
> called for both a next-hop and a recursive
> next-hop route. A moderate (20mbps/14kpps)
> traffic level pegged the cpu and sent IQD
> counters sky-high. Which leads to the basic question of what went wrong?
>
> Any ideas or observations from your own tests?
>
> Thanks!
>
> Tim Stevenson, tstevens at cisco.com
> Routing & Switching CCIE #5561
> Technical Marketing Engineer, Cisco Nexus 7000
> Cisco - http://www.cisco.com
> IP Phone: 408-526-6759

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759

From mtinka at globaltransit.net  Thu Feb 26 09:22:18 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 26 Feb 2009 22:22:18 +0800
Subject: [c-nsp] IS-IS LSP Generation/Expiry + Database Optimization - Issue
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406EFE053@xmb-ams-333.emea.cisco.com>
References: <200902221357.04134.mtinka@globaltransit.net> <200902222330.46372.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406EFE053@xmb-ams-333.emea.cisco.com>
Message-ID: <200902262222.19451.mtinka@globaltransit.net>

On Thursday 26 February 2009 07:56:58 pm Oliver Boehmer (oboehmer) wrote:

> But this is all a bit too speculative for me. We should
> really get a complete database output from the recovering
> node and from one of the nodes not being able to reach it
> (and possibly one from a node which is able to reach it),
> and work from there.. "show ip route <...>" would also
> help..

Agree. Let me get a little more work done here in our lab to try and definitively reproduce and document this problem (assuming TAC don't beat me to it).

Cheers,

Mark.

From mtinka at globaltransit.net  Thu Feb 26 09:40:39 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 26 Feb 2009 22:40:39 +0800
Subject: [c-nsp] IS-IS LSP Generation/Expiry + Database Optimization - Issue - Update!
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406EFE053@xmb-ams-333.emea.cisco.com>
References: <200902221357.04134.mtinka@globaltransit.net> <200902222330.46372.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406EFE053@xmb-ams-333.emea.cisco.com>
Message-ID: <200902262240.48233.mtinka@globaltransit.net>

Hi Oli.

So I've been able to reproduce the 75% iBGP session establishment with a graceful reload of a router in our lab, i.e., 2/2 v4 iBGP sessions are up, but only 1/2 v6 iBGP sessions are up.

Will send you this data offline as it's confidential :-).

Cheers,

Mark.

From Steven.Raymond at integratelecom.com  Thu Feb 26 11:01:38 2009
From: Steven.Raymond at integratelecom.com (Raymond, Steven)
Date: Thu, 26 Feb 2009 08:01:38 -0800
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <200902260142.13371.mtinka@globaltransit.net>
References: <200902260117.47321.mtinka@globaltransit.net> <25832F73CFADDD4F8291320FD507BA68018F829B@exch2-bllon.uk.easynet.corp> <200902260142.13371.mtinka@globaltransit.net>
Message-ID: <775A75B5625C6B418FC01477094E0BCC2408923350@IDCMAILBOX1.ads.integratelecom.com>

BFD has become unusable for us with SRC3 (coming from SRB3). It misfires and falsely reports the BFD neighbor down several times per hour, sending waves of disruption across the network. Thus far the only workaround is to disable BFD.

We thought it may be a return of CSCek71050 which abused us in SRB1 and caused strikingly similar problems. But TAC has assured me they must be different causes.

Are your BFD problems causing only reboots, or BFD bounces followed by worse behavior?

Thanks

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Mark Tinka
> Sent: Wednesday, February 25, 2009 9:42 AM
> To: Dan Peachey
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
>
> On Thursday 26 February 2009 01:25:34 am Dan Peachey wrote:
>
> > Do you have the bug ID for this?
>
> CSCek75694 and CSCsq32269
>
> > I am currently
> > evaluating SRC2 and would be interested in reading up on
> > it.
>
> I'd recommend staying away from SRC2 - it's riddled with a
> number of "discovered" bugs. I'd suggest you consider SRC3
> instead, if you're looking at 12.2SR.
>
> Just don't run BFD!
>
> Cheers,
>
> Mark.
From mtinka at globaltransit.net  Thu Feb 26 11:14:26 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 27 Feb 2009 00:14:26 +0800
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <775A75B5625C6B418FC01477094E0BCC2408923350@IDCMAILBOX1.ads.integratelecom.com>
References: <200902260117.47321.mtinka@globaltransit.net> <200902260142.13371.mtinka@globaltransit.net> <775A75B5625C6B418FC01477094E0BCC2408923350@IDCMAILBOX1.ads.integratelecom.com>
Message-ID: <200902270014.27225.mtinka@globaltransit.net>

On Friday 27 February 2009 12:01:38 am Raymond, Steven wrote:

> BFD has become unusable for us with SRC3 (coming from
> SRB3). It misfires and falsely reports the BFD neighbor
> down several times per hour, sending waves of disruption
> across the network.

What interval values are you using?

> Are your BFD problems causing only reboots, or BFD
> bounces followed by worse behavior?

Only reboots. Our logs don't show any random BFD bounces, but then again we run 250ms both for the minimum interval and minimum receive interval.

Cheers,

Mark.

From paul at paulstewart.org  Thu Feb 26 11:19:05 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 26 Feb 2009 11:19:05 -0500
Subject: [c-nsp] l2tpv3 config - MTU question
Message-ID: <000001c9982d$f2429590$d6c7c0b0$@org>

Hi folks.

I've setup a pair of 1841's back to back for testing l2tpv3 deployment for a client..

FastE0/0 from each 1841 is connected to one another at 10.0.0.0/24 - each router has a loopback of 192.168.254.1 and .2 - OSPF is running and am able to successfully ping each other's loopback with redistributed subnets etc..

Configured each router to look like this:

pseudowire-class test
 encapsulation l2tpv3
 sequencing both
 ip local interface Loopback0

interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 192.168.254.2 1234 pw-class test

Have a notebook hooked up to each FastE0/1 port and assigned 172.16.0.1 and .2 on them. I can ping back and forth proving connectivity etc.

My problem/question is how to get a packet of 1500 bytes to traverse the link - obviously fragmented but that's ok. In the real-world deployment of this setup we are limited to 1500 MTU in most situations and will presume no mini-jumbo support anywhere (from a config perspective at least).

In my first config I had Path MTU discovery enabled and could only ping up to 1440 bytes. With that disabled I can now ping to 1472 but not beyond.

With Path MTU turned on it looked like this:

site2#sh l2tun session all
%No active L2F tunnels

L2TP Session Information Total tunnels 1 sessions 1

Session id 53211 is up, tunnel id 32076
Call serial number is 1293300000
Remote tunnel name is site1
  Internet address is 192.168.254.1
  Session is L2TP signalled
  Session state is established, time since change 00:26:44
    114 Packets sent, 116 received
    30446 Bytes sent, 29032 received
  Last clearing of "show vpdn" counters never
  Receive packets dropped:
    out-of-order: 0
    total: 0
  Send packets dropped:
    exceeded session MTU: 1
    total: 1
  Session vcid is 1234
  Session Layer 2 circuit, type is Ethernet, name is FastEthernet0/1
  Circuit state is UP
    Remote session id is 22201, remote tunnel id 12358
  Session PMTU enabled, path MTU is 1500 bytes
  DF bit on, ToS reflect disabled, ToS value 0, TTL value 255
  No session cookie information available
  UDP checksums are disabled
  SSS switching enabled
  Sequencing is on
    Ns 114, Nr 116, 0 out of order packets received
  Unique ID is 1

%No active PPTP tunnels

Upon looking further I could see the DF bit on which I believe would explain the 1440 byte limit I hit. But with that disabled I am puzzled or missing something as to why I cannot fragment packets up to full 1500? What am I missing here? Do I need to make MTU adjustments towards the FastE0/1 interface to force fragmentation before the l2tpv3 tunnel?

Thanks in advance,

Paul

From Steven.Raymond at integratelecom.com  Thu Feb 26 11:27:14 2009
From: Steven.Raymond at integratelecom.com (Raymond, Steven)
Date: Thu, 26 Feb 2009 08:27:14 -0800
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <200902270014.27225.mtinka@globaltransit.net>
References: <200902260117.47321.mtinka@globaltransit.net> <200902260142.13371.mtinka@globaltransit.net> <775A75B5625C6B418FC01477094E0BCC2408923350@IDCMAILBOX1.ads.integratelecom.com> <200902270014.27225.mtinka@globaltransit.net>
Message-ID: <775A75B5625C6B418FC01477094E0BCC2408923351@IDCMAILBOX1.ads.integratelecom.com>

> What interval values are you using?

250ms

> > Are your BFD problems causing only reboots, or BFD
> > bounces followed by worse behavior?
>
> Only reboots.

Ah. We haven't seen any reboots, but this is on sup720 not NPE. We are probably experiencing different defects.

From moua0100 at umn.edu  Thu Feb 26 11:50:05 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 26 Feb 2009 10:50:05 -0600
Subject: [c-nsp] l2tpv3 config - MTU question
In-Reply-To: <000001c9982d$f2429590$d6c7c0b0$@org>
References: <000001c9982d$f2429590$d6c7c0b0$@org>
Message-ID: <49A6C83D.7090704@umn.edu>

I was tackling a similar issue over here too, I think it may have to do with the fact that l2tpv3 and ethernet headers are taking some of the mtu allocation.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Paul Stewart wrote:
> Hi folks.
>
> I've setup a pair of 1841's back to back for testing l2tpv3 deployment for a
> client..
>
> FastE0/0 from each 1841 is connected to one another at 10.0.0.0/24 - each
> router has a loopback of 192.168.254.1 and .2 - OSPF is running and am able
> to successfully ping each other's loopback with redistributed subnets etc..
>
> Configured each router to look like this:
>
> pseudowire-class test
>  encapsulation l2tpv3
>  sequencing both
>  ip local interface Loopback0
>
> interface FastEthernet0/0
>  ip address 10.0.0.2 255.255.255.0
>  duplex auto
>  speed auto
>
> interface FastEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
>  no cdp enable
>  xconnect 192.168.254.2 1234 pw-class test
>
> Have a notebook hooked up to each FastE0/1 port and assigned 172.16.0.1 and
> .2 on them. I can ping back and forth proving connectivity etc.
>
> My problem/question is how to get a packet of 1500 bytes to traverse the
> link - obviously fragmented but that's ok. In the real-world deployment
> of this setup we are limited to 1500 MTU in most situations and will presume
> no mini-jumbo support anywhere (from a config perspective at least).
>
> In my first config I had Path MTU discovery enabled and could only ping up
> to 1440 bytes. With that disabled I can now ping to 1472 but not beyond.
> > > > With Path MTU turned on it looked like this: > > > > site2#sh l2tun session all > > > > %No active L2F tunnels > > > > L2TP Session Information Total tunnels 1 sessions 1 > > > > Session id 53211 is up, tunnel id 32076 > > Call serial number is 1293300000 > > Remote tunnel name is site1 > > Internet address is 192.168.254.1 > > Session is L2TP signalled > > Session state is established, time since change 00:26:44 > > 114 Packets sent, 116 received > > 30446 Bytes sent, 29032 received > > Last clearing of "show vpdn" counters never > > Receive packets dropped: > > out-of-order: 0 > > total: 0 > > Send packets dropped: > > exceeded session MTU: 1 > > total: 1 > > Session vcid is 1234 > > Session Layer 2 circuit, type is Ethernet, name is FastEthernet0/1 > > Circuit state is UP > > Remote session id is 22201, remote tunnel id 12358 > > Session PMTU enabled, path MTU is 1500 bytes > > DF bit on, ToS reflect disabled, ToS value 0, TTL value 255 > > No session cookie information available > > UDP checksums are disabled > > SSS switching enabled > > Sequencing is on > > Ns 114, Nr 116, 0 out of order packets received > > Unique ID is 1 > > > > %No active PPTP tunnels > > > > > > Upon looking further I could see the DF bit on which I believe would explain > the 1440 byte limit I hit. But with that disabled I am puzzled or missing > something as to why I cannot fragment packets up to full 1500? What I am > missing here? Do I need to make MTU adjustments towards the FastE0/1 > interface to force fragmentation before the l2tpv3 tunnel? 
> > > > Thanks in advance, > > > > Paul > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From James.Munroe at gnb.ca Thu Feb 26 11:22:53 2009 From: James.Munroe at gnb.ca (Munroe, James (DSS/MAS)) Date: Thu, 26 Feb 2009 12:22:53 -0400 Subject: [c-nsp] Q - Is there a way to rollback to the default Rommon Image on a SUP720? Message-ID: <458B3EC21E4A3044998E917199AACB2F01A644C5@GNBEX02.gnb.ca> Hello, A recent Rommon upgrade on the SP/SP has left a SUP720-3B being unable to read any CF Cards in Disk0 or Disk1 upon it's reboot. Is there any way to roll back to the default Rommon image from the rommon prompt itself? I know once the unit is active with IOS running it's easy to invalid the upgradeable regions...but I've never had to attempt this from rommon. The SUP720 loads up but complains about accessing any of the CF slots...It was working fine beforehand. Any info would be appreciated... Thank You, James (Jim) Munroe Wide Area Network - Project Lead Corporate Information Management Services (Division) Department of Supply and Services 4th Floor Marysville Place P.O. Box 6000 Fredericton, New Brunswick E3B 5H1 Phone : (506) 444-6702 Cell : (506) 292-1692 Fax : (506) 444-4400 Email : james.munroe at gnb.ca From paul at paulstewart.org Thu Feb 26 11:59:58 2009 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 26 Feb 2009 11:59:58 -0500 Subject: [c-nsp] l2tpv3 config - MTU question In-Reply-To: <49A6C83D.7090704@umn.edu> References: <000001c9982d$f2429590$d6c7c0b0$@org> <49A6C83D.7090704@umn.edu> Message-ID: <000d01c99833$a84de100$f8e9a300$@org> Thanks - yes, absolutely and I can figure that into the equation. Been reading a lot of discussions in archives and Google about this. 
I want to ensure that however/wherever we deploy this, we can provide a full 1500 MTU *without* having desktops make MTU adjustments, basically.... at the expense of fragmentation and CPU (which we can account for). No matter what I've tried so far, I can't get a ping through our pair of test routers larger than 1472 yet....

This avoids websites being unreachable (Microsoft comes to mind) and other MTU annoyances we've encountered over time...

Paul

From moua0100 at umn.edu Thu Feb 26 12:10:42 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 26 Feb 2009 11:10:42 -0600
Subject: [c-nsp] l2tpv3 config - MTU question
In-Reply-To: <000d01c99833$a84de100$f8e9a300$@org>
References: <000001c9982d$f2429590$d6c7c0b0$@org> <49A6C83D.7090704@umn.edu> <000d01c99833$a84de100$f8e9a300$@org>
Message-ID: <49A6CD12.50806@umn.edu>

We've got about a half-dozen sites deployed on this, with about a 1000 user base total, and it's running mostly fine, caveats:

* watch out for VTP as there may be some out of order packets that cause VTP convergence to fail; run the CE side in vtp transparent mode and add vlans manually
* another trick we've been thinking about is adjusting MTU on the end workstations
* mtu 1472 works fine as defrag/frag will happen on the pe/ce equipment; no worries with running high cpu on end-workstations due to frag/defrag operations
* "clear ip tra" & "sh ip tra" will show frag stats on routers

hope this helps.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

From mtinka at globaltransit.net Thu Feb 26 11:59:34 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 27 Feb 2009 00:59:34 +0800
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <775A75B5625C6B418FC01477094E0BCC2408923351@IDCMAILBOX1.ads.integratelecom.com>
References: <200902260117.47321.mtinka@globaltransit.net> <200902270014.27225.mtinka@globaltransit.net> <775A75B5625C6B418FC01477094E0BCC2408923351@IDCMAILBOX1.ads.integratelecom.com>
Message-ID: <200902270059.41701.mtinka@globaltransit.net>

On Friday 27 February 2009 12:27:14 am Raymond, Steven wrote:

> Ah. We haven't seen any reboots, but this is on sup720 not NPE.
> We are probably experiencing different defects.

Well, according to TAC, the 7600 is unaffected by this particular bug.

Cheers,

Mark.

From tkacprzynski at SpencerStuart.com Thu Feb 26 12:32:09 2009
From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com)
Date: Thu, 26 Feb 2009 11:32:09 -0600
Subject: [c-nsp] Redistribution on ASA Firewall using route-map
In-Reply-To: <49A6CD12.50806@umn.edu>
Message-ID:

Hello,

I'm trying to accomplish redistribution between two OSPF processes (100 and 175) using a route-map with an access-list on an ASA 8.0. Can't seem to get it working.
Does anyone know if this is possible, or if I have something messed up with the access-list (it doesn't look like I can do a prefix-list on the route-map in ASA)? See below:

Router OSPF 100
 redistribute OSPF 175 metric-type 1 subnets tag 10457 route-map OSPF175-OSPF100-RMAP

route-map OSPF175-OSPF100-RMAP permit 10
 match ip address OSPF175-OSPF100-ACL

access-list OSPF175-OSPF100-ACL remark Used for redistribution
access-list OSPF175-OSPF100-ACL standard permit host x.y.z.0
access-list OSPF175-OSPF100-ACL standard permit host 0.0.0.0

Any help is greatly appreciated.

Thank you,

From paul at paulstewart.org Thu Feb 26 12:32:56 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 26 Feb 2009 12:32:56 -0500
Subject: [c-nsp] l2tpv3 config - MTU question
In-Reply-To: <49A6CD12.50806@umn.edu>
References: <000001c9982d$f2429590$d6c7c0b0$@org> <49A6C83D.7090704@umn.edu> <000d01c99833$a84de100$f8e9a300$@org> <49A6CD12.50806@umn.edu>
Message-ID: <001d01c99838$434d74f0$c9e85ed0$@org>

Thank you ...

Perhaps I should have explained a little more in depth - my problem at this moment is that with dfbit=off I still cannot do a ping larger than 1472 and can't understand why it's NOT being fragmented.... ;)

Cheers,

Paul

From Daniel.Peachey at sns.bskyb.com Thu Feb 26 12:44:05 2009
From: Daniel.Peachey at sns.bskyb.com (Dan Peachey)
Date: Thu, 26 Feb 2009 17:44:05 -0000
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
References: <200902260117.47321.mtinka@globaltransit.net> <200902270014.27225.mtinka@globaltransit.net> <775A75B5625C6B418FC01477094E0BCC2408923351@IDCMAILBOX1.ads.integratelecom.com> <200902270059.41701.mtinka@globaltransit.net>
Message-ID: <25832F73CFADDD4F8291320FD507BA68018F83E0@exch2-bllon.uk.easynet.corp>

> On Friday 27 February 2009 12:27:14 am Raymond, Steven wrote:
>
> > Ah. We haven't seen any reboots, but this is on sup720 not NPE.
> > We are probably experiencing different defects.
>
> Well, according to TAC, the 7600 is unaffected by this particular bug.
>
> Cheers,
>
> Mark.

I've had 12.2(33)SRC2 running in the lab on 7606 / SUP720 for a couple of months and not seen any issues with BFD as yet.

Dan

From moua0100 at umn.edu Thu Feb 26 12:50:33 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 26 Feb 2009 11:50:33 -0600
Subject: [c-nsp] l2tpv3 config - MTU question
In-Reply-To: <001d01c99838$434d74f0$c9e85ed0$@org>
References: <000001c9982d$f2429590$d6c7c0b0$@org> <49A6C83D.7090704@umn.edu> <000d01c99833$a84de100$f8e9a300$@org> <49A6CD12.50806@umn.edu> <001d01c99838$434d74f0$c9e85ed0$@org>
Message-ID: <49A6D669.5070401@umn.edu>

Ok, I see. Are you seeing this with more than one test workstation? I wonder if it is an end-station issue. df=off should allow for large ping payloads. What is the syntax you are using on the end-workstation?

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Paul Stewart wrote:
> Thank you ...
> > Perhaps I should have explained a little more in depth - my problem at this > moment is that with dfbit=off I still cannot do a ping larger than 1472 and > can't understand why it's NOT being fragmented....;) > > Cheers, > > Paul > > > -----Original Message----- > From: Ge Moua [mailto:moua0100 at umn.edu] > Sent: Thursday, February 26, 2009 12:11 PM > To: Paul Stewart > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] l2tpv3 config - MTU question > > We've got about a half-dozen sites deployed on this, with about 1000 > user base total, and it's running most fine, caveats: > * watch out for VTP as thiere may be some out of order packets that > causes VTP convergence to fail; run the CE side in vtp transparent mode > and add vlan manually > * another trick we've been think about is adjusting MTU on the end > workstations > * mtu 1472 works fine as defrag/frag will happen on the pe/ce equipment; > no worries with running high cpu on end-workstation due to frag/defrag > operations > * "clear ip tra" & "sh ip tra" will show frag stat on routers > > hope this helps. > > Regards, > Ge Moua | Email: moua0100 at umn.edu > > Network Design Engineer > University of Minnesota | Networking & Telecommunications Services > > > > Paul Stewart wrote: > >> Thanks - yes, absolutely and I can figure that into the equation. Been >> reading a lot of discussions in archives and Google about this. I want to >> ensure that however/where we deploy this that we can provide a full 1500 >> > MTU > >> *without* having desktops make MTU adjustments basically.... at the >> > expense > >> of fragmentation and CPU (which we can account for). No matter what I've >> tried so far I can't get a ping through our pair of test routers larger >> > than > >> 1472 though yet.... >> >> This avoids websites being unreachable (Microsoft comes to mind) and other >> MTU annoyances we've encountered over time... 
>> Paul
>>
>> -----Original Message-----
>> From: Ge Moua [mailto:moua0100 at umn.edu]
>> Sent: Thursday, February 26, 2009 11:50 AM
>> To: Paul Stewart
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] l2tpv3 config - MTU question
>>
>> I was tackling a similar issue over here too, I think it may have to do
>> with the fact that l2tpv3 and ethernet headers are taking some of the
>> mtu allocation.
>>
>> Regards,
>> Ge Moua | Email: moua0100 at umn.edu
>>
>> Network Design Engineer
>> University of Minnesota | Networking & Telecommunications Services
>>
>> Paul Stewart wrote:
>>
>>> Hi folks.
>>>
>>> I've setup a pair of 1841's back to back for testing l2tpv3 deployment for a
>>> client..
>>>
>>> FastE0/0 from each 1841 is connected to one another at 10.0.0.0/24 - each
>>> router has a loopback of 192.168.254.1 and .2 - OSPF is running and am able
>>> to successfully ping each other's loopback with redistributed subnets etc..
>>>
>>> Configured each router to look like this:
>>>
>>> pseudowire-class test
>>>  encapsulation l2tpv3
>>>  sequencing both
>>>  ip local interface Loopback0
>>>
>>> interface FastEthernet0/0
>>>  ip address 10.0.0.2 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>
>>> interface FastEthernet0/1
>>>  no ip address
>>>  duplex auto
>>>  speed auto
>>>  no cdp enable
>>>  xconnect 192.168.254.2 1234 pw-class test
>>>
>>> Have a notebook hooked up to each FastE0/1 port and assigned 172.16.0.1 and
>>> .2 on them. I can ping back and forth proving connectivity etc.
>>>
>>> My problem/question is how to get a packet of 1500 bytes to traverse the
>>> link - obviously fragmented but that's ok. In the real-world deployment
>>> of this setup we are limited to 1500 MTU in most situations and will presume
>>> no mini-jumbo support anywhere (from a config perspective at least).
>>>
>>> In my first config I had Path MTU discovery enabled and could only ping up
>>> to 1440 bytes. With that disabled I can now ping to 1472 but not beyond.
>>>
>>> With Path MTU turned on it looked like this:
>>>
>>> site2#sh l2tun session all
>>>
>>> %No active L2F tunnels
>>>
>>> L2TP Session Information Total tunnels 1 sessions 1
>>>
>>> Session id 53211 is up, tunnel id 32076
>>> Call serial number is 1293300000
>>> Remote tunnel name is site1
>>> Internet address is 192.168.254.1
>>> Session is L2TP signalled
>>> Session state is established, time since change 00:26:44
>>> 114 Packets sent, 116 received
>>> 30446 Bytes sent, 29032 received
>>> Last clearing of "show vpdn" counters never
>>> Receive packets dropped:
>>> out-of-order: 0
>>> total: 0
>>> Send packets dropped:
>>> exceeded session MTU: 1
>>> total: 1
>>> Session vcid is 1234
>>> Session Layer 2 circuit, type is Ethernet, name is FastEthernet0/1
>>> Circuit state is UP
>>> Remote session id is 22201, remote tunnel id 12358
>>> Session PMTU enabled, path MTU is 1500 bytes
>>> DF bit on, ToS reflect disabled, ToS value 0, TTL value 255
>>> No session cookie information available
>>> UDP checksums are disabled
>>> SSS switching enabled
>>> Sequencing is on
>>> Ns 114, Nr 116, 0 out of order packets received
>>> Unique ID is 1
>>>
>>> %No active PPTP tunnels
>>>
>>> Upon looking further I could see the DF bit on which I believe would explain
>>> the 1440 byte limit I hit. But with that disabled I am puzzled or missing
>>> something as to why I cannot fragment packets up to full 1500? What am I
>>> missing here? Do I need to make MTU adjustments towards the FastE0/1
>>> interface to force fragmentation before the l2tpv3 tunnel?
>>>
>>> Thanks in advance,
>>>
>>> Paul
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From drew.weaver at thenap.com  Thu Feb 26 12:45:51 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 26 Feb 2009 09:45:51 -0800
Subject: [c-nsp] L2 traffic tunneling
Message-ID:

We have a scenario that looks like this:

       Router        Router
HostA- Switch        Switch- HostB

The switches are each connected to both routers, but not to each other.

The routers are 12000s and the switches are 6500s.

I'm wondering what the best way is, besides running a really long cable, to get HostA and HostB in the same VLAN.

I'm pretty sure my only choice is Q in Q but I wanted to check with you folks.

Thanks,
-Drew

From mahgri at gmail.com  Thu Feb 26 13:23:00 2009
From: mahgri at gmail.com (Rik Koenig)
Date: Thu, 26 Feb 2009 13:23:00 -0500
Subject: [c-nsp] Quick VTP question
Message-ID: <82fe47b0902261023he7788eo286de854938881df@mail.gmail.com>

When using VTP, do servers save VLAN updates locally? I've read through some pieces of Cisco's docs on VTP, and they all indicate that clients won't save VTP-learned VLAN information locally. However, I'm wondering if a switch running as a server will save VTP-learned info to its local VLAN.dat file.
Thanks
~Rik

From rodunn at cisco.com  Thu Feb 26 13:25:02 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 26 Feb 2009 13:25:02 -0500
Subject: [c-nsp] L2 traffic tunneling
In-Reply-To:
References:
Message-ID: <20090226182502.GC11488@rtp-cse-489.cisco.com>

l2tpv3 or EoMPLS are options.

You have to check the hw/sw requirements against the
actual LCs you have and code.

Rodney

On Thu, Feb 26, 2009 at 09:45:51AM -0800, Drew Weaver wrote:
> We have a scenario that looks like this:
>
>        Router        Router
> HostA- Switch        Switch- HostB
>
> The switches are each connected to both routers, but not to each other.
>
> The routers are 12000s and the switches are 6500s.
>
> I'm wondering what the best way is, besides running a really long cable, to get HostA and HostB in the same VLAN.
>
> I'm pretty sure my only choice is Q in Q but I wanted to check with you folks.
>
> Thanks,
> -Drew
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com  Thu Feb 26 14:04:30 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 26 Feb 2009 14:04:30 -0500
Subject: [c-nsp] L2 traffic tunneling
In-Reply-To: <20090226182502.GC11488@rtp-cse-489.cisco.com>
References: <20090226182502.GC11488@rtp-cse-489.cisco.com>
Message-ID: <20090226190430.GD11488@rtp-cse-489.cisco.com>

Bruce mentioned local switching to me offline. And it made me look at your email closer.

I'm not sure it would be worth the complexity vs. just running a cable to .1q trunk between the switches to get the L2 connectivity.

Without that I agree with Bruce you would have to see if the LC on the GSR supports local switching between the two subinterfaces that would come up on the trunks from both switches.

Rodney

On Thu, Feb 26, 2009 at 01:25:02PM -0500, Rodney Dunn wrote:
> l2tpv3 or EoMPLS are options.
>
> You have to check the hw/sw requirements against the
> actual LCs you have and code.
>
> Rodney
>
> On Thu, Feb 26, 2009 at 09:45:51AM -0800, Drew Weaver wrote:
> > We have a scenario that looks like this:
> >
> >        Router        Router
> > HostA- Switch        Switch- HostB
> >
> > The switches are each connected to both routers, but not to each other.
> >
> > The routers are 12000s and the switches are 6500s.
> >
> > I'm wondering what the best way is, besides running a really long cable, to get HostA and HostB in the same VLAN.
> >
> > I'm pretty sure my only choice is Q in Q but I wanted to check with you folks.
> >
> > Thanks,
> > -Drew
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From bep at whack.org  Thu Feb 26 13:28:08 2009
From: bep at whack.org (Bruce Pinsky)
Date: Thu, 26 Feb 2009 10:28:08 -0800
Subject: [c-nsp] L2 traffic tunneling
In-Reply-To:
References:
Message-ID: <49A6DF38.3050209@whack.org>

Drew Weaver wrote:
> We have a scenario that looks like this:
>
>        Router        Router
> HostA- Switch        Switch- HostB
>
> The switches are each connected to both routers, but not to each other.
>
> The routers are 12000s and the switches are 6500s.
>
> I'm wondering what the best way is, besides running a really long cable, to get HostA and HostB in the same VLAN.
>
> I'm pretty sure my only choice is Q in Q but I wanted to check with you folks.
>

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1107177

- --
=========
bep

From paul at paulstewart.org  Thu Feb 26 14:15:23 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 26 Feb 2009 14:15:23 -0500
Subject: [c-nsp] l2tpv3 config - MTU question
In-Reply-To: <49A6D669.5070401@umn.edu>
References: <000001c9982d$f2429590$d6c7c0b0$@org> <49A6C83D.7090704@umn.edu> <000d01c99833$a84de100$f8e9a300$@org> <49A6CD12.50806@umn.edu> <001d01c99838$434d74f0$c9e85ed0$@org> <49A6D669.5070401@umn.edu>
Message-ID: <003101c99846$9344c4a0$b9ce4de0$@org>

Thank you - both are Windows XP machines with no firewall etc. I have tried another machine just to try and see....

Also, I tried the notebooks on an x-over cable back to back and can ping full 1500 no problem...

The entire config looks like this:

pseudowire-class test
 encapsulation l2tpv3
 sequencing both
 ip local interface Loopback0
!
interface Loopback0
 ip address 192.168.254.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 192.168.254.2 1234 pw-class test
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 10.0.0.0 0.0.0.255 area 0

Take care,

Paul

-----Original Message-----
From: Ge Moua [mailto:moua0100 at umn.edu]
Sent: Thursday, February 26, 2009 12:51 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] l2tpv3 config - MTU question

Ok, I see. Are you seeing this with more than one test workstation? I wonder if it is an end-station issue.

df=off should allow for large ping payloads; what is the syntax you are using on the end-workstation?
Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Paul Stewart wrote:
> Thank you ...
>
> Perhaps I should have explained a little more in depth - my problem at this
> moment is that with dfbit=off I still cannot do a ping larger than 1472 and
> can't understand why it's NOT being fragmented....;)
>
> Cheers,
>
> Paul
>
>
> -----Original Message-----
> From: Ge Moua [mailto:moua0100 at umn.edu]
> Sent: Thursday, February 26, 2009 12:11 PM
> To: Paul Stewart
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] l2tpv3 config - MTU question
>
> We've got about a half-dozen sites deployed on this, with about 1000
> user base total, and it's running mostly fine, caveats:
> * watch out for VTP as there may be some out of order packets that
> cause VTP convergence to fail; run the CE side in vtp transparent mode
> and add vlans manually
> * another trick we've been thinking about is adjusting MTU on the end
> workstations
> * mtu 1472 works fine as defrag/frag will happen on the pe/ce equipment;
> no worries with running high cpu on end-workstation due to frag/defrag
> operations
> * "clear ip tra" & "sh ip tra" will show frag stats on routers
>
> hope this helps.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
>
>
> Paul Stewart wrote:
>
>> Thanks - yes, absolutely and I can figure that into the equation. Been
>> reading a lot of discussions in archives and Google about this. I want to
>> ensure that however/where we deploy this that we can provide a full 1500 MTU
>> *without* having desktops make MTU adjustments basically.... at the expense
>> of fragmentation and CPU (which we can account for). No matter what I've
>> tried so far I can't get a ping through our pair of test routers larger than
>> 1472 though yet....
>>
>> This avoids websites being unreachable (Microsoft comes to mind) and other
>> MTU annoyances we've encountered over time...
>>
>> Paul
>>
>>
>> -----Original Message-----
>> From: Ge Moua [mailto:moua0100 at umn.edu]
>> Sent: Thursday, February 26, 2009 11:50 AM
>> To: Paul Stewart
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] l2tpv3 config - MTU question
>>
>> I was tackling a similar issue over here too, I think it may have to do
>> with the fact that l2tpv3 and ethernet headers are taking some of the
>> mtu allocation.
>>
>> Regards,
>> Ge Moua | Email: moua0100 at umn.edu
>>
>> Network Design Engineer
>> University of Minnesota | Networking & Telecommunications Services
>>
>> Paul Stewart wrote:
>>
>>> [...]
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From schilling2006 at gmail.com  Thu Feb 26 15:25:08 2009
From: schilling2006 at gmail.com (schilling)
Date: Thu, 26 Feb 2009 15:25:08 -0500
Subject: [c-nsp] Redistribution on ASA Firewall using route-map
In-Reply-To:
References: <49A6CD12.50806@umn.edu>
Message-ID:

Yes, you can do the prefix-list.

Schilling

On Thu, Feb 26, 2009 at 12:32 PM, wrote:
> Hello,
>
> I'm trying to accomplish redistribution between two OSPF processes (100
> and 175) using a route-map with an access-list on an ASA 8.0.
>
> Can't seem to get it working. Does anyone know if this is possible or if
> I have something messed up with the access-list (doesn't look like I can
> do a prefix-list on the route-map in ASA)? See below:
>
> Router OSPF 100
>  redistribute OSPF 175 metric-type 1 subnets tag 10457 route-map OSPF175-OSPF100-RMAP
>
> route-map OSPF175-OSPF100-RMAP permit 10
>  match ip address OSPF175-OSPF100-ACL
>
> access-list OSPF175-OSPF100-ACL remark Used for redistribution
> access-list OSPF175-OSPF100-ACL standard permit host x.y.z.0
> access-list OSPF175-OSPF100-ACL standard permit host 0.0.0.0
>
> Any help is greatly appreciated.
>
> Thank you,
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From walter.keen at RainierConnect.net  Thu Feb 26 16:49:56 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Thu, 26 Feb 2009 13:49:56 -0800
Subject: [c-nsp] (off-topic) IP Management
Message-ID: <49A70E84.3090200@rainierconnect.net>

This may be off-topic, but I'm not sure what lists to ask this in.

We are looking for an IP management system, and are considering ipplan. Has anyone using this integrated it into ARIN's rwhois server, or what system do you use (preferably one that ties into rwhois or has it built-in) to manage IPs?

From sfischer1967 at gmail.com  Thu Feb 26 17:26:15 2009
From: sfischer1967 at gmail.com (Steven Fischer)
Date: Thu, 26 Feb 2009 17:26:15 -0500
Subject: [c-nsp] weird OSPF behavior
Message-ID: <500ffb690902261426w445b6658gf1c2987256d59444@mail.gmail.com>

I am seeing weird behavior on OSPF between a 2811 Router, and a 4510R switch. A number of google searches on this came up empty. It appears as if OSPF is dropping with the following message on hourly intervals, sometimes one hour, sometimes two hours, sometimes three hours.

005840: Feb 26 15:28:05.415 EST: %OSPF-5-ADJCHG: Process 300, Nbr 192.168.208.1 on Vlan208 from FULL to DOWN, Neighbor Down: Dead timer expired

This message came from the 4510R. Note, the OSPF config is on the SVI interface, not on the physical interface.
The config for each side is as follows:

4510R

interface Vlan208
 description Management Interface
 ip address 192.168.209.254 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7
 ip ospf network point-to-point
 ip ospf resync-timeout 12
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf retransmit-interval 1
end

2811

interface FastEthernet0/1
 ip address 192.168.208.1 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7
 ip ospf network point-to-point
 ip ospf resync-timeout 12
 ip ospf dead-interval minimal hello-multiplier 4
 ip ospf retransmit-interval 1
 duplex auto
 speed auto
end

I've checked the MTUs, and they look consistent. Anything obvious I'm overlooking? This is at a remote site, and I've thought about having them swap the cable, but it would seem odd that a cable would so consistently fail at hourly intervals.

Any ideas? Thanks in advance

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy

From MLouis at nwnit.com  Thu Feb 26 19:40:19 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Thu, 26 Feb 2009 19:40:19 -0500
Subject: [c-nsp] GET-VPN and BGP
Message-ID:

Dear list,

I am working with a customer who is migrating from a static MPLS VPN to a BGP based MPLS VPN. Today they currently have a hub and spoke IPSEC VPN running over top of their MPLS WAN. Once they migrate to BGP they would like to have a solution that will support the any-to-any connectivity the MPLS WAN offers and be able to scale well to many sites (>50). What are my options here? Configuring point to point static IPSEC tunnels is not practical.

I see DMVPN and GET-VPN as practical options. Any thoughts or opinions on why they should consider one or the other?

Any feedback is greatly appreciated.
Mike

________________________________
Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From dwinkworth at att.net  Thu Feb 26 20:01:28 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Thu, 26 Feb 2009 19:01:28 -0600
Subject: [c-nsp] GET-VPN and BGP
In-Reply-To:
References:
Message-ID: <49A73B68.8080003@att.net>

We have deployed several networks now with GET, and now that we are used to it.. there is no looking back at DMVPN. When it comes to troubleshooting on the CE device, I feel GET is much easier. There is no overlay network with GET.

Mike Louis wrote:
> Dear list,
>
> I am working with a customer who is migrating from a static MPLS VPN to a BGP based MPLS VPN. Today they currently have a hub and spoke IPSEC VPN running over top of their MPLS WAN. Once they migrate to BGP they would like to have a solution that will support the any-to-any connectivity the MPLS WAN offers and be able to scale well to many sites (>50). What are my options here? Configuring point to point static IPSEC tunnels is not practical.
>
> I see DMVPN and GET-VPN as practical options. Any thoughts or opinions on why they should consider one or the other?
>
> Any feedback is greatly appreciated.
>
> Mike
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> ------------------------------------------------------------------------

From sam+cisco-nsp at australiaonline.net.au  Fri Feb 27 00:28:30 2009
From: sam+cisco-nsp at australiaonline.net.au (Sam Tilders)
Date: Fri, 27 Feb 2009 16:28:30 +1100
Subject: [c-nsp] packet loss between adjacent ciscos
Message-ID: <20090227162830.xbtdn6m8jyss40sg@webmail2.australiaonline.net.au>

Hi,

We have been experiencing some packet loss between a switch and a router directly connected to each other and are having some difficulty finding the problem.

The problem showed up when a customer complained that there were moments of silence on their voip calls. They did some pings and found that there was packet loss at the same time as the silence on the calls. With some further help from the customer, I was able to narrow the problem down to loss between two ciscos in our rack.

The network layout is like this:

carrier peer port
   |
   |  100% ping success.
   |
iofe border router (7200vxr w/npe-400 12.2(18)S4)
   | pa-fe-tx
   |
   |  99.994 - 99.999% ping success
   |
switch (2924 xl en)
   |
   |  100% ping success
   |
iofe l2tp termination router (7200vxr w/npe-300 12.4(4)T1)
   | gige
   |
downstream to customers

The ping percentages are from repeated 100000 ping samples. The interfaces are all forced duplex full, the switch interfaces are forced speed 100.

When the link between the router and the switch has loss it can be seen in the ping as a slow down then a single timeout. The ping output goes something like:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! ! ! ! ! ! ! .!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

where I've used spacing to indicate the time between markers. So it appears that the ping and reply begin to slow, then it slows enough that a single 2 second timeout occurs and then it picks up again at full speed.

A 100000 ping takes a few minutes to run and during this time it may lose one or half a dozen pings, each lost ping spaced apart, apparently with no regular period.

The router and switch are typically running around 30% cpu. When I run these ping tests the switch gets to 80% cpu, however it can be shown with cases like a customer's voip call that the problem occurs even when the util is lower.

I have correlated the ping loss with the customer's voip silence, having them on a call while running the ping and they experience a couple of seconds of silence at the same time as the router misses a ping.

I've been on site and replaced the pa-fe-tx in the 7200 to no improvement. I moved the PA to a different port on the router, no improvement. I've replaced the switch with no improvement. (We had previously tried different switch ports and replacing the cabling.)
All the while, none of the interface statistics report any errors other than the occasional ignored packet - however, these don't occur at the same time as the problem and much less frequently.

I've had various debug options turned on - both on the switch and the router - there has been no clear correlation between any events and the occurrence of packet loss.

So, I was wondering if this sounds familiar to anyone or if there is anything someone might be able to suggest to further investigate or resolve this issue. I'd appreciate any advice that can be given.

Regards,
- Sam

From ATolstykh at integrysgroup.com  Fri Feb 27 01:23:34 2009
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Fri, 27 Feb 2009 00:23:34 -0600
Subject: [c-nsp] Interesting NAToverload issue
In-Reply-To:
Message-ID: <6E31172B4025564D861CD73627500BAC02E2FC2E@pru-mail02.pe.net>

Long term your client should consider migrating to the "RPC over HTTPS" connectivity model (single HTTPS connection per client).

http://technet.microsoft.com/en-us/library/bb123741.aspx

////---////
Exchange Server 2003 enabled users to use the Windows RPC over HTTP Proxy component to access their Exchange information from the Internet. This technology wraps remote procedure calls (RPCs) with an HTTP layer. This allows the traffic to traverse network firewalls without requiring RPC ports to be opened. You do not have to use a virtual private network (VPN) to access Exchange servers across the Internet. You must allow only port 443 through your firewall, because Outlook requests use HTTP over SSL. If you already use Outlook Web Access with SSL or Exchange ActiveSync with SSL, you do not have to open any additional ports from the Internet.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Kougoulos
Sent: Wednesday, February 25, 2009 5:49 AM
To: nasir.shaikh at bt.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Interesting NAToverload issue

Hello,

you could split the usage of nat pools based on statistics of the source IP addresses, eg use 1 ip/overloaded nat pool for even source IPs and another IP for the odd source IPs

Best Regards,
John

On Wed, 25 Feb 2009, nasir.shaikh at bt.com wrote:

> Hi,
>
> I have a client who has moved their Microsoft Exchange servers to a
> service provider location (as part of a de-perimeterization strategy).
> These servers are reachable via the Internet. Thus, the client IPs are
> NATted before they cross the corporate boundary. There are about 45000
> users. Each user needs about 17-22 sessions (that's how MS Outlook
> works) and thus as many NAT entries. Therefore a NAT pool is used with
> overload. It was working fine for more than a year now but suddenly the
> following phenomenon has been noticed.
> - When a user session is being built up and he has let's say 10 NAT
> entries using the first IP in the NAT pool and the port numbers run out,
> the next IP in the NAT pool is used to complete the required number of
> sessions.
> - Exchange server is apparently not happy with one client using 2 IP
> addresses and keeps (re-)building sessions until all of them are using
> the same NATted IP. This can sometimes take up to 5 minutes.
>
> Is there a solution to this problem? There is one single destination
> global address. Is there a way to force the usage of the same IP from
> the NAT pool for all NAT requests from a particular source IP? Platform
> is 7206-vxr with NPE-G2
>
> Thanks in advance
>
>
> Nasir Shaikh
> This email contains information from BT Nederland N.V., which may be privileged or confidential.
> It's meant only for the individual(s) or entity named above.
> If you are not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited.
> If you have received this email in error, please let me know immediately on the email address above.
> We monitor our systems, and may record your emails.
>
> BT Nederland N.V.
> Registered office: Offices Minerva and Mercurius, Herikerbergweg 2, 1101 CM Amsterdam
> Registered at the Amsterdam Chamber of Commerce no: 33296214
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

From oboehmer at cisco.com  Fri Feb 27 03:12:24 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 27 Feb 2009 09:12:24 +0100
Subject: [c-nsp] weird OSPF behavior
In-Reply-To: <500ffb690902261426w445b6658gf1c2987256d59444@mail.gmail.com>
References: <500ffb690902261426w445b6658gf1c2987256d59444@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406F46728@xmb-ams-333.emea.cisco.com>

Steven Fischer <> wrote on Thursday, February 26, 2009 23:26:

> I am seeing weird behavior on OSPF between a 2811 Router, and a 4510R
> switch. A number of google searches on this came up empty.
> It
> appears as if OSPF is dropping with the following message on hourly
> intervals, sometimes one hour, sometimes two hours, sometimes three
> hours. 005840: Feb 26 15:28:05.415 EST: %OSPF-5-ADJCHG: Process 300,
> Nbr 192.168.208.1 on Vlan208 from FULL to DOWN, Neighbor Down: Dead
> timer expired
>
> This message came from the 4510R
>
> 4510R
> interface Vlan208
> ip ospf dead-interval minimal hello-multiplier 4

[...]

you are running aggressive hellos against a relatively "small" 2811 router which uses the CPU for both control and forwarding plane, so chances are the 2811 is too busy switching packets or doing something else than generating OSPF hellos at that pace.

With BFD not being available on the 4500, you can only

a) increase the interval to be less aggressive (recommended)
b) try to tune the scheduler on the 2811 (for example "scheduler allocate 3000 1000") and see if this helps. This will allocate more CPU time to non-interrupt tasks (i.e. control plane), this could have minor effects on forwarding..

(b) might help to reduce the number of flaps, you will likely never be able to get rid of them completely in such a setup.

oli

From oiyankok at yahoo.ca  Fri Feb 27 07:03:46 2009
From: oiyankok at yahoo.ca (ann kok)
Date: Fri, 27 Feb 2009 04:03:46 -0800 (PST)
Subject: [c-nsp] NAT and vlan works?
Message-ID: <354337.7689.qm@web111315.mail.gq1.yahoo.com>

Hi

I want to configure 802.1q 3 vlans and router NAT

eth1 as 192.168.1.0/24 vlan2
        192.168.2.0/24 vlan3
        ....
        192.168.3.0/24 vlan4

eth0 is public

Can it work? How can I configure?

Thank you for your help

From deric.kwok2000 at gmail.com  Fri Feb 27 07:15:31 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Fri, 27 Feb 2009 07:15:31 -0500
Subject: [c-nsp] function of access-list in switch?
Message-ID: <40d8a95a0902270415t6e0e2c04tbc172b3c9a8a3dda@mail.gmail.com>

Hi All

Could you explain to me what the function of an access-list in a switch is?

It looks like it is only to prevent access to the switch?

Am I right?

Thank you

From steve at ibctech.ca  Fri Feb 27 08:58:08 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Fri, 27 Feb 2009 08:58:08 -0500
Subject: [c-nsp] function of access-list in switch?
In-Reply-To: <40d8a95a0902270415t6e0e2c04tbc172b3c9a8a3dda@mail.gmail.com>
References: <40d8a95a0902270415t6e0e2c04tbc172b3c9a8a3dda@mail.gmail.com>
Message-ID: <49A7F170.3020703@ibctech.ca>

Deric Kwok wrote:
> Hi All
>
> Could you explain to me what the function of an access-list in a switch is?
>
> It looks like it is only to prevent access to the switch?
>
> Am I right?

Yes. So long as the switch is a Layer-2 device only.

Steve

From luan at netcraftsmen.net  Fri Feb 27 09:06:45 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Fri, 27 Feb 2009 09:06:45 -0500
Subject: [c-nsp] GET-VPN and BGP
In-Reply-To: <49A73B68.8080003@att.net>
References: <49A73B68.8080003@att.net>
Message-ID: <03a601c998e4$9fbae180$df30a480$@net>

How could GET be easier than DMVPN? :)
They both have pros and cons, so you have to look at the current design and decide which will fit better.
First, one has to look at the hardware/software pieces to see whether they can do GET-VPN. Also, with ~50 nodes, you probably want a redundant key servers solution. That's 2 extra devices. Then you need to decide where to put the key servers.
Also, one needs to look at the integration between features. If you have Zone Based Firewall, then GET is a pain to look at. With DMVPN, you just need to throw the tunnel interface into a zone.
If the customer already used GRE/IPSEC, then in my opinion, it's easier to migrate into DMVPN than GET-VPN.

Regards,
-------------------------------------------------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/
-----------------------------------------------------------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick Winkworth
Sent: Thursday, February 26, 2009 8:01 PM
To: Mike Louis
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GET-VPN and BGP

We have deployed several networks now with GET, and now that we are used to it.. there is no looking back at DMVPN. When it comes to troubleshooting on the CE device, I feel GET is much easier. There is no overlay network with GET.

Mike Louis wrote:
> Dear list,
>
> I am working with a customer who is migrating from a static MPLS VPN to a BGP based MPLS VPN. Today they currently have a hub and spoke IPSEC VPN running overtop of their MPLS WAN. Once they migrate to BGP they would like to have a solution that will support the any-to-any connectivity the MPLS WAN offers and be able to scale well to many sites >50. What are my options here? Configuring point to point static IPSEC tunnels is not practical.
>
> I see DMVPN and GET-VPN as practical options. Any thoughts or opinions on why they should consider one or the other?
>
> Any feedback is greatly appreciated.
>
> Mike
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jason at lixfeld.ca Fri Feb 27 09:15:06 2009
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Fri, 27 Feb 2009 09:15:06 -0500
Subject: [c-nsp] Odd request to anyone who has a switch capable of EoMPLS
Message-ID:

Hi,

This sounds odd, but I'm wondering if someone can test something for me. I don't have the gear to do the test myself, but I need the results for a compatibility study I'm currently working on.

I need to know whether or not a switch port from a 6500/7600 or ME6500 (or any other switch series that does EoMPLS) that is configured for EoMPLS (xconnect ) still transmits STP BPDUs while the EoMPLS tunnel is up (or down for that matter).

I have observed that with one vendor, BPDUs are still transmitted after the port has been put into EoMPLS mode and it is my personal belief that this is the incorrect behavior.

If anyone has the ability to test this with Wireshark or tcpdump, I'd be most grateful.

From nsp at shreddedmail.com Fri Feb 27 09:08:02 2009
From: nsp at shreddedmail.com (Rick Ernst)
Date: Fri, 27 Feb 2009 06:08:02 -0800 (PST)
Subject: [c-nsp] Real life and worst-case performance of Cisco and Juniper?
Message-ID: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com>

I'm looking at a network refresh and both Cisco and Juniper are on the radar. We are currently almost all-Cisco.
The two platforms we are looking at are the Juniper M10i and the Cisco 7606/Sup7203BXL.

Our bandwidth needs are pretty modest; currently less than 500Mbs and our packet consumption is about 75,000pps. I'm currently projecting over 1Gbs in about a year. Our existing gear (7200/7500/RSM) handles the load fairly well, but memory on the VIPs, RSMs, and older RSPs can't handle a full table. We also need to be able to absorb high pps DDoSes.

Juniper seems to essentially claim that "you get whatever the platform is spec'd for, regardless of packet size/type" at ~4-8Gbs. Cisco claims 720Gbs (full-duplex?) and about 40Mpps on the 720 with DFC.

Our border/core pretty much just moves packets, so I'm not too worried about the packet handling at that level. A large portion of our customer traffic is rate-limited/policed (hundreds of ethernet connections).

Does anybody have any "Yeah, Juniper really does that" stories, or experience with how packet manipulation impacts the Sup720 performance? Essentially, what could the Sup720 handle if every packet hit the CPU? Does the architectural difference between the Sup720 and 7200/7500 at least somewhat mitigate CPU impact with CAR/policing?

Thanks!

From mtinka at globaltransit.net Fri Feb 27 09:48:25 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 27 Feb 2009 22:48:25 +0800
Subject: [c-nsp] packet loss between adjacent ciscos
In-Reply-To: <20090227162830.xbtdn6m8jyss40sg@webmail2.australiaonline.net.au>
References: <20090227162830.xbtdn6m8jyss40sg@webmail2.australiaonline.net.au>
Message-ID: <200902272248.30103.mtinka@globaltransit.net>

On Friday 27 February 2009 01:28:30 pm Sam Tilders wrote:

> So, I was wondering if this sounds familiar to anyone or
> if there is anything someone might be able to suggest to
> further investigate or resolve this issue.

Does this affect all other traffic running across this switch, or just the VoIP customer?

Mark.
From swmike at swm.pp.se Fri Feb 27 09:55:49 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 27 Feb 2009 15:55:49 +0100 (CET)
Subject: [c-nsp] Real life and worst-case performance of Cisco and Juniper?
In-Reply-To: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com>
References: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com>
Message-ID:

On Fri, 27 Feb 2009, Rick Ernst wrote:

> Essentially, what could the Sup720 handle if every packet hit the CPU?
> Does the architectural difference between the Sup720 and 7200/7500 at
> least somewhat mitigate CPU impact with CAR/policing?

So.. You should look into RSP720 and not SUP720 if you're buying new (more CPU, same list price).

I don't have any numbers on CPU forwarding performance on the RSP/SUP720, but basically you'd be very disappointed, it'd be in the few 100kpps range, whereas worst case performance with CFC only is around 15Mpps.

Don't enable features that use the process switching path. If you just want to move packets, RSP720+67xx series line cards will do just fine, plenty of grunt even without DFC.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From erik at infopact.nl Fri Feb 27 09:58:32 2009
From: erik at infopact.nl (E. Versaevel)
Date: Fri, 27 Feb 2009 15:58:32 +0100
Subject: [c-nsp] Real life and worst-case performance of Cisco and Juniper?
In-Reply-To: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com>
References: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com>
Message-ID: <49A7FF98.103@infopact.nl>

Hi Rick,

We have been in a similar situation last year.
Originally we had 7206 VXR NPE-G1's as both access routers and core routers, however maintaining a full bgp table on the core routers became a bit too much for the 7206's and we wanted more interfaces for our access network (and needed to expand the access network).

In the end we went for the 7606/RSP720 as a core router(s) and moved the `core` 7206's to the access network. First of all because our entire network is Cisco which means our support staff wouldn't have to learn a new router OS. Next to that we've tested a M7i which performed flawlessly and I personally like the JunOS config style (tested mpls/ldp/ospf/bgp only, no ip vpn/virtual routers/BBA etc just plain packet forwarding). However we have a policy that every access device needs 2 direct connections to the core routers which means we need quite a few interfaces. Interface pricing on the Junipers is ridiculous imho, 18k$ for a single gigabit ethernet connection, for a fraction of that you would get a 24x SFP module for the 7600 series... (add to that that we have a few STM-1 connections which are even more expensive)

Kind regards,

Erik

Rick Ernst schreef:
> I'm looking at a network refresh and both Cisco and Juniper are on the
> radar. We are currently almost all-Cisco. The two platforms we are
> looking at are the Juniper M10i and the Cisco 7606/Sup7203BXL.
>
> Our bandwidth needs are pretty modest; currently less than 500Mbs and our
> packet consumption is about 75,000pps. I'm currently projecting over 1Gbs
> in about a year. Our existing gear (7200/7500/RSM) handles the load
> fairly well, but memory on the VIPs, RSMs, and older RSPs can't handle a
> full table. We also need to be able to absorb high pps DDoSes.
>
> Juniper seems to essentially claim that "you get whatever the platform is
> spec'd for, regardless of packet size/type" at ~4-8Gbs. Cisco claims
> 720Gbs (full-duplex?) and about 40Mpps on the 720 with DFC.
>
> Our border/core pretty much just moves packets, so I'm not too worried
> about the packet handling at that level. A large portion of our customer
> traffic is rate-limited/policed (hundreds of ethernet connections).
>
> Does anybody have any "Yeah, Juniper really does that" stories, or
> experience with how packet manipulation impacts the Sup720 performance?
> Essentially, what could the Sup720 handle if every packet hit the CPU?
> Does the architectural difference between the Sup720 and 7200/7500 at
> least somewhat mitigate CPU impact with CAR/policing?
>
> Thanks!
>

Erik Versaevel

From nsp at shreddedmail.com Fri Feb 27 10:08:12 2009
From: nsp at shreddedmail.com (Rick Ernst)
Date: Fri, 27 Feb 2009 07:08:12 -0800 (PST)
Subject: [c-nsp] Real life and worst-case performance of Cisco and Juniper?
In-Reply-To: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com>
References: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com>
Message-ID: <52612.69.30.17.85.1235747292.squirrel@www.woofpaws.com>

I'm already seeing several responses to this; thanks!

It may be worthwhile for me to rephrase the questions, rather than pre-selecting hardware... :)

- What device would you use for upstream/core connectivity that would be able to withstand high pps DDoS?

- What device and features would you use to terminate hundreds of rate-limited ethernet connections?

Both devices would need to be able to handle full tables.

Thanks again,

On Fri, February 27, 2009 06:08, Rick Ernst wrote:
>
> I'm looking at a network refresh and both Cisco and Juniper are on the
> radar. We are currently almost all-Cisco. The two platforms we are
> looking at are the Juniper M10i and the Cisco 7606/Sup7203BXL.
>
> Our bandwidth needs are pretty modest; currently less than 500Mbs and our
> packet consumption is about 75,000pps. I'm currently projecting over 1Gbs
> in about a year. Our existing gear (7200/7500/RSM) handles the load
> fairly well, but memory on the VIPs, RSMs, and older RSPs can't handle a
> full table. We also need to be able to absorb high pps DDoSes.
>
> Juniper seems to essentially claim that "you get whatever the platform is
> spec'd for, regardless of packet size/type" at ~4-8Gbs. Cisco claims
> 720Gbs (full-duplex?) and about 40Mpps on the 720 with DFC.
>
> Our border/core pretty much just moves packets, so I'm not too worried
> about the packet handling at that level. A large portion of our customer
> traffic is rate-limited/policed (hundreds of ethernet connections).
>
> Does anybody have any "Yeah, Juniper really does that" stories, or
> experience with how packet manipulation impacts the Sup720 performance?
> Essentially, what could the Sup720 handle if every packet hit the CPU?
> Does the architectural difference between the Sup720 and 7200/7500 at
> least somewhat mitigate CPU impact with CAR/policing?
>
> Thanks!
>

From david.freedman at uk.clara.net Fri Feb 27 10:29:01 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 27 Feb 2009 15:29:01 +0000
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <200902260117.47321.mtinka@globaltransit.net>
References: <200902260117.47321.mtinka@globaltransit.net>
Message-ID:

SRC2 has been an absolute disaster for me, plenty of undiscovered bugs cropping up on a regular basis now, on a related note, am keen to hear about SRC3 vs SRD, any thoughts?

Dave.

Mark Tinka wrote:
> Hi all.
>
> Is there anyone else still seeing this bug even with
> 12.2(33)SRC3, where Cisco say they have it fixed?
>
> We recently saw an NPE-G1 reboot because of this. We've
> since re-engaged the workaround (disabling BFD) until we
> hear more from TAC.
>
> This bug is very annoying...
>
> Cheers,
>
> Mark.
>

From mtinka at globaltransit.net Fri Feb 27 10:35:47 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 27 Feb 2009 23:35:47 +0800
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To:
References: <200902260117.47321.mtinka@globaltransit.net>
Message-ID: <200902272335.53802.mtinka@globaltransit.net>

On Friday 27 February 2009 11:29:01 pm David Freedman wrote:

> SRC2 has been an absolute disaster for me, plenty of
> undiscovered bugs cropping up on a regular basis now, on
> a related note, am keen to hear about SRC3 vs SRD, any
> thoughts?

Most of the bugs we filed during SRC, SRC1 and SRC2 have been fixed in SRC3 - with possibly the exception of this BFD one.

We haven't yet come across anything else in the field, but we're keeping it simple. We recently lab'ed SRC2 for the new Flexible NetFlow infrastructure, and that crashed a 7200. We haven't yet tested this with SRC3.

We're steering clear of SRD, as more work seems to have gone into SRC and there's nothing we need SRD for. Suffice it to say, SRD1 appears to be out.

Cheers,

Mark.

From mtinka at globaltransit.net Fri Feb 27 10:36:50 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 27 Feb 2009 23:36:50 +0800
Subject: [c-nsp] Real life and worst-case performance of Cisco and Juniper?
In-Reply-To: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com>
References: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com>
Message-ID: <200902272336.51154.mtinka@globaltransit.net>

On Friday 27 February 2009 10:08:02 pm Rick Ernst wrote:

> I'm looking at a network refresh and both Cisco and
> Juniper are on the radar. We are currently almost
> all-Cisco. The two platforms we are looking at are the
> Juniper M10i and the Cisco 7606/Sup7203BXL.

If you're looking at a much closer comparison, you'd be considering the ASR1004 or ASR1006 from Cisco to match Juniper's M10i platform.

> Our bandwidth needs are pretty modest; currently less
> than 500Mbs and our packet consumption is about
> 75,000pps. I'm currently projecting over 1Gbs in about a
> year. Our existing gear (7200/7500/RSM) handles the load
> fairly well, but memory on the VIPs, RSMs, and older RSPs
> can't handle a full table. We also need to be able to
> absorb high pps DDoSes.

No experience with the 7500 platform, but depending on your configuration, you could likely get 600Mbps to 750Mbps out of an NPE-G2 positioned as an edge router. However, as you mention, you want some protection against DoS-type traffic, so there isn't much headroom to work with in that respect. Besides, you're not likely to hit 1Gbps of routed traffic through the NPE-G2 either.

Bottom line, the ASR1000 series might make more sense here (but watch out for feature support; things you're already running on your 7200's).

> Juniper seems to essentially claim that "you get whatever
> the platform is spec'd for, regardless of packet
> size/type" at ~4-8Gbs.

We've spoken to our Juniper account team about these figures across their platforms. However, in actual practice for us, I guess we haven't yet pushed the routers to their limits to see this become an issue. Yes, we are seeing far more tolerance than the 7200, but then again the M10i is a hardware platform, so that's not a fair comparison.
I'd suggest doing a PoC with your Juniper team as part of your purchase requirements, and throw various packet sizes at it and see if you are happy.

> Cisco claims 720Gbs
> (full-duplex?) and about 40Mpps on the 720 with DFC.

The advertised 720Gbps/400Mpps assumes v4 traffic at 40Gbps/slot in, at least, a 9-slot chassis (which means fabric-enabled line cards running with DFC's installed pushing that much traffic). So you may not actually get this depending on how you populate each slot, how big your chassis is, and whether you decide to have a redundant supervisor engine. It doesn't mean the system isn't delivering, however.

The whole full-duplex/half-duplex thing is "marketing stuff" that gets in the way of technical capability. Grrrr... someone else should probably get into that :-).

And yeah, v6 traffic supposedly halves that forwarding capacity...

> Our border/core pretty much just moves packets, so I'm
> not too worried about the packet handling at that level.
> A large portion of our customer traffic is
> rate-limited/policed (hundreds of ethernet connections).

Pretty standard.

> Does anybody have any "Yeah, Juniper really does that"
> stories, or experience with how packet manipulation
> impacts the Sup720 performance? Essentially, what could
> the Sup720 handle if every packet hit the CPU? Does the
> architectural difference between the Sup720 and 7200/7500
> at least somewhat mitigate CPU impact with CAR/policing?

You don't want (transit) packets hitting your CPU. The SUP720 supports some features in software; don't run them there if it can be helped (which should be all the time). Besides, word is if it's not done in hardware, it's not supported.

Policing can be done in hardware on the PFC/DFC, so no need to worry about that impacting your control plane.

As others have mentioned, consider the RSP720/MSFC4 instead, for the 7600.
I'd say look at an ASR1000 as it looks closer to what your migration path might be, particularly if you're looking to terminate leased lines too, in addition to Ethernet.

AFAIK, Juniper, on the other hand, don't generally punt to software. If it's not supported in hardware, it won't work. This means they'll offload some functions to specialized line cards, e.g., tunneling, flow collection/export, etc., for platforms that don't have integrated components that can do this, or support them natively with limited functionality, i.e., enough not to break the box. This varies.

Cheers,

Mark.

From achatz at forthnet.gr Fri Feb 27 10:53:04 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 27 Feb 2009 17:53:04 +0200
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <200902272335.53802.mtinka@globaltransit.net>
References: <200902260117.47321.mtinka@globaltransit.net> <200902272335.53802.mtinka@globaltransit.net>
Message-ID: <49A80C60.6000209@forthnet.gr>

At last! EVC MIB support is in SRD1.

--
Tassos

Mark Tinka wrote on 27/02/2009 17:35:
> Suffice it to
> say, SRD1 appears to be out.
>
> Cheers,
>
> Mark.
>

From mtinka at globaltransit.net Fri Feb 27 10:54:11 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 27 Feb 2009 23:54:11 +0800
Subject: [c-nsp] Real life and worst-case performance of Cisco and Juniper?
In-Reply-To: <49A7FF98.103@infopact.nl>
References: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com> <49A7FF98.103@infopact.nl>
Message-ID: <200902272354.16431.mtinka@globaltransit.net>

On Friday 27 February 2009 10:58:32 pm E. Versaevel wrote:

> We have been in a similar situation last year.
> Originally we had 7206 VXR NPE-G1's as both access routers
> and core routers, however maintaining a full bgp table on
> the core routers became a bit too much for the 7206's...

We try not to get too religious about it, but forwarding on labels in the core is a good way to keep BGP (at least for IPv4) out, i.e., MPLS.

Again, I'm not recommending that MPLS is a solution to any kind of problem. I'm just saying that because of it, we've kept a couple of NPE-G2's and NPE-G1's running in smaller PoP's as core routers since we don't have the CPU and memory dealing with BGP. I may add that we've seen an NPE-G2 push as much as 950Mbps, aggregated, in this role.

> In the end we went for the 7606/RSP720 as a core
> router(s) and moved the `core` 7206's to the access
> network .

The problem with hardware memory, e.g., CAM, is that bad things start to happen when it's used up. The RSP720 has sufficient hardware memory (anyone moving from a SUP2/32 to a SUP/RSP720 knows this, painfully) for a long time to come, but keep that in mind as the Internet routing table continues to grow.

The advantage with software routers is that they will hold a ton of routes in memory, and use them for forwarding as well. Too bad their FIB is handled in software though :-(. That said, they do make great route reflectors. We just need to pester vendors to ensure larger memory sizes are supported in software routers for this purpose. We're not keen on using hardware platforms as route reflectors... but I digress.

> First of all because our entire network is Cisco which
> means our support staff wouldn't have to learn a new
> router OS.
We believe in a little diversity, but not too much - it's good for business and competition :-).

> Next to that we've tested a M7i which
> performed flawlessly and I personally like the JunOS
> config style (tested mpls/ldp/ospf/bgp only, no ip
> vpn/virtual routers/BBA etc just plain packet
> forwarding). However we have a policy that every access
> device needs 2 direct connections to the core routers...

Which is good.

> which means we need quite a few interfaces.

The M7i is fairly small, but with redundant connectivity into the core, you can get a couple of Gig-E interfaces in there to trunk to customers over 802.1Q. Depending on the number, you might even have room to terminate a couple of leased lines too. This will vary, of course, as each network has its own requirements.

> Interface
> pricing on the Junipers is ridiculous imho, 18k$ for a
> single gigabit ethernet connection, for a fraction of
> that you would get a 24x SFP module for the 7600
> series...

Vote with your wallet - get your account team (with whichever vendor) to see "cost/benefit" your way :-).

> (add to that that we have a few STM-1
> connections which are even more expensive)

I think STM-1, or generally, sub-Gig-E ports on the 7600 just don't make any sense. A 7200, ASR1000 or M7i might make more sense here. But since you moved your ex-7200 core routers into the edge, this isn't a problem you're facing.

Cheers,

Mark.
From frnkblk at iname.com Fri Feb 27 11:07:01 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Fri, 27 Feb 2009 10:07:01 -0600
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <200902272335.53802.mtinka@globaltransit.net>
References: <200902260117.47321.mtinka@globaltransit.net> <200902272335.53802.mtinka@globaltransit.net>
Message-ID:

We hit a bug with SRC1 that TAC said SRC3 would fix....despite the lack of documentation on the bug we hit, we've been issue-free since. Every indication is that SRC3 is pretty solid.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Friday, February 27, 2009 9:36 AM
To: cisco-nsp at puck.nether.net
Cc: David Freedman
Subject: Re: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug

On Friday 27 February 2009 11:29:01 pm David Freedman wrote:

> SRC2 has been an absolute disaster for me, plenty of
> undiscovered bugs cropping up on a regular basis now, on
> a related note, am keen to hear about SRC3 vs SRD, any
> thoughts?

Most of the bugs we filed during SRC, SRC1 and SRC2 have been fixed in SRC3 - with possibly the exception of this BFD one.

We haven't yet come across anything else in the field, but we're keeping it simple. We recently lab'ed SRC2 for the new Flexible NetFlow infrastructure, and that crashed a 7200. We haven't yet tested this with SRC3.

We're steering clear of SRD, as more work seems to have gone into SRC and there's nothing we need SRD for. Suffice it to say, SRD1 appears to be out.

Cheers,

Mark.

From mtinka at globaltransit.net Fri Feb 27 11:13:31 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 28 Feb 2009 00:13:31 +0800
Subject: [c-nsp] Real life and worst-case performance of Cisco and Juniper?
In-Reply-To: <52612.69.30.17.85.1235747292.squirrel@www.woofpaws.com>
References: <53926.69.30.17.85.1235743682.squirrel@www.woofpaws.com> <52612.69.30.17.85.1235747292.squirrel@www.woofpaws.com>
Message-ID: <200902280013.36265.mtinka@globaltransit.net>

On Friday 27 February 2009 11:08:12 pm Rick Ernst wrote:

> - What device would you use for upstream/core
> connectivity that would be able to withstand high pps
> DDoS?

Depends on:

a) how much bandwidth/pps you hope to handle
b) what switch fabric you have

We don't like giving vendors "free" money, so...

If I had to guess, I'd say, from Cisco, start off with an ASR1002 for the upstream, and take it from there. From Juniper, look at the M7i here.

For the core, I'd say consider an ASR1004/6 and work your way up from there. From Juniper, consider an M10i.

> - What device and features would you use to terminate
> hundreds of rate-limited ethernet connections?

Apart from 802.1Q VLAN's, policers, QoS, routing protocols, etc., the rest of the features depends on what you want to achieve.

As for the device, again, not sure what your traffic levels are, but if you're looking at hundreds of Ethernet connections, a 7609-S from Cisco sounds good (if an ASR1006 trunked to a couple of 3560G's is out of the question). Some folk may recommend running switches as routers, but we tend to like real routers doing that...

From Juniper, for hundreds of Ethernet connections, take a look at their MX480 router (if an M7i/M10i trunked to a couple of EX3200's is out of the question). Again, some folk may recommend running the EX3200's as routers, but...

> Both devices would need to be able to handle full tables.

Precisely why the low-end so-called "Layer 3 switches" shouldn't be run as full routers. Otherwise, the other options are good to go.

Again, these are just my opinions. You probably want to study your needs more, talk to your account team, run some PoC's, etc., and not pay any real attention to what I'm saying :-).

Mark.
From danletkeman at gmail.com Fri Feb 27 11:17:39 2009
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 27 Feb 2009 10:17:39 -0600
Subject: [c-nsp] 1142 Power Options
Message-ID:

Hello,

Has anyone tried powering the new 1142 access points on a 3550-24PWR switch? The docs say it requires only 12.95w of power but it also says it requires an 802.3af switch.

Dan.

From ras at e-gerbil.net Fri Feb 27 11:59:18 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Fri, 27 Feb 2009 10:59:18 -0600
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <200902272335.53802.mtinka@globaltransit.net>
References: <200902260117.47321.mtinka@globaltransit.net> <200902272335.53802.mtinka@globaltransit.net>
Message-ID: <20090227165918.GW51443@gerbil.cluepon.net>

On Fri, Feb 27, 2009 at 11:35:47PM +0800, Mark Tinka wrote:
> Most of the bugs we filed during SRC, SRC1 and SRC2 have
> been fixed in SRC3 - with possibly the exception of this BFD
> one.
>
> We haven't yet come across anything else in the field, but
> we're keeping it simple. We recently lab'ed SRC2 for the new
> Flexible NetFlow infrastructure, and that crashed a 7200. We
> haven't yet tested this with SRC3.
>
> We're steering clear of SRD, as more work seems to have gone
> into SRC and there's nothing we need SRD for. Suffice it to
> say, SRD1 appears to be out.

I'll pretty much agree with this in every respect for 7600 as well. SRC1 and SRC2 have multiple and serious bugs in BGP and RSVP which are fixed in SRC3. SRC3 is really the drop dead minimum place you want to be, and other than BFD hasn't done anything really "bad" yet.
We threw SRD away after quickly finding that route-map inbound continue was broken (very nasty) and the SNMP bridge mib was broken, and yeah it's pretty unnecessary feature-wise anyways.

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From steve at geekinter.net Fri Feb 27 11:35:37 2009
From: steve at geekinter.net (Steve Howes)
Date: Fri, 27 Feb 2009 16:35:37 +0000
Subject: [c-nsp] NAT and vlan works?
In-Reply-To: <354337.7689.qm@web111315.mail.gq1.yahoo.com>
References: <354337.7689.qm@web111315.mail.gq1.yahoo.com>
Message-ID: <7ED15D77-B078-48A9-B260-3D43FCB80866@geekinter.net>

On 27 Feb 2009, at 12:03, ann kok wrote:
>
> Hi
>
> I want to configure 802.1q 3 vlans and router NAT
>
> eth1 as
>
> 192.168.1.0/24 vlan2
>
> 192.168.2.0/24 vlan3 ....
>
> 192.168.3.0/24 vlan4
>
> eth0 is public
>
> Can it work?
>
> How can I configure?

Define the insides as insides, the outside as outside... configure the nat rule... plenty of documentation..

From vijay.ramcharan at verizonbusiness.com Fri Feb 27 12:27:56 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 27 Feb 2009 17:27:56 +0000
Subject: [c-nsp] NAT and vlan works?
In-Reply-To: <7ED15D77-B078-48A9-B260-3D43FCB80866@geekinter.net>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB326FCB3@ASHEVS006.mcilink.com>

While this does not answer any questions, a lot of these fairly basic types of questions can quickly and easily be lab'ed up using Dynamips/GNS3. It's well worth the minimal time and effort to get either of those running and build yourself a basic network topology.

Online vendor documentation (and I understand that some documentation can be difficult to comprehend, no sarcasm intended) is often helpful but sometimes can be overwhelming especially if you're just starting out. In these cases, trial and error with a virtual/physical lab pays big dividends. In these days, who doesn't want dividends?
The upside to a lab is that you get to test whether a suggested config actually works before you deploy it.

"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime"

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve Howes
Sent: February 27, 2009 11:36
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT and vlan works?

On 27 Feb 2009, at 12:03, ann kok wrote:
>
> Hi
>
> I want to configure 802.1q 3 vlans and router NAT
>
> eth1 as
>
> 192.168.1.0/24 vlan2
>
> 192.168.2.0/24 vlan3 ....
>
> 192.168.3.0/24 vlan4
>
> eth0 is public
>
> Can it work?
>
> How can I configure?

Define the insides as insides, the outside as outside... configure the nat rule... plenty of documentation..

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From A.L.M.Buxey at lboro.ac.uk Fri Feb 27 12:49:18 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 27 Feb 2009 17:49:18 +0000
Subject: [c-nsp] Quick VTP question
In-Reply-To: <82fe47b0902261023he7788eo286de854938881df@mail.gmail.com>
References: <82fe47b0902261023he7788eo286de854938881df@mail.gmail.com>
Message-ID: <20090227174918.GC17990@lboro.ac.uk>

Hi,

> When using VTP, do servers save VLAN updates locally? I've read
> through some pieces of Cisco's docs on VTP, and they all indicate that
> clients won't save VTP-learned VLAN information locally. However, I'm
> wondering if a switch running as a server will save VTP-learned info
> to its local VLAN.dat file.

servers save. all servers save.
alan

From mduksa at gmail.com Fri Feb 27 13:02:57 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Fri, 27 Feb 2009 10:02:57 -0800
Subject: [c-nsp] ipsec support on 7600
Message-ID:

Hi - does anyone know if Cisco 7600 can support IPSec only with RSPs and ES20 cards? No additional hardware service modules such as IPSec VPN modules. If so, I presume the processing of IPSec would take place in MSFC? I understand that performance would be severely impacted without the HW acceleration module, I just need to know if this is supported? And also maybe what would be the performance in this case?

Thanks,
Marlon

From mezoth at gmail.com Fri Feb 27 14:55:09 2009
From: mezoth at gmail.com (Mezoth)
Date: Fri, 27 Feb 2009 11:55:09 -0800 (PST)
Subject: [c-nsp] PBR on a 6.5K
In-Reply-To: <200902261512.n1QFC8Ln009996@sj-core-1.cisco.com>
References: <56F211C5E3F24F47B103EA1B253822BE03654AF8@vic-cr-ex1.staff.netspace.net.au> <200902252023.n1PKNYof005139@sj-core-2.cisco.com> <200902261512.n1QFC8Ln009996@sj-core-1.cisco.com>
Message-ID: <3cc89de9-ec45-4b96-aae7-0cb8659820b5@v15g2000yqn.googlegroups.com>

I have done some work on this recently under the 12.2(33)SRC2 codebase, and as far as I can tell it is a hardware limitation that putting a PBR to a tunnel is a software switched traffic path. This does hit the control-plane for every packet and without some other configuration there is no way around it - and Cisco has so far told me it is not in the planned list of improvements for the SR(x) train.

However, I found an interesting work around, in that PBR->VRF is hardware switched. So pushing the traffic to a VRF, and having that VRF with a default route to the tunnel endpoint effectively pushes the traffic to the tunnel. The downside is that this is not truly bidirectional for the tunnel, so it depends on your application on if this work around would apply.
- Eric Lent

On Feb 26, 10:12 am, Tim Stevenson wrote:
> My sentence should have continued: "..., if you
> want it to do hardware-switched PBR".
>
> As Rodney pointed out, more recent s/w releases
> may have added this support, so could depend on
> what release you are running whether it is hw or sw switched.
>
> Tim
>
> At 12:29 AM 2/26/2009, Dan Pinkard stated:
>
> >Thanks!
>
> >It certainly happily accepts the command, and
> >even does the right thing for the first few
> >kpps. After that, not so much, which is where
> >the whole question began. It just does so poorly that it never catches up?
>
> >----------
> >From: Tim Stevenson [mailto:tstev... at cisco.com]
> >Sent: Wednesday, February 25, 2009 12:24 PM
> >To: Dan Pinkard; cisco-... at puck.nether.net
> >Subject: Re: [c-nsp] PBR on a 6.5K
>
> >IIRC, 6500 does not support PBR with the
> >recursive next hops, you must specify a directly
> >connected next hop that you have a resolved adj for.
>
> >Tim
>
> >At 11:47 AM 2/25/2009, Dan Pinkard stated:
>
> >What are the resource limitations on policy
> >routing on SUP720s/MSFC3? Are the flows
> >ultimately process switched every time or will it draw from the route-cache?
>
> >We were toying with a very simple route-map that
> >called for both a next-hop and a recursive
> >next-hop route. A moderate (20mbps/14kpps)
> >traffic level pegged the cpu and sent IQD
> >counters sky-high. Which leads to the basic question of what went wrong?
>
> >Any ideas or observations from your own tests?
>
> >Thanks!
>
> >Tim Stevenson, tstev...
> >at cisco.com
> >Routing & Switching CCIE #5561
> >Technical Marketing Engineer, Cisco Nexus 7000
> >Cisco - http://www.cisco.com
> >IP Phone: 408-526-6759
> >********************************************************
> >The contents of this message may be *Cisco Confidential*
> >and are intended for the specified recipients only.
>
> Tim Stevenson, tstev... at cisco.com
> Routing & Switching CCIE #5561
> Technical Marketing Engineer, Cisco Nexus 7000
> Cisco - http://www.cisco.com
> IP Phone: 408-526-6759
> ********************************************************
> The contents of this message may be *Cisco Confidential*
> and are intended for the specified recipients only.

From lmeade at signal.ca Fri Feb 27 15:14:54 2009
From: lmeade at signal.ca (Leslie Meade)
Date: Fri, 27 Feb 2009 12:14:54 -0800
Subject: [c-nsp] mls qos vlan-based issues
Message-ID:

I have an issue that I cannot work out. I had all my policing statements working when I had my asa's plugged into an old 6509 via a fiber port that was trunked on both ends, and the ports that the asa's were plugged into were normal switch ports. I have now plugged them directly into the new 6509 and now I am only getting policing on downloads.
policy-map 8_Mb_Internet
 class class-default
  police cir 8388500 bc 265625 be 265625 conform-action transmit exceed-action drop violate-action drop

interface GigabitEthernet5/8
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 mls qos vlan-based

interface Vlan16
 ip address 10.1.16.2 255.255.255.0
 ip access-group Productions in
 ip helper-address 10.1.6.10
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip route-cache flow
 no ip mroute-cache
 mls netflow sampling
 standby 15 ip 10.1.16.1
 standby 15 priority 250
 standby 15 preempt
 service-policy input 8_Mb_Internet
 service-policy output 8_Mb_Internet

Any ideas what could be causing the qos to police only downloads and not uploads?

From SPfister at dps.k12.oh.us Fri Feb 27 16:00:05 2009
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Fri, 27 Feb 2009 16:00:05 -0500
Subject: [c-nsp] PIX causing problems with TLS esmtp session
Message-ID: <49A80E03.9E6F.00B8.0@dps.k12.oh.us>

There is one particular outside mail server we're having trouble sending to. Basically, our server (Groupwise) does an EHLO, and the other server offers STARTTLS. Our server sends a STARTTLS, sends a few bytes of encrypted data, and then the other server sends a RST.

If we try a test server outside the PIX, everything is fine.

I've looked at "no fixup protocol smtp 25" and "no inspect esmtp" and those already seem to be in place.

Could the pix be doing something with the certificate? Could esmtp inspection still be on?

Thanks!

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From mhuff at ox.com Fri Feb 27 16:06:35 2009
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 27 Feb 2009 16:06:35 -0500
Subject: [c-nsp] PIX causing problems with TLS esmtp session
In-Reply-To: <49A80E03.9E6F.00B8.0@dps.k12.oh.us>
References: <49A80E03.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9B5BB3DC5A7@PUR-EXCH07.ox.com>

Set up an access list with the hosts in it and port 25. Use the capture command to set up a capture on both interfaces. See which side is sending the reset (the real host, or the firewall).

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Steven Pfister
> Sent: Friday, February 27, 2009 4:00 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX causing problems with TLS esmtp session
>
> There is one particular outside mail server we're having trouble
> sending to. Basically, our server (Groupwise) does an EHLO, and the
> other server offers STARTTLS. Our server sends a STARTTLS, sends a few
> bytes of encrypted data, and then the other server sends a RST.
>
> If we try a test server outside the PIX, everything is fine.
>
> I've looked at "no fixup protocol smtp 25" and "no inspect esmtp" and
> those already seem to be in place.
>
> Could the pix be doing something with the certificate? Could esmtp
> inspection still be on?
>
> Thanks!
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us

From elparis at cisco.com Fri Feb 27 16:22:34 2009
From: elparis at cisco.com (Eloy Paris)
Date: Fri, 27 Feb 2009 16:22:34 -0500
Subject: [c-nsp] PIX causing problems with TLS esmtp session
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9B5BB3DC5A7@PUR-EXCH07.ox.com>
References: <49A80E03.9E6F.00B8.0@dps.k12.oh.us> <483E6B0272B0284BA86D7596C40D29F9B5BB3DC5A7@PUR-EXCH07.ox.com>
Message-ID: <20090227212234.GT14612@cisco.com>

On Fri, Feb 27, 2009 at 04:06:35PM -0500, Matthew Huff wrote:

> setup an access list with the hosts in it and port 25. use the capture
> command to setup a capture on both interfaces. See which side is sending the
> reset (the real host, or the firewall)

Agreed; this is a great way to start troubleshooting. You could also look at the syslog messages generated by the PIX to see why the connection (on the PIX) is terminating.

Cheers,

Eloy Paris.-
Cisco PSIRT

> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Steven Pfister
> > Sent: Friday, February 27, 2009 4:00 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] PIX causing problems with TLS esmtp session
> >
> > There is one particular outside mail server we're having trouble
> > sending to. Basically, our server (Groupwise) does an EHLO, and the
> > other server offers STARTTLS. Our server sends a STARTTLS, sends a few
> > bytes of encrypted data, and then the other server sends a RST.
> >
> > If we try a test server outside the PIX, everything is fine.
> >
> > I've looked at "no fixup protocol smtp 25" and "no inspect esmtp" and
> > those already seem to be in place.
> >
> > Could the pix be doing something with the certificate? Could esmtp
> > inspection still be on?
> >
> > Thanks!
> >
> > Steve Pfister
> > Technical Coordinator,
> > The Office of Information Technology
> > Dayton Public Schools
> > 115 S. Ludlow St.
> > Dayton, OH 45402
> >
> > Office (937) 542-3149
> > Cell (937) 673-6779
> > Direct Connect: 137*131747*8
> > Email spfister at dps.k12.oh.us

From vijay.ramcharan at verizonbusiness.com Fri Feb 27 16:40:29 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 27 Feb 2009 21:40:29 +0000
Subject: [c-nsp] PIX causing problems with TLS esmtp session
In-Reply-To: <20090227212234.GT14612@cisco.com>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB32BA3D2@ASHEVS006.mcilink.com>

Check here for "allow-tls"
http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn723.pdf

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eloy Paris
Sent: February 27, 2009 16:23
To: 'Steven Pfister'
Cc: 'cisco-nsp at puck.nether.net'
Subject: Re: [c-nsp] PIX causing problems with TLS esmtp session

On Fri, Feb 27, 2009 at 04:06:35PM -0500, Matthew Huff wrote:

> setup an access list with the hosts in it and port 25. use the capture
> command to setup a capture on both interfaces.
> See which side is sending the
> reset (the real host, or the firewall)

Agreed; this is a great way to start troubleshooting. You could also look at the syslog messages generated by the PIX to see why the connection (on the PIX) is terminating.

Cheers,

Eloy Paris.-
Cisco PSIRT

> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Steven Pfister
> > Sent: Friday, February 27, 2009 4:00 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] PIX causing problems with TLS esmtp session
> >
> > There is one particular outside mail server we're having trouble
> > sending to. Basically, our server (Groupwise) does an EHLO, and the
> > other server offers STARTTLS. Our server sends a STARTTLS, sends a few
> > bytes of encrypted data, and then the other server sends a RST.
> >
> > If we try a test server outside the PIX, everything is fine.
> >
> > I've looked at "no fixup protocol smtp 25" and "no inspect esmtp" and
> > those already seem to be in place.
> >
> > Could the pix be doing something with the certificate? Could esmtp
> > inspection still be on?
> >
> > Thanks!
> >
> > Steve Pfister
> > Technical Coordinator,
> > The Office of Information Technology
> > Dayton Public Schools
> > 115 S. Ludlow St.
> > Dayton, OH 45402
> >
> > Office (937) 542-3149
> > Cell (937) 673-6779
> > Direct Connect: 137*131747*8
> > Email spfister at dps.k12.oh.us

From joey at clean.q7.com Fri Feb 27 17:04:25 2009
From: joey at clean.q7.com (Joe Pruett)
Date: Fri, 27 Feb 2009 14:04:25 -0800 (PST)
Subject: [c-nsp] packet loss between adjacent ciscos
In-Reply-To: <20090227162830.xbtdn6m8jyss40sg@webmail2.australiaonline.net.au>
References: <20090227162830.xbtdn6m8jyss40sg@webmail2.australiaonline.net.au>
Message-ID:

> So, I was wondering if this sounds familiar to anyone or if there is
> anything someone might be able to suggest to further investigate or
> resolve this issue.
>
> I'd appreciate any advice that can be given.

The one time I saw something like this it was excessive arp packets triggering my switch to go into broadcast storm control mode.
From lukasz at bromirski.net Fri Feb 27 19:56:21 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 28 Feb 2009 01:56:21 +0100
Subject: [c-nsp] 12.4(24)T is out with support for 4B ASNs
Message-ID: <49A88BB5.8050901@bromirski.net>

As there were numerous discussions on the list, there's 12.4(24)T already on CCO which supports 4B ASNs (asdot only) on access boxes:

http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TNEWF.html#wp2184610

-- 
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From mtinka at globaltransit.net Fri Feb 27 20:57:38 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 28 Feb 2009 09:57:38 +0800
Subject: [c-nsp] 12.2(33)SRCx - Pseudo Pre-emption Handler - BFD Bug
In-Reply-To: <20090227165918.GW51443@gerbil.cluepon.net>
References: <200902260117.47321.mtinka@globaltransit.net> <200902272335.53802.mtinka@globaltransit.net> <20090227165918.GW51443@gerbil.cluepon.net>
Message-ID: <200902281002.22977.mtinka@globaltransit.net>

On Saturday 28 February 2009 12:59:18 am Richard A Steenbergen wrote:

> I'll pretty much agree with this in every respect for
> 7600 as well. SRC1 and SRC2 have multiple and serious
> bugs in BGP and RSVP which are fixed in SRC3. SRC3 is
> really the drop dead minimum place you want to be, and
> other than BFD hasn't done anything really "bad" yet. We
> threw SRD away after quickly finding that route-map
> inbound continue was broken (very nasty) and the SNMP
> bridge mib was broken, and yeah it's pretty unnecessary
> feature-wise anyways.

Let's just hope that whichever SR* train ends up having 4-byte ASN code by end of the year is stable, as that is what might force most of us to move from SRC, assuming 4-byte ASN support isn't included for it.

Need to check with our account team on this.

Mark.
From ras at e-gerbil.net Fri Feb 27 21:52:16 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Fri, 27 Feb 2009 20:52:16 -0600
Subject: [c-nsp] bootvar desync between RP and SP
Message-ID: <20090228025216.GC51443@gerbil.cluepon.net>

Has anyone ever seen a situation where the RP and SP bootvar gets desynced, like so:

router#sh bootvar
BOOT variable = disk0:s72033-advipservicesk9-mz.122-33.SRC3.bin,1;disk0:s72033-advipservicesk9-mz.122-33.SRC2.bin,1;
CONFIG_FILE variable =
BOOTLDR variable =
Configuration register is 0x2102

router#remote login switch
Trying Switch ...
Entering CONSOLE for Switch
Type "^C^C^C" to end this session

router-sp#show bootvar
BOOT variable = disk0:s72033-advipservicesk9-mz.122-33.SRC2.bin,1;disk0:s72033-advipservicesk9-mz.122-33.SRC1.bin,1;disk0:s72033-advipservicesk9-mz.122-33.SRC1.bin,1;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102

I tried clearing and re-adding the boot config, resetting the config register, etc, but when the box reboots it always tries to load the images specified in the SP bootvar. The only way to load new images on the box (short of breaking to rommon and manually typing the image name on console) is to rename the new file to one of the image names the SP is looking for, which needless to say is pretty annoying. Any clues?
-- 
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From tdurack at gmail.com Fri Feb 27 22:24:16 2009
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 27 Feb 2009 22:24:16 -0500
Subject: [c-nsp] bootvar desync between RP and SP
In-Reply-To: <20090228025216.GC51443@gerbil.cluepon.net>
References: <20090228025216.GC51443@gerbil.cluepon.net>
Message-ID: <9e246b4d0902271924x133a1b9g1ca5cda9204621e4@mail.gmail.com>

On Fri, Feb 27, 2009 at 9:52 PM, Richard A Steenbergen wrote:

> Has anyone ever seen a situation where the RP and SP bootvar gets
> desynced, like so:
>
> router#sh bootvar
> BOOT variable =
> disk0:s72033-advipservicesk9-mz.122-33.SRC3.bin,1;disk0:s72033-advipservicesk9-mz.122-33.SRC2.bin,1;
> CONFIG_FILE variable =
> BOOTLDR variable =
> Configuration register is 0x2102
>
> router#remote login switch
> Trying Switch ...
> Entering CONSOLE for Switch
> Type "^C^C^C" to end this session
>
> router-sp#show bootvar
> BOOT variable =
> disk0:s72033-advipservicesk9-mz.122-33.SRC2.bin,1;disk0:s72033-advipservicesk9-mz.122-33.SRC1.bin,1;disk0:s72033-advipservicesk9-mz.122-33.SRC1.bin,1;
> CONFIG_FILE variable does not exist
> BOOTLDR variable does not exist
> Configuration register is 0x2102
>
> I tried clearing and readding the boot config, resetting the config
> register, etc, but when the box reboots it always tries to load the
> images specified in the SP bootvar. The only way to load new images on
> the box (short of breaking to rommon and manually typing the image name
> on console) is to rename the new file to one of the image names the SP
> is looking for, which needless to say is pretty annoying. Any clues?
>

And you did all of that from the RP? I've had issues with the config-register getting out of sync. Setting it on the RP and doing a write mem fixed it for me (6k5 running SX. Different bugs than a 7k6 no doubt.)
Tim:>

>
> --
> Richard A Steenbergen http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>

From ras at e-gerbil.net Sat Feb 28 00:13:14 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Fri, 27 Feb 2009 23:13:14 -0600
Subject: [c-nsp] bootvar desync between RP and SP
In-Reply-To: <9e246b4d0902271924x133a1b9g1ca5cda9204621e4@mail.gmail.com>
References: <20090228025216.GC51443@gerbil.cluepon.net> <9e246b4d0902271924x133a1b9g1ca5cda9204621e4@mail.gmail.com>
Message-ID: <20090228051314.GD51443@gerbil.cluepon.net>

On Fri, Feb 27, 2009 at 10:24:16PM -0500, Tim Durack wrote:
> And you did all of that from the RP? I've had issues with the
> config-register getting out of sync. Setting it on the RP and doing a write
> mem fixed it for me (6k5 running SX. Different bugs than a 7k6 no doubt.)

Yeah I've had those before too, but as you can see the SP and RP agree about the config-register (plus as I said, I manually reset it too). Making it sync the bootvar is a little more... unclear.

-- 
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From musmanashraf at gmail.com Sat Feb 28 00:25:20 2009
From: musmanashraf at gmail.com (M Usman Ashraf)
Date: Sat, 28 Feb 2009 10:25:20 +0500
Subject: [c-nsp] bootvar desync between RP and SP
In-Reply-To: <20090228051314.GD51443@gerbil.cluepon.net>
References: <20090228025216.GC51443@gerbil.cluepon.net> <9e246b4d0902271924x133a1b9g1ca5cda9204621e4@mail.gmail.com> <20090228051314.GD51443@gerbil.cluepon.net>
Message-ID: <9149d2410902272125n189f4fc0sf678a50621538b0a@mail.gmail.com>

Hi,

What is the "boot system" command in this box configuration?
On Sat, Feb 28, 2009 at 10:13 AM, Richard A Steenbergen wrote:

> On Fri, Feb 27, 2009 at 10:24:16PM -0500, Tim Durack wrote:
> > And you did all of that from the RP? I've had issues with the
> > config-register getting out of sync. Setting it on the RP and doing a
> write
> > mem fixed it for me (6k5 running SX. Different bugs than a 7k6 no doubt.)
>
> Yeah I've had those before too, but as you can see the SP and RP agree
> about the config-register (plus as I said, I manually reset it too).
> Making it sync the bootvar is a little more... unclear.
>
> --
> Richard A Steenbergen http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>

-- 
Regards,
M Usman Ashraf

From p_ambedkar at rediffmail.com Sat Feb 28 00:41:07 2009
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 28 Feb 2009 05:41:07 -0000
Subject: [c-nsp] cisco 2600 fxs card
Message-ID: <20090228054107.18119.qmail@f4mail-235-246.rediffmail.com>

hi,

I am using an fxs card in a cisco 2600 router. The problem is, in "sh ver" it is showing voice ports, I have configured for POTS, but dial tone is not coming. This card previously worked. please give solutions.

bye.

From saku+cisco-nsp at ytti.fi Sat Feb 28 03:11:35 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sat, 28 Feb 2009 10:11:35 +0200
Subject: [c-nsp] function of access-list in switch?
In-Reply-To: <40d8a95a0902270415t6e0e2c04tbc172b3c9a8a3dda@mail.gmail.com>
References: <40d8a95a0902270415t6e0e2c04tbc172b3c9a8a3dda@mail.gmail.com>
Message-ID: <20090228081135.GA4171@mx.ytti.net>

On (2009-02-27 07:15 -0500), Deric Kwok wrote:

> Could you explain to me what is function of access-list in switch?
>
> It looks like to do prevent access to switch only?
>
> Am I right?

No.
You can in many CSCO switches use L3 access-lists in L2, although typically only on inbound direction. Some usage cases:

a) rudimentary anti-spoofing
b) stopping infected machine from spreading infection, while allowing machine administration to reach it and fix it
c) for server aggregation style, on uplink you could protect the servers, like only allow 0.0.0.0 80 to them and 22 from MGMT NET, providing wire-rate protection of DoS.

As not just IP match is allowed, but also MAC and ethertype, you could allow only IPv4, IPv6 and ARP frames, to avoid unwanted traffic entering.

-- 
  ++ytti

From saku+cisco-nsp at ytti.fi Sat Feb 28 03:54:47 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sat, 28 Feb 2009 10:54:47 +0200
Subject: [c-nsp] ftp.cisco.com unusable?
In-Reply-To: <49A88BB5.8050901@bromirski.net>
References: <49A88BB5.8050901@bromirski.net>
Message-ID: <20090228085447.GA4503@mx.ytti.net>

After seeing the post about 12.4(24)T being released, I wondered why I didn't know that; my script should have notified me.

It turns out, I haven't been able to really connect to ftp.cisco.com lately. This problem has persisted at least from the 14th day, but may have been there earlier. With some persistence you can get some directory listings out from there, but for all purpose and intent it seems unusable.

Are others seeing this too?

-- 
  ++ytti

From elmi at 4ever.de Sat Feb 28 06:15:09 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Sat, 28 Feb 2009 12:15:09 +0100
Subject: [c-nsp] ftp.cisco.com unusable?
In-Reply-To: <20090228085447.GA4503@mx.ytti.net>
References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net>
Message-ID: <20090228111509.GG27070@ronin.4ever.de>

Re Ytti,

saku+cisco-nsp at ytti.fi (Saku Ytti) wrote:

> It turns out, I haven't been able to really connect to ftp.cisco.com
> lately. This problem has persisted at least from the 14th day, but may
> have been there earlier.
I just tried accessing Cisco FTP (ftp.cisco.com) - no problems, apart from not being able to find ASR images...

From avayner at cisco.com Sat Feb 28 06:17:11 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 28 Feb 2009 12:17:11 +0100
Subject: [c-nsp] ipsec support on 7600
In-Reply-To:
References:
Message-ID: <78C984F8939D424697B15E4B1C1BB3D746DEA5@xmb-ams-331.emea.cisco.com>

Marlon,

The support is limited only for management purpose IPSec sessions. Scale is very limited: 1-2Mbps.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
Sent: Friday, February 27, 2009 20:03
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ipsec support on 7600

Hi - does anyone know if Cisco 7600 can support IPSec only with RSPs and ES20 cards? No additional hardware service modules such as IPSec VPN modules. If so, I presume the processing of IPSec would take place in MSFC? I understand that performance would be severely impacted without the HW acceleration module, I just need to know if this is supported? And also maybe what would be the performance in this case?

Thanks,
Marlon

From saku+cisco-nsp at ytti.fi Sat Feb 28 06:46:15 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sat, 28 Feb 2009 13:46:15 +0200
Subject: [c-nsp] ftp.cisco.com unusable?
In-Reply-To: <20090228111509.GG27070@ronin.4ever.de>
References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090228111509.GG27070@ronin.4ever.de>
Message-ID: <20090228114615.GA5166@mx.ytti.net>

On (2009-02-28 12:15 +0100), Elmar K. Bins wrote:

> I just tried accessing Cisco FTP (ftp.cisco.com) - no problems, apart
> from not being able to find ASR images...
Strange, I know it's not just me, as several people were able to confirm it, but kinda strange if it works for some people then.

For me it is mostly just:

[ytti at ytti.fi ~]% lftp ftp.cisco.com
lftp ytti at ftp.cisco.com:~> ls
`ls' at 0 [Making data connection...]

Sometimes out of fluke it may work.

-- 
  ++ytti

From elmi at 4ever.de Sat Feb 28 07:33:05 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Sat, 28 Feb 2009 13:33:05 +0100
Subject: [c-nsp] ftp.cisco.com unusable?
In-Reply-To: <20090228114615.GA5166@mx.ytti.net>
References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090228111509.GG27070@ronin.4ever.de> <20090228114615.GA5166@mx.ytti.net>
Message-ID: <20090228123304.GI27070@ronin.4ever.de>

saku+cisco-nsp at ytti.fi (Saku Ytti) wrote:

> > I just tried accessing Cisco FTP (ftp.cisco.com) - no problems, apart
> > from not being able to find ASR images...
>
> Strange, I know it's not just me, as several people were able to
> confirm it, but kinda strange if it works for some people then.
>
> For me it is mostly just:
> [ytti at ytti.fi ~]% lftp ftp.cisco.com
> lftp ytti at ftp.cisco.com:~> ls
> `ls' at 0 [Making data connection...]

Now that you mention it, it happens to me as well...

220 download-sj-4.cisco.com FTP Server (Apache) ready.
Name (ftp.cisco.com:ekb): elmi
331 Password required for elmi
Password:
230 User elmi logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 EPSV: Command not recognized
227 Entering Passive Mode (198,133,219,241,46,108)

Well, doing FTP with an Apache...
(that's like teaching a cowboy to shoot arrows, right?)

Elmi.

From saku+cisco-nsp at ytti.fi Sat Feb 28 08:05:53 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sat, 28 Feb 2009 15:05:53 +0200
Subject: [c-nsp] ftp.cisco.com unusable?
In-Reply-To: <20090228123304.GI27070@ronin.4ever.de>
References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090228111509.GG27070@ronin.4ever.de> <20090228114615.GA5166@mx.ytti.net> <20090228123304.GI27070@ronin.4ever.de>
Message-ID: <20090228130553.GA5494@mx.ytti.net>

On (2009-02-28 13:33 +0100), Elmar K. Bins wrote:

> > lftp ytti at ftp.cisco.com:~> ls
> > `ls' at 0 [Making data connection...]
>
> Now that you mention it, it happens to me as well...
>
> ftp> ls
> 500 EPSV: Command not recognized
> 227 Entering Passive Mode (198,133,219,241,46,108)
>
> Well, doing FTP with an Apache...
> (that's like teaching a cowboy to shoot arrows, right?

Right :). Thank you for the update. Hopefully someone from @cisco.com picks up gets it fixed.

--
++ytti

From elmi at 4ever.de Sat Feb 28 12:05:34 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Sat, 28 Feb 2009 18:05:34 +0100
Subject: [c-nsp] ftp.cisco.com unusable?
In-Reply-To: <20090228130553.GA5494@mx.ytti.net>
References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090228111509.GG27070@ronin.4ever.de> <20090228114615.GA5166@mx.ytti.net> <20090228123304.GI27070@ronin.4ever.de> <20090228130553.GA5494@mx.ytti.net>
Message-ID: <20090228170533.GJ27070@ronin.4ever.de>

saku+cisco-nsp at ytti.fi (Saku Ytti) wrote:

> > ftp> ls
> > 500 EPSV: Command not recognized
> > 227 Entering Passive Mode (198,133,219,241,46,108)
> >
> > Well, doing FTP with an Apache...
> > (that's like teaching a cowboy to shoot arrows, right?
>
> Right :). Thank you for the update. Hopefully someone
> from @cisco.com picks up gets it fixed.

I guess they will have to kick their sysadmins. This happening or not depends on which server DNS gives you for "ftp.cisco.com".
Broken: download-sj-4.cisco.com
Working: download-sj-2.cisco.com
(Examples)

From avayner at cisco.com Sat Feb 28 12:26:41 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 28 Feb 2009 18:26:41 +0100
Subject: [c-nsp] ftp.cisco.com unusable?
In-Reply-To: <20090228170533.GJ27070@ronin.4ever.de>
References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090228111509.GG27070@ronin.4ever.de> <20090228114615.GA5166@mx.ytti.net> <20090228123304.GI27070@ronin.4ever.de> <20090228130553.GA5494@mx.ytti.net> <20090228170533.GJ27070@ronin.4ever.de>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D746DEBF@xmb-ams-331.emea.cisco.com>

Guys,

I can recreate it from my PC as well. It seems that:
- download-sj-1 and download-sj-2 work
- download-sj-3 and download-sj-4 are broken

I will file a case for this with Cisco IT.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Elmar K. Bins
Sent: Saturday, February 28, 2009 19:06
To: Saku Ytti
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ftp.cisco.com unusable?

saku+cisco-nsp at ytti.fi (Saku Ytti) wrote:

> > ftp> ls
> > 500 EPSV: Command not recognized
> > 227 Entering Passive Mode (198,133,219,241,46,108)
> >
> > Well, doing FTP with an Apache...
> > (that's like teaching a cowboy to shoot arrows, right?
>
> Right :). Thank you for the update. Hopefully someone
> from @cisco.com picks up gets it fixed.

I guess they will have to kick their sysadmins. This happening or not depends on which server DNS gives you for "ftp.cisco.com".
Broken: download-sj-4.cisco.com
Working: download-sj-2.cisco.com
(Examples)

From Joel.Snyder at Opus1.COM Sat Feb 28 12:37:55 2009
From: Joel.Snyder at Opus1.COM (Joel Snyder)
Date: Sat, 28 Feb 2009 10:37:55 -0700
Subject: [c-nsp] ftp.cisco.com unusable?
Message-ID: <49A97673.4010604@opus1.com>

Doesn't work for me in either passive or active FTP mode. Smells like a defective firewall ALG or IPS. Must be they put an ASA in front of it... :-(

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
jms at Opus1.COM
http://www.opus1.com/jms

From deric.kwok2000 at gmail.com Sat Feb 28 12:54:14 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Sat, 28 Feb 2009 12:54:14 -0500
Subject: [c-nsp] function of access-list in switch?
In-Reply-To: <20090228081135.GA4171@mx.ytti.net>
References: <40d8a95a0902270415t6e0e2c04tbc172b3c9a8a3dda@mail.gmail.com> <20090228081135.GA4171@mx.ytti.net>
Message-ID: <40d8a95a0902280954i536e1407w49cbf2b23c8bb985@mail.gmail.com>

Hi Saku

Thank you for your information. Good to learn from you

One more question, I add one line access rule in cisco router (R700 CPU at 240MHz with 252928K/9216K bytes of memory.)

the cpu graph raises from 70% to 80%.

Is the switch also having this problem?

Thank you

On Sat, Feb 28, 2009 at 3:11 AM, Saku Ytti wrote:

> On (2009-02-27 07:15 -0500), Deric Kwok wrote:
>
> > Could you explain to me what is function of access-list in switch?
> >
> > It looks like to do prevent access to switch only?
> >
> > Am I right?
>
> No. You can in many CSCO switches use L3 access-lists in L2, although
> typically only on inbound direction.
>
> Some usage cases:
> a) rudimentary anti-spoofing
> b) stopping infected machine from spreading infection, while allowing
> machine administration to reach it and fix it
> c) for server aggregation style, on uplink you could protect the
> servers, like only allow 0.0.0.0 80 to them and 22 from MGMT NET,
> providing wire-rate protection of DoS.
>
> As not just IP match is allowed, but also MAC and ethertype, you
> could allow only IPv4, IPv6 and ARP frames, to avoid unwanted
> traffic entering.
>
> --
> ++ytti

From deric.kwok2000 at gmail.com Sat Feb 28 12:59:20 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Sat, 28 Feb 2009 12:59:20 -0500
Subject: [c-nsp] how can I know which process takes over CPU and memory?
Message-ID: <40d8a95a0902280959q7c5abfb4j8b5def5adfe4a097@mail.gmail.com>

Hi All

I am trying to add access rule to prevent outside accessing to one host.

I realize the router CPU (R700 CPU at 240MHz) graph rising from 70% to 80%

How can I know which process used up how many CPU and memory?

I use show memory but don't understand the listing

Thank you for your help

From berni at birkenwald.de Sat Feb 28 13:19:47 2009
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Sat, 28 Feb 2009 18:19:47 +0000 (UTC)
Subject: [c-nsp] ftp.cisco.com unusable?
References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net>
Message-ID:

Saku Ytti wrote:

> It turns out, I haven't been able to really connect to ftp.cisco.com
> lately. This problem has persisted at least from 14th day, but may
> have been there earlier.
> With some persistence you can get some directory listings out from
> there, but for all purpose and intent it seems unusable.
>
> Are others seeing this too?
Cisco has apparently broken their DNS loadbalancer and returns (in my book) invalid answers for AAAA queries, which messes with IPv6-enabled clients a lot.

ftp.cisco.com. 86400 IN NS sjce-ddir-ns.cisco.com.
ftp.cisco.com. 86400 IN NS rtp5-ddir-ns.cisco.com.

$ dig -t a ftp.cisco.com @sjce-ddir-ns.cisco.com +norec

gives A record in the answer section, still not quite legit because the answer is missing the aa flag but it seems to be accepted by most caches

$ dig -t aaaa ftp.cisco.com @sjce-ddir-ns.cisco.com +norec

gives a straight referral to the same servers (dig calls this horizontal referral), which is obviously completely broken. If you're lucky your resolver returns SERVFAIL, but you might get a timeout as well.

I've sent an email to my SE and all DNS contacts at cisco.com I could find a week ago, but no answer so far. I'll kick my SE on Monday if it hasn't improved until then.

Bernhard

From turunc.mehmet at gmail.com Sat Feb 28 13:33:55 2009
From: turunc.mehmet at gmail.com (Mehmet Turunc)
Date: Sat, 28 Feb 2009 20:33:55 +0200
Subject: [c-nsp] cisco 2600 fxs card
In-Reply-To: <20090228054107.18119.qmail@f4mail-235-246.rediffmail.com>
References: <20090228054107.18119.qmail@f4mail-235-246.rediffmail.com>
Message-ID:

Did you shut/noshut the voice ports? Sometimes they can freeze as off-hook.

--
MT

On Sat, Feb 28, 2009 at 7:41 AM, ambedkar wrote:

>
> hi,
> i am using fxs card in cisco 2600 router. the problem is, in "sh ver" it is
> showing voice ports, I have configured for POTS, but dial tone is not
> coming.
> This card previously worked.
>
> please give solutions.
>
> bye.
From chip.gwyn at gmail.com Sat Feb 28 13:38:01 2009
From: chip.gwyn at gmail.com (chip)
Date: Sat, 28 Feb 2009 13:38:01 -0500
Subject: [c-nsp] sho ip bgp nei [routes | received-routes] and their SNMP equivalents
Message-ID: <64a8ad980902281038g30856ce6w27da0f6e374d748e@mail.gmail.com>

Hi folks,

Maybe I'm missing it, but I can't seem to find the SNMP OID for finding the number of routes received from a peer post-filtering. 'sho ip bgp nei x.x.x.x received-routes' shows the route table received from a peer prior to any filter modifications whereas 'sho ip bgp nei x.x.x.x routes' shows routes from a peer after filtering. I'm using the "bgp4PathAttrEntry" object to get a table but this seems to be the one prior to any filtering.

NOTE: unless "soft-reconfiguration inbound" is configured for the specific peer the 'received-routes' command will not have any output.

Thanks!

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....

From saku+cisco-nsp at ytti.fi Sat Feb 28 14:33:19 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sat, 28 Feb 2009 21:33:19 +0200
Subject: [c-nsp] function of access-list in switch?
In-Reply-To: <40d8a95a0902280954i536e1407w49cbf2b23c8bb985@mail.gmail.com>
References: <40d8a95a0902270415t6e0e2c04tbc172b3c9a8a3dda@mail.gmail.com> <20090228081135.GA4171@mx.ytti.net> <40d8a95a0902280954i536e1407w49cbf2b23c8bb985@mail.gmail.com>
Message-ID: <20090228193319.GA7100@mx.ytti.net>

On (2009-02-28 12:54 -0500), Deric Kwok wrote:

Hey,

> One more question, I add one line access rule in cisco router (r700 CPU at
> 240MHz with with 252928K/9216K bytes of memory.)
>
> the cpu graph raises from 70% to 80%.
>
> ls the switch also having this problem?

If the switch can do port acl it'll be done in ASIC.
So as long as you stay within ASIC limits (finite number of rules, typically port ranges not possible or very limited amount available and no log statement) you're go.

> Thank you
>
> On Sat, Feb 28, 2009 at 3:11 AM, Saku Ytti wrote:
>
> > On (2009-02-27 07:15 -0500), Deric Kwok wrote:
> >
> > > Could you explain to me what is function of access-list in switch?
> > >
> > > It looks like to do prevent access to switch only?
> > >
> > > Am I right?
> >
> > No. You can in many CSCO switches use L3 access-lists in L2, although
> > typically only on inbound direction.
> >
> > Some usage cases:
> > a) rudimentary anti-spoofing
> > b) stopping infected machine from spreading infection, while allowing
> > machine administration to reach it and fix it
> > c) for server aggregation style, on uplink you could protect the
> > servers, like only allow 0.0.0.0 80 to them and 22 from MGMT NET,
> > providing wire-rate protection of DoS.
> >
> > As not just IP match is allowed, but also MAC and ethertype, you
> > could allow only IPv4, IPv6 and ARP frames, to avoid unwanted
> > traffic entering.
> >
> > --
> > ++ytti

--
++ytti

From tdurack at gmail.com Sat Feb 28 14:46:04 2009
From: tdurack at gmail.com (Tim Durack)
Date: Sat, 28 Feb 2009 14:46:04 -0500
Subject: [c-nsp] bootvar desync between RP and SP
In-Reply-To: <20090228051314.GD51443@gerbil.cluepon.net>
References: <20090228025216.GC51443@gerbil.cluepon.net> <9e246b4d0902271924x133a1b9g1ca5cda9204621e4@mail.gmail.com> <20090228051314.GD51443@gerbil.cluepon.net>
Message-ID: <9e246b4d0902281146v49e631f1s7d8bc97fa6b734f0@mail.gmail.com>

On Sat, Feb 28, 2009 at 12:13 AM, Richard A Steenbergen wrote:

> On Fri, Feb 27, 2009 at 10:24:16PM -0500, Tim Durack wrote:
> > And you did all of that from the RP? I've had issues with the
> > config-register getting out of sync. Setting it on the RP and doing a write
> > mem fixed it for me (6k5 running SX. Different bugs than a 7k6 no doubt.)
>
> Yeah I've had those before too, but as you can see the SP and RP agree
> about the config-register (plus as I said, I manually reset it too).
> Making it sync the bootvar is a little more... unclear.
>

What does "show run" look like on the sp? Mine all have:

!
boot-start-marker
boot-end-marker
!

Wonder if that ever gets out of sync.

Tim:>

From ip at ioshints.info Sat Feb 28 15:03:14 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Sat, 28 Feb 2009 21:03:14 +0100
Subject: [c-nsp] how can I know which process takes over CPU and memory?
In-Reply-To: <40d8a95a0902280959q7c5abfb4j8b5def5adfe4a097@mail.gmail.com>
References: <40d8a95a0902280959q7c5abfb4j8b5def5adfe4a097@mail.gmail.com>
Message-ID: <002a01c999df$97fa2680$0a00000a@nil.si>

To get the top CPU consumers, use the "show proc cpu sorted" command.
You're probably experiencing increase in "interrupt CPU usage" (packet forwarding), which is the second number in the "CPU utilization for five seconds" field in the top line.

To get continuous CPU utilization display (similar to the Unix "top" command), use this Tclsh script:

http://wiki.nil.com/Continuous_display_of_top_CPU_processes

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Deric Kwok [mailto:deric.kwok2000 at gmail.com]
> Sent: Saturday, February 28, 2009 6:59 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] how can I know which process takes over CPU
> and memory?
>
> Hi All
>
> I am trying to add access rule to prevent outside accessing
> to one host.
>
> I realize the router CPU (R700 CPU at 240MHz) graph rising
> from 70% to 80%
>
> How can I know which process used up how many CPU and memory?
>
> I use show memory but don't understand the listing
>
> Thank you for your help
>
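As an added illustration of reading the output Ivan points at (this is not his script, nor anything from Cisco): the constructed sample below follows the usual layout of "show processes cpu sorted", and the parser splits the "total%/interrupt%" pair on the top line so the process-level share and the top processes can be reported separately. The sample values and the assumed column layout are mine, not a capture from the router in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of IOS "show processes cpu sorted"
# (assumed layout; not a capture from the router in the thread).
SAMPLE = """\
CPU utilization for five seconds: 80%/72%; one minute: 78%; five minutes: 71%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  73    48812344  99887766        488  3.27%  3.10%  2.98%   0 IP Input
   5     1234567    456789       2703  1.91%  1.50%  1.41%   0 Check heaps
 123      987654    123456       8000  0.95%  0.80%  0.77%   0 SNMP ENGINE
  12       12345     67890        181  0.00%  0.00%  0.00%   0 ARP Input
"""

# Top line: total%/interrupt% over five seconds, then 1- and 5-minute averages.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
# Process rows: PID, three counters, three percentages, TTY, process name.
PROC_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+\S+\s+(.+?)\s*$")


@dataclass
class CpuSummary:
    total_5s: int
    interrupt_5s: int
    one_min: int
    five_min: int
    processes: list  # (pid, name, pct_5s), highest first

    @property
    def process_5s(self) -> int:
        """Share spent in scheduled processes rather than in interrupt (forwarding)."""
        return self.total_5s - self.interrupt_5s


def parse_show_proc_cpu(text: str) -> CpuSummary:
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'CPU utilization for five seconds' line found")
    procs = []
    for line in text.splitlines():
        pm = PROC_RE.match(line)
        if pm:
            procs.append((int(pm.group(1)), pm.group(5), float(pm.group(2))))
    procs.sort(key=lambda p: p[2], reverse=True)
    return CpuSummary(*(int(g) for g in m.groups()), procs)


def interrupt_dominated(s: CpuSummary, threshold: float = 0.5) -> bool:
    """True when most of the load is interrupt-level forwarding, i.e. the rise
    Ivan describes rather than a single runaway process."""
    return s.total_5s > 0 and s.interrupt_5s / s.total_5s > threshold
```

With the sample, 72 of the 80 percent is interrupt time and the largest process is under 4 percent, which is the pattern to expect when an ACL pushes forwarding work onto the CPU.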