From mduksa at gmail.com Sun Feb 1 00:44:33 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Sat, 31 Jan 2009 21:44:33 -0800
Subject: [c-nsp] tagged attribute in FreeRadius

Does anyone know the syntax in FreeRadius to pass a 'tagged' attribute value from the server to the client?

For example, this is how the attribute is defined in the dictionary file:

ATTRIBUTE ERX-CoS-Parameter-Type 108 string has_tag

and this is how I'm trying to return it:

:
:
ERX-CoS-Parameter-Type:1 = "basic_sch",
ERX-CoS-Parameter-Type:2 = "8m"

Is this syntax correct? Obviously it does not work in my case, which is why I ask. Usually there is no : after the attribute name, but I figured that if I have an attribute with a tag, the tag should go after the colon.
Does anyone have experience with this?

Thanks,
Marlon


From sami.joseph at gmail.com Sun Feb 1 06:43:44 2009
From: sami.joseph at gmail.com (Sami Joseph)
Date: Sun, 1 Feb 2009 13:43:44 +0200
Subject: [c-nsp] How TACACS works? IOS vs IOS XR
Message-ID: <9da37ec40902010343p6a0e3daai3eda774fd1956ee1@mail.gmail.com>

Hello everyone,

I am trying to understand how TACACS works (authorization) so I would be able to understand how this works in IOS XR too.

*IOS:*
Let me take it from scratch. In IOS, we can create a user with local privileges, so if we assign priv. 15 to a user, he'll be able to do everything. If we want more granularity, we can use the TACACS server to limit the commands a user can execute, and it works like the following: every command has an attribute-value pair, the command is sent to the AAA server and it will compare that pair to the configured policy (e.g. can do show commands only).

*In IOS XR:*
We assign task IDs locally so that a user can access L2VPN and Traffic Eng components, for example, but cannot change BGP. Then there are the root/cisco_support accounts, and they give higher privilege to the user.

So assume I want to bring an XR box into TACACS. Do I need to make sure that the AAA server understands the IOS XR AV pairs, or is it a standard format? Do I need to do anything special on IOS XR for the cisco_support user, or do I just treat it like IOS?

Thanks,
Sam


From good1 at live.com Sun Feb 1 09:41:10 2009
From: good1 at live.com (Andrew Jimmy)
Date: Sun, 1 Feb 2009 19:41:10 +0500
Subject: [c-nsp] mpls l3vpn

Why do you get * on the destination PE and one extra hop when you do a traceroute?

traceroute to 192.1.1.5 (192.1.1.5), 30 hops max, 40 byte packets
 1  1.1.0.1 (1.1.0.1)  157.301 ms  207.940 ms  157.392 ms
     MPLS Label=299840 CoS=0 TTL=1 S=0
     MPLS Label=17 CoS=0 TTL=1 S=1
 2  10.1.1.2 (10.1.1.2)  183.165 ms  123.536 ms  185.375 ms
     MPLS Label=300704 CoS=0 TTL=1 S=0
     MPLS Label=17 CoS=0 TTL=2 S=1
 3  * * *
 4  192.1.1.5 (192.1.1.5)  134.623 ms  181.346 ms  183.886 ms


From nick.jon.griffin at gmail.com Sun Feb 1 11:06:13 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Sun, 1 Feb 2009 10:06:13 -0600
Subject: [c-nsp] BGP <-> OSPF default route failover
In-Reply-To: <50f158990901311050ldaf5ccdya62adbdc19cdb5e0@mail.gmail.com>
References: <50f158990901311050ldaf5ccdya62adbdc19cdb5e0@mail.gmail.com>

As he mentioned above, I don't believe he will be receiving a default route from the service provider that he can pass in via redistribution, so an option available is to use the bgp "default-information originate route-map" command he mentioned. I've used this in combination with IP SLA probes and tracking recently to get the conditional announcement, and base it upon upstream reachability, since in my case it's rare that line protocol on the ISP circuit goes down, as there is on-site service provider switching equipment. I've used ICMP probes for this, but those tend to get dropped from time to time; I've found a TCP connect probe to port 80 on some well known web sites seems to work pretty well, at least for me.

What I did was tie a bogus static route to a particular IP address and tie an SLA TCP connect to this; this static route is then referenced by the default-information route-map, so when the TCP connect fails, BGP pulls the default route out. It looked like this:

!
!
track 2 rtr 2 reachability
 delay down 10 up 120
!
!
!
router bgp 65501
 no synchronization
 bgp router-id 10.255.255.254
 bgp log-neighbor-changes
 neighbor 10.255.255.252 remote-as 65500
 neighbor 10.255.255.252 description *** eBGP Peering to HQ Switch 1 ***
 neighbor 10.255.255.252 password 7 supersekret
 neighbor 10.255.255.252 ebgp-multihop 2
 neighbor 10.255.255.252 update-source Loopback0
 neighbor 10.255.255.252 default-originate route-map CONDITIONAL_DEFAULT_ORIGINATE
 neighbor 10.255.255.252 soft-reconfiguration inbound
 no auto-summary
!
ip route 1.1.1.1 255.255.255.255 Null0 name Used_For_BGP_Default_Originate_DO_NOT_REMOVE track 2
ip route 0.0.0.0 0.0.0.0 upstreamisp
!
!
!
ip prefix-list TRACKED_ROUTE seq 5 permit 1.1.1.1/32
!
ip sla logging traps
ip sla schedule 1 life forever start-time now
ip sla 2
 tcp-connect 209.191.93.52 80 source-ip myipaddress source-port 52142 control disable
 timeout 5000
 frequency 10
ip sla reaction-configuration 2 react timeout threshold-type consecutive 2 action-type trapOnly
ip sla schedule 2 life forever start-time now
!
!
route-map CONDITIONAL_DEFAULT_ORIGINATE permit 10
 match ip address prefix-list TRACKED_ROUTE

Keep in mind, if you have iBGP adjacencies between the two routers, and one of the routers is losing its eBGP default route and is now preferring that default route via iBGP over the internal peering AND doing redistribution into an IGP, i.e. OSPF, then you must use the BGP redistribute internal BGP process-level command. This is in specific scenarios.

HTH,
Nick Griffin

On Sat, Jan 31, 2009 at 12:50 PM, Pete S. wrote:
> I'd imagine you aren't completely redistributing your bgp tables into
> OSPF, and from your diagram I'll assume you are doing ibgp between
> your edge routers already. So build a prefix list, and route-map,
> which permits only the default route from bgp. Redistribute the bgp
> process into ospf, based on that route-map, as an E1 type. This will
> put the default into your ospf area, and traffic will flow towards the
> closest exit. If you'd rather a primary/secondary, use the ospf E2 type
> and assign a large metric to your secondary.
>
> I haven't checked the syntax, but this should probably point you in
> the right direction.
>
> !On your BGP routers
> !
> ip prefix-list bgp_default->ospf seq 5 permit 0.0.0.0/0
> ip prefix-list bgp_default->ospf seq 100 deny 0.0.0.0/0 ge 1 le 24
> !
> route-map bgp->ospf permit 10
>  match ip address prefix-list bgp_default->ospf
> !
> router ospf 100
> ! I assign an arbitrary site ID, and then prepend my AS onto it, but
> ! whatever suits you; tag is optional.
> ! Select your own metric-type and metric depending on the exit
> ! behavior you want.
>  redistribute bgp 65535 metric-type 2 metric 100 tag 6553501 route-map bgp->ospf
> !
> !
>
>
>
> --Pete
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


From amaged at cisco.com Sun Feb 1 13:29:27 2009
From: amaged at cisco.com (Ahmed Maged (amaged))
Date: Sun, 1 Feb 2009 19:29:27 +0100
Subject: [c-nsp] How TACACS works? IOS vs IOS XR
In-Reply-To: <9da37ec40902010343p6a0e3daai3eda774fd1956ee1@mail.gmail.com>
References: <9da37ec40902010343p6a0e3daai3eda774fd1956ee1@mail.gmail.com>
Message-ID: <0BB7A1080B7DBD4494E09FF171D2ACEA027F4DD5@xmb-ams-33c.emea.cisco.com>

Hi Sami,

You are right. If you have TAC+ then do this.
# Set up accounting file if enabling accounting on NAS
accounting file = /var/log/cisco.log

# configuring key between router
key = cisco

# configuring group privilege, so we don't have to configure it for each user
group = cisco {
    service = exec {
        priv_lvl = 15
        # configure as optional so IOS or other vendor router can ignore it
        optional task = "#root-system,#cisco-support"
    }
}

# Set up accounting file if enabling accounting on NAS
accounting file = /var/log/tac.log

user = amaged {
    login = cleartext "amaged"
    member = cisco
}

Regards,
Ahmed


From scott at labyrinth.org Sun Feb 1 13:31:22 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Sun, 1 Feb 2009 13:31:22 -0500
Subject: [c-nsp] theoretical and practical route-table limits
Message-ID: <5C548098-B7E6-4B3C-903E-FD75C2152293@labyrinth.org>

Hello all...

Does Cisco publish absolute theoretical route-table size limitations for their various platforms and memory configurations somewhere? I am thinking of doing something with black hole routing locally and I was wondering just *how many routes* one could have in a route-table and how many BGP entries / peers / views one could contain nowadays. Obviously there are other factors, but it would be helpful if there was a guideline or published *limitation* somewhere.

Thanks,
Scott


From ismath.shaan at gmail.com Mon Feb 2 00:53:54 2009
From: ismath.shaan at gmail.com (Basha)
Date: Mon, 2 Feb 2009 14:53:54 +0900
Subject: [c-nsp] show dsl int atm 0

Hi Guys,

I need some assistance trying to understand the output of the show dsl int atm 0 command. Specifically the 'bit errors' column.

ATM0/0/0
Alcatel 20190 chipset information
                        ATU-R (DS)              ATU-C (US)
Modem Status:           Showtime (DMTDSL_SHOWTIME)
DSL Mode:               ITU G.992.1 (G.DMT) Annex A
ITU STD NUM:            0x01                    0x1
Vendor ID:              'STMI'                  'GSPN'
Vendor Specific:        0x0000                  0x0008
Vendor Country:         0x0F                    0xFF
Capacity Used:          15%                     67%
Noise Margin:           21.0 dB                 8.0 dB
Output Power:           13.5 dBm                2.0 dBm
Attenuation:            23.0 dB                 11.5 dB
Defect Status:          None                    None
Last Fail Code:         None
Watchdog Counter:       0x2A
Watchdog Resets:        0
Selftest Result:        0x00
Subfunction:            0x00
Interrupts:             3834 (0 spurious)
PHY Access Err:         0
Activations:            1
LED Status:             OFF
LED On Time:            0
LED Off Time:           0
Init FW:                embedded
Operation FW:           embedded
FW Version:             2.542

                        Interleave      Fast    Interleave      Fast
Speed (kbps):                    0      1536             0       512
Cells:                           0   3404282             0 659208107
Reed-Solomon EC:                 0         0             0         0
CRC Errors:                      0         0             0         1
Header Errors:                   0         0             0         0
Bit Errors:                      0     48896
BER Valid sec:                   0   7725096
BER Invalid sec:                 0         0
LOM Monitoring :        Disabled

Customer is running video and is seeing lots of packet drops.

Thanks


From blahu77 at gmail.com Mon Feb 2 03:22:02 2009
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Mon, 2 Feb 2009 08:22:02 +0000 (IST)
Subject: [c-nsp] show dsl int atm 0

Basha,

2009/2/2 Basha :
> Hi Guys,
>
> I need some assistance trying to understand the output of show dsl int atm
> 0 command. Specifically the 'bit errors' column.
[...]
>                  Interleave             Fast    Interleave              Fast
> Bit Errors:               0            48896
[...]
> Customer is running video and is seeing lots of packet drops
>

Video traffic is very susceptible to bit errors due to impulse noise. Try enabling interleaving on the DSLAM, which should fix the problem.

Best Regards,

-mat
--
pgp-key 0x1C655CAB
From zivl at gilat.net Mon Feb 2 03:39:05 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Mon, 2 Feb 2009 10:39:05 +0200
Subject: [c-nsp] show dsl int atm 0

In my opinion, and based on my short experience with ADSL on Cisco routers, the only values that are relevant for me are:

Noise Margin: which represents, as the name says, how far your signal is from the noise; the higher the better, and the lowest recommended value would be around 20%.

Attenuation: the lower the better, anything below 10-15 dB; the higher this value is, the more likely there are problems in the hard line, or perhaps you're too far from the DSLAM.

These values are of course correlated to the others (Capacity, Output power); everything is a function of line quality, physically speaking. The errors may be related to poor quality.
Some workarounds can be setting the DSL mode to some specific mode instead of automatic, but you should know which is best; you may talk with your provider and ask about this. When too far from the DSLAM or the line quality is poor, lowering the speed of the link may help improve those values too.
As I said, this is only "field" knowledge, not based on any "scientific" facts, just mere experience. Feel free to correct me if I'm wrong about something; I'd be glad to learn some more about this.

Hope this helps
Ziv


From zivl at gilat.net Mon Feb 2 03:42:40 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Mon, 2 Feb 2009 10:42:40 +0200
Subject: [c-nsp] show dsl int atm 0

I second that. You're right, Basha. I forgot to mention it in my previous answer.
Setting interleave in the DSLAM will do automatically what I proposed before, lowering the speed of the link in order to improve line quality.

Ziv
From tim at pelican.org Mon Feb 2 04:56:58 2009
From: tim at pelican.org (Tim Franklin)
Date: Mon, 02 Feb 2009 09:56:58 +0000
Subject: [c-nsp] show dsl int atm 0
Message-ID: <4986C36A.1090406@pelican.org>

Ziv Leyes wrote:
> Setting interleave in the DSLAM will do automatically what I proposed
> before, lowering the speed of the link in order to improve line
> quality.

Be careful with what you mean by "speed" in this instance. Interleaving typically increases latency, rather than reducing bandwidth.

Regards,
Tim.


From ian.mackinnon at lumison.net Mon Feb 2 05:21:11 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Mon, 02 Feb 2009 10:21:11 +0000
Subject: [c-nsp] Policers on 6500 Sup-32
Message-ID: <4986C917.30505@lumison.net>

Hi All,

I am having an issue with policers on a 6500 not actually doing any policing. Running 12.2(33)SXH.

I have config like:

interface Vlan666
 ip address 10.10.10.1 255.255.255.252
 no ip redirects
 logging ip access-list cache out
 service-policy input 2MegPolice
 service-policy output 2MegPolice

policy-map 2MegPolice
 class class-default
  police 2097000 13000 conform-action transmit exceed-action transmit violate-action drop

So I want to allow a burst and then drop the violate.

A show policy-map interface does not show any exceed or violates.

In mrtg I can see that more than 2Meg is being passed, even as much as 40M, and I can see the traffic in the destination graphs as well.

Anybody got this working, or seen issues like this?

Thanks
Ian


From zivl at gilat.net Mon Feb 2 05:31:26 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Mon, 2 Feb 2009 12:31:26 +0200
Subject: [c-nsp] show dsl int atm 0
In-Reply-To: <4986C36A.1090406@pelican.org>
References: <4986C36A.1090406@pelican.org>

You're right, I didn't express myself right, so here's a clarification:
In any case of setting interleave mode because of a poor line, you should know that it will decrease performance in many aspects.


From skoal at skoal.name Mon Feb 2 05:50:48 2009
From: skoal at skoal.name (Gergely Antal)
Date: Mon, 02 Feb 2009 11:50:48 +0100
Subject: [c-nsp] Policers on 6500 Sup-32
In-Reply-To: <4986C917.30505@lumison.net>
References: <4986C917.30505@lumison.net>
Message-ID: <4986D008.1000303@skoal.name>

did you set qos to vlan based?

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1726124

Ian MacKinnon wrote:
> Hi All,
>
> I am having an issue with policers on a 6500 not actually doing any
> policing. Running 12.2(33)SXH
[...]
From ian.mackinnon at lumison.net Mon Feb 2 05:51:40 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Mon, 02 Feb 2009 10:51:40 +0000
Subject: [c-nsp] Policers on 6500 Sup-32
In-Reply-To: <4986D008.1000303@skoal.name>
References: <4986C917.30505@lumison.net> <4986D008.1000303@skoal.name>
Message-ID: <4986D03C.5030908@lumison.net>

Hi Gergely,

Yes, I have set this. I did not before (several weeks ago), and was not seeing any traffic in the policy-map. I changed it and can now see traffic in the map:

nbg01-agg-switch-01#sh policy-map interface vlan 666
 Vlan666

  Service-policy input: 2MegPolice

    class-map: class-default (match-any)
      Match: any
      police :
        2096000 bps 13000 limit 13000 extended limit
      Earl in slot 5 :
        82564118403 bytes
        5 minute offered rate 102792 bps
        aggregate-forwarded 82564118403 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 9008 bps exceed 0 bps

  Service-policy output: 2MegPolice

    class-map: class-default (match-any)
      Match: any
      police :
        2096000 bps 13000 limit 13000 extended limit
      Earl in slot 5 :
        7733193350 bytes
        5 minute offered rate 11896 bps
        aggregate-forwarded 7733193350 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 4568 bps exceed 0 bps

On 02/02/2009 10:50, Gergely Antal wrote:
> did you set qos to vlan based?
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1726124
[...]

--
Ian MacKinnon
Lumison
t: 0845 1199 900
d: 0131 514 4055


From ian.mackinnon at lumison.net Mon Feb 2 06:08:10 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Mon, 02 Feb 2009 11:08:10 +0000
Subject: [c-nsp] Policers on 6500 Sup-32
In-Reply-To: <20090202110456.GJ3262@wildfire.net.ic.ac.uk>
References: <4986C917.30505@lumison.net> <20090202110456.GJ3262@wildfire.net.ic.ac.uk>
Message-ID: <4986D41A.9040501@lumison.net>

On 02/02/2009 11:04, Phil Mayers wrote:
> On Mon, Feb 02, 2009 at 10:21:11AM +0000, Ian MacKinnon wrote:
>> Hi All,
>>
>> I am having an issue with policers on a 6500 not actually doing any
>> policing. Running 12.2(33)SXH
>
> Silly question, but you do have the global "mls qos" set? :-)

yup

switch#sh mls qos
  QoS is enabled globally

Ian


From p.mayers at imperial.ac.uk Mon Feb 2 06:13:22 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 2 Feb 2009 11:13:22 +0000
Subject: [c-nsp] Netconf (over SSHv2) in SXI
Message-ID: <20090202111322.GK3262@wildfire.net.ic.ac.uk>

All,

Does anyone have working examples talking to the netconf implementation in 12.2(33)SXI? Or pointers to libraries / code that works?

I've tried the examples from the cisco website:

www.tinyurl.com/aeof6v

...but I just get back all kinds of invalid XML messages and so forth. I can do a "show run" with an empty i.e. no filter, but if I try to issue CLI commands using the:

...

arp

...I get error messages about the cpi: namespace and "debug cns xml" on the box tells me the XML stanzas in that namespace have no handler.

It seems like netconf would be really useful for automating IOS; has anyone made it work?


From p.mayers at imperial.ac.uk Mon Feb 2 06:04:56 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 2 Feb 2009 11:04:56 +0000
Subject: [c-nsp] Policers on 6500 Sup-32
In-Reply-To: <4986C917.30505@lumison.net>
References: <4986C917.30505@lumison.net>
Message-ID: <20090202110456.GJ3262@wildfire.net.ic.ac.uk>

On Mon, Feb 02, 2009 at 10:21:11AM +0000, Ian MacKinnon wrote:
>Hi All,
>
>I am having an issue with policers on a 6500 not actually doing any
>policing. Running 12.2(33)SXH

Silly question, but you do have the global "mls qos" set?
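The policer thread above turns on whether the counters in "sh policy-map interface" agree with what mrtg shows. Here is an added example, not code from the thread or from Cisco, that parses the output Ian posted earlier in this thread and classifies each direction: a policer whose 5-minute offered rate is above its programmed rate while the exceeded counter stays at zero is flagged as not enforcing, and a policer whose offered rate is below its rate is reported as inconclusive, since there was nothing to exceed. The sample text is a re-flowed copy of Ian's output; the labels returned by assess(), the burst_ms() helper and the 40 Mbps variant used in the usage note are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List

# Re-flowed copy of the "sh policy-map interface vlan 666" output Ian posted in
# this thread; the counters are his, only the whitespace is constructed.
SAMPLE = """\
nbg01-agg-switch-01#sh policy-map interface vlan 666
 Vlan666

  Service-policy input: 2MegPolice

    class-map: class-default (match-any)
      Match: any
      police :
        2096000 bps 13000 limit 13000 extended limit
      Earl in slot 5 :
        82564118403 bytes
        5 minute offered rate 102792 bps
        aggregate-forwarded 82564118403 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 9008 bps exceed 0 bps

  Service-policy output: 2MegPolice

    class-map: class-default (match-any)
      Match: any
      police :
        2096000 bps 13000 limit 13000 extended limit
      Earl in slot 5 :
        7733193350 bytes
        5 minute offered rate 11896 bps
        aggregate-forwarded 7733193350 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 4568 bps exceed 0 bps
"""


@dataclass
class PolicerStats:
    direction: str        # "input" or "output"
    policy: str           # policy-map name
    rate_bps: int         # rate the hardware programmed
    burst_bytes: int      # normal burst ("limit")
    ext_burst_bytes: int  # extended burst ("extended limit")
    offered_bps: int      # 5 minute offered rate
    exceeded_bytes: int   # bytes counted against the exceed action


_DIR_RE = re.compile(r"Service-policy (input|output): (\S+)")
_POLICE_RE = re.compile(r"(\d+) bps (\d+) limit (\d+) extended limit")
_OFFERED_RE = re.compile(r"5 minute offered rate (\d+) bps")
_EXCEEDED_RE = re.compile(r"exceeded (\d+) bytes")


def parse_policy_map(text: str) -> List[PolicerStats]:
    """Return one PolicerStats per Service-policy section in the output."""
    # Splitting on a pattern with groups keeps the direction and policy name
    # in the result: [preamble, dir, policy, body, dir, policy, body, ...]
    parts = _DIR_RE.split(text)
    stats = []
    for i in range(1, len(parts) - 2, 3):
        direction, policy, body = parts[i], parts[i + 1], parts[i + 2]
        pol = _POLICE_RE.search(body)
        off = _OFFERED_RE.search(body)
        exc = _EXCEEDED_RE.search(body)
        if not (pol and off and exc):
            continue  # section without a police statement
        stats.append(PolicerStats(direction, policy, int(pol.group(1)),
                                  int(pol.group(2)), int(pol.group(3)),
                                  int(off.group(1)), int(exc.group(1))))
    return stats


def burst_ms(s: PolicerStats) -> float:
    """Normal burst expressed as milliseconds of traffic at the policer rate."""
    return s.burst_bytes * 8 / s.rate_bps * 1000


def assess(s: PolicerStats) -> str:
    """Classify what the counters can tell you (labels are this example's own)."""
    if s.offered_bps <= s.rate_bps:
        return "below-rate"      # nothing to exceed, so zero exceed proves nothing
    if s.exceeded_bytes == 0:
        return "not-enforcing"   # offered rate above the police rate, yet nothing counted
    return "enforcing"


if __name__ == "__main__":
    for s in parse_policy_map(SAMPLE):
        print(f"{s.direction:6} rate={s.rate_bps} offered={s.offered_bps} "
              f"burst={burst_ms(s):.1f} ms exceeded={s.exceeded_bytes} -> {assess(s)}")
```

On Ian's own output both directions come back as "below-rate": the 5-minute offered rate is about 100 kbps against a 2 Mbps policer, so the zero exceeded counter says nothing either way, and the 13000-byte burst works out to roughly 50 ms at that rate. Substituting a constructed offered rate of 40 Mbps (the figure mrtg reported) into the same text makes assess() return "not-enforcing", which is the condition worth alarming on when a rate limit is part of your control set.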
From ltd at cisco.com Mon Feb 2 07:11:23 2009 From: ltd at cisco.com (Lincoln Dale) Date: Mon, 02 Feb 2009 23:11:23 +1100 Subject: [c-nsp] Netconf (over SSHv2) in SXI In-Reply-To: <20090202111322.GK3262@wildfire.net.ic.ac.uk> References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> Message-ID: <4986E2EB.3070504@cisco.com> Phil Mayers wrote: > Does anyone have working examples talking to the netconf > implementation in 12.2(33)SXI? Or pointers to libraries / code that > works? > [..] > > > > ... > > arp > > > ...I get error messages about the cpi: namespace and "debug cns xml" > on the box tells me the XML stanzas in that namespace have no handler. i have worked extensively with Netconf/XML on NX-OS on Nexus 7000. whatever you're requesting needs to match the schema. based on my experience, i think you'll most likely need to modify what you have to: that is purely a guess - but checking the XML schema definition (XSD) that should also be posted on cisco.com will let you verify. > > It seems like netconf would be really useful for automating IOS; has > anyone made it work? yes, on N7K at least. :) cheers, lincoln. From chloekcy2000 at yahoo.ca Mon Feb 2 09:19:43 2009 From: chloekcy2000 at yahoo.ca (chloe K) Date: Mon, 2 Feb 2009 09:19:43 -0500 (EST) Subject: [c-nsp] set clock Message-ID: <753705.89309.qm@web57412.mail.re1.yahoo.com> Hi I use show clock and get router / swtich time 14:15:22.574 UTC Mon Feb 2 2009 But the correct time is 9:14 am Mon Feb 2, 2009 How can I change it? How can I use the ntp to get the time? Thank you --------------------------------- Yahoo! Canada Toolbar : Search from anywhere on the web and bookmark your favourite sites. Download it now! 
From george.horton at rm.com Mon Feb 2 09:32:57 2009
From: george.horton at rm.com (George Horton)
Date: Mon, 2 Feb 2009 14:32:57 -0000
Subject: [c-nsp] set clock
In-Reply-To: <753705.89309.qm@web57412.mail.re1.yahoo.com>
References: <753705.89309.qm@web57412.mail.re1.yahoo.com>
Message-ID:

Hello

To set the clock use the command 'clock set hh:mm:ss' from enable mode.
NTP can be configured in global configuration mode using the command
'ntp server hostname'. The hostname can be an IP or a hostname, just
make sure that you use an NTP server the router/switch can reach.

Cheers
George

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
Sent: 02 February 2009 14:20
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] set clock

Hi

I use show clock and get router / switch time
14:15:22.574 UTC Mon Feb 2 2009

But the correct time is 9:14 am Mon Feb 2, 2009

How can I change it?

How can I use the ntp to get the time?

Thank you

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
From chris at lavin-llc.com Mon Feb 2 09:45:48 2009
From: chris at lavin-llc.com (chris at lavin-llc.com)
Date: Mon, 02 Feb 2009 09:45:48 -0500
Subject: [c-nsp] set clock
Message-ID: <46114.1233585948@lavin-llc.com>

>Hello
>
>To set the clock use the command 'clock set hh:mm:ss' from enable mode.
>NTP can be configured in global configuration mode using the command
>'ntp server hostname'. The hostname can be an IP or a hostname, just
>make sure that you use an NTP server the router/switch can reach.
>
>Cheers
>George

And regarding the time of 14:15 UTC v it being 09:15 locally; that has to
do with the global timezone setting. UTC is referring to Greenwich Mean
Time, sometimes also referred to as Zulu time. To change your device to
reflect the local time use the command "clock timezone EDT -5". But
depending on where you live, you may have to account for Daylight Savings
Time. You could use the command "clock summer-time 'timezone'". Most of us
tend to like using the GMT (UTC) timezone because it's a global reference
that never changes.
Therefore you don't have to worry about accounting for the dates that your
local timezone "springs forward" or "falls back".

HTH,
-chris

From chloekcy2000 at yahoo.ca Mon Feb 2 10:53:52 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Mon, 2 Feb 2009 10:53:52 -0500 (EST)
Subject: [c-nsp] need help about switch boot up question
Message-ID: <436422.65354.qm@web57407.mail.re1.yahoo.com>

Hi

I boot up the 4947 switch and see this address

1/ What is this address for? How can I change it?

MAC Address : 00-35-24-05-fb-6f
IP Address : 192.168.0.5
Netmask : 255.255.255.0
Gateway : 10.1.1.1
TftpServer : 10.1.1.1
Main Memory : 256 MBytes

In the default running config, there is

interface FastEthernet1
 no ip address
 speed auto
 duplex auto

2/ my switch is 48 ports Gig. Ethernet.
Where is this physically "interface FastEthernet1"

Thank you for your help

From willay at gmail.com Mon Feb 2 10:57:05 2009
From: willay at gmail.com (William)
Date: Mon, 2 Feb 2009 15:57:05 +0000
Subject: [c-nsp] VPN PIX 6.x Translation issue
Message-ID:

Hi folks!

I currently have a PIX firewall running 6 code, the firewall has 3
interfaces, inside, outside and inside2.
At the moment I can VPN and communicate to all the hosts on the inside,
what I'd like to do is also be able to communicate with the hosts on
inside2, the security levels are:

outside: 0
inside: 100
inside2: 90

When I try to speak to inside2 hosts, I get the following error:

%PIX-3-305005: No translation group found for icmp src outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0)

I'm very confused as to where I should be putting global/nat
statements... so far my setup consists of:

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.10.200.0 255.255.255.0 0 0
nat (inside2) 0 access-list office_outbound_nat0_acl
nat (inside2) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface

This lets both inside and inside2 hosts contact the internet via int
outside, and no nat stuff that needs to traverse VPN tunnels...

If anyone can assist/educate me on getting this working I would
appreciate it very much!

Cheers,
W

From A.L.M.Buxey at lboro.ac.uk Mon Feb 2 11:13:09 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 2 Feb 2009 16:13:09 +0000
Subject: [c-nsp] need help about switch boot up question
In-Reply-To: <436422.65354.qm@web57407.mail.re1.yahoo.com>
References: <436422.65354.qm@web57407.mail.re1.yahoo.com>
Message-ID: <20090202161309.GA27986@lboro.ac.uk>

Hi,

> In the default running config, there is
>
> interface FastEthernet1
> no ip address
> speed auto
> duplex auto
>
> 2/ my switch is 48 ports Gig. Ethernet.
> Where is this physically "interface FastEthernet1"

sounds suspiciously like a management interface, usually found lurking
around the back near the console port

alan

From jason at pins.net Mon Feb 2 11:10:05 2009
From: jason at pins.net (Jason Berenson)
Date: Mon, 02 Feb 2009 11:10:05 -0500
Subject: [c-nsp] Channelized OC3 for 7206VXR
Message-ID: <49871ADD.4060905@pins.net>

Greetings,

We currently have a Turin DACS with DS3's in from the carrier and DS3's
out to Cisco 7206VXR's.
We would like to swap out the DS3 cards on the routers to channelized
OC3 cards. Can anyone tell me the part number in a PA for the 7206 that
can channelize an OC3 down to DS1?

I found this PA-POS-OC3SML, but it's not clear if it channelizes down to
the DS3 or DS1.

Thanks,
Jason

From p.mayers at imperial.ac.uk Mon Feb 2 11:17:05 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 2 Feb 2009 16:17:05 +0000
Subject: [c-nsp] Netconf (over SSHv2) in SXI
In-Reply-To: <4986E2EB.3070504@cisco.com>
References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com>
Message-ID: <20090202161705.GB4869@wildfire.net.ic.ac.uk>

On Mon, Feb 02, 2009 at 12:11:23PM +0000, Lincoln Dale wrote:
>Phil Mayers wrote:
>> Does anyone have working examples talking to the netconf
>> implementation in 12.2(33)SXI? Or pointers to libraries / code that
>> works?
>> [..]
>>
>> ...
>>
>> arp
>>
>> ...I get error messages about the cpi: namespace and "debug cns xml"
>> on the box tells me the XML stanzas in that namespace have no handler.
>i have worked extensively with Netconf/XML on NX-OS on Nexus 7000.
>
>whatever you're requesting needs to match the schema. based on my
>experience, i think you'll most likely need to modify what you have to:
>

That directly contradicts Cisco's examples. Can you share the xml for
any non-trivial thing you have working? I have literally tried every
combo of xml and namespacing I can imagine.

This for example fails:

hostname test
interface fastEthernet0/1
ip address 192.168.1.1 255.255.255.0

The netconf session reports:

rpc unknown-element error cli-config-data

...whilst "debug cns xml" says:

CNS XML Parser: ERROR - no handler for tag

*All* the cisco examples I have found fail the same way - elements from
their namespace:

http://www.cisco.com/cpi_10/schema

...are just not recognized.

>
>that is purely a guess - but checking the XML schema definition (XSD)
>that should also be posted on cisco.com will let you verify.
The only XSD I can find is inside the docs I referenced in my tinyurl
link, and it's minimal at best - it certainly does not document that.

>>
>> It seems like netconf would be really useful for automating IOS; has
>> anyone made it work?
>yes, on N7K at least. :)

It seems it doesn't do anything useful on 12.2(33)SXI :o(

From daldworth at teliax.com Mon Feb 2 11:22:23 2009
From: daldworth at teliax.com (David Aldworth)
Date: Mon, 2 Feb 2009 09:22:23 -0700
Subject: [c-nsp] Channelized OC3 for 7206VXR
In-Reply-To: <49871ADD.4060905@pins.net>
References: <49871ADD.4060905@pins.net>
Message-ID: <5D649A61-6E6F-4D64-822D-C9A1A8491753@teliax.com>

I went down this road a few months ago. A CHOC3 card does not seem to be
available for the 7206 VXR. We wound up putting an Adtran OPTI-3 in front
of the VXR to mux down the OC3 to DS3's. PA-MC-T3 or 2T3 works a charm in
the VXR.

David

On Feb 2, 2009, at 9:10 AM, Jason Berenson wrote:

> Greetings,
>
> We currently have a Turin DACS with DS3's in from the carrier and
> DS3's out to Cisco 7206VXR's. We would like to swap out the DS3
> cards on the routers to channelized OC3 cards. Can anyone tell me
> the part number in a PA for the 7206 that can channelize an OC3 down
> to DS1?
>
> I found this PA-POS-OC3SML, but it's not clear if it channelizes
> down to the DS3 or DS1.
>
> Thanks,
> Jason

From streiner at cluebyfour.org Mon Feb 2 11:29:42 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 2 Feb 2009 11:29:42 -0500 (EST)
Subject: [c-nsp] Channelized OC3 for 7206VXR
In-Reply-To: <49871ADD.4060905@pins.net>
References: <49871ADD.4060905@pins.net>
Message-ID:

On Mon, 2 Feb 2009, Jason Berenson wrote:

> We currently have a Turin DACS with DS3's in from the carrier and DS3's out
> to Cisco 7206VXR's.
> We would like to swap out the DS3 cards on the routers
> to channelized OC3 cards. Can anyone tell me the part number in a PA for the
> 7206 that can channelize an OC3 down to DS1?
>
> I found this PA-POS-OC3SML, but it's not clear if it channelizes down to the
> DS3 or DS1.

That particular card does not support channelized operation. It's also
end-of-life. I'm not aware of a channelized OC3 port adapter for the 7200
series.

jms

From jaldrich at blueridgecarpet.com Mon Feb 2 11:32:13 2009
From: jaldrich at blueridgecarpet.com (John Aldrich)
Date: Mon, 2 Feb 2009 11:32:13 -0500
Subject: [c-nsp] ASA O/S version 8
Message-ID: <003101c98553$cdcffeb0$696ffc10$@com>

Hi, we just installed a new ASA, and the folks who sold it to us and
configured it for us (I don't know the first thing about configuring it!)
said they had upgraded it to version 7.4 or something like that, but that
there was a new O/S version 8 available. I'm wondering if this is something
we ought to look at upgrading to ASAP or if it's something we ought to wait
and let someone else get the bugs worked out of first? :-)

Thanks,
John Aldrich
IT Manager, Blueridge Carpet
706-276-2001, Ext. 2233

From streiner at cluebyfour.org Mon Feb 2 11:47:42 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 2 Feb 2009 11:47:42 -0500 (EST)
Subject: [c-nsp] ASA O/S version 8
In-Reply-To: <003101c98553$cdcffeb0$696ffc10$@com>
References: <003101c98553$cdcffeb0$696ffc10$@com>
Message-ID:

On Mon, 2 Feb 2009, John Aldrich wrote:

> Hi, we just installed a new ASA, and the folks who sold it to us and
> configured it for us (I don't know the first thing about configuring it!)
> said they had upgraded it to version 7.4 or something like that, but
> that there was a new O/S version 8 available. I'm wondering if this is
> something we ought to look at upgrading to ASAP or if it's something we
> ought to wait and let someone else get the bugs worked out of first?
> :-)

Version 8.x for the ASA has been around for awhile and I have a few ASAs
running 8.0(4)ED without too many issues, but they're pretty basic setups
(access control, layer 2 firewall, multiple contexts, no VPNs).

As far as upgrading the code goes, the main reasons to upgrade would be:

1. To resolve a published security vulnerability in the code you're running
now. Cisco publishes bulletins at http://www.cisco.com/go/psirt/ and the
bulletins are available to the public. Note that while the bulletins are
available, you might need a CCO login and a valid support contract to
download new code and ASDM packages.
2. To resolve a bug that isn't security related.
3. To get access to a feature you need, if that feature isn't available in
the code you're running.

Also note that when the code is upgraded on a PIX or ASA, the ASDM (device
manager) usually needs to be upgraded to match.

jms

From nick.jon.griffin at gmail.com Mon Feb 2 12:09:15 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Mon, 2 Feb 2009 11:09:15 -0600
Subject: [c-nsp] ASA O/S version 8
In-Reply-To:
References: <003101c98553$cdcffeb0$696ffc10$@com>
Message-ID:

Done a couple 8.0.4(16), be aware of sql bug, CSCsu44598 in 8.0.4.

On Mon, Feb 2, 2009 at 10:47 AM, Justin M. Streiner wrote:
> On Mon, 2 Feb 2009, John Aldrich wrote:
> [..]
>
> Version 8.x for the ASA has been around for awhile and I have a few ASAs
> running 8.0(4)ED without too many issues, but they're pretty basic setups
> (access control, layer 2 firewall, multiple contexts, no VPNs).
> [..]

From chris at chrisserafin.com Mon Feb 2 12:28:08 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Mon, 02 Feb 2009 11:28:08 -0600
Subject: [c-nsp] OSPF not propagating - But for only one route...?
Message-ID: <49872D28.2090503@chrisserafin.com>

I have 2 L3 devices (2811/3750) which are running OSPF and redistributing
statics/connected networks.

For some reason 1 static route will not redistribute from the switch to the
router and vice versa, although OTHER static routes propagate just fine,
even after clearing the OSPF processes on each device.

2811:

interface Multilink1
 ip address 1.2.144.106 255.255.255.252
 ip accounting output-packets
 ip nbar protocol-discovery
 ip route-cache flow
 load-interval 30
 no peer neighbor-route
 ppp chap hostname xxxxxxxxx
 ppp multilink
 ppp multilink fragment disable
 ppp multilink links minimum 1
 ppp multilink group 1
 max-reserved-bandwidth 90
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.95.11.5 255.255.255.0
 ip accounting output-packets
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute bgp 65132 metric 1 subnets
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65132
 no synchronization
 bgp log-neighbor-changes
 network 0.0.0.0
 redistribute connected
 redistribute static
 redistribute ospf 1 metric 0 match internal external 1 external 2 route-map ospf-bgp
 neighbor 159.24.144.105 remote-as 65000
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.95.11.9
ip route 10.95.18.0 255.255.255.0 10.95.11.9 ! this is the problem route
!
!
route-map ospf-bgp deny 10
 match tag 65000
!
route-map ospf-bgp permit 20
!
!
!
!

3750:

interface Vlan1
 no ip address
!
interface Vlan9
 ip address 10.95.9.9 255.255.255.0
!
interface Vlan10
 ip address 10.95.10.9 255.255.255.0
!
interface Vlan11
 description [ VLAN to MPLS Sites ]
 ip address 10.95.11.9 255.255.255.0
!
interface Vlan12
 description [ Server VLAN ]
 ip address 10.95.12.9 255.255.255.0
!
interface Vlan13
 ip address 10.95.13.9 255.255.255.0
!
interface Vlan14
 description [ DMZ VLAN ]
 ip address 10.95.14.9 255.255.255.0
 ip helper-address 10.95.12.12
!
interface Vlan16
 ip address 10.95.16.9 255.255.255.0
!
interface Vlan30
 description [ VMWare iSCSI VLAN ]
 ip address 172.27.30.9 255.255.255.0
!
interface Vlan40
 description [ VMWare Development VLAN ]
 ip address 10.95.19.9 255.255.255.0
!
interface Vlan100
 description [ External VLAN ]
 ip address 1.2.27.35 255.255.255.128
!
interface Vlan101
 ip address 172.27.101.9 255.255.255.0
!
interface Vlan102
 ip address 172.27.102.9 255.255.255.0
!
interface Vlan103
 ip address 172.27.103.9 255.255.255.0
!
interface Vlan200
 ip address 172.27.200.9 255.255.255.0
!
router ospf 1
 router-id 10.95.11.9
 log-adjacency-changes
 redistribute connected
 redistribute static
 network 10.0.0.0 0.255.255.255 area 0
!
ip default-gateway 10.95.12.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.95.12.1
ip route 10.95.18.0 255.255.255.0 10.95.11.1 ! this is the problem route
ip route 172.16.0.0 255.255.0.0 10.95.11.1

From gert at greenie.muc.de Mon Feb 2 12:46:53 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 2 Feb 2009 18:46:53 +0100
Subject: [c-nsp] Channelized OC3 for 7206VXR
In-Reply-To:
References: <49871ADD.4060905@pins.net>
Message-ID: <20090202174653.GR290@greenie.muc.de>

Hi,

On Mon, Feb 02, 2009 at 11:29:42AM -0500, Justin M. Streiner wrote:
> That particular card does not support channelized operation. It's also
> end-of-life. I'm not aware of a channelized OC3 port adapter for the 7200
> series.

For whatever reason, there is a channelized STM-1 which goes down to E1,
but no channelized OC3 indeed.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk Mon Feb 2 12:46:41 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 02 Feb 2009 18:46:41 +0100
Subject: [c-nsp] VPN PIX 6.x Translation issue
In-Reply-To:
References:
Message-ID: <1233596801.3421.3.camel@localhost.localdomain>

On Mon, 2009-02-02 at 15:57 +0000, William wrote:
...
> outside: 0
> inside: 100
> inside2: 90
>
> When I try to speak to inside2 hosts, I get the following error:
>
> %PIX-3-305005: No translation group found for icmp src
> outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0)
>
> I'm very confused as to where I should be putting global/nat
> statements...
> so far my setup consists of:
>
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 10.10.200.0 255.255.255.0 0 0
> nat (inside2) 0 access-list office_outbound_nat0_acl
> nat (inside2) 1 192.168.0.0 255.255.255.0 0 0
> global (outside) 1 interface

You probably want a NAT-0 for traffic from inside2 to your VPN, i.e.
assuming your VPN users are 10.10.199.0/24:

access-list office_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.199.0 255.255.255.0

What does the inside_outbound_nat0_acl ACL look like when it works there?

Regards,
Peter

From wp at null0.nl Mon Feb 2 13:20:07 2009
From: wp at null0.nl (Wouter Prins)
Date: Mon, 2 Feb 2009 19:20:07 +0100
Subject: [c-nsp] OSPF not propagating - But for only one route...?
In-Reply-To: <49872D28.2090503@chrisserafin.com>
References: <49872D28.2090503@chrisserafin.com>
Message-ID:

Try redistribute static subnets?

2009/2/2 ChrisSerafin

> I have 2 L3 devices (2811/3750) which are running OSPF and redistributing
> statics/connected networks.
>
> For some reason 1 static route will not redistribute from the switch to the
> router and vice versa, although OTHER static routes propagate just fine,
> even after clearing the OSPF processes on each device.
> [..]

From oboehmer at cisco.com Mon Feb 2 13:23:23 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 2 Feb 2009 19:23:23 +0100
Subject: [c-nsp] OSPF not propagating - But for only one route...?
In-Reply-To: <49872D28.2090503@chrisserafin.com>
References: <49872D28.2090503@chrisserafin.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406CBA61B@xmb-ams-333.emea.cisco.com>

ChrisSerafin <> wrote on Monday, February 02, 2009 18:28:

> I have 2 L3 devices (2811/3750) which are running OSPF and
> redistributing statics/connected networks.
>
> For some reason 1 static route will not redistribute from the switch
> to the router and vice versa,
>
> although OTHER static routes propagate just fine, even after clearing
> the OSPF processes on each

> router ospf 1
> router-id 10.95.11.9
> log-adjacency-changes
> redistribute connected
> redistribute static
> network 10.0.0.0 0.255.255.255 area 0
> !
> ip default-gateway 10.95.12.1
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.95.12.1
> ip route 10.95.18.0 255.255.255.0 10.95.11.1 ! this is the problem route
> ip route 172.16.0.0 255.255.0.0 10.95.11.1

as others might have noticed as well: you're missing the "subnets"
keyword in the "redistribute static".. On the other router, I don't see a
"redistribute static subnets" in OSPF..

General note: I would add the outgoing interface to the static route, i.e.
"ip route 10.95.18.0 255.255.255.0 Vlan11 10.95.11.1"

oli

From chloekcy2000 at yahoo.ca Mon Feb 2 13:56:27 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Mon, 2 Feb 2009 13:56:27 -0500 (EST)
Subject: [c-nsp] need help about switch boot up question
In-Reply-To: <20090202161309.GA27986@lboro.ac.uk>
Message-ID: <815803.9371.qm@web57405.mail.re1.yahoo.com>

Thank you

How about this address when booting up

IP Address : 192.168.0.5
Netmask : 255.255.255.0
Gateway : 10.1.1.1
TftpServer : 10.1.1.1
Main Memory : 256 MBytes

What is this address for?

Thank you again

A.L.M.Buxey at lboro.ac.uk wrote:
Hi,

> In the default running config, there is
>
> interface FastEthernet1
> no ip address
> speed auto
> duplex auto
>
> 2/ my switch is 48 ports Gig. Ethernet.
> Where is this physically "interface FastEthernet1"

sounds suspiciously like a management interface, usually found lurking
around the back near the console port

alan

From sigurbjornl at vodafone.is Mon Feb 2 13:17:04 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Mon, 02 Feb 2009 18:17:04 +0000
Subject: [c-nsp] OSPF not propagating - But for only one route...?
In-Reply-To: <49872D28.2090503@chrisserafin.com>
Message-ID:

You need to redistribute static subnets for this to work...

BR,
Sibbi

On 2.2.2009 17:28, "ChrisSerafin" wrote:

> I have 2 L3 devices (2811/3750) which are running OSPF and
> redistributing statics/connected networks.
>
> For some reason 1 static route will not redistribute from the switch to
> the router and vice versa,
>
> although OTHER static routes propagate just fine, even after clearing
> the OSPF processes on each
>
> device.
> [..]

From tony at lava.net Mon Feb 2 13:57:44 2009
From: tony at lava.net (Antonio Querubin)
Date: Mon, 2 Feb 2009 08:57:44 -1000 (HST)
Subject: [c-nsp] OSPF not propagating - But for only one route...?
In-Reply-To: <49872D28.2090503@chrisserafin.com>
References: <49872D28.2090503@chrisserafin.com>
Message-ID:

On Mon, 2 Feb 2009, ChrisSerafin wrote:

> I have 2 L3 devices (2811/3750) which are running OSPF and redistributing
> statics/connected networks.
>
> For some reason 1 static route will not redistribute from the switch to the
> router and vice versa,

> redistribute connected
> redistribute static

> ip route 10.95.18.0 255.255.255.0 10.95.11.9 ! this is the problem route

Have you tried 'redistribute static subnets'?

--
Antonio Querubin
whois: AQ7-ARIN

From chris at chrisserafin.com Mon Feb 2 14:09:48 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Mon, 02 Feb 2009 13:09:48 -0600
Subject: [c-nsp] OSPF not propagating - But for only one route...?
In-Reply-To:
References: <49872D28.2090503@chrisserafin.com>
Message-ID: <498744FC.90406@chrisserafin.com>

How does 'redistribute static' differ from 'redistribute static subnets'?

Thanks

Antonio Querubin wrote:
> On Mon, 2 Feb 2009, ChrisSerafin wrote:
>
>> I have 2 L3 devices (2811/3750) which are running OSPF and
>> redistributing statics/connected networks.
>>
>> For some reason 1 static route will not redistribute from the switch
>> to the router and vice versa,
>
>> redistribute connected
>> redistribute static
>
>> ip route 10.95.18.0 255.255.255.0 10.95.11.9 ! this is the problem route
>
> Have you tried 'redistribute static subnets'?

From masood at nexlinx.net.pk Mon Feb 2 14:18:56 2009
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Tue, 3 Feb 2009 00:18:56 +0500
Subject: [c-nsp] OSPF not propagating - But for only one route...?
In-Reply-To: <498744FC.90406@chrisserafin.com>
References: <49872D28.2090503@chrisserafin.com> <498744FC.90406@chrisserafin.com>
Message-ID: <012701c9856b$1bab3610$5301a230$@net.pk>

To redistribute static routes to subnets of classful networks you use "redistribute static subnets" under the ospf router configuration.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

>> redistributing statics/connected networks.
>>
>> For some reason 1 static route will not redistribute from the switch
>> to the router and vice versa,
>
>> redistribute connected
>> redistribute static
>
>> ip route 10.95.18.0 255.255.255.0 10.95.11.9 ! this is the problem route
>
> Have you tried 'redistribute static subnets'?

From lgeyer at gmail.com Mon Feb 2 14:49:52 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Mon, 2 Feb 2009 14:49:52 -0500
Subject: [c-nsp] VPN PIX 6.x Translation issue
In-Reply-To:
References:
Message-ID: <39647f4d0902021149u10c18081od1d0c88d1cfdebd8@mail.gmail.com>

This has to do with NAT behavior on Pix 6.x and supposedly changed on the ASA, but I have personally observed the behavior there as well. Pixes will inherently attempt to translate any traffic they receive on an interface unless told not to.

In your case the following should address the problem.

static (inside,inside2) 10.10.200.0 10.10.200.0 netmask 255.255.255.0

You could also build a nat exempt access-list and define the subnets in question.

- Laurent

On Mon, Feb 2, 2009 at 10:57 AM, William wrote:
> Hi folks!
>
> I currently have a PIX firewall running 6 code, the firewall has 3
> interfaces, inside, outside and inside2.
>
> At the moment I can VPN and communicate to all the hosts on the
> inside, what I'd like to do is also be able to communicate with the
> hosts on inside2, the security levels are:
>
> outside: 0
> inside: 100
> inside2: 90
>
> When I try to speak to inside2 hosts, I get the following error:
>
> %PIX-3-305005: No translation group found for icmp src
> outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0)
>
> I'm very confused as to where I should be putting global/nat
> statements...
> so far my setup consists of:
>
>
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 10.10.200.0 255.255.255.0 0 0
> nat (inside2) 0 access-list office_outbound_nat0_acl
> nat (inside2) 1 192.168.0.0 255.255.255.0 0 0
> global (outside) 1 interface
>
> This lets both inside and inside2 hosts contact the internet via int
> outside, and no nat stuff that needs to traverse VPN tunnels...
>
> If anyone can assist/educate me on getting this working I would
> appreciate it very much!
>
> Cheers,
>
> W

From oiyankok at yahoo.ca Mon Feb 2 19:04:26 2009
From: oiyankok at yahoo.ca (ann kok)
Date: Mon, 2 Feb 2009 16:04:26 -0800 (PST)
Subject: [c-nsp] login
Message-ID: <665345.32707.qm@web111312.mail.gq1.yahoo.com>

Hi all

I have the running config but don't understand the meaning

Could you explain to me?

line con 0
exec-timeout 0 0
transport input none
line vty 0 4
line vty 5 15

Thank you

From ahmedazim at gmail.com Mon Feb 2 19:28:28 2009
From: ahmedazim at gmail.com (Ahmed Mohamed)
Date: Tue, 3 Feb 2009 02:28:28 +0200
Subject: [c-nsp] reachability issue in MEL link
Message-ID:

Hello,

this is a real life problem still occurring, and have no idea what may be causing it ..
we are providing an internet direct service to our customer via MEL (Metro Ethernet Link)

CE (CS-7206 VXR) fe2/0.36 ------------------Etherlink(local carrier)---------------- WS-3759G-24TS--PE(CS-7000)

the solution is provided using a carrier to link the customer CE to an aggregated switch, using Metro Ethernet configuring vlan 36 and using dot1q encapsulation then from the aggregating switch to the PE router using also encapsulation dot1q for vlan36

all interfaces are up-up , and still ping fails !!

i tried everything, resetting ports, switches, reconfigure interfaces ..etc. still no joy

any idea what could be causing the problem ?

========================================================================
CE:
-----
interface FastEthernet2/0.36
 bandwidth 61440
 encapsulation dot1Q 36
 ip address 57.78.2.6 255.255.255.252
========================================================================
Agg. switch:
------------------
interface GigabitEthernet1/0/9
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3109
 switchport trunk allowed vlan 36,3109
 switchport mode trunk
 switchport nonegotiate
 duplex full
 speed 100
 mls qos trust cos
 spanning-tree bpdufilter enable
========================================================================
PE:
------
interface FastEthernet5/1/1.36
 bandwidth 61440
 encapsulation dot1Q 36
 ip address 57.78.2.5 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip route-cache
 no cdp enable
========================================================================
bmil305#sh int FastEthernet5/1/1.36
FastEthernet5/1/1.36 is up, line protocol is up <<<<<<
  Hardware is cyBus FastEthernet Interface, address is 0003.fe91.b8a9 (bia 0003.fe91.b8a9)
  Internet address is 57.78.2.5/30
  MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
ARP type: ARPA, ARP Timeout 04:00:00 ======================================================================== pmil2534#sh int Fa2/0.36 FastEthernet2/0.36 is up, line protocol is up <<<<<< Hardware is i82543 (Livengood), address is 0022.be8b.1038 (bia 0022.be8b.1038) Description: --- To bmil305 - FE5/1/1.5 Internet address is 57.78.2.6/30 MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation 802.1Q Virtual LAN, Vlan ID 36. ======================================================================== ping pe to CE fails: ---------------------------- bmil305#ping 57.78.2.6 <<<<<<, Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 57.78.2.6, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) ======================================================================== PE to internet (google) successfully: ------------------------------------------------------ bmil305#ping 216.239.59.147 source fast 5/1/1.36 repeat 100 size 500 Type escape sequence to abort. Sending 100, 500-byte ICMP Echos to 216.239.59.147, timeout is 2 seconds: Packet sent with a source address of 57.78.2.5 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 100 percent (100/100), round-trip min/avg/max = 36/40/112 ms ======================================================================== From ariemer at wesenergy.com.au Mon Feb 2 21:54:21 2009 From: ariemer at wesenergy.com.au (Aaron Riemer) Date: Tue, 3 Feb 2009 11:54:21 +0900 Subject: [c-nsp] Initiating Connections to VPN Clients Message-ID: <0867622C64B50C4B878AB45C95F43F110678BFAE@MAILWA01.wesenergy.local> Hi guys, I am trying to work out why I cannot initiate connections to our VPN clients. ICMP seems to be okay and I can see that there is nothing in the log indicating the connections are denied. What could I be missing here? Connections inbound from the VPN clients work flawlessly. 
Thanks for any suggestions,

Aaron.

From ariemer at wesenergy.com.au Mon Feb 2 22:07:30 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Tue, 3 Feb 2009 12:07:30 +0900
Subject: [c-nsp] login
In-Reply-To: <665345.32707.qm@web111312.mail.gq1.yahoo.com>
References: <665345.32707.qm@web111312.mail.gq1.yahoo.com>
Message-ID: <0867622C64B50C4B878AB45C95F43F110678BFC6@MAILWA01.wesenergy.local>

These are your console and VTY lines for managing the device. Con being out of band management. VTY being in band management.. i.e. telnet and SSH.

Aaron.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ann kok
Sent: Tuesday, 3 February 2009 9:04 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] login

Hi all

I have the running config but don't understand the meaning

Could you explain to me?

line con 0
exec-timeout 0 0
transport input none
line vty 0 4
line vty 5 15

Thank you

From bitkraft at gmail.com Mon Feb 2 22:55:33 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Mon, 2 Feb 2009 19:55:33 -0800
Subject: [c-nsp] core OSPF configurations
Message-ID: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com>

Hi,

Let's say you have a core router with 50+ SVIs and 4 uplinks to two other OSPF routers in the same area. What is the best way to configure OSPF to inject all 50+ SVIs into the routing domain? Would you configure network statements for all SVI networks and passive the interfaces? Would you configure OSPF on the uplink interfaces only and redistribute connected to create type-5 externals?
/bs

From ltd at cisco.com Mon Feb 2 23:19:40 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Tue, 03 Feb 2009 15:19:40 +1100
Subject: [c-nsp] Netconf (over SSHv2) in SXI
In-Reply-To: <20090202161705.GB4869@wildfire.net.ic.ac.uk>
References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <20090202161705.GB4869@wildfire.net.ic.ac.uk>
Message-ID: <4987C5DC.9090505@cisco.com>

Phil Mayers wrote:
> On Mon, Feb 02, 2009 at 12:11:23PM +0000, Lincoln Dale wrote:
>> Phil Mayers wrote:
>>> Does anyone have working examples talking to the netconf
>>> implementation in 12.2(33)SXI? Or pointers to libraries / code that
>>> works?
>>> [..]
>>>
>>> ...
>>>
>>> arp
>>>
>>> ...I get error messages about the cpi: namespace and "debug cns xml"
>>> on the box tells me the XML stanzas in that namespace have no handler.
>> i have worked extensively with Netconf/XML on NX-OS on Nexus 7000.
>>
>> whatever you're requesting needs to match the schema. based on my
>> experience, i think you'll most likely need to modify what you have to:
>>
>
> That directly contradicts Cisco's examples.

indeed it does contradict the example you pointed to in 7600 IOS 12.2SR documentation, and isn't what i would have expected.

one thing i did notice is that your example had an incorrect xmlns specified (www.cisc.com/... rather than www.cisco.com/...). the xmlns needs to be exact.

and again - if you're testing this on a 6500 IOS 12.2SXI, make sure you are matching the schema for _that_.

> Can you share the xml for any non-trivial thing you have working? I
> have literally tried every combo of xml and namespacing I can imagine.

to reiterate, it's important that what you're requesting match the schema (XSD). the .XSD files are on cisco.com somewhere matching the IOS release you are running.

cheers,

lincoln.

From pshuleski at gmail.com Tue Feb 3 00:36:38 2009
From: pshuleski at gmail.com (Pete S.)
Date: Tue, 3 Feb 2009 00:36:38 -0500
Subject: [c-nsp] core OSPF configurations
In-Reply-To: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com>
References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com>
Message-ID: <50f158990902022136q6ddba3a9scc4002b7a10f9021@mail.gmail.com>

Many ways to go about it. I'm not sure any is more correct than another. As long as you aren't wasting the router's CPU sending ospf hello's out all of the SVI interfaces.

For my personal preference, I try to enumerate the networks in the ospf process. This allows me to quickly see all the networks being announced on that router just by sh run | b router ospf. The list may get long, but it is a definitive list of what that router is allowed to announce. You can always supernet if you have contiguous space, or break it off into another area, and range, if appropriate.

I'm also a fan of using passive-interface default, and no passive-interface for the uplinks, in the routing process. Also for centralization. I can see exactly what interfaces should have OSPF neighbors. This also gives you the control to add additional SVIs, without any additional interface commands.

I tend to treat redistribute connected as a bad practice, simply because, if an interface is created and IP'd, i don't necessarily ever want it to instantly start announcing its network through my routing protocol. One wrong subnet typo on a new SVI, can instantly cause issues...

I'm sure you'll hear a few opinions on how to do it, as there are a few approaches. If there are cpu or network benefits for one way over another, I'd love to hear them.

--Pete

From david at hughes.com.au Tue Feb 3 01:30:50 2009
From: david at hughes.com.au (David Hughes)
Date: Tue, 3 Feb 2009 16:30:50 +1000
Subject: [c-nsp] Fast UDLD timers in SXI?
Message-ID: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au>

Hi

My trawling around CCO doco hasn't helped - I'm obviously running short of CCO foo today.
Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down to 1 second) or if we are still stuck with the old 7 sec timers. We can do 1 sec UDLD on 2900 class switches so I hope we see it in the "premier switching platform" some time soon. We need some way to pick up a link failure at the far end of an EoMPLS xconnect in a reasonable time.

Thanks

David
...

From jeff at ocjtech.us Tue Feb 3 02:11:13 2009
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Tue, 3 Feb 2009 01:11:13 -0600
Subject: [c-nsp] Netconf (over SSHv2) in SXI
In-Reply-To: <4987C5DC.9090505@cisco.com>
References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <20090202161705.GB4869@wildfire.net.ic.ac.uk> <4987C5DC.9090505@cisco.com>
Message-ID: <935ead450902022311t17704123lb68a64f3db4c6179@mail.gmail.com>

This piqued my interest, so I whipped up a quick program to do some testing. I've attached the resulting program, which when run against my 6500 running 12.2(33)SXI produces a copy of the running config.

Some things I observed:

1. Netconf over SSHv2 (http://www.rfc-editor.org/rfc/rfc4742.txt) requires a "hello" message to be sent by the client, which didn't appear to be documented in any of the Cisco docs.

2. If the "hello" message had problems, no error message is sent to the client (an error message is logged though).

4. The namespace that it sends ("urn:ietf:params:netconf:base:1.0") is different from what it expects ("urn:ietf:params:xml:ns:netconf:base:1.0") which I found a little confusing.

5. I wasn't able to get any of the command filtering working.

The script is in Python, and you'll need the Paramiko (SSHv2) and lxml (XML parsing) extensions.

Sample output (actual config file truncated):

urn:ietf:params:netconf:base:1.0
urn:ietf:params:netconf:capability:writeable-running:1.0
urn:ietf:params:netconf:capability:startup:1.0
urn:ietf:params:netconf:capability:url:1.0
urn:cisco:params:netconf:capability:notification:1.0
1391240248
!
!
Last configuration change at 22:43:26 CST Mon Feb 2 2009 by Cisco
! NVRAM config last updated at 10:23:27 CST Mon Feb 2 2009 by Cisco
!
...
netconf ssh
!
end

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe."
-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"

From gert at greenie.muc.de Tue Feb 3 02:15:50 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 3 Feb 2009 08:15:50 +0100
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au>
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au>
Message-ID: <20090203071550.GU290@greenie.muc.de>

Hi,

On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote:
> Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down
> to 1 second) or if we are still stuck with the old 7 sec timers. We
> can do 1 sec UDLD on 2900 class switches so I hope we see it in the
> "premier switching platform" some time soon. We need some way to pick
> up a link failure at the far end of an EoMPLS xconnect in a reasonable
> time.

Can you use BFD?

(Yes, this is not answering your question - I don't know the answer - but it might be an alternative approach if this a layer 3 link)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Tue Feb 3 03:10:18 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 3 Feb 2009 08:10:18 +0000
Subject: [c-nsp] Netconf (over SSHv2) in SXI
In-Reply-To: <935ead450902022311t17704123lb68a64f3db4c6179@mail.gmail.com>
References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <20090202161705.GB4869@wildfire.net.ic.ac.uk> <4987C5DC.9090505@cisco.com> <935ead450902022311t17704123lb68a64f3db4c6179@mail.gmail.com>
Message-ID: <20090203081018.GB15269@wildfire.net.ic.ac.uk>

On Tue, Feb 03, 2009 at 07:11:13AM +0000, Jeffrey Ollie wrote:
>This piqued my interest, so I whipped up a quick program to do some
>testing. I've attached the resulting program, which when run against
>my 6500 running 12.2(33)SXI produces a copy of the running config.
>
>Some things I observed:

Yep, those match my observations.

>The script is in Python, and you'll need the Paramiko (SSHv2) and lxml

I used Twisted & a Nevow web UI, but seems python is popular ;o)

>
> !

Yeah - note that the cli-config-data-block element is not namespaced here. I suspect the netconf XML parser/generator is just broken in SXI.

I'm going to bug TAC later today - it's either a software or docs bug.

From Marcus.Gerdon at versatel.de Tue Feb 3 03:18:48 2009
From: Marcus.Gerdon at versatel.de (Marcus.Gerdon)
Date: Tue, 3 Feb 2009 09:18:48 +0100
Subject: [c-nsp] Channelized OC3 for 7206VXR
Message-ID: <227142482560EF458FF1F7E784E26AB823D075@FLBVEXCH01.versatel.local>

Hi,

the PA-MC-STM1 can be configured for SDH or Sonet framing on the controller, below which the TUG structure (don't know how's that called in Sonet) is configured. As far as I know (only done SDH for some time) when switching to Sonet we're in OCx world.

I've no installed PA at hand without links connected so maybe someone can simply try what can be configured when in Sonet mode ?
regards,
Marcus

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Monday, 2 February 2009 18:47
> To: Justin M. Streiner
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Channelized OC3 for 7206VXR
>
> Hi,
>
> On Mon, Feb 02, 2009 at 11:29:42AM -0500, Justin M. Streiner wrote:
> > That particular card does not support channelized
> operation. It's also
> > end-of-life. I'm not aware of a channelized OC3 port
> adapter for the 7200
> > series.
>
> For whatever reason, there is a channelized STM-1 which goes
> down to E1,
> but no channelized OC3 indeed.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

From allan.eising at gmail.com Tue Feb 3 03:45:04 2009
From: allan.eising at gmail.com (Allan Eising)
Date: Tue, 3 Feb 2009 09:45:04 +0100
Subject: [c-nsp] Initiating Connections to VPN Clients
In-Reply-To: <0867622C64B50C4B878AB45C95F43F110678BFAE@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F110678BFAE@MAILWA01.wesenergy.local>
Message-ID:

On Tue, Feb 3, 2009 at 3:54 AM, Aaron Riemer wrote:
> Hi guys,
>
> I am trying to work out why I cannot initiate connections to our VPN
> clients. ICMP seems to be okay and I can see that there is nothing in
> the log indicating the connections are denied. What could I be missing
> here? Connections inbound from the VPN clients work flawlessly.
>
> Thanks for any suggestions,
>
> Aaron.
>

How is the server part of your vpn configured? Do you use dynamic maps? Could you post the relevant configuration here?

Regards,
Allan

From nasir.shaikh at bt.com Tue Feb 3 03:45:55 2009
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Tue, 3 Feb 2009 08:45:55 -0000
Subject: [c-nsp] How secure are VLANs and VRFs?
Message-ID: <2B0ABDF9E4A1204AA7467F20075354560801EA46@E03MVZ4-UKDY.domain1.systemhost.net>

Hi,

I am looking for some studies/papers to convince my customer (and myself) that VLANs can be as secure as physical segments and VRFs also provide a secure segregation of traffic.

A few years back I came across a post referring to a document on the FBI or the NSA site stating that VLANs were deemed just as secure as physical wires.

I am sure that there are Service Providers offering an Internet VRF over their MPLS cloud or enterprises with unfiltered Internet vrf on a campus. How do you convince a customer about the security of a vrf?
Any references will be appreciated

Nasir Shaikh
CCIE #15845 | Senior Consultant | BT | Global Professional Services | E: nasir.shaikh at bt.com | http://www.bt.com/consulting

From tim at pelican.org Tue Feb 3 04:24:44 2009
From: tim at pelican.org (Tim Franklin)
Date: Tue, 3 Feb 2009 09:24:44 -0000 (GMT)
Subject: [c-nsp] set clock
In-Reply-To: <46114.1233585948@lavin-llc.com>
References: <46114.1233585948@lavin-llc.com>
Message-ID: <6b7153d53a0f0d50d41d62a27d0ebbc3.squirrel@webmail.pelican.org>

On Mon, February 2, 2009 2:45 pm, chris at lavin-llc.com wrote:
> Most of us tend to like using the GMT (UTC) timezone because its a global
> reference that never changes. Therefore you don't have to
> worry about accounting for the dates that your local timezone "springs
> forward" or "falls back".

Also, it lets you correlate logs from different time zones without having to try and adjust everything - pretty much the same reason you run NTP on a device in the first place.

This is a useful point to be ready to explain to local ops people when they're campaigning for national time zones on network devices, IME.

Regards,
Tim.

From thomas at dupas.be Tue Feb 3 04:45:27 2009
From: thomas at dupas.be (Thomas Dupas)
Date: Tue, 3 Feb 2009 10:45:27 +0100
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To: <20090203071550.GU290@greenie.muc.de>
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au>, <20090203071550.GU290@greenie.muc.de>
Message-ID: <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be>

I assume it's a L2 link (EoMPLS), so BFD won't help much. We're in the same situation, also stuck with UDLD timers and 2 parallel EoMPLS xconnects.
I can't get the convergence lower than 20 seconds with the default UDLD, so I'm also hoping for fast UDLD

Best Regards,
Thomas

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] on behalf of Gert Doering [gert at greenie.muc.de]
Sent: Tuesday 3 February 2009 8:15
To: David Hughes
CC: Cisco NSP ((E-mail))'
Subject: Re: [c-nsp] Fast UDLD timers in SXI?

Hi,

On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote:
> Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down
> to 1 second) or if we are still stuck with the old 7 sec timers. We
> can do 1 sec UDLD on 2900 class switches so I hope we see it in the
> "premier switching platform" some time soon. We need some way to pick
> up a link failure at the far end of an EoMPLS xconnect in a reasonable
> time.

Can you use BFD?

(Yes, this is not answering your question - I don't know the answer - but it might be an alternative approach if this a layer 3 link)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From eimantas at occ.lt Tue Feb 3 04:12:19 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Tue, 03 Feb 2009 11:12:19 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
Message-ID: <49880A73.2010702@occ.lt>

Hi all,

I have configured vpn on asa 5520 (software version 7.2). vpnclient connect to asa and says everything is ok. But i cannot ping any computer in inside network.

asa is working in router mode, single context.
No nat on inside or outside interface

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# interface ethernet1
hostname(config-if)# ip address 10.10.1.200 255.255.0.0
hostname(config-if)# nameif inside
hostname(config-if)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

Thanks
Eimantas

From peter at rathlev.dk Tue Feb 3 05:25:31 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 03 Feb 2009 11:25:31 +0100
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <49880A73.2010702@occ.lt>
References: <49880A73.2010702@occ.lt>
Message-ID: <1233656731.3494.195.camel@localhost.localdomain>

On Tue, 2009-02-03 at 11:12 +0200, Eimantas Zdanevičius wrote:
> I have configured vpn on asa 5520 (software version 7.2). vpnclient
> connect to asa and says everything is ok. But i cannot ping any computer
> in inside network.
>
> asa is working in router mode, single context.
No nat on inside or > outside interface > ... What does the log say? Where's the ACLs for the interfaces? Are you sure the firewall isn't denying the traffic as it does default? Regards, Peter From eimantas at occ.lt Tue Feb 3 06:47:41 2009 From: eimantas at occ.lt (=?UTF-8?B?RWltYW50YXMgWmRhbmV2acSNaXVz?=) Date: Tue, 03 Feb 2009 13:47:41 +0200 Subject: [c-nsp] ASA 5520 Remote Access VPN In-Reply-To: <498819FE.90609@lumison.net> References: <49880A73.2010702@occ.lt> <498819FE.90609@lumison.net> Message-ID: <49882EDD.608@occ.lt> Alasdair Gow wrote: > Hi, > > It looks like eth0 and eth1 are on the same network. > they need to be on separate networks IIRC. > > Cheers, > Ally > sorry about my mistake. interfaces are on diferent networks maske are 255.255.255.0 From eimantas at occ.lt Tue Feb 3 06:57:02 2009 From: eimantas at occ.lt (=?UTF-8?B?RWltYW50YXMgWmRhbmV2acSNaXVz?=) Date: Tue, 03 Feb 2009 13:57:02 +0200 Subject: [c-nsp] ASA 5520 Remote Access VPN In-Reply-To: <1233656731.3494.195.camel@localhost.localdomain> References: <49880A73.2010702@occ.lt> <1233656731.3494.195.camel@localhost.localdomain> Message-ID: <4988310E.20109@occ.lt> Peter Rathlev wrote: > ... > > What does the log say? Where's the ACLs for the interfaces? Are you sure > the firewall isn't denying the traffic as it does default? > > Regards, > Peter > Its hard to find anything in log, because this is a production firewall and there is a lot of messages in syslog. if i'm greeping on ip addresses vpnclient real address or vpn address in syslog i cant find anything wrong. on outside interface i have acl which accepts pings from any source to inside interface computers. and i can ping from any computer from outside to any computer on inside. Even in ASDM real time logging i can't see any message about dropping packets from vpn tunnel. 
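An added sanity check over the interface and pool lines of the ASA configuration posted in this thread (example code of my own, not from the poster or from Cisco). It parses the CLI lines as posted, reports interface pairs whose connected subnets overlap (the point Alasdair raised: the 255.255.0.0 masks as first posted do overlap, the 255.255.255.0 masks given later do not), and reports whether the VPN address pool lies inside any interface subnet, which decides whether inside hosts can reach VPN clients by ARP or need a route for the pool pointing back at the ASA. The configuration text is copied from the post; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the interface and pool lines from the ASA configuration
# posted in this thread, with the 255.255.0.0 masks exactly as first posted.
ASA_CONFIG_AS_POSTED = """\
hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# interface ethernet1
hostname(config-if)# ip address 10.10.1.200 255.255.0.0
hostname(config-if)# nameif inside
hostname(config-if)# no shutdown
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
"""

# The same lines with the 255.255.255.0 masks the poster later said were in use.
ASA_CONFIG_CORRECTED = ASA_CONFIG_AS_POSTED.replace("255.255.0.0", "255.255.255.0")

IP_RE = re.compile(r"\bip address (\S+) (\S+)")
NAMEIF_RE = re.compile(r"\bnameif (\S+)")
POOL_RE = re.compile(r"\bip local pool (\S+) (\S+)-(\S+)")


def parse_config(text):
    """Extract interface addresses (keyed by nameif) and address pools.

    Returns ({nameif: IPv4Interface}, {pool_name: (first_addr, last_addr)}).
    The CLI prompts ("hostname(config-if)# ") are ignored; only the command
    text after them is matched.
    """
    interfaces = {}
    pools = {}
    pending = None  # ip address seen on this interface, nameif not yet seen
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            # ipaddress accepts "address/dotted-netmask" directly
            pending = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = NAMEIF_RE.search(line)
        if m and pending is not None:
            interfaces[m.group(1)] = pending
            pending = None
            continue
        m = POOL_RE.search(line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return interfaces, pools


def overlapping_interfaces(interfaces):
    """Return sorted (nameif, nameif) pairs whose connected subnets overlap.

    Two ASA interfaces on the same or overlapping subnet is the condition
    Alasdair pointed out; the /16 masks as posted produce one such pair.
    """
    names = sorted(interfaces)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if interfaces[a].network.overlaps(interfaces[b].network)]


def pool_placement(interfaces, pools):
    """Map each pool to the nameif whose subnet contains the whole pool.

    A value of None means the pool is not on any directly connected
    subnet: inside hosts cannot ARP for VPN client addresses and need a
    route for the pool pointing at the ASA (or proxy ARP on the ASA).
    """
    placement = {}
    for pool_name, (first, last) in pools.items():
        placement[pool_name] = next(
            (nameif for nameif, iface in interfaces.items()
             if first in iface.network and last in iface.network),
            None)
    return placement


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG_AS_POSTED),
                       ("corrected", ASA_CONFIG_CORRECTED)):
        ifs, pools = parse_config(cfg)
        print(label, {n: str(i) for n, i in ifs.items()})
        print("  overlapping:", overlapping_interfaces(ifs))
        print("  pool placement:", pool_placement(ifs, pools))
```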
From engel.labiro at gmail.com  Tue Feb  3 09:30:15 2009
From: engel.labiro at gmail.com (Engelhard Labiro)
Date: Tue, 3 Feb 2009 23:30:15 +0900
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <49880A73.2010702@occ.lt>
References: <49880A73.2010702@occ.lt>
Message-ID: <74b0c3330902030630i1d7bf31i7e97698c29bb462e@mail.gmail.com>

> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

I guess this is a routing problem, since you assign 192.168.0.x to the VPN client, which is located on a different segment from the PIX's own interface. The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf of the VPN client. This can be done with the proxy ARP setting on the inside interface of the PIX... I forgot the command.

Or if you have a router on the PIX's inside I/F, just create a route to 192.168.0.x pointing back to your PIX's inside I/F.

HTH
Engel

From steve at ibctech.ca  Tue Feb  3 08:31:49 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Tue, 03 Feb 2009 08:31:49 -0500
Subject: [c-nsp] A little confusion: OSPF and iBGP
Message-ID: <49884745.2030304@ibctech.ca>

Hi everyone,

I've got a couple of questions regarding the use of iBGP and OSPF. I've got:

rtrA - connected to the Internet, and routes some prefixes of my /21 (and v6 /32) to the infrastructure/servers

rtrB - private eBGP peering with another company, and connects some multihomed clients with eBGP (they use space from our /21 and advertise back to us with a private AS). Also has numerous prefixes from our /21 on the client-facing sides. For these clients, our edge is their default gateway for the prefix

rtrC - connects the multihomed clients' secondary connection with a lower eBGP preference, and also has a few prefixes from the /21 for other access clients

Currently, I use OSPF to share the loopback interface IPs, and use iBGP for the rest.

For the prefixes at the client access edge that are put in place statically, I advertise them to the other internal peers via iBGP. Would it be best to leave it this way, or to put this address space into the IGP instead, and have BGP only announce the actual eBGP learnt routes?

Also, should all of my routers have a pull-up route for the entire /21, or just for the prefixes that they house?

Thanks,

Steve

From ross at kallisti.us  Tue Feb  3 09:32:39 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Tue, 3 Feb 2009 09:32:39 -0500
Subject: [c-nsp] Netconf (over SSHv2) in SXI
In-Reply-To: <20090203081018.GB15269@wildfire.net.ic.ac.uk>
References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <20090202161705.GB4869@wildfire.net.ic.ac.uk> <4987C5DC.9090505@cisco.com> <935ead450902022311t17704123lb68a64f3db4c6179@mail.gmail.com> <20090203081018.GB15269@wildfire.net.ic.ac.uk>
Message-ID: <20090203143239.GA31065@kallisti.us>

On Tue, Feb 03, 2009 at 08:10:18AM +0000, Phil Mayers wrote:
> On Tue, Feb 03, 2009 at 07:11:13AM +0000, Jeffrey Ollie wrote:
> >This piqued my interest, so I whipped up a quick program to do some
> >testing. I've attached the resulting program, which when run against
> >my 6500 running 12.2(33)SXI produces a copy of the running config.
> >
> >Some things I observed:
>
> Yep, those match my observations.
>
> >The script is in Python, and you'll need the Paramiko (SSHv2) and lxml
>
> I used Twisted & a Nevow web UI, but seems python is popular ;o)

FWIW, I've been working on NETCONF software in python for JUNOS (see a recent j-nsp thread about my frustrations...) and have the beginnings of a library for generating and parsing NETCONF documents in Python with lxml. It's got all JUNOS centric stuff, so it won't be too much help as-is, but if you're interested let me know.

> >
> > !
> >
>
> Yeah - note that the cli-config-data-block element is not namespaced
> here. I suspect the netconf XML parser/generator is just broken in SXI.
> I'm going to bug TAC later today - it's either a software or docs bug.

Well, in an XML sense, it's taken the default namespace provided by the rpc-reply tag. So that is "". I don't know if there's a data element defined by NETCONF, so I can't speak to the well-formedness of the above XML, only its validity.

Ross
--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie

From eimantas at occ.lt  Tue Feb  3 09:33:43 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Tue, 03 Feb 2009 16:33:43 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <74b0c3330902030626t28f66045j89b0d7e7bfeccc0c@mail.gmail.com>
References: <49880A73.2010702@occ.lt> <74b0c3330902030626t28f66045j89b0d7e7bfeccc0c@mail.gmail.com>
Message-ID: <498855C7.7050405@occ.lt>

Engelhard Labiro wrote:
>> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
>>
>
> I guess this is a routing problem, since you assign 192.168.0.x to vpn
> client which is located on different segment with PIX's own interface.
> The pix must response to arp request for 192.168.0.10 to 15 on behalf
> of the vpn client. This is can be done with proxy arp setting on the
> inside interface of the PIX... I forgot the command.
> Or if you have a router in PIX's inside I/F, just create a route to
> 192.168.0.x pointing back
> to your PIX's inside I/F.
>
> HTH
> Engel
>

When the client connects to the ASA, the ASA automatically adds a route:

S 192.168.0.10 255.255.255.255 [1/0] via default_gw, outside

Eimantas

From sigurbjornl at vodafone.is  Tue Feb  3 09:47:42 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 03 Feb 2009 14:47:42 +0000
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <498855C7.7050405@occ.lt>
Message-ID:

Not unless you configure RRI, see
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

BR,
Sibbi

On 3.2.2009 14:33, "Eimantas Zdanevičius" wrote:

> Engelhard Labiro wrote:
>>> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
>>>
>>
>> I guess this is a routing problem, since you assign 192.168.0.x to vpn
>> client which is located on different segment with PIX's own interface.
>> The pix must response to arp request for 192.168.0.10 to 15 on behalf
>> of the vpn client. This is can be done with proxy arp setting on the
>> inside interface of the PIX... I forgot the command.
>> Or if you have a router in PIX's inside I/F, just create a route to
>> 192.168.0.x pointing back
>> to your PIX's inside I/F.
>>
>> HTH
>> Engel
>>
> When client connects to the asa, asa automaticaly adds a route:
> S 192.168.0.10 255.255.255.255 [1/0] via default_gw, outside
>
> Eimantas
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From sigurbjornl at vodafone.is  Tue Feb  3 09:55:17 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 03 Feb 2009 14:55:17 +0000
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <498855C7.7050405@occ.lt>
Message-ID:

If you're connecting through a natted host to the VPN you might try adding

crypto isakmp nat-traversal 30

I have a fairly similar setup to yours which works just fine.

BR,
Sibbi III

On 3.2.2009 14:33, "Eimantas Zdanevičius" wrote:

> Engelhard Labiro wrote:
>>> hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
>>>
>>
>> I guess this is a routing problem, since you assign 192.168.0.x to vpn
>> client which is located on different segment with PIX's own interface.
>> The pix must response to arp request for 192.168.0.10 to 15 on behalf
>> of the vpn client. This is can be done with proxy arp setting on the
>> inside interface of the PIX... I forgot the command.
>> Or if you have a router in PIX's inside I/F, just create a route to
>> 192.168.0.x pointing back
>> to your PIX's inside I/F.
>>
>> HTH
>> Engel
>>
> When client connects to the asa, asa automaticaly adds a route:
> S 192.168.0.10 255.255.255.255 [1/0] via default_gw, outside
>
> Eimantas

From eimantas at occ.lt  Tue Feb  3 10:22:15 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Tue, 03 Feb 2009 17:22:15 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To:
References:
Message-ID: <49886127.1050805@occ.lt>

Sigurbjörn Birkir Lárusson wrote:
> If you're connecting through a natted host to the VPN you might try adding
>
> crypto isakmp nat-traversal 30
>
> I have a fairly similar setup to yours which works just fine.
>

This solved the problem, thanks!

Another problem is that the client sets its default gateway to the tunnel. How can I configure only some networks to go through the tunnel?

Eimantas

From frnkblk at iname.com  Tue Feb  3 10:26:03 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 3 Feb 2009 09:26:03 -0600
Subject: [c-nsp] Multicast grooming
Message-ID:

How many entries can be made with the "ip igmp snooping vlan static" on a 2960G? I'm thinking of bringing in two GigEs of video and then grooming them with that feature down to one GigE. Besides entries, is this feature implemented in hardware or software, such that there might be scalability concerns, too?

Regards,

Frank

From ahmedazim at gmail.com  Tue Feb  3 11:02:34 2009
From: ahmedazim at gmail.com (Ahmed Mohamed)
Date: Tue, 3 Feb 2009 18:02:34 +0200
Subject: [c-nsp] reacheability issue in MEL link
In-Reply-To: <64206.172.25.144.4.1233648371.squirrel@imap.snnap.net>
References: <64206.172.25.144.4.1233648371.squirrel@imap.snnap.net>
Message-ID:

but this is an MCS (Mission Critical Site) solution, i.e.
we ordered the same circuit from the same carrier to implement the solution in another location for resiliency, and it works fine.

P.S.: at some point I had an 8% success rate on 100 pings, but after that all dead.

I told the carrier I want to have the packets transferred with dot1q encapsulation, and they replied that they are providing a transparent environment, regardless of whether the two ends are access or trunk.

On Tue, Feb 3, 2009 at 10:06 AM, Tom Storey wrote:

> Are you sure that the two ports that face your metro ethernet provider are
> actually trunks?
>
> In my experience, carriers will only present access ports to "end users",
> where end users are yourself and your customer.
>
> This means that you do not setup trunking or sub-interfaces on any of your
> and your customers equipment, you configure access ports as well.
>
> It means that you can have a lot of 1:1 patching from your ethernet
> provider to your aggregation switch, but it helps your carrier protect
> their network from certain types of misconfiguration - i.e. they can't
> accidentally trunk someone else's VLAN down to you.
>
> > Hello,
> >
> > this is a real life problem still occurring, and I have no idea what may be
> > causing it ..
> >
> > we are providing an internet direct service to our customer via MEL
> > (Metro Ethernet Link)
> >
> > CE (CS-7206 VXR) fe2/0.36 ------------------Etherlink(local carrier)---------------- WS-3759G-24TS--PE(CS-7000)
> >
> > the solution is provided using a carrier to link the customer CE to an
> > aggregated switch, using Metro Ethernet, configuring vlan 36 and using
> > dot1q encapsulation, then from the aggregating switch to the PE router
> > using also encapsulation dot1q for vlan36
> >
> > all interfaces are up-up, and still ping fails !!
> >
> > i tried everything, resetting ports, switches, reconfigure interfaces
> > ..etc.
> > still no joy
> >
> > any idea what could be causing the problem ?
> >
> > ========================================================================
> > CE:
> > -----
> > interface FastEthernet2/0.36
> >  bandwidth 61440
> >  encapsulation dot1Q 36
> >  ip address 57.78.2.6 255.255.255.252
> > ========================================================================
> > Agg. switch:
> > ------------------
> > interface GigabitEthernet1/0/9
> >  switchport trunk encapsulation dot1q
> >  switchport trunk native vlan 3109
> >  switchport trunk allowed vlan 36,3109
> >  switchport mode trunk
> >  switchport nonegotiate
> >  duplex full
> >  speed 100
> >  mls qos trust cos
> >  spanning-tree bpdufilter enable
> > ========================================================================
> > PE:
> > ------
> > interface FastEthernet5/1/1.36
> >  bandwidth 61440
> >  encapsulation dot1Q 36
> >  ip address 57.78.2.5 255.255.255.252
> >  no ip redirects
> >  no ip proxy-arp
> >  no ip route-cache
> >  no cdp enable
> > ========================================================================
> > bmil305#sh int FastEthernet5/1/1.36
> > FastEthernet5/1/1.36 is up, line protocol is up <<<<<<
> >   Hardware is cyBus FastEthernet Interface, address is 0003.fe91.b8a9 (bia 0003.fe91.b8a9)
> >   Internet address is 57.78.2.5/30
> >   MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
> >      reliability 255/255, txload 1/255, rxload 1/255
> >   Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
> >   ARP type: ARPA, ARP Timeout 04:00:00
> > ========================================================================
> > pmil2534#sh int Fa2/0.36
> > FastEthernet2/0.36 is up, line protocol is up <<<<<<
> >   Hardware is i82543 (Livengood), address is 0022.be8b.1038 (bia 0022.be8b.1038)
> >   Description: --- To bmil305 - FE5/1/1.5
> >   Internet address is 57.78.2.6/30
> >   MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
> >      reliability 255/255, txload 1/255, rxload 1/255
> >   Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
> > ========================================================================
> > ping pe to CE fails:
> > ----------------------------
> > bmil305#ping 57.78.2.6 <<<<<<
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 57.78.2.6, timeout is 2 seconds:
> > .....
> > Success rate is 0 percent (0/5)
> > ========================================================================
> > PE to internet (google) successfully:
> > ------------------------------------------------------
> > bmil305#ping 216.239.59.147 source fast 5/1/1.36 repeat 100 size 500
> > Type escape sequence to abort.
> > Sending 100, 500-byte ICMP Echos to 216.239.59.147, timeout is 2 seconds:
> > Packet sent with a source address of 57.78.2.5
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > Success rate is 100 percent (100/100), round-trip min/avg/max = 36/40/112 ms
> > ========================================================================
>
>

From petelists at templin.org  Tue Feb  3 10:20:42 2009
From: petelists at templin.org (Pete Templin)
Date: Tue, 03 Feb 2009 09:20:42 -0600
Subject: [c-nsp] core OSPF configurations
In-Reply-To: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com>
References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com>
Message-ID: <498860CA.90707@templin.org>

Brian Spade wrote:
> What is the best way to configure OSPF to inject all 50+ SVIs into the
> routing domain?
>
> Would you configure network statements for all SVI networks and passive the
> interfaces?
> Would you configure OSPF on the uplink interfaces only and redistributed
> connected to create type-5 externals?
If it were me, the SVIs would be announced into BGP, so that my OSPF world stayed small and clean.

That said, remember that the network statement(s) only have to match, through wildcard math, the _IP addresses_ of the interfaces to be included in OSPF. If you run a single area, 'network 0.0.0.0 255.255.255.255 area 0' is all you need. Flipside, if you want to lock down OSPF to the point that shifting an interface within a subnet causes OSPF to drop so you can catch the culprit in the act, 'network 10.20.30.254 0.0.0.0 area 0' matches exactly that one address (but the interface's correct netmask is used when inserting the route into OSPF).

pt

From sigurbjornl at vodafone.is  Tue Feb  3 10:29:40 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 03 Feb 2009 15:29:40 +0000
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <49886127.1050805@occ.lt>
Message-ID:

Something along these lines if you wanted to just send 10.10.53.0/24 and 10.10.54.0/24 through the VPN tunnel:

tunnel-group testgroup general-attributes
 default-group-policy testpolicy

group-policy testpolicy internal
group-policy testpolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TunnelList

access-list TunnelList standard permit 10.10.53.0 255.255.255.0
access-list TunnelList standard permit 10.10.54.0 255.255.255.0

BR,
Sibbi

On 3.2.2009 15:22, "Eimantas Zdanevičius" wrote:

> Sigurbjörn Birkir Lárusson wrote:
>> If you're connecting through a natted host to the VPN you might try adding
>>
>> crypto isakmp nat-traversal 30
>>
>> I have a fairly similar setup to yours which works just fine.
>>
> This solved the problem, thanks!
>
> Another problem is that client sets default gateway to tunnel.
> How can i configure only some networks to go trough tunnel?
>
>
> Eimantas

From tsuther at i3bus.com  Tue Feb  3 12:30:48 2009
From: tsuther at i3bus.com (Tom Sutherland)
Date: Tue, 3 Feb 2009 12:30:48 -0500
Subject: [c-nsp] VPN PIX 6.x Translation issue
In-Reply-To:
References:
Message-ID: <1233682248.7244.16.camel@angry-butler444>

have you tried "global (outside) 0 interface" ?

-----Original Message-----
From: William
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN PIX 6.x Translation issue
Date: Mon, 2 Feb 2009 10:57:05 -0500

Hi folks!

I currently have a PIX firewall running 6 code. The firewall has 3 interfaces: inside, outside and inside2. At the moment I can VPN in and communicate with all the hosts on the inside; what I'd like to do is also be able to communicate with the hosts on inside2. The security levels are:

outside: 0
inside: 100
inside2: 90

When I try to speak to inside2 hosts, I get the following error:

%PIX-3-305005: No translation group found for icmp src outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0)

I'm very confused as to where I should be putting global/nat statements... so far my setup consists of:

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.10.200.0 255.255.255.0 0 0
nat (inside2) 0 access-list office_outbound_nat0_acl
nat (inside2) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface

This lets both inside and inside2 hosts contact the internet via int outside, and no-NATs stuff that needs to traverse VPN tunnels...

If anyone can assist/educate me on getting this working I would appreciate it very much!
Cheers,
W

From steve at ibctech.ca  Tue Feb  3 13:28:26 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Tue, 03 Feb 2009 13:28:26 -0500
Subject: [c-nsp] A little confusion: OSPF and iBGP
In-Reply-To: <200902040158.39927.mtinka@globaltransit.net>
References: <49884745.2030304@ibctech.ca> <200902040158.39927.mtinka@globaltransit.net>
Message-ID: <49888CCA.1040801@ibctech.ca>

Mark Tinka wrote:
> On Tuesday 03 February 2009 09:31:49 pm Steve Bertrand
> wrote:

Thanks for the feedback Mark,

> For customer aggregation edge routers, prefixes used to
> assign /30 (/126 for v6, or whatever you use for this
> purpose) point-to-point addresses, as well as assignments
> for their own use on their LAN's, from your own blocks,
> would be included in your iBGP running on these router.
> Typically, we assign whole /24's or more for this purpose,
> and announce a shorter block within our network; keeps our
> iBGP table as small as possible (can't have little /30's or
> /126's running around in your iBGP, now can you :-)).

So far, I seem to be doing ok then, less the ability to aggregate the /30's. At first, I allocated space for /30's from a reserved space for only that purpose, and have this reserved space on both the inside and outside of the edge routers (and have to have the little /30's floating around).

That's easy enough to rectify at this point by renumbering my intra-router links, so thank you for pointing that out :)

Steve

From mtinka at globaltransit.net  Tue Feb  3 12:58:24 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 4 Feb 2009 01:58:24 +0800
Subject: [c-nsp] A little confusion: OSPF and iBGP
In-Reply-To: <49884745.2030304@ibctech.ca>
References: <49884745.2030304@ibctech.ca>
Message-ID: <200902040158.39927.mtinka@globaltransit.net>

On Tuesday 03 February 2009 09:31:49 pm Steve Bertrand wrote:

> For the prefixes at the client access edge that are put
> in place statically, I advertise them to the other
> internal peers via iBGP. Would it be best to leave it
> this way, or to put this address space into the IGP
> instead, and have BGP only announce the actual eBGP
> learnt routes?

Best to keep your IGP carrying only your Loopbacks, and iBGP handling your customer prefixes. Doing this affords you the filtering capabilities of BGP and allows you to operationalize your routing policy better.

> Also, should all of my routers have a pull-up route for
> the entire /21, or just for the prefixes that they house?

Normally, I'd recommend the aggregates be originated by a very stable device in the network. We do this using our route reflectors, and change the NEXT_HOP attribute of the aggregates to point to the Null/Discard interface on all peripheral routers. These edge routers would then be configured to re-announce the aggregates to remote eBGP peers (customers, transit providers, public/private peers, etc.).

For customer aggregation edge routers, prefixes used to assign /30 (/126 for v6, or whatever you use for this purpose) point-to-point addresses, as well as assignments for their own use on their LANs, from your own blocks, would be included in your iBGP running on these routers. Typically, we assign whole /24's or more for this purpose, and announce a shorter block within our network; keeps our iBGP table as small as possible (can't have little /30's or /126's running around in your iBGP, now can you :-)).

So far, you seem to be on the right track.

Cheers,

Mark.

From deanperrine at gmail.com  Tue Feb  3 15:20:57 2009
From: deanperrine at gmail.com (Dean Perrine)
Date: Tue, 3 Feb 2009 12:20:57 -0800
Subject: [c-nsp] Cisco MARS vs. Q1 Qradar - and other vendors
Message-ID: <2db25e4e0902031220n792504aep25ded027db17cec5@mail.gmail.com>

Does anyone have some input on security event correlation systems?

Currently reviewing Cisco MARS vs. Q1 Labs QRadar.

Environment information:
Very large DMVPN, IPS's, FW's, CSM.

Thanks,
==========================
Dean Perrine

From peter at rathlev.dk  Tue Feb  3 15:26:12 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 03 Feb 2009 21:26:12 +0100
Subject: [c-nsp] VPN PIX 6.x Translation issue
In-Reply-To: <1233682248.7244.16.camel@angry-butler444>
References: <1233682248.7244.16.camel@angry-butler444>
Message-ID: <1233692772.4202.1.camel@localhost.localdomain>

On Tue, 2009-02-03 at 12:30 -0500, Tom Sutherland wrote:
> have you tried "global (outside) 0 interface" ?

Huh? A "global-0"? What does that do? Does it explicitly _not_ translate to the interface address of the outside interface? ;-)

Regards,
Peter

From peter at rathlev.dk  Tue Feb  3 15:46:53 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 03 Feb 2009 21:46:53 +0100
Subject: [c-nsp] Cisco MARS vs. Q1 Qradar - and other vendors
In-Reply-To: <2db25e4e0902031220n792504aep25ded027db17cec5@mail.gmail.com>
References: <2db25e4e0902031220n792504aep25ded027db17cec5@mail.gmail.com>
Message-ID: <1233694013.4202.20.camel@localhost.localdomain>

On Tue, 2009-02-03 at 12:20 -0800, Dean Perrine wrote:
> Does anyone have some input on security event correlation systems?
>
> Currently reviewing Cisco MARS vs. Q1 Labs QRadar.

We have a MARS-110 and I must frankly say I'm not impressed. The system needs a _lot_ of training to be useful and the built-in templates aren't worth much in my eyes. (We've had 10 people take the "MARS" training course and even then only a couple of us find it at most marginally useful.)

My personal conclusion is that a combination of SEC, NFsen and a few scripts parsing logfiles etc. is an easier, cheaper and better way of accomplishing event correlation. It's (relatively) easy to do the visualisations in a similar way to what MARS does by feeding GraphViz with input from either CDP (L2 topology) or your IGP or BGP (L3 topology).

Of course this means you have to love using these tools and you need to have several people on staff with the relevant skills. CS-MARS could be the right thing as an "almost turn key" solution.

> Environment information:
> Very large DMVPN, IPS's, FW's, CSM.

The integration from CS-MARS towards many other Cisco products would be the one maybe strong point. I'd say let the people having to work with it make the decision. :-)

Regards,
Peter

From pierre at userid.org  Tue Feb  3 16:35:26 2009
From: pierre at userid.org (Pierre Lamy)
Date: Tue, 03 Feb 2009 16:35:26 -0500
Subject: [c-nsp] Cisco switch FLP
Message-ID: <4988B89E.2020609@userid.org>

One of my fellow engineers needs to understand auto-advertise and autoneg with regards to Cisco switches.
Can anyone confirm that hard-coded speed/duplex settings on a generic modern Cisco switch will not prevent the switch port from sending fast link pulses, advertising the switch port's hard-coded speed/duplex settings, so that the device at the other end will be able to bring up a link if the remote device itself does not send out FLP?

Pierre

From gert at greenie.muc.de  Tue Feb  3 16:53:16 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 3 Feb 2009 22:53:16 +0100
Subject: [c-nsp] Cisco switch FLP
In-Reply-To: <4988B89E.2020609@userid.org>
References: <4988B89E.2020609@userid.org>
Message-ID: <20090203215316.GK290@greenie.muc.de>

Hi,

On Tue, Feb 03, 2009 at 04:35:26PM -0500, Pierre Lamy wrote:
> Can anyone confirm that hard coded speed/duplex settings on a generic
> modern Cisco switch, will not prevent the switch port from sending fast
> link pulses, advertising the switch port's hardcoded speed/duplex
> settings so that the device at the other end, will be able to bring up a
> link if the remote device itself does not send out FLP?

It will autoneg 100M, but it will usually result in a duplex mismatch.

"Don't hardcode ports unless you know for sure that you need it" (because you connect to a Cisco 7200 with PA-FE or the like).

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From swmike at swm.pp.se  Tue Feb  3 17:13:54 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 3 Feb 2009 23:13:54 +0100 (CET)
Subject: [c-nsp] Cisco switch FLP
In-Reply-To: <4988B89E.2020609@userid.org>
References: <4988B89E.2020609@userid.org>
Message-ID:

On Tue, 3 Feb 2009, Pierre Lamy wrote:

> Can anyone confirm that hard coded speed/duplex settings on a generic
> modern Cisco switch, will not prevent the switch port from sending fast
> link pulses, advertising the switch port's hardcoded speed/duplex
> settings so that the device at the other end, will be able to bring up a
> link if the remote device itself does not send out FLP?

Generic behaviour is that if you hard-code both speed and duplex, the switch stops advertising to the other end using autoneg. So 100/full fixed at one end and the other end set to auto/auto will result in that end thinking it is speaking to a hub that doesn't do autoneg; it'll detect the 100, but will go to 100/half.

There is recent hw from the past 1-2 years that can advertise capabilities even when being fixed, but it has to be configured in another way.
-- Mikael Abrahamsson email: swmike at swm.pp.se From rekordmeister at gmail.com Tue Feb 3 17:21:06 2009 From: rekordmeister at gmail.com (MKS) Date: Tue, 3 Feb 2009 22:21:06 +0000 Subject: [c-nsp] Ethernet to ATM local connect Message-ID: Hi there Is there a cisco platform / sw out there that can the following (the critical part being _second-dot1q_) interface gig3/1.10 encapsulation dot1q 10 second-dot1q 2 interface atm2/0/0 pvc 0/400 l2transport encapsulation aal5 connect atm-ethvlan atm2/0/0 0/400 gigabitethernet3/1.10 interworking ethernet http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1096615 Regards MKS From sigurbjornl at vodafone.is Tue Feb 3 17:31:56 2009 From: sigurbjornl at vodafone.is (=?ISO-8859-1?B?U2lndXJiavZybg==?= Birkir =?ISO-8859-1?B?TOFydXNzb24=?=) Date: Tue, 03 Feb 2009 22:31:56 +0000 Subject: [c-nsp] show dsl int atm 0 In-Reply-To: <4986C36A.1090406@pelican.org> Message-ID: Moving the Target Noise Margin or whatever it is called in your DSLAM is a better plan. Interleaving has far more to do with sync stability, i.e. it allows the router some time to respond to changes in the line quality before loosing the sync, it also increases latency. The more interleaving time you allow, the greater the latency, but then again, better sync stability. I would use both, interleave at a low setting, and a higher target noise margin if you're running sensitive services such as IPTV over the line. 4ms interleave + 9dB target noise margin should leave the line relatively stable. If you find the maximum sync speed of the line moves below your set minimum to offer the service when you're at 9dB (the higher the target noise margin the lower the sync speed), the line probably isn't good enough to offer the service to begin with. 
BR, Sibbi On 2.2.2009 09:56, "Tim Franklin" wrote: > Ziv Leyes wrote: > >> Setting interleave in the DSLAM will do automatically what I proposed >> before, lowering the speed of the link in order to improve line >> quality. > > Be careful with what you mean by "speed" in this instance. Interleaving > typically increases latency, rather than reducing bandwidth. > > Regards, > Tim. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From david at hughes.com.au Tue Feb 3 17:49:49 2009 From: david at hughes.com.au (David Hughes) Date: Wed, 4 Feb 2009 08:49:49 +1000 Subject: [c-nsp] Fast UDLD timers in SXI? In-Reply-To: <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au>, <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> Message-ID: <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> Yup, that's exactly the situation. STP will work around some of the problem caused by this but if you are presenting an etherchannel over multiple xconnects you can't pick up the link failure of part of the etherchannel without UDLD. We did some initial proof of concepts with 2900s running 2 second timers and it was great. Imagine the look on my face when we found out that 6500s don't have the functionality of a $1,000 access switch ..... So, is the config option on SXI still 7 seconds at best? Thanks David ... On 03/02/2009, at 7:45 PM, Thomas Dupas wrote: > I assume it's a L2 link (EoMPLS), so BFD won't help much. > > We're in the same situation, also stuck with UDLD timers and 2 > parallel EoMPLS xconnects. 
I can't get the convergence lower than 20 > seconds with the default UDLD, so I'm also hoping for fast UDLD > > Best Regards, > > Thomas > > ________________________________________ > From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net > ] on behalf of Gert Doering [gert at greenie.muc.de] > Sent: Tuesday 3 February 2009 8:15 > To: David Hughes > CC: Cisco NSP ((E-mail))' > Subject: Re: [c-nsp] Fast UDLD timers in SXI? > > Hi, > > On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote: >> Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down >> to 1 second) or if we are still stuck with the old 7 sec timers. We >> can do 1 sec UDLD on 2900 class switches so I hope we see it in the >> "premier switching platform" some time soon. We need some way to >> pick >> up a link failure at the far end of an EoMPLS xconnect in a >> reasonable >> time. > > Can you use BFD? > > (Yes, this is not answering your question - I don't know the answer > - but > it might be an alternative approach if this a layer 3 link) > > gert > -- > USENET is *not* the non-clickable part of WWW! > //www.muc.de/~gert/ > Gert Doering - Munich, Germany gert at greenie.muc.de > fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From harbor235 at gmail.com Tue Feb 3 18:21:33 2009 From: harbor235 at gmail.com (harbor235) Date: Tue, 3 Feb 2009 18:21:33 -0500 Subject: [c-nsp] Ring Protocol Message-ID: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com>

I am looking to deploy an Ethernet Ring topology in a campus. The ring is to connect multiple buildings via a high speed 10G backbone. Does Cisco offer any products in this area? The ONS is too expensive, looking for something smaller that is Ethernet based.
mike From rubensk at gmail.com Tue Feb 3 19:06:35 2009 From: rubensk at gmail.com (Rubens Kuhl) Date: Tue, 3 Feb 2009 22:06:35 -0200 Subject: [c-nsp] Ring Protocol In-Reply-To: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com> References: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com> Message-ID: <6bb5f5b10902031606w5ba0331cq96e1d518522d5504@mail.gmail.com> I don't think Cisco currently have an 10G ethernet ring offer. It might come up when REP (Resilient Ethernet Protocol) gets implemented in the 6500 IOS. It was supposed to be on SXI, but that didn't happen. If 2G is enough, ME-3400G-12CS-x with 4 SFP uplinks might do Gigabit Etherchannel, perhaps ? Outside of Cisco-land, Extreme, Foundry and Force 10 seems to have currently shipping solutions. Rubens On Tue, Feb 3, 2009 at 9:21 PM, harbor235 wrote: > I am looking to deploy a Ethernet Ring topology in a campus. The ring is to > connect > multiple buildings via a high speed 10G backbone. Does Cisco offer any > products in this > area? The ONS is too expensive, looking for something smaller that is > Ethernet based. > > > mike > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rubensk at gmail.com Tue Feb 3 19:37:57 2009 From: rubensk at gmail.com (Rubens Kuhl) Date: Tue, 3 Feb 2009 22:37:57 -0200 Subject: [c-nsp] Ring Protocol In-Reply-To: <6bb5f5b10902031606w5ba0331cq96e1d518522d5504@mail.gmail.com> References: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com> <6bb5f5b10902031606w5ba0331cq96e1d518522d5504@mail.gmail.com> Message-ID: <6bb5f5b10902031637l67b82e22o228f0c2aa84feca2@mail.gmail.com> A little bird from C whispered me the following: "I'd take a look at the ME-4924-10GE device (REP Supports ~50ms failover), as well as this you have support for it on the larger devices like the 7600. 
4924 support for REP started in 12.2(44)SG - http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_bulletin_c25_468227.html 7600 has supported REP since 12.2(33)SRC - http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_rep.html" I stand corrected. Rubens On Tue, Feb 3, 2009 at 10:06 PM, Rubens Kuhl wrote: > I don't think Cisco currently have an 10G ethernet ring offer. It > might come up when REP (Resilient Ethernet Protocol) gets implemented > in the 6500 IOS. It was supposed to be on SXI, but that didn't happen. > If 2G is enough, ME-3400G-12CS-x with 4 SFP uplinks might do Gigabit > Etherchannel, perhaps ? > > Outside of Cisco-land, Extreme, Foundry and Force 10 seems to have > currently shipping solutions. > > > Rubens > > > > On Tue, Feb 3, 2009 at 9:21 PM, harbor235 wrote: >> I am looking to deploy a Ethernet Ring topology in a campus. The ring is to >> connect >> multiple buildings via a high speed 10G backbone. Does Cisco offer any >> products in this >> area? The ONS is too expensive, looking for something smaller that is >> Ethernet based. >> >> >> mike >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > From harbor235 at gmail.com Tue Feb 3 20:51:25 2009 From: harbor235 at gmail.com (harbor235) Date: Tue, 3 Feb 2009 20:51:25 -0500 Subject: [c-nsp] Ring Protocol In-Reply-To: <6bb5f5b10902031637l67b82e22o228f0c2aa84feca2@mail.gmail.com> References: <836bf1f90902031521i7aca90ffyf72d0fc3fcc8189c@mail.gmail.com> <6bb5f5b10902031606w5ba0331cq96e1d518522d5504@mail.gmail.com> <6bb5f5b10902031637l67b82e22o228f0c2aa84feca2@mail.gmail.com> Message-ID: <836bf1f90902031751u5031b0a9n223e5ec9cb5cb70d@mail.gmail.com> Thank you for all your replies, that was exactly what I was looking for. 
mike On Tue, Feb 3, 2009 at 7:37 PM, Rubens Kuhl wrote: > A little bird from C whispered me the following: > > "I'd take a look at the ME-4924-10GE device (REP Supports ~50ms > failover), as well as this you have support for it on the larger devices > like the 7600. > > 4924 support for REP started in 12.2(44)SG - > > http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_bulletin_c25_468227.html > > 7600 has supported REP since 12.2(33)SRC - > > http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_rep.html > " > > I stand corrected. > > > Rubens > > On Tue, Feb 3, 2009 at 10:06 PM, Rubens Kuhl wrote: > > I don't think Cisco currently have an 10G ethernet ring offer. It > > might come up when REP (Resilient Ethernet Protocol) gets implemented > > in the 6500 IOS. It was supposed to be on SXI, but that didn't happen. > > If 2G is enough, ME-3400G-12CS-x with 4 SFP uplinks might do Gigabit > > Etherchannel, perhaps ? > > > > Outside of Cisco-land, Extreme, Foundry and Force 10 seems to have > > currently shipping solutions. > > > > > > Rubens > > > > > > > > On Tue, Feb 3, 2009 at 9:21 PM, harbor235 wrote: > >> I am looking to deploy a Ethernet Ring topology in a campus. The ring is > to > >> connect > >> multiple buildings via a high speed 10G backbone. Does Cisco offer any > >> products in this > >> area? The ONS is too expensive, looking for something smaller that is > >> Ethernet based. 
> >> > >> > >> mike > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > > >

From engel.labiro at gmail.com Tue Feb 3 21:41:56 2009 From: engel.labiro at gmail.com (Engelhard Labiro) Date: Wed, 4 Feb 2009 11:41:56 +0900 Subject: [c-nsp] reachability issue in MEL link In-Reply-To: References: <64206.172.25.144.4.1233648371.squirrel@imap.snnap.net> Message-ID: <74b0c3330902031841s3bfa256fu486b1c5eb4fe2e94@mail.gmail.com>

> i told the carrier i want to have the packets transferred with dot1q > encapsulation, and they replied that they are providing a transparent > environment, regardless the two ends are access or trunk

Does your carrier support 802.1QinQ or something alike that is able to transport your dot1q tag? http://www.ippacket.org/blog/archives/2004/08/ieee_8021q-in-q.html

Just FYI, we have a CE router (7206VXR) with trunking port to provider's PE. This works without problem here, YMMV.

From andy.saykao at staff.netspace.net.au Wed Feb 4 02:11:32 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Wed, 4 Feb 2009 18:11:32 +1100 Subject: [c-nsp] MPLS QoS question about the HOSE model Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BB1@vic-cr-ex1.staff.netspace.net.au>

Hi All, I'm continuing to try and understand QoS a little better in relation to applying it to our MPLS VPN network but it seems the more I read about it the more I'm confused. Not to mention the lack of configuration examples out there. I understand that we can provide two QoS solutions for MPLS VPN customers. 1/ Guaranteed BW at ingress/egress (also known as the HOSE model). 2/ Full QOS deployment with varying class of service based on IPP and/or DSCP. In relation to solution 1, I'm not really clear about guaranteeing the bandwidth at the ingress/egress.
Is the bandwidth guarantee in regards to the physical link connecting the CE to the PE? Or are we giving the customer a guarantee on the PE to P link (which would make more sense to me)? [ CE ] --- 2M/2M ---> [ PE ] ---> [ P ] Imagine if the customer had a 2M/2M SHDSL connection into the SP's MPLS network, are we able to for example guarantee a ICR of 256K and ECR of 512K??? And why would we do this when the customer would expect to be able to send/receive up to 2M because that's what they're paying for. My thinking is probably flawed, so if anybody could clear up my misconceptions about the hose model, that would be great! Thanks. Andy This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. 
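The "guaranteed BW at ingress/egress" in Andy's question is enforced at the PE edge with rate limiting, and the classic building block for that is a single-rate token bucket: a bucket of a fixed depth (the burst allowance) fills at the committed rate, and each arriving packet either finds enough tokens and conforms, or exceeds and gets dropped or remarked. The following is an added illustration written for this thread, not code from the list or from any Cisco platform: it polices a CE that sends at its 2M line rate against the 256K ICR from Andy's example. The 8000-byte burst depth, the 1500-byte packet size and the one-second window are constructed assumptions.

```python
"""Single-rate token-bucket policer, as an added illustration of what
enforcing a committed rate (ICR/ECR) at the PE ingress/egress means.
Not code from the thread or from any vendor; constructed parameters."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate_bps: float                 # committed rate in bits per second
    burst_bytes: int                # bucket depth: bytes allowed above the rate at once
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def offer(self, size_bytes, now):
        """Refill for the elapsed time, then spend tokens for this packet.
        Returns 'conform' (within the committed rate) or 'exceed'."""
        refill = (now - self.last) * self.rate_bps / 8          # bits/s -> bytes
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def simulate(rate_bps, burst_bytes, offered_bps, packet_bytes, seconds):
    """Offer a constant packet stream at offered_bps through a policer set to
    rate_bps / burst_bytes and count how many bytes conform or exceed."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    interval = packet_bytes * 8 / offered_bps     # seconds between packets
    conform = exceed = 0
    t = 0.0
    while t < seconds:
        if bucket.offer(packet_bytes, t) == "conform":
            conform += packet_bytes
        else:
            exceed += packet_bytes
        t += interval
    return {"conform_bytes": conform, "exceed_bytes": exceed}


def hose_demo():
    """Two constructed cases for a 256 kbit/s ICR policer on the PE ingress:
    the CE blasting at its 2 Mbit/s line rate, and the CE staying under the ICR."""
    return {
        "ce_at_line_rate": simulate(256_000, 8_000, 2_000_000, 1_500, 1.0),
        "ce_within_icr":   simulate(256_000, 8_000, 128_000, 1_500, 1.0),
    }


if __name__ == "__main__":
    for name, result in hose_demo().items():
        print(name, result)
```

In the line-rate case roughly 32 kB (one second at 256 kbit/s) plus the 8 kB burst conforms and the rest exceeds, which is what a 256K ingress commitment buys the customer regardless of the 2M access link; the under-ICR stream passes untouched. Whether the commitment is applied on the CE-PE link or on the PE-P side is the policy question Andy raises, but mechanically it is this bucket that does the enforcing.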
From eimantas at occ.lt Wed Feb 4 02:45:00 2009 From: eimantas at occ.lt (Eimantas Zdanevičius) Date: Wed, 04 Feb 2009 09:45:00 +0200 Subject: [c-nsp] ASA 5520 Remote Access VPN In-Reply-To: References: Message-ID: <4989477C.8060706@occ.lt>

Sigurbjörn Birkir Lárusson wrote: > Something along these lines if you wanted to just send 10.10.53.0/24 and > 10.10.54.0/24 through the VPN tunnel > > tunnel-group testgroup general-attributes > default-group-policy testpolicy > > group-policy testpolicy internal > group-policy testpolicy attributes > split-tunnel-policy tunnelspecified > split-tunnel-network-list value TunnelList > > access-list TunnelList standard permit 10.10.53.0 255.255.255.0 > access-list TunnelList standard permit 10.10.54.0 255.255.255.0 > > BR, > Sibbi >

This perfectly sets routes for specified networks. But how to disable default gateway setting on vpn client? If i go to ASA ASDM->Configuration->VPN->Default Tunnel Gateway it says: To configure default tunnel gateway, go to Static Route.
i have two static routes configured: S aaa.bbb.ccc.ddd 255.255.255.255 [1/0] via 10.10.1.2, inside S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.4.254, outside From eng_mssk at hotmail.com Wed Feb 4 03:25:59 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Wed, 4 Feb 2009 10:25:59 +0200 Subject: [c-nsp] Ethernet to ATM local connect In-Reply-To: References: Message-ID: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/qinq.html#wp1043332 > Date: Tue, 3 Feb 2009 22:21:06 +0000 > From: rekordmeister at gmail.com > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Ethernet to ATM local connect > > Hi there > > Is there a cisco platform / sw out there that can the following (the > critical part being _second-dot1q_) > > interface gig3/1.10 > encapsulation dot1q 10 second-dot1q 2 > > interface atm2/0/0 > pvc 0/400 l2transport > encapsulation aal5 > > connect atm-ethvlan atm2/0/0 0/400 gigabitethernet3/1.10 interworking ethernet > > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1096615 > > Regards > MKS > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _________________________________________________________________ Show them the way! Add maps and directions to your party invites. 
http://www.microsoft.com/windows/windowslive/events.aspx From avayner at cisco.com Wed Feb 4 04:41:30 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Wed, 4 Feb 2009 10:41:30 +0100 Subject: [c-nsp] Ethernet to ATM local connect In-Reply-To: References: Message-ID: <78C984F8939D424697B15E4B1C1BB3D7275397@xmb-ams-331.emea.cisco.com> Hi, Take a look here: http://www.cisco.com/en/US/products/hw/routers/ps368/module_installation _and_configuration_guides_chapter09186a0080440138.html#wp1135748 Then, using ES20 for Ethernet with EVC, you have the option to bridge-domain a QinQ VLAN to the same global SVI. I have never tested it, and am not sure if it's a common application, but I think this should work. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of MKS Sent: Wednesday, February 04, 2009 00:21 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Ethernet to ATM local connect Hi there Is there a cisco platform / sw out there that can the following (the critical part being _second-dot1q_) interface gig3/1.10 encapsulation dot1q 10 second-dot1q 2 interface atm2/0/0 pvc 0/400 l2transport encapsulation aal5 connect atm-ethvlan atm2/0/0 0/400 gigabitethernet3/1.10 interworking ethernet http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1 096615 Regards MKS _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From wim.holemans at ua.ac.be Wed Feb 4 04:51:09 2009 From: wim.holemans at ua.ac.be (Holemans Wim) Date: Wed, 4 Feb 2009 10:51:09 +0100 Subject: [c-nsp] VSS upgrade problems Message-ID: I'm testing a VSS solution for our campus network, most things seem to work as expected. I ran however into problems when testing the eFSU upgrade procedure. 
The system came with ip base 12.33SXH4 on, I created the cluster with this version without problem (although the notes state that you should use at least ip services). I upgraded the system the traditional way to ip base 12.33 SXI without problem. The I decided to test the eFSU upgrade procedure (available from 12.33SXI) which should give no downtime at all (if all your connections are trunks to both chassis). I tried to upgrade from ip base 12.33SXI to ip services 12.33SXI. This however failed and kept my standby chassis continuously booting until I removed the VSS connection between both (I forgot to activate the issu rollback timer...) This were the messages i got 1) On the master : 01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant configuration: Active SP has (1048576/8192K) memory, Standby has (1048576/65536K). 01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant configuration: Active RP has (1048576/8192K) memory, Standby has (1048576/65536K). 01:01:48: %PFREDUN-SW2_SP-6-ACTIVE: Standby initializing for RPR mode 01:01:50: %ISSU-SW2_SP-4-FSM_INCOMP: Version of local ISSU client ISSU ifs client(110) in session 327962 is incompatible with remote side. 01:01:50: %RFS-SW2_SP-3-START_NEGO_SESSION: RFS nego (327962:262609) to [issu:rfs:Secondary RFS Server Port:0x3050000] failed: [ISSU_RC_NEGO_ERROR] 01:02:21: %RF-SW2_SP-5-RF_RELOAD: Peer reload. Reason: RF Client RFS RF(520) notification timeout 01:02:22: %VSLP-SW2_SP-3-VSLP_LMP_FAIL_REASON: Te2/5/4: Disabled by Peer Reload Request 01:02:22: %VSLP-SW2_SP-2-VSL_DOWN: Last VSL interface Te2/5/4 went down 01:02:22: %VSLP-SW2_SP-2-VSL_DOWN: All VSL links went down while switch is in ACTIVE role 01:02:23: %PFREDUN-SW2_SP-6-ACTIVE: Standby processor removed or reloaded, changing to Simplex mode 01:02:23: %RF-SW2_SP-3-NOTIF_TMO: Notification timer Expired for RF Client: RFS RF(520) 01:02:24: %RF-SW2_SP-5-RF_RELOAD: Peer reload. 
Reason: Proxy request to reload peer 2) On the slave : *Feb 3 10:48:12.695: %ISSU-SW1_SPSTBY-3-FSM_MISMATCH_MTU: ISSU nego failed for client ISSU ifs client(110) entity_id 113 session 65694 due to mismatch of mtu size 36 & 72. -Traceback= 40252F70 4025350C 40969458 417A050C 417A0578 40966980 40966BE0 40966FD8 409A8FFC 4042FD60 40447984 4088E6C0 4088E6AC *Feb 3 10:48:12.735: %ISSU-SW1_SPSTBY-4-FSM_INCOMP: Version of local ISSU client ISSU ifs client(110) in session 65694 is incompatible with remote side. *Feb 3 10:48:12.735: %RFS-SW1_SPSTBY-3-START_NEGO_SESSION: RFS nego (65694:65693) to [issu:rfs:65536:0x10000] failed: [ISSU_RC_NEGO_ERROR] *Feb 3 10:48:43.551: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested - From Active Switch (Reload peer unit). *Feb 3 10:48:45.071: %VSLP-SW1_SPSTBY-3-VSLP_LMP_FAIL_REASON: 5/4 : Link down *Feb 3 10:48:45.071: %VSLP-SW1_SPSTBY-2-VSL_DOWN: Last VSL interface 5/4 went down *Feb 3 10:48:45.075: %VSLP-SW1_SPSTBY-2-VSL_DOWN: All VSL links went down while switch is in Standby role *Feb 3 10:48:45.083: %SATVS_IBC-SW1_SPSTBY-5-VSL_DOWN_SCP_DROP: VSL inactive - dropping cached SCP packet: (SA/DA:0x4/0x4, SSAP/DSAP:0x2/0x1, OP/SEQ:0x1E/0x13, SIG/INFO:0x1/0x501, eSA:0000.0500.0000) *Feb 3 10:48:46.127: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested by Delayed Reload. Reload Reason: Admin requested reload of the Standby during ISSU. *Feb 3 10:48:46.127: %OIR-SW1_SPSTBY-6-CONSOLE: Changing console ownership to switch processor Two things are strange : the message about the PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH because these are 2 identical supervisor boards, secondly the mtu mismatch error. I tried to find some info about the MTU error but neither the Cisco website neither google gave any info about this errors. Anyone has an idea or just a pointer to more detailed technical detail ? There is not that much documentation on the Cisco website about VSS... 
Any help would be appreciated, Greetings, Wim Holemans Netwerkdienst Universiteit Antwerpen From rmikisa at gmail.com Wed Feb 4 04:34:22 2009 From: rmikisa at gmail.com (Mikisa Richard) Date: Wed, 4 Feb 2009 12:34:22 +0300 Subject: [c-nsp] VPN with Static mapping - ASA5520 In-Reply-To: <4989477C.8060706@occ.lt> References: <4989477C.8060706@occ.lt> Message-ID: <4989611E.8070109@gmail.com> Hi all, Scenario is the need to create a VPN tunnel to remote site but remote site requires that the machine (local host) they connect to have a public IP. So I have setup a static mapping 10.101.25.25 -> 41.202.X.X. The tunnel comes up but the connection to the 10.101.25.25 fails. Conf below. Point to note is that I have a working VPN tunnel to a different remote site that uses local net as 10.101.25.0/24. Would the fact the I am trying to use an IP from that range be the reason the connection fails? !! access-list acl-out extended permit ip any host 41.202.X.X !! access-list Inside_nat0_outbound extended permit ip host 41.202.X.X host 131.166.X.X access-list Outside_80_cryptomap extended permit ip host 41.202.X.X host 131.166.X.X !! static (Inside,Outside) tcp 41.202.X.X ftp 10.101.25.25 ftp netmask 255.255.255.255 !! crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map Outside_map 80 match address Outside_80_cryptomap crypto map Outside_map 80 set peer 131.166.X.Y crypto map Outside_map 80 set transform-set ESP-3DES-SHA crypto isakmp nat-traversal 30 tunnel-group 131.166.X.X type ipsec-l2l tunnel-group 131.166.X.X ipsec-attributes pre-shared-key * Regards Richard From ian.mackinnon at lumison.net Wed Feb 4 06:37:12 2009 From: ian.mackinnon at lumison.net (Ian MacKinnon) Date: Wed, 04 Feb 2009 11:37:12 +0000 Subject: [c-nsp] OSPF and metrics Message-ID: <49897DE8.2000709@lumison.net> Hi All, I think my brain is misfiring today. 
I am trying to provide some backup services between two gateway routers, on one router I just have a simple route statement, and on the second router I have the same route with a metric on the end :-

router 1
ip route 10.0.0.0 255.255.255.0 10.1.0.0.1
router 2
ip route 10.0.0.0 255.255.255.0 10.2.0.01 666

ie router1 sends it via its connection, and router 2 is available when the link from router 1 goes away

This is then redistributed into ospf on both routers, both routers then have the same neighbour upstream

redistribute static metric-type 1 subnets

However when I look upstream I am not seeing the metric, and it is choosing the router 2 route

What am I missing?

Thanks Ian

-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email.

From ian.mackinnon at lumison.net Wed Feb 4 07:11:16 2009 From: ian.mackinnon at lumison.net (Ian MacKinnon) Date: Wed, 04 Feb 2009 12:11:16 +0000 Subject: [c-nsp] OSPF and metrics In-Reply-To: <49897DE8.2000709@lumison.net> References: <49897DE8.2000709@lumison.net> Message-ID: <498985E4.7060509@lumison.net>

And what is the default distance of OSPF? Yes, it's 110, so you need to make the floating route have a distance higher than that! So, all working now.

On 04/02/2009 11:37, Ian MacKinnon wrote: > Hi All, > > I think my brain is misfiring today.
> > I am trying to provide some backup services between to gateway > routers, on one router I just have a simple route statetment, and on > the second router I have the same route with a metric on the end :- > > router 1 > ip route 10.0.0.0 255.255.255.0 10.1.0.0.1 > router 2 > ip route 10.0.0.0 255.255.255.0 10.2.0.01 666 > > ie router1 sends it via its connection, and router 2 is available when > the link from router 1 goes away > > This is then redistributed into ospf on both router, both routers then > have the same neighbour upstream > redistribute static metric-type 1 subnets > > However when I look upstream I am not seeing the metric, and it is > choosing the router 2 route > > What am I missing? > > Thanks > Ian > > > > > -- > > This email and any files transmitted with it are confidential and > intended > solely for the use of the individual or entity to whom they are > addressed. > If you have received this email in error please notify the sender. Any > offers or quotation of service are subject to formal specification. > Errors and omissions excepted. Please note that any views or opinions > presented in this email are solely those of the author and do not > necessarily represent those of Lumison and nPlusOne. > Finally, the recipient should check this email and any attachments for > the > presence of viruses. Lumison and nPlusOne accept no liability for any > damage caused by any virus transmitted by this email. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Ian MacKinnon Lumison t: 0845 1199 900 d: 0131 514 4055 P.S. Do you love Lumison? p.s. Looking for remote access? 
Chat to our team about our award winning broadband and VoIP solutions for remote and home working, or visit www.lumison.net -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email. From rens at autempspourmoi.be Wed Feb 4 07:27:08 2009 From: rens at autempspourmoi.be (Rens) Date: Wed, 4 Feb 2009 13:27:08 +0100 Subject: [c-nsp] Ethernet VPN circuits Message-ID: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com> Hi, We have a provider that has a new product and I would like to know if I could use it with our current infrastructure to interconnect sites. This is how it works on the provider site: 1 Central Site where everything arrives Multiple Remote Sites that you can connect to the Central Site Per Remote Site we have to define a VLAN tag. So it would look like this: My CS router <=> my CS switch <=> provider CS switch <=> provider Backbone <=> provider RS switch <=> My RS router 7206VXR <=> 3550 <=> 2960 <=> No Idea <=> 2960 <=> 1841 So if I want to do a /30 OSPF between my CS router and my RS router I would use vlan 200 for this at RS router (subinterface dot1q) it enters the provider RS switch and they add the predefined vlan as outer tag. (example 800) It arrives like this at my CS site and now I have a problem. 
1) I either remove the outer tag VLAN (800) on the switch so on my router I can do the same subinterface dot1q 200 => but this won't work when I want to do the same thing with multiple RS

2) Can I pass the double tag through my switch to our 7206 and configure a double dot1q subinterface, so the router removes both outer & inner 800 & 200 and OSPF goes up :-)

Any help is appreciated.

Regards, Rens

From oles at ovh.net Wed Feb 4 06:38:08 2009 From: oles at ovh.net (oles at ovh.net) Date: Wed, 4 Feb 2009 12:38:08 +0100 Subject: [c-nsp] VSS upgrade problems In-Reply-To: References: Message-ID: <20090204113808.GY28467@ovh.net>

> tried to upgrade from ip base 12.33SXI to ip services 12.33SXI. This > 01:02:21: %RF-SW2_SP-5-RF_RELOAD: Peer reload. Reason: RF Client RFS > RF(520) notification timeout

Hi, I guess you have the problem I had with my (VSS/SXI) AND (a big setup file, lot of ports, lot of port channels ...). I spent 3 nights looking for a solution. If it's your problem, I found out this solution:

- shutdown all cards in the master (except sup720) "no power enable switch 1-2 module 1-4,6-9" you can leave slave with no changes
- then start the slave
- the sync of the setup between master/slave won't generate any "timeout"
- you can restart the cards again power enable switch 1-2 module 1-4,6-9
- all is working again

Once all is up:

- you have to add the new ports/new port channels with a "sleep 10" between every command (it allows the router to sync the setup between master/slave)
- you can't touch any inter vlan XX, ip add XX YY. it creates a big timeout and the slave reload.

Cisco told me this bug will be fixed in SXI1. 4 weeks ? I don't know.
Regards, Octave

From sigurbjornl at vodafone.is Wed Feb 4 08:17:13 2009 From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson) Date: Wed, 04 Feb 2009 13:17:13 +0000 Subject: [c-nsp] ASA 5520 Remote Access VPN In-Reply-To: <4989477C.8060706@occ.lt> Message-ID:

Hmm, assuming you are using the Cisco VPN client you shouldn't be getting a default if the split-tunnel configuration is working

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2

Has pretty good ASDM instructions on how to do this, I don't use the ASDM :)

BR, Sibbi

On 4.2.2009 07:45, "Eimantas Zdanevičius" wrote: > Sigurbjörn Birkir Lárusson wrote: >> Something along these lines if you wanted to just send 10.10.53.0/24 and >> 10.10.54.0/24 through the VPN tunnel >> >> tunnel-group testgroup general-attributes >> default-group-policy testpolicy >> >> group-policy testpolicy internal >> group-policy testpolicy attributes >> split-tunnel-policy tunnelspecified >> split-tunnel-network-list value TunnelList >> >> access-list TunnelList standard permit 10.10.53.0 255.255.255.0 >> access-list TunnelList standard permit 10.10.54.0 255.255.255.0 >> >> BR, >> Sibbi >> > This perfectly sets routes for specified networks. > But how to disable default gateway setting on vpn client? > > If i go to ASA ASDM->Configuration->VPN->Default Tunnel Gateway it says: > > To configure default tunnel gateway, go to Static Route. > > i have two static routes configured: > > S aaa.bbb.ccc.ddd 255.255.255.255 [1/0] via 10.10.1.2, inside > S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.4.254, outside

From gert at greenie.muc.de Wed Feb 4 08:30:42 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 4 Feb 2009 14:30:42 +0100 Subject: [c-nsp] VSS upgrade problems In-Reply-To: References: Message-ID: <20090204133042.GO290@greenie.muc.de>

Hi, On Wed, Feb 04, 2009 at 10:51:09AM +0100, Holemans Wim wrote: > ip base 12.33 SXI without problem.
The I decided to test the eFSU > upgrade procedure (available from 12.33SXI) which should give no > downtime at all (if all your connections are trunks to both chassis). I > tried to upgrade from ip base 12.33SXI to ip services 12.33SXI. This

As far as I understand (this was mentioned in the VSS talk at networkers last week) this will only work between minor releases carrying the same feature set. So:

ip services SXI -> ip services SXI1 --> will work
ip services SXI -> advanced ip services SXI --> will not work

(Now the specific error messages are indeed not as helpful as one might imagine...)

gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From deric.kwok2000 at gmail.com Wed Feb 4 09:02:39 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Wed, 4 Feb 2009 09:02:39 -0500 Subject: [c-nsp] access list help Message-ID: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com>

Hi All

I am new in cisco and trying to config the access list in my switch

My switch ip is 192.168.0.118

I am trying to block the http traffic in the host 192.168.0.115

When I do it in, I can not access the switch ! But I can access http://192.168.0.115

Can you help what is wrong? Can you give me examples?

access-list 120 deny tcp any host 192.168.0.115 eq www any log
access-list 120 remark restrict www traffic to host 192.168.0.115
access-list 120 permit ip any host 192.168.0.115

(config)#interface vlan1
(config-if)#ip access-group 120 in

I also don't understand the access list only for deny 192.168.0.115. Why it blocks me in switch 192.168.0.118. but 192.168.0.115 is still fine?

More Questions: Is access-list in switch same as router also?
and Can you give me example to have access list for 3 hours?

Thank you for your help.

From eimantas at occ.lt Wed Feb 4 09:05:46 2009
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Wed, 04 Feb 2009 16:05:46 +0200
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: 
References: 
Message-ID: <4989A0BA.5080401@occ.lt>

Sigurbjörn Birkir Lárusson wrote:
> Hmm, assuming you are using the Cisco VPN client you shouldn't be getting a
> default if the split-tunnel configuration is working
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
>
> Has pretty good ASDM instructions on how to do this, I don't use the ASDM :)
>
> BR,
> Sibbi

Can be this because of routing metrics?

default gateway on asa has metric set to 1
vpnclient uses vodafone mobile connection.

Maybe, because of this vpn default route overrides vodafone default route?

From sigurbjornl at vodafone.is Wed Feb 4 09:07:06 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Wed, 04 Feb 2009 14:07:06 +0000
Subject: [c-nsp] ASA 5520 Remote Access VPN
In-Reply-To: <4989A0BA.5080401@occ.lt>
Message-ID: 

It shouldn't be sending you a default route at all, just the tunnel routes

BR,
Sibbi

On 4.2.2009 14:05, "Eimantas Zdanevičius" wrote:

> Sigurbjörn Birkir Lárusson wrote:
>> Hmm, assuming you are using the Cisco VPN client you shouldn't be getting a
>> default if the split-tunnel configuration is working
>>
>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
>>
>> Has pretty good ASDM instructions on how to do this, I don't use the ASDM :)
>>
>> BR,
>> Sibbi
> Can be this because of routing metrics?
>
> default gateway on asa has metric set to 1
> vpnclient uses vodafone mobile connection.
>
> Maybe, because of this vpn default route overrides vodafone default route?
From steve at ibctech.ca Wed Feb 4 09:10:24 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Wed, 04 Feb 2009 09:10:24 -0500
Subject: [c-nsp] access list help
In-Reply-To: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com>
Message-ID: <4989A1D0.1040101@ibctech.ca>

Deric Kwok wrote:
> Hi All
>
> I am new in cisco and trying to config the access list in my switch
>
> My switch ip is 192.168.0.118
>
> I am trying to block the http traffic in the host 192.168.0.115
>
> When I do it in, I can not access the switch!
> But I can access http://192.168.0.115
>
> Can you help what is wrong?
> Can you give me examples?
>

This rule states "deny tcp traffic from any host, to 192.168.0.115, port 80"

> access-list 120 deny tcp any host 192.168.0.115 eq www any log

This rule states that you want to allow the rest of all traffic to .115

> access-list 120 permit ip any host 192.168.0.115

Now, by default, without any other rules, the switch denies ALL other traffic implicitly, including traffic destined to the management IP on the switch itself.

To allow ALL other traffic to travel into, out of and to the switch, add:

# access-list 120 permit any any

...which will allow ALL other traffic to and from all ports, to any IP address at any port.

I'd recommend permitting what you want explicitly, and then deny-by-default, but the above will get you back up and going.

> I also don't understand the access list only for deny 192.168.0.115.
> Why it blocks me in switch 192.168.0.118. but 192.168.0.115 is still fine?

See above.

Steve

From mauritz at three6five.com Wed Feb 4 09:47:55 2009
From: mauritz at three6five.com (Mauritz Lewies)
Date: Wed, 04 Feb 2009 16:47:55 +0200
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To: <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> , <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> Message-ID: <1233758875.6907.22.camel@mauritzlewies> I've not had much chance to play with it but will Ethernet CFM not work for this? On Wed, 2009-02-04 at 08:49 +1000, David Hughes wrote: > Yup, that's exactly the situation. STP will work around some of the > problem caused by this but if you are presenting an etherchannel over > multiple xconnects you can't pick up the link failure of part of the > etherchannel without UDLD. We did some initial proof of concepts with > 2900s running 2 second timers and it was great. Imagine the look on > my face when we found out that 6500s don't have the functionality of a > $1,000 access switch ..... > > So, is the config option on SXI still 7 seconds at best? > > > Thanks > > David > ... > > > On 03/02/2009, at 7:45 PM, Thomas Dupas wrote: > > > I assume it's a L2 link (EoMPLS), so BFD won't help much. > > > > We're in the same situation, also stuck with UDLD timers and 2 > > parallel EoMPLS xconnects. I can't get the convergence lower then 20 > > seconds with the default UDLD, so I'm also hoping for fast UDLD > > > > Best Regards, > > > > Thomas > > > > ________________________________________ > > Van: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net > > ] namens Gert Doering [gert at greenie.muc.de] > > Verzonden: dinsdag 3 februari 2009 8:15 > > Aan: David Hughes > > CC: Cisco NSP ((E-mail))' > > Onderwerp: Re: [c-nsp] Fast UDLD timers in SXI? > > > > Hi, > > > > On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote: > >> Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down > >> to 1 second) or if we are still stuck with the old 7 sec timers. 
We > >> can do 1 sec UDLD on 2900 class switches so I hope we see it in the > >> "premier switching platform" some time soon. We need some way to > >> pick > >> up a link failure at the far end of an EoMPLS xconnect in a > >> reasonable > >> time. > > > > Can you use BFD? > > > > (Yes, this is not answering your question - I don't know the answer > > - but > > it might be an alternative approach if this a layer 3 link) > > > > gert > > -- > > USENET is *not* the non-clickable part of WWW! > > //www.muc.de/~gert/ > > Gert Doering - Munich, Germany gert at greenie.muc.de > > fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From eng_mssk at hotmail.com Wed Feb 4 09:53:24 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Wed, 4 Feb 2009 16:53:24 +0200 Subject: [c-nsp] PPPoA sessions Message-ID: Hey all , i have a router with PPPoE and PPPoA sessions i used to the OID 1.3.6.1.4.1.9.9.194.1.1.1 to draw the PPPoE sessions i searched for OID to draw the PPPoA but didnt find an OID for it can anyone help ?? _________________________________________________________________ Invite your mail contacts to join your friends list with Windows Live Spaces. It's easy! http://spaces.live.com/spacesapi.aspx?wx_action=create&wx_url=/friends.aspx&mkt=en-us From eimantas at occ.lt Wed Feb 4 09:57:27 2009 From: eimantas at occ.lt (=?ISO-8859-2?Q?Eimantas_Zdanevi=E8ius?=) Date: Wed, 04 Feb 2009 16:57:27 +0200 Subject: [c-nsp] ASA 5520 Remote Access VPN In-Reply-To: References: Message-ID: <4989ACD7.1050708@occ.lt> Sigurbj?rn Birkir L?russon wrote: > It shouldn't be sending you a default route at all, just the tunnel routes > > BR, > Sibbi > > Problem solved. Default route was overrided by linux NetworkManager (vpnc) software on vpnclient machine. 
I need to set 'Use this connection only for resources on this network' in vpn connection configuration. Cisco vpn client software don't overrides default route. From deric.kwok2000 at gmail.com Wed Feb 4 10:04:16 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Wed, 4 Feb 2009 10:04:16 -0500 Subject: [c-nsp] access list help In-Reply-To: <4989A1D0.1040101@ibctech.ca> References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> Message-ID: <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> Hi Steve Thank you. I don't understand why I can access http://192.168.0.115 if this access-list is valid ? My access list doesn't block www traffic to http://192.168.0.115 but block telnet / www to switch 192.168.0.118 I also don't understand about "access-list 120 permit any any" If I have hundred access lists, I have to put this "permit any any" at the end of each of hundred access-list Thank you for your help On Wed, Feb 4, 2009 at 9:10 AM, Steve Bertrand wrote: > Deric Kwok wrote: > > Hi All > > > > I am new in cisco and trying to config the access list in my switch > > > > My switch ip is 192.168.0.118 > > > > I am trying to block the http traffic in the host 192.168.0.115 > > > > When I do it in, I can not accces the switch ! > > But I can access http://192.168.0.115 > > > > Can you help what is wrong? > > Can you give me examples? > > > > This rule states "deny tcp traffic from any host, to 192.168.0.115, port > 80" > > > access-list 120 deny tcp any host 192.168.0.115 eq www any log > > This rule states that you want to allow the rest of all traffic to .115 > > > access-list 120 permit ip any host 192.168.0.115 > > Now, by default, without any other rules, the switch denies ALL other > traffic implicitly, including traffic destined to the management IP on > the switch itself. 
> > To allow ALL other traffic to travel into, out of and to the switch, add: > > # access-list 120 permit any any > > ...which will allow ALL other traffic to and from all ports, to any IP > address at any port. > > I'd recommend permitting what you want explicitly, and then > deny-by-default, but the above will get you back up and going. > > > I also don't understand the access list only for deny 192.168.0.115. > > Why it blocks me in switch 192.168.0.118. but 192.168.0.115 is still > fine? > > See above. > > Steve > From ahmedazim at gmail.com Wed Feb 4 10:14:34 2009 From: ahmedazim at gmail.com (Ahmed Mohamed) Date: Wed, 4 Feb 2009 17:14:34 +0200 Subject: [c-nsp] reacheability issue in MEL link In-Reply-To: <0BB7A1080B7DBD4494E09FF171D2ACEA02855555@xmb-ams-33c.emea.cisco.com> References: <0BB7A1080B7DBD4494E09FF171D2ACEA02855555@xmb-ams-33c.emea.cisco.com> Message-ID: --------------------------------Metroethernet(carrier)-------------------------ethernet(cable)----- for a link as simple as above, if : + the CE , the Agg. switch and the PE interfaces are in the same vlan + the CE and the PE IP interfaces are in the same subnet the i must (at least) have an entry in arp table, and ping successful, which is not the case what was getting me crazy , is that all interfaces are up-up all the time, but i just recieved a feedback today that MetroEthernet carriers have NTU's acting as Ethernet HUB, so as long as they are functional , you will have the interfaces up-up even if the circuit is broken inside the carrier !!! tomorrow i will order dual dispatch to both ends, will test circuit termination at both ends "traceroute mac" feature is not in CE or PE IOS On Wed, Feb 4, 2009 at 1:25 PM, Ahmed Maged (amaged) wrote: > Troubleshoot layer by layer. > > If the lower layers doesn't work, don't expect anything to behave > properly. > > Follow the L2 frame with (ltrace) if available on your IOS. > > How about debugging? > > Can you install a sniffer? 
> > What do you see on the interfaces counters? > > Did you try anything else other than ping, maybe ICMP is blocked. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ahmed Mohamed > Sent: Tuesday, February 03, 2009 2:28 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] reacheability issue in MEL link > > Hello, > > this is a real life problem still occuring, and have no idea what may be > causing it .. > > we are providing an internet direct service to our customer vial MEL > (Metro > Ethernet Link) > > CE (CS-7206 VXR) fe2/0.36 ------------------Etherlink(local > carrier)---------------- WS-3759G-24TS--PE(CS-7000) > > the solution is providied using a carrier to link the customer CE to an > aggregated switch, using Metro Ethernet > configuring vlan 36 and using dot1q encapsulation > then from the aggregating switch to the PE router using also > encapsulation > dot1q for vlan36 > > all interfaces are up-up , and still ping fails !! > > i tried everything, resetting ports, switches, reconfigure interfaces > ..etc. > still no joy > > any idea what could be causing the problem ? > > ======================================================================== > CE: > ----- > interface FastEthernet2/0.36 > bandwidth 61440 > encapsulation dot1Q 36 > ip address 57.78.2.6 255.255.255.252 > ======================================================================== > Agg. 
switch:
> ------------------
> interface GigabitEthernet1/0/9
>  switchport trunk encapsulation dot1q
>  switchport trunk native vlan 3109
>  switchport trunk allowed vlan 36,3109
>  switchport mode trunk
>  switchport nonegotiate
>  duplex full
>  speed 100
>  mls qos trust cos
>  spanning-tree bpdufilter enable
> ========================================================================
> PE:
> ------
> interface FastEthernet5/1/1.36
>  bandwidth 61440
>  encapsulation dot1Q 36
>  ip address 57.78.2.5 255.255.255.252
>  no ip redirects
>  no ip proxy-arp
>  no ip route-cache
>  no cdp enable
> ========================================================================
> bmil305#sh int FastEthernet5/1/1.36
> FastEthernet5/1/1.36 is up, line protocol is up <<<<<<
>   Hardware is cyBus FastEthernet Interface, address is 0003.fe91.b8a9 (bia 0003.fe91.b8a9)
>   Internet address is 57.78.2.5/30
>   MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
>   ARP type: ARPA, ARP Timeout 04:00:00
> ========================================================================
> pmil2534#sh int Fa2/0.36
> FastEthernet2/0.36 is up, line protocol is up <<<<<<
>   Hardware is i82543 (Livengood), address is 0022.be8b.1038 (bia 0022.be8b.1038)
>   Description: --- To bmil305 - FE5/1/1.5
>   Internet address is 57.78.2.6/30
>   MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
> ========================================================================
> ping pe to CE fails:
> ----------------------------
> bmil305#ping 57.78.2.6 <<<<<<,
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 57.78.2.6, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5) > ======================================================================== > PE to internet (google) successfully: > ------------------------------------------------------ > bmil305#ping 216.239.59.147 source fast 5/1/1.36 repeat 100 size 500 > Type escape sequence to abort. > Sending 100, 500-byte ICMP Echos to 216.239.59.147, timeout is 2 > seconds: > Packet sent with a source address of 57.78.2.5 > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > Success rate is 100 percent (100/100), round-trip min/avg/max = > 36/40/112 ms > ======================================================================== > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From steve at ibctech.ca Wed Feb 4 10:22:26 2009 From: steve at ibctech.ca (Steve Bertrand) Date: Wed, 04 Feb 2009 10:22:26 -0500 Subject: [c-nsp] access list help In-Reply-To: <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> Message-ID: <4989B2B2.9050801@ibctech.ca> Deric Kwok wrote: > Hi Steve > > Thank you. > > I don't understand why I can access http://192.168.0.115 > if this access-list is valid ? > > My access list doesn't block www traffic to http://192.168.0.115 > > but block telnet / www to switch 192.168.0.118 > > I also don't understand about "access-list 120 permit any any" What type of switch is this? Please post the output of a: # sh ip access-list > If I have hundred access lists, I have to put this "permit any any" at > the end of each of hundred access-list Only if you don't permit first, and then let the implicit default deny rule do its thing. 
Steve From frnkblk at iname.com Wed Feb 4 10:39:16 2009 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Wed, 4 Feb 2009 09:39:16 -0600 Subject: [c-nsp] PPPoA sessions In-Reply-To: References: Message-ID: I've asked this before on cisco-bba: there doesn't appear to be an OID for that. I'm afraid you might need to screen-scrape. Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Wednesday, February 04, 2009 8:53 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] PPPoA sessions Hey all , i have a router with PPPoE and PPPoA sessions i used to the OID 1.3.6.1.4.1.9.9.194.1.1.1 to draw the PPPoE sessions i searched for OID to draw the PPPoA but didnt find an OID for it can anyone help ?? _________________________________________________________________ Invite your mail contacts to join your friends list with Windows Live Spaces. It's easy! http://spaces.live.com/spacesapi.aspx?wx_action=create&wx_url=/friends.aspx& mkt=en-us _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From linkconnect at googlemail.com Wed Feb 4 11:00:05 2009 From: linkconnect at googlemail.com (Wayne Lee) Date: Wed, 4 Feb 2009 16:00:05 +0000 Subject: [c-nsp] PPPoA sessions In-Reply-To: References: Message-ID: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com> On Wed, Feb 4, 2009 at 3:39 PM, Frank Bulk - iName.com wrote: > I've asked this before on cisco-bba: there doesn't appear to be an OID for > that. > > I'm afraid you might need to screen-scrape. 
> > Frank > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Wednesday, February 04, 2009 8:53 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] PPPoA sessions > > > Hey all , > i have a router with PPPoE and PPPoA sessions > i used to the OID 1.3.6.1.4.1.9.9.194.1.1.1 to draw the PPPoE sessions > i searched for OID to draw the PPPoA but didnt find an OID for it > can anyone help ?? We have the below in our Cacti install which graphs online PPPoA users Get Active PPP Sessions Queries a Cisco for a list of online users 1.3.6.1.4.1.9.10.24.1.1.4 Index walk value input .1.3.6.1.4.1.9.10.24.1.1.4.1.3 5 Minute Utilization walk value output .1.3.6.1.4.1.9.10.24.1.1.4.1.3 Regards Wayne From tim at pelican.org Wed Feb 4 11:15:55 2009 From: tim at pelican.org (Tim Franklin) Date: Wed, 4 Feb 2009 16:15:55 -0000 (GMT) Subject: [c-nsp] access list help In-Reply-To: <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> Message-ID: <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org> On Wed, February 4, 2009 3:04 pm, Deric Kwok wrote: > I don't understand why I can access http://192.168.0.115 if this > access-list > is valid ? > > My access list doesn't block www traffic to http://192.168.0.115 > but block telnet / www to switch 192.168.0.118 Is your switch being a *switch* in this case, or a *router*, ie a layer-2 or layer-3 hop? >From the config you're posting, it looks to me like you're applying the traffic inbound towards the switch only - vlan1 is a layer-3 interface on the switch. Traffic that's being switched between layer-2 ports will never be processed by that ACL. What are the interfaces on your switch and their IP addresses? 
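Added worked example for the "access list help" thread (my code, not from any of the posts). It models two things the replies explain: Steve Bertrand's point that IOS ACLs are evaluated first-match with an implicit deny at the end (so the posted list, which only mentions 192.168.0.115, blocks telnet and http to the switch's own 192.168.0.118), and Tim Franklin's point in the next reply that an ACL applied inbound on the vlan1 SVI is only consulted for traffic that is routed through or terminated at that SVI, never for frames bridged between two ports in the same VLAN (which is why http to .115 still worked). Assumptions, labelled in the code: the client, .115 and the SVI are all in 192.168.0.0/24 on vlan1 (the thread never states a mask); the posted deny line is parsed as written, with its stray trailing "any" ignored; the catch-all from Steve's reply is written in extended-ACL syntax as "permit ip any any"; and the narrower "explicit" alternative permitting only management access is my own construction.

```python
"""IOS ACL walk-through for the 'access list help' thread (added example).

First-match evaluation with the implicit deny, plus the SVI rule: an inbound
ACL on an SVI sees routed or switch-terminated traffic only, not frames that
are bridged between two ports of the same VLAN.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port from "eq <port>", if present
    log: bool = False


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # IOS wildcard = inverted mask
    return ipaddress.IPv4Network(f"{t}/{netmask}", strict=False)


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended 'access-list <n> ...' line; remark lines yield None.
    Trailing tokens other than 'log' are ignored (the posted deny line has a stray 'any')."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        rest.pop(0)
        p = rest.pop(0)
        dport = PORT_NAMES.get(p) or int(p)
    return Ace(action, proto, src, dst, dport, "log" in rest)


def load_acl(lines: Sequence[str]) -> List[Ace]:
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def evaluate(acl: Sequence[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"


# Assumption (not stated in the thread): client, .115 and the vlan1 SVI share 192.168.0.0/24.
SVI_IP = "192.168.0.118"
SVI_SUBNET = ipaddress.IPv4Network("192.168.0.0/24")


def svi_acl_applies(src: str, dst: str) -> bool:
    """True when the packet is routed through the SVI or addressed to the switch itself."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if d == ipaddress.IPv4Address(SVI_IP):
        return True
    return not (s in SVI_SUBNET and d in SVI_SUBNET)   # same VLAN: bridged, ACL skipped


def decide(acl: Sequence[Ace], proto: str, src: str, dst: str,
           dport: Optional[int] = None) -> str:
    if not svi_acl_applies(src, dst):
        return "switched at layer 2, ACL not consulted"
    return evaluate(acl, proto, src, dst, dport)


# The three lines as posted in the thread.
POSTED_ACL = [
    "access-list 120 deny tcp any host 192.168.0.115 eq www any log",
    "access-list 120 remark restrict www traffic to host 192.168.0.115",
    "access-list 120 permit ip any host 192.168.0.115",
]
# The catch-all from the reply, in extended-ACL syntax.
OPEN_ACL = POSTED_ACL + ["access-list 120 permit ip any any"]
# Constructed alternative: permit only management access to the switch, keep the implicit deny.
EXPLICIT_ACL = POSTED_ACL + [
    "access-list 120 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.118 eq telnet",
    "access-list 120 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.118 eq www",
]

if __name__ == "__main__":
    client = "192.168.0.10"  # constructed
    for name, lines in (("posted", POSTED_ACL), ("open", OPEN_ACL), ("explicit", EXPLICIT_ACL)):
        acl = load_acl(lines)
        print(f"{name:8} http -> .115 : {decide(acl, 'tcp', client, '192.168.0.115', 80)}")
        print(f"{name:8} telnet -> .118: {decide(acl, 'tcp', client, SVI_IP, 23)}")
```

Running it with the posted list shows http to .115 never reaching the ACL (bridged in the same VLAN) while telnet to .118 falls through to the implicit deny; the same list seen from a host in another subnet does deny port 80 to .115, which is what the original poster expected. The "explicit" variant keeps the implicit deny and is the shape Steve recommends over a blanket permit.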
> I also don't understand about "access-list 120 permit any any" > > If I have hundred access lists, I have to put this "permit any any" at the > end of each of hundred access-list Yes, if you want each of those ACLs to permit by default. The default Cisco behaviour is for any traffic not matched at all by an access list to be denied, ie implicit 'deny any any' at the end of every ACL. Regards, Tim. From dean at eatworms.org.uk Wed Feb 4 10:27:20 2009 From: dean at eatworms.org.uk (Dean Smith) Date: Wed, 4 Feb 2009 15:27:20 -0000 Subject: [c-nsp] Ethernet VPN circuits In-Reply-To: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com> References: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com> Message-ID: <004201c986dd$1299bf10$37cd3d30$@org.uk> Cant speak for your product...but in the UK we've used similar from the 4 or 5 biggest suppliers at the all work the same... At the central site access is delivered over a single high B/W Trunk. We (Customer) and supplier agree a vlan tag per site. At the remote site the port is provided with no vlan tag. 0 So if we have single IP connection between there is no multiple VLAN tags. Router at the central site - configure your IP interface as Vlan subinterface on CS Router. Trunk Between CS Router & CS Switch. Configure CS Switch port facing provider as trunk aswell. (Control the VLANs you want to send etc on each trunk port). The CS Switch is optional. (we do actually have these for various reasons - but will be phasing them out in new core site builds). At the Remote site its just a straight Ethernet port. Not sure why you'd use the RS Switch at all. 
Dean -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rens Sent: 04 February 2009 12:27 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Ethernet VPN circuits Hi, We have a provider that has a new product and I would like to know if I could use it with our current infrastructure to interconnect sites. This is how it works on the provider site: 1 Central Site where everything arrives Multiple Remote Sites that you can connect to the Central Site Per Remote Site we have to define a VLAN tag. So it would look like this: My CS router <=> my CS switch <=> provider CS switch <=> provider Backbone <=> provider RS switch <=> My RS router 7206VXR <=> 3550 <=> 2960 <=> No Idea <=> 2960 <=> 1841 So if I want to do a /30 OSPF between my CS router and my RS router I would use vlan 200 for this at RS router (subinterface dot1q) it enters the provider RS switch and they add the predefined vlan as outer tag. (example 800) It arrives like this at my CS site and now I have a problem. 1) I either remove the outer tag VLAN (800) on the switch so on my router I can do the same subinterface dot1q 200 => but this won't work when I want to do the same thing with multiple RS 2) Can I pass the double tag through my switch to our 7206 and configure a double dot1q subinterface, so the router removes both outer & inner 800 & 200 and OSPF goes up :-) Any help is appreciated. 
Regards, Rens _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From psirt at cisco.com Wed Feb 4 11:41:40 2009 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wed, 4 Feb 2009 11:41:40 -0500 Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers Message-ID: <200902041141.wlc@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers Advisory ID: cisco-sa-20090204-wlc http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml Revision 1.0 For Public Release 2009 February 04 1600 UTC (GMT) Summary ======= Multiple vulnerabilities exist in the Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers. This security advisory outlines details of the following vulnerabilities: * Denial of Service Vulnerabilities (total of three) * Privilege Escalation Vulnerability These vulnerabilities are independent of each other. Cisco has released free software updates that address these vulnerabilities. There are no workarounds available for these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml. Affected Products ================= Vulnerable Products +------------------ The following products and software versions are affected for each vulnerability. Denial of Service Vulnerabilities +-------------------------------- Two denial of service (DoS) vulnerabilities affect software versions 4.2 and later. All Cisco Wireless LAN Controller (WLC) platforms are affected. A third DoS vulnerability affects software versions 4.1 and later. 
The following platforms are affected by this vulnerability: * Cisco 4400 Series Wireless LAN Controllers * Cisco 4100 Series Wireless LAN Controllers * Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (WiSM) * Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers Note: The Cisco Wireless LAN Controller Modules supported on Cisco 2800 and 3800 series Integrated Services Routers are not vulnerable. The Cisco 2000 and 2100 Series Wireless LAN Controllers are also not affected by this vulnerability. Privilege Escalation Vulnerability +--------------------------------- Only WLC software version 4.2.173.0 is affected by this vulnerability. Determination of Software Versions +--------------------------------- To determine the WLC version that is running in a given environment, use one of the following methods: * In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version. * From the command-line interface, type "show sysinfo" and note the Product Version, as shown in the following example: (Cisco Controller) >show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... Cisco Controller Product Version...... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... 
DATA + WPS Use the "show wism module controller 1 status" command on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and note the Software Version, as demonstrated in the following example: Router#show wism mod 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. These devices communicate with Controller-based Access Points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP). This Security Advisory describes multiple distinct vulnerabilities in the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These vulnerabilities are independent of each other. Denial of Service Vulnerabilities +-------------------------------- These vulnerabilities are documented in the following Cisco Bug ID and have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CSCsq44516 - CVE-2009-0058 Web authentication is a Layer 3 security feature that causes the controller to drop IP traffic (except DHCP and DNS related packets) from a particular client until that client has correctly supplied a valid username and password. 
An attacker may use a vulnerability scanner to cause the device to stop servicing web authentication or cause a reload of the device. The following error messages may appear on the console during an active attack: SshPmStMain/pm_st_main.c:1954/ ssh_pm_st_main_batch_addition_result: Failed to add rule to the engine: restoring old state SshEnginePmApiPm/engine_pm_api_pm.c:1896/ ssh_pme_enable_policy_lookup: Could not allocate message * CSCsm82364 - CVE-2009-0059 An attacker may cause a device reload when sending a malformed post to the web authentication "login.html" page. The following error messages may appear on the WLC console during this attack: Cisco Crash Handler Signal generated during a signal 11, count 193 Memory 0x14ef1e44 has been freed! Note: A crash file is not generated during this attack. * CSCso60979 - CVE-2009-0061 Affected Cisco WLC, WiSM and Catalyst 3750 Wireless LAN Controller models are vulnerable to a DoS condition that is triggered by the receipt of certain IP packets. Upon receiving these IP packets, the affected device may become unresponsive and require a reboot to recover. Note: This vulnerability affects software versions 4.1 and later in the Cisco 4400 series WLCs, Cisco Catalyst 6500 WiSM, and the Cisco Catalyst 3750 Integrated Wireless LAN Controllers. Cisco 4100, 2100, and 2000 series WLCs are not affected by this vulnerability. Privilege Escalation Vulnerability +--------------------------------- A privilege escalation vulnerability exists only in WLC software version 4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain full administrative rights on the affected system. Note: Wireless network users are not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsv62283 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0062. 
Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss

* Certain packets may cause WebAuth services to hang or reload the device (CSCsq44516)

CVSS Base Score - 6.1
    Access Vector          - Adjacent Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 5.0
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

* Crash handling invalid post for webauth (CSCsm82364)

CVSS Base Score - 6.1
    Access Vector          - Adjacent Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 5.0
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

* WLC TSEC driver may hang or crash the device (CSCso60979)

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

* Local Management Users may obtain full admin rights (CSCsv62283)

CVSS Base Score - 9.0
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - Single
    Confidentiality Impact - Complete
    Integrity Impact       - Complete
    Availability Impact    - Complete

CVSS Temporal Score - 7.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of the denial of service vulnerabilities may cause the affected device to hang or reload. Repeated exploitation could result in a sustained DoS condition.

The privilege escalation vulnerability may allow an authenticated user to obtain full administrative rights on the affected system.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
+------------------------------------------------------------+
| Vulnerability | Affected | First Fixed    | Recommended    |
| / Bug ID      | Release  | Version        | Release        |
|---------------+----------+----------------+----------------|
| CSCsq44516    | 4.1      | Migrate to 4.2 | 4.2.176.0      |
|               | 4.2      | 4.2.173.0      | 4.2.176.0      |
|               | 5.0      | Migrate to 5.2 | 5.2.157.0      |
|               | 5.1      | Contact TAC    | Contact TAC    |
|               | 5.2      | Not vulnerable | Not vulnerable |
|---------------+----------+----------------+----------------|
| CSCsm82364    | 4.1      | Migrate to 4.2 | 4.2.176.0      |
|               | 4.2      | 4.2.112.0      | 4.2.176.0      |
|               | 5.0      | Not vulnerable | Not vulnerable |
|               | 5.1      | Not vulnerable | Not vulnerable |
|               | 5.2      | 5.2.157.0      | 5.2.157.0      |
|---------------+----------+----------------+----------------|
| CSCso60979    | 4.1      | Migrate to 4.2 | 4.2.176.0      |
|               | 4.2      | 4.2.117.0      | 4.2.176.0      |
|               | 5.0      | Migrate to 5.2 | 5.2.157.0      |
|               | 5.1      | Not vulnerable | Not vulnerable |
|               | 5.2      | Not vulnerable | Not vulnerable |
|---------------+----------+----------------+----------------|
| CSCsv62283    | 4.1      | Not vulnerable | Not vulnerable |
|               | 4.2      | 4.2.174.0      | 4.2.176.0      |
|               | 5.0      | Not vulnerable | Not vulnerable |
|               | 5.1      | Not vulnerable | Not vulnerable |
|               | 5.2      | Not vulnerable | Not vulnerable |
+------------------------------------------------------------+

Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510 Access Points (APs) are recommended to migrate to release 4.2.176.0. Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are recommended to migrate to 5.2 or later.

Workarounds
===========

There are no workarounds for any of these vulnerabilities.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. 
Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the resolution of customer support cases. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-February-04 | Initial public release. 
| +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 04, 2009 Document ID: 108336 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmJxSEACgkQ86n/Gc8U/uB4XQCfadDoSJbA5K+0GujUY02Rj1Ua xnUAn0nc+bNHTzHwD298ai3ZW/JWKWaU =waFY -----END PGP SIGNATURE----- From deric.kwok2000 at gmail.com Wed Feb 4 13:24:47 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Wed, 4 Feb 2009 13:24:47 -0500 Subject: [c-nsp] access list help In-Reply-To: <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org> References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org> Message-ID: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com> > > Thank you Tim and Steve > > >Is your switch being a *switch* in this case, or a *router*, ie a layer-2 > or layer-3 hop? > I am using this 3500 switch as switch. As I can't access my switch now, I can get sh ip access-list > > >From the config you're posting, it looks to me like you're applying the > >traffic inbound towards the switch only - vlan1 is a layer-3 interface on > >the switch. 
> > >Traffic that's being switched between layer-2 ports will never be > >processed by that ACL. > You mean my access-list is only for router not switch? In this case, how can I do to not allow www traffic to 192.168.0.115 in switch? > > >What are the interfaces on your switch and their IP addresses? > the ip address of switch is 192.168.0.118 > > > >Yes, if you want each of those ACLs to permit by default. The default > >Cisco behaviour is for any traffic not matched at all by an access list to > >be denied, ie implicit 'deny any any' at the end of every ACL. > Could you give me examples ACLs to permit by default? Thank you so much > > Regards, > Tim. > > > From alasdairm at gmail.com Wed Feb 4 14:02:45 2009 From: alasdairm at gmail.com (Alasdair McWilliam) Date: Wed, 4 Feb 2009 19:02:45 +0000 Subject: [c-nsp] Cisco 3750E Message-ID: <8558A7B4-505F-4CBF-9324-F177C5223E6E@gmail.com> Hey everyone, Can anyone tell me what the oversubscription ratios are on the 10/100/1000 GigE ports on the 48-port 3750E switch? The Cisco site doesn't seem to reference any oversubscription (unless I missed it) so figured I may as well ask! Cheers Alasdair From sigurbjornl at vodafone.is Wed Feb 4 14:15:21 2009 From: sigurbjornl at vodafone.is (=?ISO-8859-1?B?U2lndXJiavZybg==?= Birkir =?ISO-8859-1?B?TOFydXNzb24=?=) Date: Wed, 04 Feb 2009 19:15:21 +0000 Subject: [c-nsp] Cisco 3750E In-Reply-To: <8558A7B4-505F-4CBF-9324-F177C5223E6E@gmail.com> Message-ID: The claimed forwarding rate is 101.2Mpps. Assuming full-duplex and maximum speed used on all ports at the same time (48*2+2*20=136Gbit=17Gbyte/sec of traffic) means that the average packet size would have to be less than 168 bytes for you not to get wirespeed forwarding. Given that I think you can safely assume they're not oversubscribed. On 4.2.2009 19:02, "Alasdair McWilliam" wrote: > Hey everyone, > > Can anyone tell me what the oversubscription ratios are on the > 10/100/1000 GigE ports on the 48-port 3750E switch? 
> > The Cisco site doesn't seem to reference any oversubscription (unless > I missed it) so figured I may as well ask! > > Cheers > Alasdair > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From vijay.ramcharan at verizonbusiness.com Wed Feb 4 14:19:35 2009 From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A) Date: Wed, 04 Feb 2009 19:19:35 +0000 Subject: [c-nsp] WAE/WAAS in VRF environment In-Reply-To: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com> Message-ID: Is it possible to configure application acceleration using WAAS in a vrf environment? In other words, my WAN interface on the router is in a VRF, the LAN interface is in another VRF and the WAE is on another VRF. -------------------------- I have gotten as far as the WAE registering the router: "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded. WCCP configuration for TCP Promiscuous succeeded.Please remember to configure WCCP service 61 and 62 on the corresponding router." wae01#sh wccp router Router Information for Service: TCP Promiscuous 61 Routers Configured and Seeing this Wide Area Engine(1) Router Id Sent To Recv ID 0.0.0.0 209.1.1.1 0000022F -------------------------- -------------------------- The router registers the WAE as a WCCP client: router04# "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP client 209.1.1.2" "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP client 209.1.1.2" The router however cannot figure out what its ID is and does not see itself as a WCCP group router. 
router04#sh ip wccp Global WCCP information: Router information: Router Identifier: -not yet determined- Protocol Version: 2.0 Service Identifier: 61 Number of Service Group Clients: 1 Number of Service Group Routers: 0 Total Packets s/w Redirected: 0 Process: 0 Fast: 0 CEF: 0 Redirect access-list: ACCELERATED-TRAFFIC Total Packets Denied Redirect: 0 Total Packets Unassigned: 25957 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 Total Bypassed Packets Received: 0 -------------------------- I will contact TAC shortly after this message (if our WAEs are still supported). Vijay Ramcharan From MLouis at nwnit.com Wed Feb 4 14:23:54 2009 From: MLouis at nwnit.com (Mike Louis) Date: Wed, 4 Feb 2009 14:23:54 -0500 Subject: [c-nsp] WAE/WAAS in VRF environment In-Reply-To: References: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>, Message-ID: How are you routing between your WAN and LAN interfaces today? Are you leaking routes between the VRFs on the same router? ________________________________________ From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Ramcharan, Vijay A [vijay.ramcharan at verizonbusiness.com] Sent: Wednesday, February 04, 2009 2:19 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] WAE/WAAS in VRF environment Is it possible to configure application acceleration using WAAS in a vrf environment? In other words, my WAN interface on the router is in a VRF, the LAN interface is in another VRF and the WAE is on another VRF. -------------------------- I have gotten as far as the WAE registering the router: "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded. WCCP configuration for TCP Promiscuous succeeded.Please remember to configure WCCP service 61 and 62 on the corresponding router." 
wae01#sh wccp router Router Information for Service: TCP Promiscuous 61 Routers Configured and Seeing this Wide Area Engine(1) Router Id Sent To Recv ID 0.0.0.0 209.1.1.1 0000022F -------------------------- -------------------------- The router registers the WAE as a WCCP client: router04# "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP client 209.1.1.2" "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP client 209.1.1.2" The router however cannot figure out what its ID is and does not see itself as a WCCP group router. router04#sh ip wccp Global WCCP information: Router information: Router Identifier: -not yet determined- Protocol Version: 2.0 Service Identifier: 61 Number of Service Group Clients: 1 Number of Service Group Routers: 0 Total Packets s/w Redirected: 0 Process: 0 Fast: 0 CEF: 0 Redirect access-list: ACCELERATED-TRAFFIC Total Packets Denied Redirect: 0 Total Packets Unassigned: 25957 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 Total Bypassed Packets Received: 0 -------------------------- I will contact TAC shortly after this message (if our WAEs are still supported). Vijay Ramcharan _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. 
If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. From vijay.ramcharan at verizonbusiness.com Wed Feb 4 14:31:31 2009 From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A) Date: Wed, 04 Feb 2009 19:31:31 +0000 Subject: [c-nsp] WAE/WAAS in VRF environment In-Reply-To: Message-ID: My LAN and WAE interfaces are in the same VRF. They are aware of the routes within my WAN vrf. The reverse is also true. My WAN vrf is aware of the routes reachable via the LAN and WAE interfaces. I can ping from the WAE in one site over to the WAE in the other site across the WAN without any problems. To recap, wae01 and router04 are in one site (with VRFs), while wae02 (ping source below) and the CM is in another site (no VRFs) across the WAN. wae02#ping 209.1.1.2 PING 209.1.1.2 (209.1.1.2) 56(84) bytes of data. 64 bytes from 209.1.1.2: icmp_seq=0 ttl=62 time=52.3 ms 64 bytes from 209.1.1.2: icmp_seq=1 ttl=62 time=52.3 ms 64 bytes from 209.1.1.2: icmp_seq=2 ttl=62 time=52.4 ms Vijay Ramcharan -----Original Message----- From: Mike Louis [mailto:MLouis at nwnit.com] Sent: February 04, 2009 14:24 To: Ramcharan, Vijay A; cisco-nsp at puck.nether.net Subject: RE: WAE/WAAS in VRF environment How are you routing between your WAN and LAN interfaces today? Are you leaking routes between the VRFs on the same router? ________________________________________ From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Ramcharan, Vijay A [vijay.ramcharan at verizonbusiness.com] Sent: Wednesday, February 04, 2009 2:19 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] WAE/WAAS in VRF environment Is it possible to configure application acceleration using WAAS in a vrf environment? In other words, my WAN interface on the router is in a VRF, the LAN interface is in another VRF and the WAE is on another VRF. 
-------------------------- I have gotten as far as the WAE registering the router: "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded. WCCP configuration for TCP Promiscuous succeeded.Please remember to configure WCCP service 61 and 62 on the corresponding router." wae01#sh wccp router Router Information for Service: TCP Promiscuous 61 Routers Configured and Seeing this Wide Area Engine(1) Router Id Sent To Recv ID 0.0.0.0 209.1.1.1 0000022F -------------------------- -------------------------- The router registers the WAE as a WCCP client: router04# "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP client 209.1.1.2" "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP client 209.1.1.2" The router however cannot figure out what its ID is and does not see itself as a WCCP group router. router04#sh ip wccp Global WCCP information: Router information: Router Identifier: -not yet determined- Protocol Version: 2.0 Service Identifier: 61 Number of Service Group Clients: 1 Number of Service Group Routers: 0 Total Packets s/w Redirected: 0 Process: 0 Fast: 0 CEF: 0 Redirect access-list: ACCELERATED-TRAFFIC Total Packets Denied Redirect: 0 Total Packets Unassigned: 25957 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 Total Bypassed Packets Received: 0 -------------------------- I will contact TAC shortly after this message (if our WAEs are still supported). Vijay Ramcharan _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. 
If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. From A.L.M.Buxey at lboro.ac.uk Wed Feb 4 14:37:31 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Wed, 4 Feb 2009 19:37:31 +0000 Subject: [c-nsp] Cisco 3750E In-Reply-To: <8558A7B4-505F-4CBF-9324-F177C5223E6E@gmail.com> References: <8558A7B4-505F-4CBF-9324-F177C5223E6E@gmail.com> Message-ID: <20090204193731.GB30153@lboro.ac.uk> Hi, > Hey everyone, > > Can anyone tell me what the oversubscription ratios are on the > 10/100/1000 GigE ports on the 48-port 3750E switch? ? oversubscription ? all the 3750E have a 68Mbps wire rate backplane so for pure L2 work they can shove more across the backplane than there are ports. Also, these switches have StackWise+ stacking with a 64Gbps which means that all 48 ports can throw 1000 mbits to 48 other ports on another switch in the stack! alan From ibrahim.abozaid at gmail.com Wed Feb 4 15:51:22 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Wed, 4 Feb 2009 22:51:22 +0200 Subject: [c-nsp] AToM Lab Problem Message-ID: Hi All I was labbing AToM scenario and uses IOS 12.2(33)SRC for ATM AAL5 and ATM Cell-relay feature but i can't get dynamips run for this image , it always results "*** Error: 209-unable to start VM instance " error messages any body lab this feature using different image or know how to fix this error message ? 
complete image name c7200p-spservicesk9-mz.122-33.SRC3_3.bin best regards --Ibrahim From linkconnect at googlemail.com Wed Feb 4 16:10:48 2009 From: linkconnect at googlemail.com (Wayne Lee) Date: Wed, 4 Feb 2009 21:10:48 +0000 Subject: [c-nsp] AToM Lab Problem In-Reply-To: References: Message-ID: <3044d0930902041310w27d8f3b6i3f6b3b718089323@mail.gmail.com> On Wed, Feb 4, 2009 at 8:51 PM, Ibrahim Abo Zaid wrote: > Hi All > > I was labbing AToM scenario and uses IOS 12.2(33)SRC for ATM AAL5 and ATM > Cell-relay feature but i can't get dynamips run for this image , it always > results "*** Error: 209-unable to start VM instance " error messages > > any body lab this feature using different image or know how to fix this > error message ? > > complete image name > c7200p-spservicesk9-mz.122-33.SRC3_3.bin > > > best regards > --Ibrahim > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > I used the following in my .net file to get a p image to work [localhost:7201] workingdir = /tmp udp = 10100 [[7200]] image = /home/dynamips/c7200-spserv.image ghostios = True # sparsemem = True npe = npe-g2 Wayne From frnkblk at iname.com Wed Feb 4 16:26:59 2009 From: frnkblk at iname.com (Frank Bulk) Date: Wed, 4 Feb 2009 15:26:59 -0600 Subject: [c-nsp] PPPoA sessions In-Reply-To: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com> References: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com> Message-ID: Definitely doesn't work with 12.2(31)SB14. I get all zeroes on my box. 
OID Object Type Value 1.3.6.1.4.1.9.10.24.1.1.1.0 cvpdnTunnelTotal GAUGE 0 1.3.6.1.4.1.9.10.24.1.1.2.0 cvpdnSessionTotal GAUGE 0 1.3.6.1.4.1.9.10.24.1.1.3.0 cvpdnDeniedUsersTotal COUNTER 0 Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee Sent: Wednesday, February 04, 2009 10:00 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] PPPoA sessions On Wed, Feb 4, 2009 at 3:39 PM, Frank Bulk - iName.com wrote: > I've asked this before on cisco-bba: there doesn't appear to be an OID for > that. > > I'm afraid you might need to screen-scrape. > > Frank > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Wednesday, February 04, 2009 8:53 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] PPPoA sessions > > > Hey all , > i have a router with PPPoE and PPPoA sessions > i used to the OID 1.3.6.1.4.1.9.9.194.1.1.1 to draw the PPPoE sessions > i searched for OID to draw the PPPoA but didnt find an OID for it > can anyone help ?? 
We have the below in our Cacti install which graphs online PPPoA users Get Active PPP Sessions Queries a Cisco for a list of online users 1.3.6.1.4.1.9.10.24.1.1.4 Index walk value input .1.3.6.1.4.1.9.10.24.1.1.4.1.3 5 Minute Utilization walk value output .1.3.6.1.4.1.9.10.24.1.1.4.1.3 Regards Wayne _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jeff at ocjtech.us Wed Feb 4 17:16:39 2009 From: jeff at ocjtech.us (Jeffrey Ollie) Date: Wed, 4 Feb 2009 16:16:39 -0600 Subject: [c-nsp] Netconf (over SSHv2) in SXI In-Reply-To: <4986E2EB.3070504@cisco.com> References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> Message-ID: <935ead450902041416k3d8f22aex4d7956ce2932b427@mail.gmail.com> On Mon, Feb 2, 2009 at 6:11 AM, Lincoln Dale wrote: > > that is purely a guess - but checking the XML schema definition (XSD) that > should also be posted on cisco.com will let you verify. Any clues on where to find the XSDs? I can't seem to find them except inline in the documentation and that doesn't seem like the best way to get them. -- Jeff Ollie "You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe." -- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon" From szpajder at staszic.waw.pl Wed Feb 4 17:34:54 2009 From: szpajder at staszic.waw.pl (Tomasz Lemiech) Date: Wed, 4 Feb 2009 23:34:54 +0100 (CET) Subject: [c-nsp] PPPoA sessions In-Reply-To: References: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com> Message-ID: On Wed, 4 Feb 2009, Frank Bulk wrote: > Definitely doesn't work with 12.2(31)SB14. I get all zeroes on my box. 
> > OID Object Type Value > 1.3.6.1.4.1.9.10.24.1.1.1.0 cvpdnTunnelTotal GAUGE 0 > 1.3.6.1.4.1.9.10.24.1.1.2.0 cvpdnSessionTotal GAUGE 0 > 1.3.6.1.4.1.9.10.24.1.1.3.0 cvpdnDeniedUsersTotal COUNTER 0 I use .1.3.6.1.4.1.9.9.150.1.1.1.0 to obtain all sessions count and then subtract .1.3.6.1.4.1.9.9.194.1.1.1.0 (number of PPPoE sessions). But beware: .1.3.6.1.4.1.9.9.150.1.1.1.0 counts every session shown in "sh users" output (including VTY sessions). Regards, -- Tomasz Lemiech RLU#189399 TL1942-RIPE From amsoares at netcabo.pt Wed Feb 4 19:47:10 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Thu, 5 Feb 2009 00:47:10 -0000 Subject: [c-nsp] AToM Lab Problem In-Reply-To: <3044d0930902041310w27d8f3b6i3f6b3b718089323@mail.gmail.com> References: <3044d0930902041310w27d8f3b6i3f6b3b718089323@mail.gmail.com> Message-ID: There's another problem: ATM AAL5 over MPLS and ATM Cell Relay over MPLS are not supported with the PA-A1, the only ATM interface supported by Dynamips. http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/atom25s.html#wp1068980 Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee Sent: quarta-feira, 4 de Fevereiro de 2009 21:11 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] AToM Lab Problem On Wed, Feb 4, 2009 at 8:51 PM, Ibrahim Abo Zaid wrote: > Hi All > > I was labbing AToM scenario and uses IOS 12.2(33)SRC for ATM AAL5 and > ATM Cell-relay feature but i can't get dynamips run for this image , > it always results "*** Error: 209-unable to start VM instance " error > messages > > any body lab this feature using different image or know how to fix > this error message ? 
> > complete image name > c7200p-spservicesk9-mz.122-33.SRC3_3.bin > > > best regards > --Ibrahim > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > I used the following in my .net file to get a p image to work [localhost:7201] workingdir = /tmp udp = 10100 [[7200]] image = /home/dynamips/c7200-spserv.image ghostios = True # sparsemem = True npe = npe-g2 Wayne _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ltd at cisco.com Wed Feb 4 21:04:36 2009 From: ltd at cisco.com (Lincoln Dale) Date: Thu, 05 Feb 2009 13:04:36 +1100 Subject: [c-nsp] Netconf (over SSHv2) in SXI In-Reply-To: <935ead450902041416k3d8f22aex4d7956ce2932b427@mail.gmail.com> References: <20090202111322.GK3262@wildfire.net.ic.ac.uk> <4986E2EB.3070504@cisco.com> <935ead450902041416k3d8f22aex4d7956ce2932b427@mail.gmail.com> Message-ID: <498A4934.5090604@cisco.com> Jeffrey Ollie wrote: > On Mon, Feb 2, 2009 at 6:11 AM, Lincoln Dale wrote: > >> that is purely a guess - but checking the XML schema definition (XSD) that >> should also be posted on cisco.com will let you verify. >> > > Any clues on where to find the XSDs? I can't seem to find them except > inline in the documentation and that doesn't seem like the best way to > get them. > > for NX-OS, where i spend most of my time, we post the NetConf XSD right alongside the software images. i am not sure where XSDs are posted on cisco.com (or if they are at all) for IOS images, but will ask internally. to my mind they should be posted along side the images, or linked to from the release notes etc., because the schema would be unique to each image. cheers, lincoln. 
From deric.kwok2000 at gmail.com Wed Feb 4 21:26:05 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 4 Feb 2009 21:26:05 -0500
Subject: [c-nsp] How to add new rule in the same access-list
Message-ID: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>

Hi

I have old rule in the switch but don't know how to add new rule in the same
access-list

When I add new deny rule, it will be put at the end of the access-list

If I remove the access-list 140, I have to re-type all lines again.

Please help.

Thank you

switch#sh access-list 140
Extended IP access list 140
    deny udp any host 192.168.1.118 eq ntp log (4 matches)
    permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log
    deny udp any host 192.168.1.118 eq snmp log
    permit ip any any (49 matches)

switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)#access-list 140 deny tcp any host 192.168.1.118 eq 123 log

switch#sh ip access-lists 140
Extended IP access list 140
    deny udp any host 192.168.1.118 eq ntp log (6 matches)
    permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log (35 matches)
    deny udp any host 192.168.1.118 eq snmp log
    permit ip any any (174 matches)
    deny tcp any host 192.168.1.118 eq 123 log

From brett at looney.id.au Wed Feb 4 22:13:58 2009
From: brett at looney.id.au (Brett Looney)
Date: Thu, 5 Feb 2009 12:13:58 +0900
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
Message-ID: <063101c9873f$ce734500$6b59cf00$@id.au>

> I have old rule in the switch but don't know how to add new rule
> in the same access-list
> When I add new deny rule, it will be put at the end of the access-list
> If I remove the access-list 140, I have to re-type all lines again.
Start using named access lists:

# show access-list
Extended IP access list BrettTest
    10 deny ip host 192.168.101.88 any
    20 permit tcp host 192.168.17.231 any eq domain
    30 permit udp host 192.168.17.231 any eq domain
    40 permit tcp host 192.168.17.231 any eq www

Then, you can insert/delete lines:

(config)#ip access-list extended BrettTest
(config-ext-nacl)#no 20
(config-ext-nacl)#35 permit tcp host 192.168.17.230 any eq www

Easy. You can also renumber access lists using "ip access-list resequence
BrettTest 10 10".

About the only thing you can't do is insert a remark into the access list -
that'd be a nice feature to have.

B.

From David at Hughes.com.au Wed Feb 4 23:54:53 2009
From: David at Hughes.com.au (David Hughes)
Date: Thu, 5 Feb 2009 14:54:53 +1000
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To: <1233758875.6907.22.camel@mauritzlewies>
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> , <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> <1233758875.6907.22.camel@mauritzlewies>
Message-ID:

Hi

Good point. I see CFM has been introduced in SXI. But after wading through
the doco, particularly in the area of "Continuity Check Messages" I see ....

-----
CFM CCMs have the following characteristics:

- Transmitted at a configurable periodic interval by MEPs. The interval can
  be from 10 seconds to 65535 seconds, the default is 30.

- Contain a configurable hold-time value to indicate to the receiver the
  validity of the message. The default is 2.5 times the transmit interval.
-----

So I see we now have yet another protocol implementation that isn't going
to help us improve the availability of the networks we run. 10 second hello
timers? That's soooo 1980's. :-)

According to feature navigator, the "UDLD Enhancements" feature which I
believe provides fast timers is available in SXH4 and SXI. Our boxes are
SXF and SXH3.
Can someone with an SXI box check the configuration range for

(config)#udld message time ?
  <7-90>  Time in seconds between sending of messages in steady state

Thanks

David
...

On 05/02/2009, at 12:47 AM, Mauritz Lewies wrote:

> I've not had much chance to play with it but will Ethernet CFM not work
> for this?
>
>
>
>
>
> On Wed, 2009-02-04 at 08:49 +1000, David Hughes wrote:
>
>> Yup, that's exactly the situation. STP will work around some of the
>> problem caused by this but if you are presenting an etherchannel over
>> multiple xconnects you can't pick up the link failure of part of the
>> etherchannel without UDLD. We did some initial proof of concepts with
>> 2900s running 2 second timers and it was great. Imagine the look on
>> my face when we found out that 6500s don't have the functionality of a
>> $1,000 access switch .....
>>
>> So, is the config option on SXI still 7 seconds at best?
>>
>>
>> Thanks
>>
>> David
>> ...
>>
>>
>> On 03/02/2009, at 7:45 PM, Thomas Dupas wrote:
>>
>>> I assume it's a L2 link (EoMPLS), so BFD won't help much.
>>>
>>> We're in the same situation, also stuck with UDLD timers and 2
>>> parallel EoMPLS xconnects. I can't get the convergence lower than 20
>>> seconds with the default UDLD, so I'm also hoping for fast UDLD
>>>
>>> Best Regards,
>>>
>>> Thomas
>>>
>>> ________________________________________
>>> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net]
>>> on behalf of Gert Doering [gert at greenie.muc.de]
>>> Sent: Tuesday 3 February 2009 8:15
>>> To: David Hughes
>>> CC: Cisco NSP ((E-mail))'
>>> Subject: Re: [c-nsp] Fast UDLD timers in SXI?
>>>
>>> Hi,
>>>
>>> On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote:
>>>> Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down
>>>> to 1 second) or if we are still stuck with the old 7 sec timers.
>>>> We can do 1 sec UDLD on 2900 class switches so I hope we see it in the
>>>> "premier switching platform" some time soon. We need some way to pick
>>>> up a link failure at the far end of an EoMPLS xconnect in a reasonable
>>>> time.
>>>
>>> Can you use BFD?
>>>
>>> (Yes, this is not answering your question - I don't know the answer - but
>>> it might be an alternative approach if this a layer 3 link)
>>>
>>> gert
>>> --
>>> USENET is *not* the non-clickable part of WWW!
>>>                                                     //www.muc.de/~gert/
>>> Gert Doering - Munich, Germany                      gert at greenie.muc.de
>>> fax: +49-89-35655025                  gert at net.informatik.tu-muenchen.de
>>
>

From tvarriale at comcast.net Thu Feb 5 00:48:59 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 4 Feb 2009 23:48:59 -0600
Subject: [c-nsp] How to add new rule in the same access-list
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
Message-ID: <65DFE63F24D74C3C844F4312D00A5CDD@flamdt01>

conf t
ip access-list ext 140

But, based on your output, I'd guess your IOS doesn't support sequenceable
ACLs. What code are you running?

tv

----- Original Message -----
From: "Deric Kwok"
To:
Sent: Wednesday, February 04, 2009 8:26 PM
Subject: [c-nsp] How to add new rule in the same access-list

> Hi
>
> I have old rule in the switch but don't know how to add new rule in the
> same access-list
>
> When I add new deny rule, it will be put at the end of the access-list
>
> If I remove the access-list 140, I have to re-type all lines again.
>
> Please help.
>
> Thank you
>
>
>
> switch#sh access-list 140
> Extended IP access list 140
>     deny udp any host 192.168.1.118 eq ntp log (4 matches)
>     permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log
>     deny udp any host 192.168.1.118 eq snmp log
>     permit ip any any (49 matches)
>
> switch#config t
> Enter configuration commands, one per line.  End with CNTL/Z.
> switch(config)#access-list 140 deny tcp any host 192.168.1.118 eq 123 log
>
>
>
> switch#sh ip access-lists 140
> Extended IP access list 140
>     deny udp any host 192.168.1.118 eq ntp log (6 matches)
>     permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log (35 matches)
>     deny udp any host 192.168.1.118 eq snmp log
>     permit ip any any (174 matches)
>     deny tcp any host 192.168.1.118 eq 123 log

From Damien.Vigar at det.nsw.edu.au Thu Feb 5 00:50:24 2009
From: Damien.Vigar at det.nsw.edu.au (Vigar, Damien)
Date: Thu, 5 Feb 2009 16:50:24 +1100
Subject: [c-nsp] 3750-12G interfaces dropping out
In-Reply-To: <5C548098-B7E6-4B3C-903E-FD75C2152293@labyrinth.org>
References: <5C548098-B7E6-4B3C-903E-FD75C2152293@labyrinth.org>
Message-ID: <0DD0E17BE9C0FA47981C67E9939D3D342EABEA0CCB@SLPPEXCCR02.central.det.win>

Hi all,

We're having an odd issue with a 3750 that's running as the core switch at
one of our sites. It's been fine for years; suddenly, this week, it's
decided that some of its interfaces should reset randomly, disrupting
access to staff phones and PCs in the buildings at the other end.

It's in a stack (as master) with a 3750-48. All interfaces are populated
with 1000SX SFP modules (all genuine Cisco). All edge switches are 3560s.
None of the edge switches show anything in the log about the link loss
(it's only about 3 seconds) but the core switch shows this:

Date        Time      Priority       Hostname      Message
02-05-2009  16:30:44  Local7.Notice  10.2.115.182  640: 000609: Feb 5 16:30:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009  16:30:41  Local7.Notice  10.2.115.182  639: 000608: Feb 5 16:30:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009  16:28:31  Local7.Notice  10.2.115.182  638: 000607: Feb 5 16:28:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up
02-05-2009  16:28:28  Local7.Notice  10.2.115.182  637: 000606: Feb 5 16:28:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to down
02-05-2009  16:24:41  Local7.Notice  10.2.115.182  635: 000604: Feb 5 16:24:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
02-05-2009  16:24:38  Local7.Notice  10.2.115.182  634: 000603: Feb 5 16:24:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to down
02-05-2009  16:16:42  Local7.Notice  10.2.115.182  633: 000602: Feb 5 16:16:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009  16:16:38  Local7.Notice  10.2.115.182  632: 000601: Feb 5 16:16:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009  16:14:36  Local7.Notice  10.2.115.182  631: 000600: Feb 5 16:14:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009  16:14:33  Local7.Notice  10.2.115.182  630: 000599: Feb 5 16:14:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009  16:12:03  Local7.Notice  10.2.115.182  629: 000598: Feb 5 16:12:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009  16:12:00  Local7.Notice  10.2.115.182  628: 000597: Feb 5 16:12:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009  16:01:35  Local7.Notice  10.2.115.182  627: 000596: Feb 5 16:01:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
02-05-2009  16:01:32  Local7.Notice  10.2.115.182  626: 000595: Feb 5 16:01:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down
02-05-2009  15:49:02  Local7.Notice  10.2.115.182  625: 000594: Feb 5 15:49:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/21, changed state to up
02-05-2009  15:49:00  Local7.Notice  10.2.115.182  624: 000593: Feb 5 15:48:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/21, changed state to down
02-05-2009  15:43:24  Local7.Notice  10.2.115.182  623: 000592: Feb 5 15:43:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
02-05-2009  15:43:21  Local7.Notice  10.2.115.182  622: 000591: Feb 5 15:43:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down

I note that it's only the line protocol dropping, not the actual interface.
I have seen this happen once when I was looking at the switch - all the
activity lights froze, some went out, and then the switch happily went back
to normal.

It's only some of the interfaces, too - 1, 2, 5, 9 and 10 out of 12. None
of the interfaces on the 3750-48 that's a stack member have been affected
at all.

Has anyone seen this sort of behaviour before? It's hard to know where to
look. Nothing much has happened this week; we did have a new link to new
switches in a building patched in on Monday but that link isn't affected
(I disabled the interface and the problem was still occurring while it was
down).
Some PCs and phones have been set up in one of the buildings that previously
were at another site, so perhaps that could be related, although the edge
switches in that building show no problems internally...

Regards,
Damien

From gert at greenie.muc.de Thu Feb 5 02:24:26 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 5 Feb 2009 08:24:26 +0100
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To:
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> <1233758875.6907.22.camel@mauritzlewies>
Message-ID: <20090205072426.GU290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 02:54:53PM +1000, David Hughes wrote:
> (config)#udld message time ?
>   <7-90>  Time in seconds between sending of messages in steady
> state

SXI, Sup32:

Cisco-M(config)#udld message time ?
  <7-90>  Time in seconds between sending of messages in steady state

gert
--
USENET is *not* the non-clickable part of WWW!
                                                       //www.muc.de/~gert/
Gert Doering - Munich, Germany                        gert at greenie.muc.de
fax: +49-89-35655025                    gert at net.informatik.tu-muenchen.de
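The syslog export in Damien's 3750-12G post above is exactly the kind of input a flap detector should run over: pair each line-protocol "down" with the next "up" per interface, measure the outage, and flag interfaces where the protocol drops while the physical link (%LINK-3-UPDOWN) never changes. This is an added example, not code from the thread; the GigabitEthernet1/0/1, GigabitEthernet1/0/3 and %SYS-5-CONFIG_I records in the sample are constructed and are not in the post.

```python
"""Spot line-protocol flaps in an IOS syslog export.

Added example, not code from the cisco-nsp thread. SAMPLE_LOG reuses the
record format of the 3750-12G post (collector date/time, facility, host,
sequence numbers, then the IOS message); the GigabitEthernet1/0/1,
GigabitEthernet1/0/3 and %SYS-5-CONFIG_I records are constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime

# Collector prefix, then the IOS message. The IOS timestamp ("Feb 5
# 16:30:44") carries no year, so the collector's date/time is used for
# arithmetic. Only the two link-state mnemonics are recognised.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<prio>\S+)\s+(?P<host>\S+)\s+.*?"
    r"%(?P<mnemonic>LINEPROTO-5-UPDOWN|LINK-3-UPDOWN):\s+"
    r"(?:Line protocol on )?Interface (?P<ifname>[^,\s]+), "
    r"changed state to (?P<state>up|down)"
)

SAMPLE_LOG = """\
02-05-2009 16:35:00 Local7.Notice 10.2.115.182 641: 000610: Feb 5 16:35:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
02-05-2009 16:30:44 Local7.Notice 10.2.115.182 640: 000609: Feb 5 16:30:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009 16:30:41 Local7.Notice 10.2.115.182 639: 000608: Feb 5 16:30:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009 16:28:31 Local7.Notice 10.2.115.182 638: 000607: Feb 5 16:28:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up
02-05-2009 16:28:28 Local7.Notice 10.2.115.182 637: 000606: Feb 5 16:28:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to down
02-05-2009 16:24:41 Local7.Notice 10.2.115.182 635: 000604: Feb 5 16:24:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
02-05-2009 16:24:38 Local7.Notice 10.2.115.182 634: 000603: Feb 5 16:24:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to down
02-05-2009 16:16:42 Local7.Notice 10.2.115.182 633: 000602: Feb 5 16:16:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009 16:16:38 Local7.Notice 10.2.115.182 632: 000601: Feb 5 16:16:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009 16:14:36 Local7.Notice 10.2.115.182 631: 000600: Feb 5 16:14:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to up
02-05-2009 16:14:33 Local7.Notice 10.2.115.182 630: 000599: Feb 5 16:14:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/9, changed state to down
02-05-2009 15:30:00 Local7.Notice 10.2.115.182 615: 000584: Feb 5 15:30:00: %SYS-5-CONFIG_I: Configured from console by vty0
02-05-2009 15:10:07 Local7.Notice 10.2.115.182 604: 000574: Feb 5 15:10:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
02-05-2009 15:10:05 Local7.Error 10.2.115.182 603: 000573: Feb 5 15:10:05: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
02-05-2009 15:10:02 Local7.Notice 10.2.115.182 602: 000572: Feb 5 15:10:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
02-05-2009 15:10:01 Local7.Error 10.2.115.182 601: 000571: Feb 5 15:10:01: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
""".splitlines()


def parse_events(lines):
    """Return (timestamp, host, mnemonic, ifname, state) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated message, or one the collector mangled
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m-%d-%Y %H:%M:%S")
        events.append((ts, m["host"], m["mnemonic"], m["ifname"], m["state"]))
    events.sort(key=lambda e: e[0])  # the export is newest-first
    return events


def flap_report(lines):
    """Pair each line-protocol 'down' with the next 'up' on the same interface.

    Returns {ifname: {"flaps", "max_outage_s", "open_outage", "link_events"}}.
    A 'down' with no later 'up' is reported as an open outage, not dropped;
    an 'up' with no earlier 'down' (log starts mid-event) is ignored.
    """
    report = defaultdict(lambda: {"flaps": 0, "max_outage_s": 0.0,
                                  "open_outage": False, "link_events": 0})
    pending_down = {}
    for ts, _host, mnemonic, ifname, state in parse_events(lines):
        entry = report[ifname]
        if mnemonic == "LINK-3-UPDOWN":
            entry["link_events"] += 1  # physical link changed, not just L2
            continue
        if state == "down":
            pending_down[ifname] = ts
        elif ifname in pending_down:
            outage = (ts - pending_down.pop(ifname)).total_seconds()
            entry["flaps"] += 1
            entry["max_outage_s"] = max(entry["max_outage_s"], outage)
    for ifname in pending_down:
        report[ifname]["open_outage"] = True
    return dict(report)


def suspicious_interfaces(lines, min_flaps=2):
    """Interfaces whose line protocol flapped at least min_flaps times while
    %LINK-3-UPDOWN never fired: the pattern in the 3750 post, where the
    protocol drops but the physical link stays up."""
    return sorted(name for name, r in flap_report(lines).items()
                  if r["flaps"] >= min_flaps and r["link_events"] == 0)


if __name__ == "__main__":
    for name, r in sorted(flap_report(SAMPLE_LOG).items()):
        print(f"{name:24} flaps={r['flaps']} max_outage={r['max_outage_s']:.0f}s "
              f"link_events={r['link_events']} open={r['open_outage']}")
    print("suspicious:", suspicious_interfaces(SAMPLE_LOG))
```

Feeding the full collector export instead of SAMPLE_LOG gives the per-interface flap counts and the 3-4 second outage lengths directly, without reading the log by hand.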
From sethm at rollernet.us Thu Feb 5 02:29:54 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 04 Feb 2009 23:29:54 -0800
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com>
Message-ID: <498A9572.6010608@rollernet.us>

Deric Kwok wrote:
> Hi
>
> I have old rule in the switch but don't know how to add new rule in the same
> access-list
>
> When I add new deny rule, it will be put at the end of the access-list
>
> If I remove the access-list 140, I have to re-type all lines again.
>

That's correct. You need to remove and recreate it in the correct order
lacking sequences.

~Seth

From ahmedazim at gmail.com Thu Feb 5 05:10:39 2009
From: ahmedazim at gmail.com (Ahmed Mohamed)
Date: Thu, 5 Feb 2009 12:10:39 +0200
Subject: [c-nsp] reacheability issue in MEL link
In-Reply-To: <7FEDD455961B164D8C4EEA60E22914207D7B0FFFA7@EXCHANGE1.intranet.iseek.com.au>
References: <0BB7A1080B7DBD4494E09FF171D2ACEA02855555@xmb-ams-33c.emea.cisco.com> <7FEDD455961B164D8C4EEA60E22914207D7B0FFFA7@EXCHANGE1.intranet.iseek.com.au>
Message-ID:

Hi,

Just wanted to share with you: I found the problem in a damaged port. The
port is in a Fast Ethernet module: PA-2FE-TX.

The funny thing is that the interface goes "up-up" when a cable is plugged
in, and "down-down" when unplugged, and the Field Engineer confirmed the
LED shows normal operation, but the port wouldn't ping !!!
When I moved the circuit to the second port in the module, the ping came
back successful.

So beware of this tricky fault, always try another port ;)

On Wed, Feb 4, 2009 at 5:48 PM, Matt Carter wrote:

> hi,
>
>
>
>
> my advice, check to see if the SP is actually giving you a service which
> you can do trunking on (ie, they have vlan stacking aka dot1q enabled)
>
> if that is the case, ensure you have the vlan dot1q tag native command
> enabled to ensure all frames for all vlans are tagged (otherwise the native
> vlan will be untagged) that seems to cause some problem for some carriers
> (getting a mix of vlan colored/uncolored packets)
>
> and yes it is common for failure in the carrier network not to be reflected
> at the switch port you are connected to, enable UDLD or BFD to pick up holes
> in the middle..
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Ahmed Mohamed
> > Sent: Thursday, 5 February 2009 1:15 AM
> > To: Ahmed Maged (amaged)
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] reacheability issue in MEL link
> >
> >
> > --------------------------------Metroethernet(carrier)----------------
> > ---------ethernet(cable)-----
> >
> > for a link as simple as above, if :
> > + the CE , the Agg. switch and the PE interfaces are in the same vlan
> > + the CE and the PE IP interfaces are in the same subnet
> >
> > then I must (at least) have an entry in the arp table, and ping successful,
> > which is not the case
> >
> > what was getting me crazy , is that all interfaces are up-up all the time,
> > but I just received feedback today that MetroEthernet carriers have NTU's
> > acting as Ethernet HUB, so as long as they are functional , you will have
> > the interfaces up-up even if the circuit is broken inside the carrier !!!
> >
> > tomorrow I will order dual dispatch to both ends, will test circuit
> > termination at both ends
> >
> > "traceroute mac" feature is not in CE or PE IOS
> >
> >
> >
> > On Wed, Feb 4, 2009 at 1:25 PM, Ahmed Maged (amaged)
> > wrote:
> >
> > > Troubleshoot layer by layer.
> > >
> > > If the lower layers don't work, don't expect anything to behave
> > > properly.
> > >
> > > Follow the L2 frame with (ltrace) if available on your IOS.
> > >
> > > How about debugging?
> > >
> > > Can you install a sniffer?
> > >
> > > What do you see on the interfaces counters?
> > >
> > > Did you try anything else other than ping, maybe ICMP is blocked.
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ahmed Mohamed
> > > Sent: Tuesday, February 03, 2009 2:28 AM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] reacheability issue in MEL link
> > >
> > > Hello,
> > >
> > > this is a real life problem still occurring, and I have no idea what may
> > > be causing it ..
> > >
> > > we are providing an internet direct service to our customer via MEL
> > > (Metro Ethernet Link)
> > >
> > > CE (CS-7206 VXR) fe2/0.36 ------------------Etherlink(local
> > > carrier)---------------- WS-3759G-24TS--PE(CS-7000)
> > >
> > > the solution is provided using a carrier to link the customer CE to an
> > > aggregated switch, using Metro Ethernet
> > > configuring vlan 36 and using dot1q encapsulation
> > > then from the aggregating switch to the PE router using also
> > > encapsulation dot1q for vlan36
> > >
> > > all interfaces are up-up , and still ping fails !!
> > >
> > > I tried everything, resetting ports, switches, reconfigure interfaces
> > > ..etc.
> > > still no joy
> > >
> > > any idea what could be causing the problem ?
> > > > > > > ======================================================================== > > > CE: > > > ----- > > > interface FastEthernet2/0.36 > > > bandwidth 61440 > > > encapsulation dot1Q 36 > > > ip address 57.78.2.6 255.255.255.252 > > > > ======================================================================== > > > Agg. switch: > > > ------------------ > > > interface GigabitEthernet1/0/9 > > > switchport trunk encapsulation dot1q > > > switchport trunk native vlan 3109 > > > switchport trunk allowed vlan 36,3109 > > > switchport mode trunk > > > switchport nonegotiate > > > duplex full > > > speed 100 > > > mls qos trust cos > > > spanning-tree bpdufilter enable > > > > ======================================================================== > > > PE: > > > ------ > > > interface FastEthernet5/1/1.36 > > > bandwidth 61440 > > > encapsulation dot1Q 36 > > > ip address 57.78.2.5 255.255.255.252 > > > no ip redirects > > > no ip proxy-arp > > > no ip route-cache > > > no cdp enable > > > > ======================================================================== > > > bmil305#sh int FastEthernet5/1/1.36 > > > FastEthernet5/1/1.36 is up, line protocol is up <<<<<< > > > Hardware is cyBus FastEthernet Interface, address is 0003.fe91.b8a9 > (bia > > > 0003.fe91.b8a9) > > > Internet address is 57.78.2.5/30 > > > MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec, > > > reliability 255/255, txload 1/255, rxload 1/255 > > > Encapsulation 802.1Q Virtual LAN, Vlan ID 36. 
> > >   ARP type: ARPA, ARP Timeout 04:00:00
> > >
> > > ========================================================================
> > > pmil2534#sh int Fa2/0.36
> > > FastEthernet2/0.36 is up, line protocol is up <<<<<<
> > >   Hardware is i82543 (Livengood), address is 0022.be8b.1038 (bia
> > > 0022.be8b.1038)
> > >   Description: --- To bmil305 - FE5/1/1.5
> > >   Internet address is 57.78.2.6/30
> > >   MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
> > >      reliability 255/255, txload 1/255, rxload 1/255
> > >   Encapsulation 802.1Q Virtual LAN, Vlan ID 36.
> > >
> > > ========================================================================
> > > ping pe to CE fails:
> > > ----------------------------
> > > bmil305#ping 57.78.2.6 <<<<<<,
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 57.78.2.6, timeout is 2 seconds:
> > > .....
> > > Success rate is 0 percent (0/5)
> > >
> > > ========================================================================
> > > PE to internet (google) successfully:
> > > ------------------------------------------------------
> > > bmil305#ping 216.239.59.147 source fast 5/1/1.36 repeat 100 size 500
> > > Type escape sequence to abort.
> > > Sending 100, 500-byte ICMP Echos to 216.239.59.147, timeout is 2
> > > seconds:
> > > Packet sent with a source address of 57.78.2.5
> > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > > Success rate is 100 percent (100/100), round-trip min/avg/max =
> > > 36/40/112 ms
> > >
> > > ========================================================================
> >
>

From ibrahim.abozaid at gmail.com Thu Feb 5 05:41:13 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 5 Feb 2009 12:41:13 +0200
Subject: [c-nsp] AToM Lab Problem
In-Reply-To:
References: <3044d0930902041310w27d8f3b6i3f6b3b718089323@mail.gmail.com>
Message-ID:

Dear All

Many thanks for your replies -:)

I think now I have to rent a rack to finish that -:)

best regards
--Ibrahim

On Thu, Feb 5, 2009 at 2:47 AM, Antonio Soares wrote:

> There's another problem: ATM AAL5 over MPLS and ATM Cell Relay over MPLS
> are not supported with the PA-A1, the only ATM interface
> supported by Dynamips.
>
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/atom25s.html#wp1068980
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee
> Sent: Wednesday, 4 February 2009 21:11
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] AToM Lab Problem
>
> On Wed, Feb 4, 2009 at 8:51 PM, Ibrahim Abo Zaid <
> ibrahim.abozaid at gmail.com> wrote:
> > Hi All
> >
> > I was labbing an AToM scenario and used IOS 12.2(33)SRC for the ATM AAL5 and
> > ATM Cell-relay feature but I can't get dynamips to run for this image,
> > it always results in "*** Error: 209-unable to start VM instance " error
> > messages
> >
> > anybody lab this feature using a different image or know how to fix
> > this error message ?
> >
> > complete image name
> > c7200p-spservicesk9-mz.122-33.SRC3_3.bin
> >
> >
> > best regards
> > --Ibrahim
> >
>
>
> I used the following in my .net file to get a p image to work
>
>
> [localhost:7201]
> workingdir = /tmp
> udp = 10100
> [[7200]]
> image = /home/dynamips/c7200-spserv.image
> ghostios = True
> # sparsemem = True
> npe = npe-g2
>
>
> Wayne
>

From jaldrich at blueridgecarpet.com Thu Feb 5 05:41:39 2009
From: jaldrich at blueridgecarpet.com (John Aldrich)
Date: Thu, 5 Feb 2009 05:41:39 -0500
Subject: [c-nsp] vpn client issues with ASA
Message-ID: <200902050541.39115.jaldrich@blueridgecarpet.com>

We just upgraded our firewall from a Pix to an ASA, and now, for some
reason, even though we have it specified in the VPN Client software, we are
having to enter our password every time. Is this a feature of the ASA or is
it configurable? We never had to do this before, and it's rather annoying.
I don't think it's the client as I never had to do this before, and also, I
set up a new connection from scratch and it required the password as well
when connecting.

Any suggestions?

--
Thanks,
John Aldrich
Blueridge Industries
IT Manager

From euang+cisco-nsp at lists.eusahues.co.uk Thu Feb 5 06:11:00 2009
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Thu, 5 Feb 2009 11:11:00 +0000
Subject: [c-nsp] PPPoA sessions
In-Reply-To:
References: <3044d0930902040800r680abbb9j84b5910b89d2c1de@mail.gmail.com>
Message-ID: <20090205111100.GA26248@hyperion.eusahues.co.uk>

On Wed, Feb 04, 2009 at 03:26:59PM -0600, Frank Bulk wrote:
> Definitely doesn't work with 12.2(31)SB14. I get all zeroes on my box.
>
> OID                          Object                 Type     Value
> 1.3.6.1.4.1.9.10.24.1.1.1.0  cvpdnTunnelTotal       GAUGE    0
> 1.3.6.1.4.1.9.10.24.1.1.2.0  cvpdnSessionTotal      GAUGE    0
> 1.3.6.1.4.1.9.10.24.1.1.3.0  cvpdnDeniedUsersTotal  COUNTER  0

Those are different to the ones quoted by Wayne.

1.3.6.1.4.1.9.10.24.1.1.4.1.2.tunneltype (2 for l2tp)  cvpdnSystemTunnelTotal
1.3.6.1.4.1.9.10.24.1.1.4.1.3.tunneltype (2 for l2tp)  cvpdnSystemSessionTotal
1.3.6.1.4.1.9.10.24.1.1.4.1.4.tunneltype (2 for l2tp)  cvpdnSystemDeniedUsersTotal

I would have thought those ones work in 12.2SB (not checked though).
--
Euan Galloway

From gkg at gmx.de Thu Feb 5 06:59:30 2009
From: gkg at gmx.de (Garry)
Date: Thu, 05 Feb 2009 12:59:30 +0100
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498A9572.6010608@rollernet.us>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us>
Message-ID: <498AD4A2.9040608@gmx.de>

Seth Mattinen wrote:
> Deric Kwok wrote:
>
>> Hi
>>
>> I have old rule in the switch but don't know how to add new rule in the same
>> access-list
>>
>> When I add new deny rule, it will be put at the end of the access-list
>>
>> If I remove the access-list 140, I have to re-type all lines again.
>>
>>
>
> That's correct. You need to remove and recreate it in the correct order
> lacking sequences.
>

Not necessarily, you can always do a "show access-list 140", you'll get
a numbered list of rules. Then you can delete single lines by doing
something like this:

conf t
ip access-list extended 140
no 30           <-- if the line you want to get rid of is #30
30 permit ...   <-- of course you can add a new #30
31 permit ...   <-- or insert additional lines ...
32 deny ...     <-- ditto

AFAIK, the numbering stays constant until the next router reload
...then, it is "renumbered" internally to use the 10-20-30... distance
for every line ... (if anybody knows a way to renumber w/o rebooting,
please let me know)

-garry

From erik at infopact.nl Thu Feb 5 07:10:04 2009
From: erik at infopact.nl (E. Versaevel)
Date: Thu, 05 Feb 2009 13:10:04 +0100
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498AD4A2.9040608@gmx.de>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <498AD4A2.9040608@gmx.de>
Message-ID: <498AD71C.3050008@infopact.nl>

Garry wrote:
> Seth Mattinen wrote:
>> Deric Kwok wrote:
>>
>>> Hi
>>>
>>> I have old rule in the switch but don't know how to add new rule in the same
>>> access-list
>>>
>>> When I add new deny rule, it will be put at the end of the access-list
>>>
>>> If I remove the access-list 140, I have to re-type all lines again.
>>>
>>>
>> That's correct. You need to remove and recreate it in the correct order
>> lacking sequences.
>>
> Not necessarily, you can always do a "show access-list 140", you'll get
> a numbered list of rules. Then you can delete single lines by doing
> something like this:
>
> conf t
> ip access-list extended 140
> no 30           <-- if the line you want to get rid of is #30
> 30 permit ...   <-- of course you can add a new #30
> 31 permit ...   <-- or insert additional lines ...
> 32 deny ...     <-- ditto
>
> AFAIK, the numbering stays constant until the next router reload
> ...then, it is "renumbered" internally to use the 10-20-30... distance
> for every line ... (if anybody knows a way to renumber w/o rebooting,
> please let me know)
>

Time to read back a bit :)

Cisco has 2 kinds of access-lists, the 'old' numbered access-lists

access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any

These cannot be edited other than deleting them and recreating the
modified access-list (which might result in blackholing yourself if you
delete the access-list without removing it from the interfaces ;) as a
non-existing access-list on an interface equals deny any any)

The 2nd kind of access-list are the ip access-lists, these have sequence
numbers and thus provide a way to insert/remove single entries from these
lists.
The sequence numbers are reset after a router reload or can be resequenced
by hand (ip access-list resequence list_name 10 10)

So in order to insert an entry in an ip access-list you need to know the
available sequence numbers. If you issue a show ip access-list you'll get
an overview of the access-lists (and sequence numbers)

Erik Versaevel

From dv at dv.ru Thu Feb 5 07:18:50 2009
From: dv at dv.ru (Dmitry Valdov)
Date: Thu, 5 Feb 2009 15:18:50 +0300 (MSK)
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498AD71C.3050008@infopact.nl>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <498AD4A2.9040608@gmx.de> <498AD71C.3050008@infopact.nl>
Message-ID: <20090205151337.H22606@xkis.kis.ru>

Hello,

On Thu, 5 Feb 2009, E. Versaevel wrote:

> Cisco has 2 kinds of access-lists, the 'old' numbered access-lists
>
> access-list 100 permit ip 192.168.0.0 0.0.0.255 any
> access-list 100 deny ip any any
>
> These cannot be edited other than deleting them and recreating the
> modified access-list (which might result in blackholing yourself if you
> delete the access-list without removing it from the interfaces ;) as a
> non-existing access-list on an interface equals deny any any)

In recent IOS versions they can be edited in the same manner as named
ACLs. Use number instead of name and specify right ACL type
(standard/extended).

ip access-list standard 3

[....]

> The 2nd kind of access-list are the ip access-lists, these have sequence
> numbers and thus provide a way to insert/remove single entries from these
> lists.
> The sequence numbers are reset after a router reload or can be resequenced
> by hand (ip access-list resequence list_name 10 10)
> So in order to insert an entry in an ip access-list you need to know the
> available sequence numbers.
> If you issue a show ip access-list you'll get an
> overview of the access-lists (and sequence numbers)

--
Dmitry Valdov
CCIE #15379 (R&S and SP)

From tim at pelican.org Thu Feb 5 07:45:15 2009
From: tim at pelican.org (Tim Franklin)
Date: Thu, 5 Feb 2009 12:45:15 -0000 (GMT)
Subject: [c-nsp] access list help
In-Reply-To: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org> <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>
Message-ID: <9f41bd48f428fb15340c3dde3bab4c8b.squirrel@webmail.pelican.org>

On Wed, February 4, 2009 6:24 pm, Deric Kwok wrote:

>> >Traffic that's being switched between layer-2 ports will never be
>> >processed by that ACL.
>> >
> You mean my access-list is only for router not switch?

Not so much the ACL, but where you've applied it. 'Interface vlan1' is a layer-3 interface. Traffic will only go in or out of this interface if it's going to the IP address of the switch, either because it's destined to the switch, or because the switch is the IP next-hop and is going to route (not switch) the traffic on. Traffic that's being switched between ports at layer-2 only goes in and out of the physical ports, e.g. fastethernet0/1 - even though they might be in vlan 1, it doesn't traverse the vlan1 interface.

> In this case, how can I do to not allow www traffic to 192.168.0.115 in
> switch?

I believe you'll need the ACL applied in-bound on every physical port that could have traffic going towards 192.168.0.115 - so the uplink port, and any other ports that have devices attached.

> Could you give me example ACLs to permit by default?

You need a 'permit ip any any' statement at the end of each ACL to permit by default for that ACL.
This is going to be very important once you start applying the ACL to the physical ports, as above - if you don't include the 'permit ip any any' at the end, you'll effectively shut off that port completely.

Regards,
Tim.

From p.mayers at imperial.ac.uk Thu Feb 5 08:08:53 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 05 Feb 2009 13:08:53 +0000
Subject: [c-nsp] Use "plain old IP" for non-VRF traffic?
Message-ID: <498AE4E5.9050101@imperial.ac.uk>

We have an MPLS L3VPN-based network, and I want to use plain-old IPv4 (no labels) for the non-VRF traffic.

The reason I want to do this is we're seeing a bug related to VACL-capture - packets whose next-hop is a label-imposition are not captured. I'm going to deal with that separately via TAC, but we need the VACL capture to work ASAP.

This is in 12.2(33)SXI

From oboehmer at cisco.com Thu Feb 5 08:20:35 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 5 Feb 2009 14:20:35 +0100
Subject: [c-nsp] Use "plain old IP" for non-VRF traffic?
In-Reply-To: <498AE4E5.9050101@imperial.ac.uk>
References: <498AE4E5.9050101@imperial.ac.uk>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E86B@xmb-ams-333.emea.cisco.com>

Phil Mayers <> wrote on Thursday, February 05, 2009 14:09:

> We have an MPLS L3VPN-based network, and I want to use plain-old IPv4
> (no labels) for the non-VRF traffic.
>
> The reason I want to do this is we're seeing a bug related to
> VACL-capture - packets whose next-hop is a label-imposition are not
> captured. I'm going to deal with that separately via TAC, but we need
> the VACL capture to work ASAP.

unless you are using BGP to carry IPv4 (plain old) prefixes, you can limit label advertisements to your BGP next-hops (which advertise the vpnv4 prefixes):

  no mpls advertise-labels
  mpls advertise-labels for PE-loopbacks
  !
  ip access-list standard PE-loopbacks
   permit
strictly speaking you only need to do this on the router where you want to use VACL, then the adjacent LSRs will pop their label towards this node..

oli

From p.mayers at imperial.ac.uk Thu Feb 5 08:35:53 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 05 Feb 2009 13:35:53 +0000
Subject: [c-nsp] Use "plain old IP" for non-VRF traffic?
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E86B@xmb-ams-333.emea.cisco.com>
References: <498AE4E5.9050101@imperial.ac.uk> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E86B@xmb-ams-333.emea.cisco.com>
Message-ID: <498AEB39.9090105@imperial.ac.uk>

Oliver Boehmer (oboehmer) wrote:
> Phil Mayers <> wrote on Thursday, February 05, 2009 14:09:
>
>> We have an MPLS L3VPN-based network, and I want to use plain-old IPv4
>> (no labels) for the non-VRF traffic.
>>
>> The reason I want to do this is we're seeing a bug related to
>> VACL-capture - packets whose next-hop is a label-imposition are not
>> captured. I'm going to deal with that separately via TAC, but we need
>> the VACL capture to work ASAP.
>
> unless you are using BGP to carry IPv4 (plain old) prefixes, you can

Sadly, we are doing that.

From rens at autempspourmoi.be Thu Feb 5 08:39:35 2009
From: rens at autempspourmoi.be (Rens)
Date: Thu, 5 Feb 2009 14:39:35 +0100
Subject: [c-nsp] Ethernet VPN circuits
In-Reply-To: <004201c986dd$1299bf10$37cd3d30$@org.uk>
References: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com> <004201c986dd$1299bf10$37cd3d30$@org.uk>
Message-ID: <4947ADE167854B32B3F41418CFEE4FF0@EU.corp.clearwire.com>

I think I explained my problem badly below.
On CS we receive the frames like this: [outer tag].[inner tag]
On RS they strip off the outer tag
The provider uses the outer tag to decide to which RS it should go

So if I would want to do an OSPF between a CS & RS I would have this problem:

1) I either remove the outer tag on the switch so on my router I can do the same subinterface dot1q [inner tag] => but this won't work when I want to do the same thing with multiple RS

2) Can I pass the double tag through my switch to our 7206 and configure a double dot1q [outer tag].[inner tag] on my subinterface?

-----Original Message-----
From: Dean Smith [mailto:dean at eatworms.org.uk]
Sent: mercredi 4 février 2009 16:27
To: 'Rens'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Ethernet VPN circuits

Can't speak for your product...but in the UK we've used similar from the 4 or 5 biggest suppliers and they all work the same...

At the central site access is delivered over a single high B/W Trunk. We (Customer) and supplier agree a vlan tag per site. At the remote site the port is provided with no vlan tag. So if we have a single IP connection between, there are no multiple VLAN tags.

Router at the central site - configure your IP interface as Vlan subinterface on CS Router. Trunk Between CS Router & CS Switch. Configure CS Switch port facing provider as trunk as well. (Control the VLANs you want to send etc on each trunk port). The CS Switch is optional. (we do actually have these for various reasons - but will be phasing them out in new core site builds).

At the Remote site it's just a straight Ethernet port. Not sure why you'd use the RS Switch at all.
Dean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rens
Sent: 04 February 2009 12:27
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Ethernet VPN circuits

Hi,

We have a provider that has a new product and I would like to know if I could use it with our current infrastructure to interconnect sites.

This is how it works on the provider side:

1 Central Site where everything arrives
Multiple Remote Sites that you can connect to the Central Site
Per Remote Site we have to define a VLAN tag.

So it would look like this:

My CS router <=> my CS switch <=> provider CS switch <=> provider Backbone <=> provider RS switch <=> My RS router
7206VXR <=> 3550 <=> 2960 <=> No Idea <=> 2960 <=> 1841

So if I want to do a /30 OSPF between my CS router and my RS router I would use vlan 200 for this at the RS router (subinterface dot1q); it enters the provider RS switch and they add the predefined vlan as outer tag (example 800).

It arrives like this at my CS site and now I have a problem.

1) I either remove the outer tag VLAN (800) on the switch so on my router I can do the same subinterface dot1q 200 => but this won't work when I want to do the same thing with multiple RS

2) Can I pass the double tag through my switch to our 7206 and configure a double dot1q subinterface, so the router removes both outer & inner 800 & 200 and OSPF goes up :-)

Any help is appreciated.
Regards,

Rens

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From deric.kwok2000 at gmail.com Thu Feb 5 08:41:33 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Thu, 5 Feb 2009 08:41:33 -0500
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <65DFE63F24D74C3C844F4312D00A5CDD@flamdt01>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <65DFE63F24D74C3C844F4312D00A5CDD@flamdt01>
Message-ID: <40d8a95a0902050541w67d7c382yd23b9017e0cf8c5a@mail.gmail.com>

Hi Tony

You are right. I think my IOS (version 12.0) can't support the numbering

switch#sh access-list 140
Extended IP access list 140
    deny udp any host 192.168.1.118 eq ntp log (643 matches)
    permit udp host 192.186.1.114 host 192.168.1.118 eq snmp log (5950 matches)
    deny udp any host 192.168.1.118 eq snmp log
    permit ip any any (732 matches)
    deny tcp any host 192.168.1.118 eq 123 log

For the future, what can I do to do it properly?
Could you give me an example?

Thank you so much

On Thu, Feb 5, 2009 at 12:48 AM, Tony Varriale wrote:
> conf t
> ip access-list ext 140
>
> But, based on your output, I'd guess your IOS doesn't support sequenceable
> ACLs.
>
> What code are you running?
>
> tv
> ----- Original Message ----- From: "Deric Kwok"
> To:
> Sent: Wednesday, February 04, 2009 8:26 PM
> Subject: [c-nsp] How to add new rule in the same access-list
>
>
> Hi
>>
>> I have old rule in the switch but don't know how to add new rule in the
>> same
>> access-list
>>
>> When I add new deny rule, it will be put at the end of the access-list
>>
>> If I remove the access-list 140, I have to re-type all lines again.
>>
>> Please help.
>>
>> Thank you
>>
>>
>>
>> switch#sh access-list 140
>> Extended IP access list 140
>>     deny udp any host 192.168.1.118 eq ntp log (4 matches)
>>     permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log
>>     deny udp any host 192.168.1.118 eq snmp log
>>     permit ip any any (49 matches)
>>
>> switch#config t
>> Enter configuration commands, one per line. End with CNTL/Z.
>> switch(config)#access-list 140 deny tcp any host 192.168.1.118 eq 123 log
>>
>>
>>
>> switch#sh ip access-lists 140
>> Extended IP access list 140
>>     deny udp any host 192.168.1.118 eq ntp log (6 matches)
>>     permit udp host 192.168.1.114 host 192.168.1.118 eq snmp log (35 matches)
>>     deny udp any host 192.168.1.118 eq snmp log
>>     permit ip any any (174 matches)
>>     deny tcp any host 192.168.1.118 eq 123 log
>

From perc69 at gmail.com Thu Feb 5 08:58:21 2009
From: perc69 at gmail.com (Pelle)
Date: Thu, 5 Feb 2009 14:58:21 +0100
Subject: [c-nsp] Ethernet VPN circuits
In-Reply-To: <4947ADE167854B32B3F41418CFEE4FF0@EU.corp.clearwire.com>
References: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com> <004201c986dd$1299bf10$37cd3d30$@org.uk> <4947ADE167854B32B3F41418CFEE4FF0@EU.corp.clearwire.com>
Message-ID: <746ca6da0902050558v10b9f0f0j8a40b117f26f5011@mail.gmail.com>

Hi.

> 2) Can I pass the double tag through my switch to our 7206 and configure a
> double dot1q [outer tag].[inner tag] on my subinterface ?

Yes, but of course it depends on the IOS you are running.
From a 7206VXR/NPE-G2 running SRC2:

lotta(config)#int GigabitEthernet0/2.123123
lotta(config-subif)#encapsulation dot1Q 123 ?
  native        Make this as native vlan
  second-dot1q  Configure this subinterface as a 1Q-in-1Q subinterface
lotta(config-subif)#encapsulation dot1Q 123 second-dot1q 123 ?

--
Pelle

From steve at ibctech.ca Thu Feb 5 09:02:02 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 05 Feb 2009 09:02:02 -0500
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <40d8a95a0902050541w67d7c382yd23b9017e0cf8c5a@mail.gmail.com>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <65DFE63F24D74C3C844F4312D00A5CDD@flamdt01> <40d8a95a0902050541w67d7c382yd23b9017e0cf8c5a@mail.gmail.com>
Message-ID: <498AF15A.9080608@ibctech.ca>

Deric Kwok wrote:
> Hi Tony
>
> You are right. I think my IOS (version 12.0) can't support the numbering
>
> switch#sh access-list 140
> Extended IP access list 140
>     deny udp any host 192.168.1.118 eq ntp log (643 matches)
>     permit udp host 192.186.1.114 host 192.168.1.118 eq snmp log (5950 matches)
>     deny udp any host 192.168.1.118 eq snmp log
>     permit ip any any (732 matches)
>     deny tcp any host 192.168.1.118 eq 123 log
>
> For the future, what can I do to do it properly?
> Could you give me an example?

#sh access-lists
Extended IP access list 110
    permit ip 142.x.x.0 0.0.0.255 208.70.104.0 0.0.7.255
    permit ip 208.70.111.68 0.0.0.3 any
    deny ip any any

# sh run
interface FastEthernet0/1.760
 ip access-group 110 in

...now to change, do a show run, copy the entire ACL 110 list and put it into a text editor, add/remove the needed lines, then:

# conf t
# int fa0/1.760
# no ip access-group 110 in

...go back to global config context, and paste back in the updated access list, and re-apply the list as an access-group back on the interface.
Steve

From oboehmer at cisco.com Thu Feb 5 09:11:36 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 5 Feb 2009 15:11:36 +0100
Subject: [c-nsp] Use "plain old IP" for non-VRF traffic?
In-Reply-To: <498AEB39.9090105@imperial.ac.uk>
References: <498AE4E5.9050101@imperial.ac.uk> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E86B@xmb-ams-333.emea.cisco.com> <498AEB39.9090105@imperial.ac.uk>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E903@xmb-ams-333.emea.cisco.com>

Phil Mayers wrote on Thursday, February 05, 2009 14:36:
> Oliver Boehmer (oboehmer) wrote:
>> Phil Mayers <> wrote on Thursday, February 05, 2009 14:09:
>>
>>> We have an MPLS L3VPN-based network, and I want to use plain-old
>>> IPv4 (no labels) for the non-VRF traffic.
>>>
>>> The reason I want to do this is we're seeing a bug related to
>>> VACL-capture - packets whose next-hop is a label-imposition are not
>>> captured. I'm going to deal with that separately via TAC, but we
>>> need the VACL capture to work ASAP.
>>
>> unless you are using BGP to carry IPv4 (plain old) prefixes, you can
>
> Sadly, we are doing that.

Well, then I don't know any other solution than using a different BGP next-hop for vpnv4 and for ipv4, and restrict label advertisement to the vpnv4 next-hop.

oli

From steve at ibctech.ca Thu Feb 5 09:25:32 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 05 Feb 2009 09:25:32 -0500
Subject: [c-nsp] One more issue regarding iBGP-OSPF
Message-ID: <498AF6DC.3010703@ibctech.ca>

I'm having a little more trouble trying to put my finger on why a PtP address block, announced successfully via iBGP, is improperly routed recursively if I don't put it into my OSPF config.
Right off the bat, I know that having the 111.x space on both sides of rtrB is completely breaking aggregation, but I really want to understand the problem before I look further at that:

rtrA-111.65/30---111.66/30-rtrB-111.69/30---111.70/30-rtrC

rtrA lo10 = 172.16.104.1/32
rtrB lo10 = 172.16.104.2/32
rtrC == client with eBGP peering to rtrB

In order for things to work as expected, I have to have the 111.68 and 111.64 in OSPF on rtrB, and the 111.64 on rtrA

network 172.16.104.x 0.0.0.0 area 0
network 208.70.111.64 0.0.0.3 area 0
network 208.70.111.68 0.0.0.3 area 0

Both of these routes are already in iBGP, but not used with OSPF running:

B    208.70.111.68/30 [200/0] via 172.16.104.2, 1d11h35m

...but if I take them out of OSPF, then rtrA inserts the BGP learnt route into the table, and makes it recursive via 192.168.222.1/32, which is my null interface.

That then immediately breaks the route to the client as well, as .70 is null-routed.

Have I described my issue clearly enough for someone to see what I am missing?

Thanks,

Steve

From oboehmer at cisco.com Thu Feb 5 10:42:29 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 5 Feb 2009 16:42:29 +0100
Subject: [c-nsp] One more issue regarding iBGP-OSPF
In-Reply-To: <498AF6DC.3010703@ibctech.ca>
References: <498AF6DC.3010703@ibctech.ca>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com>

Steve Bertrand <> wrote on Thursday, February 05, 2009 15:26:

> I'm having a little more trouble trying to put my finger on why a PtP
> address block, announced successfully via iBGP is improperly routed
> recursively if I don't put it into my OSPF config.
>
> Right off the bat, I know that having the 111.x space on both sides of
> rtrB is completely breaking aggregation, but I really want to
> understand the problem before I look further at that:
>
> rtrA-111.65/30---111.66/30-rtrB-111.69/30---111.70/30-rtrC
>
> rtrA lo10 = 172.16.104.1/32
> rtrB lo10 = 172.16.104.2/32
> rtrC == client with eBGP peering to rtrB
>
> In order for things to work as expected, I have to have the 111.68 and
> 111.64 in OSPF on rtrB, and the 111.64 on rtrA
>
> network 172.16.104.x 0.0.0.0 area 0
> network 208.70.111.64 0.0.0.3 area 0
> network 208.70.111.68 0.0.0.3 area 0

well, this sounds logical to me as you want to run OSPF between rtrA and rtrB, don't you? So you have to enable OSPF on the interface.
There shouldn't be a reason to put .68 into OSPF as you seem to be using next-hop-self on rtrB, so the next-hop is the loopback (advertised via OSPF).

> Both of these routes are already in iBGP, but not used with OSPF
> running:
>
> B 208.70.111.68/30 [200/0] via 172.16.104.2, 1d11h35m

this is expected as OSPF has a lower admin distance.

> ...but if I take them out of OSPF, then rtrA inserts the BGP learnt
> route into the table, and makes it recursive via 192.168.222.1/32,
> which is my null interface.
>
> That then immediately breaks the route to the client as well, as .70
> is null-routed.

Well, see above: With OSPF not enabled between rtrA and B, rtrA cannot resolve the next-hop loopback..

> Have I described my issue clearly enough for someone to see what I am
> missing?

Not sure, I might also be missing something obvious, and possibly also missing what you're trying to achieve..
oli

From steve at ibctech.ca Thu Feb 5 10:47:57 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 05 Feb 2009 10:47:57 -0500
Subject: [c-nsp] One more issue regarding iBGP-OSPF
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com>
References: <498AF6DC.3010703@ibctech.ca> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com>
Message-ID: <498B0A2D.6020802@ibctech.ca>

Oliver Boehmer (oboehmer) wrote:
> Steve Bertrand <> wrote on Thursday, February 05, 2009 15:26:
>
>> I'm having a little more trouble trying to put my finger on why a PtP
>> address block, announced successfully via iBGP is improperly routed
>> recursively if I don't put it into my OSPF config.
>>
>> Right off the bat, I know that having the 111.x space on both sides of
>> rtrB is completely breaking aggregation, but I really want to
>> understand the problem before I look further at that:
>>
>> rtrA-111.65/30---111.66/30-rtrB-111.69/30---111.70/30-rtrC
>>
>> rtrA lo10 = 172.16.104.1/32
>> rtrB lo10 = 172.16.104.2/32
>> rtrC == client with eBGP peering to rtrB
>>
>> In order for things to work as expected, I have to have the 111.68 and
>> 111.64 in OSPF on rtrB, and the 111.64 on rtrA
>>
>> network 172.16.104.x 0.0.0.0 area 0
>> network 208.70.111.64 0.0.0.3 area 0
>> network 208.70.111.68 0.0.0.3 area 0
>
> well, this sounds logical to me as you want to run OSPF between rtrA and
> rtrB, don't you? So you have to enable OSPF on the interface.
> There shouldn't be a reason to put .68 into OSPF as you seem to be using
> next-hop-self on rtrB, so the next-hop is the loopback (advertised via
> OSPF).

I'm not using next-hop-self. I've read that it is preferable to not use it, but I will if I have to. My point was that when I remove .68 from OSPF (which is my objective), the BGP learnt route automatically sets the next-hop to .68 recursive via my null interface IP (192.168.222.1).
The next-hop really needs to be set to either 172.16.104.2 (lo), or 208.70.111.66 (ptp next-hop).

Is next-hop-self the only way around this behaviour (besides using a static route)?

>> Both of these routes are already in iBGP, but not used with OSPF
>> running:
>>
>> B 208.70.111.68/30 [200/0] via 172.16.104.2, 1d11h35m
>
> this is expected as OSPF has a lower admin distance.

Indeed.

>> ...but if I take them out of OSPF, then rtrA inserts the BGP learnt
>> route into the table, and makes it recursive via 192.168.222.1/32,
>> which is my null interface.
>>
>> That then immediately breaks the route to the client as well, as .70
>> is null-routed.
>
> Well, see above: With OSPF not enabled between rtrA and B, rtrA cannot
> resolve the next-hop loopback..

What my goal is, is to have only loopbacks in OSPF, and nothing else. I'll need to toy with next-hop-self to fix the issue.

Thanks for the feedback.

Steve

From swmike at swm.pp.se Thu Feb 5 10:53:53 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 5 Feb 2009 16:53:53 +0100 (CET)
Subject: [c-nsp] One more issue regarding iBGP-OSPF
In-Reply-To: <498B0A2D.6020802@ibctech.ca>
References: <498AF6DC.3010703@ibctech.ca> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com> <498B0A2D.6020802@ibctech.ca>
Message-ID:

On Thu, 5 Feb 2009, Steve Bertrand wrote:

> I'm not using next-hop-self. I've read that it is preferable to not use
> it, but I will if I have to. My point was that when I remove .68 from
> OSPF (which is my objective), the BGP learnt route automatically sets
> the next-hop to .68 recursive via my null interface IP (192.168.222.1).
> The next-hop really needs to be set to either 172.16.104.2 (lo), or
> 208.70.111.66 (ptp next-hop).

BCP is to have all BGP next-hops in your IGP.

> What my goal is, is to have only loopbacks in OSPF, and nothing else.
> I'll need to toy with next-hop-self to fix the issue.

Yes, if you only want loopbacks in OSPF, then use next-hop-self.
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From steve at ibctech.ca Thu Feb 5 10:58:45 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 05 Feb 2009 10:58:45 -0500
Subject: [c-nsp] One more issue regarding iBGP-OSPF
In-Reply-To:
References: <498AF6DC.3010703@ibctech.ca> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0E9D1@xmb-ams-333.emea.cisco.com> <498B0A2D.6020802@ibctech.ca>
Message-ID: <498B0CB5.1000300@ibctech.ca>

Mikael Abrahamsson wrote:
> On Thu, 5 Feb 2009, Steve Bertrand wrote:
>
>> I'm not using next-hop-self. I've read that it is preferable to not use
>> it, but I will if I have to. My point was that when I remove .68 from
>> OSPF (which is my objective), the BGP learnt route automatically sets
>> the next-hop to .68 recursive via my null interface IP (192.168.222.1).
>> The next-hop really needs to be set to either 172.16.104.2 (lo), or
>> 208.70.111.66 (ptp next-hop).
>
> BCP is to have all BGP next-hops in your IGP.

Ok, thank you. This is what I needed to know ;)

Steve

From jay at west.net Thu Feb 5 11:49:58 2009
From: jay at west.net (Jay Hennigan)
Date: Thu, 05 Feb 2009 08:49:58 -0800
Subject: [c-nsp] access list help
In-Reply-To: <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org> <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com>
Message-ID: <498B18B6.4050300@west.net>

Deric Kwok wrote:
> I am using this 3500 switch as switch.
> As I can't access my switch now, I can get sh ip access-list

If you weren't able to save the change because you made it via IP (telnet or HTTP), reboot the switch and you'll be able to get in again. Otherwise, you'll need to use a console cable locally at the switch.

> You mean my access-list is only for router not switch?
IP access-lists are only for routers (or as you discovered, for controlling traffic to the switch itself.)

> In this case, how can I do to not allow www traffic to 192.168.0.115 in
> switch?

You don't. You do it in the router. A layer 2 switch is unaware of IP addresses or applications with regard to traffic passing through the switch. Because the switch doesn't examine or process IP address, protocol, or port information, it can't filter it.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From gary.ciscomail at gmail.com Thu Feb 5 11:50:47 2009
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Thu, 5 Feb 2009 16:50:47 +0000
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
Message-ID:

Hello all

Can someone look up which AS is advertising the 146.105.0.0 /16 network for me, thanks.

Gary

From nicotine at warningg.com Thu Feb 5 11:04:23 2009
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 5 Feb 2009 10:04:23 -0600
Subject: [c-nsp] vpn client issues with ASA
In-Reply-To: <200902050541.39115.jaldrich@blueridgecarpet.com>
References: <200902050541.39115.jaldrich@blueridgecarpet.com>
Message-ID: <20090205160423.GA8176@biological.warningg.com>

On Thu, Feb 05, 2009 at 05:41:39AM -0500, John Aldrich wrote:
> We just upgraded our firewall from a Pix to an ASA, and now, for some
> reason, even though we have it specified in the VPN Client software, we are
> having to enter our password every time. Is this a feature of the ASA or is
> it configurable? We never had to do this before, and it's rather annoying. I
> don't think it's the client as I never had to do this before, and also, I
> set up a new connection from scratch and it required the password as well
> when connecting.
> Any suggestions?
You need to add "isakmp ikev1-user-authentication none" to the RA tunnel-group to disable XAUTH.

--
Brandon Ewing (nicotine at warningg.com)

From gary.ciscomail at gmail.com Thu Feb 5 11:56:59 2009
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Thu, 5 Feb 2009 16:56:59 +0000
Subject: [c-nsp] Using the same IP range in different VRFs - best practice
Message-ID:

Hi all

Can anyone point me towards a document that outlines best practices to use regarding natting of IP addresses for customers in different VRFs. For example, when to use the same 'outside' addresses across multiple VRFs and when to use individual 'static' translations. I need something like an SRND.

Thanks.

Gary

From sigurbjornl at vodafone.is Thu Feb 5 12:00:44 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Thu, 05 Feb 2009 17:00:44 +0000
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
Message-ID:

AS702

BR,
Sibbi

On 5.2.2009 16:50, "Gary Roberton" wrote:

> 146.105.0.0

From christian at broknrobot.com Thu Feb 5 12:01:13 2009
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 5 Feb 2009 12:01:13 -0500
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
References:
Message-ID:

use a route server?

On Thu, Feb 5, 2009 at 11:50 AM, Gary Roberton wrote:
> Hello all
>
> Can someone look up which AS is advertising the 146.105.0.0 /16 network for
> me, thanks.
>
> Gary

From jay at west.net Thu Feb 5 12:03:07 2009
From: jay at west.net (Jay Hennigan)
Date: Thu, 05 Feb 2009 09:03:07 -0800
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
References:
Message-ID: <498B1BCB.2070206@west.net>

Gary Roberton wrote:
> Hello all
>
> Can someone look up which AS is advertising the 146.105.0.0 /16 network for
> me, thanks.

I don't know who is advertising it for you, but AS702 is advertising it on all of our feeds.

Hint: Google "BGP looking glass".

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From blahu77 at gmail.com Thu Feb 5 12:05:53 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Thu, 5 Feb 2009 17:05:53 +0000 (IST)
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
Message-ID:

as-name:  AS702
descr:    Verizon Business EMEA - Commercial IP service provider in Europe

2009/2/5 Gary Roberton :
> Hello all
>
> Can someone look up which AS is advertising the 146.105.0.0 /16 network for
> me, thanks.
>
> Gary

--
pgp-key 0x1C655CAB
From paul at paulstewart.org Thu Feb 5 12:03:04 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 5 Feb 2009 12:03:04 -0500
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To:
References:
Message-ID: <001a01c987b3$9c8a60e0$d59f22a0$@org>

AS702 from here.... any public looking glass sites could tell you this and show you from various perspectives too... http://www.traceroute.org

Hope this helps...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary Roberton
Sent: Thursday, February 05, 2009 11:51 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.

Hello all

Can someone look up which AS is advertising the 146.105.0.0 /16 network for me, thanks.

Gary

From SIngram at clayton.com Thu Feb 5 13:41:26 2009
From: SIngram at clayton.com (Scott Ingram)
Date: Thu, 5 Feb 2009 13:41:26 -0500
Subject: [c-nsp] FW: effectively breaking EIGRP / BGP redistribution count-to-infinity loops
References:
Message-ID:

My environment is 2 routers and 2 multihomed MPLS providers running EIGRP and BGP with redistribution. When I have failovers between MPLS providers I run into random infinity loops. Is there a way where I could establish the 2 BGP AS numbers to be shared? I think that would help the looping issues with redistribution.
my main issue is:

- source traffic uses service provider A and return trip uses service provider B during an outage with either service provider A OR B
- routing loops when trying to trace to an ip addr; loop happens where service provider A route table shows route is active, looping back and forth to source service provider B

From deric.kwok2000 at gmail.com Thu Feb 5 15:47:41 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Thu, 5 Feb 2009 15:47:41 -0500
Subject: [c-nsp] many interfaces in router, how to easy use the access-list rules
Message-ID: <40d8a95a0902051247sf8d9277n9a49eb2ebdf81e1@mail.gmail.com>

Hi

I just try to put permit and deny rules in my router, eg: for http access

eg: I have 3 ip addresses in the router in different interfaces 0 and 1

What is the easy way to put access-lists for permit and deny to access http in the router?

eg: my router interfaces 192.168.0.1/29, 192.168.3.1/24........

access-list permit tcp outsideip1 to 192.168.0.1 eq www
access-list permit tcp outsideip1 to 192.168.3.1 eq www
access-list permit tcp outsideip2 to 192.168.0.1 eq www
access-list permit tcp outsideip2 to 192.168.0.1 eq www
xxxxxx
xxxxxxx
access-list deny tcp any 192.168.0.1 eq www
xxxx

It will have many access-list rules for http only

Thank you

From David at hughes.com.au Thu Feb 5 16:31:23 2009
From: David at hughes.com.au (David Hughes)
Date: Fri, 6 Feb 2009 07:31:23 +1000
Subject: [c-nsp] Fast UDLD timers in SXI?
In-Reply-To: <20090205072426.GU290@greenie.muc.de>
References: <23F34D6E-4028-4FB0-9A79-84EF9FCD244C@hughes.com.au> <20090203071550.GU290@greenie.muc.de> <5AF9A9CB79719D4C8F367CE2056BE0312451EFA290@mumble.dupas.be> <45380261-31C7-4FF9-B5C7-D236EB4901A7@hughes.com.au> <1233758875.6907.22.camel@mauritzlewies> <20090205072426.GU290@greenie.muc.de>

Thanks Gert. That's not the news I was hoping for. I'll take it up with Cisco and find out what "UDLD Enhancements" are actually in SXI.

I appreciate your help.

David
...

On 05/02/2009, at 5:24 PM, Gert Doering wrote:

> Hi,
>
> On Thu, Feb 05, 2009 at 02:54:53PM +1000, David Hughes wrote:
>> (config)#udld message time ?
>> <7-90> Time in seconds between sending of messages in steady state
>
> SXI, Sup32:
>
> Cisco-M(config)#udld message time ?
> <7-90> Time in seconds between sending of messages in steady state
>
> gert
> --
> USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From jloiacon at csc.com Thu Feb 5 16:57:05 2009
From: jloiacon at csc.com (Joe Loiacono)
Date: Thu, 5 Feb 2009 16:57:05 -0500
Subject: [c-nsp] Rancid and commercial config management tools

I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?

Thanks,

Joe Loiacono

From llc at dansketelecom.com Thu Feb 5 17:09:04 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Thu, 5 Feb 2009 23:09:04 +0100
Subject: [c-nsp] Rancid and commercial config management tools
Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F2FA@mail.office.dansketelecom.com>

Hi Joe

I would probably recommend Kiwi CatTools http://www.kiwisyslog.com/kiwi-cattools-overview/, a Windows based application. We used it for a couple of years, but I believe RANCID is more scalable from my perspective...

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292

Danske Telecom A/S
Sundkrogsgade 13, 4
2100 København Ø

From vijay.ramcharan at verizonbusiness.com Thu Feb 5 17:12:33 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Thu, 05 Feb 2009 22:12:33 +0000
Subject: [c-nsp] Rancid and commercial config management tools

We use Opsware NAS. I haven't configured it or anything but it is quite commercial and can do nice things like configuration checks against a standard policy, notifications of config changes, config automation and things like that.

Vijay Ramcharan

From ptimmins at clearrate.com Thu Feb 5 17:15:50 2009
From: ptimmins at clearrate.com (Paul G. Timmins)
Date: Thu, 5 Feb 2009 17:15:50 -0500
Subject: [c-nsp] Rancid and commercial config management tools

If I were you, I'd package up Rancid, call it "JoeWare", and bill them a ton for it. :)

From alexmoya at bellsouth.net Thu Feb 5 17:53:02 2009
From: alexmoya at bellsouth.net (Alex Moya)
Date: Thu, 5 Feb 2009 17:53:02 -0500
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498A9572.6010608@rollernet.us>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us>
Message-ID: <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net>

You can add lines if you use sequence numbers on your ACL. What version are you using?

Sent from my iPhone

On Feb 5, 2009, at 2:29 AM, Seth Mattinen wrote:

> Deric Kwok wrote:
>> Hi
>>
>> I have an old rule in the switch but don't know how to add a new rule in the same access-list.
>>
>> When I add a new deny rule, it will be put at the end of the access-list.
>>
>> If I remove the access-list 140, I have to re-type all lines again.
>>
>
> That's correct. You need to remove and recreate it in the correct order lacking sequences.
>
> ~Seth

From alasdairm at gmail.com Thu Feb 5 18:13:24 2009
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Thu, 5 Feb 2009 23:13:24 +0000
Subject: [c-nsp] Rancid and commercial config management tools
Message-ID: <1EF5B5B6-210A-4CED-A0B2-22860BE68413@gmail.com>

I use a tool called Network Configuration Store to track device configurations. I use it because I made it but.... it solved a problem I had and I see no reason to replace it :-p

Version 3.x requires a Windows system and IIS but everything else is free.
It's got a reasonable GUI (nice and easy) and is fairly self contained with just a few dependencies. Also fires out e-mail alerts if you give it an SMTP server.

http://sf.net/projects/ncs

*** end of plug ! ***

From justin at justinshore.com Thu Feb 5 19:01:09 2009
From: justin at justinshore.com (Justin Shore)
Date: Thu, 05 Feb 2009 18:01:09 -0600
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
Message-ID: <498B7DC5.7060803@justinshore.com>

I'm curious to see what everyone's take is on handling the addressing of customer-facing DS1s. Rather than provision a /30 per customer and waste IP space I'm planning on using IP unnumbered to a loopback for the vast majority of our most basic DS1 customers. They'll get assigned 1 IP out of the pool and if they request (and pay for) any more then I'll static route their allocation to their pool IP.

We'll also request that they only use the statically-routed subnet for server assignments and not PAT their pool IP; that way they can be migrated to our LRE solution with minimal IP and DNS changes as LRE becomes available in their local CO.

I'm prepared to offer /30s where needed of course, in case their CPE runs into trouble for some reason or in case they wig out over the thought of their external interface being in the same bcast domain as other customers. I'm actually looking at options to restrict bcasts between IP unnumbered serial interfaces too. We need to allow direct access between the sites but not bcast.

One of my concerns is QoS. We'll be offering QoS-enabled VoIP over these DS1s in some cases. Can I still use service-policies on physical interfaces or would it have to be on the loopback and apply to all users? I have not tried QoS and IP unnumbered yet. Perhaps VoIP circuits will have to be addressed with /30s (or /31s since we're managing the CE in VoIP installations).

I know that IP unnumbered works in general; I'm just wondering if anyone has already done it in production and run into problems? My goal is to not waste IP space on network and bcast addresses where possible. No, I'm not going to assign /31s; customers just won't be able to comprehend that, especially when the IOS throws a warning message when you assign a /31 to an interface. I use /31s internally but not for customer links. IP unnumbered wastes the least amount of IP space. Since we're targeting our services at the low-end of the SMB market who are most likely already on CATV or RBE DSL and share a bcast domain with their neighbors already, I don't envision IP unnumbered to be a big deal. I'm looking for guidance though. Thoughts?

Thanks
Justin

From sethm at rollernet.us Thu Feb 5 20:03:29 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 05 Feb 2009 17:03:29 -0800
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net>
Message-ID: <498B8C61.9060408@rollernet.us>

Alex Moya wrote:
> You can add lines if you use sequence numbers on your ACL. What version are you using?
>
> On Feb 5, 2009, at 2:29 AM, Seth Mattinen wrote:
>
>> That's correct. You need to remove and recreate it in the correct order lacking sequences.
>>

Like I said, if he doesn't have sequences (which based on the information given in the original question I can only assume he doesn't have an IOS that supports it on old-skool access lists).

~Seth

From abalashov at evaristesys.com Thu Feb 5 20:48:35 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Thu, 05 Feb 2009 20:48:35 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B7DC5.7060803@justinshore.com>
References: <498B7DC5.7060803@justinshore.com>
Message-ID: <498B96F3.8060204@evaristesys.com>

The problem mainly has to do with troubleshooting. Sometimes you need to know whether a customer's CPE is genuinely down on the WAN side, and not necessarily the LAN interface where the head of the routed block typically is. To make that work, it helps to have real transport IPs on the WAN interface.
There is no reason why you need to "waste" IP addresses on the /30s - who said they have to be public IPs? Just carve out some address space out of a 10.0.0.0/8 range and use private transport IPs. All you need them for is to test end-to-end connectivity from the aggregation router on your side, not for any other reachability purpose.

If they pay for 1 static IP you can throw it up on a loopback interface on the other side and add a /32 route for it over the transport /30 block.

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From damin at nacs.net Thu Feb 5 20:09:43 2009
From: damin at nacs.net (Gregory Boehnlein)
Date: Thu, 5 Feb 2009 20:09:43 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B7DC5.7060803@justinshore.com>
References: <498B7DC5.7060803@justinshore.com>
Message-ID: <01f801c987f7$983bd660$c8b38320$@net>

> I'm curious to see what everyone's take is on handling the addressing of customer-facing DS1s. Rather than provision a /30 per customer and waste IP space I'm planning on using IP unnumbered to a loopback for the vast majority of our most basic DS1 customers. They'll get assigned 1 IP out of the pool and if they request (and pay for) any more then I'll static route their allocation to their pool IP. We'll also request that they only use the statically-routed subnet for server assignments and not PAT their pool IP; that way they can be migrated to our LRE solution with minimal IP and DNS changes as LRE becomes available in their local CO.

This is very similar to what we do. While we have several customers that need larger subnets, the majority of our customers are using IP Unnumbered. In some cases, we will provide the customer a /29 if they need additional external IP addresses, but the configuration on their router uses the low IP in the /29 as its loopback interface. We send our default route out of the interface, rather than to the remote gateway IP, so if we change the IP of the loopback on our side, we do not need to adjust anything for the customer.

> One of my concerns is QoS. We'll be offering QoS-enabled VoIP over these DS1s in some cases. Can I still use service-policies on physical interfaces or would it have to be on the loopback and apply to all users? I have not tried QoS and IP unnumbered yet. Perhaps VoIP circuits will have to be addressed with /30s (or /31s since we're managing the CE in VoIP installations).

We use outbound service policies on unnumbered interfaces just fine:

  interface Serial10/1/0/3:0
   description L3 OH/XXXX/XXXX to XXXXXXX channel 12
   ip unnumbered Loopback0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   service-policy output llq
   no fair-queue
   down-when-looped
   no clns route-cache

And the routing statement:

  ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA

> I know that IP unnumbered works in general; I'm just wondering if anyone has already done it in production and run into problems? My goal is to not waste IP space on network and bcast addresses where possible. No, I'm not going to assign /31s; customers just won't be able to comprehend that, especially when the IOS throws a warning message when you assign a /31 to an interface. I use /31s internally but not for customer links. IP unnumbered wastes the least amount of IP space. Since we're targeting our services at the low-end of the SMB market who are most likely already on CATV or RBE DSL and share a bcast domain with their neighbors already, I don't envision IP unnumbered to be a big deal. I'm looking for guidance though. Thoughts?

I've been doing ip unnumbered since 1995 in production and it "just works". There are undoubtedly some routers out there that might have issues, but any Cisco device should be able to handle things just fine.

From mike-cisconsplist at tiedyenetworks.com Thu Feb 5 23:08:22 2009
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Thu, 05 Feb 2009 20:08:22 -0800
Subject: [c-nsp] setting source address for icmp messages
Message-ID: <498BB7B6.9010509@tiedyenetworks.com>

Hello,

I'm trying to learn how to get my 7204vxr to not send icmp messages with the source ip of the interface the message is being sent out. I have a public ip on my loopback and thought this was what ios preferred if it exists? I have some other interfaces which have 10.x.x.x addresses and icmp messages like host unreachable and such are sourced from this, which is undesirable due to inbound filtering at many sites at their gateways for rfc1918 and other bogon addresses.

Am I being silly to want this or is there something I can do to get my way here?

Tks.

Mike-

From hill.matt.w at edumail.vic.gov.au Thu Feb 5 23:19:03 2009
From: hill.matt.w at edumail.vic.gov.au (Hill, Matt W)
Date: Fri, 6 Feb 2009 15:19:03 +1100
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <498BB7B6.9010509@tiedyenetworks.com>
References: <498BB7B6.9010509@tiedyenetworks.com>

Hi Mike,

Try this:

  Ping ip
  Extended commands <- press "y"

Then you can specify the source.

Cheers,
Matt

--
Matt Hill
CCIE #22386
p: +61 3 9637 3509 | m: +61 4 1330 3635 | f: +61 3 96372600 |
e: hill.matt.w at edumail.vic.gov.au
Data Communications Consultant | Infrastructure Engineering | ITD | DEECD
Level 2 East, 2 Treasury Place, East Melbourne, Victoria, Australia, 3002

From dale.shaw+cisco-nsp at gmail.com Thu Feb 5 23:50:42 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Fri, 6 Feb 2009 15:50:42 +1100
Subject: [c-nsp] setting source address for icmp messages
References: <498BB7B6.9010509@tiedyenetworks.com>
Message-ID: <3329cbb40902052050s10857e0dq4a256babeca3df9d@mail.gmail.com>

Hi,

When I read the OP I figured he was talking about automatically generated ICMP messages (e.g. unreachables, source quench), not pings sent for administrative purposes (or IP SLAs or whatever).

I don't personally know of an elegant way to achieve this. One potentially undesirable option might be to disable unreachables ("no ip unreachables") on the privately-addressed interfaces.

Why are the messages being generated anyway? No route? ACL violation?

Sending the messages sourced with an address of anything but the interface where the packet landed probably violates some RFC. I _can_ see why you (Mike) want to do this. Such packets (sourced with RFC1918 addresses) should be explicitly nailed at the perimeter anyway.

cheers,
Dale

From rens at autempspourmoi.be Fri Feb 6 02:15:03 2009
From: rens at autempspourmoi.be (Rens)
Date: Fri, 6 Feb 2009 08:15:03 +0100
Subject: [c-nsp] Ethernet VPN circuits
In-Reply-To: <746ca6da0902050558v10b9f0f0j8a40b117f26f5011@mail.gmail.com>
References: <0F5612EF8E564E069536CCA12F5512F4@EU.corp.clearwire.com> <004201c986dd$1299bf10$37cd3d30$@org.uk> <4947ADE167854B32B3F41418CFEE4FF0@EU.corp.clearwire.com> <746ca6da0902050558v10b9f0f0j8a40b117f26f5011@mail.gmail.com>

Oki thanks,

Then I just need to make sure that the switch between the router & the circuit can be changed to a minimum 1504 system mtu, right?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pelle
Sent: Thursday, 5 February 2009 14:58
To: c-nsp
Subject: Re: [c-nsp] Ethernet VPN circuits

Hi.

> 2) Can I pass the double tag through my switch to our 7206 and configure a double dot1q [outer tag].[inner tag] on my subinterface ?

Yes, but of course it depends on the IOS you are running.

From a 7206VXR/NPE-G2 running SRC2:

  lotta(config)#int GigabitEthernet0/2.123123
  lotta(config-subif)#encapsulation dot1Q 123 ?
    native        Make this as native vlan
    second-dot1q  Configure this subinterface as a 1Q-in-1Q subinterface
  lotta(config-subif)#encapsulation dot1Q 123 second-dot1q 123 ?
--
Pelle

From perc69 at gmail.com Fri Feb 6 03:19:57 2009
From: perc69 at gmail.com (Pelle)
Date: Fri, 6 Feb 2009 09:19:57 +0100
Subject: [c-nsp] many interfaces in router, how to easy use the access-list rules
In-Reply-To: <40d8a95a0902051247sf8d9277n9a49eb2ebdf81e1@mail.gmail.com>
References: <40d8a95a0902051247sf8d9277n9a49eb2ebdf81e1@mail.gmail.com>
Message-ID: <746ca6da0902060019w41fa7544x29dd17a2199e5de@mail.gmail.com>

Hi.

> What is the easy way to put an access-list for permit and deny to access http in the router?

If you want an *easy* way, you can protect the http process with an ACL:

  ip http access-class

See: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_08.html#wp1020105

This is not as "safe" as protecting all ingress interfaces, but it works. An ingress ACL is better because unwanted packets are dropped using fewer resources, especially on a hardware platform.

--
Pelle

From p.mayers at imperial.ac.uk Fri Feb 6 03:41:23 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 6 Feb 2009 08:41:23 +0000
Subject: [c-nsp] VACL capture - is this supposed to work
Message-ID: <20090206084123.GB27732@wildfire.net.ic.ac.uk>

We have this config on a 6500/sup720:

  int Vlan3799
   description upstream
   ip address ...
  int Vlan4000
   description core
   ip address ...
   mpls ip
  vlan filter CAPTURE_HTTP vlan 3799
  int Gi9/1
   switchport
   switchport mode access
   switchport access vlan 3799
   switchport capture
   switchport capture allowed vlan 3799

...and the CAPTURE_HTTP map does:

  1. tcp port 80, capture & forward
  2. ip any any, forward

The intent is to capture inbound and outbound HTTP traffic, and log it with urlsnarf for legal compliance reasons. This *HAS* been working for months.

However, we did a recent upgrade of this router to 12.2(33)SXI and it stopped working - the VACL capture only seems to capture packets outbound, i.e. input on Vl4000, out on Vl3799. It does capture any CPU-punt packets in the other direction.

At first I thought it was a bug in SXI, but we failed our default route over to another 6500 running SXF9 with the same config, and it suffers the same problem.

I had wondered if the problem was that the inbound traffic next-hop has an MPLS label imposed, but the other router is 1 hop away so uses plain-old IP, and it suffers the same.

So I'm baffled - we have a router that was running SXF10 for months with this config, no problem. Another with SXF9 doesn't work, nor does the original router with 12.2(33)SXI.

So, question: exactly what traffic should VACL capture actually *capture*? Is my config supported?

I have a TAC case open, but we're getting desperate - we need that URL logging, and a "normal" SPAN port generates way, way too much traffic - having the ACL to filter a sub-set is important.

  sh tcam int vl3799 acl in/out ip det

...shows appropriate TCAM entries with the CAP flag set.

Any pointers gratefully received.

From A.L.M.Buxey at lboro.ac.uk Fri Feb 6 03:52:21 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 6 Feb 2009 08:52:21 +0000
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498B8C61.9060408@rollernet.us>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net> <498B8C61.9060408@rollernet.us>
Message-ID: <20090206085221.GA32648@lboro.ac.uk>

Hi,

> Like I said, if he doesn't have sequences (which based on the information given in the original question I can only assume he doesn't have an IOS that supports it on old-skool access lists).

Edit the access list on a tftp server and then, eg:

  copy tftp://server/accesslist-name.acl running-config

alan

From gert at greenie.muc.de Fri Feb 6 04:19:37 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:19:37 +0100
Subject: [c-nsp] access list help
In-Reply-To: <498B18B6.4050300@west.net>
References: <40d8a95a0902040602k832a73cycbb47472721c9710@mail.gmail.com> <4989A1D0.1040101@ibctech.ca> <40d8a95a0902040704o2c2dca16m53df244566866c59@mail.gmail.com> <0c15ddc49f527a89ec6f7f77e10da264.squirrel@webmail.pelican.org> <40d8a95a0902041024v20516bc8scc60752e209d5c97@mail.gmail.com> <498B18B6.4050300@west.net>
Message-ID: <20090206091937.GW290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 08:49:58AM -0800, Jay Hennigan wrote:
> You don't. You do it in the router. A layer 2 switch is unaware of IP addresses or applications with regard to traffic passing through the switch. Because the switch doesn't examine or process IP address, protocol, or port information, it can't filter it.

There are a few exceptions which I think are noteworthy here - the Catalyst 2950 and 2960 permit filtering on IP and TCP/UDP information, even if they are just "plain" layer 2 switches. The ACL capabilities are a bit restricted ("if it can't be mapped to TCAM it won't work") but it's still a very nice thing to have.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Feb 6 04:20:55 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:20:55 +0100
Subject: [c-nsp] Can someone look up which AS is advertising the 146.105.0.0 /16 network.
In-Reply-To: References: Message-ID: <20090206092055.GX290@greenie.muc.de> Hi, On Thu, Feb 05, 2009 at 04:50:47PM +0000, Gary Roberton wrote: > Can someone look up which AS is advertising the 146.105.0.0 /16 network for > me, thanks. Try: "telnet route-views.oregon-ix.net" and then "show ip bgp ..." route-views.oregon-ix.net>sh ip b 146.105.0.0 BGP routing table entry for 146.105.0.0/16, version 5677725 Paths: (33 available, best #23, table Default-IP-Routing-Table) Not advertised to any peer 3356 701 702 4.69.184.193 from 4.69.184.193 (4.68.3.50) Origin IGP, metric 0, localpref 100, valid, external Community: 3356:3 3356:22 3356:86 3356:575 3356:666 3356:2011 [...] "teach a man to fish"... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From gert at greenie.muc.de Fri Feb 6 04:35:08 2009 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 6 Feb 2009 10:35:08 +0100 Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s In-Reply-To: <498B7DC5.7060803@justinshore.com> References: <498B7DC5.7060803@justinshore.com> Message-ID: <20090206093508.GB290@greenie.muc.de> Hi, On Thu, Feb 05, 2009 at 06:01:09PM -0600, Justin Shore wrote: > I'm curious to see what everyone's take is on handling the addressing of > customer-facing DS1s. We run all our customers "ip unnumbered", whether it's E1/E3 or DSL customers. Since the first 64 kbit ISDN leased line... Exception: - customers on ethernet circuits - customers that require dynamic routing - customers with multiple circuits and failover (to be able to monitor the links independent of the customer service IPs) QoS, ACLs, etc. are tacked to the physical interface (or virtual, in case of DSL), never to the loopback. 
> I'm actually looking at options to restrict bcasts
> between IP unnumbered serial interfaces too. We need to allow direct
> access between the sites but not bcast.

Where should broadcasts come from...? There is nothing in your router that would turn "all serial links on this box" into "a big broadcast domain", except if you configure a bridge group (which is not a good plan).

> I know that IP unnumbered works in general; I'm just wondering if anyone
> has already done it in production and ran into problems? My goal is to
> not waste IP space on network and bcast addresses where possible.

Go for IPv6 :-)

gert

From gert at greenie.muc.de Fri Feb 6 04:38:42 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:38:42 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <01f801c987f7$983bd660$c8b38320$@net>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net>
Message-ID: <20090206093842.GC290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 08:09:43PM -0500, Gregory Boehnlein wrote:
> We send our default route out of the
> interface, rather than to the remote gateway IP, so if we change the ip of
> the loopback on our side, we do not need to adjust anything for the
> customer.

I can only second this. If you have a dedicated point-to-point interface for things, tacking the route on the interface is usually more robust than pointing towards a gateway IP that might not be there, or might be learned recursively over another interface, etc.

For multiaccess-links, *don't* do "ip route 0.0.0.0 0.0.0.0 eth0", of course (use "... eth0 ").
Just to make this very clear.

> ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA

One can tack a *name* to routes? Need to test this :-)

Does this name get carried in IGPs? Or is it just there in the config to document things?

gert

From gert at greenie.muc.de Fri Feb 6 04:40:56 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:40:56 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B96F3.8060204@evaristesys.com>
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com>
Message-ID: <20090206094056.GD290@greenie.muc.de>

Hi,

On Thu, Feb 05, 2009 at 08:48:35PM -0500, Alex Balashov wrote:
> There is no reason why you need to "waste" IP address on the /30s - who
> said they have to be public IPs? Just carve out some address space out
> of a 10.0.0.0/8 range and use private transport IPs.

RFC1918 (indirectly) says that this is not permitted.

(If you do this, ICMPs sourced by the remote router will send their packets with an RFC1918 source address, which is strictly not allowed. If you filter those packets, you'll break traceroute and PMTUd).

gert
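Gert's point above (ICMP errors sourced from RFC1918 transit-link addresses get dropped by bogon filters, which then breaks traceroute and path MTU discovery; Benny makes the same Packet-Too-Big point later in the thread) can be seen in a small simulation. The following Python is an added example, not code from the thread or from any vendor: the hop names, link addresses, MTUs and the sender's ingress filter are all constructed for illustration.

```python
"""Added example (not from the list thread or any vendor): simulate why ICMP
sourced from RFC 1918 transit-link addresses breaks traceroute and Path MTU
Discovery once an ingress bogon filter drops it. Hop names, link addresses,
MTUs and the filter are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Hop:
    name: str
    link_addr: str   # address this router sources ICMP errors from
    egress_mtu: int  # MTU of the link it forwards our packet onto


@dataclass
class Sender:
    """Host doing PMTUD: starts at its local MTU, lowers it on Packet-Too-Big."""
    pmtu: int
    filter_rfc1918: bool            # ingress ACL dropping ICMP from private sources
    dropped_icmp: list = field(default_factory=list)

    def receive_icmp(self, src: str, next_hop_mtu: int) -> bool:
        """Hand an ICMP Packet-Too-Big to the host stack, unless the ACL eats it."""
        if self.filter_rfc1918 and is_rfc1918(src):
            self.dropped_icmp.append(src)
            return False
        self.pmtu = min(self.pmtu, next_hop_mtu)
        return True


def send_df(sender: Sender, path: list, size: int):
    """Forward one DF packet hop by hop; the first hop whose egress MTU is too
    small emits Packet-Too-Big from its link address. Returns (delivered, hop)."""
    for hop in path:
        if size > hop.egress_mtu:
            sender.receive_icmp(hop.link_addr, hop.egress_mtu)
            return False, hop.name
    return True, None


def pmtud(sender: Sender, path: list, payload: int = 1500, max_rounds: int = 10):
    """Resend at the current PMTU until the packet gets through or we give up.
    Returns (delivered, rounds_used, final_pmtu)."""
    for rounds in range(1, max_rounds + 1):
        ok, _ = send_df(sender, path, min(payload, sender.pmtu))
        if ok:
            return True, rounds, sender.pmtu
        # If the ICMP was filtered the sender learned nothing and resends the
        # same size: this loop is the PMTUD black hole.
    return False, max_rounds, sender.pmtu


def traceroute_view(path: list, filter_rfc1918: bool) -> list:
    """What the sender's traceroute prints per hop: the hop's link address, or
    '*' when its TTL-exceeded reply comes from a filtered private source."""
    return ["*" if (filter_rfc1918 and is_rfc1918(h.link_addr)) else h.link_addr
            for h in path]


# Constructed path: the middle hop is a customer-facing /30 numbered out of
# 10/8, and it is also where the MTU drops (a tunnel or DS1 behind it).
PATH = [
    Hop("edge-1", "203.0.113.1", 1500),
    Hop("cust-pe", "10.1.1.2", 1400),
    Hop("cust-cpe", "198.51.100.1", 1500),
]


def demo():
    """Run both cases; returns ((delivered, rounds, pmtu) unfiltered, same filtered)."""
    unfiltered = pmtud(Sender(pmtu=1500, filter_rfc1918=False), PATH)
    filtered = pmtud(Sender(pmtu=1500, filter_rfc1918=True), PATH)
    return unfiltered, filtered


if __name__ == "__main__":
    print("traceroute, no filter :", traceroute_view(PATH, False))
    print("traceroute, bogon ACL :", traceroute_view(PATH, True))
    print("PMTUD, no filter      :", demo()[0])
    print("PMTUD, bogon ACL      :", demo()[1])
```

Without the filter the sender converges on a 1400-byte path MTU after one Packet-Too-Big; with the filter the middle hop shows up as `*` in traceroute and every retry of the full-size packet is silently lost, which is exactly the black hole that makes filtered private link addresses worse than "wasted" public /30s.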
From oboehmer at cisco.com Fri Feb 6 04:48:10 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 6 Feb 2009 10:48:10 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090206093842.GC290@greenie.muc.de>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <20090206093842.GC290@greenie.muc.de>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0ECD7@xmb-ams-333.emea.cisco.com>

Gert Doering <> wrote on Friday, February 06, 2009 10:39:

>> ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA
>
> One can tack a *name* to routes? Need to test this :-)
>
> Does this name get carried in IGPs? Or is it just there in the config
> to document things?

this name stays local to the router, and was/is required for Large-Scale Dial-out (LSDO) where the router performed an AAA/Radius request to retrieve dial information, and used the name for this..

Dial - sigh - almost feels like legacy technology ;-)

But I agree, it's a nice way of documenting things :)

oli

From gert at greenie.muc.de Fri Feb 6 04:54:07 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 6 Feb 2009 10:54:07 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D0ECD7@xmb-ams-333.emea.cisco.com>
References: <20090206093842.GC290@greenie.muc.de> <70B7A1CCBFA5C649BD562B6D9F7ED78406D0ECD7@xmb-ams-333.emea.cisco.com>
Message-ID: <20090206095407.GE290@greenie.muc.de>

Hi,

On Fri, Feb 06, 2009 at 10:48:10AM +0100, Oliver Boehmer (oboehmer) wrote:
> this name stays local to the router, and was/is required for Large-Scale
> Dial-out (LSDO) where the router performed an AAA/Radius request to
> retrieve dial information, and used the name for this..
Ah, so you put the route in like this:

  ip route 1.2.3.4 255.255.255.255 name customerX

and the router would do a radius-query to get the phone number, authentication data, etc. to call up? Cool :-)

> Dial - sigh - almost feels like legacy technology ;-)

Well, it came back in disguise... DSL, L2TP, ... :))

> But I agree, it's a nice way of documenting things :)

Indeed!

gert

From blahu77 at gmail.com Fri Feb 6 05:12:25 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Fri, 6 Feb 2009 10:12:25 +0000
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B7DC5.7060803@justinshore.com>
References: <498B7DC5.7060803@justinshore.com>
Message-ID: <383357750902060212k5a18d067t2f615818d5d48f9a@mail.gmail.com>

Justin,

just be sure not to assign .255 address to the customer, windows is buggy there:

http://support.microsoft.com/kb/281579

We've been bitten there.

Best Regards,

-mat
--
pgp-key 0x1C655CAB

From benny+usenet at amorsen.dk Fri Feb 6 05:14:03 2009
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Fri, 06 Feb 2009 11:14:03 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498B96F3.8060204@evaristesys.com> (Alex Balashov's message of "Thu\, 05 Feb 2009 20\:48\:35 -0500")
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com>
Message-ID:

Alex Balashov writes:

> There is no reason why you need to "waste" IP address on the /30s -
> who said they have to be public IPs? Just carve out some address
> space out of a 10.0.0.0/8 range and use private transport IPs.

You risk that ICMP comes from those addresses.
This could happen with traceroute, where it is harmless, and with ICMP-Packet-Too-Big, where it isn't harmless.

Is there a way to force a particular IP to be used for ICMP messages with Cisco?

/Benny

From jcovini at free.fr Fri Feb 6 05:30:59 2009
From: jcovini at free.fr (jcovini at free.fr)
Date: Fri, 06 Feb 2009 11:30:59 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
Message-ID: <1233916259.498c11638d5c6@imp.free.fr>

Hey,

Got a strange behavior on a C3560 12.2(35)SE5.

I have a locally attached interface to the 9.9.9.0/24 network where my next hop 9.9.9.9 is. This interface is a member of vrf Internet.

I have a vrf static route, working perfectly:

  ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9

As soon as I remove and replace this route by a tracked one, the IOS adds the "global" keyword.

I input this:

  ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 track 2

and got this in the show run output:

  ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 global track 2

Leaking then occurs: traffic is not reaching next-hop 9.9.9.9, but rather goes to some router defined in the global routing table, which has a 9.0.0.0/8 entry.

My tracker object is correctly defined inside the vrf Internet and is flagged UP.

I roll back to a non-tracked route: no global keyword added, no leaking, everything is fine.

Have no idea what's happening here. Got the same config on a 6509 12.2.33sxh, works like a charm. What error did I make?

Jerome Covini

From wp at null0.nl Fri Feb 6 05:52:53 2009
From: wp at null0.nl (Wouter Prins)
Date: Fri, 6 Feb 2009 11:52:53 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
In-Reply-To: <1233916259.498c11638d5c6@imp.free.fr>
References: <1233916259.498c11638d5c6@imp.free.fr>
Message-ID:

Can you try to specify the outgoing interface in your static vrf route and test again?

2009/2/6

> Hey,
>
> Got a strange behavior on a C3560 12.2(35)SE5.
>
> I am locally attached interface to 9.9.9.0/24 network where my next hop 9.9.9.9 is. This interface is member of vrf Internet
>
> I have a vrf static route, working perfect :
> ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9
>
> As soon as I remove and replace this route by a tracked one, the IOS adds the "global" keyword.
> I input this :
> ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 track 2
> and got this in the show run output :
> ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 global track 2
>
> Leaking then occurs, traffic is not reaching next-hop 9.9.9.9, but rather goes to some router defined in the global routing table, which has a 9.0.0.0/8 entry.
> My tracker object is correctly defined inside the vrf Internet and is flagged UP.
>
> I rollback to a non-tracked route : no global keyword added, no leaking, everything is fine.
>
> Have no idea what's happening here. Got the same config on a 6509 12.2.33sxh, works like a charm. What error did I do ?
>
> Jerome Covini
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jcovini at free.fr Fri Feb 6 06:05:58 2009
From: jcovini at free.fr (jcovini at free.fr)
Date: Fri, 06 Feb 2009 12:05:58 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
In-Reply-To:
References: <1233916259.498c11638d5c6@imp.free.fr>
Message-ID: <1233918358.498c19967ff9a@imp.free.fr>

Just tried: it still installs the route with the "global" flag

  ip route vrf Internet 192.168.0.0 255.255.255.0 Vlan999 9.9.9.9 global track 2

Selon Wouter Prins :

> Can you try to specify the outgoing interface in your static vrf route and test again?
>
> 2009/2/6
>
> > Hey,
> >
> > Got a strange behavior on a C3560 12.2(35)SE5.
> >
> > I am locally attached interface to 9.9.9.0/24 network where my next hop 9.9.9.9 is. This interface is member of vrf Internet
> >
> > I have a vrf static route, working perfect :
> > ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9
> >
> > As soon as I remove and replace this route by a tracked one, the IOS adds the "global" keyword.
> > I input this :
> > ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 track 2
> > and got this in the show run output :
> > ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 global track 2
> >
> > Leaking then occurs, traffic is not reaching next-hop 9.9.9.9, but rather goes to some router defined in the global routing table, which has a 9.0.0.0/8 entry.
> > My tracker object is correctly defined inside the vrf Internet and is flagged UP.
> >
> > I rollback to a non-tracked route : no global keyword added, no leaking, everything is fine.
> >
> > Have no idea what's happening here. Got the same config on a 6509 12.2.33sxh, works like a charm. What error did I do ?
> >
> > Jerome Covini

From eric at atlantech.net Fri Feb 6 06:08:05 2009
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 6 Feb 2009 06:08:05 -0500
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To:
References:
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
> Sent: Thursday, February 05, 2009 4:57 PM
> To: Cisco-NSP Mailing List
> Subject: [c-nsp] Rancid and commercial config management tools
>
> I realize RANCID is a great tool for keeping track of IOS changes, etc.,
> but if a client was looking for a commercial tool that does this, what
> would you recommend?
>
> Thanks,
>
> Joe Loiacono

I would also take a look at Solarwinds Network Configuration Manager (formerly Cirrus). Backup configs, make mass changes, check configs against a specific defined policy, inventory equipment, etc. It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM.

-evt

From wp at null0.nl Fri Feb 6 06:32:57 2009
From: wp at null0.nl (Wouter Prins)
Date: Fri, 6 Feb 2009 12:32:57 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
In-Reply-To: <1233918358.498c19967ff9a@imp.free.fr>
References: <1233916259.498c11638d5c6@imp.free.fr> <1233918358.498c19967ff9a@imp.free.fr>
Message-ID:

Okay then I guess it happens because you didn't specify the vrf in your sla configuration.

  ip sla monitor 1
   type xx
   vrf x

I don't know if the 3560 can do that (my guess is no) :)

Can you post your sla config?
2009/2/6

> Just tried : it still installs the route with "global" flag
> ip route vrf Internet 192.168.0.0 255.255.255.0 Vlan999 9.9.9.9 global track 2
>
> Selon Wouter Prins :
>
> > Can you try to specify the outgoing interface in your static vrf route and test again?
> >
> > 2009/2/6
> >
> > > Hey,
> > >
> > > Got a strange behavior on a C3560 12.2(35)SE5.
> > >
> > > I am locally attached interface to 9.9.9.0/24 network where my next hop 9.9.9.9 is. This interface is member of vrf Internet
> > >
> > > I have a vrf static route, working perfect :
> > > ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9
> > >
> > > As soon as I remove and replace this route by a tracked one, the IOS adds the "global" keyword.
> > > I input this :
> > > ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 track 2
> > > and got this in the show run output :
> > > ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 global track 2
> > >
> > > Leaking then occurs, traffic is not reaching next-hop 9.9.9.9, but rather goes to some router defined in the global routing table, which has a 9.0.0.0/8 entry.
> > > My tracker object is correctly defined inside the vrf Internet and is flagged UP.
> > >
> > > I rollback to a non-tracked route : no global keyword added, no leaking, everything is fine.
> > >
> > > Have no idea what's happening here. Got the same config on a 6509 12.2.33sxh, works like a charm. What error did I do ?
> > >
> > > Jerome Covini

From paul at paulstewart.org Fri Feb 6 06:17:36 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 6 Feb 2009 06:17:36 -0500
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>
References: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>
Message-ID: <005401c9884c$83c508f0$8b4f1ad0$@org>

Yes, we use Orion Network Configuration Management (old Cirrus) and love it! The last release finally has a fairly slick web interface...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Van Tol
Sent: February 6, 2009 6:08 AM
To: Cisco-NSP Mailing List
Subject: Re: [c-nsp] Rancid and commercial config management tools

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
> Sent: Thursday, February 05, 2009 4:57 PM
> To: Cisco-NSP Mailing List
> Subject: [c-nsp] Rancid and commercial config management tools
>
> I realize RANCID is a great tool for keeping track of IOS changes, etc.,
> but if a client was looking for a commercial tool that does this, what
> would you recommend?
>
> Thanks,
>
> Joe Loiacono

I would also take a look at Solarwinds Network Configuration Manager (formerly Cirrus). Backup configs, make mass changes, check configs against a specific defined policy, inventory equipment, etc. It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM.
-evt

From peter.hicks at poggs.co.uk Fri Feb 6 07:41:10 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Fri, 06 Feb 2009 12:41:10 +0000
Subject: [c-nsp] Desktop PoE switch for CME
Message-ID: <498C2FE6.9040608@poggs.co.uk>

Hello

I have a requirement for a number of low-cost 8 or 24-port PoE switches on which Cisco 7940 and 7941 IP phones will work successfully. Ideally they need to support a few VLANs and dot1q, and don't *have* to be Cisco.

Does anyone have recommendations, to save me spending ages buying and testing?

Peter

From r.tahina at moov.mg Fri Feb 6 07:48:47 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Fri, 06 Feb 2009 15:48:47 +0300
Subject: [c-nsp] hssi transmit only
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D714D843@xmb-ams-331.emea.cisco.com>
References: <7.0.1.0.2.20090122143031.05b95b78@moov.mg> <78C984F8939D424697B15E4B1C1BB3D714D843@xmb-ams-331.emea.cisco.com>
Message-ID: <7.0.1.0.2.20090206154745.04c19108@moov.mg>

Thanks Arie,

It was a clock issue on the modem.

Regards.

At 21:37 22/01/2009, Arie Vayner (avayner) wrote:
>No. A regular cable should be fine.
>Arie
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of RAZAFINDRATSIFA Rivo Tahina
>Sent: Thursday, January 22, 2009 13:32
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] hssi transmit only
>
>Hi all,
>
>I have to connect a modem and a 7200 with HSSI used for transmit
>only, does it need specific cabling/configuration?
>
>Kind regards.

From r.tahina at moov.mg Fri Feb 6 07:53:26 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Fri, 06 Feb 2009 15:53:26 +0300
Subject: [c-nsp] Multihomed BGP load balancing
Message-ID: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>

Dear All,

I'm multihomed to 2 upstreams. From time to time, 1 link is full while the other has half of its capacity unused. As of now, I have to manually announce /24s to try to balance traffic; is there a more intelligent way to do that?

Regards.

From blahu77 at gmail.com Fri Feb 6 08:03:16 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Fri, 6 Feb 2009 13:03:16 +0000 (IST)
Subject: [c-nsp] Multihomed BGP load balancing
In-Reply-To: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
Message-ID:

> I'm multihomed to 2 upstreams, from time to time, 1 link is full while the
> other has half of its capacity unused, as of now, I have to manual announce
> of /24 to try to balance traffics, are there more intelligent way to do
> that?

depending on which direction it gets full you can use dmz-bandwidth for outgoing traffic, there is also something called pfr but all I know is that it is used for traffic optimization.

Best Regards,

-mat
From achatz at forthnet.gr Fri Feb 6 08:14:49 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 06 Feb 2009 15:14:49 +0200
Subject: [c-nsp] Multihomed BGP load balancing
In-Reply-To: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
References: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
Message-ID: <498C37C9.1010908@forthnet.gr>

Someone would say use PfR, but I'm not this one ;)
Great potential, awkward configuration.

--
Tassos

RAZAFINDRATSIFA Rivo Tahina wrote on 06/02/2009 14:53:
> Dear All,
>
> I'm multihomed to 2 upstreams, from time to time, 1 link is full while
> the other has half of its capacity unused, as of now, I have to manual
> announce of /24 to try to balance traffics, are there more intelligent
> way to do that?
>
> Regards.

From jcovini at free.fr Fri Feb 6 08:28:36 2009
From: jcovini at free.fr (jcovini at free.fr)
Date: Fri, 06 Feb 2009 14:28:36 +0100
Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route
In-Reply-To:
References: <1233916259.498c11638d5c6@imp.free.fr> <1233918358.498c19967ff9a@imp.free.fr>
Message-ID: <1233926916.498c3b041ae71@imp.free.fr>

I would love you to be right, but it is indeed tracking inside the right vrf.

I am changing the @IP in the paste below voluntarily (public ips...)

I have a pretty similar config running on a 6509 12.2.33sxh without this behavior. The only difference is my 6509 uses the newer style config (ip sla monitor foo) instead of the former one (rtr foo).

rtr 2
 type echo protocol ipIcmpEcho 1.2.3.4
 timeout 1000
 vrf Internet
 frequency 5
rtr schedule 2 life forever start-time now
track 2 rtr 2 reachability

o#sho rtr config 2
SA Agent, Infrastructure Engine-II.
Entry number: 2
Owner:
Tag:
Type of operation to perform: echo
Target address: 1.2.3.4
Source address: 0.0.0.0
Request size (ARR data portion): 28
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Vrf Name: Internet
Operation frequency (seconds): 5
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None
Enhanced History:

Selon Wouter Prins :

> Okay then i guess it happens because you didn't specify the vrf in your sla
> configuration.
>
> ip sla monitor 1
> type xx
> vrf x
>
> I don't know if the 3560 can do that (my guess is no) :)
>
> Can you post your sla config?
>
> 2009/2/6
>
> > Just tried : it still installs the route with "global" flag
> > ip route vrf Internet 192.168.0.0 255.255.255.0 Vlan999 9.9.9.9 global track 2
> >
> > Selon Wouter Prins :
> >
> > > Can you try to specify the outgoing interface in your static vrf route and test again?
> > >
> > > 2009/2/6
> > >
> > > > Hey,
> > > >
> > > > Got a strange behavior on a C3560 12.2(35)SE5.
> > > >
> > > > I am locally attached interface to 9.9.9.0/24 network where my next hop 9.9.9.9 is. This interface is member of vrf Internet
> > > >
> > > > I have a vrf static route, working perfect :
> > > > ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9
> > > >
> > > > As soon as I remove and replace this route by a tracked one, the IOS adds the "global" keyword.
> > > > I input this :
> > > > ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 track 2
> > > > and got this in the show run output :
> > > > ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9 global track 2
> > > >
> > > > Leaking then occurs, traffic is not reaching next-hop 9.9.9.9, but rather goes to some router defined in the global routing table, which has a 9.0.0.0/8 entry.
> > > > My tracker object is correctly defined inside the vrf Internet and is flagged UP.
> > > >
> > > > I rollback to a non-tracked route : no global keyword added, no leaking, everything is fine.
> > > >
> > > > Have no idea what's happening here. Got the same config on a 6509 12.2.33sxh, works like a charm. What error did I do ?
> > > >
> > > > Jerome Covini

From kratzers at ctinetworks.com Fri Feb 6 08:45:50 2009
From: kratzers at ctinetworks.com (Stephen Kratzer)
Date: Fri, 6 Feb 2009 08:45:50 -0500
Subject: [c-nsp] Multihomed BGP load balancing
In-Reply-To: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
References: <7.0.1.0.2.20090206154900.04c26b40@moov.mg>
Message-ID: <200902060845.51247.kratzers@ctinetworks.com>

On Friday 06 February 2009 07:53:26 RAZAFINDRATSIFA Rivo Tahina wrote:
> Dear All,
>
> I'm multihomed to 2 upstreams, from time to time, 1 link is full
> while the other has half of its capacity unused, as of now, I have to
> manual announce of /24 to try to balance traffics, are there more
> intelligent way to do that?
>
> Regards.
If you're connected to two different transit providers, say A and B, and A is MUCH more well-connected than B, you could see if A supports communities to restrict the advertisement of your routes to their peers and/or customers only. This may, however, make the pendulum swing too far the other way.

Also, if provider B uses provider A as a transit provider also, you could try using communities to either increase local pref on provider A's network or decrease local pref on provider B's network.

And, when none of those options work as desired, you'll probably go back to deaggregating...

Stephen Kratzer
Network Engineer
CTI Networks, Inc.

From erey at ernw.de Fri Feb 6 09:34:37 2009
From: erey at ernw.de (Enno Rey)
Date: Fri, 6 Feb 2009 15:34:37 +0100
Subject: [c-nsp] Urgently looking for a C2811/2821 to rent or buy _today_ in Washington DC area
Message-ID: <20090206143437.GE12988@ws25.ernw.de>

Hi,

I have to give a talk tomorrow that includes a demo/lab with some MPLS VPN stuff. I brought a 3750-Metro and a 3560 with me (both running latest code) but just noticed the 3560s do not support MPLS VPNs at all.

So I'm urgently looking for some MPLS VPN capable device (acting as PE), preferably a 2811 or 2821 (as we have use for those in our lab anyway). If anybody in the Washington DC area is reading this, pls contact me off-list. I'm willing to buy/rent a device immediately. The transaction has to happen today (paid by cash if needed) as I'll have to set up the stuff before tomorrow.

thanks,

Enno

--
Enno Rey
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel.
+49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Enno Rey

From manafo at hotmail.com Fri Feb 6 09:44:16 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Fri, 6 Feb 2009 16:44:16 +0200
Subject: [c-nsp] DHCP Binding Expiration
Message-ID:

Hi all,

I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I am using DHCP snooping and ARP inspection for security reasons; the lease expiration time is set to 30 minutes and no excluded-address is configured. The problem is that I can still see some clients' IP address lease expirations as Infinite in the DHCP binding! What could be the reason for this behavior, and could this be some sort of attack?!

Here is my configuration of the DHCP server:

!
ip dhcp pool DHCP-POOL
 network 192.168.48.0 255.255.240.0
 default-router 192.168.48.1
 dns-server x.x.x.x x.x.x.x
 domain-name domain.com
 lease 0 0 30
!
and here is the output of the DHCP binding:

R1#show ip dhcp binding | include Infinite
192.168.50.50     001e.e58d.5f27    Infinite    Automatic
192.168.50.93     0017.3f0c.9d47    Infinite    Automatic
192.168.51.5      001e.e595.11b9    Infinite    Automatic
192.168.56.239    001e.e595.1109    Infinite    Automatic
192.168.56.251    0018.392d.94b5    Infinite    Automatic
192.168.57.7      001e.e595.10f9    Infinite    Automatic
192.168.57.77     0018.392d.9473    Infinite    Automatic
192.168.58.76     001f.3c66.6d1d    Infinite    Automatic
192.168.58.133    0014.bf65.80f7    Infinite    Automatic
192.168.58.137    001e.e58d.6671    Infinite    Automatic
192.168.58.151    00c0.020d.91bf    Infinite    Automatic
192.168.58.162    001e.e595.1b23    Infinite    Automatic
192.168.58.191    001e.e58d.6669    Infinite    Automatic
192.168.58.218    0018.3937.a0d7    Infinite    Automatic
192.168.58.231    0016.367b.086d    Infinite    Automatic

Regards,
Manaf

From razor at meganet.net Fri Feb 6 11:27:59 2009
From: razor at meganet.net (Paul A)
Date: Fri, 6 Feb 2009 11:27:59 -0500
Subject: [c-nsp] learned routes disappear
Message-ID: <033401c98877$dfe851c0$9fb8f540$@net>

Hi, I'm having a bgp issue I can't figure out and hoping someone has run into this.

I have two routers, router A and router B doing bgp.

Router A is advertising 5 routes to router B; when the session 1st comes up, router B has 5 routes received from router A. After 1:15 min the learned routes on router B disappear.

Router A

Learns the routes from one of my bgp customers.
 neighbor 2xx.xx.xx.xx description xxx
 neighbor 2xx.xx.xx.xx update-source FastEthernet1/43
 neighbor 2xx.xx.xx.xx default-originate
 neighbor 2xx.xx.xx.xx prefix-list PxxPL-IN in
 neighbor 2xx.xx.xx.xx route-map PLIN in
 neighbor 2xx.xx.xx.xx filter-list 109 in
 neighbor 2xx.xx.xx.xx filter-list 2 out
 neighbor 2xx.xx.xx.xx remote-as xxx
 neighbor 2xx.xx.xx.xx update-source Loopback0
 neighbor 2xx.xx.xx.xx next-hop-self

it advertises them to the configured neighbor on router A

 neighbor 216.xxx update-source Loopback0
 neighbor 216.xxx next-hop-self
 neighbor 216.xxx filter-list 1 in
 neighbor 216.xxx filter-list 1 out

If I clear the bgp session or when the session 1st comes up on router B, I see the routes but then they disappear after 1:15 min.

Thanks PA

From razor at meganet.net Fri Feb 6 12:47:44 2009
From: razor at meganet.net (Paul A)
Date: Fri, 6 Feb 2009 12:47:44 -0500
Subject: [c-nsp] learned routes disappear
In-Reply-To: <498C75E9.50809@rainierconnect.net>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net>
Message-ID: <000801c98883$03f8a550$0be9eff0$@net>

Thanks Walter. I really didn't want to mess with debug as it's a production router and I would have to do this late night, hopefully without crashing it. I really was hoping someone had run into this issue before.

FYI the 1st update-source is from router A to my bgp customer on fa1/43; the other is from router A to router B on loop0. So I think that's fine.

-----Original Message-----
From: Walter Keen [mailto:walter.keen at RainierConnect.net]
Sent: Friday, February 06, 2009 12:40 PM
To: Paul A
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] learned routes disappear

I would turn on debugging and see if 1:15m corresponds to one of the BGP nexthop scanning or other events. Don't leave debugging on any longer than needed on production systems. If you can replicate in a lab scenario, that would be ideal.
One thing that looks odd is that you have 2 different update-source interfaces listed on RouterA's neighbor configuration for RouterB

Paul A wrote:
> Hi, I'm having a bgp issue I can't figure out and hoping someone has run
> into this.
>
> I have two routers, router A and router B doing bgp.
>
> Router A is advertising 5 routes to router B, when the session 1st comes up,
> router B has 5 routes received from router A. After 1:15 min the learned
> routes on router B disappear.
>
> Router A
>
> Learns the routes from one of my bgp customers.
>
> neighbor 2xx.xx.xx.xx description xxx
> neighbor 2xx.xx.xx.xx update-source FastEthernet1/43
> neighbor 2xx.xx.xx.xx default-originate
> neighbor 2xx.xx.xx.xx prefix-list PxxPL-IN in
> neighbor 2xx.xx.xx.xx route-map PLIN in
> neighbor 2xx.xx.xx.xx filter-list 109 in
> neighbor 2xx.xx.xx.xx filter-list 2 out
> neighbor 2xx.xx.xx.xx remote-as xxx
> neighbor 2xx.xx.xx.xx update-source Loopback0
> neighbor 2xx.xx.xx.xx next-hop-self
>
> it advertises them to the configured neighbor on router A
>
> neighbor 216.xxx update-source Loopback0
> neighbor 216.xxx next-hop-self
> neighbor 216.xxx filter-list 1 in
> neighbor 216.xxx filter-list 1 out
>
> If I clear the bgp session or when the session 1st comes up on router B, I
> see the routes but then they disappear after 1:15 min.
>
> Thanks PA
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From vijay.ramcharan at verizonbusiness.com Fri Feb 6 13:03:32 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 06 Feb 2009 18:03:32 +0000
Subject: [c-nsp] VACL capture - is this supposed to work
In-Reply-To: <20090206084123.GB27732@wildfire.net.ic.ac.uk>
Message-ID:

Phil

I have a similar config on a few 6500 switches running SXF10 and it appears to be doing its job. My config is quite similar to yours sans MPLS. These same switches also do local SPAN to a couple of 10G ports.

C6506E with Sup720-3BXL running 12.2(18)SXF10

vlan access-map VLAN110-MAP 10
 match ip address VIP-TRAFFIC
 action forward capture
vlan access-map VLAN110-MAP 15
 match ip address ANY-VLAN110-TRAFFIC
 action forward

ip access-list extended VIP-TRAFFIC
 permit ip any 1.2.3.0 0.0.0.127
 permit ip 1.2.3.0 0.0.0.127 any
ip access-list extended ANY-VLAN110-TRAFFIC
 permit ip any any

vlan filter VLAN110-MAP vlan-list 110

interface GigabitEthernet1/1
 description PRI-CAPTURE-PORT
 switchport
 switchport access vlan 999
 switchport mode access
 switchport capture
 switchport capture allowed vlan 110
 no ip address
 spanning-tree portfast

swp10#sh int g1/1 | inc rate
  Queueing strategy: fifo
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 181007000 bits/sec, 27250 packets/sec
swp10#

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: February 06, 2009 03:41
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VACL capture - is this supposed to work

We have this config on a 6500/sup720

int Vlan3799
 description upstream
 ip address ...

int Vlan4000
 description core
 ip address ...
 mpls ip

vlan filter CAPTURE_HTTP vlan 3799

int Gi9/1
 switchport
 switchport mode access
 switchport access vlan 3799
 switchport capture
 switchport capture allowed vlan 3799

...and the CAPTURE_HTTP map does:

1. tcp port 80, capture & forward
2. ip any any, forward

The intent is to capture inbound and outbound HTTP traffic, and log it with urlsnarf for legal compliance reasons. This *HAS* been working for months.

However, we did a recent upgrade of this router to 12.2(33)SXI and it stopped working - the VACL capture only seems to capture packets outbound i.e. input on Vl4000, out on Vl3799. It does capture any CPU-punt packets in the other direction.

At first I thought it was a bug in SXI, but we failed our default route over to another 6500 running SXF9 with the same config, and it suffers the same problem.

I had wondered if the problem was that the inbound traffic next-hop has an MPLS label imposed, but the other router is 1 hop away so uses plain-old IP, and it suffers the same.

So I'm baffled - we have a router that was running SXF10 for months with this config, no problem. Another with SXF9 doesn't work, nor does the original router with 12.2(33)SXI.

So, question: exactly what traffic should VACL capture actually *capture*? Is my config supported?

I have a TAC case open, but we're getting desperate - we need that URL logging, and a "normal" SPAN port generates way, way too much traffic - having the ACL to filter a sub-set is important.

sh tcam int vl3799 acl in/out ip det

...shows appropriate TCAM entries with the CAP flag set.

Any pointers gratefully received.
From walter.keen at RainierConnect.net Fri Feb 6 12:39:53 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Fri, 06 Feb 2009 09:39:53 -0800
Subject: [c-nsp] learned routes disappear
In-Reply-To: <033401c98877$dfe851c0$9fb8f540$@net>
References: <033401c98877$dfe851c0$9fb8f540$@net>
Message-ID: <498C75E9.50809@rainierconnect.net>

I would turn on debugging and see if 1:15m corresponds to one of the BGP nexthop scanning or other events. Don't leave debugging on any longer than needed on production systems. If you can replicate in a lab scenario, that would be ideal. One thing that looks odd is that you have 2 different update-source interfaces listed on RouterA's neighbor configuration for RouterB

Paul A wrote:
> Hi, I'm having a bgp issue I can't figure out and hoping someone has run
> into this.
>
> I have two routers, router A and router B doing bgp.
>
> Router A is advertising 5 routes to router B, when the session 1st comes up,
> router B has 5 routes received from router A. After 1:15 min the learned
> routes on router B disappear.
>
> Router A
>
> Learns the routes from one of my bgp customers.
>
> neighbor 2xx.xx.xx.xx description xxx
> neighbor 2xx.xx.xx.xx update-source FastEthernet1/43
> neighbor 2xx.xx.xx.xx default-originate
> neighbor 2xx.xx.xx.xx prefix-list PxxPL-IN in
> neighbor 2xx.xx.xx.xx route-map PLIN in
> neighbor 2xx.xx.xx.xx filter-list 109 in
> neighbor 2xx.xx.xx.xx filter-list 2 out
> neighbor 2xx.xx.xx.xx remote-as xxx
> neighbor 2xx.xx.xx.xx update-source Loopback0
> neighbor 2xx.xx.xx.xx next-hop-self
>
> it advertises them to the configured neighbor on router A
>
> neighbor 216.xxx update-source Loopback0
> neighbor 216.xxx next-hop-self
> neighbor 216.xxx filter-list 1 in
> neighbor 216.xxx filter-list 1 out
>
> If I clear the bgp session or when the session 1st comes up on router B, I
> see the routes but then they disappear after 1:15 min.
>
> Thanks PA
>

From SPfister at dps.k12.oh.us Fri Feb 6 14:48:48 2009
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Fri, 06 Feb 2009 14:48:48 -0500
Subject: [c-nsp] Need help adding a device to an existing vlan
Message-ID: <498C4DC2.9E6F.00B8.0@dps.k12.oh.us>

I'm sure this is something simple, but I'm not quite seeing it... I need some help adding a device to an existing, recently created vlan. Here is the fragment of our network:

[core 4507] -> [8540] -> [3550] -> [1230 WAP]

[configuration excerpts are below]

The 1230 access point described is attached to our network, and is functioning properly. Recently, I tried to add another 3550 (in another part of the building), and a 1230 access point, copying the first configuration as the model. The vlan 99 (the user workstations) worked right away, but vlan 199 (the wireless access points) I cannot get working.
I can still get to the first access point, but am having trouble with the new one: - it's unreachable when connected to the new switch, but I can get to it when connected to the first switch - I can get to the vlan 199 default gateway from the new switch, and can get to the first access point from the new switch, but I can't get to the new access point, even when logged into the new switch. - If I assign an ip address to the vlan 199 interface, I can get to the new access point from the new switch, but then I can't get to the vlan's default gateway or to the first access point. Can someone help me find where the problem is? Do I need to allow vlan 1 on the interface on the core 4507? Thanks for your help! --Steve Here are configuration fragments of each: 4507 (vtp server, domain ADM_VTP): ---------------------------------- interface GigabitEthernet1/1 description Trunk to 8540 switchport trunk encapsulation dot1q switchport trunk allowed vlan 40,51,99,199,997,998 switchport mode trunk switchport nonegotiate no logging event link-status qos trust dscp tx-queue 3 priority high ! interface Vlan199 description ADM WLAN Management ip address 192.168.199.1 255.255.255.0 ip helper-address 10.99.20.62 no ip redirects no ip unreachables no ip proxy-arp no ip mroute-cache end 8540 (vtp client, domain ADM_VTP): ---------------------------------- interface GigabitEthernet1/0/0 description Fiber to 99-c45-clan1 no ip address no ip redirects no ip proxy-arp no cdp enable ! interface GigabitEthernet1/0/0.1 description Native VLAN encapsulation dot1Q 1 native no ip redirects no ip proxy-arp ! interface GigabitEthernet1/0/0.40 description Security VLAN encapsulation dot1Q 40 no ip redirects no ip proxy-arp no cdp enable bridge-group 40 ! interface GigabitEthernet1/0/0.51 description Voice Network encapsulation dot1Q 51 no ip redirects no ip proxy-arp no cdp enable bridge-group 51 ! 
interface GigabitEthernet1/0/0.99 description ADM LAN Access VLAN encapsulation dot1Q 99 no ip redirects no ip proxy-arp no cdp enable bridge-group 99 ! interface GigabitEthernet1/0/0.199 description Admin WLAN Management encapsulation dot1Q 199 no ip redirects no ip proxy-arp no cdp enable bridge-group 199 ! interface GigabitEthernet1/0/0.997 description ADM IVDL encapsulation dot1Q 997 no ip redirects no ip proxy-arp bridge-group 97 ! interface GigabitEthernet1/0/0.998 description Admin WLAN encapsulation dot1Q 998 no ip redirects no ip proxy-arp bridge-group 98 ! interface GigabitEthernet1/0/2 description Fiber to 3550 no ip address no ip redirects no ip proxy-arp no cdp enable ! interface GigabitEthernet1/0/2.1 description Native VLAN encapsulation dot1Q 1 native no ip redirects no ip proxy-arp ! interface GigabitEthernet1/0/2.99 description ADM LAN Access VLAN encapsulation dot1Q 99 no ip redirects no ip proxy-arp no cdp enable bridge-group 99 ! interface GigabitEthernet1/0/2.199 description Admin WLAN Management encapsulation dot1Q 199 no ip redirects no ip proxy-arp bridge-group 199 ! interface GigabitEthernet1/0/2.998 description Admin WLAN encapsulation dot1Q 998 no ip redirects no ip proxy-arp bridge-group 98 ! interface BVI199 description Admin WLAN Management ip address 192.168.199.2 255.255.255.0 end 3550 (vtp client, domain ADM_VTP): --------------------------------- interface GigabitEthernet0/1 description to 99-c85-catm1 switchport trunk encapsulation dot1q switchport mode trunk no ip address ! interface GigabitEthernet0/2 switchport mode dynamic desirable no ip address shutdown ! interface Vlan1 no ip address no ip route-cache ! interface Vlan99 ip address 10.99.20.211 255.255.248.0 no ip route-cache ntp broadcast client ! interface Vlan199 no ip address ! 
interface FastEthernet0/38
 description to 1230 WAP
 switchport access vlan 199
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 no snmp trap link-status
 storm-control broadcast level 1.00
 storm-control multicast level 2.00
 storm-control unicast level 5.00
end

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From trejrco at gmail.com Fri Feb 6 15:22:30 2009
From: trejrco at gmail.com (TJ)
Date: Fri, 6 Feb 2009 15:22:30 -0500
Subject: [c-nsp] How to add new rule in the same access-list
In-Reply-To: <498B8C61.9060408@rollernet.us>
References: <40d8a95a0902041826o6c343f22we2039ce1d912b944@mail.gmail.com> <498A9572.6010608@rollernet.us> <40028F97-9DBA-4A16-9DB5-DEDF37A375E2@bellsouth.net> <498B8C61.9060408@rollernet.us>
Message-ID: <000101c98898$a80b7720$f8226560$@com>

>> You can add lines if you use sequence numbers on your acl. What version
>> are you using
>>
>>>> I have an old rule in the switch but don't know how to add a new rule in
>>>> the same access-list
>>>>
>>>> When I add a new deny rule, it will be put at the end of the
>>>> access-list
>>>>
>>>> If I remove the access-list 140, I have to re-type all lines again.
>>>>
>>> That's correct. You need to remove and recreate it in the correct
>>> order lacking sequences.
>>>
>
> Like I said, if he doesn't have sequences (which based on the information
> given in the original question I can only assume he doesn't have an IOS that
> supports it on old-skool access lists).

With a word of caution - if this is an ACL that affects YOUR connectivity to the router: removing the ACL is fine, but the first line you put back in better be the line that lets you in! Otherwise you'll be driving in ...
((Or, even better, either un-apply the ACL from the interface -or- start over with a new ACL, with the new line(s), and apply that to the interface (and then dump the ACL). Oh, and the "reload in XX" command is your friend (but don't forget the "reload cancel" part).))

MAN I am glad I don't need to do any of that any more, sequence numbers are a Good Thing!

/TJ

From mksmith at adhost.com Fri Feb 6 15:46:37 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Fri, 6 Feb 2009 12:46:37 -0800
Subject: [c-nsp] learned routes disappear
In-Reply-To: <000801c98883$03f8a550$0be9eff0$@net>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net>
Message-ID: <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan>

Hello Paul:

>
> Paul A wrote:
> > Hi, I'm having a bgp issue I can't figure out and hoping someone has run
> > into this.
> >
> > I have two routers, router A and router B doing bgp.
> >
> > Router A is advertising 5 routes to router B, when the session 1st comes
> > up, router B has 5 routes received from router A. After 1:15 min the learned
> > routes on router B disappear.
> >

How are the routes getting into BGP? Are they coming in via tie-down routes in the IGP somewhere? Could it be that you have an IGP failure of some sort such that the routes are being withdrawn legitimately?

Regards,

Mike
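Both Mike's question here (how the routes get into BGP, and whether the IGP is withdrawing them) and harbor235's answer further down the thread (the five routes become unreachable) come down to one check: does each received prefix's next hop still resolve in Router B's RIB when the BGP scanner re-validates it? The Python below re-runs that check offline. It is an added example written for this archive, not code from anyone on the list; its RIB and BGP table are constructed, it assumes Router A's next-hop-self puts A's Loopback0 on every prefix it hands to B (as Paul's config does), and it treats a 0.0.0.0/0 entry as not resolving a next hop, which varies by platform and is an assumption here.

```python
"""Re-run BGP's next-hop validity check offline.

Added example for this thread, not code from any poster.  IOS's BGP scanner
periodically re-checks that each path's next hop resolves in the RIB; paths
whose next hop does not resolve are marked inaccessible and leave the routing
table, which is the behaviour harbor235 describes.  The RIB and BGP table
below are constructed.  Assumption: a next hop is reachable only when its
longest-prefix match leads, possibly recursively, to a connected route; a
0.0.0.0/0 entry is treated as not resolving (platform-specific in reality).
"""
import ipaddress
from typing import Dict, Optional, Tuple

Rib = Dict[str, Tuple[str, Optional[str]]]   # prefix -> (protocol, next hop; None if connected)


def longest_match(rib: Rib, address: str) -> Optional[str]:
    """Most specific RIB prefix containing `address`, or None if nothing covers it."""
    addr = ipaddress.ip_address(address)
    best_prefix, best_len = None, -1
    for prefix in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_prefix, best_len = prefix, net.prefixlen
    return best_prefix


def next_hop_reachable(rib: Rib, next_hop: str, max_depth: int = 8) -> bool:
    """Resolve `next_hop` through the RIB until a connected route is reached."""
    seen = {next_hop}
    hop = next_hop
    for _ in range(max_depth):
        prefix = longest_match(rib, hop)
        if prefix is None or prefix == "0.0.0.0/0":
            return False                  # no route, or only the default (assumed non-resolving)
        protocol, via = rib[prefix]
        if protocol == "connected":
            return True
        if via is None or via in seen:
            return False                  # malformed entry or a resolution loop
        seen.add(via)
        hop = via
    return False


def scan(rib: Rib, bgp_table: Dict[str, str]) -> Dict[str, str]:
    """Label each BGP prefix 'valid' or 'inaccessible', as `show ip bgp` would after a scan."""
    return {prefix: ("valid" if next_hop_reachable(rib, nh) else "inaccessible")
            for prefix, nh in bgp_table.items()}


# Constructed Router B view.  Router A does next-hop-self towards B (as in Paul's
# config), so every prefix A passes on from its customer carries A's Loopback0.
RIB_HEALTHY: Rib = {
    "10.0.0.0/30":   ("connected", None),     # B's link to A
    "10.255.0.1/32": ("ospf", "10.0.0.1"),    # A's Loopback0, learned through the IGP
}
BGP_FROM_A: Dict[str, str] = {
    "198.51.100.0/24": "10.255.0.1",
    "203.0.113.0/24":  "10.255.0.1",
}


def scenario() -> Tuple[Dict[str, str], Dict[str, str]]:
    """First scan with a healthy RIB, then after the IGP route to A's loopback is withdrawn."""
    before = scan(RIB_HEALTHY, BGP_FROM_A)
    rib_after_igp_loss = {p: e for p, e in RIB_HEALTHY.items() if p != "10.255.0.1/32"}
    after = scan(rib_after_igp_loss, BGP_FROM_A)
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    for prefix in BGP_FROM_A:
        print(f"{prefix:17} before IGP loss: {before[prefix]:12} after: {after[prefix]}")
```

Fed with the real tables (`show ip route` for the RIB, `show ip bgp` for the next hops) the second pass reproduces what Paul sees: prefixes that were valid right after the session came up flip to inaccessible on the next periodic scan (60 seconds by default on IOS, which fits the roughly 1:15 he observes) and drop out of the routing table. So `show ip route` for Router A's Loopback0 on Router B, taken while the routes are missing, is the first thing to check.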
From abalashov at evaristesys.com Fri Feb 6 16:02:04 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 06 Feb 2009 16:02:04 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090206094056.GD290@greenie.muc.de>
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com> <20090206094056.GD290@greenie.muc.de>
Message-ID: <498CA54C.4010400@evaristesys.com>

Gert Doering wrote:
> Hi,
>
> On Thu, Feb 05, 2009 at 08:48:35PM -0500, Alex Balashov wrote:
>> There is no reason why you need to "waste" IP address on the /30s - who
>> said they have to be public IPs? Just carve out some address space out
>> of a 10.0.0.0/8 range and use private transport IPs.
>
> RFC1918 (indirectly) says that this is not permitted.
>
> (If you do this, ICMPs sourced by the remote router will send their
> packets with an RFC1918 source address, which is strictly not allowed.
> If you filter those packets, you'll break traceroute and PMTUd).

I find that to be OK. :)

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From abalashov at evaristesys.com Fri Feb 6 16:03:03 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 06 Feb 2009 16:03:03 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CA54C.4010400@evaristesys.com>
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com> <20090206094056.GD290@greenie.muc.de> <498CA54C.4010400@evaristesys.com>
Message-ID: <498CA587.1070606@evaristesys.com>

Alex Balashov wrote:
> Gert Doering wrote:
>> Hi,
>>
>> On Thu, Feb 05, 2009 at 08:48:35PM -0500, Alex Balashov wrote:
>>> There is no reason why you need to "waste" IP address on the /30s -
>>> who said they have to be public IPs?
Just carve out some address >>> space out of a 10.0.0.0/8 range and use private transport IPs. >> >> RFC1918 (indirectly) says that this is not permitted. >> >> (If you do this, ICMPs sourced by the remote router will send their >> packets with an RFC1918 source address, which is strictly not allowed. >> If you filter those packets, you'll break traceroute and PMTUd). > > I find that to be OK. :) > But yeah, it's a little nasty in some cases for that exact reason. It's a much better idea to do a single IP and a /32 route on Loopback. -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (678) 237-1775 From harbor235 at gmail.com Fri Feb 6 16:39:29 2009 From: harbor235 at gmail.com (harbor235) Date: Fri, 6 Feb 2009 16:39:29 -0500 Subject: [c-nsp] learned routes disappear In-Reply-To: <000801c98883$03f8a550$0be9eff0$@net> References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net> Message-ID: <836bf1f90902061339o214d9c94p123ecdfc1508d056@mail.gmail.com> Most likely the 5 routes are not reachable. If you just added the routes via a supernet advertisement and they do not exist elsewhere, either locally connected or learned via an IGP this behavior will happen. This is normal and the correct way for BGP to operate. mike On Fri, Feb 6, 2009 at 12:47 PM, Paul A wrote: > Thanks Walter. > > I really didn't want to mess with debug as it's a production router and I > would have to do this late night, hopefully without crashing it. I really > was hoping someone ran into this issue before. > > FYI the 1st update-source is from router A to my bgp customer on fa1/43 the > other is from router A to router B on loop0 > So I think that's fine. 
> > -----Original Message----- > From: Walter Keen [mailto:walter.keen at RainierConnect.net] > Sent: Friday, February 06, 2009 12:40 PM > To: Paul A > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] learned routes disappear > > I would turn on debugging and see if 1:15m corresponds to one of the BGP > nexthop scanning or other events. Don't leave debugging on any longer > than needed on production systems. If you can replicate in a lab > scenario, that would be ideal. One thing that looks odd, is that you > have 2 different update-source interfaces listed on RouterA's neighbor > configuration for RouterB > > > Paul A wrote: > > Hi, I'm having a bgp issue I can't figure out and hoping someone has ran > > into this. > > > > > > > > I have two routers, router A and router B doing bgp. > > > > > > > > Router A is advertising 5 routes to router B, when the session 1st comes > up, > > router B has 5 routes received from router A. After 1:15 min the learned > > routes on router B disappear. > > > > > > > > > > > > Router A > > > > Learns the routes from one of my bgp customers. 
> >
> > neighbor 2xx.xx.xx.xx description xxx
> > neighbor 2xx.xx.xx.xx update-source FastEthernet1/43
> > neighbor 2xx.xx.xx.xx default-originate
> > neighbor 2xx.xx.xx.xx prefix-list PxxPL-IN in
> > neighbor 2xx.xx.xx.xx route-map PLIN in
> > neighbor 2xx.xx.xx.xx filter-list 109 in
> > neighbor 2xx.xx.xx.xx filter-list 2 out
> > neighbor 2xx.xx.xx.xx remote-as xxx
> > neighbor 2xx.xx.xx.xx update-source Loopback0
> > neighbor 2xx.xx.xx.xx next-hop-self
> >
> > it advertises them to the configured neighbor on router A
> >
> > neighbor 216.xxx update-source Loopback0
> > neighbor 216.xxx next-hop-self
> > neighbor 216.xxx filter-list 1 in
> > neighbor 216.xxx filter-list 1 out
> >
> > If I clear the bgp session or when the session 1st comes up on router B, I
> > see the routes but then they disappear after 1:15 min.
> >
> > Thanks PA
> >

From paul at paulstewart.org Fri Feb 6 16:45:42 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 6 Feb 2009 16:45:42 -0500
Subject: [c-nsp] IDS Recommendations - Cisco?
Message-ID: <000001c988a4$42d8fa60$c88aef20$@org>

Hi there...

Our server farms hang off a pair of 6509's today. The SVI interfaces are redundant with HSRP for each VLAN that feeds the servers.... Sup2/MSFC2 running native IOS.
So, we're looking for IDS/firewall solutions to protect a few of the VLANs in particular. We did have a pair of FWSMs in these boxes but had a lot of grief getting them running only to be faced with hardware failure problems. They are removed from the picture now.

Several options exist but I'm wondering if a pair of IDSM-2 would serve us better - each server has its own firewall and we can do some 'basic limiting' with access-lists to complement the efforts made by the servers already. Our approach is two staged - first is to limit the exposure and secondly is to be as secure as possible on the traffic that is exposed. Since these server farms do email, web hosting and other public facing service provider tasks I believe we'll be better investing in IDSM blades or similar...

Another option was to put a pair of Juniper IDP boxes on those VLANs and use STP to dump the traffic through them...

Thoughts? I realize this is kind of a very brief overview - don't want to bore everyone with our security policies ;)

Thanks,

Paul

From justin at justinshore.com Fri Feb 6 17:32:03 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 06 Feb 2009 16:32:03 -0600
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090206093842.GC290@greenie.muc.de>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <20090206093842.GC290@greenie.muc.de>
Message-ID: <498CBA63.7080908@justinshore.com>

Gert Doering wrote:
> I can only second this. If you have a dedicated point-to-point interface for
> things, tacking the route on the interface is usually more robust than
> pointing towards a gateway IP that might not be there, or might be learned
> recursively over another interface, etc.

I'm going to have to think on this. This could be a good solution for us, though again I don't ever foresee the need to re-IP a loopback. Can anyone give me an example of such a scenario?
> For multiaccess-links, *don't* do "ip route 0.0.0.0 0.0.0.0 eth0", of > course (use "... eth0 "). Just to make this very clear. > >> ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA > > One can tack a *name* to routes? Need to test this :-) > > Does this name get carried in IGPs? Or is it just there in the config > to document things? LOL. Yes, Gert. One can name static routes, contrary to what my predecessor thought. :-) It's local to the router. It's just a nice way to describe what the static is for. Thanks for the info Justin From justin at justinshore.com Fri Feb 6 17:34:12 2009 From: justin at justinshore.com (Justin Shore) Date: Fri, 06 Feb 2009 16:34:12 -0600 Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s In-Reply-To: <383357750902060212k5a18d067t2f615818d5d48f9a@mail.gmail.com> References: <498B7DC5.7060803@justinshore.com> <383357750902060212k5a18d067t2f615818d5d48f9a@mail.gmail.com> Message-ID: <498CBAE4.50503@justinshore.com> Yes, we exclude .255 and .0 in all our DHCP pools. I make sure to not hand that out manually too. One good thing about IP unnumbered is that I have to point a static route for the customer's assigned IP at their interface. This lets me use uRPF again and eliminates the need for a customer ingress ACL on each CE-facing interface. Justin Mateusz Blaszczyk wrote: > Justin, > > just be sure not to assign .255 address to the customer, windows is > buggy there: http://support.microsoft.com/kb/281579 > We've been bitten there. > > Best Regards, > > -mat From Gregori.Parker at theplatform.com Fri Feb 6 17:10:46 2009 From: Gregori.Parker at theplatform.com (Gregori Parker) Date: Fri, 6 Feb 2009 14:10:46 -0800 Subject: [c-nsp] IDS Recommendations - Cisco? 
In-Reply-To: <000001c988a4$42d8fa60$c88aef20$@org>
References: <000001c988a4$42d8fa60$c88aef20$@org>
Message-ID: <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com>

I would highly recommend keeping some sort of firewall to ACL/NAT upstream from your hosts...I personally don't put a lot of stock into host-based firewalling as one's sole means of protection. If the FWSM didn't serve you well (all my problems with FWSM went away since 3.1.6), you could look into the ASA 5500, or better yet work with TAC to get your FWSM hardware issues resolved/units replaced.

Anyways, I don't want to second-guess your architecture or reasons, but IME it's best to have an IDSM passively monitoring a span port behind the firewall or load-balancer. The idea here is that you want the limiting factor upstream from the IDS so that it's not processing packets/connections that will be dropped/refused anyways. The IDSM doesn't act as a firewall, even if you choose to put it inline (I'd recommend against that unless you really want active mitigation and your traffic rate is well below 400mbps), and it requires much more tuning to be useful.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 06, 2009 1:46 PM
To: 'Cisco-nsp'
Subject: [c-nsp] IDS Recommendations - Cisco?

Hi there...

Our server farms hang off a pair of 6509's today. The SVI interfaces are redundant with HSRP for each VLAN that feeds the servers.... Sup2/MSFC2 running native IOS.

So, we're looking for IDS/firewall solutions to protect a few of the VLANs in particular. We did have a pair of FWSMs in these boxes but had a lot of grief getting them running only to be faced with hardware failure problems. They are removed from the picture now.
Several options exist but I'm wondering if a pair of IDSM-2 would serve us better - each server has its own firewall and we can do some 'basic limiting' with access-lists to complement the efforts made by the servers already. Our approach is two staged - first is to limit the exposure and secondly is to be as secure as possible on the traffic that is exposed. Since these server farms do email, web hosting and other public facing service provider tasks I believe we'll be better investing in IDSM blades or similar...

Another option was to put a pair of Juniper IDP boxes on those VLANs and use STP to dump the traffic through them...

Thoughts? I realize this is kind of a very brief overview - don't want to bore everyone with our security policies ;)

Thanks,

Paul

From justin at justinshore.com Fri Feb 6 18:08:47 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 06 Feb 2009 17:08:47 -0600
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <01f801c987f7$983bd660$c8b38320$@net>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net>
Message-ID: <498CC2FF.6090109@justinshore.com>

Gregory Boehnlein wrote:
> This is very similar to what we do. While we have several customers that
> need larger subnets, the majority of our customers are using IP Unnumbered.
>
> In some cases, we will provide the customer a /29 if they need additional
> external IP addresses, but the configuration on their router uses the low IP
> in the /29 as its loopback interface. We send our default route out of the
> interface, rather than to the remote gateway IP, so if we change the ip of
> the loopback on our side, we do not need to adjust anything for the
> customer.

That's not a bad idea.
Though wouldn't pointing a default at an interface force it to ARP constantly? Several hundred CEs ARPing non-stop could be a load issue on your PE.

I'm not too worried about the loopback's IP changing. I only put a /24 on the loopback to get us started. I'll load it with customer DS1s until I get to around 90% IP utilization and then create another loopback with another /24 or perhaps a /23 this time around. I padded the front of the subnet sufficiently to allow for future HA projects and the unforeseeable. I can't foresee ever needing to change the IP on a loopback once I have it in production.

> We use outbound service policies on unnumbered interfaces just fine:
>
> interface Serial10/1/0/3:0
>  description L3 OH/XXXX/XXXX to XXXXXXX channel 12
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  service-policy output llq
>  no fair-queue
>  down-when-looped
>  no clns route-cache

Excellent. QoS was something that occurred to me as I was writing my original message.

> ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA

So you'd prefer to route a larger customer assignment to the CE-facing interface instead of to their assigned IP unnumbered address?

> I've been doing ip unnumbered since 1995 in production and it "just works".
> There are undoubtedly some routers out there that might have issues, but any
> Cisco device should be able to handle things just fine.

Very good. On the CE side I really don't anticipate many problems. I see this as more of a CE knowledge thing than anything. I'm sure we'll have several customers that need something special. I hope that for the most part we can lump them all into an IP unnumbered design.
Thanks for the input Justin From damin at nacs.net Fri Feb 6 19:06:47 2009 From: damin at nacs.net (Gregory Boehnlein) Date: Fri, 6 Feb 2009 19:06:47 -0500 Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s In-Reply-To: <498CC2FF.6090109@justinshore.com> References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <498CC2FF.6090109@justinshore.com> Message-ID: <023a01c988b7$f7ad6b20$e7084160$@net> >> We send our default route out of the interface, rather than to the remote gateway IP, so if we change the >> ip of the loopback on our side, we do not need to adjust anything for the >> customer. > > That's not a bad idea. Though wouldn't pointing a default at an > interface force it to ARP constantly? Several hundred CEs ARPing > non-stop could be a load issue on your PE. I've not experienced that. > I'm not too worried about the loopback's IP changing. I only put a /24 > on the loopback to get us started. I'll load it with customer DS1s > until I get to around 90% IP utilization and then create another > loopback with another /24 or perhaps a /23 this time around. I padded > the front of the subnet sufficiently to allow for future HA projects > and the unforeseeable. I can't foresee ever needing to change the IP on a > loopback once I have it in production. It makes it much easier to groom services from one router to the other if you have to migrate a lot, and over the years, I have had to migrate a lot of customers from one router to the next etc.. > > We use outbound service policies on unnumbered interfaces just fine: > > > > interface Serial10/1/0/3:0 > > description L3 OH/XXXX/XXXX to XXXXXXX channel 12 > > ip unnumbered Loopback0 > > no ip redirects > > no ip unreachables > > no ip proxy-arp > > service-policy output llq > > no fair-queue > > down-when-looped > > no clns route-cache > > Excellent. QoS was something that occurred to me as I was writing my > original message. 
> > ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA
>
> So you'd prefer to route a larger customer assignment to the
> CE-facing interface instead of to their assigned IP unnumbered address?
>
> > I've been doing ip unnumbered since 1995 in production and it "just works".
> > There are undoubtedly some routers out there that might have issues, but any
> > Cisco device should be able to handle things just fine.
>
> Very good. On the CE side I really don't anticipate many problems. I
> see this as more of a CE knowledge thing than anything. I'm sure we'll
> have several customers that need something special. I hope that for
> the most part we can lump them all into an IP unnumbered design.

To be truthful, I haven't found anything that we cannot do w/ IP unnumbered yet.

From paul at paulstewart.org Fri Feb 6 19:24:34 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 6 Feb 2009 19:24:34 -0500
Subject: [c-nsp] IDS Recommendations - Cisco?
In-Reply-To: <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com>
References: <000001c988a4$42d8fa60$c88aef20$@org> <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com>
Message-ID: <006501c988ba$73c58970$5b509c50$@org>

Thanks for the response...

What we have today is ACLs on the 6500s and then iptables on the Linux boxes for example. This has worked fairly well and is basic to administer. My underlying goal is to have an inline IDS solution that will actively block (inline) on configured severe signatures - of course the tuning aspect of this is going to take a lot of work.

A good example to paint a picture here is that some of these servers are for web hosting. If a client uploads a php script (example) that has a vulnerability we would like the IDS to trip on it - again we can't have the world but that's kind of what I have in mind.
This could be something that triggers based on sudden SMTP activity where the script is being used maliciously to send out spam (seen that before). Just an example but hopefully that helps share a bit better what we had in mind.

These servers do a combined throughput of probably 100Mb/s at peak.

I could think of many more scenarios but at a high level I'm looking for vendor/product recommendations based on actual usage if possible. Since we're primarily a Cisco shop I'd love to use something from Cisco but having said that we want the best solution when possible. Another option to consider may be a Sourcefire 3D solution or similar too (powered by Snort).

Appreciate the input...

Paul

-----Original Message-----
From: Gregori Parker [mailto:Gregori.Parker at theplatform.com]
Sent: February 6, 2009 5:11 PM
To: Paul Stewart; Cisco-nsp
Subject: RE: [c-nsp] IDS Recommendations - Cisco?

I would highly recommend keeping some sort of firewall to ACL/NAT upstream from your hosts...I personally don't put a lot of stock into host-based firewalling as one's sole means of protection. If the FWSM didn't serve you well (all my problems with FWSM went away since 3.1.6), you could look into the ASA 5500, or better yet work with TAC to get your FWSM hardware issues resolved/units replaced.

Anyways, I don't want to second-guess your architecture or reasons, but IME it's best to have an IDSM passively monitoring a span port behind the firewall or load-balancer. The idea here is that you want the limiting factor upstream from the IDS so that it's not processing packets/connections that will be dropped/refused anyways. The IDSM doesn't act as a firewall, even if you choose to put it inline (I'd recommend against that unless you really want active mitigation and your traffic rate is well below 400mbps), and it requires much more tuning to be useful.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 06, 2009 1:46 PM
To: 'Cisco-nsp'
Subject: [c-nsp] IDS Recommendations - Cisco?

Hi there...

Our server farms hang off a pair of 6509's today. The SVI interfaces are redundant with HSRP for each VLAN that feeds the servers.... Sup2/MSFC2 running native IOS.

So, we're looking for IDS/firewall solutions to protect a few of the VLANs in particular. We did have a pair of FWSMs in these boxes but had a lot of grief getting them running only to be faced with hardware failure problems. They are removed from the picture now.

Several options exist but I'm wondering if a pair of IDSM-2 would serve us better - each server has its own firewall and we can do some 'basic limiting' with access-lists to complement the efforts made by the servers already. Our approach is two staged - first is to limit the exposure and secondly is to be as secure as possible on the traffic that is exposed. Since these server farms do email, web hosting and other public facing service provider tasks I believe we'll be better investing in IDSM blades or similar...

Another option was to put a pair of Juniper IDP boxes on those VLANs and use STP to dump the traffic through them...

Thoughts?
I realize this is kind of a very brief overview - don't want to bore everyone with our security policies ;)

Thanks,

Paul

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From david at davidcoulson.net Fri Feb 6 20:10:51 2009
From: david at davidcoulson.net (David Coulson)
Date: Fri, 06 Feb 2009 20:10:51 -0500
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CC2FF.6090109@justinshore.com>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <498CC2FF.6090109@justinshore.com>
Message-ID: <498CDF9B.7060507@davidcoulson.net>

Justin Shore wrote:
> That's not a bad idea. Though wouldn't pointing a default at an
> interface force it to ARP constantly? Several hundred CEs ARPing
> non-stop could be a load issue on your PE.

It's a serial interface. It doesn't ARP :-)

From nbernadeau at gallantsys.com Fri Feb 6 16:03:31 2009
From: nbernadeau at gallantsys.com (Nathaniel Bernadeau)
Date: Fri, 06 Feb 2009 16:03:31 -0500
Subject: [c-nsp] Cisco AXSM
Message-ID: <498CA5A3.80306@gallantsys.com>

Has the Cisco AXSM line reached end of life?
-- 
regards,
Nathaniel Bernadeau
Gallant Systems, LLC
11064 Livingston RD Suite 106-C
Fort Washington, MD 20744
Toll Free: 888-836-3751
Ph: 301-627-6358
Fax: 240-823-6897
Cell: 202-246-2229
nbernadeau at gallantsys.com
www.gallantsys.com

From gert at greenie.muc.de Sat Feb 7 01:08:10 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 7 Feb 2009 07:08:10 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CBA63.7080908@justinshore.com>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <20090206093842.GC290@greenie.muc.de> <498CBA63.7080908@justinshore.com>
Message-ID: <20090207060810.GJ290@greenie.muc.de>

Hi,

On Fri, Feb 06, 2009 at 04:32:03PM -0600, Justin Shore wrote:
> Gert Doering wrote:
> >I can only second this. If you have a dedicated point-to-point interface
> >for things, tacking the route on the interface is usually more robust than
> >pointing towards a gateway IP that might not be there, or might be learned
> >recursively over another interface, etc.
>
> I'm going to have to think on this. This could be a good solution for
> us, though again I don't ever foresee the need to re-IP a loopback. Can
> anyone give me an example of such a scenario?

Well, one example would be "you currently have 3 routers with lots of individual E1 cables. Your telco provider offers you to move all the E1s into a STM-1, and you can serve the same customers from a single new router".

Now of course you could move all 3 former loopback IPs to the new box and migrate all customers at once - or assign a single new one, and migrate them one by one.

(This might not be the most typical example, but "moving customers to a different router" is happening out there :) - and then you either have something that's not dependent on the loopback IP, or you have pains)

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From gert at greenie.muc.de Sat Feb 7 01:13:56 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 7 Feb 2009 07:13:56 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CC2FF.6090109@justinshore.com>
References: <498B7DC5.7060803@justinshore.com> <01f801c987f7$983bd660$c8b38320$@net> <498CC2FF.6090109@justinshore.com>
Message-ID: <20090207061356.GK290@greenie.muc.de>

Hi,

On Fri, Feb 06, 2009 at 05:08:47PM -0600, Justin Shore wrote:
> Gregory Boehnlein wrote:
> >This is very similar to what we do. While we have several customers that
> >need larger subnets, the majority of our customers are using IP Unnumbered.
> >
> >In some cases, we will provide the customer a /29 if they need additional
> >external IP addresses, but the configuration on their router uses the low IP
> >in the /29 as its loopback interface. We send our default route out of the
> >interface, rather than to the remote gateway IP, so if we change the ip of
> >the loopback on our side, we do not need to adjust anything for the
> >customer.
>
> That's not a bad idea. Though wouldn't pointing a default at an
> interface force it to ARP constantly? Several hundred CEs ARPing
> non-stop could be a load issue on your PE.

There's no ARP on serial links (HDLC or PPP). There's only "me" and "you". So if you point a route to the interface, the router will stuff it in, and the other router will receive it.

You need to be careful about ATM interfaces: it depends on how you configure them. If it's PPPoA, or AAL5 SNAP ("direct IP over ATM"), this will work.
If you involve Ethernet, like with RBE (route-bridged encapsulation) or with bridge-groups over ATM, you have ARP, and should specify a next-hop router.

> I'm not too worried about the loopback's IP changing. I only put a /24
> on the loopback to get us started. I'll load it with customer DS1s
> until I get to around 90% IP utilization and then create another
> loopback with another /24 or perhaps a /23 this time around. I padded
> the front of the subnet sufficiently to allow for future HA projects and
> the unforeseeable. I can't foresee ever needing to change the IP on a
> loopback once I have it in production.

Imagine customers moving to other routers.

[..]

> >ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA
>
> So you'd prefer to route a larger customer assignment to the
> CE-facing interface instead of to their assigned IP unnumbered address?

Most definitely.

(That way, when the interface goes down, the route is properly withdrawn. Otherwise, as long as you have a route to the customer "IP unnumbered" address in your routing table, your PE router will still have the route active, and will announce it in its IGP - leading to routing loops)

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
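The "route is properly withdrawn" point above can be made concrete with a small routing-table model. The Python below is an added example, not code from the thread or from Cisco, and it uses a deliberately simplified resolution rule: a route pointed at an interface is usable while that interface is up, and a route pointed at a next-hop address is usable while some other usable route covers that address. The addresses, interface names and the "ip route" comments are constructed. With "ip unnumbered Loopback0" the CE's address is carved out of the loopback subnet, so the connected loopback route always covers it, and a /29 routed to the CE's address keeps resolving after the serial link is gone, while the same /29 routed to the interface is withdrawn with the link.

```python
"""Toy RIB: why a static route for an ip-unnumbered customer should point at
the serial interface, not at the CE's address. Added example with simplified
resolution rules; addresses and interface names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    interface: Optional[str] = None   # connected, or static pointed at an interface
    next_hop: Optional[str] = None    # static pointed at an address (recursive)
    source: str = "static"


class Rib:
    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.if_up: Dict[str, bool] = {}

    def add_interface(self, name: str, up: bool = True) -> None:
        self.if_up[name] = up

    def add(self, prefix: str, *, interface: Optional[str] = None,
            next_hop: Optional[str] = None, source: str = "static") -> None:
        self.routes.append(Route(Net(prefix), interface, next_hop, source))

    def is_active(self, r: Route, depth: int = 0) -> bool:
        """Interface routes follow link state; next-hop routes must recurse to
        a usable route for the next hop (a different route, bounded depth)."""
        if r.interface is not None:
            return self.if_up.get(r.interface, False)
        if depth > 8:
            return False
        return self.lookup(r.next_hop, exclude=r, depth=depth + 1) is not None

    def lookup(self, addr: str, exclude: Optional[Route] = None,
               depth: int = 0) -> Optional[Route]:
        """Longest-prefix match among routes that are currently active."""
        ip = ipaddress.ip_address(addr)
        candidates = [r for r in self.routes
                      if r is not exclude and ip in r.prefix and self.is_active(r, depth)]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

    def active_prefixes(self) -> List[str]:
        """What this PE would hand to its IGP if it redistributed statics."""
        return sorted(str(r.prefix) for r in self.routes if self.is_active(r))


def build_pe(customer_route_via: str) -> Rib:
    """PE with Loopback0 192.0.2.0/24, Serial0 'ip unnumbered Loopback0', the
    CE's loopback 192.0.2.10/32 out Serial0, and the customer's /29 pointed
    either at the CE address ("next_hop") or at the interface ("interface")."""
    rib = Rib()
    rib.add_interface("Loopback0", up=True)   # a loopback never goes down
    rib.add_interface("Serial0", up=True)
    rib.add("192.0.2.0/24", interface="Loopback0", source="connected")
    rib.add("192.0.2.10/32", interface="Serial0")          # CE's unnumbered address
    if customer_route_via == "next_hop":
        rib.add("198.51.100.0/29", next_hop="192.0.2.10")   # ip route ... 192.0.2.10
    else:
        rib.add("198.51.100.0/29", interface="Serial0")     # ip route ... Serial0
    return rib


def customer_route_survives_link_down(customer_route_via: str) -> bool:
    """True if the /29 stays active after the DS1 to the CE drops."""
    rib = build_pe(customer_route_via)
    rib.if_up["Serial0"] = False
    return "198.51.100.0/29" in rib.active_prefixes()


def stale_resolver(customer_route_via: str) -> Optional[str]:
    """Which route the CE address still resolves through once Serial0 is down."""
    rib = build_pe(customer_route_via)
    rib.if_up["Serial0"] = False
    hit = rib.lookup("192.0.2.10")
    return f"{hit.prefix} via {hit.interface}" if hit else None


if __name__ == "__main__":
    for via in ("next_hop", "interface"):
        print(via, "->", customer_route_survives_link_down(via), stale_resolver(via))
```

Run it and the next-hop variant reports the /29 as still active, resolving through 192.0.2.0/24 on Loopback0, which is exactly the route a PE would keep announcing into its IGP after the customer link died; the interface variant drops the /29 together with Serial0. Real IOS resolution has more knobs than this sketch, but the dependency it shows is the one that matters for ip unnumbered.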
From gert at greenie.muc.de Sat Feb 7 01:14:41 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 7 Feb 2009 07:14:41 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <498CA54C.4010400@evaristesys.com>
References: <498B7DC5.7060803@justinshore.com> <498B96F3.8060204@evaristesys.com> <20090206094056.GD290@greenie.muc.de> <498CA54C.4010400@evaristesys.com>
Message-ID: <20090207061441.GL290@greenie.muc.de>

Hi,

On Fri, Feb 06, 2009 at 04:02:04PM -0500, Alex Balashov wrote:
> >(If you do this, ICMPs sourced by the remote router will send their
> >packets with an RFC1918 source address, which is strictly not allowed.
> >If you filter those packets, you'll break traceroute and PMTUd).
>
> I find that to be OK. :)

Breaking PMTUd is OK? Thanks very much.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From sthaug at nethelp.no Sat Feb 7 03:10:12 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sat, 07 Feb 2009 09:10:12 +0100 (CET)
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090207061441.GL290@greenie.muc.de>
References: <20090206094056.GD290@greenie.muc.de> <498CA54C.4010400@evaristesys.com> <20090207061441.GL290@greenie.muc.de>
Message-ID: <20090207.091012.74683792.sthaug@nethelp.no>

> > >(If you do this, ICMPs sourced by the remote router will send their
> > >packets with an RFC1918 source address, which is strictly not allowed.
> > >If you filter those packets, you'll break traceroute and PMTUd).
> >
> > I find that to be OK. :)
>
> Breaking PMTUd is OK? Thanks very much.
We block RFC1918 source addresses at our borders. This is not negotiable. If it breaks PMTUd because some operator used 1918 addresses on links, too bad...

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From gert at greenie.muc.de Sat Feb 7 03:32:15 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 7 Feb 2009 09:32:15 +0100
Subject: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
In-Reply-To: <20090207.091012.74683792.sthaug@nethelp.no>
References: <20090206094056.GD290@greenie.muc.de> <498CA54C.4010400@evaristesys.com> <20090207061441.GL290@greenie.muc.de> <20090207.091012.74683792.sthaug@nethelp.no>
Message-ID: <20090207083215.GP290@greenie.muc.de>

Hi,

On Sat, Feb 07, 2009 at 09:10:12AM +0100, sthaug at nethelp.no wrote:
> > Breaking PMTUd is OK? Thanks very much.
>
> We block RFC1918 source addresses at our borders. This is not
> negotiable. If it breaks PMTUd because some operator used 1918
> addresses on links, too bad...

In case my opinion on this was not obvious (I received some private e-mail concerning doubts): I'm very much opposed to breaking PMTUd or traceroutes by using RFC1918 addresses on links.

(If you can get your routers to source ICMPs from global addresses, then I have no issue with the RFC1918 part on the transfer networks - but ICMP is important, and breaking it is bad).

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
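The exchange above, and Mike's later thread in this archive ("setting source address for icmp messages"), both turn on one failure mode: a router that sources "fragmentation needed" from an RFC 1918 link address, behind a border that drops RFC 1918 sources, leaves a DF-set sender with no signal at all. The Python below is an added example, not code from the list or from any poster; the hop list, the addresses and the simplified probing loop are constructed for illustration, and the only thing that differs between the two sample paths is the address the DS1 hop stamps on its ICMP.

```python
"""Toy path-MTU-discovery walk: shows how a 'no RFC 1918 sources' border
filter turns a hop that sources ICMP from a private address into a black
hole. Added example; hops and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The three RFC 1918 ranges a border ACL typically drops on ingress.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Hop:
    name: str
    link_mtu: int       # MTU of this hop's outgoing link
    icmp_source: str    # address the router stamps on ICMP it originates


@dataclass(frozen=True)
class FragNeeded:
    """ICMP type 3 code 4, reduced to the two fields this model needs."""
    src: str
    next_hop_mtu: int


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def passes_border_filter(msg: FragNeeded) -> bool:
    """Ingress ACL at the sender's edge: drop anything with a private source."""
    return not is_rfc1918(msg.src)


def pmtud_walk(initial_mtu: int, path: List[Hop],
               filter_bogons: bool = True, max_rounds: int = 16) -> Optional[int]:
    """Simulate a DF-set sender probing the path.

    Returns the discovered path MTU, or None when the sender never receives
    the FragNeeded it needs because the filter ate it: a PMTU black hole,
    where DF packets above the real MTU are dropped in silence."""
    mtu = initial_mtu
    for _ in range(max_rounds):
        # First hop whose link cannot carry the current packet size.
        blocking = next((h for h in path if h.link_mtu < mtu), None)
        if blocking is None:
            return mtu  # packets of this size cross the whole path
        reply = FragNeeded(src=blocking.icmp_source, next_hop_mtu=blocking.link_mtu)
        if filter_bogons and not passes_border_filter(reply):
            return None  # sender keeps retransmitting at 'mtu' and never learns
        mtu = reply.next_hop_mtu
    return None


# Constructed sample paths: same topology, differing only in the address the
# DS1 hop uses to source its ICMP (a 10/8 link address vs. a global loopback).
PATH_PRIVATE_SOURCE = [
    Hop("pe-uplink", 1500, "203.0.113.1"),
    Hop("ds1-to-ce", 1400, "10.1.1.1"),
    Hop("ce-lan", 1500, "198.51.100.1"),
]
PATH_GLOBAL_SOURCE = [
    Hop("pe-uplink", 1500, "203.0.113.1"),
    Hop("ds1-to-ce", 1400, "203.0.113.9"),   # e.g. ICMP sourced from Loopback0
    Hop("ce-lan", 1500, "198.51.100.1"),
]


def compare_paths() -> dict:
    """Discovered MTU for each case; None marks the black hole."""
    return {
        "private_source_filtered": pmtud_walk(1500, PATH_PRIVATE_SOURCE),
        "private_source_unfiltered": pmtud_walk(1500, PATH_PRIVATE_SOURCE, filter_bogons=False),
        "global_source_filtered": pmtud_walk(1500, PATH_GLOBAL_SOURCE),
    }


if __name__ == "__main__":
    for case, result in compare_paths().items():
        print(f"{case}: {'BLACK HOLE' if result is None else result}")
```

The unfiltered run discovers 1400 through the private-addressed hop, so the operator who numbers links from 10/8 sees nothing wrong from inside the network; the damage only appears at a remote site whose border drops the reply, which is why the two positions in the thread (filter bogons at the border, and source ICMP from global addresses) are compatible rather than opposed.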
From llc at dansketelecom.com Sat Feb 7 10:20:50 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Sat, 7 Feb 2009 16:20:50 +0100
Subject: [c-nsp] L2TPv3 password keeps changing
Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F41D@mail.office.dansketelecom.com>

Hi all,

When configuring L2TPv3 on one of our routers, I've noticed that the password keeps changing all the time, even though the configuration has not been altered. The router is a 1811 running 12.4(6)T11 Advanced IP Services.

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292

From ross at kallisti.us Sat Feb 7 10:50:09 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Sat, 7 Feb 2009 10:50:09 -0500
Subject: [c-nsp] IDS Recommendations - Cisco?
In-Reply-To: <006501c988ba$73c58970$5b509c50$@org>
References: <000001c988a4$42d8fa60$c88aef20$@org> <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com> <006501c988ba$73c58970$5b509c50$@org>
Message-ID: <20090207155009.GA407@kallisti.us>

On Fri, Feb 06, 2009 at 07:24:34PM -0500, Paul Stewart wrote:
> A good example to paint a picture here is that some of these servers are for
> web hosting. If a client uploads a php script (example) that has a
> vulnerability we would like the IDS to trip on it - again we can't have the
> world but that's kind of what I have in mind.

It's a good thought, but watch your session count. All of the devices have limits as to the number of sessions they can handle. When that's exhausted, expect to be offline.

I also work in hosting, and I have to say, the IDP is a great tool. But there's nothing we could find that grew in performance with the size of our installation.

> I could think of many more scenarios but at a high level I'm looking for
> vendor/product recommendations based on actual usage if possible.
If you know your traffic and session levels well, and you want to do inline blocking, the Juniper ISG with integrated IDP modules are pretty great tools. You use NSM to write usual firewall policy, some rules can optionally have IDP processing enabled. Very granular.

Like I said - I abandoned it. Our hosting grew much faster than their performance could. Monitoring the session and traffic levels of the blades was always awkward, and we didn't have such good ideas of our traffic/session levels.

Finally, remember that your IDP will be the weakest link in the network. A firewall is a bad enough single point of failure (ie, having a session table that can be attacked), the IDP is many times worse because of the level of processing it requires for each session. So more power to you - but be very careful, or be prepared for some pain.

All of the IDP implementations we do today are passive.

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From razor at meganet.net Sat Feb 7 18:49:57 2009
From: razor at meganet.net (Paul A)
Date: Sat, 7 Feb 2009 18:49:57 -0500
Subject: [c-nsp] learned routes disappear
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net> <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan>
Message-ID: <012c01c9897e$c8051270$580f3750$@net>

Hi Michael, it seems as I look more and more into this, mind you I'm no bgp expert, I think what is happening might be normal iBGP behavior.

Here's how the network is set up. Router A (customer) connects to router B (my router). Router B is connected to router C (my 2nd router) over iBGP.

My BGP customer advertises 5 routes. The router directly connected to my customer's bgp router (Router A) shows all 5 routes when I do a (sh ip bgp sum).
Router C (my 2nd router, iBGP) only shows these 5 routes when I type "show ip bgp sum" for about 1:15 to 1:30 minutes, then the routes disappear from State/PfxRcd.

When I do a show ip bgp on router B for one of the received routes from router A (cust router) it says:

Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Multipath: iBGP
  Not advertised to any peer

The second best route being from my customer (router A) and the 1st best route being from Router C (my second iBGP router).

Now on Router C, where I'm confused, when I do show ip bgp for the same route I see:

Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1

Both routes being from my two upstreams on that router.

My confusion is when I do a show ip bgp sum I see 5 routes under State/PfxRcd then after a minute or two they disappear. Is this normal iBGP behavior? Are the routes listed under State/PfxRcd only routes that are inserted in the routing table?

From: Michael K. Smith - Adhost [mailto:mksmith at adhost.com]
Sent: Friday, February 06, 2009 3:47 PM
To: Paul A
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] learned routes disappear

Hello Paul:

> > Paul A wrote:
> > Hi, I'm having a bgp issue I can't figure out and hoping someone has run
> > into this.
> >
> > I have two routers, router A and router B doing bgp.
> >
> > Router A is advertising 5 routes to router B, when the session 1st comes up,
> > router B has 5 routes received from router A. After 1:15 min the learned
> > routes on router B disappear.
> >

How are the routes getting into BGP? Are they coming in via tie-down routes in the IGP somewhere? Could it be that you have an IGP failure of some sort such that the routes are being withdrawn legitimately?
Regards,

Mike

From zivl at gilat.net Sun Feb 8 04:06:07 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 8 Feb 2009 11:06:07 +0200
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <498BB7B6.9010509@tiedyenetworks.com>
References: <498BB7B6.9010509@tiedyenetworks.com>
Message-ID:

Most recent IOS (last 2-3 years) certainly support the option to put everything on the fly on one line, for example:

ping 1.1.1.1 source loopback0 repeat 1000 size 512 timeout 2 validate df-bit etc, etc...

A command followed by a question mark is always helpful, a lot of commands can be "extended" on a single command line

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
Sent: Friday, February 06, 2009 6:08 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] setting source address for icmp messages

Hello,

I'm trying to learn how to get my 7204vxr to not send icmp messages with the source ip of the interface the message is being sent out. I have a public ip on my loopback and thought this was what ios preferred if it exists? I have some other interfaces which have 10.x.x.x addresses and icmp messages like host unreachable and such are sourced from this which is undesirable due to inbound filtering at many sites at their gateways for rfc1918 and other bogon addresses.

Am I being silly to want this or is there something I can do to get my way here?

Tks.

Mike-

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
From mike-cisconsplist at tiedyenetworks.com Sun Feb 8 18:28:12 2009
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Sun, 08 Feb 2009 15:28:12 -0800
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To:
References: <498BB7B6.9010509@tiedyenetworks.com>
Message-ID: <498F6A8C.80108@tiedyenetworks.com>

No. I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.

Ziv Leyes wrote:
> Most recent IOS (last 2-3 years) certainly support the option to put everything on the fly on one line, for example:
>
> ping 1.1.1.1 source loopback0 repeat 1000 size 512 timeout 2 validate df-bit etc, etc...
>
> A command followed by a question mark is always helpful, a lot of commands can be "extended" on a single command line
>
> Ziv
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
> Sent: Friday, February 06, 2009 6:08 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] setting source address for icmp messages
>
> Hello,
>
> I'm trying to learn how to get my 7204vxr to not send icmp messages with
> the source ip of the interface the message is being sent out. I have a
> public ip on my loopback and thought this was what ios preferred if it
> exists?
> I have some other interfaces which have 10.x.x.x addresses and
> icmp messages like host unreachable and such are sourced from this which
> is undesirable due to inbound filtering at many sites at their gateways
> for rfc1918 and other bogon addresses.
>
> Am I being silly to want this or is there something I can do to get my
> way here?
>
> Tks.
>
> Mike-

From illcritikz at gmail.com Sun Feb 8 18:56:42 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 9 Feb 2009 10:26:42 +1030
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
Message-ID: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>

Howdy,

I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.

Cheers

Ben

From deric.kwok2000 at gmail.com Sun Feb 8 19:08:23 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Sun, 8 Feb 2009 19:08:23 -0500
Subject: [c-nsp] vlan needs help
Message-ID: <40d8a95a0902081608y51452910w500e31c7f5f015a5@mail.gmail.com>

Hi

I try to configure vlan in switch 4948

eg:
port1 and port2 unchanged
port3-port15 vlan2
port16 to port24 vlan3

When I try to connect this 4948 switch (eg: port 4) to another upstream switch, machines eg: 192.168.0.100 in upstream switch can't ping to machine eg: 192.168.0.222 in port3 or port15 of 4948

I check the light in those ports connected are flashing.

I also setup ip in int vlan2 as 192.168.0.30 as same network but it still won't work

Do I need to setup anything to make it work?

Thank you

From masood at nexlinx.net.pk Sun Feb 8 19:19:42 2009
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Mon, 9 Feb 2009 05:19:42 +0500
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
Message-ID: <015a01c98a4c$1ecd04f0$5c670ed0$@net.pk>

Yea it is hot-swappable. You must install the Switch Fabric Module in either slot 5 or slot 6 of the Catalyst 6506 switch. For redundancy, you can install a standby Switch Fabric Module. The module first installed functions as the primary module.
When you install two Switch Fabric Modules at the same time, the module in slot 5 acts as the primary module, and the module in slot 6 acts as the backup. If you reset the module in slot 5, the module in slot 6 becomes the primary module.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Monday, February 09, 2009 4:57 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?

Howdy,

I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.

Cheers

Ben

From illcritikz at gmail.com Sun Feb 8 19:32:40 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 9 Feb 2009 11:02:40 +1030
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <015a01c98a4c$1ecd04f0$5c670ed0$@net.pk>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <015a01c98a4c$1ecd04f0$5c670ed0$@net.pk>
Message-ID: <4422cf660902081632o1179998rd6036025c928e0fb@mail.gmail.com>

Thank you for cut and pasting the information from Cisco that I've already read :)

Seriously though, that doesn't answer my question.

On Mon, Feb 9, 2009 at 10:49 AM, Masood Ahmad Shah wrote:
> Yea it is hot-swappable. You must install the Switch Fabric Module in
> either slot 5 or slot 6 of the Catalyst 6506 switch.
> For redundancy, you can
> install a standby Switch Fabric Module. The module first installed functions
> as the primary module. When you install two Switch Fabric Modules at the
> same time, the module in slot 5 acts as the primary module, and the module
> in slot 6 acts as the backup. If you reset the module in slot 5, the module
> in slot 6 becomes the primary module.
>
> Regards,
> Masood
> Blog: http://weblogs.com.pk/jahil/
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
> Sent: Monday, February 09, 2009 4:57 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
>
> Howdy,
> I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2
> obviously), can't seem to find any info on Cisco as to the consequences this
> may have to traffic flowing through the Bus at the time (ie dropped packet
> rates), and I want to know if the modules go from using Bus only backplane
> to crossbar as soon as the module initiates or whether a reload would
> actually be required for this.
>
> Cheers
>
> Ben

From rubensk at gmail.com Sun Feb 8 20:36:33 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Sun, 8 Feb 2009 23:36:33 -0200
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
Message-ID: <6bb5f5b10902081736j61899799i7eed2e6e07216779@mail.gmail.com>

Remember that full SFM usage requires all modules to be fabric-enabled.
If there are any line cards that aren't fabric enabled, all traffic will still go thru the bus, doesn't matter if it is an OIR or from power-up.

Your question is if this OIR stands for Online Insertion and Removal or for Online Insertion and Reboot... although I don't know the answer, what I saw over the years is that even if it doesn't require a reboot, you will want to do one, because any issues you will have after that will make you wonder whether it's due to OIR or not, so you will end up rebooting anyway.

So, reboot while you have a planned window to do so, not when you are under pressure.

Rubens

On Sun, Feb 8, 2009 at 9:56 PM, Ben Steele wrote:
> Howdy, I'm looking for some info on the insertion of a SFM into a live 6500(Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time(ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.
>
> Cheers
>
> Ben

From illcritikz at gmail.com Sun Feb 8 21:25:45 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 9 Feb 2009 12:55:45 +1030
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <6bb5f5b10902081736j61899799i7eed2e6e07216779@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <6bb5f5b10902081736j61899799i7eed2e6e07216779@mail.gmail.com>
Message-ID: <4422cf660902081825l27c4a7e9ta96b75a58509df22@mail.gmail.com>

Thanks Rubens, I'm aware of the line card requirements to operate in full compact mode; what I'm really interested in is whether, during the insertion of the module, there are any dropped packets while the cards move from a Bus switching mode to compact switching.

On Mon, Feb 9, 2009 at 12:06 PM, Rubens Kuhl wrote:
> Remember that full SFM usage requires all modules to be fabric-enabled. If there are any line cards that aren't fabric enabled, all traffic will still go thru the bus, doesn't matter if it is an OIR or from power-up.
>
> Your question is if this OIR stands for Online Insertion and Removal or for Online Insertion and Reboot... although I don't know the answer, what I saw over the years is that even if it doesn't require a reboot, you will want to do one, because any issues you will have after that will make you wonder whether it's due to OIR or not, so you will end up rebooting anyway.
>
> So, reboot while you have a planned window to do so, not when you are under pressure.
>
> Rubens
>
> On Sun, Feb 8, 2009 at 9:56 PM, Ben Steele wrote:
> > Howdy, I'm looking for some info on the insertion of a SFM into a live 6500(Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time(ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.
> > Cheers
> >
> > Ben

From mtinka at globaltransit.net Sun Feb 8 23:10:01 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 9 Feb 2009 12:10:01 +0800
Subject: [c-nsp] vlan needs help
Message-ID: <200902091210.06334.mtinka@globaltransit.net>

On Monday 09 February 2009 08:08:23 am Deric Kwok wrote:
> When I try to connect this 4948 switch (eg: port 4) to another upstream switch, machines eg: 192.168.0.100 in upstream switch can't ping to machine eg: 192.168.0.222 in port3 or port15 of 4948

Is the connection between both switches configured as an 802.1Q trunk? If so, make sure you're allowing all VLAN IDs across this trunk (to check that things are working first, then filter if necessary).

Is the VLAN ID between both switches for this subnet the same?

Do you have the VLAN IDs configured in the VLAN database of either switch (I think later code does this automatically when a VLAN ID is assigned to a port, but I can't be sure how universal this is)?

Cheers,
Mark.

From link at pobox.com Mon Feb 9 01:13:51 2009
From: link at pobox.com (Terje Bless)
Date: Mon, 9 Feb 2009 07:13:51 +0100
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081825l27c4a7e9ta96b75a58509df22@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <6bb5f5b10902081736j61899799i7eed2e6e07216779@mail.gmail.com> <4422cf660902081825l27c4a7e9ta96b75a58509df22@mail.gmail.com>
Message-ID: <47ac005a0902082213o7e6f9acdw5bfb4873467773df@mail.gmail.com>

On Mon, Feb 9, 2009 at 3:25 AM, Ben Steele wrote:
> Thanks Rubens, I'm aware of the line card requirements to operate in full compact mode, my question I'm really interested in is during the insertion of the module are there any dropped packets while the cards move from a Bus switching mode to compact switching.

It's been a while so my mind may be playing tricks on me, but as I recall the box hiccups a bit while it does its backplane sync magic and then continues on its merry way. Depending on timing and your traffic patterns this event may or may not rate as "noticeable" to your users.

Note that I can't swear that my recollection reflects inserting a new SFM into a box currently in bus mode (as opposed to swapping out an existing SFM), so YMMV.

I'll echo the recommendation to schedule downtime and reload the box just to be sure.

-link

From oboehmer at cisco.com Mon Feb 9 02:27:28 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 9 Feb 2009 08:27:28 +0100
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <498F6A8C.80108@tiedyenetworks.com>
References: <498BB7B6.9010509@tiedyenetworks.com> <498F6A8C.80108@tiedyenetworks.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>

Mike <> wrote on Monday, February 09, 2009 00:28:
> No.
>
> I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
I don't think this can be done..

oli

From oboehmer at cisco.com Mon Feb 9 02:32:04 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 9 Feb 2009 08:32:04 +0100
Subject: [c-nsp] learned routes disappear
In-Reply-To: <012c01c9897e$c8051270$580f3750$@net>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net> <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan> <012c01c9897e$c8051270$580f3750$@net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C5@xmb-ams-333.emea.cisco.com>

Paul,

looks like you're preferring the route from the upstream over your customer's advertisement (for whatever reason), so it is expected that Router B is not advertising the path received from your customer/Router A.

You are correct: The PfxRcd counter in "show ip bgp sum" only shows the best paths, you need to look at "show ip bgp neighbor x.x.x.x" (or "show ip bgp neighbor x.x.x.x routes") to see all paths..

oli

Paul A <> wrote on Sunday, February 08, 2009 00:50:
> Hi Michael,
>
> it seems as I look more and more into this, mind you I'm no bgp expert, I think what is happening might be normal iBGP behavior.
>
> Here's how the network is setup.
>
> Router A (customer) which connects to router B (my router). Router B is connected to router C (my 2nd router) over iBGP.
>
> My BGP customer advertises 5 routes. The router directly connected to my customer's bgp router (Router A) shows all 5 routes when I do a (sh ip bgp sum).
>
> Router C (my 2nd router iBGP) only shows these 5 routes when I type "show ip bgp sum" for about 1:15 to 1:30 minutes, then the routes disappear from State/PfxRcd.
> When I do a show ip bgp on router B for one of the received routes from router A (cust router) it says:
>
> Paths: (2 available, best #1, table Default-IP-Routing-Table)
> Multipath: iBGP
> Not advertised to any peer
>
> The second best route being from my customer (router A) and the 1st best route being from Router C (my second iBGP router)
>
> Now on Router C, where I'm confused, when I do show ip bgp for the same route I see:
>
> Paths: (2 available, best #1, table Default-IP-Routing-Table)
> Advertised to update-groups:
> 1
>
> Both routes being from my two up streams on that router.
>
> My confusion is when I do a show ip bgp sum address> I see 5 routes under State/PfxRcd then after a minute or two they disappear.
>
> Is this normal ibgp behavior? Are the routes listed under State/PfxRcd only routes that are inserted in the routing table?
>
> From: Michael K. Smith - Adhost [mailto:mksmith at adhost.com]
> Sent: Friday, February 06, 2009 3:47 PM
> To: Paul A
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] learned routes disappear
>
> Hello Paul:
>
>> Paul A wrote:
>>> Hi, I'm having a bgp issue I can't figure out and hoping someone has run into this.
>>>
>>> I have two routers, router A and router B doing bgp.
>>>
>>> Router A is advertising 5 routes to router B, when the session 1st comes up, router B has 5 routes received from router A. After 1:15 min the learned routes on router B disappear.
>>>
> How are the routes getting into BGP? Are they coming in via tie-down routes in the IGP somewhere? Could it be that you have an IGP failure of some sort such that the routes are being withdrawn legitimately?
> Regards,
>
> Mike

From gert at greenie.muc.de Mon Feb 9 02:50:21 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 9 Feb 2009 08:50:21 +0100
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
Message-ID: <20090209075021.GW290@greenie.muc.de>

Hi,

On Mon, Feb 09, 2009 at 10:26:42AM +1030, Ben Steele wrote:
> I'm looking for some info on the insertion of a SFM into a live 6500(Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time(ie dropped packet rates), and I want to know if the modules go from using Bus only backplane to crossbar as soon as the module initiates or whether a reload would actually be required for this.

I've never done this, so I can't speak from personal experience. Judging from the overall way the box decides how to do switching ("if there is a 3A DFC in the system, all 3B PFCs fall back to 3A mode, and you need a reload to get it back to 3B"), my guess would be "you can insert it just fine, but it won't be used for switching unless you reload".

So I'd schedule a maintenance window with downtime.

I'm looking forward to hearing about your experiences, though :-)

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From peter at rathlev.dk Mon Feb 9 04:07:20 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 09 Feb 2009 10:07:20 +0100
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com>
Message-ID: <1234170440.3420.13.camel@localhost.localdomain>

On Mon, 2009-02-09 at 10:26 +1030, Ben Steele wrote:
> I'm looking for some info on the insertion of a SFM into a live 6500(Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time(ie dropped packet rates),

Just to chime in with more non-certain knowledge: When doing OIR the box does a "bus stall" AFAIK. This happens between when the pins start connecting and when all pins are connected.

If this were to not cause any lost packets, the modules would have to buffer while the bus stall is in effect and retransmit whatever was on the wire when it happened. I don't think they do.

Regards,
Peter

From achatz at forthnet.gr Mon Feb 9 04:10:33 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 09 Feb 2009 11:10:33 +0200
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>
References: <498BB7B6.9010509@tiedyenetworks.com> <498F6A8C.80108@tiedyenetworks.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>
Message-ID: <498FF309.8010105@forthnet.gr>

I believe that with a little bit of local PBR and NAT magic it can be done. I'm sure I've done it in the past for traceroute "time-exceeded/port-unreachable" locally generated messages. But I don't know if it's worth the hassle.
--
Tassos

Oliver Boehmer (oboehmer) wrote on 09/02/2009 09:27:
> Mike <> wrote on Monday, February 09, 2009 00:28:
>
>> No.
>>
>> I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
>
> I don't think this can be done..
>
> oli

From illcritikz at gmail.com Mon Feb 9 04:32:50 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 9 Feb 2009 20:02:50 +1030
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <1234170440.3420.13.camel@localhost.localdomain>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <1234170440.3420.13.camel@localhost.localdomain>
Message-ID: <4422cf660902090132x7bc04294s5446e10007298e0c@mail.gmail.com>

Thanks for all the replies, personally I'm thinking it will be a few second hiccup like you often get with OIR then on its way again, but the fact I'm changing how the underlying switch fabric works with this makes it more interesting... I've scheduled an outage for this Sunday evening so I will let you all know how it goes.

Cheers

Ben

On Mon, Feb 9, 2009 at 7:37 PM, Peter Rathlev wrote:
> On Mon, 2009-02-09 at 10:26 +1030, Ben Steele wrote:
> > I'm looking for some info on the insertion of a SFM into a live 6500(Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time(ie dropped packet rates),
>
> Just to chime in with more non-certain knowledge: When doing OIR the box does a "bus stall" AFAIK.
> This happens between when the pins start connecting and when all pins are connected.
>
> If this were to not cause any lost packets, the modules would have to buffer while the bus stall is in effect and retransmit whatever was on the wire when it happened. I don't think they do.
>
> Regards,
> Peter

From jmaimon at ttec.com Mon Feb 9 07:11:54 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Mon, 09 Feb 2009 07:11:54 -0500
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>
References: <498BB7B6.9010509@tiedyenetworks.com> <498F6A8C.80108@tiedyenetworks.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com>
Message-ID: <49901D8A.1090100@ttec.com>

Oliver Boehmer (oboehmer) wrote:
> Mike <> wrote on Monday, February 09, 2009 00:28:
>
>> No.
>>
>> I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
>
> I don't think this can be done..
>
> oli

Of course it can be done, it's just really inelegant and requires nat, which is problematic for many.
It sure would be nice were it to be a nice feature such as control-plane nat or an interface level command such as

ip icmp source-interface loopback10

From oboehmer at cisco.com Mon Feb 9 07:15:47 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 9 Feb 2009 13:15:47 +0100
Subject: [c-nsp] setting source address for icmp messages
In-Reply-To: <49901D8A.1090100@ttec.com>
References: <498BB7B6.9010509@tiedyenetworks.com> <498F6A8C.80108@tiedyenetworks.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C2@xmb-ams-333.emea.cisco.com> <49901D8A.1090100@ttec.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5CB7B@xmb-ams-333.emea.cisco.com>

Joe Maimon wrote on Monday, February 09, 2009 13:12:
> Oliver Boehmer (oboehmer) wrote:
>> Mike <> wrote on Monday, February 09, 2009 00:28:
>>
>>> No.
>>>
>>> I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
>>
>> I don't think this can be done..
>>
>> oli
>
> Of course it can be done, it's just really inelegant and requires nat, which is problematic for many.

Sorry, you are right of course, I was referring to a config knob instead of ugly/complicated NAT/PBR/etc. hacks..

> It sure would be nice were it to be a nice feature such as control-plane nat or an interface level command such as
>
> ip icmp source-interface loopback10

that would be a nice way of doing this, a global knob sounds too scary to me..
oli

From Michael.Robson at manchester.ac.uk Mon Feb 9 07:41:06 2009
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Mon, 9 Feb 2009 12:41:06 +0000
Subject: [c-nsp] 6500 card compatibility
Message-ID: <53569A15-0B4D-4D59-84C3-4174D852372E@manchester.ac.uk>

As I understand it, the WS-X6182-2PA 2 port adapter FlexWAN (with PA-POS-OC3SMI 155 SDH Daughter Card inserted) is not compatible with a 6500E/sup720-3b setup: can anyone confirm or refute this?

Thanks,
Michael

From cisco-nsp at tracker.fire-world.de Mon Feb 9 07:45:47 2009
From: cisco-nsp at tracker.fire-world.de (Sebastian Wiesinger)
Date: Mon, 9 Feb 2009 13:45:47 +0100
Subject: [c-nsp] Cisco 4900M and QinQ
Message-ID: <20090209124547.GA16723@danton.fire-world.de>

Hi,

does anyone have a working QinQ tunnel on a Cisco 4900M? I tried it in the lab with 12.2(50)SG Enterprise Services SSH and it didn't work. Setup like this:

[Node 1]---trunk---[4900M]===dot1q-tunnel===[3550]---trunk---[Node 2]

l2protocol-tunnel enabled for cdp/stp/vtp

The symptoms were: Node 1 has the mac-address of Node 2 in the cam table. Node 2 DOESN'T have the mac-address of Node 1. The cam table on the 4900M doesn't show any entries on the dot1q-tunnel interface to Node 1.

The funny thing: Node 1 DOESN'T have a cdp neighbor entry for Node 2. Node 2 does have a cdp neighbor entry for Node 1. This is the opposite to the mac address symptoms. :)

Consequently a ping between the two nodes times out.

Can anyone confirm this? When I replace the 4900M with a 3550 the QinQ works instantly.

Kind Regards,
Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From skoal at skoal.name Mon Feb 9 08:59:33 2009
From: skoal at skoal.name (Gergely Antal)
Date: Mon, 09 Feb 2009 14:59:33 +0100
Subject: [c-nsp] Lab setup
Message-ID: <499036C5.9010807@skoal.name>

Hi all

I want to build a lab setup for education purposes and I have 2 7206 VXR's and each of them has a PA-POS-2OC3 card. Is it somehow possible to cross-connect these cards or do I need some active equipment for this?

From razor at meganet.net Mon Feb 9 09:44:03 2009
From: razor at meganet.net (Paul A)
Date: Mon, 9 Feb 2009 09:44:03 -0500
Subject: [c-nsp] learned routes disappear
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C5@xmb-ams-333.emea.cisco.com>
References: <033401c98877$dfe851c0$9fb8f540$@net> <498C75E9.50809@rainierconnect.net> <000801c98883$03f8a550$0be9eff0$@net> <17838240D9A5544AAA5FF95F8D520316057BF4DC@ad-exh01.adhost.lan> <012c01c9897e$c8051270$580f3750$@net> <70B7A1CCBFA5C649BD562B6D9F7ED78406D5C8C5@xmb-ams-333.emea.cisco.com>
Message-ID: <00db01c98ac4$da35ecc0$8ea1c640$@net>

Thanks for the reply Oli.

-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
Sent: Monday, February 09, 2009 2:32 AM
To: Paul A; Michael K. Smith - Adhost
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] learned routes disappear

Paul,

looks like you're preferring the route from the upstream over your customer's advertisement (for whatever reason), so it is expected that Router B is not advertising the path received from your customer/Router A.

You are correct: The PfxRcd counter in "show ip bgp sum" only shows the best paths, you need to look at "show ip bgp neighbor x.x.x.x" (or "show ip bgp neighbor x.x.x.x routes") to see all paths..
oli

From jml at packetpimp.org Mon Feb 9 09:20:45 2009
From: jml at packetpimp.org (Jason LeBlanc)
Date: Mon, 09 Feb 2009 09:20:45 -0500
Subject: [c-nsp] Rancid and commercial config management tools
Message-ID: <49903BBD.9020000@packetpimp.org>

+1 I really like Opsware.

Ramcharan, Vijay A wrote:
> We use Opsware NAS. I haven't configured it or anything but it is quite commercial and can do nice things like configuration checks against a standard policy, notifications of config changes, config automation and things like that.
>
> Vijay Ramcharan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
> Sent: February 05, 2009 16:57
> To: Cisco-NSP Mailing List
> Subject: [c-nsp] Rancid and commercial config management tools
>
> I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
> Thanks,
>
> Joe Loiacono

From jmplank at gmail.com Mon Feb 9 10:49:30 2009
From: jmplank at gmail.com (Jason Plank)
Date: Mon, 9 Feb 2009 10:49:30 -0500
Subject: [c-nsp] Rancid and commercial config management tools

I'm a huge fan of Cirrus by Solarwinds. It works very well. They integrated it into Solarwinds.. which can be either good or bad. Depends on how you look at it :) I'm not sure if you can still get a standalone version, but since it uses a sql database it's easy to backup.

On Thu, Feb 5, 2009 at 4:57 PM, Joe Loiacono wrote:
> I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
>
> Thanks,
>
> Joe Loiacono

--
Jason Plank (CCIE #16560)

From clinton at scripty.com Mon Feb 9 12:27:25 2009
From: clinton at scripty.com (Clinton Work)
Date: Mon, 09 Feb 2009 10:27:25 -0700
Subject: [c-nsp] Lab setup
In-Reply-To: <499036C5.9010807@skoal.name>
References: <499036C5.9010807@skoal.name>
Message-ID: <4990677D.3060506@scripty.com>

You can connect the cards back to back and they should work fine. Just a couple of notes:

a) Set both POS interfaces to "clock source internal" because there is no network clock in a back to back configuration.
b) Looks like the POM-OC3-MM and POM-OC3-SMIR optics are safe in a back to back configuration without optical pads. If you are using the POM-OC3-SMLR you will need at least 10db pads on a short fiber patch.

c) Make sure to cross over the transmit/receive on the back to back fiber patch cables.

Clinton.

Gergely Antal wrote:
> Hi all
>
> I want to build a lab setup for education purposes and I have 2 7206 VXR's and each of them has a PA-POS-2OC3 card. Is it somehow possible to cross-connect these cards or do I need some active equipment for this?

From simon at slimey.org Mon Feb 9 12:30:31 2009
From: simon at slimey.org (Simon Lockhart)
Date: Mon, 9 Feb 2009 17:30:31 +0000
Subject: [c-nsp] Lab setup
In-Reply-To: <4990677D.3060506@scripty.com>
References: <499036C5.9010807@skoal.name> <4990677D.3060506@scripty.com>
Message-ID: <20090209173031.GR11420@virtual.bogons.net>

On Mon Feb 09, 2009 at 10:27:25AM -0700, Clinton Work wrote:
> a) Set both POS interfaces to "clock source internal" because there is no network clock in a back to back configuration.

Surely if you're connecting back to back you want "clock source internal" on one end, and "clock source network" on the other end - otherwise you've got two free running clocks which might be in sync, or might not...

Simon

From petelists at templin.org Mon Feb 9 12:34:19 2009
From: petelists at templin.org (Pete Templin)
Date: Mon, 09 Feb 2009 11:34:19 -0600
Subject: [c-nsp] Lab setup
In-Reply-To: <20090209173031.GR11420@virtual.bogons.net>
References: <499036C5.9010807@skoal.name> <4990677D.3060506@scripty.com> <20090209173031.GR11420@virtual.bogons.net>
Message-ID: <4990691B.4020507@templin.org>

Simon Lockhart wrote:
> On Mon Feb 09, 2009 at 10:27:25AM -0700, Clinton Work wrote:
>> a) Set both POS interfaces to "clock source internal" because there is no network clock in a back to back configuration.
>
> Surely if you're connecting back to back you want "clock source internal" on one end, and "clock source network" on the other end - otherwise you've got two free running clocks which might be in sync, or might not...

Au contraire. Each side of the POS path is separate, so having both as 'clock source internal' is best.

http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a0080094bb9.shtml

pt

From justin at justinshore.com Mon Feb 9 12:46:32 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 09 Feb 2009 11:46:32 -0600
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>
References: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local>
Message-ID: <49906BF8.2070802@justinshore.com>

Eric Van Tol wrote:
> It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM.

That sucks. Now it will become overpriced and bundled with bloatware vs the inexpensive sleek tool it once was. Might as well have been bought by a well-known 800lbs gorilla.

J

From justin at justinshore.com Mon Feb 9 12:50:54 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 09 Feb 2009 11:50:54 -0600
Subject: [c-nsp] DHCP Binding Expiration
Message-ID: <49906CFE.7040407@justinshore.com>

Manaf Al Oqlah wrote:
> Hi all,
>
> I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I am using DHCP snooping and ARP inspection for security reasons and the lease time expiration is set for 30 minutes and no excluded-address is configured. The problem is that I still can see some clients' IP address lease expirations are Infinite in the DHCP binding! What could be the reason for this behavior, and could this be some sort of attack!!

I get them too. I never have figured out what causes them. So far it hasn't been a big deal for me.
BTW, I'd recommend not using the IOS DHCP server for anything that is more than a convenience at a very small site. I would highly recommend deploying a server-based DHCP server like ISC DHCPd. Lots more bells and whistles to work with. Plus you can have redundancy with the server-based solution. The IOS DHCP server is a fairly stripped down implementation. I don't think it was intended to be used in large environments like a SP's broadband network.

Justin

From cchurc05 at harris.com Mon Feb 9 12:53:43 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 9 Feb 2009 11:53:43 -0600
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49906CFE.7040407@justinshore.com>
References: <49906CFE.7040407@justinshore.com>
Message-ID:

Aren't those BOOTP clients that don't understand the concept of an expiration?

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Monday, February 09, 2009 12:51 PM
To: Manaf Al Oqlah
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DHCP Binding Expiration

Manaf Al Oqlah wrote:
> Hi all,
>
> I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I am using DHCP snooping and ARP inspection for security reasons and the leased time expiration is set for 30 minutes and no excluded-address is configured. The problem is that I still can see some clients IP addresses lease expiration are Infinite in the DHCP binding! what could be the reason for this behavior and could be this some sort of attack!!

I get them too. I never have figured out what causes them. So far it hasn't been a big deal for me.

BTW, I'd recommend not using the IOS DHCP server for anything that is more than a convenience at a very small site. I would highly recommend deploying a server-based DHCP server like ISC DHCPd. Lots more bells and whistles to work with. Plus you can have redundancy with the server-based solution.
The IOS DHCP server is a fairly stripped down implementation. I don't think it was intended to be used in large environments like a SP's broadband network.

Justin

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From chris.flav at yahoo.ca Mon Feb 9 13:01:47 2009
From: chris.flav at yahoo.ca (chris.flav at yahoo.ca)
Date: Mon, 9 Feb 2009 18:01:47 +0000
Subject: [c-nsp] 7200VXR for Session Border Controller
Message-ID: <799300665-1234202468-cardhu_decombobulator_blackberry.rim.net-792359161-@bxe105.bisx.prod.on.blackberry>

Hello,

We are looking to deploy a SBC for SIP subscribers and are looking at using a 7204VXR. We are not needing transcoding facilities but simply forwarding SIP INVITES and signalling to and from a SIP server to subscribers. The documentation regarding the setup of such a system is terse, therefore any pointers to related information or example configs would be appreciated.

Thanks,
C. Flav

From A.L.M.Buxey at lboro.ac.uk Mon Feb 9 13:01:01 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 9 Feb 2009 18:01:01 +0000
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49906CFE.7040407@justinshore.com>
References: <49906CFE.7040407@justinshore.com>
Message-ID: <20090209180101.GA4542@lboro.ac.uk>

Hi,

> BTW, I'd recommend not using the IOS DHCP server for anything that more
> than convenience at a very small site. I would highly recommend
> deploying a server-based DHCP server like ISC DHCPd. Lots more bells a

agreed - DHCP brought our 2600 series routers to their knees.
a quick ISC config sorted things out - and gave us some nice bells and whistles

alan

From A.L.M.Buxey at lboro.ac.uk Mon Feb 9 13:02:06 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 9 Feb 2009 18:02:06 +0000
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To: <49906BF8.2070802@justinshore.com>
References: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local> <49906BF8.2070802@justinshore.com>
Message-ID: <20090209180206.GB4542@lboro.ac.uk>

Hi,

> Eric Van Tol wrote:
>> It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM.
>
> That sucks. Now it will become overpriced and bundled with bloatware vs
> the inexpensive sleek tool it once was. Might as well have been bought
> by a well-known 800lbs gorilla.

..and that's just Kiwi - what'll happen to Solarwinds? ;-)

alan

From paul at paulstewart.org Mon Feb 9 13:15:38 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 9 Feb 2009 13:15:38 -0500
Subject: [c-nsp] IDS Recommendations - Cisco?
In-Reply-To: <20090207155009.GA407@kallisti.us>
References: <000001c988a4$42d8fa60$c88aef20$@org> <1A9866F953006D45AEE0166066114E0915895B59@TPMAIL02.corp.theplatform.com> <006501c988ba$73c58970$5b509c50$@org> <20090207155009.GA407@kallisti.us>
Message-ID: <000b01c98ae2$69d09890$3d71c9b0$@org>

Thanks very much for the reply (and other replies I got to date as well)....

So, you are doing passive monitoring today - would that mean that when your IDP systems alarm that this generates an alert to your NOC for immediate investigation (on a serious issue)?
I'm just wanting to understand your process a bit to see how it might fit into our plans here....;)

Cheers,
Paul

-----Original Message-----
From: Ross Vandegrift [mailto:ross at kallisti.us]
Sent: Saturday, February 07, 2009 10:50 AM
To: Paul Stewart
Cc: 'Gregori Parker'; 'Cisco-nsp'
Subject: Re: [c-nsp] IDS Recommendations - Cisco?

On Fri, Feb 06, 2009 at 07:24:34PM -0500, Paul Stewart wrote:
> A good example to paint a picture here is that some of these servers are for
> web hosting. If a client uploads a php script (example) that has a
> vulnerability we would like the IDS to trip on it - again we can't have the
> world but that's kind of what I have in mind.

It's a good thought, but watch your session count. All of the devices have limits as to the number of sessions they can handle. When that's exhausted, expect to be offline.

I also work in hosting, and I have to say, the IDP is a great tool. But there's nothing we could find that grew in performance with the size of our installation.

> I could think of many more scenarios but at a high level I'm looking for
> vendor/product recommendations based on actual usage if possible.

If you know your traffic and session levels well, and you want to do inline blocking, the Juniper ISG with integrated IDP modules are pretty great tools. You use NSM to write usual firewall policy, some rules can optionally have IDP processing enabled. Very granular.

Like I said - I abandoned it. Our hosting grew much faster than their performance could. Monitoring the session and traffic levels of the blades was always awkward, and we didn't have such good ideas of our traffic/session levels.

Finally, remember that your IDP will be the weakest link in the network. A firewall is a bad enough single point of failure (ie, having a session table that can be attacked), the IDP is many times worse because of the level of processing it requires for each session. So more power to you - but be very careful, or be prepared for some pain.
All of the IDP implementations we do today are passive.

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From b.turnbow at twt.it Mon Feb 9 13:26:02 2009
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 9 Feb 2009 19:26:02 +0100
Subject: [c-nsp] 7200VXR for Session Border Controller
In-Reply-To: <799300665-1234202468-cardhu_decombobulator_blackberry.rim.net-792359161-@bxe105.bisx.prod.on.blackberry>
References: <799300665-1234202468-cardhu_decombobulator_blackberry.rim.net-792359161-@bxe105.bisx.prod.on.blackberry>
Message-ID:

You need to look for unified border element, it used to be multiservice ip to ip gateway. There should be some basic example on the site as well. Here is the configuration guide

http://www.ciscosystems.com/en/US/docs/ios/voice/cube/configuration/guide/12_4t/vb_12_4t_book.html

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chris.flav at yahoo.ca
Sent: Monday 9 February 2009 19.02
To: Cisco NSP
Subject: [c-nsp] 7200VXR for Session Border Controller

Hello,

We are looking to deploy a SBC for SIP subscribers and are looking at using a 7204VXR. We are not needing transcoding facilities but simply forwarding SIP INVITES and signalling to and from a SIP server to subscribers. The documentation regarding the setup of such a system is terse, therefore any pointers to related information or example configs would be appreciated.

Thanks,
C.
Flav

From eric at atlantech.net Mon Feb 9 14:09:37 2009
From: eric at atlantech.net (Eric Van Tol)
Date: Mon, 9 Feb 2009 14:09:37 -0500
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To: <49906BF8.2070802@justinshore.com>
References: <2C05E949E19A9146AF7BDF9D44085B863517B3BBC9@exchange.aoihq.local> <49906BF8.2070802@justinshore.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863517B3BBE5@exchange.aoihq.local>

> -----Original Message-----
> From: Justin Shore [mailto:justin at justinshore.com]
> Sent: Monday, February 09, 2009 12:47 PM
> To: Eric Van Tol
> Cc: Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Rancid and commercial config management tools
>
> Eric Van Tol wrote:
> > It may be worth mentioning that Solarwinds recently purchased Kiwi, and
> > their plan is to integrate some of the Kiwi-specific features into NCM.
>
> That sucks. Now it will become overpriced and bundled with bloatware vs
> the inexpensive sleek tool it once was. Might as well have been bought
> by a well-known 800lbs gorilla.
>
> J

Actually, I cannot speak in certainties, but I don't believe that this is the plan. SW has a long history of purchasing other network management products and continuing development on those product lines, while also taking the backend technology and using it to improve their existing products.

-evt

From justin at justinshore.com Mon Feb 9 14:10:38 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 09 Feb 2009 13:10:38 -0600
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To:
References: <49906CFE.7040407@justinshore.com>
Message-ID: <49907FAE.4050006@justinshore.com>

Church, Charles wrote:
> Aren't those BOOTP clients that don't understand the concept of an
> expiration?
Once when I was curious (and very bored) I tracked a couple of them down. One was a Windows XP machine and the other was a fairly new D-Link router/firewall CPE (which we have hundreds on our network). I don't know if either of them support Bootp but I would expect this problem to come up more often if that was the case. I'm trying to think of what our customers would have on our edges that would support Bootp. Nothing comes to mind. I'm sure you can configure some older clients to do Bootp of course (Macs still support it if you intentionally configure it that way) but no major demographic comes to mind. I can certainly be missing something though.

Justin

From cchurc05 at harris.com Mon Feb 9 14:21:43 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 9 Feb 2009 13:21:43 -0600
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49907FAE.4050006@justinshore.com>
References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com>
Message-ID:

Interesting. Might be fun (in a dorky networking kind of way) to look at a packet capture of it. Maybe the client doesn't like the lease time, or it's tied into DDNS somehow. I looked a bit, and found in the RFC (http://www.faqs.org/rfcs/rfc2131.html) a blurb about lease times:

"The client may ask for a permanent assignment by asking for an infinite lease. Even when assigning "permanent" addresses, a server may choose to give out lengthy but non-infinite leases to allow detection of the fact that the client has been retired."

I've seen those infinite leases before, never cared enough to look into it. Might be interesting to find out why though...

Chuck

-----Original Message-----
From: Justin Shore [mailto:justin at justinshore.com]
Sent: Monday, February 09, 2009 2:11 PM
To: Church, Charles
Cc: Manaf Al Oqlah; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DHCP Binding Expiration

Church, Charles wrote:
> Aren't those BOOTP clients that don't understand the concept of an
> expiration?
Once when I was curious (and very bored) I tracked a couple of them down. One was a Windows XP machine and the other was a fairly new D-Link router/firewall CPE (which we have hundreds on our network). I don't know if either of them support Bootp but I would expect this problem to come up more often if that was the case. I'm trying to think of what our customers would have on our edges that would support Bootp. Nothing comes to mind. I'm sure you can configure some older clients to do Bootp of course (Macs still support it if you intentionally configure it that way) but no major demographic comes to mind. I can certainly be missing something though.

Justin

From justin at justinshore.com Mon Feb 9 14:30:16 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 09 Feb 2009 13:30:16 -0600
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To:
References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com>
Message-ID: <49908448.6080300@justinshore.com>

Church, Charles wrote:
> Interesting. Might be fun (in a dorky networking kind of way) to look
> at a packet capture of it. Maybe the client doesn't like the lease
> time, or it's tied into DDNS somehow. I looked a bit, and found in the
> RFC (http://www.faqs.org/rfcs/rfc2131.html) a blurb about lease times:
>
> "The client may ask for a
> permanent assignment by asking for an infinite lease. Even when
> assigning "permanent" addresses, a server may choose to give out
> lengthy but non-infinite leases to allow detection of the fact that
> the client has been retired."
>
> I've seen those infinite leases before, never cared enough to look into
> it. Might be interesting to find out why though...

One thing on my to do list is to figure out how to always reject lease extension requests to force the CPE to pull a new IP every time a lease expires. This would prevent many of the less technical users from trying to run a publicly-accessible server.
Set the lease time to 2 hours, client tries to extend the lease at 50% of the lease (1hr) and the server NAKs. The only question is will the client continue to request the IP until the lease expires before falling back and do a DISCOVER at the 2hr mark (interrupting the flow of traffic) or will it do a bcast DISCOVER in response to the NAK and immediately switch to the new IP once it gets an OFFER 1hr before the original lease expires, thus interrupting traffic again.

I've seen systems do something similar before (or at least I thought they were). When I first got Cox CATV I could only keep my IP for about a day before it changed. One way to mitigate the flow of traffic problem would be to grant short lease extensions automatically until the wee hours of the morning and then force the change. Something to think about.

It's on my list right behind setting up an OSS walled garden and convincing the boss to replace our 7 different DHCP & provisioning systems with CNR. Oh, and finishing my IPv6 deployment.

Thanks for the info
Justin

From panocisco77 at gmail.com Mon Feb 9 14:49:55 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Mon, 9 Feb 2009 14:49:55 -0500
Subject: [c-nsp] Hello
Message-ID: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com>

Hello everyone

From A.L.M.Buxey at lboro.ac.uk Mon Feb 9 15:01:58 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 9 Feb 2009 20:01:58 +0000
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49908448.6080300@justinshore.com>
References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> <49908448.6080300@justinshore.com>
Message-ID: <20090209200158.GB7043@lboro.ac.uk>

Hi,

> expires. This would prevent many of the less technical users from
> trying to run a publicly-accessible server. Set the lease time to 2

default TCP inbound deny works wonders for this.
Or, even crueller, NAT

> I've seen systems do something similar before (or at least I thought
> they were). When I first got Cox CATV I could only keep my IP for about
> a day before it changed. One way to mitigate the flow of traffic
> problem would be to grant short lease extensions automatically until the
> wee hours of the morning and then force the change. Something to think
> about.

you can flush/destroy the DHCP binding table - it'll have the same effect (good fun - all those PCs set to print to the IP address that the printer got when it was installed then have to be reconfigured etc)

> systems with CNR. Oh, and finishing my IPv6 deployment.

DHCPv6 or router solicited?

alan

From jfitz at Princeton.EDU Mon Feb 9 16:01:12 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Mon, 9 Feb 2009 16:01:12 -0500
Subject: [c-nsp] VRF and BGP ?
Message-ID: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu>

I am running 12.2.SXI on a 6500 with sup-720

I currently have 3 full BGP peers with two on I1 and one on I2.

I now need a fourth peer with ESNet (gov ISP) but only allow two /22 net from Princeton U. access to ESNet.

My dilemma is how to only let the two nets see the additional ESNet routes so that no other host on campus will try and use the ESNET routes and fail.

I have not used the VRF feature yet, but it appears that it might do the trick if I can create a separate routing domain with just ESNet routes, and then point only the two nets to the VRF so they check the ESNet table first and if not present fall thru to the global table. I should be able to use a ROUTE-MAP to accomplish this.

From the doc it states that I can create a VRF and import routes from the global table but that means everybody will still see the routes to ESNet ( I would guess anyway).

Can I peer directly with the VRF without doing an import from the global table so only it has the ESNet routes?

Does anybody have any suggestions on this issue?

Thanks for any help.
Jeff Fitzwater
OIT Network Systems
Princeton University

From jaldrich at blueridgecarpet.com Mon Feb 9 16:36:42 2009
From: jaldrich at blueridgecarpet.com (John Aldrich)
Date: Mon, 9 Feb 2009 16:36:42 -0500
Subject: [c-nsp] Cannot connect to ASA using ASDM software
Message-ID: <000001c98afe$7f9cab70$7ed60250$@com>

For some reason, our new ASA 5510 series will ONLY let me connect via the web interface. Every time I try it says it is "unable to read the configuration from the ASA." However, running the Java version works just fine. I'd really like to know what the problem is and why it can't load the config? Do I need to be connected via serial cable to the ASA or something?

Thanks,
John Aldrich
IT Manager, Blueridge Carpet
706-276-2001, Ext. 2233

From manafo at hotmail.com Mon Feb 9 16:40:35 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Mon, 9 Feb 2009 23:40:35 +0200
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <20090209200158.GB7043@lboro.ac.uk>
References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> <49908448.6080300@justinshore.com> <20090209200158.GB7043@lboro.ac.uk>
Message-ID:

hi all,

thank you for your help.
It seems that all those hosts with infinite expiration time are devices that do not have "client identifier" such as D-Link, Cisco Linksys routers or Unix systems. does it make sense?

Manaf

--------------------------------------------------
From:
Sent: Monday, February 09, 2009 10:01 PM
To: "Justin Shore"
Cc: ; "Church, Charles"
Subject: Re: [c-nsp] DHCP Binding Expiration

> Hi,
>
>> expires. This would prevent many of the less technical users from
>> trying to run a publicly-accessible server. Set the lease time to 2
>
> default TCP inbound deny works wonders for this. Or, even crueller, NAT
>
>> I've seen systems do something similar before (or at least I thought
>> they were). When I first got Cox CATV I could only keep my IP for about
>> a day before it changed.
>> One way to mitigate the flow of traffic
>> problem would be to grant short lease extensions automatically until the
>> wee hours of the morning and then force the change. Something to think
>> about.
>
> you can flush/destroy the DHCP binding table - it'll have the same effect
> (good fun - all those PCs set to print to the IP address that the
> printer got when it was installed then have to be reconfigured etc)
>
>> systems with CNR. Oh, and finishing my IPv6 deployment.
>
> DHCPv6 or router solicited?
>
> alan

From cchurc05 at harris.com Mon Feb 9 16:54:23 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 9 Feb 2009 15:54:23 -0600
Subject: [c-nsp] Cannot connect to ASA using ASDM software
In-Reply-To: <000001c98afe$7f9cab70$7ed60250$@com>
References: <000001c98afe$7f9cab70$7ed60250$@com>
Message-ID:

I'm guessing you've upgraded to the latest Java version. Seems like the last one broke the ASDM partially. You can https to the ASA, and then pick the 'run applet' option. On mine, that'll spawn the ASDM executable and it works. But running the executable directly ends up doing what you're seeing. It's annoying.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Aldrich
Sent: Monday, February 09, 2009 4:37 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cannot connect to ASA using ASDM software

For some reason, our new ASA 5510 series will ONLY let me connect via the web interface. Every time I try it says it is "unable to read the configuration from the ASA." However, running the Java version works just fine. I'd really like to know what the problem is and why it can't load the config?
Do I need to be connected via serial cable to the ASA or something?

Thanks,
John Aldrich
IT Manager, Blueridge Carpet
706-276-2001, Ext. 2233

From rubensk at gmail.com Mon Feb 9 17:06:23 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Mon, 9 Feb 2009 20:06:23 -0200
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To:
References:
Message-ID: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com>

Why not a free (not open, but no cost) tool with commercial support?
http://inventory.alterpoint.com/

BTW, what are people's opinions comparing RANCID to Network Authority Inventory (formerly known as ZipTie) in the configuration management discipline?

Rubens

On Thu, Feb 5, 2009 at 7:57 PM, Joe Loiacono wrote:
> I realize RANCID is a great tool for keeping track of IOS changes, etc.,
> but if a client was looking for a commercial tool that does this, what
> would you recommend?
>
> Thanks,
>
> Joe Loiacono

From bms314 at gmail.com Mon Feb 9 17:22:44 2009
From: bms314 at gmail.com (Brian)
Date: Mon, 9 Feb 2009 16:22:44 -0600
Subject: [c-nsp] Cannot connect to ASA using ASDM software
In-Reply-To:
References: <000001c98afe$7f9cab70$7ed60250$@com>
Message-ID: <7aaaf7f0902091422j7e3a9392ya450f908238e4b0a@mail.gmail.com>

You need to upgrade to the latest interim release of ASDM 6.1.5(57) to fix the Java issue with JRE6update11.

Brian

On 2/9/09, Church, Charles wrote:
> I'm guessing you've upgraded to the latest Java version. Seems like the
> last one broke the ASDM partially.
> You can https to the ASA, and then
> pick the 'run applet' option. On mine, that'll spawn the ASDM
> executable and it works. But running the executable directly ends up
> doing what you're seeing. It's annoying.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Aldrich
> Sent: Monday, February 09, 2009 4:37 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cannot connect to ASA using ASDM software
>
>
> For some reason, our new ASA 5510 series will ONLY let me connect via the
> web interface. Every time I try it says it is "unable to read the
> configuration from the ASA." However, running the Java version works just
> fine. I'd really like to know what the problem is and why it can't load the
> config? Do I need to be connected via serial cable to the ASA or
> something?
>
> Thanks,
> John Aldrich
> IT Manager,
> Blueridge Carpet
> 706-276-2001, Ext. 2233
>

From A.L.M.Buxey at lboro.ac.uk Mon Feb 9 17:23:29 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 9 Feb 2009 22:23:29 +0000
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com>
References: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com>
Message-ID: <20090209222329.GA7319@lboro.ac.uk>

Hi,

> BTW, what are people's opinions comparing RANCID to Network Authority
> Inventory (formerly known as ZipTie) in the configuration management
> discipline ?

ooh.
well, i've only used RANCID to store the configs in nice CVS control - whereas ZipTie's main claim is the pushing of configs and updating of IOS firmware via a webby interface, non?

alan

From hnyhus at gmail.com Mon Feb 9 17:31:31 2009
From: hnyhus at gmail.com (Håvard Nyhus)
Date: Mon, 9 Feb 2009 23:31:31 +0100
Subject: [c-nsp] Need help adding a device to an existing vlan
In-Reply-To: <498C4DC2.9E6F.00B8.0@dps.k12.oh.us>
References: <498C4DC2.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <6bc4a240902091431k4315c3bfv98f4eed20a382a67@mail.gmail.com>

> interface FastEthernet0/38
>  description to 1230 WAP
>  switchport access vlan 199
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  no ip address
>  no snmp trap link-status
>  storm-control broadcast level 1.00
>  storm-control multicast level 2.00
>  storm-control unicast level 5.00
> end

This won't work. Try the following:

 switchport mode access
 no switchport trunk encap dot1q

--
Håvard Staub Nyhus
Atea AS
+47 41 88 00 99

From cchurc05 at harris.com Mon Feb 9 17:30:19 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 9 Feb 2009 16:30:19 -0600
Subject: [c-nsp] Cannot connect to ASA using ASDM software
In-Reply-To: <7aaaf7f0902091422j7e3a9392ya450f908238e4b0a@mail.gmail.com>
References: <000001c98afe$7f9cab70$7ed60250$@com> <7aaaf7f0902091422j7e3a9392ya450f908238e4b0a@mail.gmail.com>
Message-ID:

I'm still using 5.2.x ASDM, as the ASA is running 7.2.x still (both late interim releases). Hoping for a newer ASDM soon. 5.2(4)50 still is broken.

Chuck

-----Original Message-----
From: Brian [mailto:bms314 at gmail.com]
Sent: Monday, February 09, 2009 5:23 PM
To: Church, Charles; John Aldrich; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cannot connect to ASA using ASDM software

You need to upgrade to the latest interim release of ASDM 6.1.5(57) to fix the Java issue with JRE6update11.

Brian

On 2/9/09, Church, Charles wrote:
> I'm guessing you've upgraded to the latest Java version.
> Seems like the
> last one broke the ASDM partially. You can https to the ASA, and then
> pick the 'run applet' option. On mine, that'll spawn the ASDM
> executable and it works. But running the executable directly ends up
> doing what you're seeing. It's annoying.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Aldrich
> Sent: Monday, February 09, 2009 4:37 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cannot connect to ASA using ASDM software
>
>
> For some reason, our new ASA 5510 series will ONLY let me connect via the
> web interface. Every time I try it says it is "unable to read the
> configuration from the ASA." However, running the Java version works just
> fine. I'd really like to know what the problem is and why it can't load the
> config? Do I need to be connected via serial cable to the ASA or
> something?
>
> Thanks,
> John Aldrich
> IT Manager,
> Blueridge Carpet
> 706-276-2001, Ext. 2233
>

From walter.keen at RainierConnect.net Mon Feb 9 17:44:52 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Mon, 09 Feb 2009 14:44:52 -0800
Subject: [c-nsp] VRF and BGP ?
In-Reply-To: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu>
References: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu>
Message-ID: <4990B1E4.9040902@rainierconnect.net>

I use VRF's quite a bit on 7600 and other platforms with internal OSPF neighbors.
So long as the interfaces you are connecting with (dot1q vlan's in my case most of the time) are associated with that vrf, you should be able to do so, although, I've never tried to leak routes from the global routing table into a VRF, or use BGP (in OSPF there is a vrf tag you must use if I remember correctly). Using VRF's will give you a separate routing table isolated from your global routing table however.

I'm not an expert on this subject so if anyone has corrections, please chime in.

Jeff Fitzwater wrote:
> I am running 12.2.SXI on a 6500 with sup-720
>
>
> I currently have 3 full BGP peers with two on I1 and one on I2.
>
> I now need a fourth peer with ESNet (gov ISP) but only allow two /22
> net from Princeton U. access to ESNet.
>
> My dilemma is how to only let the two nets see the additional ESNet
> routes so that no other host on campus will try and use the ESNET
> routes and fail.
>
> I have not used the VRF feature yet, but it appears that it might do
> the trick if I can create a separate routing domain with just ESNet
> routes, and then point only the two nets to the VRF so they check the
> ESNet table first and if not present fall thru to the global table.
> I should be able to use a ROUTE-MAP to accomplish this.
>
> From the doc it states that I can create a VRF and import routes from
> the global table but that means everybody will still see the routes to
> ESNet ( I would guess anyway).
>
> Can I peer directly with the VRF without doing an import from the
> global table so only it has the ESNet routes?
>
> Does anybody have any suggestions on this issue?
>
>
> Thanks for any help.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

From justin at justinshore.com Mon Feb 9 18:11:17 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 09 Feb 2009 17:11:17 -0600
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To:
References: <49906CFE.7040407@justinshore.com><49907FAE.4050006@justinshore.com><49908448.6080300@justinshore.com> <20090209200158.GB7043@lboro.ac.uk>
Message-ID: <4990B815.1000509@justinshore.com>

Manaf Al Oqlah wrote:
> hi all,
>
> thank you for your help.
> It seems that all those hosts with infinite expiration time are devices that do not have "client identifier" such as D-Link, Cisco Linksys routers or Unix systems. does it make sense?

I don't think that's the cause of the problem. We have several hundreds if not thousands of Linksys and D-Link CPEs on our assorted last-mile access mediums and only a few dozen infinite leases. I'd expect far more infinite leases if a blank client ID was the cause.

Justin

From lukasz at bromirski.net Mon Feb 9 18:14:52 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 10 Feb 2009 00:14:52 +0100
Subject: [c-nsp] Cisco 4900M and QinQ
In-Reply-To: <20090209124547.GA16723@danton.fire-world.de>
References: <20090209124547.GA16723@danton.fire-world.de>
Message-ID: <4990B8EC.8000403@bromirski.net>

On 2009-02-09 13:45, Sebastian Wiesinger wrote:
> Hi,
>
> has anyone a working QinQ tunnel on a Cisco 4900M? I tried it in the lab with 12.2(50)SG Enterprise Services SSH and it didn't work.

QinQ on 4900M and Sup-6E will be supported on 12.2(52)SG.
Currently it isn't:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_15594.html#wp363642

--
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From bitkraft at gmail.com Mon Feb 9 18:50:14 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Mon, 9 Feb 2009 15:50:14 -0800
Subject: [c-nsp] core OSPF configurations
In-Reply-To: <498860CA.90707@templin.org>
References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> <498860CA.90707@templin.org>
Message-ID: <505b616c0902091550l51674b46je8d870a429e13f6a@mail.gmail.com>

Thanks Pete & Pete for your insight. :-) I was hoping to get more feedback from engineers, but this definitely helps.

/bs

On Tue, Feb 3, 2009 at 7:20 AM, Pete Templin wrote:
> Brian Spade wrote:
>> What is the best way to configure OSPF to inject all 50+ SVIs into the routing domain?
>>
>> Would you configure network statements for all SVI networks and passive the interfaces?
>> Would you configure OSPF on the uplink interfaces only and redistributed connected to create type-5 externals?
>
> If it were me, the SVIs would be announced into BGP, so that my OSPF world stayed small and clean.
>
> That said, remember that the network statement(s) only have to match, through wildcard math, the _IP addresses_ of the interfaces to be included in OSPF. If you run a single area, 'network 0.0.0.0 255.255.255.255 area 0' is all you need. Flipside, if you want to lock down OSPF to the point that shifting an interface within a subnet causes OSPF to drop so you can catch the culprit in the act, 'network 10.20.30.254 0.0.0.0 area 0' matches exactly that one address (but the interface's correct netmask is used when inserting the route into OSPF).
>
> pt

From agristina+cisco-nsp at gmail.com Mon Feb 9 19:00:23 2009
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Mon, 9 Feb 2009 16:00:23 -0800
Subject: [c-nsp] Rancid and commercial config management tools
In-Reply-To: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com>
References: <6bb5f5b10902091406n44016486o897ebf8d534c7d32@mail.gmail.com>
Message-ID: <70bb1b8f0902091600p5d928c77s8aa1dfd400030367@mail.gmail.com>

Free as in beer isn't as valuable as Free as in speech.

On Mon, Feb 9, 2009 at 2:06 PM, Rubens Kuhl wrote:
> Why not a free (not open, but no cost) tool with commercial support?
> http://inventory.alterpoint.com/
>
> BTW, what are people's opinions comparing RANCID to Network Authority Inventory (formerly known as ZipTie) in the configuration management discipline?
>
> Rubens
>
> On Thu, Feb 5, 2009 at 7:57 PM, Joe Loiacono wrote:
>> I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
>>
>> Thanks,
>>
>> Joe Loiacono

From lowen at pari.edu Mon Feb 9 20:22:14 2009
From: lowen at pari.edu (Lamar Owen)
Date: Mon, 9 Feb 2009 20:22:14 -0500
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49906CFE.7040407@justinshore.com>
References:
Message-ID: <200902092022.14601.lowen@pari.edu>

On Monday 09 February 2009 12:50:54 Justin Shore wrote:
> Manaf Al Oqlah wrote:
>> The problem is that I still can see some clients IP addresses lease expiration are Infinite in the DHCP binding! what could be the reason for this behavior and could be this some sort of attack!!
>
> I get them too. I never have figured out what causes them. So far it hasn't been a big deal for me.

BOOTP. BOOTP clients can bring any DHCP server to its knees, especially if the BOOTP client is badly coded. For instance, I run a Smoothwall Advanced Firewall here in a testing mode (I'm tech support for the local reseller), and I started noticing all of the sudden that ALL of the leases were taken, and most were clients with an UNKNOWN expiry. I looked closely, and the MAC addresses were sequential, and there were right at 100 of them. Tracked it down to, believe it or not, a Catalyst 8540MSR switch, which was requesting via BOOTP for every single one of its MACs.
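A check for the two patterns this thread describes, Infinite leases from clients that sent no client-identifier and a block of sequential MACs grabbing leases, as an added example that is not code from any poster: it parses constructed lines laid out like IOS "show ip dhcp binding" output; the sample addresses and MACs are made up.

```python
import re

# Constructed sample in the column layout of IOS "show ip dhcp binding";
# not a capture from any poster's network.
SAMPLE_BINDINGS = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.1.1.2            0100.1122.3344.55       Feb 10 2009 02:00 PM    Automatic
10.1.1.3            0100.1122.3344.56       Feb 10 2009 02:05 PM    Automatic
10.1.1.10           0001.6400.0a10          Infinite                Automatic
10.1.1.11           0001.6400.0a11          Infinite                Automatic
10.1.1.12           0001.6400.0a12          Infinite                Automatic
10.1.1.13           0001.6400.0a13          Infinite                Automatic
10.1.1.50           00aa.bbcc.dd01          Infinite                Automatic
10.1.1.60           01aa.bbcc.dd02.03       Infinite                Automatic
10.1.1.70           0100.1122.3344.99       Feb 11 2009 09:00 AM    Manual
"""

# One binding row: IP, client-id or hardware address, expiration text, type.
BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<cid>[0-9a-fA-F.]+)\s+"
    r"(?P<exp>.+?)\s+"
    r"(?P<type>Automatic|Manual)\s*$"
)


def parse_bindings(text):
    """Return one dict per binding row; header and continuation lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def hardware_mac(cid):
    """Split the Client-ID column into (mac_as_int, had_client_identifier).

    A 7-byte value is DHCP option 61 as IOS stores it: hardware type 01 plus
    the MAC. A bare 6-byte value means the client sent no client-identifier,
    which is what a BOOTP client or a CPE without option 61 looks like here.
    """
    hexstr = cid.replace(".", "").lower()
    if len(hexstr) == 14 and hexstr.startswith("01"):
        return int(hexstr[2:], 16), True
    if len(hexstr) == 12:
        return int(hexstr, 16), False
    return None, False


def fmt_mac(n):
    h = f"{n:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def find_sequential_runs(macs, min_len=3):
    """Group MACs into runs of consecutive addresses (n, n+1, n+2, ...)."""
    runs, cur = [], []
    for mac in sorted(set(macs)):
        if cur and mac == cur[-1] + 1:
            cur.append(mac)
        else:
            if len(cur) >= min_len:
                runs.append(cur)
            cur = [mac]
    if len(cur) >= min_len:
        runs.append(cur)
    return runs


def audit_bindings(text, min_run=3):
    """Summarise Infinite leases and flag runs of sequential MACs among them."""
    rows = parse_bindings(text)
    infinite = [r for r in rows if r["exp"].strip().lower() == "infinite"]
    parsed = [hardware_mac(r["cid"]) for r in infinite]
    no_cid = sum(1 for _, had_cid in parsed if not had_cid)
    macs = [mac for mac, _ in parsed if mac is not None]
    runs = find_sequential_runs(macs, min_run)
    return {
        "total": len(rows),
        "infinite": len(infinite),
        "infinite_without_client_id": no_cid,
        "sequential_runs": [[fmt_mac(m) for m in run] for run in runs],
    }


if __name__ == "__main__":
    report = audit_bindings(SAMPLE_BINDINGS)
    print(f"{report['infinite']} of {report['total']} bindings are Infinite, "
          f"{report['infinite_without_client_id']} of those without a client-id")
    for run in report["sequential_runs"]:
        print(f"sequential block of {len(run)} MACs: {run[0]} .. {run[-1]}")
```

A run of consecutive MACs holding Infinite leases is the signature Lamar describes; feed it the real command output and the report points at the block of addresses to chase.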
From dale.shaw+cisco-nsp at gmail.com Mon Feb 9 20:31:50 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 10 Feb 2009 12:31:50 +1100
Subject: [c-nsp] core OSPF configurations
In-Reply-To: <505b616c0902091550l51674b46je8d870a429e13f6a@mail.gmail.com>
References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> <498860CA.90707@templin.org> <505b616c0902091550l51674b46je8d870a429e13f6a@mail.gmail.com>
Message-ID: <3329cbb40902091731icbb7bc3i8eb71d5c352825e1@mail.gmail.com>

Hi,

On Tue, Feb 10, 2009 at 10:50 AM, Brian Spade wrote:
>
> Thanks Pete & Pete for your insight. :-)
>
> I was hoping to get more feedback from engineers, but this definitely helps.

Strange comment. Anyway, if it was me, I'd:

router ospf
 passive-interface default
 no passive-interface uplink1
 ...
 no passive-interface uplink4
!
interface VlanA
 ip ospf area
...
interface VlanZ
 ip ospf area

I like the "ip ospf area" interface command better than network statements. It's a personal preference as the end result is the same. Irrespective of the method you choose, it's easy to get a quick summary of what interface is in what area with "show ip ospf interface brief"

One potential benefit of redistributing them is that you'd be able to summarise all the SVIs into that one area you mentioned. Another is that in the process of redistributing you could do some route-map voodoo to make "different stuff" happen. I guess whether you turn this core router into an ASBR depends on your current network design (e.g. area design, # of routes, OSPF router load) and where you see it going in the future. If it's just "how would you inject these routes into OSPF?", see above.
cheers,
Dale

From frnkblk at iname.com Mon Feb 9 21:49:10 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Mon, 9 Feb 2009 20:49:10 -0600
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49908448.6080300@justinshore.com>
References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> <49908448.6080300@justinshore.com>
Message-ID:

The ability to provide a new/different IP every time has been oft-discussed on ISC's dhcp-user listserv. IIRC, it contradicts the spec. You would have to customize the code to have that functionality, or, as someone said, play with the leases file.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Monday, February 09, 2009 1:30 PM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DHCP Binding Expiration

One thing on my to do list is to figure out how to always reject lease extension requests to force the CPE to pull a new IP every time a lease expires. This would prevent many of the less technical users from trying to run a publicly-accessible server. Set the lease time to 2 hours, client tries to extend the lease at 50% of the lease (1hr) and the server NAKs. The only question is will the client continue to request the IP until the lease expires before falling back and do a DISCOVER at the 2hr mark (interrupting the flow of traffic) or will it do a bcast DISCOVER in response to the NAK and immediately switch to the new IP once it gets an OFFER 1hr before the original lease expires, thus interrupting traffic again. I've seen systems do something similar before (or at least I thought they were). When I first got Cox CATV I could only keep my IP for about a day before it changed. One way to mitigate the flow of traffic problem would be to grant short lease extensions automatically until the wee hours of the morning and then force the change. Something to think about.
It's on my list right behind setting up an OSS walled garden and convincing the boss to replace our 7 different DHCP & provisioning systems with CNR. Oh, and finishing my IPv6 deployment.

Thanks for the info
Justin

From dale.shaw+cisco-nsp at gmail.com Mon Feb 9 21:57:58 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 10 Feb 2009 13:57:58 +1100
Subject: [c-nsp] core OSPF configurations
In-Reply-To: <3329cbb40902091731icbb7bc3i8eb71d5c352825e1@mail.gmail.com>
References: <505b616c0902021955n41212a3eub411f9942bbaea65@mail.gmail.com> <498860CA.90707@templin.org> <505b616c0902091550l51674b46je8d870a429e13f6a@mail.gmail.com> <3329cbb40902091731icbb7bc3i8eb71d5c352825e1@mail.gmail.com>
Message-ID: <3329cbb40902091857sd8b14a1yfb85ca1040629504@mail.gmail.com>

Poor form, I know, to follow up on my own post, but:

On Tue, Feb 10, 2009 at 12:31 PM, Dale Shaw wrote:
> One potential benefit of redistributing them is that you'd be able to summarise all the SVIs into that one area you mentioned.

You can obviously also do this just by placing the SVIs in a different area. This would result in them being advertised into the backbone area as type-3s. You can filter, summarise, make the area a stub, and so on. Again it all comes down to what you are trying to achieve.

cheers,
Dale

From jason at chatinara.com Mon Feb 9 22:32:24 2009
From: jason at chatinara.com (Jason Ford)
Date: Mon, 09 Feb 2009 22:32:24 -0500
Subject: [c-nsp] Two BGP Routers and EIGRP
Message-ID: <4990F548.8010908@chatinara.com>

Hey all, I am seeing an issue with routes dropping in our configuration and wanted to do a sanity check. We have two sup2/msfc2 w/ 512MB (router A and B) each connected to a distinct BGP peer.
We are running eigrp on these routers as well to redistribute static and connected routes to two other routers (router C and D) in our network. Currently I have a default static route configured on router B to point to the BGP peer's uplink. This in turn injects a default route into eigrp which router A/C/D pick up. This is my question, is there a better way to set this up? We do not want to push all BGP routes to router C and D because they do not need all of the routes simply only a default route that is dynamic if router D dies. Second part is, we see inbound routes getting dropped and causing bouncing routes but it is only a select few. Traffic from peer comes to router D and then router D sends it back to peer then peer sends it back to router D etc etc. Is this due to the way I have the network set up above? If I hard reset the BGP session, the problem goes away for ~3 weeks. Is this a limitation of sup2's with BGP now that we are over 256k routes? Any suggestions are more than welcomed!

jason

From ccie15385 at gmail.com Tue Feb 10 01:29:45 2009
From: ccie15385 at gmail.com (JH Cockburn)
Date: Tue, 10 Feb 2009 08:29:45 +0200
Subject: [c-nsp] VRF and BGP ?
In-Reply-To: <4990B1E4.9040902@rainierconnect.net>
References: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu> <4990B1E4.9040902@rainierconnect.net>
Message-ID: <000601c98b48$fbf407f0$f3dc17d0$@com>

Hi All,

We had a similar situation where we had to create an "internet" vrf and "leak/connect" that to the global routing table. So we had a couple of interfaces belonging to the internet vrf of which one connected back to the same device on an interface in the global network. We had ospf as IGP to exchange infrastructure/loopback addresses and BGP for Internet addresses. The problem was that OSPF did come up at first, so the problem on the 6500's/7600's is that they use the same MAC address for all L3 interfaces.
Change the one side's MAC to a MAC of your choice and up comes OSPF and after that BGP can do its thing. So when we implemented this on our GSRs/7206's it still didn't work... So after a bit of ol' debugging I came to the conclusion that the following happens: The router (either VRF or global) wants to connect to the (OSPF) neighbor, needs to do an arp for the address but then sees it already has an attached interface with that IP/MAC pair so it never sends the arp and goes into a loop of sorts. (Maybe some real propeller head can give the real reasons..) So the OSPF never comes up. I added static arp entries (see below) and jippeee, OSPF comes up etc...

-----
arp 10.241.0.66 001f.26e0.d419 ARPA
arp vrf internet 10.241.0.65 001f.26e0.d41a ARPA
-----

I hope this helps and gives you some idea what to look for when you need this..

Cheers
JC

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
Sent: Tuesday, February 10, 2009 12:45 AM
To: Jeff Fitzwater
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRF and BGP ?

I use VRF's quite a bit on 7600 and other platforms with internal OSPF neighbors. So long as the interfaces you are connecting with (dot1q vlan's in my case most of the time) are associated with that vrf, you should be able to do so, although, I've never tried to leak routes from the global routing table into a VRF, or use BGP (in OSPF there is a vrf tag you must use if I remember correctly). Using VRF's will give you a separate routing table isolated from your global routing table however. I'm not an expert on this subject so if anyone has corrections, please chime in.

Jeff Fitzwater wrote:
> I am running 12.2.SXI on a 6500 with sup-720
>
> I currently have 3 full BGP peers with two on I1 and one on I2.
>
> I now need a fourth peer with ESNet (gov ISP) but only allow two /22 net from Princeton U. access to ESNet.
>
> My dilemma is how to only let the two nets see the additional ESNet routes so that no other host on campus will try and use the ESNET routes and fail.
>
> I have not used the VRF feature yet, but it appears that it might do the trick if I can create a separate routing domain with just ESNet routes, and then point only the two nets to the VRF so they check the ESNet table first and if not present fall thru to the global table. I should be able to use a ROUTE-MAP to accomplish this.
>
> From the doc it states that I can create a VRF and import routes from the global table but that means everybody will still see the routes to ESNet ( I would guess anyway).
>
> Can I peer directly with the VRF without doing an import from the global table so only it has the ESNet routes?
>
> Does anybody have any suggestions on this issue?
>
> Thanks for any help.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

From eng_mssk at hotmail.com Tue Feb 10 01:38:53 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 10 Feb 2009 08:38:53 +0200
Subject: [c-nsp] Hello
In-Reply-To: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com>
References: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com>
Message-ID:

hello dude :)

> Date: Mon, 9 Feb 2009 14:49:55 -0500
> From: panocisco77 at gmail.com
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Hello
>
> Hello every one

From dale.shaw+cisco-nsp at gmail.com Tue Feb 10 01:49:01 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 10 Feb 2009 17:49:01 +1100
Subject: [c-nsp] Hello
In-Reply-To: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com>
References: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com>
Message-ID: <3329cbb40902092249w6e227dd5rda4543601db2d1fd@mail.gmail.com>

On Tue, Feb 10, 2009 at 6:49 AM, Renelson Panosky wrote:
> Hello every one

*insert terrible routing protocol adjacency "dad joke" here*

:-)

cheers,
Dale

From cisco-nsp at tracker.fire-world.de Tue Feb 10 04:33:44 2009
From: cisco-nsp at tracker.fire-world.de (Sebastian Wiesinger)
Date: Tue, 10 Feb 2009 10:33:44 +0100
Subject: [c-nsp] Cisco 4900M and QinQ
In-Reply-To: <4990B8EC.8000403@bromirski.net>
References: <20090209124547.GA16723@danton.fire-world.de> <4990B8EC.8000403@bromirski.net>
Message-ID: <20090210093344.GA29512@danton.fire-world.de>

* Łukasz Bromirski [2009-02-10 00:16]:
> On 2009-02-09 13:45, Sebastian Wiesinger wrote:
>> Hi,
>>
>> has anyone a working QinQ tunnel on a Cisco 4900M? I tried it in the lab with 12.2(50)SG Enterprise Services SSH and it didn't work.
>
> QinQ on 4900M and Sup-6E will be supported on 12.2(52)SG.
>
> Currently it isn't:
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_15594.html#wp363642

These release notes are somewhat vague. There is nowhere mentioned that QinQ is not supported, just that layer 2 protocol tunneling isn't. Or am I overlooking something? It's nice that you can configure QinQ even if it isn't working... :( Well I'll have to wait for 52SG then.. thanks for the explanation.
Regards,
Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From rocker.rockerfeller at gmail.com Tue Feb 10 07:10:45 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 10 Feb 2009 15:10:45 +0300
Subject: [c-nsp] Annoying POPups
Message-ID: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com>

Hi, I have a group of ips on my network a /24 that when browsing are getting an annoying popup across the browser. This strange behaviour started last week when the same block could not access any http site. Later the problem resolved itself so I thought till today. Now the block can browse but the annoying pop up pops every time the page is refreshed and browsing is annoying. Any advice or assistance on how I can trace the loophole on my network and rectify will be much appreciated.

Rocker.

From A.L.M.Buxey at lboro.ac.uk Tue Feb 10 07:40:19 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 10 Feb 2009 12:40:19 +0000
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <48D7B275.50700@imperial.ac.uk>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk>
Message-ID: <20090210124019.GA8143@lboro.ac.uk>

hi,

okay - after fruitful time on the test/devel router and then a prolonged period on 2 select routers, we're now SXI across the board.... which has finally thrown up an error (of sorts!) hurrah! :-) having exhausted my usual supply of cisco and google (and c-nsp ;-) ) searches I thought I'd throw this one to the list before visiting my TAC friends for the 3rd time this week.
note: so far we only observe this error on systems with 2 Sup720's in SSO redundancy mode

this is what's being logged:

Feb 10 12:26:38: SP: Critical error processing oif ltl index change event (0100.5b00.073c, XXX, 0xB8B)
Feb 10 12:30:32: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
Feb 10 12:30:32: SP: Critical error processing oif ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
Feb 10 12:30:48: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
Feb 10 12:30:48: SP: Critical error processing oif ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
Feb 10 12:31:54: SP: Critical error processing rpf ltl index change event (0100.5b07.0076, XXX, 0xBBF)

hmm. very nice. XXX represents a VLAN number. I've done simple obfuscation of the MAC and this info just because of policy - however, those MACs *do* start with 0100 which is multicast L2 ....so currently I've got a feeling that this is a problem with TTL=1 (and being dropped - eg ghost or rubbish multicast app) and its hitting the RPF MLS - what say you all?

alan

From mvanton at gmail.com Tue Feb 10 08:05:54 2009
From: mvanton at gmail.com (vince anton)
Date: Tue, 10 Feb 2009 14:05:54 +0100
Subject: [c-nsp] changes in 7600 with DFC3BXL
Message-ID: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com>

hey all,

Quick question for you, hope you can help me.

I'm working on installing the DFCs in existing 67xx cards in our 7600s:

7606 w/SUP720-3BXL
2 x 6748-GE-TX
1 x 6704

I'm aware there are some differences in how the box reacts when a DFC is installed (the PFC will no longer need to make all the decisions, etc...). In particular this seems to change the behaviour for qos policers as well as L2 etherchannels. I'm using both of these, but I can't seem to find any definite documentation on CCO explaining the exact changes and perhaps any recommendations.
Of course I need to know how the box will behave in order to plan for this as part of the DFC upgrade, and so far all I found was an FAQ at http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml which doesn't give so much detail, and a few items in the archives of the list which touched the surface but didn't dig deep.

would appreciate if anyone can share any detailed info as to how qos and etherchannel behaviour changes in PFC vs DFCX3BXL

thanks,

anton

From maillist at webjogger.net Tue Feb 10 08:53:14 2009
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 10 Feb 2009 08:53:14 -0500
Subject: [c-nsp] Hello
References: <16e2ac180902091149v691b19del4255433093a39155@mail.gmail.com> <3329cbb40902092249w6e227dd5rda4543601db2d1fd@mail.gmail.com>
Message-ID: <687F25C7A2714E929A0860D03408EE60@GINKGO>

Dang, you beat me to it!

----- Original Message -----
From: "Dale Shaw"
To:
Sent: Tuesday, February 10, 2009 1:49 AM
Subject: Re: [c-nsp] Hello

> On Tue, Feb 10, 2009 at 6:49 AM, Renelson Panosky wrote:
>> Hello every one
>
> *insert terrible routing protocol adjacency "dad joke" here*
>
> :-)
>
> cheers,
> Dale

From Marcus.Gerdon at versatel.de Tue Feb 10 08:51:44 2009
From: Marcus.Gerdon at versatel.de (Marcus.Gerdon)
Date: Tue, 10 Feb 2009 14:51:44 +0100
Subject: [c-nsp] Q-in-Q termination on 6500/7600
Message-ID: <227142482560EF458FF1F7E784E26AB82C3129@FLBVEXCH01.versatel.local>

Hi @all,

I'm looking for information regarding termination of Q-in-Q on 6500 and/or 7600 boxes. We only need plain termination on subinterfaces with IP (somewhere on Cisco called 'IPoQinQ') configured on; no EoMPLS, PPPoE or alike.
As usual Cisco's really annoying as no useful clear information is to be found, and as usual Feature Navigator seems to be missing working configurations (i.e. told me no Q-in-Q on 7200...).

All I could find out rather trustworthy is:

- ES20 and SIP for Local Vlan Significance
- ES20 supports Q-in-Q termination, a lot of tag rewrite functions etc.
- 12.2SR supports Q-in-Q termination (working on 7200)

I only need IP on a subinterface and have no need for all that fancy stuff the ES20 provide (and has to be paid for).

So the question is:

Can someone definitely confirm or reject due to tests or production setup whether Q-in-Q termination on a normal 67xx module (DFC installed) can be configured (encaps dot1q * second *) and by using which IOS ?

6500's running SXI and 7600's running SRx are the ones to look at I think as running SXF presumably won't work at all.

thanks,

Marcus

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vince anton
> Sent: Tuesday, 10 February 2009 14:06
> To: cisco-nsp
> Subject: [c-nsp] changes in 7600 with DFC3BXL
>
> hey all,
>
> Quick question for you, hope you can help me.
>
> I'm working on installing the DFCs in existing 67xx cards in our 7600s:
>
> 7606 w/SUP720-3BXL
> 2 x 6748-GE-TX
> 1 x 6704
>
> I'm aware there are some differences in how the box reacts when a DFC is installed (the PFC will no longer need to make all the decisions, etc...). In particular this seems to change the behaviour for qos policers as well as L2 etherchannels. I'm using both of these, but I can't seem to find any definite documentation on CCO explaining the exact changes and perhaps any recommendations.
> Of course I need to know how the box will behave in order to plan for this as part of the DFC upgrade, and so far all I found was an FAQ at http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml which doesn't give so much detail, and a few items in the archives of the list which touched the surface but didn't dig deep.
>
> would appreciate if anyone can share any detailed info as to how qos and etherchannel behaviour changes in PFC vs DFCX3BXL
>
> thanks,
>
> anton

From avayner at cisco.com Tue Feb 10 08:54:47 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 10 Feb 2009 14:54:47 +0100
Subject: [c-nsp] changes in 7600 with DFC3BXL
In-Reply-To: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com>
References: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D72E2D6F@xmb-ams-331.emea.cisco.com>

Anton,

With regards to policing, what would happen is that each DFC would have its own policers, so if you have a policy applied for a VLAN which has ports on different modules, each module would have its own policer with the configured rate. This means that if you set a 10Mbps policer, but you have ports on 2 separate cards, each card would apply a separate 10Mbps policer (allowing in total a potential 20Mbps rate). The same, BTW, applies to aggregate policers.

The only change I can remember right now with regards to Etherchannel is the optional capability of specifying a load balancing algorithm per module.
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vince anton
Sent: Tuesday, February 10, 2009 15:06
To: cisco-nsp
Subject: [c-nsp] changes in 7600 with DFC3BXL

hey all,

Quick question for you, hope you can help me.

I'm working on installing the DFCs in existing 67xx cards in our 7600s:

7606 w/SUP720-3BXL
2 x 6748-GE-TX
1 x 6704

I'm aware there are some differences in how the box reacts when a DFC is installed (the PFC will no longer need to make all the decisions, etc...). In particular this seems to change the behaviour for qos policers as well as L2 etherchannels. I'm using both of these, but I can't seem to find any definite documentation on CCO explaining the exact changes and perhaps any recommendations. Of course I need to know how the box will behave in order to plan for this as part of the DFC upgrade, and so far all I found was an FAQ at http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml which doesn't give so much detail, and a few items in the archives of the list which touched the surface but didn't dig deep.

would appreciate if anyone can share any detailed info as to how qos and etherchannel behaviour changes in PFC vs DFCX3BXL

thanks,

anton

From peter at rathlev.dk Tue Feb 10 09:08:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 10 Feb 2009 15:08:16 +0100
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <20090210124019.GA8143@lboro.ac.uk>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk>
Message-ID: <1234274896.3416.51.camel@localhost.localdomain>

On Tue, 2009-02-10 at 12:40 +0000, A.L.M.Buxey at lboro.ac.uk wrote:
...
> Feb 10 12:31:54: SP: Critical error processing rpf ltl index change event (0100.5b07.0076, XXX, 0xBBF)
>
> hmm. very nice. XXX represents a VLAN number. I've done simple obfuscation of the MAC and this info just because of policy - however, those MACs *do* start with 0100 which is multicast L2 ....so currently I've got a feeling that this is a problem with TTL=1 (and being dropped - eg ghost or rubbish multicast app) and its hitting the RPF MLS - what say you all?

I don't think it has anything to do with TTL, since that's a L3 thing. This is the switch processor complaining. It could very well seem multicast related, considering the "rpf", "oif" and "ltl" TLAs.

Considering the "index change event", could it be related to some multicast registration of some kind going wrong?

Regards,
Peter

From A.L.M.Buxey at lboro.ac.uk Tue Feb 10 09:14:13 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 10 Feb 2009 14:14:13 +0000
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <1234274896.3416.51.camel@localhost.localdomain>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk> <1234274896.3416.51.camel@localhost.localdomain>
Message-ID: <20090210141413.GB8209@lboro.ac.uk>

Hi,

> I don't think it has anything to do with TTL, since that's a L3 thing. This is the switch processor complaining. It could very well seem multicast related, considering the "rpf", "oif" and "ltl" TLAs.
>
> Considering the "index change event", could it be related to some multicast registration of some kind going wrong?

it certainly is - multicast has gone very wrong and wonky. no longer receive SAPs from the rest of the world (isn't that a blessing?), internal SAPs are flappy and IGMP joins to watch a stream are non deterministic. not good.
alan

From achatz at forthnet.gr  Tue Feb 10 09:16:26 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 10 Feb 2009 16:16:26 +0200
Subject: [c-nsp] Q-in-Q termination on 6500/7600
In-Reply-To: <227142482560EF458FF1F7E784E26AB82C3129@FLBVEXCH01.versatel.local>
References: <227142482560EF458FF1F7E784E26AB82C3129@FLBVEXCH01.versatel.local>
Message-ID: <49918C3A.1030708@forthnet.gr>

Been there, done that....you need the ES cards (get the new ES+ if you decide to use these).
Alternatively (as long as your traffic demands are low), use a much-cheaper-external-router-based solution for IP QinQ termination (7200 with 31SB works fine).

--
Tassos

Marcus.Gerdon wrote on 10/02/2009 15:51:
> Hi @all,
>
> I'm looking for information regarding termination of Q-in-Q on 6500 and/or 7600 boxes. We only need plain termination on subinterfaces with IP (somewhere on Cisco called 'IPoQinQ') configured on; no EoMPLS, PPPoE or alike.
>
> As usual Cisco's really annoying as no useful clear information is to be found, and as usual Feature Navigator seems to be missing working configurations (i.e. told me no Q-in-Q on 7200...).
>
> All I could find out rather trustworthy is:
>
> - ES20 and SIP for Local Vlan Significance
> - ES20 supports Q-in-Q termination, a lot of tag rewrite functions etc.
> - 12.2SR supports Q-in-Q termination (working on 7200)
>
> I only need IP on a subinterface and have no need for all that fancy stuff the ES20 provide (and has to be paid for).
>
> So the question is:
>
> Can someone definitely confirm or reject due to tests or production setup whether Q-in-Q termination on a normal 67xx module (DFC installed) can be configured (encaps dot1q * second *) and by using which IOS ?
>
> 6500's running SXI and 7600's running SRx are the ones to look at I think as running SXF presumably won't work at all.
>
> thanks,
>
> Marcus
>

From pete at bytemark.co.uk  Tue Feb 10 09:36:06 2009
From: pete at bytemark.co.uk (Peter Taphouse)
Date: Tue, 10 Feb 2009 14:36:06 +0000
Subject: [c-nsp] temporary static routes
In-Reply-To: <4963A31E.3000103@utc.edu>
References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> <4963A31E.3000103@utc.edu>
Message-ID: <499190D6.5000805@bytemark.co.uk>

> Of course the ultimate solution would be a BGP-peering feed of IPs to
> null that also did the timeouts for you, but as far as I know, that's
> still the great pie in the sky :-)

Probably not a complete solution, but my colleague implemented a basic bgp feeder that can be integrated with our databases a lot more easily than using quagga/openbgpd/ios.

(hg clone) http://src.bytemark.co.uk/trac/bgpfeeder

--
Peter Taphouse
Bytemark Hosting
http://www.bytemark.co.uk/
tel. +44 (0) 845 004 3 004

From nicotine at warningg.com  Tue Feb 10 09:50:06 2009
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 10 Feb 2009 08:50:06 -0600
Subject: [c-nsp] temporary static routes
In-Reply-To: <4963A31E.3000103@utc.edu>
References: <4963A31E.3000103@utc.edu>
Message-ID: <20090210145006.GC28738@biological.warningg.com>

On Tue, Jan 06, 2009 at 01:29:50PM -0500, Jeff Kell wrote:
>
> Of course the ultimate solution would be a BGP-peering feed of IPs to
> null that also did the timeouts for you, but as far as I know, that's
> still the great pie in the sky :-)
>

clogin/RANCID + Quagga + crontab + + Apache = BGP nullroute server with self-expiry.

I use it regularly to allow non-network personnel to temporarily nullroute troublesome IPs while I sleep. Additionally, it's put together in such a way that I can leverage flowstats top talker reports to have limited success blocking non-spoofed DDoS attacks at the network edge via loose-mode RPF.
Identify the hosts doing an order of magnitude more [packets | bits | connections] than the rest of your traffic stream, pipe it through awk, and feed it into your nullroute machine.

--
Brandon Ewing (nicotine at warningg.com)

From rocker.rockerfeller at gmail.com  Tue Feb 10 09:53:41 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 10 Feb 2009 17:53:41 +0300
Subject: [c-nsp] Annoying POPups
In-Reply-To:
References: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com>
Message-ID: <2299bfcb0902100653w3a80c21ai1dfba931f43defe6@mail.gmail.com>

Well I'm thinking it's kind of an attack since it's the whole network.

Reason when I assign myself an ip on that range and check my ip address from what is my ip.

It gives me the ip address of my cisco router. where that ip range is from.

Appreciate any input.

On Tue, Feb 10, 2009 at 3:19 PM, Church, Charles wrote:
> This isn't really Cisco related, but I'm guessing they're all infected
> with some kind of virus or spyware. Make sure they're all patched
> (guessing they're Windows), then run something like AdAware or Spybot
> S&D on them to clean it up. Then install Firefox on all machines.
>
> Chuck
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rocker Feller
> Sent: Tuesday, February 10, 2009 7:11 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Annoying POPups
>
>
> Hi,
>
> I have a group of ips on my network a /24 that when browsing are getting an
> annoying popup across the browser.
>
> This strange behaviour started last week when the same block could not
> access any http site.
>
> Later the problem resolved itself so I thought till today.
>
> Now the block can browse but the annoying pop up pops every time the page
> is refreshed and browsing is annoying.
>
> Any advice/assistance on how I can trace the loophole on my network and
> rectify will be much appreciated.
>
> Rocker.
>

From jay at west.net  Tue Feb 10 10:19:10 2009
From: jay at west.net (Jay Hennigan)
Date: Tue, 10 Feb 2009 07:19:10 -0800
Subject: [c-nsp] Annoying POPups
In-Reply-To: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com>
References: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com>
Message-ID: <49919AEE.9070602@west.net>

Rocker Feller wrote:
> Hi,
>
> I have a group of ips on my network a /24 that when browsing are getting an
> annoying popup across the browser.
>
> This strange behaviour started last week when the same block could not
> access any http site.
>
> Later the problem resolved itself so I thought till today.

This sounds like virus/spyware on the host or browser. Does it happen to a Mac or Linux box running Firefox?

> Now the block can browse but the annoying pop up pops every time the page is
> refreshed and browsing is annoying.
>
> Any advice/assistance on how I can trace the loophole on my network and
> rectify will be much appreciated.

Don't use Windows/IE/Outlook. If you must, patch often and use antivirus software. Ideally, take those hosts off of your network until they're disinfected. In any case don't move them to another subnet until they're disinfected.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From schilling2006 at gmail.com  Tue Feb 10 10:22:36 2009
From: schilling2006 at gmail.com (schilling)
Date: Tue, 10 Feb 2009 10:22:36 -0500
Subject: [c-nsp] VRF and BGP ?
In-Reply-To: <000601c98b48$fbf407f0$f3dc17d0$@com>
References: <46AB14E5-3FC2-4033-B574-DD3972A520AA@princeton.edu> <4990B1E4.9040902@rainierconnect.net> <000601c98b48$fbf407f0$f3dc17d0$@com>
Message-ID:

You could have a vrf for esnet, esnet routes could be in a headend/hub/pilot router, your specific /22 would be in esnet vrf. You could inject a default with ospf from your headend to other esnet vrf CEs. In the headend, have a static default to your loopback connection global side as JC described. So all traffic in your /22 esnet vrf will go to esnet route if it exists, otherwise, it goes to your global routing table.

The other way to the loopback cable is to use a routed VFW instance without the ARP caveat. You could point your esnet vrf default to the VFW inside, outside is connected to your global routing table. Basically, inside vlan one end is in vrf esnet, the other is allocated to VFW as inside. The outside vlan one end is in global routing table, the other is allocated to VFW as outside. Some static routing configuration needed in the VFW since multi context FWSM only support static route.

Schilling

On Tue, Feb 10, 2009 at 1:29 AM, JH Cockburn wrote:
> Hi All,
> We had a similar situation where we had to create an "internet" vrf and
> "leak/connect" that to the global routing table.
> So we had a couple of interfaces belonging to the internet vrf of which one
> connected back to the same device on an interface in the global network. We
> had ospf as IGP to exchange infrastructure/loopback addresses and BGP for
> Internet addresses.
> The problem was that OSPF did come up at first, so the
> problem on the 6500's/7600's is that they use the same MAC address for all
> L3 interfaces. Change the one side's MAC to a MAC of your choice and up
> comes OSPF and after that BGP can do its thing.
> So when we implemented this on our GSRs/7206's it still didn't work... So
> after a bit of ol debugging I came to the conclusion that the following
> happens:
> The router (either VRF or global) wants to connect to the (OSPF) neighbor,
> needs to do an arp for the address but then sees it already has an attached
> interface with that IP/MAC pair so it never sends the arp and goes into a
> loop of sorts. (Maybe some real propeller head can give the real reasons..)
> So the OSPF never comes up. I added static arp entries (see below) and
> jippeee, OSPF comes up etc...
>
> -----
> arp 10.241.0.66 001f.26e0.d419 ARPA
> arp vrf internet 10.241.0.65 001f.26e0.d41a ARPA
> -----
>
> I hope this helps and gives you some idea what to look for when you need
> this..
>
> Cheers
> JC
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
> Sent: Tuesday, February 10, 2009 12:45 AM
> To: Jeff Fitzwater
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] VRF and BGP ?
>
> I use VRF's quite a bit on 7600 and other platforms with internal OSPF
> neighbors. So long as the interfaces you are connecting with (dot1q
> vlan's in my case most of the time) are associated with that vrf, you
> should be able to do so, although, I've never tried to leak routes from
> the global routing table into a VRF, or use BGP (in OSPF there is a vrf
> tag you must use if I remember correctly). Using VRF's will give you a
> separate routing table isolated from your global routing table however.
> I'm not an expert on this subject so if anyone has corrections, please
> chime in.
>
> Jeff Fitzwater wrote:
> > I am running 12.2.SXI on a 6500 with sup-720
> >
> >
> > I currently have 3 full BGP peers with two on I1 and one on I2.
> >
> > I now need a fourth peer with ESNet (gov ISP) but only allow two /22
> > net from Princeton U. access to ESNet.
> >
> > My dilemma is how to only let the two nets see the additional ESNet
> > routes so that no other host on campus will try and use the ESNET
> > routes and fail.
> >
> > I have not used the VRF feature yet, but it appears that it might do
> > the trick if I can create a separate routing domain with just ESNet
> > routes, and then point only the two nets to the VRF so they check the
> > ESNet table first and if not present fall thru to the global table.
> > I should be able to use a ROUTE-MAP to accomplish this.
> >
> > From the doc it states that I can create a VRF and import routes from
> > the global table but that means everybody will still see the routes to
> > ESNet ( I would guess anyway).
> >
> > Can I peer directly with the VRF without doing an import from the
> > global table so only it has the ESNet routes?
> >
> > Does anybody have any suggestions on this issue?
> >
> >
> > Thanks for any help.
> >
> >
> >
> > Jeff Fitzwater
> > OIT Network Systems
> > Princeton University
>

From rodunn at cisco.com  Tue Feb 10 11:12:24 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 10 Feb 2009 11:12:24 -0500
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <20090210124019.GA8143@lboro.ac.uk>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk>
Message-ID: <20090210161224.GD7623@rtp-cse-489.cisco.com>

I only see the matches in the entire bug database for the message.

One I found is:

CSCsx26182
Console unusable with criitcal error msgs after ISSU LV/RV in mVPN setup

It was seen after they did an ISSU.

Did you do anything specific to the upgrade procedure when they started showing up by chance?

Rodney

On Tue, Feb 10, 2009 at 12:40:19PM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
> hi,
>
> okay - after fruitful time on the test/devel router and then
> a prolonged period on 2 select routers, we're now SXI across
> the board.... which has finally thrown up an error (of sorts!)
> hurrah! :-)
>
> having exhausted my usual supply of cisco and google (and c-nsp ;-) )
> searches I thought I'd throw this one to the list before
> visiting my TAC friends for the 3rd time this week.
>
> note: so far we only observe this error on systems with 2 Sup720's in
> SSO redundancy mode
>
> this is what's being logged:
>
> Feb 10 12:26:38: SP: Critical error processing oif ltl index change event (0100.5b00.073c, XXX, 0xB8B)
> Feb 10 12:30:32: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
> Feb 10 12:30:32: SP: Critical error processing oif ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
> Feb 10 12:30:48: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
> Feb 10 12:30:48: SP: Critical error processing oif ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
> Feb 10 12:31:54: SP: Critical error processing rpf ltl index change event (0100.5b07.0076, XXX, 0xBBF)
>
> hmm. very nice . XXX represents a VLAN number. if done simple obfuscation
> of the MAC and this info just because of policy - however, those MACs *do*
> start with 0100 which is multicast L2 ....so currently I've got a feeling
> that this is a problem with TTL=1 (and being dropped - eg ghost or rubbish
> multicast app) and it's hitting the RPF MLS - what say you all?
>
> alan
>

From rocker.rockerfeller at gmail.com  Tue Feb 10 11:19:57 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 10 Feb 2009 19:19:57 +0300
Subject: [c-nsp] Annoying POPups
In-Reply-To: <49919B51.1040104@west.net>
References: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com> <2299bfcb0902100653w3a80c21ai1dfba931f43defe6@mail.gmail.com> <49919B51.1040104@west.net>
Message-ID: <2299bfcb0902100819o5fdc8657kce8e0c5590dc688b@mail.gmail.com>

No NAT these are all public ips.

Router 2811 is the terminating point for all these ips which come in on vlans on different subinterfaces.
Customers connect to me via this router and I have issued them public ips.

This router is connected direct to my uplink (Internet) provider.

Rocker

On Tue, Feb 10, 2009 at 6:20 PM, Jay Hennigan wrote:
> Rocker Feller wrote:
>
>> Well am thinking its kind of an attack since its the whole network.
>>
>> Reason when I assign myself an ip on that range and check my ip address
>> from
>> what is my ip.
>>
>> It gives me the ip address of my cisco router. where that ip range is
>> from.
>>
>
> Is your Cisco router performing NAT? If so, this is normal.
>
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
>

From davee925 at gmail.com  Tue Feb 10 11:39:23 2009
From: davee925 at gmail.com (Dave Edmondson)
Date: Tue, 10 Feb 2009 10:39:23 -0600
Subject: [c-nsp] Frame-relay to MLPPP traffic shaping and QoS?
Message-ID: <001401c98b9e$225b9250$371e0a0a@bonestroo.com>

Hello all,

I have inherited a network used for data, VoIP, and video conferencing. The central site has a DS3 with a 12 mbps frame-relay interface into a Juniper-based MPLS and a 12 mbps frame-relay interface to the Internet. The remote sites on the MPLS network have 2XT1 MLPPP interfaces, with all Internet access via the central site. My central site has a Cisco 3845 (12.4(3f)) with an NM1-T3/E3 card, the remotes all have Cisco 1841 (12.3(10.3)T2).

We do video conferences between sites on the MPLS and FTP is used to move multi-gigabyte files from the central site to the remote sites and from remote site to remote site. Email servers are all at the main site. We are moving toward central storage as well, so some backups are done from remote sites to the central site. And they want to provide streaming media for training...

We are not doing any BGP or OSPF, just static routes. Each site has a /16 assigned.
                  3 meg MLPPP 1841, 10.20.X.X
                              |
                              |
3 meg MLPPP 1841, 10.20.X.X--- MPLS ---3 meg MLPPP 1841, 10.30.X.X
                              |
                              |
         DS3 w/12 meg frame relay PVC to 3845, 10.10.X.X

My challenge:

1) Shape traffic or rate limit to 3 megs from the central site to each of the remote sites so I don't overrun the remote site bandwidth.

2) Apply QoS to traffic destined for each specific remote originating from the central site, rate-limiting some protocols (like FTP).

I am familiar with QoS configs on MLPPP bundles in Cisco, but I know nothing about traffic shaping and QoS on frame relay interfaces. If ignorance is bliss, I've been pretty happy until now....

Suggestions?

From rocker.rockerfeller at gmail.com  Tue Feb 10 11:57:12 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 10 Feb 2009 19:57:12 +0300
Subject: [c-nsp] Annoying POPups
In-Reply-To: <8852ac1c0902100843q3e50df3bte7022368134e2a61@mail.gmail.com>
References: <2299bfcb0902100410i4d65dbc9s51cd039848ffcbef@mail.gmail.com> <2299bfcb0902100653w3a80c21ai1dfba931f43defe6@mail.gmail.com> <49919B51.1040104@west.net> <2299bfcb0902100819o5fdc8657kce8e0c5590dc688b@mail.gmail.com> <8852ac1c0902100843q3e50df3bte7022368134e2a61@mail.gmail.com>
Message-ID: <2299bfcb0902100857p67621c2cq59ddb898984f4d4e@mail.gmail.com>

No. They are all handled by the same DNS server and there is no proxy server and wccp is disabled on that router.

On Tue, Feb 10, 2009 at 7:43 PM, Charles Klement wrote:
> do users on that subnet get handed a different DNS or proxy server ?
>
> On Tue, Feb 10, 2009 at 8:19 AM, Rocker Feller <
> rocker.rockerfeller at gmail.com> wrote:
>
>> No NAT these are all public ips.
>>
>> Router 2811 is the terminating point for all these ips which come in on
>> vlans on different subinterfaces.
>>
>> Customers connect to me via this router and I have issued them public ips.
>>
>> This router is connected direct to my uplink (Internet) provider.
>>
>> Rocker
>>
>>
>>
>> On Tue, Feb 10, 2009 at 6:20 PM, Jay Hennigan wrote:
>>
>> > Rocker Feller wrote:
>> >
>> >> Well am thinking its kind of an attack since its the whole network.
>> >>
>> >> Reason when I assign myself an ip on that range and check my ip address
>> >> from
>> >> what is my ip.
>> >>
>> >> It gives me the ip address of my cisco router. where that ip range is
>> >> from.
>> >>
>> >
>> > Is your Cisco router performing NAT? If so, this is normal.
>> >
>> >
>> > --
>> > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
>> > Impulse Internet Service - http://www.impulse.net/
>> > Your local telephone and internet company - 805 884-6323 - WB6RDV
>> >
>>
>

From A.L.M.Buxey at lboro.ac.uk  Tue Feb 10 12:24:04 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 10 Feb 2009 17:24:04 +0000
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <20090210161224.GD7623@rtp-cse-489.cisco.com>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk> <20090210161224.GD7623@rtp-cse-489.cisco.com>
Message-ID: <20090210172404.GA10002@lboro.ac.uk>

Hi,

> I only see the matches in the entire bug database for the message.
>
> One I found is:
>
> CSCsx26182
> Console unusable with criitcal error msgs after ISSU LV/RV in mVPN setup
>
> It was seen after they did an ISSU.
>
> Did you do anything specific to the upgrade procedure when they
> started showing up by chance?

no - but I've narrowed the problem down massively - by removing the second supervisor, the error messages stop totally. Our dual-sups are (or were ;-) ) in SSO config - now, I'm not sure what nastiness might lurk in the SXI for this config.
worked fine for SXF (never did SXH on them due to oh so many! issues)

anyway, TAC case hopefully opened via our support folk so we'll see what happens.

of note, however, since the update to SXI, multicast is still rather weird....some IGMP joins are fine, others don't seem to work - and all SAP has stopped coming through - all our settings are the same.... (I also note 'ip sap listen' has gone from the command line.....good ;-) ) - so I've still got some issues with this..but hey, when does an upgrade (even planned) go glass-smooth?

alan

From jeff-kell at utc.edu  Tue Feb 10 12:38:00 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 10 Feb 2009 12:38:00 -0500
Subject: [c-nsp] Cannot connect to ASA using ASDM software
In-Reply-To:
References: <000001c98afe$7f9cab70$7ed60250$@com> <7aaaf7f0902091422j7e3a9392ya450f908238e4b0a@mail.gmail.com>
Message-ID: <4991BB78.8080004@utc.edu>

Church, Charles wrote:
> I'm still using 5.2.x ASDM, as the ASA is running 7.2.x still (both late
> interim releases). Hoping for a newer ASDM soon. 5.2(4)50 still is
> broken.

There is a 5.2(4)52 that works with 7.2, but you have to have TAC to a custom file download (or at least you did when I ran across this).

There's a similar issue with the ASDM(F) for the FWSM. 6.1(2)F works with both 3.2 (backward-compatible) and 4.x FWSM software.

Jeff

From jfitz at Princeton.EDU  Tue Feb 10 14:22:13 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Tue, 10 Feb 2009 14:22:13 -0500
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX
Message-ID:

We are running 12.2.SXI on sup-720-cxl

We use snmp getnext and getbulk to get the ARP table from a router that has ~16K entries and it takes about 10min to complete, with ROUTER CPU at 100%. Our other routers have the same hardware and IOS but have <10K entries and work fine.

This is an old problem with CISCO and I thought they might have finally fixed it in SXI, but NOT.
The problem is the ARP entries are stored internally in a hashed format and SNMP needs them in an ordered format, so for every snmp PDU the CPU must get the entire ARP table and crunch it to create the ordered PDU response. This will take place for as many PDUs as it takes to retrieve the entire table. There does appear to be a point (size of ARP table) at which it takes very long to retrieve the whole table which seems to be around 12K but with a 16K table it takes forever.

In the attached PDF from CISCO they explain the problem and also state that if you turn on CEF (has always been on for long time) that it is much faster since the FIB is already in a lexical order that snmp likes. Since CEF is always on, why does it still take so long.

At this point we basically cannot do any retrieval of the ARP tables.

There must be many other groups that have this same problem or I have really missed something.

I will open up a ticket with CISCO if nobody out there has an answer.

Currently we use an expect script to get the table via CLI which is much faster but it doesn't help tools that must use snmp.

Thanks for any help.

Jeff Fitzwater
OIT Network Systems
Princeton University

From jared at puck.nether.net  Tue Feb 10 14:27:49 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 10 Feb 2009 14:27:49 -0500
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX
In-Reply-To:
References:
Message-ID: <20090210192749.GC70058@puck.nether.net>

On Tue, Feb 10, 2009 at 02:22:13PM -0500, Jeff Fitzwater wrote:
> We are running 12.2.SXI on sup-720-cxl
>
> We use snmp getnext and getbulk to get the ARP table from a router that
> has ~16K entries and it takes about 10min to complete, with ROUTER CPU at
> 100%. Our other routers have the same hardware and IOS but have <10K
> entries and work fine.

When you say getnext/getbulk, I presume you mean a snmp v2c bulkwalk? Or are you using snmp V1?
> This is an old problem with CISCO and I thought they might have finally
> fixed it in SXI, but NOT.
>
> The problem is the ARP entries are stored internally in a hashed format
> and SNMP needs them in an ordered format, so for every snmp PDU the CPU
> must get the entire ARP table and crunch it to create the ordered PDU
> response. This will take place for as many PDUs as it takes to retrieve
> the entire table. There does appear to be a point (size of ARP table)
> at which it takes very long to retrieve the whole table which seems to be
> around 12K but with a 16K table it takes forever.
>
> In the attached PDF from CISCO they explain the problem and also state
> that if you turn on CEF (has always been on for long time) that it is
> much faster since the FIB is already in a lexical order that snmp likes.
> Since CEF is always on, why does it still take so long.

(The list strips the pdf files, you can email them to me to post on puck, or give a pointer to the pdf on cisco.com)

>
>
>
> At this point we basically cannot do any retrieval of the ARP tables.
>
>
>
> There must be many other groups that have this same problem or I have
> really missed something.
>
>
> I will open up a ticket with CISCO if nobody out there has an answer.
>
> Currently we use an expect script to get the table via CLI which is much
> faster but it doesn't help tools that must use snmp.
>
>
> Thanks for any help.
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
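The ordering problem Jeff describes and the bulkwalk question Jared raises can be seen in a small model. What follows is an added illustration, not code from the thread, from Cisco, or from IOS: a toy agent serving the ipNetToMediaPhysAddress column (1.3.6.1.2.1.4.22.1.2.<ifIndex>.<ip>) from a table it keeps only in a hash, so every GETNEXT or GETBULK PDU has to sort the whole table to find the lexicographic successor of the requested OID, beside an agent that keeps a sorted index built once, which is the situation the Cisco note attributes to the already ordered FIB. The sample ARP table, the per-PDU sort and the cost counters are constructed assumptions about the behaviour the thread describes, not measurements of any router.

```python
"""Toy SNMP agents for the ARP table (ipNetToMediaPhysAddress), constructed
to show why per-PDU ordering of a hashed table is expensive and how a
GETBULK walk with many repetitions, or an agent with a pre-sorted index,
reduces the cost. Not Cisco's code; the table contents are made up."""
import bisect
import random
from typing import Dict, List, Tuple

OidT = Tuple[int, ...]
ArpTable = Dict[Tuple[int, str], bytes]  # (ifIndex, dotted ip) -> MAC

# Column OID of ipNetToMediaPhysAddress; rows are indexed by ifIndex.a.b.c.d
IP_NET_TO_MEDIA_PHYS: OidT = (1, 3, 6, 1, 2, 1, 4, 22, 1, 2)


def build_arp_table(n: int, seed: int = 1) -> ArpTable:
    """Constructed sample ARP table with n unique (ifIndex, ip) rows.
    A dict stands in for the router's hashed storage: no ordering at all."""
    rng = random.Random(seed)
    table: ArpTable = {}
    while len(table) < n:
        ifindex = rng.randint(1, 8)
        ip = "10.%d.%d.%d" % (rng.randint(0, 255), rng.randint(0, 255), rng.randint(1, 254))
        table[(ifindex, ip)] = bytes(rng.randrange(256) for _ in range(6))
    return table


def row_oid(ifindex: int, ip: str) -> OidT:
    """Instance OID of one row: column OID + ifIndex + the four IP octets."""
    return IP_NET_TO_MEDIA_PHYS + (ifindex,) + tuple(int(o) for o in ip.split("."))


class HashedAgent:
    """Agent whose only copy of the table is the hash; it sorts on every PDU."""

    def __init__(self, table: ArpTable) -> None:
        self.table = table
        self.pdus = 0         # PDUs answered
        self.rows_sorted = 0  # rows fed through a sort: the CPU-cost proxy

    def _ordered(self) -> List[Tuple[OidT, bytes]]:
        self.rows_sorted += len(self.table)
        return sorted((row_oid(i, ip), mac) for (i, ip), mac in self.table.items())

    def get_bulk(self, start: OidT, max_repetitions: int) -> List[Tuple[OidT, bytes]]:
        """Rows whose OID sorts after `start`, at most max_repetitions of them.
        GETNEXT is the max_repetitions=1 case; tuple comparison reproduces
        SNMP's lexicographic OID order."""
        self.pdus += 1
        return [(oid, mac) for oid, mac in self._ordered() if oid > start][:max_repetitions]


class IndexedAgent(HashedAgent):
    """Same table plus a sorted index built once, like an already ordered FIB."""

    def __init__(self, table: ArpTable) -> None:
        super().__init__(table)
        self.index = self._ordered()  # the one and only sort
        self.keys = [oid for oid, _ in self.index]

    def get_bulk(self, start: OidT, max_repetitions: int) -> List[Tuple[OidT, bytes]]:
        self.pdus += 1
        pos = bisect.bisect_right(self.keys, start)  # O(log n), no sort
        return self.index[pos:pos + max_repetitions]


def walk(agent: HashedAgent, max_repetitions: int = 1) -> List[Tuple[OidT, bytes]]:
    """Walk the whole column the way snmpwalk (GETNEXT, max_repetitions=1) or
    snmpbulkwalk (GETBULK) does: ask from the last OID received until the
    agent returns nothing that still lies inside the column."""
    rows: List[Tuple[OidT, bytes]] = []
    cur = IP_NET_TO_MEDIA_PHYS
    while True:
        chunk = [(o, m) for o, m in agent.get_bulk(cur, max_repetitions)
                 if o[:len(IP_NET_TO_MEDIA_PHYS)] == IP_NET_TO_MEDIA_PHYS]
        if not chunk:
            return rows
        rows.extend(chunk)
        cur = chunk[-1][0]


def compare(n: int = 500, max_repetitions: int = 50) -> Dict[str, Tuple[int, int]]:
    """(PDUs answered, rows sorted) for three ways of pulling an n-row table."""
    table = build_arp_table(n)
    results: Dict[str, Tuple[int, int]] = {}
    for name, agent, reps in (("getnext/hashed", HashedAgent(table), 1),
                              ("getbulk/hashed", HashedAgent(table), max_repetitions),
                              ("getbulk/indexed", IndexedAgent(table), max_repetitions)):
        rows = walk(agent, reps)
        assert len(rows) == n and rows == sorted(rows)  # every walk is complete and ordered
        results[name] = (agent.pdus, agent.rows_sorted)
    return results


if __name__ == "__main__":
    for name, (pdus, sorted_rows) in compare().items():
        print("%-16s PDUs=%5d rows sorted=%8d" % (name, pdus, sorted_rows))
```

With the hashed agent the sort cost grows as rows times PDUs, so a plain GETNEXT walk of n rows sorts roughly n squared entries, which is the "takes forever" cliff Jeff sees as the table grows; a v2c bulkwalk with a large max-repetitions cuts the PDU count by that factor but still sorts the full table on each PDU, and only an agent that keeps the rows in OID order to begin with makes each PDU cheap. The model is deliberately simple (one column, no MIB-II ordering rules beyond tuple comparison) and says nothing about what the real IOS code does beyond the hashed-versus-ordered contrast the thread states.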
From graham at g-rock.net  Tue Feb 10 14:42:05 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 10 Feb 2009 14:42:05 -0500
Subject: [c-nsp] 7606 with SPA-2xT3, hot insert - reboot required?
In-Reply-To: <20090210192749.GC70058@puck.nether.net>
References: <20090210192749.GC70058@puck.nether.net>
Message-ID: <20090210144205.oq9bo02bnocg44c0@webmail.iamforeverme.com>

Hi fellas,

I have a 7606 and I inserted (hot) a SPA-2xT3 card into my SIP400 subslot (2/1), from which it shows up in various "show" commands just... but it doesn't give me the ability to actually config the interfaces on it. Does it require a reboot for the serial interfaces to come up?

7606, with dual 720's. Running c7600s72033-adventerprisek9-mz.122-33.SRC.bin.
From the module guide, this is the first supported rev of this card in the slot.
Any known issues, or does the box need to take a reboot?

Thanks in advance,

-graham

Feb 9 14:54:56 CST: %DIAG-SP-6-RUN_MINIMUM: Module 2/1: Running Minimal Diagnostics...
Feb 9 14:54:57 CST: %DIAG-SP-6-DIAG_OK: Module 2/1: Passed Online Diagnostics
Feb 9 14:54:57 CST: %SPA_OIR-6-ONLINECARD: SPA (SPA-2XT3/E3) online in subslot 2/1

#show hw-module subslot all oir
Module        Model                Operational Status
------------- -------------------- ------------------------
subslot 2/0   SPA-1XOC12-ATM       ok
subslot 2/1   SPA-2XT3/E3          ok

#show hw-module subslot 2/1 fpd

==== ====================== ====== =============================================
                                   H/W   Field Programmable   Current   Min. Required
Slot Card Type              Ver.   Device: "ID-Name"          Version   Version
==== ====================== ====== ================== =========== ==============
2/1  SPA-2XT3/E3            1.1    1-ROMMON                   2.12      2.12
                                   2-I/O FPGA                 1.0       1.0
                                   3-E3 FPGA                  1.4       1.4
                                   4-T3 FPGA                  1.4       1.4
==== ====================== ====== =============================================

From robbie.jacka at regions.com  Tue Feb 10 14:48:19 2009
From: robbie.jacka at regions.com (robbie.jacka at regions.com)
Date: Tue, 10 Feb 2009 13:48:19 -0600
Subject: [c-nsp] 7606 with SPA-2xT3, hot insert - reboot required?
In-Reply-To: <20090210144205.oq9bo02bnocg44c0@webmail.iamforeverme.com>
Message-ID:

Have you set "card type t3 2 1"?

--
robbie

Graham Wooden, sent by cisco-nsp-bounces at puck.nether.net, 02/10/2009 01:43 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7606 with SPA-2xT3, hot insert - reboot required?

Hi fellas,

I have a 7606 and I inserted (hot) a SPA-2xT3 card into my SIP400 subslot (2/1), from which it shows up in various "show" commands just... but it doesn't give me the ability to actually config the interfaces on it. Does it require a reboot for the serial interfaces to come up?

7606, with dual 720's. Running c7600s72033-adventerprisek9-mz.122-33.SRC.bin.
From the module guide, this is the first supported rev of this card in the slot.
Any known issues, or does the box need to take a reboot?

Thanks in advance,

-graham

Feb 9 14:54:56 CST: %DIAG-SP-6-RUN_MINIMUM: Module 2/1: Running Minimal Diagnostics...
Feb 9 14:54:57 CST: %DIAG-SP-6-DIAG_OK: Module 2/1: Passed Online Diagnostics
Feb 9 14:54:57 CST: %SPA_OIR-6-ONLINECARD: SPA (SPA-2XT3/E3) online in subslot 2/1

#show hw-module subslot all oir
Module        Model                Operational Status
------------- -------------------- ------------------------
subslot 2/0   SPA-1XOC12-ATM       ok
subslot 2/1   SPA-2XT3/E3          ok

#show hw-module subslot 2/1 fpd

==== ====================== ====== =============================================
                                   H/W   Field Programmable   Current   Min. Required
Slot Card Type              Ver.   Device: "ID-Name"          Version   Version
==== ====================== ====== ================== =========== ==============
2/1  SPA-2XT3/E3            1.1    1-ROMMON                   2.12      2.12
                                   2-I/O FPGA                 1.0       1.0
                                   3-E3 FPGA                  1.4       1.4
                                   4-T3 FPGA                  1.4       1.4
==== ====================== ====== =============================================

From jfitz at Princeton.EDU  Tue Feb 10 14:53:28 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Tue, 10 Feb 2009 14:53:28 -0500
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX
In-Reply-To: <20090210192749.GC70058@puck.nether.net>
References: <20090210192749.GC70058@puck.nether.net>
Message-ID:

Hello Jared,

We use only snmp V2.

Here is the URL
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml

Jeff

On Feb 10, 2009, at 2:27 PM, Jared Mauch wrote:

> On Tue, Feb 10, 2009 at 02:22:13PM -0500, Jeff Fitzwater wrote:
>> We are running 12.2.SXI on sup-720-cxl
>>
>> We use snmp getnext and getbulk to get the ARP table from a router
>> that
>> has ~16K entries and it takes about 10min to complete, with ROUTER
>> CPU at
>> 100%. Our other routers have the same hardware and IOS but have
>> <10K
>> entries and work fine.
>
> When you say getnext/getbulk, I presume you mean a snmp v2c bulkwalk?
> Or are you using snmp V1?
>
>> This is an old problem with CISCO and I thought they might have
>> finally
>> fixed it in SXI, but NOT.
>>
>> The problem is the ARP entries are stored internally in a hashed
>> format
>> and SNMP needs them in an ordered format, so for every snmp PDU the
>> CPU
>> must get the entire ARP table and crunch it to create the ordered PDU
>> response. This will take place for as many PDUs as it takes to
>> retrieve
>> the entire table.
>> There does appear to be a point (size of ARP table)
>> at which it takes very long to retrieve the whole table which seems to be
>> around 12K but with a 16K table it takes forever.
>>
>> In the attached PDF from CISCO they explain the problem and also state
>> that if you turn on CEF (has always been on for long time) that it is
>> much faster since the FIB is already in a lexical order that snmp likes.
>> Since CEF is always on, why does it still take so long.
>
> (The list strips the pdf files, you can email them to me to
> post on puck, or give a pointer to the pdf on cisco.com)
>
>> At this point we basically cannot do any retrieval of the ARP tables.
>>
>> There must be many other groups that have this same problem or I have
>> really missed something.
>>
>> I will open up a ticket with CISCO if nobody out there has an answer.
>>
>> Currently we use an expect script to get the table via CLI which is much
>> faster but it doesn't help tools that must use snmp.
>>
>> Thanks for any help.
>>
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++;     | http://puck.nether.net/~jared/  My statements are only mine.

From graham at g-rock.net Tue Feb 10 14:56:43 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 10 Feb 2009 14:56:43 -0500
Subject: [c-nsp] 7606 with SPA-2xT3, hot insert - reboot required?
In-Reply-To:
References:
Message-ID: <20090210145643.ueye4j8l4w00kogo@webmail.iamforeverme.com>

Bah ... that was the trick. Thanks Robbie.

-graham

> Have you set "card type t3 2 1"?
> --
> robbie
From kwoody at citytel.net Tue Feb 10 14:02:41 2009
From: kwoody at citytel.net (Keith)
Date: Tue, 10 Feb 2009 11:02:41 -0800 (PST)
Subject: [c-nsp] VTP domain.
Message-ID: <20090210102330.K55176@pop.citytel.net>

Have a 3560 I am configuring to replace a 3550. Somehow the 3560 grabbed a vtp domain name when it was connected to another switch in our lab rack. The switch is not part of any domain, it just pushes packets.

The 3550 being replaced has no vtp domain name. Is it possible to remove the vtp domain name without deleting the vlan.dat file? I have looked over the TAC but see nothing really regarding removing a vtp domain name. Lots about adding one, not about removing one.

There are two routed connections to two other switches, I don't have to worry about any vlan advertisements being sent from the 3560 as long as there are no trunks between switches correct? I'm very afraid of swapping out the switches and having vlan data overwritten...

Thanks for any info.

From RTeller at deltadentalwa.com Tue Feb 10 15:43:52 2009
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 10 Feb 2009 12:43:52 -0800
Subject: [c-nsp] VTP domain.
In-Reply-To: <20090210102330.K55176@pop.citytel.net>
References: <20090210102330.K55176@pop.citytel.net>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA134117A8@tiger.deltadentalwa.com>

What is the current vtp mode of the switch?
From kwoody at citytel.net Tue Feb 10 15:49:23 2009
From: kwoody at citytel.net (Keith)
Date: Tue, 10 Feb 2009 12:49:23 -0800 (PST)
Subject: [c-nsp] VTP domain.
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA134117A8@tiger.deltadentalwa.com>
References: <20090210102330.K55176@pop.citytel.net> <06C1E76E03FE9C4B85BFA9C75365D9DA134117A8@tiger.deltadentalwa.com>
Message-ID: <20090210124831.K55176@pop.citytel.net>

On Tue, 10 Feb 2009, Teller, Robert wrote:

|->What is the current vtp mode of the switch?

Sorry should have posted that. VTP mode is server...

From peter at rathlev.dk Tue Feb 10 15:56:18 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 10 Feb 2009 21:56:18 +0100
Subject: [c-nsp] VTP domain.
In-Reply-To: <20090210102330.K55176@pop.citytel.net>
References: <20090210102330.K55176@pop.citytel.net>
Message-ID: <1234299378.7862.4.camel@localhost.localdomain>

On Tue, 2009-02-10 at 11:02 -0800, Keith wrote:
> Have a 3560 I am configuring to replace a 3550. Somehow the 3560 grabbed a
> vtp domain name when it was connected to another switch in our lab rack.
> The switch is not part of any domain, it just pushes packets.
>
> The 3550 being replaced has no vtp domain name. Is it possible to remove
> the vtp domain name without deleting the vlan.dat file?
> I have looked over
> the TAC but see nothing really regarding removing a vtp domain name. Lots
> about adding one, not about removing one.
>
> There are two routed connections to two other switches, I don't have to
> worry about any vlan advertisements being sent from the 3560 as long as
> there are no trunks between switches correct? I'm very afraid of swapping
> out the switches and having vlan data overwritten...

Don't rely on different VTP domains (or even passwords) for this kind of separation. Instead set the device to use "vtp mode transparent". This way it will not send or receive VTP messages.

About the questions: AFAIK there's no way to explicitly set a "null" name for the VTP domain when it has already been set. And AFAIK you're right about VTP not being carried across access ports.

But do use transparent VTP mode if you need the switch to stay out of VTP.

Regards,
Peter

From kwoody at citytel.net Tue Feb 10 16:31:10 2009
From: kwoody at citytel.net (Keith)
Date: Tue, 10 Feb 2009 13:31:10 -0800 (PST)
Subject: [c-nsp] VTP domain.
In-Reply-To: <1234299378.7862.4.camel@localhost.localdomain>
References: <20090210102330.K55176@pop.citytel.net> <1234299378.7862.4.camel@localhost.localdomain>
Message-ID: <20090210125825.D55176@pop.citytel.net>

On Tue, 10 Feb 2009, Peter Rathlev wrote:
|->Don't rely on different VTP domains (or even passwords) for this kind of
|->separation. Instead set the device to use "vtp mode transparent". This
|->way it will not send or receive VTP messages.
|->
|->But do use transparent VTP mode if you need the switch to stay out of
|->VTP.

We don't use VTP here at all. We keep vlans separate on each switch. I have not really thought about VTP much until going over all the things that can go wrong with this switch swap.

All our switches do routing, so any links between switches are set no switchport and assigned IP's. I will change it to transparent mode just to make sure no vlan info is carried over the two links to the other switches.

Also thanks for the answer to the question regarding vtp domain names. I'm guessing the domain name that is there now and having the switch in transparent mode will not affect anything since it is not sending or receiving VTP messages?

Thanks again,
Keith

From mduksa at gmail.com Tue Feb 10 17:23:29 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 10 Feb 2009 14:23:29 -0800
Subject: [c-nsp] itu/c DWDM
Message-ID:

Hi - can anyone explain the difference between 'tunable optics' and DWDM capable cards on Cisco routers (7600, 12K and CRS), or is this the same?

Also, can in essence a 4-10GE-ITU/C (4x10G C-band DWDM PLIM on CRS) do the same thing as SPA-1x10GE-L-ITUC (1x10G C-Band spa) on 12K (port capacity put aside)?
Does this mean that I can have a single physical port (on a DWDM enabled 7600/12K/CRS cards/PLIMs) carrying traffic at various speeds over different wavelengths (BW totaling 10G for example for a 10G physical port)? For example, I can create one channel with oc-12 speed over one wavelength, another channel with oc-48 speed on another channel and then bind those channels to a sub-interface? Is this how this is done?

With IPoDWDM optical integration they talk about eliminating transponders, but I'm not sure what those transponders would do anyway, before they drop traffic to an (RO)ADM?

Can anyone shed some light on this please.

Thanks,
Marlon

From swmike at swm.pp.se Tue Feb 10 17:36:48 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 10 Feb 2009 23:36:48 +0100 (CET)
Subject: [c-nsp] itu/c DWDM
In-Reply-To:
References:
Message-ID:

On Tue, 10 Feb 2009, Marlon Duksa wrote:

> Hi - can anyone explain the difference between 'tunable optics' and DWDM
> capable cards on Cisco routers (7600, 12K and CRS), or is this the same?

Yes, that is the same.

> Also, can in essence a 4-10GE-ITU/C (4x10G C-band DWDM PLIM on CRS) do the
> same thing as SPA-1x10GE-L-ITUC (1x10G C-Band spa) on 12K (port capacity put
> aside)?

It's my understanding that they can.

> Does this mean that I can have a single physical port (on a DWDM enabled
> 7600/12K/CRS cards/PLIMs) carrying traffic at various speeds over
> different wavelengths (BW totaling 10G for example for a 10G physical port)?
> For example, I can create one channel with oc-12 speed over one wavelength,
> another channel with oc-48 speed on another channel and then bind those
> channels to a sub-interface? Is this how this is done?

No, it's single wavelength at any given time, and it's 10G only, and it's single point to point link over that single DWDM wave. You can of course have multiple ports in your router and thus achieve multiple waves, but each port only outputs single wave.
> With IPoDWDM optical integration they talk about eliminating transponders,
> but I'm not sure what those transponders would do anyway, before they drop
> traffic to an (RO)ADM?

A DWDM transponder converts your 1310nm light into C-band single wavelength light and might add Forward Error Correction (FEC), plus supplies the people who run the DWDM with an administrative interface to monitor, both the DWDM side and the local tributary side.

With the above router linecards you basically put the transponder into the router so the router outputs the C-band light and does FEC, and then you put this light via a variable attenuator into the DWDM system without any further Optical-Electrical-Optical conversion.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From chris at chrisserafin.com Tue Feb 10 17:44:04 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Tue, 10 Feb 2009 16:44:04 -0600
Subject: [c-nsp] Sprint & AT&T BGP multihoming
Message-ID: <49920334.6040306@chrisserafin.com>

I am planning on multi-homing a client's Internet connection for redundancy, and wanted to know if anyone is doing this with Sprint and/or AT&T and has any pointers or 'gotchas' they have run into.

I'm still months out from doing this and will most likely want to KEEP the existing subnets that they gave us (a /23 and /24), without the need for rebuilding a bunch of VPNs, re-IP'ing externally facing devices, and DNS changes for externally available web presence.

Ideas? Comments? Concerns? Flames?

Thanks,
Chris Serafin
chris at chrisserafin.com

From dwcarder at wisc.edu Tue Feb 10 18:10:46 2009
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Tue, 10 Feb 2009 17:10:46 -0600
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX
In-Reply-To:
References:
Message-ID: <1D21D11C-D7DC-4315-9B06-EBCCC10AA563@wisc.edu>

To answer your subject: no.
On Feb 10, 2009, at 1:22 PM, Jeff Fitzwater wrote:
>
> We use snmp getnext and getbulk to get the ARP table from a router
> that has ~16K entries and it takes about 10min to complete, with
> ROUTER CPU at 100%. Our other routers have the same hardware and
> IOS but have <10K entries and work fine.

Same here. It's been that way for what seems like a long time though.

> In the attached PDF from CISCO they explain the problem and also
> state that if you turn on CEF (has always been on for long time) that
> it is much faster since the FIB is already in a lexical order that
> snmp likes. Since CEF is always on, why does it still take so long.

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml

That document seems pretty dated and/or doesn't fit tcam based architectures.

The solution could come in a couple of different forms:

- a processor faster than what shipped in my cell phone (perhaps you would have had an rsp720 by now on 6500 had the 6500/7600 customer alienation not occurred, yada yada, Gert takes a deep breath)
- maintaining a new datastructure in memory just to speed up these sorts of things.
- finding a better sorting algorithm.
- create a new mib that returns the values in hardware order.

> At this point we basically cannot do any retrieval of the ARP tables.
> Currently we use an expect script to get the table via CLI which is
> much faster

That's what we do too, and we also scrape the ipv6 neighbor cache. This all gets stuffed into sql.

> but it doesn't help tools that must use snmp.

I'm guessing you're referring to something that wants to use the arp table to help with topology discovery? I'll admit we gave up on that long ago, too.

Dale

From mduksa at gmail.com Tue Feb 10 18:33:12 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 10 Feb 2009 15:33:12 -0800
Subject: [c-nsp] itu/c DWDM
In-Reply-To:
References:
Message-ID:

Got it. This helps a lot.
Thanks.
Marlon

From mtinka at globaltransit.net Tue Feb 10 18:54:18 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 11 Feb 2009 07:54:18 +0800
Subject: [c-nsp] VTP domain.
In-Reply-To: <20090210102330.K55176@pop.citytel.net>
References: <20090210102330.K55176@pop.citytel.net>
Message-ID: <200902110754.27311.mtinka@globaltransit.net>

On Wednesday 11 February 2009 03:02:41 am Keith wrote:

> The 3550 being replaced has no vtp domain name. Is it
> possible to remove the vtp domain name without deleting
> the vlan.dat file? I have looked over the TAC but see
> nothing really regarding removing a vtp domain name. Lots
> about adding one, not about removing one.

No clear way to do this, today, without deleting the 'vlan.dat' file. Wish that could be fixed.

But like you and others have said, maintaining VTP Transparent mode will ensure it stays away from VTP.

We used to "manually" clear VTP domain names, but recently found a batch of switches that had them configured. It's too much work to clear that, but we just say "no" to VTP anyway.

Cheers,

Mark.

From kwoody at citytel.net Tue Feb 10 20:05:48 2009
From: kwoody at citytel.net (Keith)
Date: Tue, 10 Feb 2009 17:05:48 -0800 (PST)
Subject: [c-nsp] VTP domain.
In-Reply-To: <200902110754.27311.mtinka@globaltransit.net>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net>
Message-ID: <20090210161624.I98205@pop.citytel.net>

On Wed, 11 Feb 2009, Mark Tinka wrote:
|->No clear way to do this, today, without deleting the
|->'vlan.dat' file. Wish that could be fixed.

Yes, not being able to delete a vtp domain name seems like something that should be able to be done from the command line, but there must be a good reason for it. I have only played with vtp in our lab rack of gear, never used it in a real network.

Looking through the archives of this list, I see some have had some bad experiences with vtp. Something I wish to avoid. I have put the switch in transparent mode so it will not send/receive vtp updates, just in case.

Thanks,
Keith

From dale.shaw+cisco-nsp at gmail.com Tue Feb 10 20:16:18 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 11 Feb 2009 12:16:18 +1100
Subject: [c-nsp] VTP domain.
In-Reply-To: <200902110754.27311.mtinka@globaltransit.net>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net>
Message-ID: <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com>

Hi,

On Wed, Feb 11, 2009 at 10:54 AM, Mark Tinka wrote:
> No clear way to do this, today, without deleting the
> 'vlan.dat' file. Wish that could be fixed.

Anyone out there sadistic enough to have tried copying out vlan.dat, nullifying the VTP domain with a hex editor, then copying it back in? I wonder if that works at all.

The VTP domain name string can be up to 32 characters. It starts at position 0xA (10) and goes through to 0x29 (41).
I suppose there's a strong possibility other parts of the file (other than the domain name string) are changed with a domain name change.

SW1(config)#vtp domain ABCDEFGHIJKLMNOPQRSTUVWXYZABCABCABCABC
Domain name is truncated to 32 characters, maximum VTP domain name length.
Changing VTP domain name from ZAZAZAZAZAZAZAZAZAZAZAZAZAZAZAZ to ABCDEFGHIJKLMNOPQRSTUVWXYZABCABC
SW1(config)#end
SW1#more /binary vlan.dat
00000000: BADB100D 00000002 03204142 43444546  :[.. .... . AB CDEF
00000010: 4748494A 4B4C4D4E 4F505152 53545556  GHIJ KLMN OPQR STUV
00000020: 5758595A 41424341 42430000 00000000  WXYZ ABCA BC.. ....
[...]

So many silly ideas, so little time..

cheers,
Dale

From kwoody at citytel.net Tue Feb 10 22:51:58 2009
From: kwoody at citytel.net (Keith)
Date: Tue, 10 Feb 2009 19:51:58 -0800 (PST)
Subject: [c-nsp] VTP domain.
In-Reply-To: <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com>
Message-ID: <20090210194714.X30335@pop.citytel.net>

On Wed, 11 Feb 2009, Dale Shaw wrote:

|->Anyone out there sadistic enough to have tried copying out vlan.dat,
|->nullifying the VTP domain with a hex editor, then copying it back in?
|->I wonder if that works at all.
A while back I took a vlan.dat file from a 24 port 3550 lab switch and moved it to a 48 port 3560 to see what would happen (and to see if it would save me time, in that I would not have to enter in the vlan info again) but the 3560 went into a continuous reboot. Had to go into boot mode and delete the vlan.dat. So much for a shortcut...

From cmadams at hiwaay.net Tue Feb 10 22:55:55 2009
From: cmadams at hiwaay.net (Chris Adams)
Date: Tue, 10 Feb 2009 21:55:55 -0600
Subject: [c-nsp] VTP domain.
In-Reply-To: <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> <3329cbb40902101716r6c75a13bmdca1acde9b687b6@mail.gmail.com>
Message-ID: <20090211035554.GC1439943@hiwaay.net>

Once upon a time, Dale Shaw said:
> The VTP domain name string can be up to 32 characters. It starts at
> position 0xA (10) and goes through to 0x29 (41). I suppose there's a
> strong possibility other parts of the file (other than the domain name
> string) are changed with a domain name change.

The byte before that is the length of the domain name, so you'd have to change that too.

I don't know if this is documented anywhere, but I figured out most of the interesting (for me anyway) contents of vlan.dat:

off  len  description
  8    1  VTP Version
  9    1  VTP Domain Name length
 10    -  VTP Domain Name (length from offset 9)
 44    4  Configuration Revision
 48    4  Last modified from this IP
 56    2  Last modified time - 2 digit year (not Y2K!)
 58    2  Last modified time - month
 60    2  Last modified time - day
 62    2  Last modified time - hour
 64    2  Last modified time - minute
 66    2  Last modified time - second
148    4  Number of existing VLANs

Starting at offset 160, there is an array of 60 byte entries for each defined VLAN (number of entries from offset 148):

off  len  description
  0    1  VLAN name length
  1    -  VLAN name (length from offset 0)
 34    1  VLAN type
 36    2  VLAN MTU
 38    2  VLAN ID
 40    2  VLAN SAID

I'm sure there's more in there that is useful, but that was enough for my home-grown config saver to store a text config in CVS instead of a binary vlan.dat.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From gert at greenie.muc.de Wed Feb 11 02:48:11 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Feb 2009 08:48:11 +0100
Subject: [c-nsp] VTP domain.
In-Reply-To: <20090210125825.D55176@pop.citytel.net>
References: <20090210102330.K55176@pop.citytel.net> <1234299378.7862.4.camel@localhost.localdomain> <20090210125825.D55176@pop.citytel.net>
Message-ID: <20090211074811.GE290@greenie.muc.de>

Hi,

On Tue, Feb 10, 2009 at 01:31:10PM -0800, Keith wrote:
> We don't use VTP here at all.

In that case: make sure you actually turn it off ("vtp mode transparent" or "vtp mode off").

gert
--
USENET is *not* the non-clickable part of WWW!              //www.muc.de/~gert/
Gert Doering - Munich, Germany                          gert at greenie.muc.de
fax: +49-89-35655025                     gert at net.informatik.tu-muenchen.de
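Chris Adams' offset table in the VTP thread above is enough to decode a vlan.dat the way his config saver did. The following is an added example written for this archive, not code from the list, from Cisco or from the format's documentation: it parses the fields he listed, builds a sample file of the same shape (constructed bytes, with the BADB100D magic taken from Dale Shaw's dump), and compares two parses for the domain change and revision jump the thread warns about. Big-endian integers, the Ethernet type value and the sample values are assumptions.

```python
"""Decode a Catalyst vlan.dat using the offsets posted by Chris Adams.

Assumptions (not from the post): integers are big-endian, which matches
the 00000002 word at offset 4 in Dale Shaw's dump; VLAN type 1 is used
for Ethernet in the constructed sample.
"""
import struct

HDR_LEN = 160        # post: VLAN entries start at offset 160
ENTRY_LEN = 60       # post: one 60-byte entry per defined VLAN
MAX_DOMAIN = 32      # post + IOS message: domain name is at most 32 chars


def parse_vlan_dat(data: bytes) -> dict:
    """Return the header fields and VLAN list; raise ValueError rather than
    guess when the file is truncated or its length bytes are implausible."""
    if len(data) < HDR_LEN:
        raise ValueError("file shorter than the 160-byte header")
    version = data[8]
    name_len = data[9]
    if name_len > MAX_DOMAIN:               # name must end before offset 44
        raise ValueError("domain name length %d is not plausible" % name_len)
    domain = data[10:10 + name_len].decode("ascii", errors="replace")
    revision, = struct.unpack_from(">I", data, 44)
    last_ip = ".".join(str(b) for b in data[48:52])
    year, month, day, hour, minute, second = struct.unpack_from(">6H", data, 56)
    n_vlans, = struct.unpack_from(">I", data, 148)
    if len(data) < HDR_LEN + n_vlans * ENTRY_LEN:
        raise ValueError("header claims %d VLANs but only %d bytes present"
                         % (n_vlans, len(data)))
    vlans = []
    for i in range(n_vlans):
        start = HDR_LEN + i * ENTRY_LEN
        e = data[start:start + ENTRY_LEN]
        vlen = e[0]
        if vlen > 32:                       # 1 + 32 name bytes stay below offset 34
            raise ValueError("VLAN entry %d has name length %d" % (i, vlen))
        mtu, vid = struct.unpack_from(">HH", e, 36)
        # The post also lists a 2-byte SAID at offset 40.  The default SAID
        # (100000 + VLAN ID) does not fit in 16 bits, so that field is not
        # decoded here rather than decoded on an uncertain layout.
        vlans.append({"name": e[1:1 + vlen].decode("ascii", errors="replace"),
                      "type": e[34], "mtu": mtu, "id": vid})
    return {"version": version, "domain": domain, "revision": revision,
            "last_modified_from": last_ip,
            "last_modified": "%02d-%02d-%02d %02d:%02d:%02d"
                             % (year, month, day, hour, minute, second),
            "vlans": vlans}


def build_sample(domain: str, revision: int, vlans) -> bytes:
    """Construct a vlan.dat-shaped buffer for testing (constructed data, not
    a capture from a switch); vlans is a list of (id, name) pairs."""
    buf = bytearray(HDR_LEN)
    buf[0:8] = bytes.fromhex("BADB100D00000002")   # leading words from Dale's dump
    buf[8] = 2                                     # VTP version 2 (constructed)
    name = domain.encode("ascii")[:MAX_DOMAIN]     # IOS truncates to 32 chars
    buf[9] = len(name)
    buf[10:10 + len(name)] = name
    struct.pack_into(">I", buf, 44, revision)
    buf[48:52] = bytes([10, 0, 0, 1])              # "last modified from" IP
    struct.pack_into(">6H", buf, 56, 9, 2, 11, 8, 30, 0)   # 2-digit year, as posted
    struct.pack_into(">I", buf, 148, len(vlans))
    for vid, vname in vlans:
        e = bytearray(ENTRY_LEN)
        n = vname.encode("ascii")
        e[0] = len(n)
        e[1:1 + len(n)] = n
        e[34] = 1                                  # assumed Ethernet type value
        struct.pack_into(">HH", e, 36, 1500, vid)
        buf += e
    return bytes(buf)


def vtp_takeover_risk(old: dict, new: dict) -> list:
    """Compare two parses of the same switch's vlan.dat and flag what the
    thread warns about: a learned/changed domain, a revision jump (highest
    revision wins), and VLANs that disappeared."""
    findings = []
    if old["domain"] != new["domain"]:
        findings.append("VTP domain changed: %r -> %r" % (old["domain"], new["domain"]))
    if new["revision"] > old["revision"] + 1:
        findings.append("revision jumped %d -> %d" % (old["revision"], new["revision"]))
    removed = {v["id"] for v in old["vlans"]} - {v["id"] for v in new["vlans"]}
    if removed:
        findings.append("VLANs no longer present: %s" % sorted(removed))
    return findings


if __name__ == "__main__":
    before = parse_vlan_dat(build_sample("ABCDEFGHIJKLMNOPQRSTUVWXYZABCABC", 7,
                                         [(1, "default"), (10, "users")]))
    after = parse_vlan_dat(build_sample("LABDOMAIN", 900, [(1, "default")]))
    print(before)
    for f in vtp_takeover_risk(before, after):
        print("WARNING:", f)
```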
From mvanton at gmail.com Wed Feb 11 02:49:48 2009
From: mvanton at gmail.com (vince anton)
Date: Wed, 11 Feb 2009 08:49:48 +0100
Subject: [c-nsp] changes in 7600 with DFC3BXL
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D72E2D6F@xmb-ams-331.emea.cisco.com>
References: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com> <78C984F8939D424697B15E4B1C1BB3D72E2D6F@xmb-ams-331.emea.cisco.com>
Message-ID: <87e0d3ae0902102349o50134258w7052fff362c7d023@mail.gmail.com>

Arie, thanks - is there any cisco document that goes into some detail about the various changes in behaviour/options between pfc and dfc, or should I open a case with TAC ?

thanks
Mark

2009/2/10 Arie Vayner (avayner)

> Anton,
>
> With regards to policing, what would happen is that each DFC would have
> its own policers, so if you have a policy applied for a VLAN which has ports
> on different modules, each module would have its own policer with the
> configured rate. This means that if you set a 10Mbps policer, but you
> have ports on 2 separate cards, each card would apply a separate 10Mbps
> policer (allowing in total a potential 20Mbps rate).
> The same, BTW, applies to aggregate policers.
>
> The only change I can remember right now with regards to Etherchannel is
> the optional capability of specifying a load balancing algorithm per
> module.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vince anton
> Sent: Tuesday, February 10, 2009 15:06
> To: cisco-nsp
> Subject: [c-nsp] changes in 7600 with DFC3BXL
>
> hey all,
>
> Quick question for you, hope you can help me.
>
> I'm working on installing the DFCs in existing 67xx cards in our 7600s:
>
> 7606 w/SUP720-3BXL
> 2 x 6748-GE-TX
> 1 x 6704
>
> I'm aware there are some differences in how the box reacts when a DFC is
> installed (the PFC will no longer need to make all the decisions, etc...).
> In particular this seems to change the behaviour for qos policers as well as
> L2 etherchannels. I'm using both of these, but I can't seem to find any
> definite documentation on CCO explaining the exact changes and perhaps any
> recommendations. Of course I need to know how the box will behave in order
> to plan for this as part of the DFC upgrade, and so far all I found was an
> FAQ at
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml
> which doesn't give so much detail, and a few items in the archives of the
> list which touched the surface but didn't dig deep.
>
> would appreciate if anyone can share any detailed info as to how qos and
> etherchannel behaviour changes in PFC vs DFCX3BXL
>
> thanks,
>
> anton

--
Thanks,
anton

From gert at greenie.muc.de Wed Feb 11 02:55:16 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Feb 2009 08:55:16 +0100
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX
In-Reply-To: <1D21D11C-D7DC-4315-9B06-EBCCC10AA563@wisc.edu>
References: <1D21D11C-D7DC-4315-9B06-EBCCC10AA563@wisc.edu>
Message-ID: <20090211075516.GF290@greenie.muc.de>

Hi,

On Tue, Feb 10, 2009 at 05:10:46PM -0600, Dale W. Carder wrote:
> - a processor faster than what shipped in my cell phone
> (perhaps you would have had an rsp720 by now on 6500 had the
> 6500/7600 customer alienation not occurred, yada yada, Gert
> takes a deep breath)

This is getting sort of a running gag, isn't it...?
:)

gert
--
USENET is *not* the non-clickable part of WWW!                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                            gert at greenie.muc.de
fax: +49-89-35655025                       gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Feb 11 03:29:11 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Feb 2009 09:29:11 +0100
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49908448.6080300@justinshore.com>
References: <49906CFE.7040407@justinshore.com> <49907FAE.4050006@justinshore.com> <49908448.6080300@justinshore.com>
Message-ID: <20090211082911.GH290@greenie.muc.de>

Hi,

this is turning religious, but still...

On Mon, Feb 09, 2009 at 01:30:16PM -0600, Justin Shore wrote:
> One thing on my to do list is to figure out how to always reject lease
> extension requests to force the CPE to pull a new IP every time a lease
> expires. This would prevent many of the less technical users from
> trying to run a publicly-accessible server.

... I think the current state of IP end-to-end connectivity is bad enough, as it goes (NAT, dynamic addressing, etc.). It would be much better to invest work to *return* to a proper Internet, where people can *reach* other people, instead of trying to break things even further.

If your business side of things is messed up (otherwise, why would you care what sort of IP application the client runs? they pay for "Internet access" not for "client access", no?) and you need to break your clients' servers, block outgoing SYNs to ports <1024...

But as I said: this is not really a technical issue, more layer 8 to 10 ("financial, political, religious").

gert
--
USENET is *not* the non-clickable part of WWW!
                                                                //www.muc.de/~gert/
Gert Doering - Munich, Germany                            gert at greenie.muc.de
fax: +49-89-35655025                       gert at net.informatik.tu-muenchen.de

From Steven.Glogger at swisscom.com Wed Feb 11 03:31:42 2009
From: Steven.Glogger at swisscom.com (Steven.Glogger at swisscom.com)
Date: Wed, 11 Feb 2009 09:31:42 +0100
Subject: [c-nsp] VTP domain.
In-Reply-To: <200902110754.27311.mtinka@globaltransit.net>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net>
Message-ID: <1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net>

VTP transparent switches DO forward vtp messages (if using version 2). see:

"VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2, transparent switches do forward VTP advertisements that they receive from other switches from their trunk interfaces."

don't forget: the VTP domain can be learned if NO domain is given - the switch takes the first domain he sees in a VTP message.

make sure that you put switches in transparent mode if you want to prevent disasters. we all know that the highest revision number in a domain wins. a client can overwrite all other switches (incl. server) if the revision number is higher and if he has the same domain name....

vtp is evil as we all know ,-)

to remove the domain name just set another one.
-steven

ps: your guide for any VTP questions:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swvtp.html

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Wednesday, February 11, 2009 12:54 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VTP domain.

On Wednesday 11 February 2009 03:02:41 am Keith wrote:

> The 3550 being replaced has no vtp domain name. Is it possible to
> remove the vtp domain name without deleting the vlan.dat file? I have
> looked over the TAC but see nothing really regarding removing a vtp
> domain name. Lots about adding one, not about removing one.

No clear way to do this, today, without deleting the 'vlan.dat' file. Wish that could be fixed.

But like you and others have said, maintaining VTP Transparent mode will ensure it stays away from VTP.

We used to "manually" clear VTP domain names, but recently found a batch of switches that had them configured. It's too much work to clear that, but we just say "no" to VTP anyway.

Cheers,

Mark.

From paul.cosgrove at heanet.ie Wed Feb 11 05:43:12 2009
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Wed, 11 Feb 2009 10:43:12 +0000
Subject: [c-nsp] VTP domain.
In-Reply-To: <1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> <1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net>
Message-ID: <4992ABC0.7050100@heanet.ie>

The behaviour regarding forwarding vtp messages is identical between transparent mode in either VTP version; if the domain name is null all VTP messages are forwarded, while if it is set only messages for that domain are forwarded. Apparently this changed sometime in the distant past but the documentation was not updated (at least it wasn't the last time I looked).
You can find more information about this here:-
http://www.groupstudy.com/archives/ccielab/200704/msg01533.html

You can see that there is also a mention there, apparently from a member of cisco TAC, that a capability to set a VTP domain name to Null had been considered but a decision was made not to implement it.

To stop any VTP messages being forwarded, if you really need to, you can use mac acls matching the destination address (0100.0ccc.cccc) and ethertype (0x2003). If on the other hand you need the VTP messages to be forwarded for multiple domains, without affecting this switch, then you may need to delete the vlan.dat, change to transparent mode and reload.

Paul.

Steven.Glogger at swisscom.com wrote:
> VTP transparent switches DO forward vtp messages (if using version 2). see:
> "VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2, transparent switches do forward VTP advertisements that they receive from other switches from their trunk interfaces."
>
> dont forget: the VTP domain can be learned if NO domain is given - the switch takes the first domain he sees in a VTP message.
>
> make sure that you put switches in transparent mode if you want to prevent disasters. we all know that the highest revision number in a domain wins. a client can overwrite all other switches (incl. server) if the revision number is highter and if he has the same domain name....
>
> vtp is evil as we all know ,-)
>
> to remove the domain name just set another one.
> > -steven > > > ps: your guide for any VTP questions: > http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swvtp.html > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka > Sent: Wednesday, February 11, 2009 12:54 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] VTP domain. > > On Wednesday 11 February 2009 03:02:41 am Keith wrote: > > >> The 3550 being replaced has no vtp domain name. Is it possible to >> remove the vtp domain name without deleting the vlan.dat file? I have >> looked over the TAC but see nothing really regarding removing a vtp >> domain name. Lots about adding one, not about removing one. >> > > No clear way to do this, today, without deleting the 'vlan.dat' file. Wish that could be fixed. > > But like you and others have said, maintaining VTP Transparent mode will ensure it stays away from VTP. > > We used to "manually" clear VTP domain names, but recently found a batch of switches that had them configured. It's too much work to clear that, but we just say "no" to VTP anyway. > > Cheers, > > Mark. 
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From avayner at cisco.com Wed Feb 11 06:22:28 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 11 Feb 2009 12:22:28 +0100
Subject: [c-nsp] changes in 7600 with DFC3BXL
In-Reply-To: <87e0d3ae0902102349o50134258w7052fff362c7d023@mail.gmail.com>
References: <87e0d3ae0902100505k55a55b0cg76f87369abe6f49f@mail.gmail.com> <78C984F8939D424697B15E4B1C1BB3D72E2D6F@xmb-ams-331.emea.cisco.com> <87e0d3ae0902102349o50134258w7052fff362c7d023@mail.gmail.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D734B502@xmb-ams-331.emea.cisco.com>

Vince,

TAC is not the right place for this... TAC is meant to deal with break and fix situations...

The best places I would look for information would be the configuration guides (just search for the word DFC inside the docs using the browser):
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/book.html

A good pointer to understand what PFC/DFC support is affecting:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/intro.html#wp1029188

Arie

From: vince anton [mailto:mvanton at gmail.com]
Sent: Wednesday, February 11, 2009 09:50
To: Arie Vayner (avayner)
Cc: cisco-nsp
Subject: Re: [c-nsp] changes in 7600 with DFC3BXL

Arie,

thanks - is there any cisco document that goes into some detail about the various changes in behaviour/options between pfc and dfc, or should I open a case with TAC ?

thanks
Mark

2009/2/10 Arie Vayner (avayner)

Anton,

With regards to policing, what would happen is that each DFC would have its own policers, so if you a policy applied for a VLAN which has ports on different module, each module would have its own policer with the configured rate.
This means that if you set a 10Mbps policer, but you have ports on 2 separate cards, each card would apply a separate 10Mbps policer (allowing in total a potential 20Mbps rate).
The same, BTW, applies to aggregate policers.

The only change I can remember right now with regards to Etherchannel is the optional capability of specifying a load balancing algorithm per module.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of vince anton
Sent: Tuesday, February 10, 2009 15:06
To: cisco-nsp
Subject: [c-nsp] changes in 7600 with DFC3BXL

hey all,

Quick question for you, hope you can help me.

I'm working on installing the DFCs in existing 67xx cards in our 7600s:

7606 w/SUP720-3BXL
2 x 6748-GE-TX
1 x 6704

I'm aware there are some differences in how the box reacts when a DFC is installed (the PFC will no longer need to make all the decisions, etc...). In particular this seems to change the behaviour for qos policers as well as L2 etherchannels. I'm using both of these, but I can't seem to find any definite documentation on CCO explaining the exact changes and perhaps any recommendations. Of course I need to know how the box will behave in order to plan for this as part of the DFC upgrade, and so far all I found was an FAQ at
http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml
which doesn't give so much detail, and a few items in the archives of the list which touched the surface but didn't dig deep.
would appreciate if anyone can share any detailed info as to how qos and etherchannel behaviour changes in PFC vs DFCX3BXL thanks, anton _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Thanks, anton From john.douglas at gmail.com Wed Feb 11 08:36:14 2009 From: john.douglas at gmail.com (john douglas) Date: Wed, 11 Feb 2009 23:36:14 +1000 Subject: [c-nsp] 7301 NPE-G1 gigabit overruns Message-ID: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com> Hi All, I am hoping someone may have some guidance. We have some 7301 NPE-G1 running 12.2(33)SRC3 connected to Catalyst 3560 switch, dot1q trunking with a few Vlans. I find on the 7301 router whenever I try to drive a given gigabit sub interface beyond about 200mbps I begin to see Input Errors (Overruns) incrementing on the physical interface and begin exhibiting packet loss. Under the show controller information I see rx_overrun and rx_int_drop incrementing - all other Rx error values under "Statistics" section are zero. On the switch I see pause input incrementing, but no errors. Cpu is 40%. I have read other postings about this being attributed to microburst of traffic but I am still a little unclear I am trying to work out 1) Does the G1 correctly support pause frames? 2) Are there any knobs we can tweak - or we simply hitting the limits of the silicon? The short term solution has been to spread the vlan sub interfaces over the 3 gig interfaces however this leaves me in a situation where I cannot really use EEM to migrate sub interface config from one gigabit interface to another should there be a failure, as the target interface will being exhibiting overruns and loss. 
Any advice appreciated,

Kind regards,

John

From vedlabs at gmail.com Wed Feb 11 08:37:37 2009
From: vedlabs at gmail.com (Ved Labs)
Date: Wed, 11 Feb 2009 19:07:37 +0530
Subject: [c-nsp] Intercos Bursting
Message-ID: <7db92dcc0902110537t7dac2dcahf9463b7e9ddc1368@mail.gmail.com>

What is intercos bursting and what purpose does it solve in QoS?

From llc at dansketelecom.com Wed Feb 11 08:47:34 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Wed, 11 Feb 2009 14:47:34 +0100
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
In-Reply-To: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com>
References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com>
Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com>

Hi John

We had the same issue a few years ago on a Cisco 7204VXR with the NPE-G1 processor. I believe we were told that we had hit the max capacity of the router.

______________________________________

Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292

Danske Telecom A/S
Sundkrogsgade 13, 4
2100 København Ø

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of john douglas
Sent: 11. februar 2009 14:36
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns

Hi All,

I am hoping someone may have some guidance.

We have some 7301 NPE-G1 running 12.2(33)SRC3 connected to Catalyst 3560 switch, dot1q trunking with a few Vlans. I find on the 7301 router whenever I try to drive a given gigabit sub interface beyond about 200mbps I begin to see Input Errors (Overruns) incrementing on the physical interface and begin exhibiting packet loss. Under the show controller information I see rx_overrun and rx_int_drop incrementing - all other Rx error values under "Statistics" section are zero. On the switch I see pause input incrementing, but no errors. Cpu is 40%.
I have read other postings about this being attributed to microburst of traffic but I am still a little unclear. I am trying to work out:

1) Does the G1 correctly support pause frames?

2) Are there any knobs we can tweak - or are we simply hitting the limits of the silicon?

The short term solution has been to spread the vlan sub interfaces over the 3 gig interfaces however this leaves me in a situation where I cannot really use EEM to migrate sub interface config from one gigabit interface to another should there be a failure, as the target interface will be exhibiting overruns and loss.

Any advice appreciated,

Kind regards,

John
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Wed Feb 11 08:51:19 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 11 Feb 2009 08:51:19 -0500
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
In-Reply-To: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com>
References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com>
Message-ID: <20090211135119.GJ18683@rtp-cse-489.cisco.com>

Whenever you reference load it's always best to specify both bps and pps because it's the pps that drives the switching capacity of the box to its limits the fastest. It has to do the work on every packet. It's software forwarding only. You would be better off with an ASR1000.

I forget the PAUSE frame scenario with it.

Rodney

On Wed, Feb 11, 2009 at 11:36:14PM +1000, john douglas wrote:
> Hi All,
>
> I am hoping someone may have some guidance.
>
> We have some 7301 NPE-G1 running 12.2(33)SRC3 connected to Catalyst
> 3560 switch, dot1q trunking with a few Vlans.
I find on the 7301 > router whenever I try to drive a given gigabit sub interface beyond > about 200mbps I begin to see Input Errors (Overruns) incrementing on > the physical interface and begin exhibiting packet loss. Under the > show controller information I see rx_overrun and rx_int_drop > incrementing - all other Rx error values under "Statistics" section > are zero. On the switch I see pause input incrementing, but no errors. > Cpu is 40%. > > I have read other postings about this being attributed to microburst > of traffic but I am still a little unclear I am trying to work out > > 1) Does the G1 correctly support pause frames? > > 2) Are there any knobs we can tweak - or we simply hitting the limits > of the silicon? > > The short term solution has been to spread the vlan sub interfaces > over the 3 gig interfaces however this leaves me in a situation where > I cannot really use EEM to migrate sub interface config from one > gigabit interface to another should there be a failure, as the target > interface will being exhibiting overruns and loss. > > Any advice appreciated, > > Kind regards, > > John > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From maillist at webjogger.net Wed Feb 11 08:58:30 2009 From: maillist at webjogger.net (Adam Greene) Date: Wed, 11 Feb 2009 08:58:30 -0500 Subject: [c-nsp] Sprint & AT&T BGP multihoming References: <49920334.6040306@chrisserafin.com> Message-ID: Had a good experience multihoming to AT&T, including fixing an issue with balancing traffic between the two providers, which we solved through advertisement of community strings. The engineer I spoke with was extremely knowledgable. This was already a few years ago, though ... 
----- Original Message ----- From: "ChrisSerafin" To: Sent: Tuesday, February 10, 2009 5:44 PM Subject: [c-nsp] Sprint & AT&T BGP multihoming >I am planning on multi-homing a client's Internet connection for >redundancy, and wanted to know if anyone is doing this with Sprint and/or >AT&T and has any pointers or 'gotchas' they have run into. > > I'm still months out from doing this and will most likely want to KEEP the > existing subnets that they gave us (a /23 and /24), without the need for > rebuilding a bunch or VPNs, re-IP'ing externally facing devices, and DNS > changes for externally available web presence. > > Ideas? Comments? Concerns? Flames? > > Thanks, > > Chris Serafin > chris at chrisserafin.com > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From maillist at webjogger.net Wed Feb 11 09:04:54 2009 From: maillist at webjogger.net (Adam Greene) Date: Wed, 11 Feb 2009 09:04:54 -0500 Subject: [c-nsp] VTP domain. References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net><1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net> <4992ABC0.7050100@heanet.ie> Message-ID: <76EDD0CB80234F5CB478CC01858AC161@GINKGO> In light of all the disasters that can happen with VTP, do people in general think it's worth the risk of deploying? We're getting pretty tired of adding / removing VLANs manually throughout various parts of our network, and find that it is prone to sloppiness (i.e. vlans being left on links where they don't belong). Not sure which is the greater evil .... ----- Original Message ----- From: "Paul Cosgrove" To: Cc: Sent: Wednesday, February 11, 2009 5:43 AM Subject: Re: [c-nsp] VTP domain. 
> The behaviour regarding forwarding vtp messages is identical between > transparent mode in either VTP versions; if the domain name is null all > VTP messages are forwarded, while if it is set only messages for that > domain are forwarded. Apparently this changed sometime in the distant past > but the documentation was not updated (at least it wasn't the last time I > looked). You can find more information about this here:- > http://www.groupstudy.com/archives/ccielab/200704/msg01533.html > > You can see that there is also a mention there, apparently from a member > of cisco TAC, that a capability to set a VTP domain name to Null had been > considered but a decision was made not to implement it. > > To stop any VTP messages being forwarded, if you really need to, you can > use mac acls matching the destination address(0100.0ccc.cccc) and > ethertype (0x2003). If on the other hand you need the VTP messages to be > forwarded for multiple domains, without affecting this switch, then you > may need to delete the vlan.dat, change to transparent mode and reload. > > Paul. > > Steven.Glogger at swisscom.com wrote: >> VTP transparent switches DO forward vtp messages (if using version 2). >> see: >> "VTP transparent switches do not participate in VTP. A VTP transparent >> switch does not advertise its VLAN configuration and does not synchronize >> its VLAN configuration based on received advertisements. However, in VTP >> version 2, transparent switches do forward VTP advertisements that they >> receive from other switches from their trunk interfaces. " >> >> dont forget: the VTP domain can be learned if NO domain is given - the >> switch takes the first domain he sees in a VTP message. >> >> make sure that you put switches in transparent mode if you want to >> prevent disasters. we all know that the highest revision number in a >> domain wins. a client can overwrite all other switches (incl. 
server) if >> the revision number is highter and if he has the same domain name.... >> vtp is evil as we all know ,-) >> >> to remove the domain name just set another one. >> -steven >> >> >> ps: your guide for any VTP questions: >> http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swvtp.html >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka >> Sent: Wednesday, February 11, 2009 12:54 AM >> To: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] VTP domain. >> >> On Wednesday 11 February 2009 03:02:41 am Keith wrote: >> >> >>> The 3550 being replaced has no vtp domain name. Is it possible to remove >>> the vtp domain name without deleting the vlan.dat file? I have looked >>> over the TAC but see nothing really regarding removing a vtp domain >>> name. Lots about adding one, not about removing one. >>> >> >> No clear way to do this, today, without deleting the 'vlan.dat' file. >> Wish that could be fixed. >> >> But like you and others have said, maintaining VTP Transparent mode will >> ensure it stays away from VTP. >> >> We used to "manually" clear VTP domain names, but recently found a batch >> of switches that had them configured. It's too much work to clear that, >> but we just say "no" to VTP anyway. >> >> Cheers, >> >> Mark. 
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From almidoster at gmail.com Wed Feb 11 09:20:40 2009
From: almidoster at gmail.com (almidoster at gmail.com)
Date: Wed, 11 Feb 2009 09:20:40 -0500
Subject: [c-nsp] Dynamic Vlan with 3750
Message-ID:

Hi list,

I have one switch 3750 and five 3560 switches in my LAN, the central switch is 3750. I have an access point DLINK in a permanent place, I have configured Wireless to use another vlan, but I have some access points that we have to move their position into the building. I want to deploy dynamic vlan, is it possible to deploy with these models? I heard that I would have to buy a 6500.

Regards

From rodunn at cisco.com Wed Feb 11 09:24:11 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 11 Feb 2009 09:24:11 -0500
Subject: [c-nsp] Frame-relay to MLPPP traffic shaping and QoS?
In-Reply-To: <001401c98b9e$225b9250$371e0a0a@bonestroo.com>
References: <001401c98b9e$225b9250$371e0a0a@bonestroo.com>
Message-ID: <20090211142411.GM18683@rtp-cse-489.cisco.com>

This is a common question when the SP QOS isn't being used.

Your only option is to use what we call hierarchical shaping at the hub to create a "fake" congestion point there to do the QOS before it's sent to the cloud.

It looks like this sorta:

policy-map spokeqos
 class spoke1
  policy-map spoke1
 class spoke2
  policy-map spoke2
 ...

Then you define a class for each spoke to match on its ip subnet:

class-map match-any spoke1
 match ip address 101

access-list 101 permit ip any ...

Then for your spoke QOS policy you shape it down and do the QOS for the traffic.
On Tue, Feb 10, 2009 at 10:39:23AM -0600, Dave Edmondson wrote:

ie:

class-map match-all data
 match ip precedence 4
class-map match-any spoke2
 match access-group 102
class-map match-any spoke1
 match access-group 101
class-map match-all voice
 match ip precedence 5
!
!
policy-map spokecbwfq
 class voice
  priority 200
 class data
  bandwidth 200
policy-map spokeqos
 class spoke1
  shape average 3000000
  service-policy spokecbwfq
 class spoke2
  shape average 3000000
  service-policy spokecbwfq
...

R2_#sh policy-map int e0/0
 Ethernet0/0

  Service-policy output: spokeqos

    Class-map: spoke1 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 101
        0 packets, 0 bytes
        5 minute rate 0 bps
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          3000000/3000000   18750  75000     75000     25        9375

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         0         0         0         0         no

      Service-policy : spokecbwfq

        Class-map: voice (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 5
          Queueing
            Strict Priority
            Output Queue: Conversation 136
            Bandwidth 200 (kbps) Burst 5000 (Bytes)
            (pkts matched/bytes matched) 0/0
            (total drops/bytes drops) 0/0

        Class-map: data (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 4
          Queueing
            Output Queue: Conversation 137
            Bandwidth 200 (kbps)Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
            (depth/total drops/no-buffer drops) 0/0/0

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: spoke2 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 102
        0 packets, 0 bytes
        5 minute rate 0 bps
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          3000000/3000000   18750  75000     75000     25        9375

        Adapt  Queue     Packets   Bytes
        Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         0         0         0         0         no

      Service-policy : spokecbwfq

        Class-map: voice (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 5
          Queueing
            Strict Priority
            Output Queue: Conversation 136
            Bandwidth 200 (kbps) Burst 5000 (Bytes)
            (pkts matched/bytes matched) 0/0
            (total drops/bytes drops) 0/0

        Class-map: data (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 4
          Queueing
            Output Queue: Conversation 137
            Bandwidth 200 (kbps)Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
            (depth/total drops/no-buffer drops) 0/0/0

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      37 packets, 3872 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

... the problem though is I can't remember if we could support a two level shaper such that you could do shaping at the top parent level to control burst above the 12Mbps limit.

Rodney

> Hello all,
>
> I have inherited a network used for data, VoIP, and video conferencing. The
> central site has a DS3 with a 12 mbps frame-relay interface into a
> Juniper-based MPLS and a 12 mbps frame-relay interface to the Internet.
>
> The remote sites on the MPLS network have 2XT1 MLPPP interfaces, with all
> Internet access via the central site. My central site has a Cisco 3845
> (12.4(3f)) with an NM1-T3/E3 card, the remotes all have Cisco 1841
> (12.3(10.3)T2).
>
> We do video conferences between sites on the MPLS and FTP is used to move
> multi-gigabyte files from the central site to the remote sites and from
> remote site to remote site. Email servers are all at the main site. We are
> moving toward central storage as well, so some backups are done from remote
> sites to the central site. And they want to provide streaming media for
> training...
>
> We are not doing any BGP or OSPF, just static routes.
> Each site has a /16 assigned.
>
>                 3 meg MLPPP 1841, 10.20.X.X
>                            |
>                            |
>
> 3 meg MLPPP 1841, 10.20.X.X--- MPLS ---3 meg MLPPP 1841, 10.30.X.X
>
>                            |
>                            |
>           DS3 w/12 meg frame relay PVC to 3845, 10.10.X.X
>
> My challenge:
>
> 1) Shape traffic or rate limit to 3 megs from the central site to each of
> the remote sites so I don't overrun the remote site bandwidth.
>
> 2) Apply QoS to traffic destined for each specific remote originating from
> the central site, rate-limiting some protocols (like FTP).
>
> I am familiar with QoS configs on MLPPP bundles in Cisco, but I know nothing
> about traffic shaping and QoS on frame relay interfaces. If ignorance is
> bliss, I've been pretty happy until now....
>
> Suggestions?
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From achatz at forthnet.gr Wed Feb 11 09:26:07 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 11 Feb 2009 16:26:07 +0200
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
In-Reply-To: <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com>
References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com>
Message-ID: <4992DFFF.9070508@forthnet.gr>

We had a similar case with microbursts and lots of small packets and after moving to NPE-G2, we're very happy with it.
Traffic goes up, CPU is blocked at 75%, still no sign of drops.

Regarding the pause frames, i'm too very confused about them being supported.
http://markmail.org/message/y7bjuudmbrfofp6z

--
Tassos

Lars Lystrup Christensen wrote on 11/02/2009 15:47:
> Hi John
>
> We had the same issue a few years ago on a Cisco 7204VXR with the NPE-G1 processor. I believe we were told, that we had hit the max capacity of the router.
>
> ______________________________________
>
> Med venlig hilsen / Kind regards
>
> Lars Lystrup Christensen
> Director of Engineering, CCIE(tm) #20292
>
> Danske Telecom A/S
> Sundkrogsgade 13, 4
> 2100 København Ø
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of john douglas
> Sent: 11 February 2009 14:36
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
>
> Hi All,
>
> I am hoping someone may have some guidance.
>
> We have some 7301 NPE-G1 running 12.2(33)SRC3 connected to Catalyst 3560 switch, dot1q trunking with a few Vlans. I find on the 7301 router whenever I try to drive a given gigabit sub interface beyond about 200mbps I begin to see Input Errors (Overruns) incrementing on the physical interface and begin exhibiting packet loss. Under the show controller information I see rx_overrun and rx_int_drop incrementing - all other Rx error values under "Statistics" section are zero. On the switch I see pause input incrementing, but no errors. Cpu is 40%.
>
> I have read other postings about this being attributed to microburst of traffic but I am still a little unclear. I am trying to work out:
>
> 1) Does the G1 correctly support pause frames?
>
> 2) Are there any knobs we can tweak - or are we simply hitting the limits of the silicon?
>
> The short term solution has been to spread the vlan sub interfaces over the 3 gig interfaces however this leaves me in a situation where I cannot really use EEM to migrate sub interface config from one gigabit interface to another should there be a failure, as the target interface will begin exhibiting overruns and loss.
>
> Any advice appreciated,
>
> Kind regards,
>
> John

From rodunn at cisco.com Wed Feb 11 09:47:54 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 11 Feb 2009 09:47:54 -0500
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
In-Reply-To: <4992DFFF.9070508@forthnet.gr>
References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com> <4992DFFF.9070508@forthnet.gr>
Message-ID: <20090211144754.GP18683@rtp-cse-489.cisco.com>

On Wed, Feb 11, 2009 at 04:26:07PM +0200, Tassos Chatzithomaoglou wrote:
> We had a similar case with microbursts and lots of small packets and after moving to NPE-G2, we're very happy with it.
> Traffic goes up, CPU is blocked at 75%, still no sign of drops.

Good to know. It all depends on the load. The direction forward is hw based forwarding for gige line rate traffic (ASR1000, 76xx, etc..)

> Regarding the pause frames, I'm too very confused about them being supported.
> http://markmail.org/message/y7bjuudmbrfofp6z

I've done some research and there appears to be some issues on how the MAC chip can account for the pause frames sent/received although it does appear to support flow control. But my *opinion* on that is flow control is a wasted effort because you can't quantify the burst and therefore you just buffer on the other side and risk drops there.

Rodney

> --
> Tassos
>
> Lars Lystrup Christensen wrote on 11/02/2009 15:47:
> > Hi John
> >
> > We had the same issue a few years ago on a Cisco 7204VXR with the NPE-G1 processor.
> > I believe we were told that we had hit the max capacity of the router.
> >
> > ______________________________________
> >
> > Med venlig hilsen / Kind regards
> >
> > Lars Lystrup Christensen
> > Director of Engineering, CCIE(tm) #20292
> >
> > Danske Telecom A/S
> > Sundkrogsgade 13, 4
> > 2100 København Ø
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of john douglas
> > Sent: 11 February 2009 14:36
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
> >
> > Hi All,
> >
> > I am hoping someone may have some guidance.
> >
> > We have some 7301 NPE-G1 running 12.2(33)SRC3 connected to Catalyst 3560 switch, dot1q trunking with a few Vlans. I find on the 7301 router whenever I try to drive a given gigabit sub interface beyond about 200mbps I begin to see Input Errors (Overruns) incrementing on the physical interface and begin exhibiting packet loss. Under the show controller information I see rx_overrun and rx_int_drop incrementing - all other Rx error values under "Statistics" section are zero. On the switch I see pause input incrementing, but no errors. Cpu is 40%.
> >
> > I have read other postings about this being attributed to microburst of traffic but I am still a little unclear. I am trying to work out:
> >
> > 1) Does the G1 correctly support pause frames?
> >
> > 2) Are there any knobs we can tweak - or are we simply hitting the limits of the silicon?
> >
> > The short term solution has been to spread the vlan sub interfaces over the 3 gig interfaces however this leaves me in a situation where I cannot really use EEM to migrate sub interface config from one gigabit interface to another should there be a failure, as the target interface will begin exhibiting overruns and loss.
> >
> > Any advice appreciated,
> >
> > Kind regards,
> >
> > John

From kratzers at ctinetworks.com Wed Feb 11 10:05:39 2009
From: kratzers at ctinetworks.com (Stephen Kratzer)
Date: Wed, 11 Feb 2009 10:05:39 -0500
Subject: [c-nsp] Sprint & AT&T BGP multihoming
References: <49920334.6040306@chrisserafin.com>
Message-ID: <200902111005.39980.kratzers@ctinetworks.com>

Deleted the original post, so I'll reply to this leaf...

ATT is fine. Make sure that Sprint, at that particular location, has multiple transit providers. We are multihomed at one location with Embarq and Level3. As it turns out, Embarq's sole transit provider at that location IS Level3 making the Embarq connection all but useless as far as diverse, load-balanced routing is concerned.

Stephen Kratzer
Network Engineer
CTI Networks, Inc.

On Wednesday 11 February 2009 08:58:30 Adam Greene wrote:
> Had a good experience multihoming to AT&T, including fixing an issue with balancing traffic between the two providers, which we solved through advertisement of community strings. The engineer I spoke with was extremely knowledgeable.
>
> This was already a few years ago, though ...
>
> ----- Original Message -----
> From: "ChrisSerafin"
> To:
> Sent: Tuesday, February 10, 2009 5:44 PM
> Subject: [c-nsp] Sprint & AT&T BGP multihoming
>
> > I am planning on multi-homing a client's Internet connection for redundancy, and wanted to know if anyone is doing this with Sprint and/or AT&T and has any pointers or 'gotchas' they have run into.
> >
> > I'm still months out from doing this and will most likely want to KEEP the existing subnets that they gave us (a /23 and /24), without the need for rebuilding a bunch of VPNs, re-IP'ing externally facing devices, and DNS changes for externally available web presence.
> >
> > Ideas? Comments? Concerns? Flames?
> >
> > Thanks,
> >
> > Chris Serafin
> > chris at chrisserafin.com

From peter at rathlev.dk Wed Feb 11 10:27:01 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 11 Feb 2009 16:27:01 +0100
Subject: [c-nsp] VTP domain.
In-Reply-To: <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
References: <20090210102330.K55176@pop.citytel.net> <200902110754.27311.mtinka@globaltransit.net> <1FC8A0BAFBBD9749BB1F06010D23C8A552FFE7E0@sg000035.corproot.net> <4992ABC0.7050100@heanet.ie> <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
Message-ID: <1234366021.14934.3.camel@localhost.localdomain>

On Wed, 2009-02-11 at 09:04 -0500, Adam Greene wrote:
> In light of all the disasters that can happen with VTP, do people in general think it's worth the risk of deploying?
>
> We're getting pretty tired of adding / removing VLANs manually throughout various parts of our network, and find that it is prone to sloppiness (i.e. vlans being left on links where they don't belong).
>
> Not sure which is the greater evil ....

VTP is the greater evil, no question in my eyes.

We roll out configurations with a bash-script using SNMP and netConfigSet, and pushing it to many switches is no problem this way. We have scripts comparing running configurations with expected parameters for various things, so we know where we have mis-configurations. (Getting around to fixing it is another matter.)

So if the network is large enough for chores like this to be tedious you probably have/want a general configuration tool anyway.

Regards,
Peter

From antonio.soares at convex.pt Wed Feb 11 10:36:16 2009
From: antonio.soares at convex.pt (Antonio M. Soares)
Date: Wed, 11 Feb 2009 15:36:16 -0000
Subject: [c-nsp] BGP MSS=576 bytes

Hello group,

I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:

++++++++++++++++++++++++++
6500>sh ip bgp neighbors x.x.x.x

...

Datagrams (max data segment is 536 bytes):

Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052

Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215

6500>
++++++++++++++++++++++++++

The documentation says that PMTUD is enabled by default so this should not be happening:

++++++++++++++++++++++++++
BGP Neighbor Session TCP PMTUD

TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions.
To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
++++++++++++++++++++++++++

I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:

++++++++++++++++++++++++++
6500>sh int tenGigabitEthernet x/x | inc MTU
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
6500>
6500>
6500>sh ip int tenGigabitEthernet x/x | inc MTU
MTU is 1500 bytes
6500>
++++++++++++++++++++++++++

Any explanation to this strange behavior ?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From skoal at skoal.name Wed Feb 11 10:46:17 2009
From: skoal at skoal.name (Gergely Antal)
Date: Wed, 11 Feb 2009 16:46:17 +0100
Subject: [c-nsp] BGP MSS=576 bytes
Message-ID: <4992F2C9.2000009@skoal.name>

is "ip mtu 1500" set on the interfaces?

Antonio M. Soares wrote:
> Hello group,
>
> I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:
>
> ++++++++++++++++++++++++++
> 6500>sh ip bgp neighbors x.x.x.x
>
> ...
>
> Datagrams (max data segment is 536 bytes):
>
> Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
>
> Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
>
> 6500>
> ++++++++++++++++++++++++++
>
> The documentation says that PMTUD is enabled by default so this should not be happening:
>
> ++++++++++++++++++++++++++
> BGP Neighbor Session TCP PMTUD
>
> TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions. To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
> ++++++++++++++++++++++++++
>
> I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:
>
> ++++++++++++++++++++++++++
> 6500>sh int tenGigabitEthernet x/x | inc MTU
> MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
> 6500>
> 6500>
> 6500>sh ip int tenGigabitEthernet x/x | inc MTU
> MTU is 1500 bytes
> 6500>
> ++++++++++++++++++++++++++
>
> Any explanation to this strange behavior ?
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
From jared at puck.nether.net Wed Feb 11 10:49:22 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 11 Feb 2009 10:49:22 -0500
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <4992F2C9.2000009@skoal.name>
References: <4992F2C9.2000009@skoal.name>
Message-ID: <20090211154922.GA17422@puck.nether.net>

You want to enable 'ip tcp path-mtu-discovery' globally. This will allow it to scale outside the default 536, and if you are using jumbo mtu, may cause significantly reduced convergence times since it takes fewer packets to send those bgp updates.

- Jared

On Wed, Feb 11, 2009 at 04:46:17PM +0100, Gergely Antal wrote:
> is "ip mtu 1500" set on the interfaces?
>
> Antonio M. Soares wrote:
> > Hello group,
> >
> > I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:
> >
> > ++++++++++++++++++++++++++
> > 6500>sh ip bgp neighbors x.x.x.x
> >
> > ...
> >
> > Datagrams (max data segment is 536 bytes):
> >
> > Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
> >
> > Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
> >
> > 6500>
> > ++++++++++++++++++++++++++
> >
> > The documentation says that PMTUD is enabled by default so this should not be happening:
> >
> > ++++++++++++++++++++++++++
> > BGP Neighbor Session TCP PMTUD
> >
> > TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions. To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
> > ++++++++++++++++++++++++++
> >
> > I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:
> >
> > ++++++++++++++++++++++++++
> > 6500>sh int tenGigabitEthernet x/x | inc MTU
> > MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
> > 6500>
> > 6500>
> > 6500>sh ip int tenGigabitEthernet x/x | inc MTU
> > MTU is 1500 bytes
> > 6500>
> > ++++++++++++++++++++++++++
> >
> > Any explanation to this strange behavior ?
> >
> > Thanks.
> >
> > Regards,
> >
> > Antonio Soares, CCIE #18473 (R&S)
> > amsoares at netcabo.pt

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
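An added example, not posted by anyone in this thread: a small Python checker that reads `show ip bgp neighbors` output (a constructed sample is embedded; the addresses and counters are made up) and flags sessions whose negotiated MSS is below what the path MTU allows, which is how the 536-byte default Antonio reports shows up across many peers at once. It assumes IPv4 with no IP or TCP options, so MSS = MTU - 40.

```python
import re

# Constructed sample of 'show ip bgp neighbors' output (not real router
# output): peer 192.0.2.1 is stuck at the 536-byte default MSS, peer
# 192.0.2.9 negotiated the MSS a 1500-byte path MTU allows.
SAMPLE_OUTPUT = """\
BGP neighbor is 192.0.2.1,  remote AS 64496, external link
  BGP state = Established, up for 3d02h
  Datagrams (max data segment is 536 bytes):
  Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
  Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
BGP neighbor is 192.0.2.9,  remote AS 64497, external link
  BGP state = Established, up for 1d11h
  Datagrams (max data segment is 1460 bytes):
  Rcvd: 1200 (out of order: 0), with data: 900, total data bytes: 48000
  Sent: 1100 (retransmit: 0), with data: 800, total data bytes: 41000
"""

DEFAULT_MSS = 536       # what IOS falls back to (576 - 40) when PMTUD is not in effect
IP_TCP_HEADERS = 40     # IPv4 header (20) + TCP header (20), no options assumed

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+),")
MSS_RE = re.compile(r"max data segment is (\d+) bytes")
RETRANS_RE = re.compile(r"^Sent: \d+ \(retransmit: (\d+)\)")


def expected_mss(path_mtu):
    """MSS a session can use once PMTUD has learned path_mtu (IPv4, no options)."""
    return path_mtu - IP_TCP_HEADERS


def parse_bgp_sessions(text):
    """Map each neighbor address to its negotiated MSS and TCP retransmit count."""
    sessions = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NEIGHBOR_RE.match(line)
        if m:
            current = m.group(1)
            sessions[current] = {"mss": None, "retransmits": 0}
            continue
        if current is None:
            continue
        m = MSS_RE.search(line)
        if m:
            sessions[current]["mss"] = int(m.group(1))
        m = RETRANS_RE.match(line)
        if m:
            sessions[current]["retransmits"] = int(m.group(1))
    return sessions


def undersized_sessions(sessions, path_mtu=1500):
    """Return (neighbor, actual_mss, expected_mss) for each session whose MSS is
    below what path_mtu allows. A value of 536 usually means PMTUD never took
    effect: not enabled, or ICMP 'fragmentation needed' filtered on the path."""
    want = expected_mss(path_mtu)
    findings = []
    for neighbor, info in sessions.items():
        if info["mss"] is not None and info["mss"] < want:
            findings.append((neighbor, info["mss"], want))
    return findings


if __name__ == "__main__":
    for neighbor, mss, want in undersized_sessions(parse_bgp_sessions(SAMPLE_OUTPUT)):
        tag = "default MSS" if mss == DEFAULT_MSS else "reduced MSS"
        print(f"{neighbor}: {tag} {mss} bytes, path MTU 1500 would allow {want}")
```

Run it against the saved output of a real `show ip bgp neighbors` to list the peers that would benefit from `ip tcp path-mtu-discovery`; the retransmit count is parsed alongside because a high value on a 536-byte session is the other symptom worth watching.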
From cchurc05 at harris.com Wed Feb 11 10:50:27 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 11 Feb 2009 09:50:27 -0600
Subject: [c-nsp] BGP MSS=576 bytes

Is "ip tcp path-mtu-discovery" in the global config?

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio M. Soares
Sent: Wednesday, February 11, 2009 10:36 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP MSS=576 bytes

Hello group,

I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:

++++++++++++++++++++++++++
6500>sh ip bgp neighbors x.x.x.x

...

Datagrams (max data segment is 536 bytes):

Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052

Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215

6500>
++++++++++++++++++++++++++

The documentation says that PMTUD is enabled by default so this should not be happening:

++++++++++++++++++++++++++
BGP Neighbor Session TCP PMTUD

TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions. To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
++++++++++++++++++++++++++

I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:

++++++++++++++++++++++++++
6500>sh int tenGigabitEthernet x/x | inc MTU
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
6500>
6500>
6500>sh ip int tenGigabitEthernet x/x | inc MTU
MTU is 1500 bytes
6500>
++++++++++++++++++++++++++

Any explanation to this strange behavior ?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From paul.cosgrove at heanet.ie Wed Feb 11 10:51:08 2009
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Wed, 11 Feb 2009 15:51:08 +0000
Subject: [c-nsp] BGP MSS=576 bytes
Message-ID: <4992F3EC.9000207@heanet.ie>

TCP sessions normally use 536 if they are established between IPs which are not directly connected. You may see the same on MSDP peerings.

Enabling Path MTU Discovery allows the actual end to end MSS to be determined, provided the ICMP type 3 code 4 messages are not blocked along the way.

Paul.

Antonio M. Soares wrote:
> Hello group,
>
> I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:
>
> ++++++++++++++++++++++++++
> 6500>sh ip bgp neighbors x.x.x.x
>
> ...
>
> Datagrams (max data segment is 536 bytes):
>
> Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
>
> Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
>
> 6500>
> ++++++++++++++++++++++++++
>
> The documentation says that PMTUD is enabled by default so this should not be happening:
>
> ++++++++++++++++++++++++++
> BGP Neighbor Session TCP PMTUD
>
> TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions. To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
> ++++++++++++++++++++++++++
>
> I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:
>
> ++++++++++++++++++++++++++
> 6500>sh int tenGigabitEthernet x/x | inc MTU
> MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
> 6500>
> 6500>
> 6500>sh ip int tenGigabitEthernet x/x | inc MTU
> MTU is 1500 bytes
> 6500>
> ++++++++++++++++++++++++++
>
> Any explanation to this strange behavior ?
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt

From schilling2006 at gmail.com Wed Feb 11 11:24:43 2009
From: schilling2006 at gmail.com (schilling)
Date: Wed, 11 Feb 2009 11:24:43 -0500
Subject: [c-nsp] Cisco Hard Copy Configuration Guides and Command References

How to obtain Cisco Hard Copy materials? For example Cisco IOS 12.4 mainline. I read some old emails in this mailing list, somebody said smartnet will qualify the printed materials. Our account manager was saying that hard copy materials only come with new purchase. Is it still possible to get printed materials from Cisco with no charge given that we have a lot of cisco equipment and smartnet?

Thanks.

Schilling

From leonardo.souza at nec.com.br Wed Feb 11 11:09:28 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 11 Feb 2009 14:09:28 -0200
Subject: [c-nsp] RES: BGP MSS=576 bytes
In-Reply-To: <20090211154922.GA17422@puck.nether.net>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br>

Wasn't it supposed to be enabled by default for all BGP neighbors?
I think that's the point...

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
Sent: Wednesday, 11 February 2009 13:49
To: Gergely Antal
Cc: Antonio M. Soares; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP MSS=576 bytes

You want to enable 'ip tcp path-mtu-discovery' globally. This will allow it to scale outside the default 536, and if you are using jumbo mtu, may cause significantly reduced convergence times since it takes fewer packets to send those bgp updates.
- Jared

On Wed, Feb 11, 2009 at 04:46:17PM +0100, Gergely Antal wrote:
> is "ip mtu 1500" set on the interfaces?
>
> Antonio M. Soares wrote:
> > Hello group,
> >
> > I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:
> >
> > ++++++++++++++++++++++++++
> > 6500>sh ip bgp neighbors x.x.x.x
> >
> > ...
> >
> > Datagrams (max data segment is 536 bytes):
> >
> > Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
> >
> > Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
> >
> > 6500>
> > ++++++++++++++++++++++++++
> >
> > The documentation says that PMTUD is enabled by default so this should not be happening:
> >
> > ++++++++++++++++++++++++++
> > BGP Neighbor Session TCP PMTUD
> >
> > TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions. To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
> > ++++++++++++++++++++++++++
> >
> > I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:
> >
> > ++++++++++++++++++++++++++
> > 6500>sh int tenGigabitEthernet x/x | inc MTU
> > MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
> > 6500>
> > 6500>
> > 6500>sh ip int tenGigabitEthernet x/x | inc MTU
> > MTU is 1500 bytes
> > 6500>
> > ++++++++++++++++++++++++++
> >
> > Any explanation to this strange behavior ?
> >
> > Thanks.
> >
> > Regards,
> >
> > Antonio Soares, CCIE #18473 (R&S)
> > amsoares at netcabo.pt

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From tvarriale at comcast.net Wed Feb 11 12:03:37 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 11 Feb 2009 11:03:37 -0600
Subject: [c-nsp] RES: BGP MSS=576 bytes
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br>
Message-ID: <519F7C23AF574961827919376015128E@flamdt01>

I always enable this command (as well as a couple others) explicitly when doing BGP. I'm looking at a 6500 with SHX1 right now and the command is in there...as in not default. I also show all peers with a MSS of 1440 (2 internal, 2 external/ISP).
tv

----- Original Message -----
From: "Leonardo Gama Souza"
To: "cisco-nsp"
Sent: Wednesday, February 11, 2009 10:09 AM
Subject: [c-nsp] RES: BGP MSS=576 bytes

> Wasn't it supposed to be enabled by default for all BGP neighbors?
> I think that's the point...
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
> Sent: Wednesday, 11 February 2009 13:49
> To: Gergely Antal
> Cc: Antonio M. Soares; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP MSS=576 bytes
>
> You want to enable
>
> 'ip tcp path-mtu-discovery'
>
> globally. This will allow it to scale outside the default 536, and
> if you are using jumbo mtu, may cause significantly reduced convergence
> times since it takes fewer packets to send those bgp updates.
>
> - Jared
>
> On Wed, Feb 11, 2009 at 04:46:17PM +0100, Gergely Antal wrote:
>> is "ip mtu 1500" set on the interfaces?
>>
>> Antonio M. Soares wrote:
>> > Hello group,
>> >
>> > I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of
>> > the BGP sessions have negotiated a MSS of 536 bytes. Here's an
>> > example:
>> >
>> > ++++++++++++++++++++++++++
>> > 6500>sh ip bgp neighbors x.x.x.x
>> >
>> > ...
>> >
>> > Datagrams (max data segment is 536 bytes):
>> >
>> > Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
>> >
>> > Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
>> >
>> > 6500>
>> > ++++++++++++++++++++++++++
>> >
>> > The documentation says that PMTUD is enabled by default so this
>> > should not be happening:
>> >
>> > ++++++++++++++++++++++++++
>> > BGP Neighbor Session TCP PMTUD
>> >
>> > TCP path MTU discovery is enabled by default for all BGP neighbor
>> > sessions, but there are situations when you may want to disable
>> > TCP path MTU discovery for one or all BGP neighbor sessions. While
>> > PMTUD works well for larger transmission links (for example,
>> > Packet over Sonet links), a badly configured TCP implementation or a
>> > firewall may slow or stop the TCP connections from forwarding
>> > any packets. In this type of situation, you may need to disable TCP
>> > path MTU discovery. In Cisco IOS Release 12.2(33)SRA,
>> > 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and
>> > later releases, configuration options were introduced to permit
>> > TCP path MTU discovery to be disabled, or subsequently reenabled,
>> > either for a single BGP neighbor session or for all BGP sessions.
>> > To disable the TCP path MTU discovery globally for all BGP
>> > neighbors, use the no bgp transport path-mtu-discovery command under
>> > router configuration mode. To disable the TCP path MTU discovery for
>> > a single neighbor, use the no neighbor transport
>> > path-mtu-discovery command under router or address family
>> > configuration modes.
>> > ++++++++++++++++++++++++++
>> >
>> > I have for example a direct eBGP peering over TenGiga interfaces
>> > where i see the same problem:
>> >
>> > ++++++++++++++++++++++++++
>> > 6500>sh int tenGigabitEthernet x/x | inc MTU
>> > MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
>> > 6500>
>> > 6500>
>> > 6500>sh ip int tenGigabitEthernet x/x | inc MTU
>> > MTU is 1500 bytes
>> > 6500>
>> > ++++++++++++++++++++++++++
>> >
>> > Any explanation to this strange behavior ?
>> >
>> > Thanks.
>> >
>> > Regards,
>> >
>> > Antonio Soares, CCIE #18473 (R&S)
>> > amsoares at netcabo.pt
>
> -- 
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From dudepron at gmail.com Wed Feb 11 12:29:10 2009
From: dudepron at gmail.com (Aaron)
Date: Wed, 11 Feb 2009 12:29:10 -0500
Subject: [c-nsp] Sprint & AT&T BGP multihoming
In-Reply-To: <200902111005.39980.kratzers@ctinetworks.com>
References: <49920334.6040306@chrisserafin.com> <200902111005.39980.kratzers@ctinetworks.com>
Message-ID: <480dad640902110929sf27873h69c40ad2e6f3b474@mail.gmail.com>

Sprint has a world wide network. They do not by transit from anybody.

Aaron

On Wed, Feb 11, 2009 at 10:05, Stephen Kratzer wrote:
> Deleted the original post, so I'll reply to this leaf...
>
> ATT is fine. Make sure that Sprint, at that particular location, has multiple
> transit providers. We are multihomed at one location with Embarq and Level3.
> As it turns out, Embarq's sole transit provider at that location IS Level3
> making the Embarq connection all but useless as far as diverse, load-balanced
> routing is concerned.
>
> Stephen Kratzer
> Network Engineer
> CTI Networks, Inc.
>
> On Wednesday 11 February 2009 08:58:30 Adam Greene wrote:
> > Had a good experience multihoming to AT&T, including fixing an issue with
> > balancing traffic between the two providers, which we solved through
> > advertisement of community strings. The engineer I spoke with was extremely
> > knowledgeable.
> >
> > This was already a few years ago, though ...
> >
> > ----- Original Message -----
> > From: "ChrisSerafin"
> > To:
> > Sent: Tuesday, February 10, 2009 5:44 PM
> > Subject: [c-nsp] Sprint & AT&T BGP multihoming
> >
> > > I am planning on multi-homing a client's Internet connection for
> > > redundancy, and wanted to know if anyone is doing this with Sprint and/or
> > > AT&T and has any pointers or 'gotchas' they have run into.
> > >
> > > I'm still months out from doing this and will most likely want to KEEP
> > > the existing subnets that they gave us (a /23 and /24), without the need
> > > for rebuilding a bunch of VPNs, re-IP'ing externally facing devices, and
> > > DNS changes for externally available web presence.
> > >
> > > Ideas? Comments? Concerns? Flames?
> > > > > > Thanks, > > > > > > Chris Serafin > > > chris at chrisserafin.com > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From paul at paulstewart.org Wed Feb 11 12:31:51 2009 From: paul at paulstewart.org (Paul Stewart) Date: Wed, 11 Feb 2009 12:31:51 -0500 Subject: [c-nsp] RES: BGP MSS=576 bytes In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> Message-ID: <000001c98c6e$a18a33d0$e49e9b70$@org> I just checked some peers at random here on 6500 and 7600's - they all defaulted to 1440 in an Ethernet environment... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leonardo Gama Souza Sent: Wednesday, February 11, 2009 11:09 AM To: cisco-nsp Subject: [c-nsp] RES: BGP MSS=576 bytes Wasn't it supposed to be enabled by default for all BGP neighbors? I think that's the point... -----Mensagem original----- De: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] Em nome de Jared Mauch Enviada em: quarta-feira, 11 de fevereiro de 2009 13:49 Para: Gergely Antal Cc: Antonio M. Soares; cisco-nsp at puck.nether.net Assunto: Re: [c-nsp] BGP MSS=576 bytes You want to enable 'ip tcp path-mtu-discovery' globally. This will allow it to scale outside the default 536, and if you are using jumbo mtu, may cause significantly reduced convergence times since it takes fewer packets to send those bgp updates. - Jared On Wed, Feb 11, 2009 at 04:46:17PM +0100, Gergely Antal wrote: > is "ip mtu 1500" set on the interfaces? > > Antonio M. 
Soares wrote: > > Hello group, > > > > I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an > > example: > > > > ++++++++++++++++++++++++++ > > 6500>sh ip bgp neighbors x.x.x.x > > > > ... > > > > Datagrams (max data segment is 536 bytes): > > > > Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052 > > > > Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215 > > > > 6500> > > ++++++++++++++++++++++++++ > > > > The documentation says that PMTUD is enabled by default so this should not be happening: > > > > ++++++++++++++++++++++++++ > > BGP Neighbor Session TCP PMTUD > > > > TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable > > TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, > > Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding > > any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, > > 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit > > TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions. > > To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under > > router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport > > path-mtu-discovery command under router or address family configuration modes. 
> > ++++++++++++++++++++++++++ > > > > I have for example a direct eBGP peering over TenGiga interfaces where i see the same problem: > > > > ++++++++++++++++++++++++++ > > 6500>sh int tenGigabitEthernet x/x | inc MTU > > MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec, > > 6500> > > 6500> > > 6500>sh ip int tenGigabitEthernet x/x | inc MTU > > MTU is 1500 bytes > > 6500> > > ++++++++++++++++++++++++++ > > > > > > > > Any explanation to this strange behavior ? > > > > > > Thanks. > > > > Regards, > > > > Antonio Soares, CCIE #18473 (R&S) > > amsoares at netcabo.pt > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. 
From brian at meganet.net Wed Feb 11 12:24:07 2009
From: brian at meganet.net (Brian Wallingford)
Date: Wed, 11 Feb 2009 12:24:07 -0500 (EST)
Subject: [c-nsp] Sprint & AT&T BGP multihoming
In-Reply-To: <480dad640902110929sf27873h69c40ad2e6f3b474@mail.gmail.com>
References: <49920334.6040306@chrisserafin.com> <200902111005.39980.kratzers@ctinetworks.com> <480dad640902110929sf27873h69c40ad2e6f3b474@mail.gmail.com>
Message-ID:

They don't what?

On Wed, 11 Feb 2009, Aaron wrote:

:Sprint has a world wide network. They do not by transit from anybody.
:
:Aaron
:
:On Wed, Feb 11, 2009 at 10:05, Stephen Kratzer wrote:
:
:> Deleted the original post, so I'll reply to this leaf...
:> [...]

From avayner at cisco.com Wed Feb 11 12:45:06 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 11 Feb 2009 18:45:06 +0100
Subject: [c-nsp] Dynamic Vlan with 3750
In-Reply-To:
References:
Message-ID: <78C984F8939D424697B15E4B1C1BB3D734B76C@xmb-ams-331.emea.cisco.com>

Hi,

Can you please explain what is the behavior you expect from the "Dynamic VLAN" feature?
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of almidoster at gmail.com
Sent: Wednesday, February 11, 2009 16:21
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dynamic Vlan with 3750

Hi list,

I have one switch 3750 and five 3560 switches in my LAN, the central switch is 3750. I have an access point DLINK in a permanent place, I have configured Wireless to use another vlan, but I have some access points that we have to move their position into the building. I want to deploy dynamic vlan, is it possible to deploy with these models? I heard that I would have to buy a 6500.

Regards

From chloekcy2000 at yahoo.ca Wed Feb 11 12:45:17 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Wed, 11 Feb 2009 12:45:17 -0500 (EST)
Subject: [c-nsp] any hints about this error
Message-ID: <622593.88401.qm@web57405.mail.re1.yahoo.com>

Hi all

I got the syslog about this error

any idea and how can I solve it?

1w0d: %AMDP2_FE-6-EXCESSCOLL: Ethernet0/0 TDR=1, TRC=0

Thank you

From cisco-nsp at slepicka.net Wed Feb 11 12:51:54 2009
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Wed, 11 Feb 2009 11:51:54 -0600
Subject: [c-nsp] any hints about this error
In-Reply-To: <622593.88401.qm@web57405.mail.re1.yahoo.com>
References: <622593.88401.qm@web57405.mail.re1.yahoo.com>
Message-ID: <4993103A.6060309@slepicka.net>

1. google.com
2. AMDP2_FE-6-EXCESSCOLL site:cisco.com
3. I'm Feeling Lucky

chloe K wrote:
> Hi all
>
> I got the syslog about this error
>
> any idea and how can I solve it?
>
> 1w0d: %AMDP2_FE-6-EXCESSCOLL: Ethernet0/0 TDR=1, TRC=0
>
> Thank you

From brian at meganet.net Wed Feb 11 12:44:09 2009
From: brian at meganet.net (Brian Wallingford)
Date: Wed, 11 Feb 2009 12:44:09 -0500 (EST)
Subject: [c-nsp] any hints about this error
In-Reply-To: <622593.88401.qm@web57405.mail.re1.yahoo.com>
References: <622593.88401.qm@web57405.mail.re1.yahoo.com>
Message-ID:

Examine speed/duplex on both ends.

On Wed, 11 Feb 2009, chloe K wrote:

:Hi all
:
: I got the syslog about this error
:
: any idea and how can I solve it?
:
: 1w0d: %AMDP2_FE-6-EXCESSCOLL: Ethernet0/0 TDR=1, TRC=0
:
: Thank you

From kev.edmunds at googlemail.com Wed Feb 11 12:55:15 2009
From: kev.edmunds at googlemail.com (Kevin Edmunds)
Date: Wed, 11 Feb 2009 17:55:15 +0000
Subject: [c-nsp] 3750, EIGRP, and passive-interface
Message-ID:

Hi list,

I have a L3 3750, it has a 10MB circuit attached to one of its routed ports which connects to another L3 3750 (again routed port).

I've started getting into the habit of using EIGRP instances to monitor these type of circuits to see when the line goes down and up, however on a 3750 I don't want EIGRP broadcasting out on the rest of the ports. To my knowledge I can suppress these with the passive-interface command, but add a few more circuits for other customers on there and the config will be massive! Is there a smarter way to suppress the updates on everything but the port I want, or is it something I need to put up with?

Thanks for your time.
Kev

From sethm at rollernet.us Wed Feb 11 12:56:34 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 11 Feb 2009 09:56:34 -0800
Subject: [c-nsp] Sprint & AT&T BGP multihoming
In-Reply-To: <200902111005.39980.kratzers@ctinetworks.com>
References: <49920334.6040306@chrisserafin.com> <200902111005.39980.kratzers@ctinetworks.com>
Message-ID: <49931152.20306@rollernet.us>

Stephen Kratzer wrote:
> Deleted the original post, so I'll reply to this leaf...
>
> ATT is fine. Make sure that Sprint, at that particular location, has multiple
> transit providers. We are multihomed at one location with Embarq and Level3.
> As it turns out, Embarq's sole transit provider at that location IS Level3
> making the Embarq connection all but useless as far as diverse, load-balanced
> routing is concerned.
>

Sprint is Sprint, they don't purchase transit. See AS1239.

~Seth

From sethm at rollernet.us Wed Feb 11 12:59:37 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 11 Feb 2009 09:59:37 -0800
Subject: [c-nsp] any hints about this error
In-Reply-To: <4993103A.6060309@slepicka.net>
References: <622593.88401.qm@web57405.mail.re1.yahoo.com> <4993103A.6060309@slepicka.net>
Message-ID: <49931209.3010103@rollernet.us>

James Slepicka wrote:
> 1. google.com
> 2. AMDP2_FE-6-EXCESSCOLL site:cisco.com
> 3. I'm Feeling Lucky
>

Now now, don't go suggesting crazy ideas like that.
~Seth

From achatz at forthnet.gr Wed Feb 11 13:32:17 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 11 Feb 2009 20:32:17 +0200
Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
In-Reply-To: <20090211144754.GP18683@rtp-cse-489.cisco.com>
References: <5c846eaf0902110536k524a47c4pa1915b3fc49b9d5d@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F774@mail.office.dansketelecom.com> <4992DFFF.9070508@forthnet.gr> <20090211144754.GP18683@rtp-cse-489.cisco.com>
Message-ID: <499319B1.8080201@forthnet.gr>

Regarding pause frames, there is some extra info on CCO about 7201, which makes it even more interesting by distinguishing the functionality between the GE ports.

http://www.cisco.com/en/US/docs/routers/7200/install_and_upgrade/7201_install_config/11364a.html#wp1013455

Too bad there isn't a way on these routers (like in switches) to disable flow-control but keep auto-negotiation on.

-- 
Tassos

Rodney Dunn wrote on 11/02/2009 16:47:
> On Wed, Feb 11, 2009 at 04:26:07PM +0200, Tassos Chatzithomaoglou wrote:
>> We had a similar case with microbursts and lots of small packets and
>> after moving to NPE-G2, we're very happy with it.
>> Traffic goes up, CPU is blocked at 75%, still no sign of drops.
>
> Good to know. It all depends on the load.
>
> The direction forward is hw based forwarding for gige line rate
> traffic (ASR1000, 76xx, etc..)
>
>
>> Regarding the pause frames, i'm too very confused about them being
>> supported.
>> http://markmail.org/message/y7bjuudmbrfofp6z
>
> I've done some research and there appears to be some issues on
> how the MAC chip can account for the pause frames sent/received
> although it does appear to support flow control.
>
> But my *opinion* on that is flow control is a wasted effort because
> you can't quantify the burst and therefore you just buffer on the
> other side and risk drops there.
>
> Rodney
>
>> -- 
>> Tassos
>>
>> Lars Lystrup Christensen wrote on 11/02/2009 15:47:
>>> Hi John
>>>
>>> We had the same issue a few years ago on a Cisco 7204VXR with the
>>> NPE-G1 processor. I believe we were told, that we had hit the max
>>> capacity of the router.
>>>
>>> ______________________________________
>>>
>>> Med venlig hilsen / Kind regards
>>>
>>> Lars Lystrup Christensen
>>> Director of Engineering, CCIE(tm) #20292
>>>
>>> Danske Telecom A/S
>>> Sundkrogsgade 13, 4
>>> 2100 København Ø
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of john douglas
>>> Sent: 11 February 2009 14:36
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] 7301 NPE-G1 gigabit overruns
>>>
>>> Hi All,
>>>
>>> I am hoping someone may have some guidance.
>>>
>>> We have some 7301 NPE-G1 running 12.2(33)SRC3 connected to Catalyst
>>> 3560 switch, dot1q trunking with a few Vlans. I find on the 7301
>>> router whenever I try to drive a given gigabit sub interface beyond
>>> about 200mbps I begin to see Input Errors (Overruns) incrementing on
>>> the physical interface and begin exhibiting packet loss. Under the
>>> show controller information I see rx_overrun and rx_int_drop
>>> incrementing - all other Rx error values under "Statistics" section
>>> are zero. On the switch I see pause input incrementing, but no
>>> errors.
>>> Cpu is 40%.
>>>
>>> I have read other postings about this being attributed to microburst
>>> of traffic but I am still a little unclear. I am trying to work out
>>>
>>> 1) Does the G1 correctly support pause frames?
>>>
>>> 2) Are there any knobs we can tweak - or are we simply hitting the limits
>>> of the silicon?
>>>
>>> The short term solution has been to spread the vlan sub interfaces
>>> over the 3 gig interfaces however this leaves me in a situation where
>>> I cannot really use EEM to migrate sub interface config from one
>>> gigabit interface to another should there be a failure, as the target
>>> interface will be exhibiting overruns and loss.
>>>
>>> Any advice appreciated,
>>>
>>> Kind regards,
>>>
>>> John
>

From steve at ibctech.ca Wed Feb 11 13:55:37 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Wed, 11 Feb 2009 13:55:37 -0500
Subject: [c-nsp] 3750, EIGRP, and passive-interface
In-Reply-To:
References:
Message-ID: <49931F29.9030800@ibctech.ca>

Kevin Edmunds wrote:
> Hi list,
>
> I have a L3 3750, it has a 10MB circuit attached to one of its routed ports
> which connects to another L3 3750 (again routed port).
>
> I've started getting into the habit of using EIGRP instances to monitor
> these type of circuits to see when the line goes down and up, however on a
> 3750 I don't want EIGRP broadcasting out on the rest of the ports, to my
> knowledge i can suppress these with the passive-interface command but add a
> few more circuits for other customers on there and the config will be
> massive!
> is there a smarter way to suppress the updates on everything but
> the port I want or is it something I need to put up with?

I don't know much about EIGRP, but perhaps it has a function like OSPF to allow one, and deny the rest:

passive-interface default
no passive-interface x/x

Steve

From gert at greenie.muc.de Wed Feb 11 14:08:05 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Feb 2009 20:08:05 +0100
Subject: [c-nsp] VTP domain.
In-Reply-To: <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
References: <20090210102330.K55176@pop.citytel.net> <4992ABC0.7050100@heanet.ie> <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
Message-ID: <20090211190805.GO290@greenie.muc.de>

Hi,

On Wed, Feb 11, 2009 at 09:04:54AM -0500, Adam Greene wrote:
> In light of all the disasters that can happen with VTP, do people in
> general think it's worth the risk of deploying?

VTP 1 or 2, no. VTP 3, maybe.

gert
-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk Wed Feb 11 14:07:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 11 Feb 2009 20:07:16 +0100
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <000001c98c6e$a18a33d0$e49e9b70$@org>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org>
Message-ID: <1234379236.18450.4.camel@localhost.localdomain>

On Wed, 2009-02-11 at 12:31 -0500, Paul Stewart wrote:
> I just checked some peers at random here on 6500 and 7600's - they all
> defaulted to 1440 in an Ethernet environment...

And they're not directly connected eBGP peers? Those default to using the interface MTU.
Internal neighbors should default to 536 (or 516 or thereabout) AFAIK. At least that's how it's been for our 6500s running SXF for years.

Strange though if the OP example of an eBGP peer is directly connected, yet still uses 536 as default MTU.

Regards,
Peter

From gert at greenie.muc.de Wed Feb 11 14:10:30 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Feb 2009 20:10:30 +0100
Subject: [c-nsp] 3750, EIGRP, and passive-interface
In-Reply-To: <49931F29.9030800@ibctech.ca>
References: <49931F29.9030800@ibctech.ca>
Message-ID: <20090211191030.GP290@greenie.muc.de>

Hi,

On Wed, Feb 11, 2009 at 01:55:37PM -0500, Steve Bertrand wrote:
> I don't know much about EIGRP, but perhaps it has a function like OSPF
> to allow one, and deny the rest:
>
> passive-interface default
> no passive-interface x/x

It will work and do exactly this :)

gert
-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From ygauteron at gmail.com Wed Feb 11 14:12:21 2009
From: ygauteron at gmail.com (Yann Gauteron)
Date: Wed, 11 Feb 2009 20:12:21 +0100
Subject: [c-nsp] any hints about this error
In-Reply-To: <622593.88401.qm@web57405.mail.re1.yahoo.com>
References: <622593.88401.qm@web57405.mail.re1.yahoo.com>
Message-ID: <8097baf0902111112pe1522bcg2c122bbda3723d8f@mail.gmail.com>

What chassis and line cards do you run? Is the Ethernet0/0 a physical interface or an internal (virtual) interface?

This error can be due to real collisions on physical interfaces due to duplex mismatch. But I also met this error condition on an internal (virtual) interface on an uBR10012 chassis (a Cable Modem Termination System based on a 10000 architecture) of one of my customers.
In that chassis, the Ethernet0/0 interface is in fact a kind of internal bus used for the PRE to communicate with the line cards.

When I noticed this problem on the above mentioned 10012 chassis, we also had other problems (line card reboots). After long (very long) analysis with the TAC without success, we finally proceeded with a RMA. Since then, I saw this collision condition only after the boot/reload of the equipment.

From justin at justinshore.com Wed Feb 11 14:24:24 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 11 Feb 2009 13:24:24 -0600
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <1234379236.18450.4.camel@localhost.localdomain>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain>
Message-ID: <499325E8.3060304@justinshore.com>

Peter Rathlev wrote:
> On Wed, 2009-02-11 at 12:31 -0500, Paul Stewart wrote:
>> I just checked some peers at random here on 6500 and 7600's - they all
>> defaulted to 1440 in an Ethernet environment...
>
> And they're not directly connected eBGP peers? Those default to using
> the interface MTU. Internal neighbors should default to 536 (or 516 or
> thereabout) AFAIK. At least that's how it's been for our 6500s running
> SXF for years.
>
> Strange though if the OP example of an eBGP peer is directly connected,
> yet still uses 536 as default MTU.

My external peers are 1440. Almost all of my internal peers are 516 or 536. There are a few exceptions though. I have one pair of 7600s that are 1440, my ME3750 that's also 1440, and one ME6524 that's 9132 (the other ME6524 is 516 for some reason). Perplexing.

So how does one force iBGP sessions to choose a larger datagram size? Do you have to do it in the BGP config with 'neighbor a.b.c.d transport path-mtu-discovery' or is there a more automatic solution?
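Several posters above checked their peers' negotiated MSS by hand. The following is an added example, not code from the thread or from Cisco, that does the same audit over `show ip bgp neighbors` output: it reads the "max data segment is N bytes" line the thread quotes, flags sessions below a threshold, and emits the per-neighbor `transport path-mtu-discovery` command the thread mentions. The "BGP neighbor is ..." header pattern is an assumption about the IOS output format, and the sample output is constructed for this example.

```python
"""Flag BGP sessions that negotiated a small MSS from `show ip bgp neighbors` output.

Added example, not from the thread or from Cisco. The sample output below is
constructed from the format quoted in the thread; the "BGP neighbor is ..."
header regex is an assumption about IOS output and may need adjusting per release.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed header line format, e.g. "BGP neighbor is 10.0.0.1,  remote AS 65001, internal link"
NEIGHBOR_RE = re.compile(
    r"^BGP neighbor is (?P<addr>\S+?),\s+remote AS (?P<asn>\d+),\s+(?P<link>internal|external) link",
    re.MULTILINE,
)
# The line quoted in the thread: "Datagrams (max data segment is 536 bytes):"
MSS_RE = re.compile(r"max data segment is (?P<mss>\d+) bytes")


@dataclass
class Peer:
    address: str
    remote_as: int
    link: str            # "internal" (iBGP) or "external" (eBGP)
    mss: Optional[int]   # None if no Datagrams line was found for this neighbor


def parse_bgp_neighbors(text: str) -> List[Peer]:
    """Split the output into one block per neighbor and pull out the negotiated MSS."""
    heads = list(NEIGHBOR_RE.finditer(text))
    peers = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[head.start():end]
        m = MSS_RE.search(block)
        peers.append(Peer(head["addr"], int(head["asn"]), head["link"],
                          int(m["mss"]) if m else None))
    return peers


def small_mss_peers(peers: List[Peer], threshold: int = 1000) -> List[Peer]:
    """Sessions below the threshold; 536 is the TCP default MSS when PMTUD is not in effect."""
    return [p for p in peers if p.mss is not None and p.mss < threshold]


def remediation_commands(peers: List[Peer]) -> List[str]:
    """Per-neighbor command mentioned in the thread. The global alternative Jared
    gives, `ip tcp path-mtu-discovery`, applies to every TCP session on the box."""
    return [f"neighbor {p.address} transport path-mtu-discovery" for p in peers]


# Constructed sample output (three neighbors, two with the small default MSS).
SAMPLE = """\
BGP neighbor is 10.0.0.1,  remote AS 65001, internal link
  BGP version 4, remote router ID 10.0.0.1
  BGP state = Established, up for 3w2d
Datagrams (max data segment is 536 bytes):
  Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
  Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
BGP neighbor is 192.0.2.1,  remote AS 64500, external link
  BGP state = Established, up for 1w2d
Datagrams (max data segment is 1440 bytes):
BGP neighbor is 10.0.0.2,  remote AS 65001, internal link
Datagrams (max data segment is 516 bytes):
"""

if __name__ == "__main__":
    flagged = small_mss_peers(parse_bgp_neighbors(SAMPLE))
    for p in flagged:
        print(f"{p.address} ({p.link}, AS{p.remote_as}): MSS {p.mss}")
    print("\n".join(remediation_commands(flagged)))
```

Feed it the saved output of `show ip bgp neighbors` from a real box instead of `SAMPLE`; the threshold of 1000 separates the 516/536 defaults discussed in the thread from the 1440 seen on Ethernet peers without hard-coding either value.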
Justin

From elparis at cisco.com Tue Feb 10 16:43:06 2009
From: elparis at cisco.com (Eloy Paris)
Date: Tue, 10 Feb 2009 16:43:06 -0500
Subject: [c-nsp] BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH
Message-ID: <20090210214306.GA16029@cisco.com>

Hi Rob,

Eloy Paris from the Cisco PSIRT here. Please see below (inline) for some comments regarding the issue you brought up in your email to the cisco-nsp and nanog mailing lists this past Jan. 16th:

On Fri Jan 16 07:57:52 2009, Rob Shakir wrote:
> Strict RFC 4893 (4-byte ASN support) BGP4 implementations are
> vulnerable to a session reset by distant (not directly connected)
> ASes. This vulnerability is a feature of the standard, and unless
> immediate action is taken an increasingly significant number of
> networks will be open to attack. Accidental triggering of this
> vulnerability has already been seen in the wild, although the limited
> number of RFC 4893 deployments has limited its effect.
>
> Summary:
> It is possible to cause BGP sessions to remotely reset by injecting
> invalid data into the AS4_PATH attribute provided to store 4-byte ASN
> paths. Since AS4_PATH is an optional transitive attribute, the invalid
> data will be transited through many intermediate ASes which will not
> examine the content. To be vulnerable, an operator does not have to
> be actively using 4-byte AS support. This problem was first reported
> by Andy Davidson on NANOG in December 2008 [0], furthermore we have
> been able to demonstrate that a device running Cisco IOS release
> 12.0(32)S12 behaves as per this description.
>
> Details: [...]

Cisco Bug CSCsx10140 was filed for Cisco IOS. Cisco IOS behaves exactly as you described - upon receipt of AS_CONFED_SEQUENCE data in the AS4_PATH attribute IOS will send a NOTIFICATION message to the peer, which causes a termination of the BGP session.
After the fix for this bug IOS will ignore AS_CONFED_SEQUENCE data in the AS4_PATH attribute of received BGP UPDATE messages and continue to process the UPDATE. This is the new behavior that the revised RFC 4893 will require.

CSCsx18598 was filed for Cisco IOS XR. Cisco IOS XR doesn't reset the session but accepts and forwards the invalid AS4_PATH data, so this bug was filed to change this behavior.

CSCsx23179 was filed for Cisco NX-OS (for the Nexus switches.) Cisco NX-OS behaves like IOS (it will reset the BGP session when it sees AS_CONFED_SEQUENCE data in the AS4_PATH attribute), and this bug was filed to change this and have the BGP implementation in Cisco NX-OS follow the revised RFC 4893.

The Release Notes for each bug may have some additional information. These are available via the Bug Toolkit on cisco.com (http://tools.cisco.com/Support/BugToolKit)

To date, the only version of Cisco IOS that supports 4-byte AS numbers is 12.0(32)S12, released in late December. A fix to the 12.0(32)Sxx branch has been committed so the next 12.0(32)S-based release will have the fix. 12.0(32)SY8 is coming out soon, and it will also have support for 4-byte AS numbers, as well as the fix for the problem.

Thanks for bringing attention to this issue and for working with us, specifically with the Cisco TAC, to get to the bottom of it and test the proposed fix.
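The receive-side handling the PSIRT note describes for the fixed releases (ignore confederation segments found in AS4_PATH and keep processing the UPDATE, rather than sending a NOTIFICATION and tearing the session down) is shown below as an added example in Python. It is not Cisco's code and is not part of this thread; the segment layout (one-octet type, one-octet AS count, then AS numbers) follows RFC 4271 with 4-octet AS numbers per RFC 4893, and the two sample attribute values are constructed for the example.

```python
"""Tolerant AS4_PATH parser: drop confederation segments instead of resetting the session.

Added example, not Cisco code and not from the thread. It models the post-fix
behaviour the PSIRT note describes: AS_CONFED_SEQUENCE / AS_CONFED_SET data in
AS4_PATH is ignored and the rest of the attribute is still usable, and the
dropped segments are returned so the caller can count or log the event.
Segment encoding per RFC 4271 (type, count, ASes) with 4-octet ASNs (RFC 4893).
Sample attribute values below are constructed.
"""
import struct
from typing import List, NamedTuple, Tuple

AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
SEGMENT_NAMES = {AS_SET: "AS_SET", AS_SEQUENCE: "AS_SEQUENCE",
                 AS_CONFED_SEQUENCE: "AS_CONFED_SEQUENCE", AS_CONFED_SET: "AS_CONFED_SET"}
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}


class Segment(NamedTuple):
    seg_type: int
    asns: Tuple[int, ...]


class MalformedAttribute(ValueError):
    """Length fields do not add up; the caller decides how to treat the UPDATE."""


def parse_as4_path(raw: bytes) -> Tuple[List[Segment], List[Segment]]:
    """Return (accepted_segments, ignored_confed_segments).

    A confederation segment is not a session-fatal error here: it is skipped,
    the remaining segments are still parsed, and the skipped ones are handed
    back for logging. Only a truncated or unknown segment raises.
    """
    accepted: List[Segment] = []
    ignored: List[Segment] = []
    pos = 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise MalformedAttribute("truncated segment header")
        seg_type, count = raw[pos], raw[pos + 1]
        pos += 2
        if seg_type not in SEGMENT_NAMES:
            raise MalformedAttribute(f"unknown segment type {seg_type}")
        need = 4 * count                      # 4-octet AS numbers in AS4_PATH
        if len(raw) - pos < need:
            raise MalformedAttribute("segment length exceeds attribute length")
        asns = struct.unpack(f"!{count}I", raw[pos:pos + need])
        pos += need
        seg = Segment(seg_type, asns)
        (ignored if seg_type in CONFED_TYPES else accepted).append(seg)
    return accepted, ignored


def is_malformed(raw: bytes) -> bool:
    """True if the attribute cannot be parsed at all (as opposed to merely carrying confed data)."""
    try:
        parse_as4_path(raw)
        return False
    except MalformedAttribute:
        return True


def as_path_view(segments: List[Segment]) -> str:
    """Render like a router's show output: AS_SETs in braces, sequences space-separated."""
    parts = []
    for seg in segments:
        text = " ".join(str(a) for a in seg.asns)
        parts.append("{" + text + "}" if seg.seg_type == AS_SET else text)
    return " ".join(parts)


def encode_as4_path(segments) -> bytes:
    """Build an AS4_PATH attribute value; used here only to construct the samples."""
    out = bytearray()
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)]) + struct.pack(f"!{len(asns)}I", *asns)
    return bytes(out)


# Constructed samples: a clean 4-octet path, and one where a confederation
# segment has leaked into AS4_PATH (the condition the PSIRT note discusses).
CLEAN = encode_as4_path([(AS_SEQUENCE, (196608, 3320, 65536))])
WITH_CONFED = encode_as4_path([
    (AS_SEQUENCE, (196608, 3320)),
    (AS_CONFED_SEQUENCE, (65001, 65002)),
    (AS_SEQUENCE, (65536,)),
])

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("with confed segment", WITH_CONFED)):
        acc, ign = parse_as4_path(raw)
        print(f"{label}: path {as_path_view(acc)!r}, ignored "
              f"{[SEGMENT_NAMES[s.seg_type] for s in ign]}")
```

The point of the split return value is operational: the session stays up, the usable path is still available, and `ignored` gives a counter or syslog hook so that a burst of leaked confederation segments from a distant AS is visible rather than silently absorbed.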
Cheers,

--
Eloy Paris
Cisco PSIRT

From dudepron at gmail.com Wed Feb 11 14:48:29 2009
From: dudepron at gmail.com (Aaron)
Date: Wed, 11 Feb 2009 14:48:29 -0500
Subject: [c-nsp] Sprint & AT&T BGP multihoming
In-Reply-To:
References: <49920334.6040306@chrisserafin.com> <200902111005.39980.kratzers@ctinetworks.com> <480dad640902110929sf27873h69c40ad2e6f3b474@mail.gmail.com>
Message-ID: <480dad640902111148m3239b6fdq671cb3559e2b9485@mail.gmail.com>

.....do not buy transit. You should have been able to figure out the misspelling of "by" vs "buy"

On Wed, Feb 11, 2009 at 12:24, Brian Wallingford wrote:

> They don't what?
>
> On Wed, 11 Feb 2009, Aaron wrote:
>
> :Sprint has a world wide network. They do not by transit from anybody.
> :
> :Aaron
> :
> :On Wed, Feb 11, 2009 at 10:05, Stephen Kratzer wrote:
> :
> :> Deleted the original post, so I'll reply to this leaf...
> :>
> :> ATT is fine. Make sure that Sprint, at that particular location, has
> :> multiple transit providers. We are multihomed at one location with
> :> Embarq and Level3. As it turns out, Embarq's sole transit provider at
> :> that location IS Level3 making the Embarq connection all but useless
> :> as far as diverse, load-balanced routing is concerned.
> :>
> :> Stephen Kratzer
> :> Network Engineer
> :> CTI Networks, Inc.
> :>
> :> On Wednesday 11 February 2009 08:58:30 Adam Greene wrote:
> :> > Had a good experience multihoming to AT&T, including fixing an issue
> :> > with balancing traffic between the two providers, which we solved
> :> > through advertisement of community strings. The engineer I spoke with
> :> > was extremely knowledgeable.
> :> >
> :> > This was already a few years ago, though ...
> :> >
> :> > ----- Original Message -----
> :> > From: "ChrisSerafin"
> :> > To:
> :> > Sent: Tuesday, February 10, 2009 5:44 PM
> :> > Subject: [c-nsp] Sprint & AT&T BGP multihoming
> :> >
> :> > > I am planning on multi-homing a client's Internet connection for
> :> > > redundancy, and wanted to know if anyone is doing this with Sprint
> :> > > and/or AT&T and has any pointers or 'gotchas' they have run into.
> :> > >
> :> > > I'm still months out from doing this and will most likely want to
> :> > > KEEP the existing subnets that they gave us (a /23 and /24), without
> :> > > the need for rebuilding a bunch or VPNs, re-IP'ing externally facing
> :> > > devices, and DNS changes for externally available web presence.
> :> > >
> :> > > Ideas? Comments? Concerns? Flames?
> :> > >
> :> > > Thanks,
> :> > >
> :> > > Chris Serafin
> :> > > chris at chrisserafin.com
> :>
> :> _______________________________________________
> :> cisco-nsp mailing list cisco-nsp at puck.nether.net
> :> https://puck.nether.net/mailman/listinfo/cisco-nsp
> :> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From lukasz at bromirski.net Wed Feb 11 15:36:48 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 11 Feb 2009 21:36:48 +0100
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <499325E8.3060304@justinshore.com>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com>
Message-ID: <499336E0.7090101@bromirski.net>

On 2009-02-11 20:24, Justin Shore wrote:

> So how do one force iBGP sessions to choose a larger datagram size? Do
> you have to do it in the BGP config with 'neighbor a.b.c.d transport
> path-mtu-discovery' or is there a more automatic solution?
'ip tcp path-mtu-discovery' global command or the one You mentioned for per-neighbor tuning.

--
"Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From conceicao.jose at gmail.com Wed Feb 11 15:51:10 2009
From: conceicao.jose at gmail.com (Jose Conceicao)
Date: Wed, 11 Feb 2009 20:51:10 +0000
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <499336E0.7090101@bromirski.net>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net>
Message-ID: <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com>

After choosing whatever preferred method, wouldn't these BGP sessions need to be re-established to take effect? (since MSS is only carried in SYN and SYN/ACKs)

And shouldn't u account for TCP/IP overhead? (just being lazy by not testing this in lab)

/Jose

2009/2/11 Łukasz Bromirski

> On 2009-02-11 20:24, Justin Shore wrote:
>
>> So how do one force iBGP sessions to choose a larger datagram size? Do
>> you have to do it in the BGP config with 'neighbor a.b.c.d transport
>> path-mtu-discovery' or is there a more automatic solution?
>
> 'ip tcp path-mtu-discovery' global command or the one You mentioned
> for per-neighbor tuning.
>
> --
> "Don't expect me to cry for all the | Łukasz Bromirski
> reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net
>

From jeremy at evilrouters.net Wed Feb 11 16:00:35 2009
From: jeremy at evilrouters.net (Jeremy Gaddis)
Date: Wed, 11 Feb 2009 16:00:35 -0500
Subject: [c-nsp] any hints about this error
In-Reply-To: <4993103A.6060309@slepicka.net>
References: <622593.88401.qm@web57405.mail.re1.yahoo.com> <4993103A.6060309@slepicka.net>
Message-ID: <8623d07f0902111300k4bfbefh7a7beab8618f3a90@mail.gmail.com>

On Wed, Feb 11, 2009 at 12:51 PM, James Slepicka wrote:

> 1. google.com
> 2. AMDP2_FE-6-EXCESSCOLL site:cisco.com
> 3. I'm Feeling Lucky

Even better: http://tinyurl.com/d6mtrj

--
Jeremy L. Gaddis
http://evilrouters.net/

From justin at justinshore.com Wed Feb 11 16:08:48 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 11 Feb 2009 15:08:48 -0600
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <499336E0.7090101@bromirski.net>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net>
Message-ID: <49933E60.6060107@justinshore.com>

Łukasz Bromirski wrote:

> On 2009-02-11 20:24, Justin Shore wrote:
>
>> So how do one force iBGP sessions to choose a larger datagram size? Do
>> you have to do it in the BGP config with 'neighbor a.b.c.d transport
>> path-mtu-discovery' or is there a more automatic solution?
>
> 'ip tcp path-mtu-discovery' global command or the one You mentioned
> for per-neighbor tuning.
I set 'ip tcp path-mtu-discovery' on all my boxes by default, and the vast majority of them still assumed 516 or 536 MSS. I tweaked the transport options in a few routers and that brought up the MSS. It looks like the code on one of ME6524s won't let me set that option though so I guess an upgrade is in order.

Thanks
Justin

From aaron at wsc.ma.edu Wed Feb 11 16:26:08 2009
From: aaron at wsc.ma.edu (Childs, Aaron)
Date: Wed, 11 Feb 2009 16:26:08 -0500
Subject: [c-nsp] FWSM w/v4 code
Message-ID: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu>

Good Afternoon,

A couple of months ago I upgraded our FWSM to version 4 of the code. I applied a new access-list today and wanted to remove an old one. To my amazement "no access-list blah" is no longer a valid command. I have tried to ask the oracle of Google and Cisco, but I can't find an answer. Could someone please direct me to the proper documentation?

Thank you,

Aaron

-------------
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/

From jason at lixfeld.ca Wed Feb 11 16:32:08 2009
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Wed, 11 Feb 2009 16:32:08 -0500
Subject: [c-nsp] FWSM w/v4 code
In-Reply-To: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu>
References: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu>
Message-ID: <9BD991D9-72E0-41C0-A240-E613E40935B4@lixfeld.ca>

Try 'clear configure access-list blah'.

I don't think the issue is that the command is invalid (going from memory here), rather you can only 'no' out an access-list line by line.

So, while this will work:

no access-list blah extended permit ip host 1.1.1.1 host 2.2.2.2
no access-list blah extended permit ip host 3.3.3.3 host 4.4.4.4

And this won't:

no access-list blah

This should work to get rid of the access-list:

clear configure access-list blah

On 11-Feb-09, at 4:26 PM, Childs, Aaron wrote:

> Good Afternoon,
>
> A couple of months ago I upgraded our FWSM to version 4 of the code. I
> applied a new access-list today and wanted to remove an old one. To my
> amazement "no access-list blah" is no longer a valid command. I have tried
> to ask the oracle of Google and Cisco, but I can't find an answer. Could
> someone please direct me to the proper documentation?
>
> Thank you,
>
> Aaron
>
> -------------
> Aaron Childs
> Assistant Director, Networking
> Westfield State College
> http://www.wsc.ma.edu/it/
>

From moua0100 at umn.edu Wed Feb 11 16:32:59 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Wed, 11 Feb 2009 15:32:59 -0600
Subject: [c-nsp] FWSM w/v4 code
In-Reply-To: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu>
References: <3760B7E1B344364AA0384B231FE7BA690139F55EEB@ex-be1.ads.wsc.ma.edu>
Message-ID: <4993440B.4060901@umn.edu>

That command is deprecated. New syntax is: "clear configure "

you can continue to use the old syntax to remove a particular ACE from an ACL, use the above to blow away the ACL completely.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Childs, Aaron wrote:

> Good Afternoon,
>
> A couple of months ago I upgraded our FWSM to version 4 of the code. I
> applied a new access-list today and wanted to remove an old one. To my
> amazement "no access-list blah" is no longer a valid command. I have tried
> to ask the oracle of Google and Cisco, but I can't find an answer. Could
> someone please direct me to the proper documentation?
>
> Thank you,
>
> Aaron
>
> -------------
> Aaron Childs
> Assistant Director, Networking
> Westfield State College
> http://www.wsc.ma.edu/it/
>

From lukasz at bromirski.net Wed Feb 11 18:36:45 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 12 Feb 2009 00:36:45 +0100
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <49933E60.6060107@justinshore.com>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> <49933E60.6060107@justinshore.com>
Message-ID: <4993610D.3060608@bromirski.net>

On 2009-02-11 22:08, Justin Shore wrote:

> I set 'ip tcp path-mtu-discovery' on all my boxes by default, and the
> vast majority of them still assumed 516 or 536 MSS.

Then something is messing up PMTUD.
--
"Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From lukasz at bromirski.net Wed Feb 11 18:39:52 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 12 Feb 2009 00:39:52 +0100
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com>
Message-ID: <499361C8.4060305@bromirski.net>

On 2009-02-11 21:51, Jose Conceicao wrote:

> After choosing whatever preferred method, wouldn't these BGP sessions
> need to be re-established to take effect? (since MSS is only carried
> in SYN and SYN/ACKs)

Sure.

> And shouldn't u account for TCP/IP overhead? (just being lazy by not
> testing this in lab)

TCP/IP overhead of what actually?

Here's a whitepaper on PMTUD/MSS:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

And there's CSCef52888 for all of You pre 12.2(18)SXF12 guys which doesn't actually have PMTUD do its work.

--
"Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From brett at looney.id.au Wed Feb 11 18:27:52 2009
From: brett at looney.id.au (Brett Looney)
Date: Thu, 12 Feb 2009 08:27:52 +0900
Subject: [c-nsp] Dynamic Vlan with 3750
In-Reply-To:
References:
Message-ID: <002101c98ca0$6169cef0$243d6cd0$@id.au>

> I have one switch 3750 and five 3560 switches in my LAN, the
> central switch is 3750,
> I want to deploy dynamic vlan, it is possible to deploy with
> these models, I heard that I would have to buy a 6500.

If you're referring to VMPS the 3560/3750 do support it but only in client mode so you'll need to set up a VMPS server. You can get a 6500 to be a VMPS server but only with CatOS so your best bet is an external server - Google VMPS server and there are a few to choose from. I've done this and it works well.

Alternately, you can do dynamic VLAN membership with 802.1x as well but that will still require a back-end RADIUS server somewhere.

B.

From amsoares at netcabo.pt Wed Feb 11 19:49:09 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Thu, 12 Feb 2009 00:49:09 -0000
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <499361C8.4060305@bromirski.net>
References: <4992F2C9.2000009@skoal.name> <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com> <499361C8.4060305@bromirski.net>
Message-ID: <1ACA22C9F233408EA1689A5F17121869@int.convex.pt>

The documentation says that Path MTU discovery is enabled by default for all BGP neighbor sessions:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bgp_neighor.html#wp1054165

So enabling "ip tcp path-mtu-discovery" should not be necessary. But i made some tests with 12.0S and it seems the documentation is not accurate:

- In the same 1500 bytes MTU ethernet segment, without that command the SYN packet is sent with MSS=536 bytes.
- With that command, the SYN packet is sent with MSS=1460 bytes.

This seems buggy to me :(

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lukasz Bromirski
Sent: Wednesday, 11 February 2009 23:40
To: Jose Conceicao
Cc: cisco-nsp
Subject: Re: [c-nsp] BGP MSS=576 bytes

On 2009-02-11 21:51, Jose Conceicao wrote:

> After choosing whatever preferred method, wouldn't these BGP sessions
> need to be re-established to take effect? (since MSS is only carried
> in SYN and SYN/ACKs)

Sure.

> And shouldn't u account for TCP/IP overhead? (just being lazy by not
> testing this in lab)

TCP/IP overhead of what actually?

Here's a whitepaper on PMTUD/MSS:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

And there's CSCef52888 for all of You pre 12.2(18)SXF12 guys which doesn't actually have PMTUD do its work.

--
"Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From dale.shaw+cisco-nsp at gmail.com Wed Feb 11 20:44:58 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Thu, 12 Feb 2009 12:44:58 +1100
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <1ACA22C9F233408EA1689A5F17121869@int.convex.pt>
References: <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com> <499361C8.4060305@bromirski.net> <1ACA22C9F233408EA1689A5F17121869@int.convex.pt>
Message-ID:
<3329cbb40902111744r54310c15j72331c6ebf36a261@mail.gmail.com>

Hi,

2009/2/12 Antonio Soares :

> This seems buggy to me :(

Bad documentation, at least. The IOS 12.4 *mainline* command reference and config guide waffle on and on about 'bgp transport' yet the command (BGP router config mode or per-neighbour) doesn't even exist in that train.

I suspect when it does exist (allegedly in 12.2(33)SRA, 12.2(31)SB, and 12.2(33)SXH and 12.4(20)T), the behaviour is as described -- BGP uses the BGP-specific TCP MSS settings. Without it, it uses the global default (PMTUD off), and you need the 'ip tcp path-mtu-discovery' global command to make it work.

I've tested it on IOS 12.4 mainline and even for directly connected neighbours, MSS is 516 bytes. Once 'ip tcp path-mtu-discovery' is switched on (on both peers), MSS is 1440 bytes.

cheers,
Dale

From juxiangt at yahoo.com Wed Feb 11 20:08:33 2009
From: juxiangt at yahoo.com (judy teng)
Date: Wed, 11 Feb 2009 17:08:33 -0800 (PST)
Subject: [c-nsp] How to change I, and MS bits in OSPF DBD
Message-ID: <849281.15779.qm@web90604.mail.mud.yahoo.com>

Hello list,

I tried to set up an ospf connection between one access Cisco router (CE) and Redback routers (PE) in lab. But it gets stuck in Exchange state. Debug messages show "EXCHANGE - OPTIONS/INIT not match". The Pcap shows DBD bits mismatch. Any idea to change I and MS bits in Cisco router 1841.

cisco
DB Description: 0x02 (M)
.... 0... = R: OOBResync bit is NOT set
.... .0.. = I: Init bit is NOT set
.... ..1. = M: More bit is SET
.... ...0 = MS: Master/Slave bit is NOT set

Redback
DB Description: 0x07 (I, M, MS)
.... 0... = R: OOBResync bit is NOT set
.... .1.. = I: Init bit is SET
.... ..1. = M: More bit is SET
.... ...1 = MS: Master/Slave bit is SET

Thanks,
Judy

From sethm at rollernet.us Wed Feb 11 21:33:39 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 11 Feb 2009 18:33:39 -0800
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <3329cbb40902111744r54310c15j72331c6ebf36a261@mail.gmail.com>
References: <20090211154922.GA17422@puck.nether.net> <9E07F8717FE8BC4FBAE6860F61EA6C1D0205B524@spsrvmail03.nec.br> <000001c98c6e$a18a33d0$e49e9b70$@org> <1234379236.18450.4.camel@localhost.localdomain> <499325E8.3060304@justinshore.com> <499336E0.7090101@bromirski.net> <6fcc278a0902111251y2dc1f7c5w1a2c43a0c3b25cdf@mail.gmail.com> <499361C8.4060305@bromirski.net> <1ACA22C9F233408EA1689A5F17121869@int.convex.pt> <3329cbb40902111744r54310c15j72331c6ebf36a261@mail.gmail.com>
Message-ID: <49938A83.10203@rollernet.us>

Dale Shaw wrote:

> Hi,
>
> 2009/2/12 Antonio Soares :
>> This seems buggy to me :(
>
> Bad documentation, at least. The IOS 12.4 *mainline* command reference
> and config guide waffle on and on about 'bgp transport' yet the
> command (BGP router config mode or per-neighbour) doesn't even exist
> in that train.
>
> I suspect when it does exist (allegedly in 12.2(33)SRA, 12.2(31)SB,
> and 12.2(33)SXH and 12.4(20)T), the behaviour is as described -- BGP
> uses the BGP-specific TCP MSS settings. Without it, it uses the global
> default (PMTUD off), and you need the 'ip tcp path-mtu-discovery'
> global command to make it work.
>
> I've tested it on IOS 12.4 mainline and even for directly connected
> neighbours, MSS is 516 bytes. Once 'ip tcp path-mtu-discovery' is
> switched on (on both peers), MSS is 1440 bytes.
>

Just for fun I looked at my BGP mesh and found the following:

* Directly connected neighbors MTU=516
* Transit to upstreams MTU=1440 or 1460

This is under 12.4(16) and I've never touched 'ip tcp path-mtu-discovery' or per-neighbor MTU settings.

~Seth

From mtinka at globaltransit.net Wed Feb 11 22:13:47 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 12 Feb 2009 11:13:47 +0800
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To: <49938A83.10203@rollernet.us>
References: <3329cbb40902111744r54310c15j72331c6ebf36a261@mail.gmail.com> <49938A83.10203@rollernet.us>
Message-ID: <200902121113.51512.mtinka@globaltransit.net>

On Thursday 12 February 2009 10:33:39 am Seth Mattinen wrote:

> Just for fun I looked at my BGP mesh and found the
> following:
>
> * Directly connected neighbors MTU=516
> * Transit to upstreams MTU=1440 or 1460
>
> This is under 12.4(16) and I've never touched 'ip tcp
> path-mtu-discovery' or per-neighbor MTU settings.

From our busier route reflectors (7201's), we are seeing:

* For v4, some of our IOS routers are agreeing on 1,440 bytes, while others on 8,916 bytes. Need to look into the difference here - I recall we recently replaced a defective route reflector, which is the one registering the higher MTU.

* For v6, all our IOS routers are agreeing on 8,896 bytes.

Interface MTU is 9,000 bytes on all router interfaces. IOS code is 12.2(33)SRC3.

We have nearly similar values for our JunOS routers peering with the route reflectors, but not sure that's relevant here.

Suffice it to say that 'ip tcp path-mtu-discovery' isn't configured, although it is enabled by default for BGP:

#sh ip bgp neighbors
Transport(tcp) path-mtu-discovery is enabled

#sh bgp ipv6 unicast neighbors
Transport(tcp) path-mtu-discovery is enabled

For routers where we've configured 'no bgp transport path-mtu-discovery' under the BGP process (for troubleshooting/testing), we've registered an agreed value of 516 bytes. eBGP sessions to downstreams is at 1,440 bytes.

Cheers,

Mark.
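An added example for the BGP MSS thread above (not code from any poster): it parses the 'Transport(tcp) path-mtu-discovery' and 'max data segment' lines of a `show ip bgp neighbors` excerpt and flags sessions still at the small default MSS, distinguishing peers that need PMTUD switched on from peers that have it on but need the session re-established. The exact output line formats and the sample excerpt are assumptions (the sample is constructed, not a router capture).

```python
"""Audit BGP session MSS from 'show ip bgp neighbors' text (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP default MSS when no MSS option is negotiated (RFC 879: 576 - 40 bytes).
# IOS in the thread reports 516 or 536 for such sessions.
DEFAULT_MSS = 536

# Constructed sample excerpt; assumed to follow the IOS line formats
# 'BGP neighbor is A.B.C.D,  remote AS N, ...',
# 'Transport(tcp) path-mtu-discovery is enabled|disabled' and
# 'Datagrams (max data segment is N bytes):'.
SAMPLE_SHOW_OUTPUT = """\
BGP neighbor is 10.0.0.2,  remote AS 65000, internal link
  BGP state = Established, up for 3d02h
  Transport(tcp) path-mtu-discovery is enabled
  Datagrams (max data segment is 516 bytes):
BGP neighbor is 192.0.2.1,  remote AS 64496, external link
  BGP state = Established, up for 1w2d
  Transport(tcp) path-mtu-discovery is disabled
  Datagrams (max data segment is 536 bytes):
BGP neighbor is 10.0.0.3,  remote AS 65000, internal link
  BGP state = Established, up for 5d11h
  Transport(tcp) path-mtu-discovery is enabled
  Datagrams (max data segment is 1460 bytes):
"""


@dataclass
class BgpNeighbor:
    address: str
    remote_as: int
    pmtud_enabled: Optional[bool]  # None when the line was not seen
    mss: Optional[int]             # None when the line was not seen


_NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+?),\s+remote AS (\d+)")
_PMTUD_RE = re.compile(r"Transport\(tcp\) path-mtu-discovery is (enabled|disabled)")
_MSS_RE = re.compile(r"max data segment is (\d+) bytes")


def parse_bgp_neighbors(text: str) -> List[BgpNeighbor]:
    """Split the show output into one record per neighbor block."""
    neighbors: List[BgpNeighbor] = []
    current: Optional[BgpNeighbor] = None
    for line in text.splitlines():
        m = _NEIGHBOR_RE.match(line)
        if m:
            current = BgpNeighbor(m.group(1), int(m.group(2)), None, None)
            neighbors.append(current)
            continue
        if current is None:
            continue  # text before the first neighbor block
        m = _PMTUD_RE.search(line)
        if m:
            current.pmtud_enabled = m.group(1) == "enabled"
            continue
        m = _MSS_RE.search(line)
        if m:
            current.mss = int(m.group(1))
    return neighbors


def audit_mss(neighbors: List[BgpNeighbor], link_mtu: int = 1500) -> List[Tuple[str, int, str]]:
    """Return (address, mss, finding) for sessions whose MSS is smaller than the link allows.

    A 1500-byte link carries at most 1460 bytes of TCP payload; 1440 is common once
    TCP options are in use, so anything down to link_mtu - 80 (20-byte IPv4 header
    plus a maximal 60-byte TCP header) is accepted as healthy.
    """
    min_ok = link_mtu - 80
    findings = []
    for n in neighbors:
        if n.mss is None or n.mss >= min_ok:
            continue
        if n.mss <= DEFAULT_MSS:
            if n.pmtud_enabled:
                reason = ("PMTUD enabled but MSS still at the default: both peers need "
                          "PMTUD on and the session must be re-established (MSS is only "
                          "exchanged in SYN/SYN-ACK)")
            else:
                reason = ("PMTUD not enabled: configure 'ip tcp path-mtu-discovery' "
                          "(or per-neighbor transport path-mtu-discovery) on both peers")
        else:
            reason = "MSS below what the link MTU allows: check the path MTU to this peer"
        findings.append((n.address, n.mss, reason))
    return findings


if __name__ == "__main__":
    for addr, mss, why in audit_mss(parse_bgp_neighbors(SAMPLE_SHOW_OUTPUT)):
        print(f"{addr}: MSS {mss} - {why}")
```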
From mtinka at globaltransit.net Wed Feb 11 23:59:12 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 12 Feb 2009 12:59:12 +0800
Subject: [c-nsp] VTP domain.
In-Reply-To: <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
References: <20090210102330.K55176@pop.citytel.net> <4992ABC0.7050100@heanet.ie> <76EDD0CB80234F5CB478CC01858AC161@GINKGO>
Message-ID: <200902121259.12955.mtinka@globaltransit.net>

On Wednesday 11 February 2009 10:04:54 pm Adam Greene wrote:

> We're getting pretty tired of adding / removing VLANs
> manually throughout various parts of our network, and
> find that it is prone to sloppiness (i.e. vlans being
> left on links where they don't belong).

In our case, VLAN's (and their associated VLAN ID's) start and end on the router-switch pair. The Layer 2 backbone is driven by an MPLS control plane.

We have negligible situations where customers span multiple switches and need to maintain the same VLAN ID, so we're handling this manually for the time being.

Cheers,

Mark.

From chris.garzon at gmail.com Thu Feb 12 01:52:02 2009
From: chris.garzon at gmail.com (Dracul)
Date: Thu, 12 Feb 2009 14:52:02 +0800
Subject: [c-nsp] IOS and 4 byte ASNs
Message-ID: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com>

Hi List,

does the current 12-4 IOS versions support 4 byte ASNs? Or do i need to upgrade my routers to IOS-XR

Best regards,
Chris

From swmike at swm.pp.se Thu Feb 12 01:58:51 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 12 Feb 2009 07:58:51 +0100 (CET)
Subject: [c-nsp] IOS and 4 byte ASNs
In-Reply-To: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com>
References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com>
Message-ID:

On Thu, 12 Feb 2009, Dracul wrote:

> does the current 12-4 IOS versions support 4 byte ASNs? Or do i need to
> upgrade my routers to IOS-XR

No, 12.4 does not support this.

12.0S is getting 32bit ASN in 12.0(32)SY8 and 12.0(32)S12 has it (but with the undesirable feature regarding confederation and session teardown) but S13 will have this behaviour changed if I understood correctly (and it's already "right" in SY8).

--
Mikael Abrahamsson email: swmike at swm.pp.se

From chris.garzon at gmail.com Thu Feb 12 03:56:40 2009
From: chris.garzon at gmail.com (Dracul)
Date: Thu, 12 Feb 2009 16:56:40 +0800
Subject: [c-nsp] IOS and 4 byte ASNs
In-Reply-To:
References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com>
Message-ID: <876789290902120056g7049c39dm4e2ede31316710b0@mail.gmail.com>

Thanks Mik,

But does that mean in order for a supported IOS (for the 4 byte ASN) I will have to compromise some features that i get from 12-4?

regards,
chris

On Thu, Feb 12, 2009 at 2:58 PM, Mikael Abrahamsson wrote:

> On Thu, 12 Feb 2009, Dracul wrote:
>
>> does the current 12-4 IOS versions support 4 byte ASNs? Or do i need to
>> upgrade my routers to IOS-XR
>
> No, 12.4 does not support this.
>
> 12.0S is getting 32bit ASN in 12.0(32)SY8 and 12.0(32)S12 has it (but with
> the undesirable feature regarding confederation and session teardown) but
> S13 will have this behaviour changed if I understood correctly (and it's
> already "right" in SY8).
>
> --
> Mikael Abrahamsson email: swmike at swm.pp.se
>

From llc at dansketelecom.com Thu Feb 12 04:06:16 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Thu, 12 Feb 2009 10:06:16 +0100
Subject: [c-nsp] IOS and 4 byte ASNs
In-Reply-To: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com>
References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com>
Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com>

Hi Chris

4 byte ASNs will be supported on most platforms throughout this year. IOS-XR should already support it. However, in the mean time you can setup peerings using the AS23456 as your neighbouring AS.

ASR1000 should have it in RLS 3 and 7600/7200 should have it in 12.2(33)SRE.

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292

Danske Telecom A/S
Sundkrogsgade 13, 4
2100 København Ø

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul
Sent: 12 February 2009 07:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IOS and 4 byte ASNs

Hi List,

does the current 12-4 IOS versions support 4 byte ASNs? Or do i need to upgrade my routers to IOS-XR

Best regards,
Chris

From shivlu.jain at gmail.com Thu Feb 12 05:26:48 2009
From: shivlu.jain at gmail.com (Shivlu Jain)
Date: Thu, 12 Feb 2009 15:56:48 +0530
Subject: [c-nsp] Weird Issue 12.2 31 SB Internet Issue In MPLS
Message-ID:

We upgraded the core PE 7200 router to SB 13 ios.
The weird issue we faced is that if the vrf internet which is having default route is configured on that PE and the custmer is serving from its vrf by vrf leaking on the same router is not able to access the internet. If we migrate the default route on any other router then it works fine. Does anyone have visibilty for the problem? -- Thanks & Regards shivlu jain From elmi at 4ever.de Thu Feb 12 06:07:11 2009 From: elmi at 4ever.de (Elmar K. Bins) Date: Thu, 12 Feb 2009 12:07:11 +0100 Subject: [c-nsp] Cisco SLB on 7201s - custom probes? Message-ID: <20090212110710.GA27070@ronin.4ever.de> Hi gents, maybe someone can give me a hint on where to look. Newer Cisco SLB (server load balancing) documents mention the "ip slb probe..." command, which I'd like to use - I want to balance not web servers or firewalls, but DNS... My 7201, running some 12.4(15)T3, doesn't know about "ip slb probe". The software advisor doesn't list any feature that comes closer than "SLB: Ping Probes" which doesn't help here. My questions: - is there some IOS for 7201s that does custom probes? - how can I find it? Thanks for your help, Elmar. From swmike at swm.pp.se Thu Feb 12 06:09:09 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 12 Feb 2009 12:09:09 +0100 (CET) Subject: [c-nsp] IOS and 4 byte ASNs In-Reply-To: <876789290902120056g7049c39dm4e2ede31316710b0@mail.gmail.com> References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> <876789290902120056g7049c39dm4e2ede31316710b0@mail.gmail.com> Message-ID: On Thu, 12 Feb 2009, Dracul wrote: > But does that mean in order for a supported IOS (for the 4 byte ASN) I > will have to compromise some features that i get from 12-4? Yes, 12.0S lacks a lot of what you probably use in 12.4. If you need 32bit ASN I guess the most compatible version of IOS which might get 32bit ASN (I don't have any concrete info though) would be 12.2SR-something or 12.4T. 
-- Mikael Abrahamsson email: swmike at swm.pp.se From sandmaier at schlund.net Thu Feb 12 07:26:50 2009 From: sandmaier at schlund.net (sandmaier at schlund.net) Date: Thu, 12 Feb 2009 13:26:50 +0100 Subject: [c-nsp] OSM-1OC48-POS-SS(+) for 7600/6500 Message-ID: <4994158A.1070605@schlund.net> Hi all, does anybody know what the differences are between OSM-1OC48-POS-SS and OSM-1OC48-POS-SS+ ? AFAIK the differences only concern QoS. I'm not sure if my assumptions are true: The OSM has a 8 GBps uplink in the Sup-SF and use the PFC for the forwarding decision (IPv4/6/MPLS) and QoS marking/policing, while PXF is used for queuing/scheduling. Not sure if LLQ, CBWFQ, WRED is completely unsupported on the !+ or if there are only limitations. Is this historically with the exception of the queuing/scheduling stuff?: OSR were originally designed for the 7600OSR and used this PXF (parallel xpress forwarding) directly on the linecard for forwarding and everything else. The enhanced version has for PXF double Route Table Memory and Packet Processing Memory and 4 times Backet Buffer, 6Mpps to 3Mpps throughput, more queues and VRFs and enhanced QoS (LLQ, CBWFQ, WRED). Thanks, Jan From almidoster at gmail.com Thu Feb 12 09:04:57 2009 From: almidoster at gmail.com (almidoster at gmail.com) Date: Thu, 12 Feb 2009 09:04:57 -0500 Subject: [c-nsp] Dynamic Vlan with 3750 In-Reply-To: <002101c98ca0$6169cef0$243d6cd0$@id.au> References: <002101c98ca0$6169cef0$243d6cd0$@id.au> Message-ID: I have found some programs opensource to deploy a VMPS server, I will be trying setting up on linux server. If you know another program, please notify me. Thanks. http://sourceforge.net/projects/vmps http://kobesearch.cpan.org/htdocs/VMPS-Server/ Regards 2009/2/11 Brett Looney : >> I have one switch 3750 and five 3560 switches in my LAN, the >> central switch is 3750, > >> I want to deploy dynamic vlan, it is posible to deploy with >> these models, I heart that I would have buy a 6500. 
>
> If you're referring to VMPS the 3560/3750 do support it but only in client
> mode so you'll need to set up a VMPS server. You can get a 6500 to be a VMPS
> server but only with CatOS so your best bet is an external server - Google
> VMPS server and there are a few to choose from. I've done this and it works
> well.
>
> Alternately, you can do dynamic VLAN membership with 802.1x as well but that
> will still require a back-end RADIUS server somewhere.
>
> B.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From A.L.M.Buxey at lboro.ac.uk Thu Feb 12 09:26:12 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 12 Feb 2009 14:26:12 +0000
Subject: [c-nsp] Dynamic Vlan with 3750
References: <002101c98ca0$6169cef0$243d6cd0$@id.au>
Message-ID: <20090212142612.GB12420@lboro.ac.uk>

Hi,

> I have found some programs opensource to deploy a VMPS server, I will
> be trying setting up on linux server. If you know another program,
> please notify me. Thanks.

FreeRADIUS. Very very fast at doing VMPS - we use it.

alan

From achatz at forthnet.gr Thu Feb 12 10:34:12 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 12 Feb 2009 17:34:12 +0200
Subject: [c-nsp] how to clear the counters of the policy-map under the control-plane
Message-ID: <49944174.3000206@forthnet.gr>

Any idea how to clear the counters of the policy-map under the control-plane on a 7200 (31SB12)?

I have tried all of the following, but nothing works.
clear control-plane
clear control-plane *
clear counters

--
Tassos

From steve.mcnamara at gmail.com Thu Feb 12 11:30:53 2009
From: steve.mcnamara at gmail.com (Steve McNamara)
Date: Thu, 12 Feb 2009 16:30:53 +0000
Subject: [c-nsp] WS-SVC-IDSM-2 visio icon
Message-ID: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com>

Hello All,

I'm looking for a Visio icon for a WS-SVC-IDSM-2 without any luck. I've downloaded the complete Visio icon zip from http://www.cisco.com/en/US/products/prod_visio_icon_list.html, but there's no icon for this module? There are other service modules such as NAM1 & 2 in the 6500 shape stencil, but not this one. Does anyone know where it can be found or have any other suggestions?

Thanks
Steve

From chris at chrisserafin.com Thu Feb 12 12:22:04 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Thu, 12 Feb 2009 11:22:04 -0600
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
Message-ID: <49945ABC.7020706@chrisserafin.com>

Anyone deal with these? They look to have basic IOS functions like all other IOS based Cisco devices, but for some reason, I cannot get one switch to talk to another switch by connecting a straight through cable from the external switch ports of one to another. I'm looking for just basic native VLAN connectivity between the two for today, and then to also have a pair of 2960's upstream to provide data center redundancy.

Google is failing me :(

Thanks,

Chris Serafin
chris at chrisserafin.com

From jason at lixfeld.ca Thu Feb 12 12:31:01 2009
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Thu, 12 Feb 2009 12:31:01 -0500
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <49945ABC.7020706@chrisserafin.com>
References: <49945ABC.7020706@chrisserafin.com>

Not sure if the CIGESMs in the eServer BladeCenters are the same thing, but with those, connectivity between two modules in the same chassis is provided by one of the internal mgmt interfaces. It's Gi0/15 in my case.
I think there's some stuff you have to tweak in the MM gui, but it should be pretty easy to find, although I can't recall off the top of my head.

From streiner at cluebyfour.org Thu Feb 12 12:43:23 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 12 Feb 2009 12:43:23 -0500 (EST)
Subject: [c-nsp] WS-SVC-IDSM-2 visio icon
In-Reply-To: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com>
References: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com>

On Thu, 12 Feb 2009, Steve McNamara wrote:

> I'm looking for a Visio icon for a WS-SVC-IDSM-2 icon without any
> luck. I've downloaded the complete Visio icon zip from
> http://www.cisco.com/en/US/products/prod_visio_icon_list.html, but
> there's no icon for this module? There are other service modules such
> as NAM1 & 2 in the 6500 shape stencil, but not this one. Does anyone
> know where it can be found or have any other suggestions?

If it comes down to it, you can always make one on your own. I've had to do that in several cases.
jms

From mcpick at us.net Thu Feb 12 12:46:51 2009
From: mcpick at us.net (McLean Pickett)
Date: Thu, 12 Feb 2009 12:46:51 -0500
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
References: <49945ABC.7020706@chrisserafin.com>
Message-ID: <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>

Chris -

The CIGESM's are expensive and have limited feature support based on the way they are deployed in the chassis (you can't channel the NICs on the blades). They are additional devices to support and every time the server guys reboot the chassis spanning tree is impacted.

Go with the pass-through modules and connect the blade NIC's to an external switch.

-McLean
From chris at chrisserafin.com Thu Feb 12 12:57:47 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Thu, 12 Feb 2009 11:57:47 -0600
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
Message-ID: <4994631B.3060800@chrisserafin.com>

Weird thing, the ports do not light up with either a x-over or straight through cable. The client is opposed to using the external nics for anything but uplinks to switches... :(
From Gregori.Parker at theplatform.com Thu Feb 12 13:31:27 2009
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Thu, 12 Feb 2009 10:31:27 -0800
Subject: [c-nsp] WS-SVC-IDSM-2 visio icon
References: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com>
Message-ID: <1A9866F953006D45AEE0166066114E09159929F7@TPMAIL02.corp.theplatform.com>

If you're after a physical icon, just doctor the FWSM, there's not much difference. If you're after a logical icon, the generally accepted icon for IDS (at least in my world) is the one called "SwitchProbe" in the Cisco logical shapes list - it's the cube with a magnifying glass on it.

From David at Hughes.com.au Thu Feb 12 17:08:41 2009
From: David at Hughes.com.au (David Hughes)
Date: Fri, 13 Feb 2009 08:08:41 +1000
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>

On 13/02/2009, at 3:46 AM, McLean Pickett wrote:

> The CIGESM's are expensive and have limited feature support based on
> the way they are deployed in the chassis (you can't channel the NICs on the
> blades). They are additional devices to support and every time the server
> guys reboot the chassis spanning tree is impacted.

We have lots of IBM chassis with CIGESMs deployed in the wild and are pretty happy with them. The addition of the L3 Fa port in the 3012 and Protected Mode removes all the strange "chassis module" behavior and makes them a pretty normal switch.

From my perspective, the blade chassis is an enclosure that contains servers, a couple of GigE switches and a couple of FC switches. Conceptually, you can view the enclosure as a small rack. Having server guys just randomly rebooting a chassis would be like having a server guy randomly power cycling a rack. They would not have a happy day. Using passthrough modules removes the advantages of using the blade chassis IMHO.

David
...

From KPowers at canvassystems.com Thu Feb 12 17:10:37 2009
From: KPowers at canvassystems.com (Powers, Kenny)
Date: Thu, 12 Feb 2009 17:10:37 -0500
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig

I have a client that has a SUP720-3BXL in his core and is moving from gige blades to 6708-10G-3C cards. Does he need VS-S720-10G-3C engines to get full capabilities out of the 6708s? Or would the 3BXLs be okay?

Kenny
From sethm at rollernet.us Thu Feb 12 18:13:00 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 12 Feb 2009 15:13:00 -0800
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig
Message-ID: <4994ACFC.9070803@rollernet.us>

Powers, Kenny wrote:
> I have a client that has a SUP720-3BXL in his core and is moving from gige blades to 6708-10G-3C cards. Does he need VS-S720-10G-3C engines to get full capabilities out of the 6708s? or would the 3BXLs be okay?

The VS supervisors are for the virtual switching system (VSS), if I'm not mistaken.

~Seth

From lukasz at bromirski.net Thu Feb 12 18:44:44 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Fri, 13 Feb 2009 00:44:44 +0100
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig
Message-ID: <4994B46C.8040804@bromirski.net>

On 2009-02-12 23:10, Powers, Kenny wrote:
> I have a client that has a SUP720-3BXL in his core and is moving from
> gige blades to 6708-10G-3C cards. Does he need VS-S720-10G-3C
> engines to get full capabilities out of the 6708s? or would the 3BXLs
> be okay?

This is rolled over on this list at least once a week. For 6500 you have an option to do distributed processing/forwarding by use of DFCs - which are essentially a copy of the PFC that's on the Supervisor. To be able to get full functionality of the system, you need to match the PFC type with the DFC type. So, VS-S720-10G-3C uses PFC3C for processing.
Essentially, PFC3C/CXL have better MAC scalability (96k vs 64k) and some bugs fixed over PFC3B/BXL. If you'll use Sup720BXL (which means - PFC3-BXL) with the 6708 equipped with DFC3C, the system will 'downgrade' the DFCs 3C to 3B level as the lowest common denominator[1]. So yes, it is okay and will work, but with the above limitation.

[1] https://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/prod_bulletin0900aecd806ee29a.html

--
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From gert at greenie.muc.de Thu Feb 12 19:27:47 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 13 Feb 2009 01:27:47 +0100
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig
In-Reply-To: <4994ACFC.9070803@rollernet.us>
References: <4994ACFC.9070803@rollernet.us>
Message-ID: <20090213002746.GX290@greenie.muc.de>

Hi,

On Thu, Feb 12, 2009 at 03:13:00PM -0800, Seth Mattinen wrote:
> The VS supervisors are for the virtual switching system (VSS), if I'm
> not mistaken.

The VS supervisors are a strict requirement to *have* if you want to use VSS - but you can use them as a "fast Sup with 10G ports" just fine, with no VSS.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From David at Hughes.com.au Thu Feb 12 20:27:00 2009
From: David at Hughes.com.au (David Hughes)
Date: Fri, 13 Feb 2009 11:27:00 +1000
Subject: [c-nsp] SUP upgrade when moving from Gig to 10gig
In-Reply-To: <4994ACFC.9070803@rollernet.us>
References: <4994ACFC.9070803@rollernet.us>

On 13/02/2009, at 9:13 AM, Seth Mattinen wrote:
> The VS supervisors are for the virtual switching system (VSS), if I'm
> not mistaken.
The VS sup's are sup's that can also do VSS. We are running them in a few boxes for their onboard 10GigE ports without using VSS. All is good.

David
...

From llc at dansketelecom.com Fri Feb 13 04:59:51 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Fri, 13 Feb 2009 10:59:51 +0100
Subject: [c-nsp] IOS and 4 byte ASNs
In-Reply-To: <20090213093233.GH21570@f17.dmitry.net>
References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com> <20090213093233.GH21570@f17.dmitry.net>
Message-ID: <44417CD2F19FEA4F885088340A71D33201B4F985@mail.office.dansketelecom.com>

Hi Dmitry

Well... It depends on whether you have been given a 4-byte ASN or it is your neighbor who has the 4-byte ASN.

Have a look at http://as4.cluepon.net/index.php/Example_Configurations#Cisco_IOS

To be honest, I haven't done any setups yet with the 4-byte ASN, but it may be interesting to do some testing...

Regards,
Lars Christensen
CCIE #20292
From dmitry at dmitry.net Fri Feb 13 04:32:33 2009
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Fri, 13 Feb 2009 11:32:33 +0200
Subject: [c-nsp] IOS and 4 byte ASNs
In-Reply-To: <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com>
References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com>
Message-ID: <20090213093233.GH21570@f17.dmitry.net>

Hello!

On Thu, Feb 12, 2009 at 10:06:16AM +0100, Lars Lystrup Christensen wrote:
> Hi Chris
>
> 4 byte ASNs will be supported on most platforms throughout this year.
> IOS-XR should already support it.
>
> However, in the mean time you can setup peerings using the AS23456 as your neighbouring AS.
>
> ASR1000 should have it in RLS 3 and 7600/7200 should have it in 12.2(33)SRE.

Does this mean that I should configure "router bgp 23456" if I already have a 32-bit ASN? And what should I do if my eBGP neighbor has a 32-bit ASN too and runs this fine software called "IOS"?

router bgp 23456
 neighbor X.X.X.X remote-as 23456
 neighbor X.X.X.X allowas-in
?
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul
> Sent: 12. februar 2009 07:52
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IOS and 4 byte ASNs
>
> Hi List,
>
> do the current 12-4 IOS versions support 4 byte ASNs? Or do I need to
> upgrade my routers to IOS-XR
>
> Best regards,
> Chris

--
Dmitry Kiselev

From gert at greenie.muc.de Fri Feb 13 05:38:40 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 13 Feb 2009 11:38:40 +0100
Subject: [c-nsp] IOS and 4 byte ASNs
In-Reply-To: <20090213093233.GH21570@f17.dmitry.net>
References: <876789290902112252x4b65c8d0pb2b6497d536cc8b6@mail.gmail.com> <44417CD2F19FEA4F885088340A71D33201B4F82B@mail.office.dansketelecom.com> <20090213093233.GH21570@f17.dmitry.net>
Message-ID: <20090213103840.GD290@greenie.muc.de>

Hi,

On Fri, Feb 13, 2009 at 11:32:33AM +0200, Dmitry Kiselev wrote:
> Does this mean that I should configure "router bgp 23456" if I already have a 32-bit ASN?

If *you* have a 32bit-ASN, you need a 32bit-ASN-capable router OS.

> And what should I do if my eBGP neighbor has a 32-bit ASN too and runs this fine
> software called "IOS"?
> router bgp 23456
>  neighbor X.X.X.X remote-as 23456
>  neighbor X.X.X.X allowas-in
> ?

... if your neighbours have 32-bit ASNs, and your router software cannot do it yet, configure "remote-as 23456" on your side, yes.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From AMcglinchey at wiseman-dairies.co.uk Fri Feb 13 11:02:40 2009
From: AMcglinchey at wiseman-dairies.co.uk (Alun Mcglinchey)
Date: Fri, 13 Feb 2009 16:02:40 +0000
Subject: [c-nsp] Alun Mcglinchey is out of the office.

I will be out of the office starting 06/02/2009 and will not return until 16/02/2009. I will respond to your message when I return; if your query is urgent please contact the IT servicedesk team on 6634 or email Cameron McKinnon (cmckinnon at wiseman-dairies.co.uk)
From chris at chrisserafin.com Fri Feb 13 11:52:16 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Fri, 13 Feb 2009 10:52:16 -0600
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
Message-ID: <4995A540.5010007@chrisserafin.com>

So how do you have this implemented? I see the L3 fa0 port connects to the internal 'virtual switch chassis' and the rest is L2.....

I'm trying to setup Citrix XEN VM Server on the blades and thinking this is how I will do it: I will have a pair of 2960's upstream that will have 2 bonded etherchannels going into each switch blade from each 2960. The etherchannels will be trunk links and then I will configure the internal virtual switchports as trunks going into the XEN Server....XEN is just like VMware/ESX...... the server tags the VLANs depending on what network they need to be on.

Make sense at all? I've been google'ing until my eyes bleed trying to get up to speed on these devices.
From lgeyer at gmail.com Fri Feb 13 12:02:10 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 12:02:10 -0500
Subject: [c-nsp] EoMPLS - port mode to vlan mode
Message-ID: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>

Hey there.

Does anybody here happen to have any experience working with pseudo wires that are port-tunneled on one side and vlan-tunneled on the other? Having a bear of a time trying to figure out why I cannot pass any traffic over a vc that's configured in this fashion.
Switch A (7609/rsp720-3cxl-10ge) ------ MPLS ------ Switch B (7609/rsp720-3cxl-10ge)

Both switches have LAN cards only (no SIP or FlexWAN here) and run 12.2(33)SRC3

Switch A
-------------
interface GigabitEthernet2/1
 mtu 9216
 no ip address
 load-interval
 speed nonegotiate
 xconnect 100 encapsulation mpls
end

Switch B
-------------
interface TenGigabitEthernet3/1
 mtu 9216
 no ip address
 load-interval 30
end

interface TenGigabitEthernet3/1.100
 encapsulation dot1Q 100
 xconnect 100 encapsulation mpls
end

The VC comes up fine on both sides, but the only way I can get any traffic to pass is if I'm either vlan-tunneled or port-tunneled on both sides. So far I'm hearing conflicting things from TAC on whether this will work or not. The maddening part is that we already have VCs in place where type 4 to type 5 VCs work just fine. The difference in at least one of the working cases is that the port-tunneled VC is on a 6500 running 12.2(18)SXF9.

I'm a bit apprehensive about debugging this issue in production right now and TAC has been slow to get back with me so I'd appreciate any feedback.

Thanks,
Laurent

From justin at justinshore.com Fri Feb 13 12:10:18 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 13 Feb 2009 11:10:18 -0600
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
Message-ID: <4995A97A.2060800@justinshore.com>

Laurent Geyer wrote:
> interface TenGigabitEthernet3/1.100
>  encapsulation dot1Q 100
>  xconnect 100 encapsulation mpls
> end

Are you sure that you're not getting any traffic out of Te3/1.100? My thought would be that you're inputting untagged traffic on Gi2/1 but tagged traffic on Te3/1.100. I would expect to see traffic coming out of either int that's being discarded by the device on either side but that's just my thought. I don't have many L2VPNs in place at this time.
I always heard though that the VLAN tag had to match on both sides if it existed at all.

Justin

From lgeyer at gmail.com Fri Feb 13 12:44:51 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 12:44:51 -0500
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <4995A97A.2060800@justinshore.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com> <4995A97A.2060800@justinshore.com>
Message-ID: <39647f4d0902130944r3105113bx10a0c955b0b892f1@mail.gmail.com>

On Fri, Feb 13, 2009 at 12:10 PM, Justin Shore wrote:
> Laurent Geyer wrote:
>>
>> interface TenGigabitEthernet3/1.100
>>  encapsulation dot1Q 100
>>  xconnect 100 encapsulation mpls
>> end
>
> Are you sure that you're not getting any traffic out of Te3/1.100? My
> thought would be that you're inputting untagged traffic on Gi2/1 but tagged
> traffic on Te3/1.100. I would expect to see traffic coming out of either
> int that's being discarded by the device on either side but that's just my
> thought. I don't have many L2VPNs in place at this time. I always heard
> though that the VLAN tag had to match on both sides if it existed at all.

I'm absolutely positive unfortunately.

From what I understand, and anybody correct me if I'm wrong please, the dot1q tag in the header is only needed for the label imposition on the ingress side. The egress interface for the traffic is determined by an LFIB lookup, not by information that's part of the original ethernet frame, so it shouldn't really matter that one side is untagged.
- Laurent

From saku+cisco-nsp at ytti.fi  Fri Feb 13 13:25:28 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 13 Feb 2009 20:25:28 +0200
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
Message-ID: <20090213182528.GA9212@mx.ytti.net>

On (2009-02-13 12:02 -0500), Laurent Geyer wrote:
> Does anybody here happen to have any experience working with pseudo
> wires that are port-tunneled on one side and vlan-tunneled on the
> other? Having a bear of a time trying to figure out why I cannot pass

You need to configure interworking. Instead of encap mpls, use pw-class foo and configure foo as ethernet interworking.

-- 
  ++ytti

From lgeyer at gmail.com  Fri Feb 13 13:50:43 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 13:50:43 -0500
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <20090213182528.GA9212@mx.ytti.net>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
	<20090213182528.GA9212@mx.ytti.net>
Message-ID: <39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com>

On Fri, Feb 13, 2009 at 1:25 PM, Saku Ytti wrote:
> On (2009-02-13 12:02 -0500), Laurent Geyer wrote:
>
>> Does anybody here happen to have any experience working with pseudo
>> wires that are port-tunneled on one side and vlan-tunneled on the
>> other? Having a bear of a time trying to figure out why I cannot pass
>
> You need to configure interworking. Instead of encap mpls,
> use pw-class foo and configure foo as ethernet interworking.

Ok, so ethernet interworking defines the pseudo wire type; you still have to configure mpls encapsulation. I can see why you would have to define that in a pseudo wire class, but if you're configuring the encapsulation on an interface the VC type should be implicit. Any reason why you believe I need to use pseudo wire classes here?
- Laurent

From rmcconner at gmail.com  Fri Feb 13 14:05:50 2009
From: rmcconner at gmail.com (Ross McConner)
Date: Fri, 13 Feb 2009 14:05:50 -0500
Subject: [c-nsp] untagged to QinQ switch ports
Message-ID: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>

Maybe I'm just hitting my head against a wall and therefore can't see the answer..

I'm looking for a way to take a non-trunked ethernet port and encapsulate any of the L2 packets into a double-tagged dot1q vlan.

Basically my provider gives me a single circuit with 802.1q and then tunnels vlans to different destinations (most likely via xconnects). At this (small) location I don't need to have all the vlans in use, just specific ones - so I'm looking for a way to do it without installing a 2nd switch in front of the cisco just to create the inner vlan tags, which is what all of cisco's documentation assumes.

In pseudo IOS - what I'd like to do:

!
interface FastEthernet 0/0
 switchport access vlan 10 20
!
interface FastEthernet 0/1
 switchport access vlan 50 60
!
interface FastEthernet 1/0
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,60
!

Is this possible at all?

From lgeyer at gmail.com  Fri Feb 13 14:12:28 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 14:12:28 -0500
Subject: [c-nsp] untagged to QinQ switch ports
In-Reply-To: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>
References: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>
Message-ID: <39647f4d0902131112g20d3a05en75408ba66c60336e@mail.gmail.com>

On Fri, Feb 13, 2009 at 2:05 PM, Ross McConner wrote:
> Maybe I'm just hitting my head against a wall and therefore can't see the
> answer..
>
> I'm looking for a way to take a non-trunked ethernet port and encapsulate
> any of the L2 packets into a double-tagged dot1q vlan.
>
> Basically my provider gives me a single circuit with 802.1q and then tunnels
> vlans to different destinations (most likely via xconnects). At this
> (small) location I don't need to have all the vlans in use, just specific
> ones - so I'm looking for a way to do it without installing a 2nd switch in
> front of the cisco just to create the inner vlan tags, which is what all of
> cisco's documentation assumes.

Here is something I've seen working before.

interface fa0/1
 switchport
 switchport access vlan
 switchport mode dot1q-tunnel

interface fa0/1
 switchport

From lgeyer at gmail.com  Fri Feb 13 14:17:25 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 14:17:25 -0500
Subject: [c-nsp] untagged to QinQ switch ports
In-Reply-To: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>
References: <44f77d120902131105l2bc06ea2q75f26975806c9145@mail.gmail.com>
Message-ID: <39647f4d0902131117w7f7eacffm230262dd405ceb83@mail.gmail.com>

On Fri, Feb 13, 2009 at 2:05 PM, Ross McConner wrote:
> Maybe I'm just hitting my head against a wall and therefore can't see the
> answer..
>
> I'm looking for a way to take a non-trunked ethernet port and encapsulate
> any of the L2 packets into a double-tagged dot1q vlan.
>
> Basically my provider gives me a single circuit with 802.1q and then tunnels
> vlans to different destinations (most likely via xconnects). At this
> (small) location I don't need to have all the vlans in use, just specific
> ones - so I'm looking for a way to do it without installing a 2nd switch in
> front of the cisco just to create the inner vlan tags, which is what all of
> cisco's documentation assumes.

Sorry for the previous mail, hit some weird gmail keyboard shortcut.

Here is what I've seen work before.
interface fa0/1
 switchport
 switchport access vlan
 switchport mode dot1q-tunnel
end

interface fa0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50,60
 switchport mode trunk
end

interface fa0/3
 switchport
 switchport access vlan
 switchport mode access
end

Connect a crossover cable between fa0/1 and fa0/2 and put the access ports you want double tagged over the provider link in the respective access vlan. Of course your layer2 path will have to have the necessary MTU size to carry the double tagged frames.

- Laurent

From paul at paulstewart.org  Fri Feb 13 14:21:46 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 13 Feb 2009 14:21:46 -0500
Subject: [c-nsp] 7600 SVI + Subinterface Question
Message-ID: <000001c98e10$4ffc5e50$eff51af0$@org>

Hi folks...

I believe the answer is no but worth asking... we have a large VLAN database on some 6500's with VTP running. On one of these 7600's we have many SVI interfaces which in turn are trunked on GigE's to other layer2 switches...

We have a client coming onboard that we need to possibly send about 60 layer3 connections over a GigE trunk connection but the requested VLAN numbers are mostly already in use on the 7600. Without getting into other options can I do the following??

Interface vlan 300
 Descr test test
 Ip address 10.10.10.1 255.255.255.248

Interface GigE9/1
 Switchport mode trunk
 Switchport trunk allowed vlan 300

Interface GigE9/8.300
 Descr Another customer
 IP address 192.168.0.1 255.255.255.240

I realize this gets mapped to internal VLAN's but in this case will those VLAN's co-exist or conflict?

Thanks,

Paul

From MLouis at nwnit.com  Fri Feb 13 14:24:35 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 13 Feb 2009 14:24:35 -0500
Subject: [c-nsp] 6500 VTP and VLANs disappearing
Message-ID: 

Hey all,

I just ran across an issue I have never seen before. We have a switch configured with about 250 VLANs and SVIs. The switch is configured in VTP transparent mode.
Everything has been working fine until this morning we added a couple more vlans. After that we noticed that all but about 80 of the VLANs in the VTP database were missing. Somehow they got erased. No one was in the device since this happened and it's configured in trans mode. Any ideas what could have happened? We put the VLANs back in and everything came up fine for now.

Anyone ever heard of something like this happening? Is there a max number of L3 interfaces for 6500?

Mike Louis
Senior Solutions Architect
CCIE #17082 (R&S)
NWN, Inc
mobile:336.253.5247
mlouis at nwnit.com

________________________________
Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From peter at rathlev.dk  Fri Feb 13 15:49:12 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 13 Feb 2009 21:49:12 +0100
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <000001c98e10$4ffc5e50$eff51af0$@org>
References: <000001c98e10$4ffc5e50$eff51af0$@org>
Message-ID: <1234558152.5766.7.camel@localhost.localdomain>

On Fri, 2009-02-13 at 14:21 -0500, Paul Stewart wrote:
> I believe the answer is no but worth asking... we have a large VLAN database
> on some 6500's with VTP running. On one of these 7600's we have many SVI
> interfaces which in turn are trunked on GigE's to other layer2 switches...
>
> We have a client coming onboard that we need to possibly send about 60
> layer3 connections over a GigE trunk connection but the requested VLAN
> numbers are mostly already in use on the 7600. Without getting into other
> options can I do the following??
>
> Interface vlan 300
>  Descr test test
>  Ip address 10.10.10.1 255.255.255.248
>
> Interface GigE9/1
>  Switchport mode trunk
>  Switchport trunk allowed vlan 300
>
> Interface GigE9/8.300
>  Descr Another customer
>  IP address 192.168.0.1 255.255.255.240
>
> I realize this gets mapped to internal VLAN's but in this case will those
> VLAN's co-exist or conflict?

If you also want to use "encapsulation dot1q 300" on Gi9/8.300 it will not work. The box will complain that VLAN 300 is already in use.

Furthermore you cannot use VTP and dot1q subinterfaces together. You need to use transparent VTP mode for that.

You might use VLAN Mapping in order to provide services for their VLANs but with your numbering.

Regards,
Peter

From avayner at cisco.com  Fri Feb 13 16:16:38 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 13 Feb 2009 22:16:38 +0100
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <000001c98e10$4ffc5e50$eff51af0$@org>
References: <000001c98e10$4ffc5e50$eff51af0$@org>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D734C0C1@xmb-ams-331.emea.cisco.com>

Paul,

The best option for using local VLAN significance is to use the more advanced ES20 modules on the 7600:
http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3ad.html

Another thing you can take a look at is VLAN Translation:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/vlans.html#wp1044990

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, February 13, 2009 21:22
To: 'Cisco-nsp'
Subject: [c-nsp] 7600 SVI + Subinterface Question

Hi folks...
I believe the answer is no but worth asking... we have a large VLAN database on some 6500's with VTP running. On one of these 7600's we have many SVI interfaces which in turn are trunked on GigE's to other layer2 switches...

We have a client coming onboard that we need to possibly send about 60 layer3 connections over a GigE trunk connection but the requested VLAN numbers are mostly already in use on the 7600. Without getting into other options can I do the following??

Interface vlan 300
 Descr test test
 Ip address 10.10.10.1 255.255.255.248

Interface GigE9/1
 Switchport mode trunk
 Switchport trunk allowed vlan 300

Interface GigE9/8.300
 Descr Another customer
 IP address 192.168.0.1 255.255.255.240

I realize this gets mapped to internal VLAN's but in this case will those VLAN's co-exist or conflict?

Thanks,

Paul

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From saku+cisco-nsp at ytti.fi  Fri Feb 13 16:36:20 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 13 Feb 2009 23:36:20 +0200
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
	<20090213182528.GA9212@mx.ytti.net>
	<39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com>
Message-ID: <20090213213620.GA10607@mx.ytti.net>

On (2009-02-13 13:50 -0500), Laurent Geyer wrote:
> Any reason why you believe I need to use pseudo wire classes here?

Because you need to dig the ethernet frame out from mismatching headers in each end-point. For all IOS cares, the other side could be ATM in this case; it simply does not match the other side.
-- 
  ++ytti

From saku+cisco-nsp at ytti.fi  Fri Feb 13 16:45:16 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 13 Feb 2009 23:45:16 +0200
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D734C0C1@xmb-ams-331.emea.cisco.com>
References: <000001c98e10$4ffc5e50$eff51af0$@org>
	<78C984F8939D424697B15E4B1C1BB3D734C0C1@xmb-ams-331.emea.cisco.com>
Message-ID: <20090213214516.GB10607@mx.ytti.net>

On (2009-02-13 22:16 +0100), Arie Vayner (avayner) wrote:
> The best option for using local VLAN significance is to use the more
> advanced ES20 modules on the 7600:
> http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3ad.html

ES20 cards do not have vlan local significance; while toasters are capable of doing it, you guys opted not to do it (perhaps due to toaster+microcode evilness when compared to ezchip+c?)

giga2/0/1.42
 encap dot1q 42
giga2/0/2.42
 encap dot1q 42

Is not and will not be (non-technical reasons) possible in ES20. OP should rather consider ES+ cards, which are completely different cards and will do this. Sure you can work around this through EVC in ES20 but that is another bag of worms. I would strongly advise against anyone buying ES20, as ES+ costs the same.
(Of course you still can't escape the 4k VLAN limit in the platform)

-- 
  ++ytti

From lgeyer at gmail.com  Fri Feb 13 17:04:58 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Fri, 13 Feb 2009 17:04:58 -0500
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <20090213213620.GA10607@mx.ytti.net>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
	<20090213182528.GA9212@mx.ytti.net>
	<39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com>
	<20090213213620.GA10607@mx.ytti.net>
Message-ID: <39647f4d0902131404j16b1d9b4v3824aba1d4f3e439@mail.gmail.com>

On Fri, Feb 13, 2009 at 4:36 PM, Saku Ytti wrote:
> On (2009-02-13 13:50 -0500), Laurent Geyer wrote:
>
>> Any reason why you believe I need to use pseudo wire classes here?
>
> Because you need to dig out ethernet frame out from mismatching headers
> in each end-point.
> For all IOS cares, other side could be ATM in this case, it simply
> does not match to the other side.

Ok, I see what you're saying. Still, you cannot define a networking type for a pseudo wire until mpls encapsulation is enabled. I just tested what you suggested and the output for `show mpls l2transport vc 821 detail' is the same whether I use a pseudo wire class like you suggested, or I simply define encapsulation mpls on the interface level.
pseudowire-class vltun-ethtun
 encapsulation mpls
 interworking ethernet

interface GigabitEthernet2/20
 mtu 9216
 no ip address
 speed nonegotiate
 xconnect 821 pw-class vltun-ethtun
end

show mpls l2transport vc 821 detail
Local interface: Gi2/20 up, line protocol up, Ethernet up
  Destination address: , VC ID: 821, VC status: up
    Output interface: Vl2, imposed label stack {291 209}
    Preferred path: not configured
    Default path: active
    Next hop:
  Create time: 00:00:06, last status change time: 00:00:06
  Signaling protocol: LDP, peer :0 up
    Targeted Hello: (LDP Id) ->
    Status TLV support (local/remote)   : enabled/supported
      Label/status state machine        : established, LruRru
      Last local dataplane   status rcvd: no fault
      Last local SSS circuit status rcvd: no fault
      Last local SSS circuit status sent: no fault
      Last local  LDP TLV    status sent: no fault
      Last remote LDP TLV    status rcvd: no fault
    MPLS VC labels: local 604, remote 209
    Group ID: local 0, remote 0
    MTU: local 9216, remote 9216
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, seq error 0, send 0

interface GigabitEthernet2/20
 mtu 9216
 no ip address
 speed nonegotiate
 xconnect 821 encapsulation mpls
end

show mpls l2transport vc 821 detail
Local interface: Gi2/20 up, line protocol up, Ethernet up
  Destination address: , VC ID: 821, VC status: up
    Output interface: Vl2, imposed label stack {291 209}
    Preferred path: not configured
    Default path: active
    Next hop:
  Create time: 00:00:22, last status change time: 00:00:22
  Signaling protocol: LDP, peer :0 up
    Targeted Hello: (LDP Id) ->
    Status TLV support (local/remote)   : enabled/supported
      Label/status state machine        : established, LruRru
      Last local dataplane   status rcvd: no fault
      Last local SSS circuit status rcvd: no fault
      Last local SSS circuit status sent: no fault
      Last local  LDP TLV    status sent: no fault
      Last remote LDP TLV    status rcvd: no fault
    MPLS VC labels: local 603, remote 209
    Group ID: local 0, remote 0
    MTU: local 9216, remote 9216
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 6, send 7
    byte totals:   receive 732, send 1214
    packet drops:  receive 0, seq error 0, send 0

From gert at greenie.muc.de  Fri Feb 13 17:40:09 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 13 Feb 2009 23:40:09 +0100
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <000001c98e10$4ffc5e50$eff51af0$@org>
References: <000001c98e10$4ffc5e50$eff51af0$@org>
Message-ID: <20090213224009.GF290@greenie.muc.de>

Hi,

On Fri, Feb 13, 2009 at 02:21:46PM -0500, Paul Stewart wrote:
> I realize this gets mapped to internal VLAN's but in this case will those
> VLAN's co-exist or conflict?

With "normal" (= affordable) LAN cards, it will conflict. There will be no translation - that is, if you have "encaps dot1q 300" on a GigE subif, it will use "VLAN 300" for that.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From cphillips at wbsconnect.com  Fri Feb 13 17:54:58 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Fri, 13 Feb 2009 14:54:58 -0800
Subject: [c-nsp] 6500 VTP and VLANs disappearing
In-Reply-To: 
References: 
Message-ID: <4995FA42.9040102@wbsconnect.com>

Mike,

I've had this happen twice. Both times we were running VTP transparent, both times on 6509s with SUP720-3BXL and both times on 12.2.18-SXF*. We've not had this happen again since moving to 12.2.33-SXI.

Mike Louis wrote:
> Hey all,
>
> I just ran across an issue I have never seen before. We have a switch configured with about 250 VLANs and SVIs. The switch is configured in VTP transparent mode.
> Everything has been working fine until this morning we added a couple more vlans. After that we noticed that all but about 80 of the VLANs in the VTP database were missing. Somehow they got erased. No one was in the device since this happened and it's configured in trans mode. Any ideas what could have happened? We put the VLANs back in and everything came up fine for now.
>
> Anyone ever heard of something like this happening? Is there a max number of L3 interfaces for 6500?
>
>
> Mike Louis
> Senior Solutions Architect
> CCIE #17082 (R&S)
> NWN, Inc
> mobile:336.253.5247
> mlouis at nwnit.com

-- 
Chris Phillips

From ney25 at hotmail.com  Fri Feb 13 19:31:38 2009
From: ney25 at hotmail.com (Jack)
Date: Sat, 14 Feb 2009 08:31:38 +0800
Subject: [c-nsp] 6500 VTP and VLANs disappearing
In-Reply-To: <4995FA42.9040102@wbsconnect.com>
References: <4995FA42.9040102@wbsconnect.com>
Message-ID: 

Hi Chris,

Did you check the VTP version?
I had an incident before but it was due to the VTP version 1 and 2: new IOS loaded to my Cat6 but somehow the VTP automatically became version 1, therefore most of my access layer can't communicate to the Core layer. It is no harm to check the vtp version as well.

Regards,
Jack

--------------------------------------------------
From: "Chris Phillips"
Sent: Saturday, 14 February, 2009 6:54 AM
To: "Mike Louis"
Cc: 
Subject: Re: [c-nsp] 6500 VTP and VLANs disappearing

> Mike,
>
> I've had this happen twice. Both times we were running VTP transparent,
> both times on 6509s with SUP720-3BXL and both times on 12.2.18-SXF*. We've
> not had this happen again since moving to 12.2.33-SXI.
>
> Mike Louis wrote:
>> Hey all,
>>
>> I just ran across an issue I have never seen before. We have a switch
>> configured with about 250 VLANs and SVIs. The switch is configured in VTP
>> transparent mode. Everything has been working fine until this morning we
>> added a couple more vlans. After that we noticed that all but about 80 of
>> the VLANs in the VTP database were missing. Somehow they got erased. No
>> one was in the device since this happened and it's configured in trans
>> mode. Any ideas what could have happened? We put the VLANs back in and
>> everything came up fine for now.
>>
>> Anyone ever heard of something like this happening? Is there a max number
>> of L3 interfaces for 6500?
>>
>>
>> Mike Louis
>> Senior Solutions Architect
>> CCIE #17082 (R&S)
>> NWN, Inc
>> mobile:336.253.5247
>> mlouis at nwnit.com
>
> -- 
> Chris Phillips
>

From MLouis at nwnit.com  Fri Feb 13 19:41:39 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 13 Feb 2009 19:41:39 -0500
Subject: [c-nsp] 6500 VTP and VLANs disappearing
Message-ID: 

Well we are running sxi so it's happening in that rev as well. Any idea why or when it happens? If it's a bug it's a terrible one.

-----Original Message-----
From: Chris Phillips
Sent: Friday, February 13, 2009 5:54 PM
To: Mike Louis
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 VTP and VLANs disappearing

Mike,

I've had this happen twice. Both times we were running VTP transparent, both times on 6509s with SUP720-3BXL and both times on 12.2.18-SXF*. We've not had this happen again since moving to 12.2.33-SXI.

Mike Louis wrote:
> Hey all,
>
> I just ran across an issue I have never seen before. We have a switch configured with about 250 VLANs and SVIs. The switch is configured in VTP transparent mode. Everything has been working fine until this morning we added a couple more vlans. After that we noticed that all but about 80 of the VLANs in the VTP database were missing. Somehow they got erased. No one was in the device since this happened and it's configured in trans mode. Any ideas what could have happened? We put the VLANs back in and everything came up fine for now.
>
> Anyone ever heard of something like this happening? Is there a max number of L3 interfaces for 6500?
>
>
> Mike Louis
> Senior Solutions Architect
> CCIE #17082 (R&S)
> NWN, Inc
> mobile:336.253.5247
> mlouis at nwnit.com

-- 
Chris Phillips

From David at hughes.com.au  Fri Feb 13 21:42:19 2009
From: David at hughes.com.au (David Hughes)
Date: Sat, 14 Feb 2009 12:42:19 +1000
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <4995A540.5010007@chrisserafin.com>
References: <49945ABC.7020706@chrisserafin.com>
	<74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net>
	<4995A540.5010007@chrisserafin.com>
Message-ID: 

On 14/02/2009, at 2:52 AM, ChrisSerafin wrote:
> I will have a pair of 2960's upstream that will have 2 bonded
> etherchannels going into each switch blade from each 2960. The
> etherchannels will be trunk links and then I will configure the
> internal virtual switchports as trunks going into the XEN
> Server....XEN is just like VMware/ESX...... the server tags the
> VLANs depending on what network they need to be on.
>
>
> Make sense at all? I've been google'ing until my eyes bleed trying
> to get up to speed on these devices.

Yup, that makes perfect sense and is similar to our architecture (if you substitute 6500 for 2960 you'd pretty much have our standard setup). We run nodes of ESX farms on blades in this configuration. If you are planning on dense virtualisation or multi-node farms then you'll need to be running MST for your spanning tree. Running any form of per vlan STP will have you running out of STP instances before you run out of vlans you need to trunk to your ESX / Xen boxes.

Thanks

David
...

From madunix at gmail.com  Sat Feb 14 01:59:07 2009
From: madunix at gmail.com (Mad Unix)
Date: Sat, 14 Feb 2009 08:59:07 +0200
Subject: [c-nsp] CCIE Lab
Message-ID: <4d3f56c90902132259o364ff05fr69ae58c865f119bc@mail.gmail.com>

Can you please tell me what *you* did to master the CCIE Lab? Your input is really appreciated.

-- 
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity." Dennis Ritchie.
From saku+cisco-nsp at ytti.fi  Sat Feb 14 03:47:31 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sat, 14 Feb 2009 10:47:31 +0200
Subject: [c-nsp] EoMPLS - port mode to vlan mode
In-Reply-To: <39647f4d0902131404j16b1d9b4v3824aba1d4f3e439@mail.gmail.com>
References: <39647f4d0902130902o29f03a90n1307d4516dcc7fe6@mail.gmail.com>
	<20090213182528.GA9212@mx.ytti.net>
	<39647f4d0902131050ye5116fcnd91b82eed6bf3de5@mail.gmail.com>
	<20090213213620.GA10607@mx.ytti.net>
	<39647f4d0902131404j16b1d9b4v3824aba1d4f3e439@mail.gmail.com>
Message-ID: <20090214084731.GB14923@mx.ytti.net>

On (2009-02-13 17:04 -0500), Laurent Geyer wrote:
> Still, you cannot define a networking type for a pseudo wire until
> mpls encapsulation is enabled.

I'm sorry if you understood my comment that way; I was simply trying to explain that you don't specify it in the xconnect line, but instead use pw-class where you can (also) define interworking.

> I just tested what you suggested and the output for `show mpls
> l2transport vc 821 detail' is the same whether I use a pseudo wire
> class like you suggested, or I simply define encapsulation mpls on the
> interface level.

Did you configure it on both sides? Configuration is OK now.

-- 
  ++ytti

From cphillips at wbsconnect.com  Sat Feb 14 04:10:40 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Sat, 14 Feb 2009 01:10:40 -0800
Subject: [c-nsp] 6500 VTP and VLANs disappearing
In-Reply-To: 
References: 
Message-ID: <49968A90.7000106@wbsconnect.com>

Have no idea why it happened. I assumed it was a bug in the SXF train. It hasn't happened to us again, luckily. One other characteristic that I remember about it is that it only deleted non-extended VLANs. Was that similar to what happened to you?

Mike Louis wrote:
> Well we are running sxi so it's happening in that rev as well. Any idea why or when it happens? If it's a bug it's a terrible one.
>
> -----Original Message-----
> From: Chris Phillips
> Sent: Friday, February 13, 2009 5:54 PM
> To: Mike Louis
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6500 VTP and VLANs disappearing
>
>
> Mike,
>
> I've had this happen twice. Both times we were running VTP transparent,
> both times on 6509s with SUP720-3BXL and both times on 12.2.18-SXF*.
> We've not had this happen again since moving to 12.2.33-SXI.
>
> Mike Louis wrote:
>> Hey all,
>>
>> I just ran across an issue I have never seen before. We have a switch configured with about 250 VLANs and SVIs. The switch is configured in VTP transparent mode. Everything has been working fine until this morning we added a couple more vlans. After that we noticed that all but about 80 of the VLANs in the VTP database were missing. Somehow they got erased. No one was in the device since this happened and it's configured in trans mode. Any ideas what could have happened? We put the VLANs back in and everything came up fine for now.
>>
>> Anyone ever heard of something like this happening? Is there a max number of L3 interfaces for 6500?
>>
>>
>> Mike Louis
>> Senior Solutions Architect
>> CCIE #17082 (R&S)
>> NWN, Inc
>> mobile:336.253.5247
>> mlouis at nwnit.com
>> _______________________________________________
>> cisco-nsp mailing list
>> cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> --
> Chris Phillips

--
Chris Phillips

From clanjones1 at yahoo.com Sat Feb 14 09:34:00 2009
From: clanjones1 at yahoo.com (Mike Jones)
Date: Sat, 14 Feb 2009 06:34:00 -0800 (PST)
Subject: [c-nsp] 6500 VTP and VLANs disappearing
In-Reply-To: <49968A90.7000106@wbsconnect.com>
Message-ID: <362994.77947.qm@web36903.mail.mud.yahoo.com>

I have never come across this, however, if I recall correctly, the Supervisor MSFC should be able to handle at least 3000 IDBs running 12.2 IOS. A physical interface will take 1 IDB, and a logical interface (VLAN or subinterface) will take another IDB. I highly doubt you ran into an IDB limitation on your SUP.

Mike J <><

--- On Sat, 2/14/09, Chris Phillips wrote:
From: Chris Phillips
Subject: Re: [c-nsp] 6500 VTP and VLANs disappearing
To: "Mike Louis"
Cc: "cisco-nsp at puck.nether.net"
Date: Saturday, February 14, 2009, 3:10 AM

Have no idea why it happened. I assumed it was a bug in the SXF train. It hasn't happened to us again, luckily. One other characteristic that I remember about it is that it only deleted non-extended VLANs. Was that similar to what happened to you?
--
Chris Phillips

From dwinkworth at att.net Sat Feb 14 10:53:32 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Sat, 14 Feb 2009 09:53:32 -0600
Subject: [c-nsp] OT: CCIE Lab
In-Reply-To: <4d3f56c90902132259o364ff05fr69ae58c865f119bc@mail.gmail.com>
References: <4d3f56c90902132259o364ff05fr69ae58c865f119bc@mail.gmail.com>
Message-ID: <4996E8FC.8000307@att.net>

You should subscribe to the CCIE groupstudy list. See http://www.groupstudy.com/

Studying. Practice. Lots of practice. I purchased the InternetworkExpert end-to-end program and I completed all 30 of the practice labs plus a couple of mock labs (Brian and Brian were great!). I did the live on-line classes and I watched the prerecorded ones repeatedly.
I listened to the audio classes repeatedly. I also took the first week of the NetMasterClass training. Bruce, Val, and Bob are great!

I took notes in several different forms. I used a tool called freemind to make a massive mind-map. I took traditional notes and highlighted items in various texts. I made close to one thousand flashcards for particular items I needed help remembering.

All said, I spent 8 months, 4-12 hours a day, 5-6 days a week preparing for the lab. Then I took and passed the lab.

Personally the one thing that helped me the most, more than anything, was to admit that I knew far less about networking than I previously thought. I humbled myself greatly and I approached every topic as if I was learning it anew. I had a lot of false notions about how things actually worked. Also, you will realize during the actual hands-on application of the various topics... that there are a lot of dead trees in the form of books (including CiscoPress books) that are written very poorly or are just plain wrong. Even Cisco's documentation is very poor or wrong in a lot of places. The only way to really wrap your head around some things is to read from multiple sources about it AND to then build it in a lab and debug it.. in various scenarios and environments.

A particularly enlightening exercise is to try to reduce any scenario or functionality to the absolute minimum amount of commands needed to do it. Then think carefully on what you removed and what the actual purpose of it is. Then take copious notes.

The end.

Mad Unix wrote:
> Can you please tell me, what *you* did to master Ccie Lab?
>
> your input really appreciated.
From avayner at cisco.com Sat Feb 14 11:05:23 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 14 Feb 2009 17:05:23 +0100
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <20090213214516.GB10607@mx.ytti.net>
References: <000001c98e10$4ffc5e50$eff51af0$@org> <78C984F8939D424697B15E4B1C1BB3D734C0C1@xmb-ams-331.emea.cisco.com> <20090213214516.GB10607@mx.ytti.net>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D734C118@xmb-ams-331.emea.cisco.com>

Ytti,

You can do it on regular ES20's with EVC.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Friday, February 13, 2009 23:45
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7600 SVI + Subinterface Question

On (2009-02-13 22:16 +0100), Arie Vayner (avayner) wrote:
> The best option for using local VLAN significance is to use the more
> advanced ES20 modules on the 7600:
> http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3ad.html

ES20 cards do not have vlan local significance, while toasters are capable of doing it, you guys opted not to do it (perhaps due to toaster+microcode evilness when compared to ezcip+c?)

giga2/0/1.42 encap dot1q 42
giga2/0/2.42 encap dot1q 42

Is not and will not be (non-technical reasons) possible in ES20. OP should rather consider ES+ cards, which are completely different cards and will do this. Sure you can workaround this through EVC in ES20 but that is another bag of worms. I would strongly advise against anyone buying ES20, as ES+ costs the same.
(Of course you still can't escape the 4k VLAN limit in the platform)

--
++ytti

From saku+cisco-nsp at ytti.fi Sat Feb 14 11:24:25 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sat, 14 Feb 2009 18:24:25 +0200
Subject: [c-nsp] 7600 SVI + Subinterface Question
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D734C118@xmb-ams-331.emea.cisco.com>
References: <20090213214516.GB10607@mx.ytti.net> <78C984F8939D424697B15E4B1C1BB3D734C118@xmb-ams-331.emea.cisco.com>
Message-ID: <20090214162425.GA20342@mx.ytti.net>

On (2009-02-14 17:05 +0100), Arie Vayner (avayner) wrote:
> You can do it on regular ES20's with EVC.

>> Sure you can workaround this through EVC in ES20 but that is another
>> bag of worms. I would strongly advise against anyone buying ES20,
>> as ES+ costs the same.

The bag of worms I was referring to means e.g. you can only match to CoS or class-default in EVC MQC. ACL is not available. So a simple requirement of policing all traffic means you do class-default, instead of the correct solution of an ACL of 'any'. With class-default you lose the ability to use VPN CAM and in an L3 MPLS VPN environment you increase your VLAN usage (and reduce the amount of customers you can terminate).

Also one could argue higher configuration overhead to use EVC + SVI, more cruft in config. Many people don't like seeing lots and lots of SVIs when a subinterface suffices. It would be nice if EVC would optionally implement SVI internally, so you could simply add an IP address to EVC when you only have one interface for a given connection.
--
++ytti

From scott at labyrinth.org Sat Feb 14 21:13:27 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Sat, 14 Feb 2009 21:13:27 -0500
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <49906CFE.7040407@justinshore.com>
References: <49906CFE.7040407@justinshore.com>
Message-ID:

Didn't Infoblox just announce a module for the ISR for DNS/DHCP/NTP? That might be more appropriate somehow...

Scott

On Feb 9, 2009, at 12:50 PM, Justin Shore wrote:
> Manaf Al Oqlah wrote:
>> Hi all,
>> I am configuring a Cisco 7600 router as DHCP server for my
>> broadband clients. I am using DHCP snooping and ARP inspection for
>> security reasons and the lease time expiration is set for 30
>> minutes and no excluded-address is configured. The problem is that
>> I can still see some clients' IP address lease expirations are
>> Infinite in the DHCP binding! What could be the reason for this
>> behavior and could this be some sort of attack!!
>
> I get them too. I never have figured out what causes them. So far
> it hasn't been a big deal for me.
>
> BTW, I'd recommend not using the IOS DHCP server for anything that is
> more than convenience at a very small site. I would highly
> recommend deploying a server-based DHCP server like ISC DHCPd. Lots
> more bells and whistles to work with. Plus you can have redundancy
> with the server-based solution. The IOS DHCP server is a fairly
> stripped down implementation. I don't think it was intended to be
> used in large environments like a SP's broadband network.
>
> Justin

From scott at labyrinth.org Sat Feb 14 21:58:44 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Sat, 14 Feb 2009 21:58:44 -0500
Subject: [c-nsp] Dynamic Vlan with 3750
In-Reply-To: <20090212142612.GB12420@lboro.ac.uk>
References: <002101c98ca0$6169cef0$243d6cd0$@id.au> <20090212142612.GB12420@lboro.ac.uk>
Message-ID:

Umm, if you're going thru the effort of running RADIUS anyways, why not just use MAC-Auth Bypass with 802.1x instead? It's going to be a lot more scalable and extensible.

Scott

On Feb 12, 2009, at 9:26 AM, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>> I have found some programs opensource to deploy a VMPS server, I will
>> be trying setting up on linux server. If you know another program,
>> please notify me. Thanks.
>
> FreeRADIUS.
> very very fast at doing VMPS - we use it
>
> alan

From gtb at slac.stanford.edu Sun Feb 15 00:51:53 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Sat, 14 Feb 2009 21:51:53 -0800
Subject: [c-nsp] DHCP Binding Expiration
In-Reply-To: <200902092022.14601.lowen@pari.edu>
References: <49906CFE.7040407@justinshore.com> <200902092022.14601.lowen@pari.edu>
Message-ID:

> > BOOTP.
>

Have not used the IOS dhcp server in a long time (the ISC dhcp server is far more capable), but when I did, I vaguely recall adding these commands which eliminated the infinite lease times in my specific environment (which were all traced down to bootp requests):

no ip bootp server
ip dhcp bootp ignore

From p.mayers at imperial.ac.uk Sun Feb 15 06:34:54 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 15 Feb 2009 11:34:54 +0000
Subject: [c-nsp] 12.2(33)SXI revisited
In-Reply-To: <20090210124019.GA8143@lboro.ac.uk>
References: <9e246b4d0809220719ld6f7b9em34cb0886f4d190fd@mail.gmail.com> <48D7B275.50700@imperial.ac.uk> <20090210124019.GA8143@lboro.ac.uk>
Message-ID: <20090215113454.GA24043@wildfire.net.ic.ac.uk>

On Tue, Feb 10, 2009 at 12:40:19PM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
>hi,
>
>okay - after fruitful time on the test/devel router and then
>a prolonged period on 2 select routers, we're now SXI across
>the board.... which has finally thrown up an error (of sorts!)
>hurrah! :-)
>
>having exhausted my usual supply of cisco and google (and c-nsp ;-) )
>searches I thought I'd throw this one to the list before
>visiting my TAC friends for the 3rd time this week.
>
>note: so far we only observe this error on systems with 2 Sup720's in
>SSO redundancy mode
>
>this is what's being logged:
>
>Feb 10 12:26:38: SP: Critical error processing oif ltl index change event (0100.5b00.073c, XXX, 0xB8B)
>Feb 10 12:30:32: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
>Feb 10 12:30:32: SP: Critical error processing oif ltl index change event (0100.5b1f.fefd, XXX, 0xBAB)
>Feb 10 12:30:48: SP: Critical error processing rpf ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
>Feb 10 12:30:48: SP: Critical error processing oif ltl index change event (0100.5b1f.fefa, XXX, 0xBB3)
>Feb 10 12:31:54: SP: Critical error processing rpf ltl index change event (0100.5b07.0076, XXX, 0xBBF)

I haven't seen that one, but interestingly, I'm getting messages related to multicast on SXI too:

%MLSM-6-LC_SCP_FAILURE: NMP encountered internal communication failure for (s,g,vlan), flow will be software switched

We're getting them *very* infrequently, but we are getting them. TAC tell me this only happens after an SSO or OIR, however the last SSO/OIR was days (in some cases a week or more) before the most recent messages.

We've also got some messages related to ISSU which were triggered by a bad chassis, so my perception is the logging verbosity is a bit higher in SXI generally.

From p.mayers at imperial.ac.uk Sun Feb 15 06:52:35 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 15 Feb 2009 11:52:35 +0000
Subject: [c-nsp] BGP MSS=576 bytes
In-Reply-To:
References:
Message-ID: <49980203.70803@imperial.ac.uk>

Antonio M. Soares wrote:
> Hello group,
>
> I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an

I think you need a newer IOS.
Certainly under SXI I see:

ac-core#sh ip bgp neighbors | inc path-mtu|max data seg
Transport(tcp) path-mtu-discovery is enabled
Datagrams (max data segment is 536 bytes):
Transport(tcp) path-mtu-discovery is enabled
Datagrams (max data segment is 1460 bytes):
Transport(tcp) path-mtu-discovery is enabled
Datagrams (max data segment is 9060 bytes):
Transport(tcp) path-mtu-discovery is enabled
Datagrams (max data segment is 536 bytes):

...depending on whether the neighbor is similarly equipped to be jumbo-framed and PMTU.

From p.mayers at imperial.ac.uk Sun Feb 15 07:02:32 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 15 Feb 2009 12:02:32 +0000
Subject: [c-nsp] high CPU with snmp IS THERE A REAL FIX
In-Reply-To:
References:
Message-ID: <49980458.4080201@imperial.ac.uk>

Jeff Fitzwater wrote:
> We are running 12.2.SXI on sup-720-cxl

Short answer: no, it's just slow.

My advice, and the solution we adopted - fetch the ARP table using an expect script via the CLI, which does not have this problem - we had mean RP CPU use drop a *huge* amount when I implemented that. If I ever get the "netconf" interface working for CLI, it'll become an even more attractive solution.

You'd probably need an RFE to get the SNMP method "fixed", and I am not optimistic about your chances of success.

>
> We use snmp getnext and getbulk to get the ARP table from a router
> that has ~16K entries and it takes about 10min to complete, with
> ROUTER CPU at 100%. Our other routers have the same hardware and IOS
> but have <10K entries and work fine.
>
> This is an old problem with CISCO and I thought they might have
> finally fixed it in SXI, but NOT.
>
> The problem is the ARP entries are stored internally in a hashed
> format and SNMP needs them in an ordered format, so for every snmp PDU
> the CPU must get the entire ARP table and crunch it to create the
> ordered PDU response. This will take place for as many PDUs as it
> takes to retrieve the entire table.
> There does appear to be a point
> (size of ARP table) at which it takes very long to retrieve the whole
> table which seems to be around 12K but with a 16K table it takes
> forever.

Yep - it's an exponential slowdown.

You could try the cseCefFib MIB (CISCO-SWITCH-ENGINE-MIB) but in our environment it was only ~10% faster, with an even higher CPU usage.

>
> In the attached PDF from CISCO they explain the problem and also state
> that if you turn on CEF (has always been on for long time) that it is
> much faster since the FIB is already in a lexical order that snmp
> likes. Since CEF is always on, why does it still take so long.

The explanation cisco offer has two problems:

1. it really dates from the days of CPU routers where the CEF structure lives primarily in CPU RAM, as opposed to the 6500s where it's formatted to be optimal for the hardware

2. the CEF table may be "in order" but you still have to do some sorting - namely for the ifIndex, because the ipNetToMedia table is indexed by:

ifIndex.ip0.ip1.ip2.ip3

From peter at whole-uk.com Sun Feb 15 13:14:41 2009
From: peter at whole-uk.com (Pete Barnwell)
Date: Sun, 15 Feb 2009 18:14:41 +0000
Subject: [c-nsp] Router requirement
Message-ID: <49985B91.6060706@whole-uk.com>

Hi,

Wonder if anybody can help me with selecting the right router for CPE? It needs to be able to handle 100Mb/s delivered over FE, doing a bit of QoS and a few ACLs but no dynamic routing protocols.

Thanks

Pete

From dwinkworth at att.net Sun Feb 15 14:16:56 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Sun, 15 Feb 2009 13:16:56 -0600
Subject: [c-nsp] Router requirement
In-Reply-To: <49985B91.6060706@whole-uk.com>
References: <49985B91.6060706@whole-uk.com>
Message-ID: <49986A28.4050003@att.net>

7200vxr

Pete Barnwell wrote:
> Hi,
>
> Wonder if anybody can help me with selecting the right router for CPE?
> It needs to be able to handle 100Mb/s delivered over FE, doing a bit of
> QoS and a few ACLs but no dynamic routing protocols.
>
> Thanks
>
> Pete

From sthaug at nethelp.no Sun Feb 15 16:03:04 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sun, 15 Feb 2009 22:03:04 +0100 (CET)
Subject: [c-nsp] Router requirement
In-Reply-To: <49986A28.4050003@att.net>
References: <49985B91.6060706@whole-uk.com> <49986A28.4050003@att.net>
Message-ID: <20090215.220304.74692549.sthaug@nethelp.no>

> 7200vxr

Well, if the QoS requirements aren't too advanced, something like a 3560 switch used as a router should work just fine.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

>
> Pete Barnwell wrote:
> > Hi,
> >
> > Wonder if anybody can help me with selecting the right router for CPE?
> > It needs to be able to handle 100Mb/s delivered over FE, doing a bit of
> > QoS and a few ACLs but no dynamic routing protocols.
> >
> > Thanks
> >
> > Pete
From rubensk at gmail.com Sun Feb 15 16:22:49 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Sun, 15 Feb 2009 18:22:49 -0300
Subject: [c-nsp] Router requirement
In-Reply-To: <49985B91.6060706@whole-uk.com>
References: <49985B91.6060706@whole-uk.com>
Message-ID: <6bb5f5b10902151322w2d016d04x5f84b03591f3de28@mail.gmail.com>

Consider using this one: ME-3400G-2CS-A with METROBASE IOS

Be aware that it doesn't have routing capabilities, but you can move the routing part to the PE, if (and that's a "you need to verify it" if) you can ACL/QoS the broadcast and non-IP traffic to not leave the CPE.

See http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/prod_qas0900aecd8034fefb.html for this one.

Rubens

On Sun, Feb 15, 2009 at 3:14 PM, Pete Barnwell wrote:
> Hi,
>
> Wonder if anybody can help me with selecting the right router for CPE?
> It needs to be able to handle 100Mb/s delivered over FE, doing a bit of
> QoS and a few ACLs but no dynamic routing protocols.
>
> Thanks
>
> Pete

From peter at whole-uk.com Sun Feb 15 17:53:38 2009
From: peter at whole-uk.com (Pete Barnwell)
Date: Sun, 15 Feb 2009 22:53:38 +0000
Subject: [c-nsp] Router requirement
In-Reply-To: <6bb5f5b10902151443n7df6fa10g263b24f21e9ea44e@mail.gmail.com>
References: <49985B91.6060706@whole-uk.com> <6bb5f5b10902151322w2d016d04x5f84b03591f3de28@mail.gmail.com> <4998973C.9070008@whole-uk.com> <6bb5f5b10902151443n7df6fa10g263b24f21e9ea44e@mail.gmail.com>
Message-ID: <49989CF2.4020107@whole-uk.com>

>
> The good thing about METROIPACCESS is the routing and OAM features
> (OAM features are also available on METROACCESS, the middle ground
> between BASE and IPACCESS), the bad thing about METROIPACCESS is its
> cost. I don't know the cost structure or profit margins of your
> service, but cash is known to be useful nowadays...
>
> If you could post the results of the lab testing to the list, it would be nice.

I will do once completed. To answer your queries on cost - I can live with METROIPACCESS if I need it, but as you identify if I can 'get away' with the cheaper feature set it'd be nice...

Regards

Pete

From illcritikz at gmail.com Sun Feb 15 20:30:50 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 16 Feb 2009 12:00:50 +1030
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
In-Reply-To: <4422cf660902090132x7bc04294s5446e10007298e0c@mail.gmail.com>
References: <4422cf660902081556l3388db28h23c768ec82ce9e81@mail.gmail.com> <1234170440.3420.13.camel@localhost.localdomain> <4422cf660902090132x7bc04294s5446e10007298e0c@mail.gmail.com>
Message-ID: <4422cf660902151730k4ed9e2c4yf8fca23e667cd3df@mail.gmail.com>

For those interested I put the SFM's in last night without a hitch, in fact it didn't even drop a packet (1s ping intervals), it just did the usual OIR bus pause and one packet went up to 1600ms, then everything went back to normal except packets were now using the new crossbar fabric (no reboot required), very smooth.

Running 12.2(18)SXF4

Before:

router#sh fab swi
Global switching mode is Flow through
dCEF mode is not enforced for system to operate
Fabric module is not required for system to operate
Modules are allowed to operate in bus mode
Truncated mode is not allowed unless threshold is met
Threshold for truncated mode operation is 2 SFM-capable cards
Module Slot    Switching Mode
    1          Bus
    3          Bus
    5          Bus

After:

router#sh fab swi
Global switching mode is Compact
dCEF mode is not enforced for system to operate
Fabric module is not required for system to operate
Modules are allowed to operate in bus mode
Truncated mode is not allowed unless threshold is met
Threshold for truncated mode operation is 2 SFM-capable cards
Module Slot    Switching Mode
    1          dCEF
    3          Crossbar
    5          Crossbar
    6          No Interfaces

router#sh fab util
 slot    channel    Ingress %    Egress %
    1       0           0            0
    3       0           5            1
    5       0           1            5

Ben

On Mon, Feb 9, 2009 at 8:02 PM, Ben Steele wrote:
> Thanks for all the replies, personally i'm thinking it will be a few second
> hiccup like you often get with OIR then on its way again but the fact i'm
> changing how the underlying switch fabric works with this makes it more
> interesting... i've scheduled an outage for this Sunday evening so I will
> let you all know how it goes.
> Cheers
>
> Ben
>
> On Mon, Feb 9, 2009 at 7:37 PM, Peter Rathlev wrote:
>
>> On Mon, 2009-02-09 at 10:26 +1030, Ben Steele wrote:
>> > I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2
>> > obviously), can't seem to find any info on Cisco as to the consequences this
>> > may have to traffic flowing through the Bus at the time (ie dropped packet
>> > rates),
>>
>> Just to chime in with more non-certain knowledge: When doing OIR the box
>> does a "bus stall" AFAIK. This happens between when the pins start
>> connecting and when all pins are connected.
>>
>> If this were to not cause any lost packets, the modules would have to
>> buffer while the bus stall is in effect and retransmit whatever was on
>> the wire when it happened. I don't think they do.
>>
>> Regards,
>> Peter

From gkg at gmx.de Mon Feb 16 00:14:19 2009
From: gkg at gmx.de (Garry)
Date: Mon, 16 Feb 2009 06:14:19 +0100
Subject: [c-nsp] Router requirement
In-Reply-To: <49985B91.6060706@whole-uk.com>
References: <49985B91.6060706@whole-uk.com>
Message-ID: <4998F62B.6070105@gmx.de>

Pete Barnwell wrote:
> Hi,
>
> Wonder if anybody can help me with selecting the right router for CPE?
> It needs to be able to handle 100Mb/s delivered over FE, doing a bit of
> QoS and a few ACLs but no dynamic routing protocols.

If you can live with a worst-case scenario of 87MBit, a 2821 might be a decent choice, too. Typical throughput, even with moderate QoS/ACL, should be well over 100M (maybe even with a 2811). Otherwise, a 3825 with its two 1G interfaces built in would be a real good alternative to the rather pricey 72k ...
-garry

From andy.saykao at staff.netspace.net.au Mon Feb 16 00:31:20 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 16 Feb 2009 16:31:20 +1100
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BF9@vic-cr-ex1.staff.netspace.net.au>

Is it possible to aggregate and then load balance unequal ethernet circuits like so:

I have two ethernet circuits on my Cisco router. Both have equal costs to the next hop.

Ethernet Circuit #1 - 200M
Ethernet Circuit #2 - 100M

Can I aggregate both ethernet circuits so that the total amount of bandwidth available to the next hop is 300M?
Can I then load balance it so both circuits are equally utilized?

For example...

* If I have 150M of traffic flowing to the next hop then the router would spread the load across both links like so:

100M through Ethernet Circuit #1.
50M through Ethernet Circuit #2.

* The formula to use for this would be something like:

Utilization / Total Bandwidth = percentage of utilization required per link
150/300 = 0.5

0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M
0.5 x bandwidth of Ethernet #1 = 0.5 x 100 = 50M

* If there was a total of 250M of traffic flowing to the next hop, and applying the formula above, the router would work out that the load distributed across both ethernet links would be:

166M through Ethernet Circuit #1.
84M through Ethernet Circuit #2.

Any ideas???

Thanks.

Andy
From illcritikz at gmail.com Mon Feb 16 01:32:29 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 16 Feb 2009 17:02:29 +1030
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
In-Reply-To: <4422cf660902152229m1549f3c6ma804332630aa2f1d@mail.gmail.com>
References: <56F211C5E3F24F47B103EA1B253822BE03654BF9@vic-cr-ex1.staff.netspace.net.au> <4422cf660902152229m1549f3c6ma804332630aa2f1d@mail.gmail.com>
Message-ID: <4422cf660902152232i13b4f261h5efa5697971b1b53@mail.gmail.com>

Woops, meant to reply all in case someone else wants to chime in.

On Mon, Feb 16, 2009 at 4:59 PM, Ben Steele wrote:
> You could do this with variance in eigrp, just add variance 2 into the
> eigrp config and it will load balance on a 2:1 ratio, if your links are
> equally matched in terms of latency you can look at enabling per-packet load
> sharing on the 2 egress interfaces to get an even more granular
> distribution, this can wreak some havoc with unequal paths and out of
> sequence packets though, however if equally similar in characteristics then
> performance is usually very good.
>
> Ben
>
> On Mon, Feb 16, 2009 at 4:01 PM, Andy Saykao <andy.saykao at staff.netspace.net.au> wrote:
>
>> Is it possible to aggregate and then load balance unequal ethernet
>> circuits like so:
>>
>> I have two ethernet circuits on my Cisco router. Both have equal costs to
>> the next hop.
>>
>> Ethernet Circuit #1 - 200M
>> Ethernet Circuit #2 - 100M
>>
>> Can I aggregate both ethernet circuits so that the total amount of
>> bandwidth available to the next hop is 300M?
>> Can I then load balance it so both circuits are equally utilized?
>>
>> For example...
>>
>> * If I have 150M of traffic flowing to the next hop then the router
>> would spread the load across both links like so:
>>
>> 100M through Ethernet Circuit #1.
>> 50M through Ethernet Circuit #2.
>> >> * The formula to use for this would be something like: >> >> Utilization / Total Bandwidth = percentage of utilization required per >> link >> 150/300 = 0.5 >> >> 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M >> 0.5 x bandwidth of Ethernet #1 = 0.5 x 100 = 50M >> >> * If there was a total of 250M of traffic flowing to the next hop, and >> applying the formula above, the router would work out that the load >> distributed across both ethernet links would be: >> >> 166M through Ethernet Circuit #1. >> 84M through Ethernet Circuit #2. >> >> Any ideas??? >> >> Thanks. >> >> Andy >> >> This email and any files transmitted with it are confidential and intended >> solely for the use of the individual or entity to whom they are >> addressed. >> Please notify the sender immediately by email if you have received this >> email by mistake and delete this email from your system. Please note that >> any views or opinions presented in this email are solely those of the >> author and do not necessarily represent those of the organisation. >> Finally, the recipient should check this email and any attachments for >> the presence of viruses. The organisation accepts no liability for any >> damage caused by any virus transmitted by this email. >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From andy.saykao at staff.netspace.net.au Mon Feb 16 01:39:29 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Mon, 16 Feb 2009 17:39:29 +1100 Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au> Hi Ben, When I googled around, there were many discussions abvout using the variance command with eigrp but we don't run eigrp internally as our IGP. 
This is a typical setup where we need to upgrade some of our links, so we might upgrade 50M on the second leg and end up with a situation where the first leg is 100M and the second leg is 150M. As you may know, some providers aren't so flexible so you can't just upgrade 25M on each leg because they increment by 50M per leg only. Hence my question if it was possible to load balance across unequal ethernet circuits without buying additional bandwidth for both circuits.

Thanks.

Andy

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

From illcritikz at gmail.com Mon Feb 16 01:44:18 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 16 Feb 2009 17:14:18 +1030
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <4422cf660902152244y5ec215b5h595668bfbc25f78c@mail.gmail.com>

So are these links your WAN links to your provider you are referring to? If so are you running BGP over them or just a static default?
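The proportional split Andy works out in his first mail and the 2:1 share Ben gets from EIGRP variance can be checked numerically. The following Python is an added example written for this thread, not code from any of the posters or from Cisco. It computes the ideal per-link split from the link bandwidths (the formula in the thread, generalised to any number of links), derives the smallest integer share counts that give the same ratio (200:100 and the 100:150 upgrade case both come up above), and then simulates per-destination hashing against per-packet round-robin over those counts, which is the trade-off Ben raises. The link bandwidths, the flow list, the crc32 hash and the 16-bucket table are constructed assumptions; they are not how any particular IOS release hashes.

```python
"""Unequal-cost load sharing across links, as discussed in this thread.

Added example, not code from any poster: ideal proportional split,
integer share counts for that ratio, and a simulation of what
per-destination hashing and per-packet round-robin actually deliver.
Bandwidths, flows and the 16-bucket hash table are constructed.
"""
from functools import reduce
from math import gcd
import zlib


def proportional_split(total_mbps, link_mbps):
    """Andy's formula: link i carries total * (bw_i / sum of bandwidths)."""
    capacity = sum(link_mbps)
    return [total_mbps * bw / capacity for bw in link_mbps]


def share_counts(link_mbps):
    """Smallest integers in the same ratio as the bandwidths, e.g.
    200:100 -> 2:1 and 100:150 -> 2:3: the per-path share count that
    ratio would need in a routing table."""
    g = reduce(gcd, link_mbps)
    return [bw // g for bw in link_mbps]


def build_buckets(counts, nbuckets=16):
    """Deal nbuckets hash buckets round-robin, each path taking `count`
    buckets per turn (simplified CEF-style table; 16 is an assumption).
    With few buckets the achieved ratio only approximates the counts."""
    buckets = []
    while len(buckets) < nbuckets:
        for path, count in enumerate(counts):
            buckets.extend([path] * count)
    return buckets[:nbuckets]


def per_destination_split(flows, counts, nbuckets=16):
    """Per-destination sharing: every packet of a (src, dst) pair follows
    the path its hash bucket points at, so the split depends on the flow
    mix.  flows: list of (src, dst, mbps).  Returns Mbps per path."""
    buckets = build_buckets(counts, nbuckets)
    load = [0.0] * len(counts)
    for src, dst, mbps in flows:
        bucket = zlib.crc32(f"{src}->{dst}".encode()) % nbuckets
        load[buckets[bucket]] += mbps
    return load


def per_packet_split(npackets, counts):
    """Per-packet sharing: packets are dealt round-robin over the share
    table, so the ratio is exact but one flow's packets are spread over
    all paths (the out-of-sequence risk Ben mentions on unequal paths)."""
    table = [path for path, count in enumerate(counts) for _ in range(count)]
    load = [0] * len(counts)
    for i in range(npackets):
        load[table[i % len(table)]] += 1
    return load


def utilisation(load_mbps, link_mbps):
    """Fraction of each link in use; equal values mean 'equally utilised'."""
    return [load / bw for load, bw in zip(load_mbps, link_mbps)]


if __name__ == "__main__":
    links = [200, 100]                       # Ethernet #1 and #2 from the thread
    print("ideal 150M:", proportional_split(150, links))   # [100.0, 50.0]
    print("ideal 250M:", proportional_split(250, links))
    counts = share_counts(links)             # [2, 1]
    print("share counts:", counts, "buckets:", build_buckets(counts))
    # Constructed flow mix: two large flows plus fifty small ones (150M total).
    flows = [("10.0.0.1", "192.0.2.10", 60), ("10.0.0.2", "192.0.2.11", 40)]
    flows += [(f"10.0.1.{i}", "192.0.2.20", 1) for i in range(50)]
    actual = per_destination_split(flows, counts)
    print("per-destination:", actual, "utilisation:", utilisation(actual, links))
    print("per-packet (300 pkts):", per_packet_split(300, counts))
```

With many small flows the per-destination result approaches the 2:1 ratio; with a handful of large flows it can land well away from it, which is why a pair of links that is "equally utilised" on paper can still run one link hot. The per-packet path hits the ratio exactly, at the price of reordering inside a flow when the two paths differ in latency.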
From td_miles at yahoo.com Mon Feb 16 02:02:05 2009
From: td_miles at yahoo.com (Tony)
Date: Sun, 15 Feb 2009 23:02:05 -0800 (PST)
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <994486.58791.qm@web110103.mail.gq1.yahoo.com>

Hi Andy,

What do you run as IGP then so that we can help you out?

If static routes, then you can do it by having multiple routes that are to the same destination.

eg. on 2x serial links you might have:

serial1 = 200Mbps (10.1.1.1/30)
serial2 = 100Mbps (10.1.1.5/3)

You would then add static routes like this:

ip route x y serial1
ip route x y 10.1.1.2
ip route x y serial2

This way when you do "show ip route x" you would see something like:

* directly connected via serial1
    Route metric is 0, traffic share count is 1
* directly connected via serial2
    Route metric is 0, traffic share count is 1
* 10.1.1.2
    Route metric is 0, traffic share count is 1

Your router would then divide the traffic into three with one third going to each of the destinations configured. The fact that two of those destinations are the same link means that two thirds will go down your 200Mbps link and one third down your 100Mbps link.

This is fairly basic and doesn't scale very well, but will work.

regards,
Tony.

From illcritikz at gmail.com Mon Feb 16 02:06:19 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 16 Feb 2009 17:36:19 +1030
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
In-Reply-To: <994486.58791.qm@web110103.mail.gq1.yahoo.com>
References: <56F211C5E3F24F47B103EA1B253822BE03654BFA@vic-cr-ex1.staff.netspace.net.au> <994486.58791.qm@web110103.mail.gq1.yahoo.com>
Message-ID: <4422cf660902152306o502d9d7du338317c80cd8e946@mail.gmail.com>

Alternatively if you are using BGP, have a look at BGP Link Bandwidth
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftbgplb.html
From andy.saykao at staff.netspace.net.au Mon Feb 16 02:39:55 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 16 Feb 2009 18:39:55 +1100
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BFC@vic-cr-ex1.staff.netspace.net.au>

Hi Tony,

Thanks for that.

Yeah I saw an example of that at:

http://blog.ioshints.info/2007/02/unequal-load-split-with-static-routes.html

It's a nice trick to know. Although when one link goes down, I believe you'll lose packets (or they may be delayed or resent) as the load-sharing algorithm uses round-robin to distribute the load and doesn't take into account whether the link has gone down or not.

Cheers.

Andy
From andy.saykao at staff.netspace.net.au Mon Feb 16 02:47:13 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 16 Feb 2009 18:47:13 +1100
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654BFD@vic-cr-ex1.staff.netspace.net.au>

Tony - we run OSPF as our IGP.

Ben - on our WAN link we run BGP. We also have ethernet circuits between our POPS in each capital city which we run OSPF over. I'll give that link a read.

Thanks
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From td_miles at yahoo.com Mon Feb 16 04:03:33 2009
From: td_miles at yahoo.com (Tony)
Date: Mon, 16 Feb 2009 01:03:33 -0800 (PST)
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654BFC@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <250176.21315.qm@web110109.mail.gq1.yahoo.com>

Hi Andy,

What happens when one link goes down depends on a few variables. In the simplest case it works as you would expect.
Eg:

ip route 0.0.0.0 0.0.0.0 ATM0.1 5
ip route 0.0.0.0 0.0.0.0 Tunnel0 5

router#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 5, metric 0 (connected), candidate default path
  Routing Descriptor Blocks:
  * directly connected, via ATM0.1
      Route metric is 0, traffic share count is 1
    directly connected, via Tunnel0
      Route metric is 0, traffic share count is 1

router#conf t
router(config)#int tun0
router(config-if)#shut

router#sho ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 5, metric 0 (connected), candidate default path
  Routing Descriptor Blocks:
  * directly connected, via ATM0.1
      Route metric is 0, traffic share count is 1

In this case shutting down the tunnel0 interface removed the route to that interface from the list of valid routes and there is no load sharing anymore.

regards,
Tony.

--- On Mon, 16/2/09, Andy Saykao wrote:

> From: Andy Saykao
> Subject: RE: Load Balancing of Unequal Ethernet Bandwidth
> To: td_miles at yahoo.com
> Cc: cisco-nsp at puck.nether.net
> Date: Monday, 16 February, 2009, 6:39 PM
> Hi Tony,
>
> Thanks for that.
>
> Yeah I saw an example of that at:
>
> http://blog.ioshints.info/2007/02/unequal-load-split-with-static-routes.html
>
> It's a nice trick to know. Although when one link goes down, I believe
> you'll lose packets (or they may be delayed or resent) as the
> load-sharing algorithm uses round-robin to distribute the load and
> doesn't take into account whether the link has gone down or not.
>
> Cheers.
>
> Andy
>
> -----Original Message-----
> From: Tony [mailto:td_miles at yahoo.com]
> Sent: Monday, 16 February 2009 6:02 PM
> To: Andy Saykao
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
>
> Hi Andy,
>
> What do you run as IGP then so that we can help you out ?
>
> If static routes, then you can do it by having multiple routes
> that are to the same destination.
>
> eg.
> on 2x serial links you might have:
>
> serial1 = 200Mbps (10.1.1.1/30)
> serial2 = 100Mbps (10.1.1.5/3)
>
> You would then add static routes like this:
> ip route x y serial1
> ip route x y 10.1.1.2
> ip route x y serial2
>
> This way when you do "show ip route x" you would see something like:
>
> * directly connected via serial1
>     Route metric is 0, traffic share count is 1
> * directly connected via serial2
>     Route metric is 0, traffic share count is 1
> * 10.1.1.2
>     Route metric is 0, traffic share count is 1
>
> Your router would then divide the traffic into three with one third
> going to each of the destinations configured. The fact that two of those
> destinations are the same link means that two thirds will go down your
> 200Mbps link and one third down your 100Mbps link.
>
> This is fairly basic and doesn't scale very well, but will work.
>
> regards,
> Tony.
>
> --- On Mon, 16/2/09, Andy Saykao wrote:
>
> > From: Andy Saykao
> > Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
> > To: "Ben Steele"
> > Cc: cisco-nsp at puck.nether.net
> > Date: Monday, 16 February, 2009, 5:39 PM
> > Hi Ben,
> >
> > When I googled around, there were many discussions about using the
> > variance command with eigrp but we don't run eigrp internally as our
> > IGP.
> >
> > This is a typical setup where we need to upgrade some of our links, so
> > we might upgrade 50M on the second leg and end up with a situation
> > where the first leg is 100M and the second leg is 150M. As you may
> > know, some providers aren't so flexible so you can't just upgrade 25M
> > on each leg because they increment by 50M per leg only. Hence my
> > question if it was possible to load balance across unequal ethernet
> > circuits without buying additional bandwidth for both circuits.
> >
> > Thanks.
> > Andy
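Tony's trick above (two static routes over the 200M link and one over the 100M link, each with traffic share count 1) and Andy's worry about what happens when a link dies can both be seen in a small model. The following Python is an added example, not code from the thread or from Cisco: it keeps a list of routing descriptor blocks, pins each flow to a block by hashing its (src, dst) pair, and withdraws every block that resolves through an interface once that interface is reported down, which is exactly the case Tony demonstrates with "shut" on Tunnel0. The hash, the flow samples and the class names are constructed; the real CEF hash and bucket layout are not reproduced.

```python
"""Toy model of IOS-style per-destination load sharing over routing
descriptor blocks (added example, not from the thread or from IOS).
Assumptions (constructed): every block has traffic share count 1, as in
Tony's "show ip route" output; a flow is pinned to a block by hashing its
(src, dst) pair; a block is withdrawn only when the router sees its egress
interface go down."""
import hashlib
from collections import Counter


class Rib:
    """Routing descriptor blocks for one destination prefix."""

    def __init__(self):
        self.blocks = []

    def add_static(self, egress, next_hop=None, share=1):
        # A route via a next-hop IP still resolves to an egress interface
        # (Tony's "ip route x y 10.1.1.2" goes out serial1).
        self.blocks.append({"egress": egress, "next_hop": next_hop,
                            "share": share, "up": True})

    def interface_down(self, egress):
        # Interface down => connected subnet gone => every block that
        # resolves through it is removed from the valid set.
        for b in self.blocks:
            if b["egress"] == egress:
                b["up"] = False

    def valid_blocks(self):
        return [b for b in self.blocks if b["up"]]

    def pick(self, src, dst):
        """Choose the block for a flow, weighted by traffic share count."""
        buckets = [b for b in self.valid_blocks() for _ in range(b["share"])]
        if not buckets:
            raise LookupError("no valid route")
        digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
        return buckets[int.from_bytes(digest[:4], "big") % len(buckets)]


def build_example_rib():
    """Tony's trick: two routes over the 200M link, one over the 100M link."""
    rib = Rib()
    rib.add_static("serial1")                       # ip route x y serial1
    rib.add_static("serial1", next_hop="10.1.1.2")  # ip route x y 10.1.1.2
    rib.add_static("serial2")                       # ip route x y serial2
    return rib


def sample_flows(n):
    """Constructed (src, dst) pairs standing in for real flows."""
    return [(f"10.{i % 200}.{(i * 7) % 250}.{i % 254 + 1}",
             f"192.0.2.{i % 254 + 1}") for i in range(n)]


def share_by_interface(rib, flows):
    """Fraction of flows sent out each egress interface."""
    counts = Counter(rib.pick(src, dst)["egress"] for src, dst in flows)
    total = sum(counts.values())
    return {iface: n / total for iface, n in counts.items()}


if __name__ == "__main__":
    rib = build_example_rib()
    print("all links up:", share_by_interface(rib, sample_flows(3000)))
    rib.interface_down("serial1")
    print("serial1 down:", share_by_interface(rib, sample_flows(3000)))
```

With all links up roughly two thirds of the flows leave via serial1 and one third via serial2, the 200:100 ratio Tony describes. The model also shows the limit of the trick: the blocks only disappear when the router learns the interface is down. If the far end fails while the local interface stays up/up (a provider switch in between is the usual reason), the two serial1 blocks stay valid and the flows hashed to them are black-holed, which is the packet loss Andy is worried about; something other than interface state has to withdraw the route in that case.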
From avayner at cisco.com Mon Feb 16 07:58:15 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 16 Feb 2009 13:58:15 +0100
Subject: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654BFD@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654BFD@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D73AA10F@xmb-ams-331.emea.cisco.com>

One trick you could do is to use VLANs to virtualize the links...

On the 100M link run a single VLAN while on the 200M link run 2 sub interfaces, each on a different VLAN. This would create 3 equal cost paths (well, you need to set the cost manually to be the same) and you would get automatic load sharing.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao
Sent: Monday, February 16, 2009 09:47
To: Ben Steele; td_miles at yahoo.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth

Tony - we run OSPF as our IGP.

Ben - on our WAN link we run BGP. We also have ethernet circuits between our POPS in each capital city which we run OSPF over. I'll give that link a read.

Thanks

________________________________

From: Ben Steele [mailto:illcritikz at gmail.com]
Sent: Monday, 16 February 2009 6:06 PM
To: td_miles at yahoo.com
Cc: Andy Saykao; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth

Alternatively if you are using BGP, have a look at BGP Link Bandwidth
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftbgplb.html

On Mon, Feb 16, 2009 at 5:32 PM, Tony wrote:

Hi Andy,

What do you run as IGP then so that we can help you out ?

If static routes, then you can do it by having multiple routes that are to the same destination.

eg.
on 2x serial links you might have:

serial1 = 200Mbps (10.1.1.1/30)
serial2 = 100Mbps (10.1.1.5/3)

You would then add static routes like this:
ip route x y serial1
ip route x y 10.1.1.2
ip route x y serial2

This way when you do "show ip route x" you would see something like:

* directly connected via serial1
    Route metric is 0, traffic share count is 1
* directly connected via serial2
    Route metric is 0, traffic share count is 1
* 10.1.1.2
    Route metric is 0, traffic share count is 1

Your router would then divide the traffic into three with one third going to each of the destinations configured. The fact that two of those destinations are the same link means that two thirds will go down your 200Mbps link and one third down your 100Mbps link.

This is fairly basic and doesn't scale very well, but will work.

regards,
Tony.

From avayner at cisco.com Mon Feb 16 07:59:32 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 16 Feb 2009 13:59:32 +0100
Subject: [c-nsp] Router requirement
In-Reply-To: <49985B91.6060706@whole-uk.com>
References: <49985B91.6060706@whole-uk.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D73AA110@xmb-ams-331.emea.cisco.com>

Pete,

You are looking for a CPE and not a service aggregation point, right? Can you provide a bit more info about what kind of services this CPE would be terminating?

What kind of interfaces do you need to support? (copper/fiber? FE/GE?)
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pete Barnwell
Sent: Sunday, February 15, 2009 20:15
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Router requirement

Hi,

Wonder if anybody can help me with selecting the right router for CPE? It needs to be able to handle 100Mb/s delivered over FE, doing a bit of QoS and a few ACLs but no dynamic routing protocols.

Thanks

Pete

From avayner at cisco.com Mon Feb 16 11:24:03 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 16 Feb 2009 17:24:03 +0100
Subject: [c-nsp] Router requirement
In-Reply-To: <4999924C.6060708@whole-uk.com>
References: <49985B91.6060706@whole-uk.com> <78C984F8939D424697B15E4B1C1BB3D73AA110@xmb-ams-331.emea.cisco.com> <4999924C.6060708@whole-uk.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D73AA23C@xmb-ams-331.emea.cisco.com>

Peter,

So would something like the ME3400 be relevant:
http://www.cisco.com/en/US/products/ps6580/index.html

Note that there is a small model with only 2 ports, which is supposed to take a CPE role: ME-3400G-2CS-A

Arie

-----Original Message-----
From: Pete Barnwell [mailto:peter at whole-uk.com]
Sent: Monday, February 16, 2009 18:20
To: Arie Vayner (avayner)
Subject: Re: [c-nsp] Router requirement

Arie Vayner (avayner) wrote:
> Pete,
>
> You are looking for a CPE and not a service aggregation point, right?
> Can you provide a bit more info about what kind of services this CPE
> would be terminating?
>
> What kind of interfaces do you need to support? (copper/fiber? FE/GE?)

Hi Arie,

Yes, CPE. It's to terminate a LAN extension that is handed off as Copper FE to us by the Telco.
We need to handle a mix of data & voice - in this particular instance a fair chunk of the bandwidth is VPN, but that's terminated on an existing device. We just need to be able to priority queue the voice traffic, really.

Regards

Pete

From vegasnetman at gmail.com Mon Feb 16 11:55:31 2009
From: vegasnetman at gmail.com (Ozar)
Date: Mon, 16 Feb 2009 08:55:31 -0800
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
Message-ID: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com>

I am starting to see random BGP neighbor messages from multiple neighbors on different boxes.

%BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or corrupt AS path) 516 bytes

I don't see much documentation on this, and we are in the process of opening a TAC case, just curious if anyone else has seen these and may be able to shed some light.

Thanks

From Grzegorz at Janoszka.pl Mon Feb 16 12:14:08 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Mon, 16 Feb 2009 18:14:08 +0100
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com>
Message-ID: <49999EE0.20001@Janoszka.pl>

Ozar wrote:
> I am starting to see random BGP neighbor messages from multiple neighbors on
> different boxes.
>
> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or corrupt
> AS path) 516 bytes
>
> I don't see much documentation on this, and we are in the process of opening
> a TAC case, just curious if anyone else has seen these and may be able to
> shed some light.
No, it is not software error, it is extremly long as-path: AS path: 3356 29113 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 I -- Grzegorz Janoszka From zeusdadog at gmail.com Mon Feb 16 12:27:35 2009 From: zeusdadog at gmail.com (Jay Nakamura) Date: Mon, 16 Feb 2009 12:27:35 -0500 Subject: [c-nsp] 3/11 (invalid or corrupt AS path) In-Reply-To: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> Message-ID: 
<9418aca70902160927o6dcb7d29x313aaa1615f8e55e@mail.gmail.com> (Forgot to CC c-nsp) Someone is advertising a block with insane long prepend. We added it to our filter list and it seems most providers have filtered out that route by now. Our 28xx decided to flip out with IBGP. IOS 12.4(21). Is this a bug? Is there a bugID on this or a workaround to filter insane route? Can I filter prefix by how big it is? It's this route. #sh ip bgp 94.125.216.0 BGP routing table entry for 94.125.216.0/21, version 92436 Paths: (2 available, best #1, table Default-IP-Routing-Table) Flag: 0x820 Not advertised to any peer x.x.x.x from y.y.y.y (z.z.z.z) Origin IGP, metric 10, localpref 100, valid, external, best Community: 13697912 13697913 209 1299 29113 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 4 On Mon, Feb 16, 2009 at 11:55 AM, Ozar wrote: > I am starting to see random BGP neighbor messages from multiple neighbors > on > different boxes. > > %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or > corrupt > AS path) 516 bytes > > I dont see much documentation on this, and we are in the process of opening > a TAC case, just curious if anyone else has seen these and may be able to > shed some light. > > > Thanks > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jzp-cnsp at rsuc.gweep.net Mon Feb 16 13:07:19 2009 From: jzp-cnsp at rsuc.gweep.net (Joe Provo) Date: Mon, 16 Feb 2009 13:07:19 -0500 Subject: [c-nsp] 3/11 (invalid or corrupt AS path) In-Reply-To: <49999EE0.20001@Janoszka.pl> References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> Message-ID: <20090216180719.GA54362@gweep.net> On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote: > Ozar wrote: > >I am starting to see random BGP neighbor messages from multiple neighbors > >on > >different boxes. > > > >%BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or > >corrupt > >AS path) 516 bytes [snip] > No, it is not software error, it is extremly long as-path: The message itself, correct. The flapping sessions observed on some code, the long path is indeed triggering some bug. It is immaterial if it is the revival of an ld bug or a new one, there are folks flapping over this (and related) paths. Providers without some level of sanity filters (really need many-multiples the current diameter of the net?) 
should be shamed into limiting their customer's prepends.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From tomas at caslavsky.cz Mon Feb 16 13:07:01 2009
From: tomas at caslavsky.cz (Tomas Caslavsky)
Date: Mon, 16 Feb 2009 19:07:01 +0100
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <9418aca70902160927o6dcb7d29x313aaa1615f8e55e@mail.gmail.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <9418aca70902160927o6dcb7d29x313aaa1615f8e55e@mail.gmail.com>
Message-ID: <4999AB45.6080006@caslavsky.cz>

Hello,

I have spoken with AS29113 admin and they will fix( block or what ) issue with their customer AS47868

Regards

Tomas

Jay Nakamura wrote:
> (Forgot to CC c-nsp)
>
> Someone is advertising a block with insane long prepend. We added it to our
> filter list and it seems most providers have filtered out that route by now.
>
> Our 28xx decided to flip out with IBGP. IOS 12.4(21). Is this a bug? Is
> there a bugID on this or a workaround to filter insane route? Can I filter
> prefix by how big it is?
>
> It's this route.
> [snip]

From rodunn at cisco.com Mon Feb 16 13:51:01 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 16 Feb 2009 13:51:01 -0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <4999AB45.6080006@caslavsky.cz>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <9418aca70902160927o6dcb7d29x313aaa1615f8e55e@mail.gmail.com> <4999AB45.6080006@caslavsky.cz>
Message-ID: <20090216185101.GA6184@rtp-cse-489.cisco.com>

I've got a few questions I'm still trying to answer in my head on this one.

a) Why it got down the update path so far if the default maxas limit is 75?

b) Were the notifications to tear the sessions down only on really old IOS code that doesn't have the changes to just mark them invalid.

Does anyone have the 'sh ip bgp nei ' output from a router that ***SENT*** a notification on receiving the update? If so, what was the upstream code version that propagated the update to you.
Rodney

On Mon, Feb 16, 2009 at 07:07:01PM +0100, Tomas Caslavsky wrote:
> Hello,
>
> I have spoken with AS29113 admin and they will fix( block or what )
> issue with their customer AS47868
>
> Regards
>
> Tomas
>
> [snip]

From tdonahue at vonsystems.com Mon Feb 16 13:25:32 2009
From: tdonahue at vonsystems.com (Tim Donahue)
Date: Mon, 16 Feb 2009 13:25:32 -0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <20090216180719.GA54362@gweep.net>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net>
Message-ID: <4999AF9C.5070800@vonsystems.com>

Joe Provo wrote:
> On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote:
>> Ozar wrote:
>>> I am starting to see random BGP neighbor messages from multiple neighbors
>>> on different boxes.
>>>
>>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or
>>> corrupt AS path) 516 bytes
> [snip]
>> No, it is not software error, it is extremely long as-path:
>
> The message itself, correct. The flapping sessions observed on some
> code, the long path is indeed triggering some bug. It is immaterial
> if it is the revival of an old bug or a new one, there are folks
> flapping over this (and related) paths. Providers without some level
> of sanity filters (really need many-multiples the current diameter of
> the net?) should be shamed into limiting their customer's prepends.
> According to the NANOG thread on this, it would seem that the bug would be CSCdr54230. Tim From rodunn at cisco.com Mon Feb 16 14:07:38 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Mon, 16 Feb 2009 14:07:38 -0500 Subject: [c-nsp] 3/11 (invalid or corrupt AS path) In-Reply-To: <4999AF9C.5070800@vonsystems.com> References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> Message-ID: <20090216190738.GC6184@rtp-cse-489.cisco.com> That would have to be *real* old code. That was fixed back in the 12.1(4) and 12.0(10)S3 days. On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote: > Joe Provo wrote: > > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote: > >> Ozar wrote: > >>> I am starting to see random BGP neighbor messages from multiple neighbors > >>> on > >>> different boxes. > >>> > >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or > >>> corrupt > >>> AS path) 516 bytes > > [snip] > >> No, it is not software error, it is extremly long as-path: > > > > The message itself, correct. The flapping sessions observed on some > > code, the long path is indeed triggering some bug. It is immaterial > > if it is the revival of an ld bug or a new one, there are folks > > flapping over this (and related) paths. Providers without some level > > of sanity filters (really need many-multiples the current diameter of > > the net?) should be shamed into limiting their customer's prepends. > > > > According to the NANOG thread on this, it would seem that the bug would > be CSCdr54230. 
> > Tim > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From chris at chrisserafin.com Mon Feb 16 14:21:09 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Mon, 16 Feb 2009 13:21:09 -0600 Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations? In-Reply-To: References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com> Message-ID: <4999BCA5.9070003@chrisserafin.com> David Hughes wrote: > > > On 14/02/2009, at 2:52 AM, ChrisSerafin wrote: > >> I will have a pair of 2960's upstream that will have 2 bonded >> etherchannels going into each switch blade from each 2960. The >> etherchannels will be trunk links and then I will configure the >> internal virtual switchports as trunks going into the XEN >> Server....XEN is just like VMware/ESX...... the server tags the VLANs >> depending on what network they need to be on. >> >> >> Make sense at all? I've been google'ing until my eyes bleed trying to >> get up to speed on these devices. > > Yup, that makes perfect sense and is similar to our architecture (if > you substitute 6500 for 2960 you'd pretty much have our standard > setup). We run nodes of ESX farms on blades in this configuration. > If you are planning on dense virtualisation or multi-node farms then > you'll need to be running MST for your spanning tree. Running any > form of per vlan STP will have you running out of STP instances before > you run out of vlans you need to trunk to your ESX / Xen boxes. > That brings up a good point about STP. If I have 1 etherchannel going from each switch blade to each upstream switch, will the switches detect the loops or do I need to manually configure this? Thanks for your comments! 
--chris

From musmanashraf at gmail.com Mon Feb 16 14:41:34 2009
From: musmanashraf at gmail.com (M Usman Ashraf)
Date: Tue, 17 Feb 2009 00:41:34 +0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <20090216190738.GC6184@rtp-cse-489.cisco.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com>
Message-ID: <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com>

Hi List,

We have just experienced the same problem on SRC but with a different reason:

%BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/11 (invalid or corrupt AS path) 518 bytes 50020202 02009531 23012306 71B9BAFC BA

23w4d: BGP: X.X.X.X Bad attributes

Feb 16 21:26:04.918 pst: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from X.X.X.X:
FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 022C 0200 0002 1140 0101 0050 0202 0202
0095 3123 0123 0671 B9BA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA
FCBA--

Any idea of the reason? Or what can be a bad message for BGP that can tear down an adjacency?

Regards,

M Usman Ashraf

On Tue, Feb 17, 2009 at 12:07 AM, Rodney Dunn wrote:
> That would have to be *real* old code.
>
> That was fixed back in the 12.1(4)
>
> and 12.0(10)S3 days.
> > On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote: > > Joe Provo wrote: > > > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote: > > >> Ozar wrote: > > >>> I am starting to see random BGP neighbor messages from multiple > neighbors > > >>> on > > >>> different boxes. > > >>> > > >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or > > >>> corrupt > > >>> AS path) 516 bytes > > > [snip] > > >> No, it is not software error, it is extremly long as-path: > > > > > > The message itself, correct. The flapping sessions observed on some > > > code, the long path is indeed triggering some bug. It is immaterial > > > if it is the revival of an ld bug or a new one, there are folks > > > flapping over this (and related) paths. Providers without some level > > > of sanity filters (really need many-multiples the current diameter of > > > the net?) should be shamed into limiting their customer's prepends. > > > > > > > According to the NANOG thread on this, it would seem that the bug would > > be CSCdr54230. 
> > > > Tim > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rodunn at cisco.com Mon Feb 16 15:32:11 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Mon, 16 Feb 2009 15:32:11 -0500 Subject: [c-nsp] 3/11 (invalid or corrupt AS path) In-Reply-To: <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> Message-ID: <20090216203211.GK9203@rtp-cse-489.cisco.com> We are working on that. I'll let you know once I have more. 
Rodney On Tue, Feb 17, 2009 at 12:41:34AM +0500, M Usman Ashraf wrote: > Hi List, > > We have just experience the same problem on SRC but with a different reason, > > %BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/11 (invalid or corrupt AS path) > 518 bytes 50020202 02009531 23012306 71B9BAFC BA > > 23w4d: BGP: X.X.X.X Bad attributes > > Feb 16 21:26:04.918 pst: %BGP-4-MSGDUMP: unsupported or mal-formatted message > received from X.X.X.X: > FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 022C 0200 0002 1140 0101 0050 0202 0202 > 0095 3123 0123 0671 B9BA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA > FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA FCBA > FCBA-- > > Any idea of reason? or what can be a bad message for BGP that can tear down > adjacency ? > > Regards, > > M Usman Ashraf > > > > On Tue, Feb 17, 2009 at 12:07 AM, Rodney Dunn wrote: > > That would have to be *real* old code. > > That was fixed back in the 12.1(4) > > and 12.0(10)S3 days. > > On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote: > > Joe Provo wrote: > > > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote: > > >> Ozar wrote: > > >>> I am starting to see random BGP neighbor messages from multiple > neighbors > > >>> on > > >>> different boxes. > > >>> > > >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or > > >>> corrupt > > >>> AS path) 516 bytes > > > [snip] > > >> No, it is not software error, it is extremly long as-path: > > > > > > The message itself, correct. The flapping sessions observed on some > > > code, the long path is indeed triggering some bug. 
It is immaterial > > > if it is the revival of an ld bug or a new one, there are folks > > > flapping over this (and related) paths. Providers without some level > > > of sanity filters (really need many-multiples the current diameter of > > > the net?) should be shamed into limiting their customer's prepends. > > > > > > > According to the NANOG thread on this, it would seem that the bug would > > be CSCdr54230. > > > > Tim > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > From steve.mcnamara at gmail.com Mon Feb 16 15:46:03 2009 From: steve.mcnamara at gmail.com (Steve McNamara) Date: Mon, 16 Feb 2009 20:46:03 +0000 Subject: [c-nsp] WS-SVC-IDSM-2 visio icon In-Reply-To: <1A9866F953006D45AEE0166066114E09159929F7@TPMAIL02.corp.theplatform.com> References: <494a4f80902120830y1d9f055elaf506f3a737ce4da@mail.gmail.com> <1A9866F953006D45AEE0166066114E09159929F7@TPMAIL02.corp.theplatform.com> Message-ID: <494a4f80902161246mf50868aofb4b3c0f7da9fc@mail.gmail.com> Apologies for the delay in replying, romantic weekends always get in the way :-) Thanks for the replies, I recognise the FWSM icon is very similar, I was more concerned that I couldn't find it in the Cisco complete Visio zip and though there might be another location I could get it from. Cheers Steve On Thu, Feb 12, 2009 at 18:31, Gregori Parker wrote: > If you're after a physical icon, just doctor the FWSM, there's not much > difference. 
> > If you're after a logical icon, the generally accepted icon for IDS (at > least in my world) is the one called "SwitchProbe" in the Cisco logical > shapes list - it's the cube with a magnifying glass on it. > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. > Streiner > Sent: Thursday, February 12, 2009 9:43 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] WS-SVC-IDSM-2 visio icon > > On Thu, 12 Feb 2009, Steve McNamara wrote: > >> I'm looking for a Visio icon for a WS-SVC-IDSM-2 icon without any >> luck. I've downloaded the complete Viso icon zip from >> http://www.cisco.com/en/US/products/prod_visio_icon_list.html, but >> there's no icon for this module? There are other service modules such >> as NAM1 & 2 in the 6500 shape stencil, but not this one. Does anyone >> know where it can be found or have any other suggestions? > > If it comes down to it, you can always make one on your own. I've had > to > do that in several cases. 
> > jms
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From markom at markom.info Mon Feb 16 16:00:02 2009
From: markom at markom.info (Marko Milivojevic)
Date: Mon, 16 Feb 2009 21:00:02 +0000
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <20090216203211.GK9203@rtp-cse-489.cisco.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com>
Message-ID:

On Mon, Feb 16, 2009 at 20:32, Rodney Dunn wrote:
> We are working on that. I'll let you know once I have more.

We've got one of these on our node running SRB3. It was triggered on only one session when being announced to a customer.

From rodunn at cisco.com Mon Feb 16 16:05:37 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 16 Feb 2009 16:05:37 -0500
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To:
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com>
Message-ID: <20090216210537.GS9203@rtp-cse-489.cisco.com>

One of those what?

All I want is:

sh ver
sh log
sh ip bgp

on a box that SENT the BGP notification on receipt of the update.

Don't send it if the BGP session went down because the notification was received.

rodney

On Mon, Feb 16, 2009 at 09:00:02PM +0000, Marko Milivojevic wrote:
> On Mon, Feb 16, 2009 at 20:32, Rodney Dunn wrote:
> > We are working on that. I'll let you know once I have more.
>
> We've got one of these on our node running SRB3. It was triggered on
> only one session when being announced to a customer.

From justin at justinshore.com Mon Feb 16 16:45:29 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 16 Feb 2009 15:45:29 -0600
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <20090216210537.GS9203@rtp-cse-489.cisco.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> <20090216210537.GS9203@rtp-cse-489.cisco.com>
Message-ID: <4999DE79.8020508@justinshore.com>

I don't know if it's related or not, but one of my borders and another nearly identical box much further into the network logged these within 18 seconds of each other:

Feb 16 10:23:38 10.64.0.1 968577: 968585: Feb 16 10:23:37 CST: %BGP-6-BIGCHUNK: Big chunk pool request (522) for aspath. Replenishing with malloc

Both are running 12.4(15)Tn releases.

Justin

Rodney Dunn wrote:
> One of those what?
>
> All I want is:
>
> sh ver
> sh log
> sh ip bgp
>
> on a box that SENT the BGP notification on receipt of the update.
>
> Don't send it if the BGP session went down because the notification
> was received.
>
> rodney
>
> On Mon, Feb 16, 2009 at 09:00:02PM +0000, Marko Milivojevic wrote:
>> On Mon, Feb 16, 2009 at 20:32, Rodney Dunn wrote:
>>> We are working on that. I'll let you know once I have more.
>> We've got one of these on our node running SRB3. It was triggered on
>> only one session when being announced to a customer.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From euang+cisco-nsp at lists.eusahues.co.uk Mon Feb 16 16:58:50 2009
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Mon, 16 Feb 2009 21:58:50 +0000
Subject: [c-nsp] 3/11 (invalid or corrupt AS path)
In-Reply-To: <4999DE79.8020508@justinshore.com>
References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> <20090216210537.GS9203@rtp-cse-489.cisco.com> <4999DE79.8020508@justinshore.com>
Message-ID: <20090216215850.GA9884@hyperion.eusahues.co.uk>

On Mon, Feb 16, 2009 at 03:45:29PM -0600, Justin Shore wrote:
> I don't know if it's related or not but one of my borders and another
> nearly identical box much further into the network logged these with 18
> seconds of each other:
> Feb 16 10:23:38 10.64.0.1 968577: 968585: Feb 16 10:23:37 CST:
> %BGP-6-BIGCHUNK: Big chunk pool request (522) for aspath. Replenishing with
> malloc

Related, but that's just an informational "I've had to go and do a rather unexpectedly large request for memory, but I have, just thought I would mention it" message.

--
Euan Galloway

From ibrahim.abozaid at gmail.com Mon Feb 16 17:00:17 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 17 Feb 2009 00:00:17 +0200
Subject: [c-nsp] VRF-Lite and VRF Source-select
Message-ID:

Hi All,

I was reading about the VRF Source-select feature and want to know whether this is supported with VRF-Lite or needs an MPLS-VPN backbone?

best regards
--Ibrahim

From David at hughes.com.au Mon Feb 16 16:52:44 2009
From: David at hughes.com.au (David Hughes)
Date: Tue, 17 Feb 2009 07:52:44 +1000
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <4999BCA5.9070003@chrisserafin.com>
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com> <4999BCA5.9070003@chrisserafin.com>
Message-ID: <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au>

On 17/02/2009, at 5:21 AM, ChrisSerafin wrote:
> That brings up a good point about STP. If I have 1 etherchannel
> going from each switch blade to each upstream switch, will the
> switches detect the loops or do I need to manually configure this?
> Thanks for your comments!

The blade switches operate as separate switches and can be viewed as if they were your normal 29xx or 35xx access switch, depending on the CIGESM you buy (well, with a couple of caveats about their management interfaces).

If the switches are connected to your network via a single etherchannel then there's no possibility of a loop, other than a mis-configured etherchannel. You don't get loops, but you don't get any redundancy at the network layer either. In this setup I assume you are using some form of NIC teaming and failover on the blades themselves for redundancy. That's not going to pick up a failed uplink on your primary switching path, as most teaming drivers only look at link state on the NIC.

If you are following a "normal" dual attached model, where each access switch (be it a top of rack switch or a blade switch module) is uplinked to 2 different switches, then you get link redundancy but naturally need STP. If you are running dense virtualisation or vm server farms then the STP you should be running is MST.

Thanks
David ...
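Returning to the 3/11 (invalid or corrupt AS path) thread above: the following is an added example, not code from the list, from Cisco or from any poster. It shows what a receiving speaker does with the AS_PATH of an UPDATE: decode the segments, count AS hops and apply the kind of prepend sanity limit Joe Provo argues for (IOS exposes this as `bgp maxas-limit`), and reject a structurally inconsistent AS_PATH, which is exactly what NOTIFICATION error code 3, subcode 11 (UPDATE Message Error, Malformed AS_PATH, RFC 4271) reports. Assumptions: the session uses 2-octet ASNs, the 75-hop limit is an arbitrary choice, and all three sample UPDATE messages are constructed here (ASN 47868 is taken from the prepended path quoted in the thread; 64496 to 64498 and 192.0.2.0/24 are documentation values).

```python
"""Decode a BGP UPDATE's AS_PATH, count AS hops and apply a prepend limit.
Added example for the 3/11 thread; not code from the list or from Cisco.
Assumes 2-octet ASNs; the sample messages at the bottom are constructed."""
import struct

BGP_UPDATE = 2
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3
AS_SET, AS_SEQUENCE = 1, 2
ATTR_EXT_LEN = 0x10                      # extended-length bit in attribute flags
HEADER_ERROR, UPDATE_ERROR = 1, 3        # RFC 4271 NOTIFICATION error codes
MALFORMED_ATTR_LIST, MALFORMED_AS_PATH = 1, 11   # UPDATE error subcodes


class BgpError(Exception):
    """Carries the NOTIFICATION error code / subcode a receiver would send."""
    def __init__(self, code, subcode, msg):
        super().__init__(msg)
        self.code, self.subcode = code, subcode


def encode_as_path(segments):
    """[(segment_type, [asn, ...])] -> AS_PATH attribute value (2-octet ASNs)."""
    return b"".join(struct.pack("!BB", stype, len(asns))
                    + b"".join(struct.pack("!H", a) for a in asns)
                    for stype, asns in segments)


def build_update(as_path_value):
    """Constructed UPDATE: ORIGIN IGP, the given AS_PATH value, NEXT_HOP 192.0.2.1
    and one NLRI 192.0.2.0/24 (documentation addresses, not from the thread)."""
    attrs = bytes([0x40, ORIGIN, 1, 0])
    attrs += (bytes([0x40 | ATTR_EXT_LEN, AS_PATH])
              + struct.pack("!H", len(as_path_value)) + as_path_value)
    attrs += bytes([0x40, NEXT_HOP, 4, 192, 0, 2, 1])
    body = struct.pack("!HH", 0, len(attrs)) + attrs + bytes([24, 192, 0, 2])
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body


def parse_as_path(value):
    """AS_PATH value -> [(segment_type, [asn, ...])].
    Any inconsistency found here is what a peer reports as NOTIFICATION 3/11."""
    segments, i = [], 0
    while i < len(value):
        if i + 2 > len(value):
            raise BgpError(UPDATE_ERROR, MALFORMED_AS_PATH, "truncated segment header")
        stype, count = value[i], value[i + 1]
        i += 2
        if stype not in (AS_SET, AS_SEQUENCE):
            raise BgpError(UPDATE_ERROR, MALFORMED_AS_PATH, "unknown segment type %d" % stype)
        if count == 0 or i + 2 * count > len(value):
            raise BgpError(UPDATE_ERROR, MALFORMED_AS_PATH,
                           "segment claims %d ASNs, attribute too short" % count)
        segments.append((stype, list(struct.unpack("!%dH" % count, value[i:i + 2 * count]))))
        i += 2 * count
    return segments


def parse_update(msg):
    """Raw UPDATE -> {'as_path': segments or None, 'nlri': [(prefix_len, prefix_bytes)]}."""
    if len(msg) < 23 or msg[:16] != b"\xff" * 16:
        raise BgpError(HEADER_ERROR, 1, "connection not synchronized")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or mtype != BGP_UPDATE:
        raise BgpError(HEADER_ERROR, 2, "bad message length or type")
    body = msg[19:]
    wlen = struct.unpack("!H", body[:2])[0]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs, nlri = body[4 + wlen:4 + wlen + alen], body[4 + wlen + alen:]
    result, i = {"as_path": None, "nlri": []}, 0
    while i < len(attrs):
        flags, code = attrs[i], attrs[i + 1]
        if flags & ATTR_EXT_LEN:
            vlen, i = struct.unpack("!H", attrs[i + 2:i + 4])[0], i + 4
        else:
            vlen, i = attrs[i + 2], i + 3
        if i + vlen > len(attrs):
            raise BgpError(UPDATE_ERROR, MALFORMED_ATTR_LIST, "attribute overruns list")
        if code == AS_PATH:
            result["as_path"] = parse_as_path(attrs[i:i + vlen])
        i += vlen
    j = 0
    while j < len(nlri):
        plen, nbytes = nlri[j], (nlri[j] + 7) // 8
        result["nlri"].append((plen, nlri[j + 1:j + 1 + nbytes]))
        j += 1 + nbytes
    return result


def as_hops(segments):
    """Every ASN in an AS_SEQUENCE counts; an AS_SET counts as one hop (RFC 4271 9.1.2.2)."""
    return sum(len(asns) if stype == AS_SEQUENCE else 1 for stype, asns in segments)


def check_update(msg, max_as=75):
    """'accept', 'drop-long-path' (the sanity filter; IOS `bgp maxas-limit` behaves
    the same way) or 'notify-<code>/<subcode>' for a message a peer would reject."""
    try:
        upd = parse_update(msg)
    except BgpError as e:
        return "notify-%d/%d" % (e.code, e.subcode)
    return "drop-long-path" if as_hops(upd["as_path"] or []) > max_as else "accept"


# Constructed samples: a normal three-hop path, a path shaped like the one quoted
# in the thread (one upstream, then 120 prepends of 47868), and an AS_PATH whose
# segment header claims 40 ASNs but carries only two.
NORMAL = build_update(encode_as_path([(AS_SEQUENCE, [64496, 64497, 64498])]))
PREPENDED = build_update(encode_as_path([(AS_SEQUENCE, [64496] + [47868] * 120)]))
MALFORMED = build_update(bytes([AS_SEQUENCE, 40]) + struct.pack("!HH", 64496, 47868))

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL), ("prepended", PREPENDED), ("malformed", MALFORMED)):
        print("%-9s %s" % (name, check_update(msg)))
```

The long-path verdict is a receiver-side guard only; it keeps a box from carrying a 120-hop path any further, but as the thread notes the cleaner fix is for the provider announcing the path to cap its customer's prepends before it reaches anyone else.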
From rodunn at cisco.com Mon Feb 16 20:20:52 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Mon, 16 Feb 2009 20:20:52 -0500 Subject: [c-nsp] 3/11 (invalid or corrupt AS path) In-Reply-To: <4999DE79.8020508@justinshore.com> References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> <20090216210537.GS9203@rtp-cse-489.cisco.com> <4999DE79.8020508@justinshore.com> Message-ID: <20090217012052.GG11958@rtp-cse-489.cisco.com> That's fine. It just means we fell back to malloc a block that could hold it. On Mon, Feb 16, 2009 at 03:45:29PM -0600, Justin Shore wrote: > I don't know if it's related or not but one of my borders and another > nearly identical box much further into the network logged these with > 18 seconds of each other: > > Feb 16 10:23:38 10.64.0.1 968577: 968585: Feb 16 10:23:37 CST: > %BGP-6-BIGCHUNK: Big chunk pool request (522) for aspath. > Replenishing with malloc > > Both are running 12.4(15)Tn releases. > > Justin > > > > Rodney Dunn wrote: > >One of those what? > > > >All I want is: > > > >sh ver > >sh log > >sh ip bgp > > > >on a box that SENT the BGP notification on receipt of the update. > > > >Don't send it if the BGP session when down because the notification > >was received. > > > >rodney > > > >On Mon, Feb 16, 2009 at 09:00:02PM +0000, Marko Milivojevic wrote: > >>On Mon, Feb 16, 2009 at 20:32, Rodney Dunn wrote: > >>>We are working on that. I'll let you know once I have more. > >>We've got one of these on our node running SRB3. It was trigerred on > >>only one session when being announced to a customer. 
> >_______________________________________________ > >cisco-nsp mailing list cisco-nsp at puck.nether.net > >https://puck.nether.net/mailman/listinfo/cisco-nsp > >archive at http://puck.nether.net/pipermail/cisco-nsp/ From cayers at ena.com Mon Feb 16 21:30:36 2009 From: cayers at ena.com (Cory Ayers) Date: Mon, 16 Feb 2009 20:30:36 -0600 Subject: [c-nsp] Router requirement In-Reply-To: <4998F62B.6070105@gmx.de> References: <49985B91.6060706@whole-uk.com> <4998F62B.6070105@gmx.de> Message-ID: We have a 2801 that holds at ~35% CPU while pushing 70Mbps+ from port to port day in/out: basic QOS, BGP for default origination only, 12.4(1c) Advanced IP Services K9. Naturally if you add NAT, NBAR, extensive QOS, etc. these numbers will change dramatically. IMO a 2821 would definitely do the job and provide copper Gigabit capabilities, although not wire speed. However, depending on what you're trying to do, the ME3400-2CS-A might be the best choice with both optical and electrical hand-offs and scalability to Gigabit. We typically prefer a 2800 at the edge for links <100Mbps for features like NAT, and go with a switch for anything >100Mbps. Cory >>Pete Barnwell wrote: >> Hi, >> >> Wonder if anybody can help me with selecting the right router for CPE? >> It needs to be able to handle 100Mb/s delivered over FE, doing a bit of >> QoS and a few ACLs but no dynamic routing protocols. > >If you can live with a worst-case scenario of 87MBit, a 2821 might be >decent choice, too. Typical throughput, even with moderate QoS/ACL >should be well over 100M (maybe even with a 2811). Otherwise, a 3825 >with its two 1G interfaces built in would be a real good alternative to >the rather pricey 72k ... 
>-garry

From kwbales at kwbales.net Mon Feb 16 23:52:26 2009
From: kwbales at kwbales.net (Kurt Bales)
Date: Tue, 17 Feb 2009 15:52:26 +1100
Subject: [c-nsp] VPDN Multihop
Message-ID:

Hi All,

There is probably an obvious answer to this, but I am failing to make it work the way I want, so I'm asking the resident experts.

We are a wholesale ISP taking DSL tails as L2TP from carriers.

We have an LNS which is currently set up to switch these sessions to downstream channel partners based on a match against the domain/REALM.

For one of the realms on which we receive L2TP sessions, we would like to select a destination (either locally terminated or switched-to-channel-partner) on a per-account basis. These currently are switched to us on a per-account basis by our upstream provider doing per-account authentication and A/V pairs to forward the sessions. Their A/V pairs are setting a tunnel-id for these.

Our thought was to leverage the "multihop-hostname" command under a request-dialin configured VPDN-group.

The documentation on CCO seems to imply that it can be used to match against a VPDN tunnel-id, but we could not get that to work.

"multihop-hostname

To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command."

We tried configuring a vpdn-group with a multihop hostname/initiate-to/local name/l2tp tunnel password; surely that would be enough to correctly match and therefore switch the session across to the downstream LNS?

Unfortunately we could not get it to work. The error coming back was complaining that it could not assign a virtual-template to the session, which would seem to imply an attempt to terminate the session locally:

Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize action (1 pending sessions)
Feb 17 12:14:18: SSS PM [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed
Feb 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for registered user
Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need More Keys action
Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
Feb 17 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent
Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Destroying app session
Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Stopping service selection
Feb 17 12:14:18: L2X SSS [uid:606]: Disc sent to SSS
Feb 17 12:14:18: L2TP _____:06839:000070B5:
Feb 17 12:14:18: L2TP _____:06839:000070B5: Shutting down session
Feb 17 12:14:18: L2TP _____:06839:000070B5: Result Code
Feb 17 12:14:18: L2TP _____:06839:000070B5: Call disconnected, refer to error msg (2)
Feb 17 12:14:18: L2TP _____:06839:000070B5: Error Code
Feb 17 12:14:18: L2TP _____:06839:000070B5: Insufficient resources (4)
Feb 17 12:14:18: L2TP _____:06839:000070B5: Vendor Error
Feb 17 12:14:18: L2TP _____:06839:000070B5: None (0)
Feb 17 12:14:18: L2TP _____:06839:000070B5: Optional Message
Feb 17 12:14:18: L2TP _____:06839:000070B5: "No virtual-template specified"
Feb 17 12:14:18: L2TP _____:06839:000070B5:

vpdn enable
vpdn multihop
vpdn aaa attribute nas-port vpdn-nas
vpdn redirect
vpdn logging
vpdn logging local
vpdn logging tunnel-drop
vpdn history failure table-size 50
vpdn session-limit 2048
vpdn search-order multihop-hostname domain
vpdn domain-delimiter @ suffix
vpdn domain-delimiter / prefix
!
vpdn-group customer3
 request-dialin
  protocol l2tp
  multihop hostname
 initiate-to ip priority 1
 local name
 l2tp tunnel password 0
!

Any thoughts/suggestions?

Regards,

Kurt Bales

From illcritikz at gmail.com Tue Feb 17 00:17:12 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Tue, 17 Feb 2009 15:47:12 +1030
Subject: [c-nsp] VPDN Multihop
In-Reply-To:
References:
Message-ID: <4422cf660902162117n208606c4n2f3858ba32dd643e@mail.gmail.com>

Try it with "vpdn authen-before-forward"

Ben

On Tue, Feb 17, 2009 at 3:22 PM, Kurt Bales wrote:
> Hi All,
>
> There is probably an obvious answer to this, but I am failing to make
> it work the way I want so I'm asking the resident experts.
>
> We are a wholesale ISP taking DSL tails as L2TP from carriers.
>
> We have an LNS which is currently setup to switch these sessions to
> downstream channel partners based on match against the domain/REALM.
>
> For one of the realms on which we receive L2TP sessions, we would like
> to select a destination (either locally terminated or
> switched-to-channel-partner) on a per-account basis. These currently
> are switched to us on a per-account basis by our upstream provider
> doing per-account authentication and A/V pairs to forward the
> sessions. Their A/V pairs are setting a tunnel-id for these.
>
>
> We thought was to leverage the "multihop-hostname" command under a
> request-dialin configured VPDN-group.
>
> The documentation on CCO seems to imply that it can be used to match
> against a VPDN tunnel-id, but we could not get that to work.
>
> "multihop-hostname
>
> To enable a tunnel switch to initiate a tunnel based on the hostname
> or tunnel ID associated with an ingress tunnel, use the
> multihop-hostname command in VPDN request-dialin subgroup
> configuration mode. To disable this option, use the no form of this
> command."
> > We tried configuring up a vpdn-group with a multihop > hostname/initiate-to/local name/l2tp tunnel password, surely that > would be enough to correctly match and therefore switch the session > across to the downstream LNS? > > Unfortunately we could not get it to work, the error coming back was > complaining that it could not assign a virtual-template to the > session, which would seem to imply an attempt to terminate the session > locally > > Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize > action (1 pending sessions) Feb 17 12:14:18: SSS PM > [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed Feb > 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for > registered user Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need > More Keys from PM Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need > More Keys action Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) > IETF: 9/nas-error Ascend: 62/VPDN No Resources Feb 17 12:14:18: VPDN > uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0 Feb 17 > 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent Feb 17 12:14:18: > L2TUN APP: uid:606handle/665997Destroying app session Feb 17 12:14:18: > L2TUN APP: uid:606handle/665997Stopping service selection Feb 17 > 12:14:18: L2X SSS [uid:606]: Disc sent to SSS Feb 17 12:14:18: L2TP > _____:06839:000070B5: > Feb 17 12:14:18: L2TP _____:06839:000070B5: Shutting down session > Feb 17 12:14:18: L2TP _____:06839:000070B5: Result Code > Feb 17 12:14:18: L2TP _____:06839:000070B5: Call disconnected, > refer to error msg (2) > Feb 17 12:14:18: L2TP _____:06839:000070B5: Error Code > Feb 17 12:14:18: L2TP _____:06839:000070B5: Insufficient resources (4) > Feb 17 12:14:18: L2TP _____:06839:000070B5: Vendor Error > Feb 17 12:14:18: L2TP _____:06839:000070B5: None (0) > Feb 17 12:14:18: L2TP _____:06839:000070B5: Optional Message > Feb 17 12:14:18: L2TP _____:06839:000070B5: "No virtual-template > specified" > Feb 17 12:14:18: L2TP 
_____:06839:000070B5: > > > > vpdn enable > vpdn multihop > vpdn aaa attribute nas-port vpdn-nas > vpdn redirect > vpdn logging > vpdn logging local > vpdn logging tunnel-drop > vpdn history failure table-size 50 > vpdn session-limit 2048 > vpdn search-order multihop-hostname domain > vpdn domain-delimiter @ suffix > vpdn domain-delimiter / prefix ! > vpdn-group customer3 > request-dialin > protocol l2tp > multihop hostname > initiate-to ip priority 1 > local name > l2tp tunnel password 0 ! > > > > > Any thoughts/suggestions? > > > Regards, > > Kurt Bales > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From skeeve at skeeve.org Tue Feb 17 05:53:03 2009 From: skeeve at skeeve.org (Skeeve Stevens) Date: Tue, 17 Feb 2009 21:53:03 +1100 Subject: [c-nsp] VPDN Multihop In-Reply-To: <4422cf660902162117n208606c4n2f3858ba32dd643e@mail.gmail.com> References: <4422cf660902162117n208606c4n2f3858ba32dd643e@mail.gmail.com> Message-ID: This is a global variable and will result in all services requiring auth before being forwarded... if they have any VPDN groups which auto forward, it will break them all. ...Skeeve -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele Sent: Tuesday, 17 February 2009 4:17 PM To: Kurt Bales Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] VPDN Multihop Try it with "vpdn authen-before-forward" Ben On Tue, Feb 17, 2009 at 3:22 PM, Kurt Bales wrote: > Hi All, > > There is probably an obvious answer to this, but I am failing to make > it work the way I want so I'm asking the resident experts. > > We are a wholesale ISP taking DSL tails as L2TP from carriers. > > We have an LNS which is currently setup to switch these sessions to > downstream channel partners based on match against the domain/REALM. 
> > For one of the realms on which we receive L2TP sessions, we would like > to select a destination (either locally terminated or > switched-to-channel-partner) on a per-account basis. These currently > are switched to us on a per-account basis by our upstream provider > doing per-account authentication and A/V pairs to forward the > sessions. Their A/V pairs are setting a tunnel-id for these. > > > We thought was to leverage the "multihop-hostname" command under a > request-dialin configured VPDN-group. > > The documentation on CCO seems to imply that it can be used to match > against a VPDN tunnel-id, but we could not get that to work. > > "multihop-hostname > > To enable a tunnel switch to initiate a tunnel based on the hostname > or tunnel ID associated with an ingress tunnel, use the > multihop-hostname command in VPDN request-dialin subgroup > configuration mode. To disable this option, use the no form of this > command." > > We tried configuring up a vpdn-group with a multihop > hostname/initiate-to/local name/l2tp tunnel password, surely that > would be enough to correctly match and therefore switch the session > across to the downstream LNS? 
> > Unfortunately we could not get it to work, the error coming back was > complaining that it could not assign a virtual-template to the > session, which would seem to imply an attempt to terminate the session > locally > > Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize > action (1 pending sessions) Feb 17 12:14:18: SSS PM > [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed Feb > 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for > registered user Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need > More Keys from PM Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need > More Keys action Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) > IETF: 9/nas-error Ascend: 62/VPDN No Resources Feb 17 12:14:18: VPDN > uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0 Feb 17 > 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent Feb 17 12:14:18: > L2TUN APP: uid:606handle/665997Destroying app session Feb 17 12:14:18: > L2TUN APP: uid:606handle/665997Stopping service selection Feb 17 > 12:14:18: L2X SSS [uid:606]: Disc sent to SSS Feb 17 12:14:18: L2TP > _____:06839:000070B5: > Feb 17 12:14:18: L2TP _____:06839:000070B5: Shutting down session > Feb 17 12:14:18: L2TP _____:06839:000070B5: Result Code > Feb 17 12:14:18: L2TP _____:06839:000070B5: Call disconnected, > refer to error msg (2) > Feb 17 12:14:18: L2TP _____:06839:000070B5: Error Code > Feb 17 12:14:18: L2TP _____:06839:000070B5: Insufficient resources (4) > Feb 17 12:14:18: L2TP _____:06839:000070B5: Vendor Error > Feb 17 12:14:18: L2TP _____:06839:000070B5: None (0) > Feb 17 12:14:18: L2TP _____:06839:000070B5: Optional Message > Feb 17 12:14:18: L2TP _____:06839:000070B5: "No virtual-template > specified" > Feb 17 12:14:18: L2TP _____:06839:000070B5: > > > > vpdn enable > vpdn multihop > vpdn aaa attribute nas-port vpdn-nas > vpdn redirect > vpdn logging > vpdn logging local > vpdn logging tunnel-drop > vpdn history failure table-size 50 > vpdn 
session-limit 2048 > vpdn search-order multihop-hostname domain > vpdn domain-delimiter @ suffix > vpdn domain-delimiter / prefix ! > vpdn-group customer3 > request-dialin > protocol l2tp > multihop hostname > initiate-to ip priority 1 > local name > l2tp tunnel password 0 ! > > > > > Any thoughts/suggestions? > > > Regards, > > Kurt Bales > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From p.mayers at imperial.ac.uk Tue Feb 17 07:12:09 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Tue, 17 Feb 2009 12:12:09 +0000 Subject: [c-nsp] 6500 "Failed SCP dnld" Message-ID: <499AA999.2020504@imperial.ac.uk> All, We recently did an RPR+ upgrade of a 6509e from SXF to SXI. One of the linecards (in slot 1) didn't come back, reporting: %ONLINE-SP-6-INITFAIL: Module 1: Failed to bring up DFC %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (Module Failed SCP dnld) That card worked in a different slot. A different card also failed in slot 1. So we assumed the chassis was bad; however this morning a cold reboot of the entire chassis seems to have resolved the issue. Should we be worried? It seems to pass the GOLD diags in that slot now. From timothy.arnold at uksolutions.co.uk Tue Feb 17 08:50:41 2009 From: timothy.arnold at uksolutions.co.uk (Timothy Arnold) Date: Tue, 17 Feb 2009 13:50:41 +0000 Subject: [c-nsp] eBGP & backup static route Message-ID: Hi All, I've got a site with an ADSL connection, and an ISDN backup terminating in to a VRF. I am running an eBGP session across the ADSL link to advertise the local subnet.
#show ip route vrf XXX 10.101.0.0 Routing entry for 10.101.0.0/16 Known via "bgp 20547", distance 20, metric 0 Tag 65101, type external Last update from 172.31.255.2 00:00:03 ago Routing Descriptor Blocks: * 172.31.255.2, from 172.31.255.2, 00:00:03 ago Route metric is 0, traffic share count is 1 AS Hops 1 That works great. When the backup kicks in, radius inserts a framed route #show ip route vrf XXX 10.101.0.0 Routing entry for 10.101.0.0/16 Known via "static", distance 250, metric 0 Redistributing via bgp 20547 Advertised by bgp 20547 Routing Descriptor Blocks: * 172.31.255.10 Route metric is 0, traffic share count is 1 That works great too. The issue I have is that the static route is not replaced by the eBGP learned route when the ADSL returns, even though the distance is lower? It is only replaced when the backup link is terminated. Any ideas? Thanks Tim Timothy Arnold Senior Engineer, Network & Security Group, UKSolutions Telephone: 0845 004 1333, option 2 Email: timothy.arnold at uksolutions.co.uk Web: http://www.uksolutions.co.uk/ UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered in England Number 3036806 This email must be read in conjunction with the legal & service notices on http://www.uksolutions.co.uk/disclaimer From saku+cisco-nsp at ytti.fi Tue Feb 17 08:58:43 2009 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Tue, 17 Feb 2009 15:58:43 +0200 Subject: [c-nsp] eBGP & backup static route In-Reply-To: References: Message-ID: <20090217135843.GA26612@mx.ytti.net> On (2009-02-17 13:50 +0000), Timothy Arnold wrote: > #show ip route vrf XXX 10.101.0.0 > Routing entry for 10.101.0.0/16 > Known via "bgp 20547", distance 20, metric 0 > #show ip route vrf XXX 10.101.0.0 > Routing entry for 10.101.0.0/16 > Known via "static", distance 250, metric 0 > > The issue I have is that the static route is not replaced by the eBGP learned route when the ADSL returns, even though the distance is lower?
It is only replaced when the backup link is terminated. If those are different routers, you need to redistribute the static as inferior BGP route, i.e. reduce local-pref to 80. -- ++ytti From oboehmer at cisco.com Tue Feb 17 09:21:23 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 17 Feb 2009 15:21:23 +0100 Subject: [c-nsp] eBGP & backup static route In-Reply-To: <20090217135843.GA26612@mx.ytti.net> References: <20090217135843.GA26612@mx.ytti.net> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> Saku Ytti <> wrote on Tuesday, February 17, 2009 14:59: > On (2009-02-17 13:50 +0000), Timothy Arnold wrote: > >> #show ip route vrf XXX 10.101.0.0 >> Routing entry for 10.101.0.0/16 >> Known via "bgp 20547", distance 20, metric 0 >> #show ip route vrf XXX 10.101.0.0 >> Routing entry for 10.101.0.0/16 >> Known via "static", distance 250, metric 0 >> >> The issue I have is that it the static route is not replaced by the >> eBGP learned route when the ADSL returns, even though the distance >> is lower? It is only replaced when the backup link is terminated. > > If those are different routers, you need to redistribute the static as > inferior BGP route, i.e. reduce local-pref to 80. don't think this will help as a locally-originated route is preferred over almost anything due to the higher weight (32768, if I recall correctly), so the eBGP path will not be installed (and would win over the static due to admin distance). you need to set the weight on the eBGP path to be the same (or higher) value or reduce it to zero (to match the eBGP path) when redistributing the static (not 100% sure if the latter works, I think it does).. 
oli From deric.kwok2000 at gmail.com Tue Feb 17 09:52:12 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Tue, 17 Feb 2009 09:52:12 -0500 Subject: [c-nsp] concept question Message-ID: <40d8a95a0902170652w616e7abv266a66537a3c3be1@mail.gmail.com> Hi All I don't know about the vty concept and set valid time in access list I saw the mailing list about vty 5 10? Why don't setup vty 0 10? and there is vty 0 4 and vty 5 10? Why? and how to set valid time in access list Thank you for your help From tim at pelican.org Tue Feb 17 09:54:17 2009 From: tim at pelican.org (Tim Franklin) Date: Tue, 17 Feb 2009 14:54:17 -0000 (GMT) Subject: [c-nsp] eBGP & backup static route In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> References: <20090217135843.GA26612@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> Message-ID: On Tue, February 17, 2009 2:21 pm, Oliver Boehmer (oboehmer) wrote: > don't think this will help as a locally-originated route is preferred > over almost anything due to the higher weight (32768, if I recall > correctly), so the eBGP path will not be installed (and would win over > the static due to admin distance). you need to set the weight on the > eBGP path to be the same (or higher) value or reduce it to zero (to > match the eBGP path) when redistributing the static (not 100% sure if > the latter works, I think it does).. It does indeed. 'set weight 0 / set local-pref less-than-default' is in the route-map for pretty much all our redistributing back-up routing protocols into BGP. Regards, Tim. 
From timothy.arnold at uksolutions.co.uk Tue Feb 17 10:53:02 2009 From: timothy.arnold at uksolutions.co.uk (Timothy Arnold) Date: Tue, 17 Feb 2009 15:53:02 +0000 Subject: [c-nsp] eBGP & backup static route In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> References: <20090217135843.GA26612@mx.ytti.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> Message-ID: > don't think this will help as a locally-originated route is preferred > over almost anything due to the higher weight (32768, if I recall > correctly), so the eBGP path will not be installed (and would win over > the static due to admin distance). you need to set the weight on the > eBGP path to be the same (or higher) value or reduce it to zero (to > match the eBGP path) when redistributing the static (not 100% sure if > the latter works, I think it does).. Setting the weight to 32768 has solved the problem. I'm going to try and set the weight to 0 on redistributed static routes as that would be a better approach for me! 
Thanks Tim Timothy Arnold Senior Engineer, Network & Security Group, UKSolutions Telephone: 0845 004 1333, option 2 Email: timothy.arnold at uksolutions.co.uk Web: http://www.uksolutions.co.uk/ UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered in England Number 3036806 This email must be read in conjunction with the legal & service notices on http://www.uksolutions.co.uk/disclaimer From saku+cisco-nsp at ytti.fi Tue Feb 17 11:16:41 2009 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Tue, 17 Feb 2009 18:16:41 +0200 Subject: [c-nsp] eBGP & backup static route In-Reply-To: References: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> Message-ID: <20090217161641.GA28783@mx.ytti.net> On (2009-02-17 15:53 +0000), Timothy Arnold wrote: > > don't think this will help as a locally-originated route is preferred > > over almost anything due to the higher weight (32768, if I recall > > correctly), so the eBGP path will not be installed (and would win over > > the static due to admin distance). you need to set the weight on the > > eBGP path to be the same (or higher) value or reduce it to zero (to > > match the eBGP path) when redistributing the static (not 100% sure if > > the latter works, I think it does).. > > Setting the weight to 32768 has solved the problem. I'm going to try and set the weight to 0 on redistributed static routes as that would be a better approach for me! Is this one or more boxes? Weight does not travel. So if it is multiple boxes, only thing you need to do, is to ensure that the backup route is seen by the network as worse than the primary route, when the primary route comes back. So if after outage is over, and primary is back on, primary PE still uses the backup route, it is not because of weight, since the primary does not experience the weight of the backup.
Only thing setting weight 0 on the backup does, is makes sure that also local traffic behind backup PE, starts to flow via primary, instead of choosing the local backup route. If it is indeed same box (ouch, backup and primary in same box, I hope not) then resetting weight is needed. -- ++ytti From tim at pelican.org Tue Feb 17 11:59:48 2009 From: tim at pelican.org (Tim Franklin) Date: Tue, 17 Feb 2009 16:59:48 -0000 (GMT) Subject: [c-nsp] eBGP & backup static route In-Reply-To: <20090217161641.GA28783@mx.ytti.net> References: <70B7A1CCBFA5C649BD562B6D9F7ED78406E59FE2@xmb-ams-333.emea.cisco.com> <20090217161641.GA28783@mx.ytti.net> Message-ID: <8a92ae07314b1b5460de9b5e1cf5b481.squirrel@webmail.pelican.org> On Tue, February 17, 2009 4:16 pm, Saku Ytti wrote: > Only thing setting weight 0 on the backup does, is makes sure that > also local traffic behind backup PE, starts to flow via primary, > instead of choosing the local backup route. And also forces the backup PE to consider the primary route in his BGP best-path selection. If you leave the weight as 32768, the backup PE will always select the redist-from-static route as the best path, and announce it to the network, which means you still have to play with other knobs to make sure the rest of the network picks the primary route (and you're wasting resource sending the route around / forcing all the other boxes to make that decision). Weight 0 lets you contain the route on the backup PE (by decreased localpref, increased localpref on the primary, whatever other magic) and never announce it to other BGP speakers. > If it is indeed same box (ouch, backup and primary in same box, > I hope not) then resetting weight is needed. Or if your PE split is on access-type rather than just role. "DSL PE" is common - if this site has DSL backup, but other sites in the VPN are DSL primary, you can get the smaller sites all using the backup connection of the larger site. Regards, Tim. 
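As an added illustration of the point Oliver, Tim and Saku make above (this is not code from the thread), the model below runs the two selection stages that happen on one router: BGP picks its best path first, and only that winner is offered to the RIB, where administrative distance is compared. It models only the weight and local-preference steps of the IOS best-path algorithm (enough for this case); the route-map name STATIC-TO-BGP in the comments is hypothetical, and the distances 20/250 and the weight 32768 are the thread's values.

```python
"""Two-stage route selection on one IOS box: BGP best path, then RIB admin distance.

Added example, not from the thread. Only the weight and local-preference steps
of the best-path algorithm are modeled, and the fact that BGP hands the RIB
nothing but its single best path.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BgpPath:
    name: str
    weight: int            # local to the router, never advertised to neighbours
    local_pref: int        # 100 unless a route-map changes it
    install_distance: int  # admin distance the RIB would apply if this path is offered


def bgp_best_path(paths: List[BgpPath]) -> BgpPath:
    """Highest weight wins, then highest local-pref; later steps are not needed here."""
    return max(paths, key=lambda p: (p.weight, p.local_pref))


def rib_selection(static_distance: int, paths: List[BgpPath]) -> str:
    """Which route ends up forwarding: 'static' or 'ebgp'."""
    best = bgp_best_path(paths)
    if best.name == "redistributed-static":
        # BGP's winner is the static itself, so BGP offers the RIB nothing new;
        # the static stays installed at distance 250 and the unused eBGP path
        # never gets its distance compared at all.
        return "static"
    # Otherwise the eBGP candidate is offered and the RIB compares distances.
    return "ebgp" if best.install_distance < static_distance else "static"


def scenario(redist_weight: int, redist_local_pref: int) -> str:
    """Primary eBGP path (weight 0, distance 20) versus the redistributed backup
    static (distance 250) carrying the given weight and local-pref."""
    paths = [
        BgpPath("ebgp", weight=0, local_pref=100, install_distance=20),
        BgpPath("redistributed-static", weight=redist_weight,
                local_pref=redist_local_pref, install_distance=250),
    ]
    return rib_selection(250, paths)


# Default: the locally sourced static keeps weight 32768 and wins inside BGP,
# so distance 20 versus 250 is never evaluated and the backup keeps forwarding.
DEFAULT = scenario(32768, 100)

# Hypothetical route-map applied on "redistribute static route-map STATIC-TO-BGP":
#   route-map STATIC-TO-BGP permit 10
#    set weight 0
#    set local-preference 80
# Now the eBGP path wins inside BGP, reaches the RIB at distance 20 and replaces
# the static as soon as the ADSL session comes back.
WITH_ROUTE_MAP = scenario(0, 80)

if __name__ == "__main__":
    print("default redistribution   ->", DEFAULT)
    print("weight 0 / local-pref 80 ->", WITH_ROUTE_MAP)
```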
From vijay.ramcharan at verizonbusiness.com Tue Feb 17 12:08:55 2009 From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A) Date: Tue, 17 Feb 2009 17:08:55 +0000 Subject: [c-nsp] FWSM w/v4 code In-Reply-To: <4993440B.4060901@umn.edu> Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB316F1EB@ASHEVS006.mcilink.com> Be very careful with "clear configure access-list". Running it without the ACL name will remove ALL access-lists, no prompts, at least on the 3.x version that I ran it on. I know it's wishful thinking but it would be nice to be provided a confirmation prompt for something as detrimental as removing all access-lists. Vijay Ramcharan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua Sent: February 11, 2009 16:33 To: Childs, Aaron Cc: 'cisco-nsp at puck.nether.net' Subject: Re: [c-nsp] FWSM w/v4 code That command is deprecated. New syntax is: "clear configure " you can continue to use the old syntax to remove a particular ACE from an ACL, use the above to blow away the ACL completely. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Childs, Aaron wrote: > Good Afternoon, > > > > A couple of months ago I upgraded our FWSM to version 4 of the code. I > applied a new access-list today and wanted to remove an old one. To my > amazement "no access-list blah" is no longer a valid command. I have tried > to ask the oracle of Google and Cisco, but I can't find an answer. Could > someone please direct me to the proper documentation? 
> > > > Thank you, > > Aaron > > > > ------------- > Aaron Childs > Assistant Director, Networking > Westfield State College > http://www.wsc.ma.edu/it/ > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From bennetb at gmail.com Tue Feb 17 14:19:02 2009 From: bennetb at gmail.com (Brandon Bennett) Date: Tue, 17 Feb 2009 12:19:02 -0700 Subject: [c-nsp] concept question In-Reply-To: <40d8a95a0902170652w616e7abv266a66537a3c3be1@mail.gmail.com> References: <40d8a95a0902170652w616e7abv266a66537a3c3be1@mail.gmail.com> Message-ID: > > > Why don't setup vty 0 10? > and there is vty 0 4 and vty 5 10? Why? > > It's just a relic of older IOS's that didn't support more than 5 vtys. So your config would still work on these older versions as the first vty 0 4 would go through and 'vty 5 10' stanza would error out. If it was just vty '0 10' then no line configs would be passed down and possibly preventing you from successfully logging in leading to possible downtime to do a password recovery or to roll a tech. Does it matter to you? No. You can refer to it as vty 0 and be just fine when configuring your lines. Just the config will display in the Lowest Common Denominator and still split them up. Not sure why so many people get hung up on this point.
-Brandon CCIE #19406 From rodunn at cisco.com Tue Feb 17 15:15:20 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 17 Feb 2009 15:15:20 -0500 Subject: [c-nsp] 3/11 (invalid or corrupt AS path) In-Reply-To: <20090216203211.GK9203@rtp-cse-489.cisco.com> References: <8cd002180902160855m983c0c8i7783085c7d946f55@mail.gmail.com> <49999EE0.20001@Janoszka.pl> <20090216180719.GA54362@gweep.net> <4999AF9C.5070800@vonsystems.com> <20090216190738.GC6184@rtp-cse-489.cisco.com> <9149d2410902161141o1677894fwc49bf9f12d77bcc@mail.gmail.com> <20090216203211.GK9203@rtp-cse-489.cisco.com> Message-ID: <20090217201520.GQ17200@rtp-cse-489.cisco.com> Here is my update to NANOG... I'll post again once I have a further update. Date: Tue, 17 Feb 2009 15:11:57 -0500 From: Rodney Dunn To: Ivan Pepelnjak Subject: Re: anyone else seeing very long AS paths? Cc: nanog at nanog.org Ivan, It is confusing but from what I have tested you have it correct. The confusing part comes from multiple issues. a) The documentation about the default maxas limit being 75 appears to be incorrect. I'll get that fixed. b) Prior to CSCee30718 there was a hard limit of 255. After that fix AS sets of more than 255 should work. c) CSCeh13489 implemented the maxas command to mark it as invalid and not send. There does appear to be an issue when you cross the 255 boundary and the next hop router sends a notification back. I've got it recreated in the lab and we are working to clearly understand why that is. I'll post an update once we have more. The way to prevent it is the upstream device that crosses the 255 boundary on sending needs to use the maxas limit command to keep it less than 255. It doesn't work on the device that receives the update with the AS path larger than 255. Rodney -=- On Mon, Feb 16, 2009 at 03:32:11PM -0500, Rodney Dunn wrote: > We are working on that. I'll let you know once I have more. 
> > Rodney > > On Tue, Feb 17, 2009 at 12:41:34AM +0500, M Usman Ashraf wrote: > > Hi List, > > > > We have just experienced the same problem on SRC but with a different reason, > > > > %BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 3/11 (invalid or corrupt AS path) > > 518 bytes 50020202 02009531 23012306 71B9BAFC BA > > > > 23w4d: BGP: X.X.X.X Bad attributes > > > > Feb 16 21:26:04.918 pst: %BGP-4-MSGDUMP: unsupported or mal-formatted message > > received from X.X.X.X: > > > > Any idea of reason? or what can be a bad message for BGP that can tear down > > adjacency ? > > > > Regards, > > > > M Usman Ashraf > > > > > > > > On Tue, Feb 17, 2009 at 12:07 AM, Rodney Dunn wrote: > > > > That would have to be *real* old code. > > > > That was fixed back in the 12.1(4) > > > > and 12.0(10)S3 days. > > > > On Mon, Feb 16, 2009 at 01:25:32PM -0500, Tim Donahue wrote: > > > Joe Provo wrote: > > > > On Mon, Feb 16, 2009 at 06:14:08PM +0100, Grzegorz Janoszka wrote: > > > >> Ozar wrote: > > > >>> I am starting to see random BGP neighbor messages from multiple > > neighbors > > > >>> on > > > >>> different boxes. > > > >>> > > > >>> %BGP-3-NOTIFICATION: received from neighbor X.X.X.X 3/11 (invalid or > > > >>> corrupt > > > >>> AS path) 516 bytes > > > > [snip] > > > >> No, it is not software error, it is extremely long as-path: > > > > > > > > The message itself, correct.
The flapping sessions observed on some > > > > code, the long path is indeed triggering some bug. It is immaterial > > > > if it is the revival of an old bug or a new one, there are folks > > > > flapping over this (and related) paths. Providers without some level > > > > of sanity filters (really need many-multiples the current diameter of > > > > the net?) should be shamed into limiting their customers' prepends. > > > > > > > > > > According to the NANOG thread on this, it would seem that the bug would > > > be CSCdr54230. > > > > > > Tim > > > _______________________________________________ > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > > > > From justin at justinshore.com Tue Feb 17 15:41:33 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 17 Feb 2009 14:41:33 -0600 Subject: [c-nsp] Cat 2350 switches vs everything else Message-ID: <499B20FD.9040800@justinshore.com> Does anyone have any comparison docs that cover the new Cat 2350, 3560E and 4948-10GE? I mention those specifically since they all have 10G support. One nice thing I noted about the 2350 is that it has DC power support. I don't know if it has dual PSUs but at least it can run on DC. Prior to that the lowest DC switch I could get was a 4948 (old 2900s had DC options too I think but those are ancient). http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10116/data_sheet_c78-521169.html For those not wanting to follow the link, the 2350 supports the TwinGig modules in the 10G bays just like the 3560E, 3750E, 4900M and the Sup6E in the 4500s. I also see jumbo frame support on the list. All good so far.
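Returning to the 3/11 (invalid or corrupt AS path) thread above, and Rodney's note that the failure appears when a sender crosses the 255 boundary: the following is an added example, not code from the thread, from Cisco or from NANOG. It is a receiver-side parser for the AS_PATH attribute of a BGP UPDATE (RFC 4271 layout, 2-byte AS numbers as in that era) run over two constructed messages with private-use ASNs, one of 200 ASes and one of 256. The one-octet segment length counts ASes, so 256 cannot be represented in it; the parser treats a segment whose length octet reads zero as malformed, which is the condition a 3/11 NOTIFICATION (UPDATE message error, subcode Malformed AS_PATH) reports, and it shows why a receive-side maxas check comes too late for that case.

```python
"""Receiver-side AS_PATH check for a BGP UPDATE (RFC 4271, 2-byte ASNs).

Added example, not code from the thread or any vendor. Two UPDATEs are built
with constructed private-use ASNs: a 200-AS path that parses, and a 256-AS
path whose one-octet segment length wraps to zero and is rejected as malformed.
"""
import struct

MARKER = b"\xff" * 16
AS_SET, AS_SEQUENCE = 1, 2
ATTR_ORIGIN, ATTR_AS_PATH = 1, 2
FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x40, 0x10


class MalformedASPath(ValueError):
    """Corresponds to NOTIFICATION error code 3 (UPDATE), subcode 11."""


def build_update(as_numbers):
    """Constructed UPDATE: ORIGIN IGP plus one AS_SEQUENCE segment, no NLRI.
    The segment length octet is written modulo 256, which is only faithful
    for fewer than 256 ASes; that is the sender-side failure being modeled."""
    segment = bytes([AS_SEQUENCE, len(as_numbers) & 0xFF]) + b"".join(
        struct.pack("!H", asn) for asn in as_numbers)
    attrs = bytes([FLAG_TRANSITIVE, ATTR_ORIGIN, 1, 0])          # ORIGIN = IGP
    attrs += (bytes([FLAG_TRANSITIVE | FLAG_EXT_LEN, ATTR_AS_PATH])
              + struct.pack("!H", len(segment)) + segment)        # AS_PATH, extended length
    body = struct.pack("!HH", 0, len(attrs)) + attrs               # no withdrawn routes
    return MARKER + struct.pack("!HB", 19 + len(body), 2) + body   # header: length, type UPDATE


def parse_as_path(value):
    """Decode the AS_PATH attribute value into [(segment_type, [asn, ...]), ...]."""
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise MalformedASPath("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise MalformedASPath(f"bad segment type {seg_type:#x} at offset {pos}")
        if count == 0:
            # Length counts ASes; a segment carrying none is treated as malformed here.
            raise MalformedASPath(f"zero-length segment at offset {pos}")
        pos += 2
        if pos + 2 * count > len(value):
            raise MalformedASPath("segment runs past end of attribute")
        segments.append((seg_type, list(struct.unpack(f"!{count}H", value[pos:pos + 2 * count]))))
        pos += 2 * count
    return segments


def parse_update(msg):
    """Walk an UPDATE as far as AS_PATH and return the flat list of AS numbers."""
    if len(msg) < 19 or msg[:16] != MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or msg_type != 2:
        raise ValueError("not a complete UPDATE message")
    pos = 19
    pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]            # skip withdrawn routes
    attr_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    end, as_path = pos + attr_len, None
    while pos < end:
        flags, attr_type = msg[pos], msg[pos + 1]
        if flags & FLAG_EXT_LEN:
            alen, pos = struct.unpack("!H", msg[pos + 2:pos + 4])[0], pos + 4
        else:
            alen, pos = msg[pos + 2], pos + 3
        if attr_type == ATTR_AS_PATH:
            as_path = parse_as_path(msg[pos:pos + alen])
        pos += alen
    if as_path is None:
        raise MalformedASPath("AS_PATH attribute missing")
    return [asn for _, asns in as_path for asn in asns]


def receiver_verdict(msg, maxas_limit=None):
    """Accept, discard for an over-long path, or send NOTIFICATION 3/11.
    Syntax is checked first, so a receive-side maxas-limit never sees a path
    the parser already rejected; the length must be capped on the sending side."""
    try:
        path = parse_update(msg)
    except MalformedASPath as exc:
        return f"NOTIFICATION 3/11 (invalid or corrupt AS path): {exc}"
    if maxas_limit is not None and len(path) > maxas_limit:
        return f"path of {len(path)} ASes exceeds maxas-limit {maxas_limit}: route discarded"
    return f"accepted, {len(path)} ASes"


# Constructed sample paths (private-use ASNs, not the ones in the thread).
GOOD_UPDATE = build_update([64496, 64497, 64498] + [64499] * 197)     # 200 ASes
WRAPPED_UPDATE = build_update([64496, 64497, 64498] + [64499] * 253)  # 256 ASes, count octet wraps

if __name__ == "__main__":
    print(receiver_verdict(GOOD_UPDATE))
    print(receiver_verdict(GOOD_UPDATE, maxas_limit=75))
    print(receiver_verdict(WRAPPED_UPDATE))
```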
Justin From danletkeman at gmail.com Tue Feb 17 22:35:56 2009 From: danletkeman at gmail.com (Dan Letkeman) Date: Tue, 17 Feb 2009 21:35:56 -0600 Subject: [c-nsp] ip dns server load information Message-ID: Hello, I'm interested in using a cisco router as a DNS server and I was wondering if anyone has real world experience or documentation that could inform me as to how many users/clients could one router handle if it were the primary dns server. Also, i'm wondering if there is a way to have a router act as a slave dns server? Or would there be a way to cluster them? Thanks, Dan. From brett at looney.id.au Wed Feb 18 01:49:58 2009 From: brett at looney.id.au (Brett Looney) Date: Wed, 18 Feb 2009 15:49:58 +0900 Subject: [c-nsp] ip dns server load information In-Reply-To: References: Message-ID: <000001c99195$23564220$6a02c660$@id.au> > I'm interested in using a cisco router as a DNS server and I was > wondering if anyone has real world experience or documentation that > could inform me as to how many users/clients could one router handle > if it were the primary dns server. Don't do that for any reasonable number of users. In my experience it is fine as a SOHO type DNS server (sub 20 users maybe) but under any load it fails rapidly and unpredictably. If you are using it in a small environment, make sure the upstream DNS servers are rock solid. B. 
From adrian at creative.net.au Wed Feb 18 02:33:24 2009 From: adrian at creative.net.au (Adrian Chadd) Date: Wed, 18 Feb 2009 16:33:24 +0900 Subject: [c-nsp] ip dns server load information In-Reply-To: <000001c99195$23564220$6a02c660$@id.au> References: <000001c99195$23564220$6a02c660$@id.au> Message-ID: <20090218073324.GG14136@skywalker.creative.net.au> On Wed, Feb 18, 2009, Brett Looney wrote: > > I'm interested in using a cisco router as a DNS server and I was > > wondering if anyone has real world experience or documentation that > > could inform me as to how many users/clients could one router handle > > if it were the primary dns server. > > Don't do that for any reasonable number of users. In my experience it is > fine as a SOHO type DNS server (sub 20 users maybe) but under any load it > fails rapidly and unpredictably. If you are using it in a small environment, > make sure the upstream DNS servers are rock solid. Hm, does it still exhibit that weird "will only handle 1 outstanding DNS request at a time" behaviour that I swore I saw when debugging issues? Adrian From gert at greenie.muc.de Wed Feb 18 11:04:00 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 18 Feb 2009 17:04:00 +0100 Subject: [c-nsp] TestSPRPInbandPing...? Message-ID: <20090218160400.GY290@greenie.muc.de> Hi, should I be worried...?? Feb 18 16:44:38: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 Feb 18 16:45:15: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 Feb 18 16:45:51: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 Feb 18 16:46:28: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3 Feb 18 16:47:43: %CONST_DIAG-SP-6-HM_TEST_RECOVERED: Module 5 TestSPRPInbandPing recovered after 9 consecutive failure(s) (this is on a 6506, Sup720-10G, SXH3a code) Besides the syslog messages, everything seems well-behaved... 
gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From chris at chrisserafin.com Wed Feb 18 11:06:50 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Wed, 18 Feb 2009 10:06:50 -0600 Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations? In-Reply-To: <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au> References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com> <4999BCA5.9070003@chrisserafin.com> <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au> Message-ID: <499C321A.6@chrisserafin.com> What MST config do you suggest and on what if not all of the switches? The docs from Cisco go into crazy configurations, and I only need basic STP functions: 2 core switches with an etherchannel link from each of them to each blade switch. David Hughes wrote: > > On 17/02/2009, at 5:21 AM, ChrisSerafin wrote: > >> That brings up a good point about STP. If I have 1 etherchannel going >> from each switch blade to each upstream switch, will the switches >> detect the loops or do I need to manually configure this? Thanks for >> your comments! > > The blade switches operate as separate switches and can be viewed as > if they were your normal 29xx or 35xx access switch depending on the > CIGESM you buy (well, with a couple of caveats about their management > interfaces). If the switches are connected to your network via a > single etherchannel then there's no possibility of a loop - other than > a mis-configured etherchannel. You don't get loops but you don't get > any redundancy at the network layer.
In this setup I assume you are > using some form of NIC teaming and failover on the blades themselves > for redundancy. That's not going to pick up a failed uplink on your > primary switching path as most teaming drivers only look at link state > on the NIC. > > If you are following a "normal" dual attached model where each access > switch (be it a top of rack switch or a blade switch module) is > uplinked to 2 different switches then you get link redundancy but > naturally need STP. If you are running dense virtualisation or vm > server farms then the STP you should be running is MST. > > > Thanks > > David > ... > ------------------------------------------------------------------------ > > > No virus found in this incoming message. > Checked by AVG - www.avg.com > Version: 8.0.237 / Virus Database: 270.10.25/1957 - Release Date: 02/17/09 07:07:00 > > From jcdarby at usgs.gov Wed Feb 18 11:23:08 2009 From: jcdarby at usgs.gov (Justin C. Darby) Date: Wed, 18 Feb 2009 10:23:08 -0600 Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations? In-Reply-To: <499C321A.6@chrisserafin.com> References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com> <4999BCA5.9070003@chrisserafin.com> <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au> <499C321A.6@chrisserafin.com> Message-ID: <499C35EC.3030801@usgs.gov> Hi Chris, I strongly suggest if you want to keep a simple mode of operation you use a feature on these things that configures them independently of the Bladecenter Advanced Management Module. It's hard to find in the docs, but, what you want is "platform chassis-management protected-mode". The AMM has to support it (the switch will tell you if it does not and then you need a firmware upgrade to the AMM), but if it does, you can change the settings the AMM is configuring your switch for involuntarily (which has been an issue for us in the past). 
If you configure using this, these things work just like the catalyst switches you'd expect, without mucking around with the AMM. Good luck (I've got a lot of these things, you'll need it). Justin ChrisSerafin wrote: > What MST config do you suggest and on what if not all of the switches? > > The docs from Cisco go into crazy configurations, and I only need > basic STP functions: 2 core switches with an etherchannel link from > each of them to each blade switch. > > > > > David Hughes wrote: >> >> On 17/02/2009, at 5:21 AM, ChrisSerafin wrote: >> >>> That brings up a good point about STP. If I have 1 etherchannel >>> going from each switch blade to each upstream switch, will the >>> switches detect the loops or do I need to manually configure this? >>> Thanks for your comments! >> >> The blade switches operate as separate switches and can be viewed as >> if they were your normal 29xx or 35xx access switch depending on the >> CIGESM you buy (well, with a couple of caveats about their management >> interfaces). If the switches are connected to your network via a >> single etherchannel then there's no possibility of a loop - other >> than a mis-configured etherchannel. You don't get loops but you >> don't get any redundancy at the network layer. In this setup I >> assume you are using some form of NIC teaming and failover on the >> blades themselves for redundancy. That's not going to pick up a >> failed uplink on your primary switching path as most teaming drivers >> only look at link state on the NIC. >> >> If you are following a "normal" dual attached model where each access >> switch (be it a top of rack switch or a blade switch module) is >> uplinked to 2 different switches then you get link redundancy but >> naturally need STP. If you are running dense virtualisation or vm >> server farms then the STP you should be running is MST. >> >> >> Thanks >> >> David >> ... 
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From p.mayers at imperial.ac.uk Wed Feb 18 11:23:53 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 18 Feb 2009 16:23:53 +0000
Subject: [c-nsp] TestSPRPInbandPing...?
In-Reply-To: <20090218160400.GY290@greenie.muc.de>
References: <20090218160400.GY290@greenie.muc.de>
Message-ID: <499C3619.8050809@imperial.ac.uk>

Gert Doering wrote:
> Hi,
>
> should I be worried...??
>
> Feb 18 16:44:38: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3
> Feb 18 16:45:15: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3
> Feb 18 16:45:51: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3
> Feb 18 16:46:28: %DIAG-SP-3-TEST_FAIL: Module 5: TestSPRPInbandPing{ID=2} has failed. Error code = 0xC3
> Feb 18 16:47:43: %CONST_DIAG-SP-6-HM_TEST_RECOVERED: Module 5 TestSPRPInbandPing recovered after 9 consecutive failure(s)
>
> (this is on a 6506, Sup720-10G, SXH3a code)
>
> Besides the syslog messages, everything seems well-behaved...
>
> gert

Hmm. My rule of thumb has been that a diag "fail" is not definitive, but a "pass" is. SPRPInband is one of the periodic diags (run, IIRC, every 15 seconds) so it's actually passed a lot of times since you've seen the error.

Was anything else going on at the time? Maybe the SP or RP were busy and thus dropped the pings? What does "remote command switch show log | inc Feb 18 16:" show?
However, at least on SXI, 10 consecutive failures is the max permitted, and in some redundancy modes that can trigger a SUP failover!

From chris at chrisserafin.com Wed Feb 18 12:33:23 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Wed, 18 Feb 2009 11:33:23 -0600
Subject: [c-nsp] Cisco 3012 IBM Blade Switch Configurations?
In-Reply-To: <499C35EC.3030801@usgs.gov>
References: <49945ABC.7020706@chrisserafin.com> <74EBF4E148CC4B3EB0C5E1821348B3E9@mcpick.net> <4995A540.5010007@chrisserafin.com> <4999BCA5.9070003@chrisserafin.com> <3DF1BB5A-9A67-43A1-9F2F-0C6D712912DA@hughes.com.au> <499C321A.6@chrisserafin.com> <499C35EC.3030801@usgs.gov>
Message-ID: <499C4663.9000804@chrisserafin.com>

Thanks.....running into a lot of issues with these devices....I have one 2960 upstream with etherchannel trunks to each blade switch. I see connectivity loss between a server on a blade when all 4 etherchannels are up to the other 3 blade switches. When I shut down the other 3 etherchannels to the other blade switches, the connectivity gets restored after a minute.....switching loop? Is the virtual backplane creating loops?

Here are my configs:

2960:

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
 description [ Etherchannel Between 2960 Switches ]
 switchport mode trunk
!
interface Port-channel2
 description [ Etherchannel to BL01 ]
 switchport mode trunk
!
interface Port-channel3
 description { Etherchannel to BL02 ]
 switchport mode trunk
 shutdown
!
interface Port-channel4
 description [ Etherchannel to BL03 ]
 switchport mode trunk
 shutdown
!
interface Port-channel5
 description { Etherchannel to BL04 ]
 switchport mode trunk
 shutdown
!
interface GigabitEthernet0/1
 description [ Etherchannel to 2960-02 ]
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 description [ Etherchannel to 2960-02 ]
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/3
 description [ Etherchannel to BL01 ]
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet0/4
 description [ Etherchannel to BL01 ]
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet0/5
 description [ Etherchannel to BL02 ]
 switchport mode trunk
 shutdown
 channel-group 3 mode on
!
interface GigabitEthernet0/6
 description [ Etherchannel to BL02 ]
 switchport mode trunk
 shutdown
 channel-group 3 mode on
!
interface GigabitEthernet0/7
 description [ Etherchannel to BL03 ]
 switchport mode trunk
 shutdown
 channel-group 4 mode on
!
interface GigabitEthernet0/8
 description [ Etherchannel to BL03 ]
 switchport mode trunk
 shutdown
 channel-group 4 mode on
!
interface GigabitEthernet0/9
 description [ Etherchannel to BL04 ]
 switchport mode trunk
 shutdown
 channel-group 5 mode on
!
interface GigabitEthernet0/10
 description [ Etherchannel to BL04 ]
 switchport mode trunk
 shutdown
 channel-group 5 mode on
!

And each blade is configured like this:

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel2
 description [ Etherchannel to 2960-01 ]
 switchport mode trunk
!
interface FastEthernet0
 ip address 192.168.70.21 255.255.255.0
 no ip route-cache cef
 no ip route-cache
!
interface GigabitEthernet0/15
 description [ Etherchannel to 2960-01 ]
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet0/16
 description [ Etherchannel to 2960-01 ]
 switchport mode trunk
 channel-group 2 mode on
!
interface Vlan1
 ip address 10.90.91.21 255.255.255.0
!
ip default-gateway 10.90.91.1
ip classless
ip route 192.168.70.0 255.255.255.0 FastEthernet0
ip http server
!

Thanks for all your help on these guys!

Justin C. Darby wrote:
> Hi Chris,
>
> I strongly suggest if you want to keep a simple mode of operation you
> use a feature on these things that configures them independently of
> the Bladecenter Advanced Management Module.
From cklam at ias.edu Wed Feb 18 13:37:19 2009
From: cklam at ias.edu (Christina Klam)
Date: Wed, 18 Feb 2009 13:37:19 -0500
Subject: [c-nsp] %HA_EM-6-LOG: Mandatory.go_nondislp.tcl:
Message-ID: <9E9636B2F6649243B154AB4E53BD53000B0A90A3@hecto.itg.ias.edu>

My question is similar to Gert's. A month ago I upgraded to SXH4 (and then to SXI to see if this was a bug in just SXH4), after which I started to see a ton of dropped packets on multiple line cards.
The logs said:

%HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback
Jan 13 21:17:00 172.16.4.158 107: Jan 13 21:16:59.655 EST: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback
Jan 13 21:17:07 172.16.4.158 111: Jan 13 21:17:02.147 EST: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback
Jan 13 21:17:07 172.16.4.158 112: Jan 13 21:17:03.415 EST: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback

The only way to stop the line cards from dropping packets was to disable all diagnostic tests. From that point on however, I have had no error messages in the logs nor any dropped packets.

Cisco TAC claims I have a bent pin in one of my line cards or in the (two month old) 6513 chassis itself.

Has anyone else seen these errors? And if so, how did you address it? As this is a non-redundant, highly important, fully-populated, production switch, I am hoping that in reality this is software related.

Thank you,
Chris

From everton at lab.ipaccess.diveo.net.br Wed Feb 18 13:54:26 2009
From: everton at lab.ipaccess.diveo.net.br (Everton da Silva Marques)
Date: Wed, 18 Feb 2009 15:54:26 -0300
Subject: [c-nsp] Mixing WRR with policing under PFC3BXL + CFC + WS-X6748-GE-TX
Message-ID: <20090218185426.GA13148@diveo.net.br>

Hi,

Can anyone please point to any reference about how WRR interacts with a policer under 7609 + PFC3BXL + CFC + WS-X6748-GE-TX ?

For instance, given the sample configuration below, will the policer drop packets which violate the policer's parameters (thus preventing WRR from taking effect) ?

policy-map LAB_OUT
 class class-default
  police cir 1000000
!
interface GigabitEthernet1/5
 speed 1000
 wrr-queue bandwidth 1 2 7
 service-policy output LAB_OUT
end

If so, is there a way of instructing WRR to serve queues at the policer's CIR (as opposed to the physical link rate) ?
Thanks,
Everton

From avayner at cisco.com Wed Feb 18 16:35:41 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 18 Feb 2009 22:35:41 +0100
Subject: [c-nsp] Mixing WRR with policing under PFC3BXL + CFC +WS-X6748-GE-TX
In-Reply-To: <20090218185426.GA13148@diveo.net.br>
References: <20090218185426.GA13148@diveo.net.br>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D73AAC27@xmb-ams-331.emea.cisco.com>

Everton,

Unfortunately, it would not work like you have described...

The policing is done before the egress queuing, which means that the policer would be dropping traffic for all the classes equally, as it has no way to know which traffic belongs to which queue. This means that your priority traffic would be handled in the same way as the best effort traffic on the policer.

You could have a separate class per traffic class, and use a separate policer per class. Still, this would not have an effect on the egress queuing in the sense of setting the bandwidth budget.

If you need to have a proper hierarchical policy, with a shaper and some child classes, you would need to use a SIP module (or ES20 on 7600)

Arie
From gmartine at ajax.opentransit.net Wed Feb 18 16:17:10 2009
From: gmartine at ajax.opentransit.net (German Martinez)
Date: Wed, 18 Feb 2009 16:17:10 -0500
Subject: [c-nsp] BGP-6-ASPATH error messages
In-Reply-To: <5.1.0.14.2.20080330113036.00b13188@efes.iucc.ac.il>
References: <5.1.0.14.2.20080330113036.00b13188@efes.iucc.ac.il>
Message-ID: <20090218211710.GA15542@ajax.opentransit.net>

On Sun Mar 30, 2008, Hank Nussbacher wrote:

It seems this bug is still open.. perhaps it is not that important :)

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso47162

German

> This will be fixed via:
>
> CSCso47162
> Externally found enhancement (Sev6) bug: New (N)
> BGP-6-ASPATH message should print offending prefix(es)
>
> -Hank
>
>> Is there a reason why when Cisco provides a %BGP-6-ASPATH error message
>> like:
>>
>> %BGP-6-ASPATH: Invalid AS path [chars] received from [int]: [chars]
>> %BGP-6-ASPATH: Long AS path aa bb cc dd received from x.x.x.x: More than
>> configured MAXAS-LIMIT
>>
>> that they can't include the actual prefix causing the error message to
>> appear? As is, the error message is not that helpful without the prefix.
>>
>> Is this something I have to open a TAC request for?
>>
>> Thanks,
>> Hank

From rodunn at cisco.com Wed Feb 18 18:07:30 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 18 Feb 2009 18:07:30 -0500
Subject: [c-nsp] BGP-6-ASPATH error messages
In-Reply-To: <20090218211710.GA15542@ajax.opentransit.net>
References: <5.1.0.14.2.20080330113036.00b13188@efes.iucc.ac.il> <20090218211710.GA15542@ajax.opentransit.net>
Message-ID: <20090218230730.GI3397@rtp-cse-489.cisco.com>

I'll look at it but give me a bit. I'm finalizing the writeup for the real issue.

On Wed, Feb 18, 2009 at 04:17:10PM -0500, German Martinez wrote:
> On Sun Mar 30, 2008, Hank Nussbacher wrote:
>
> It seems this bug is still open.. perhaps it is not that important :)
>
> http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso47162
>
> German
From nrauhauser at gmail.com Wed Feb 18 20:54:42 2009
From: nrauhauser at gmail.com (neal rauhauser)
Date: Wed, 18 Feb 2009 19:54:42 -0600
Subject: [c-nsp] 7507s: which image for production? For IPv6?
Message-ID: <9515c62d0902181754j487a5d49v7ff09fd8fba259a3@mail.gmail.com>

I do believe we'll be seeing new code from Cisco before too long and I'm starting to get ready for that. We've got 12.0S in the field now and I'm bringing one machine up to 12.2.46a to see how it acts.

I've got 256 meg RSP4s, VIP 2-50 that are getting upgraded to VIP4-80 this week, OC3 and DS3 outside and just 100 mbit inside. The RSP4s work for me - no customers in APNIC space so we refuse those routes. The fanciest thing we do is netflow - which image train is most stable?

I'm often unsupervised in the evening hours and I'm going to have a couple of leftover machines with a full complement of the older VIPs once the upgrade is complete. If I'm going to put up IPv6 as a test what's working best these days?

--
mailto:Neal at layer3arts.com // GoogleTalk: nrauhauser at gmail.com IM: nealrauhauser

From atstake at gmail.com Wed Feb 18 21:34:38 2009
From: atstake at gmail.com (Chris)
Date: Thu, 19 Feb 2009 13:34:38 +1100
Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP
Message-ID: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com>

This switch has a temperature sensor but I can't seem to get any temperature related data out of it via snmp(walk).
snmpwalk -c foo -v1 192.168.20.20 works fine and gives me a pile of information and nothing related to temperature.

I also tried snmpwalk -o enterprises.9.9.13.1.3.1.6.1 and 1.3.6.1.4.1.9.9.13.1.3.1 and enterprises.9.9.13.1.3.1.6.1 and I get no information.

Does anyone know how to get temperature information out of this box?

Thanks.

From ltd at cisco.com Wed Feb 18 22:10:26 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Thu, 19 Feb 2009 14:10:26 +1100
Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP
In-Reply-To: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com>
References: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com>
Message-ID: <499CCDA2.7010700@cisco.com>

Chris wrote:
> Does anyone know how to get temperature information out of this box?

if you're referring to ENVMON-MIB, then try something like:

snmpwalk -v2c -cpublic ltd-n7010-1 1.3.6.1.4.1.9.9.91.1.1.1.1.4

cheers,

lincoln.

From atstake at gmail.com Wed Feb 18 22:42:16 2009
From: atstake at gmail.com (Chris)
Date: Thu, 19 Feb 2009 14:42:16 +1100
Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP
In-Reply-To: <499CCDA2.7010700@cisco.com>
References: <8adc88580902181834j2e938bcld5470ea9698eac76@mail.gmail.com> <499CCDA2.7010700@cisco.com>
Message-ID: <8adc88580902181942m251817fblefd6ed53f6c82192@mail.gmail.com>

On Thu, Feb 19, 2009 at 2:10 PM, Lincoln Dale wrote:
> if you're referring to ENVMON-MIB, then try something like:
> snmpwalk -v2c -cpublic ltd-n7010-1 1.3.6.1.4.1.9.9.91.1.1.1.1.4

Thanks. When I try that I get an error:

ltd-n7010-1: Unknown Object Identifier (Sub-id not found: (top) -> ltd-n7010-1)

If I try: snmpwalk -v2c -cpublic 1.3.6.1.4.1.9.9.91.1.1.1.1.4, I get an error:

SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4 = No Such Object available on this agent at this OID

Thanks for any further help.

From graham at g-rock.net Wed Feb 18 23:07:47 2009
From: graham at g-rock.net (Graham Wooden)
Date: Wed, 18 Feb 2009 22:07:47 -0600
Subject: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP
In-Reply-To: <8adc88580902181942m251817fblefd6ed53f6c82192@mail.gmail.com>
Message-ID:

Chris, what Sup and IOS are you running? I am running Sup2s with 12.2(18)SXF15a (ADVENTERPRISEK9_WAN-M) and get results from that base OID. Mind you, I haven't identified any of these yet ...
[graham at snapcase ~]$ snmpwalk -v2c -c publicread nn.nn.nn.nn 1.3.6.1.4.1.9.9.91.1.1.1.1.4
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.12 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.15 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.19 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.20 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.22 = INTEGER: 110
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.26 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.37 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.38 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.41 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.42 = INTEGER: 29
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.45 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.46 = INTEGER: 31
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.49 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.50 = INTEGER: 30
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.53 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.54 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.57 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.58 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1002 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1003 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1004 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1005 = INTEGER: 30
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1006 = INTEGER: 40
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1007 = INTEGER: 30
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1008 = INTEGER: 42
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1012 = INTEGER: 43
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1013 = INTEGER: 43
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1016 = INTEGER: 42
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1017 = INTEGER: 35
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2002 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2003 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2004 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2005 = INTEGER: 29
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2006 = INTEGER: 39
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2007 = INTEGER: 30
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2008 = INTEGER: 40
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2012 = INTEGER: 41
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2013 = INTEGER: 41
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2016 = INTEGER: 40
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2017 = INTEGER: 34
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.3001 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.3002 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.3003 = INTEGER: 37
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.3004 = INTEGER: 32
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4001 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4002 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4003 = INTEGER: 37
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4004 = INTEGER: 34
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4005 = INTEGER: 37
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.4006 = INTEGER: 40
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5001 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5002 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5003 = INTEGER: 40
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5004 = INTEGER: 38
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5005 = INTEGER: 35
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.5006 = INTEGER: 37
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.6001 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.6002 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.6003 = INTEGER: 45
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.6004 = INTEGER: 36

On 2/18/09 9:42 PM, "Chris" wrote:

> On Thu, Feb 1
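The OID Lincoln gives, 1.3.6.1.4.1.9.9.91.1.1.1.1.4, is entSensorValue in CISCO-ENTITY-SENSOR-MIB, and Graham's walk of that one column returns a mix of readings with nothing saying which index is a temperature; the sibling columns entSensorType (.1), entSensorScale (.2) and entSensorPrecision (.3) of the same table are what identify and scale each row. The Python below is an added example, not code from anyone in this thread: it parses constructed snmpwalk output (made-up indexes and readings, in the numeric SNMPv2-SMI form Graham's box prints when no MIB is loaded) for those four columns, keeps only the celsius sensors, and applies scale and precision so a sensor reported with one decimal place reads correctly.

```python
import re
from dataclasses import dataclass

# CISCO-ENTITY-SENSOR-MIB, entSensorValueTable = 1.3.6.1.4.1.9.9.91.1.1.1.1
# Column numbers and enumerations below are the ones defined in that MIB.
COL_TYPE, COL_SCALE, COL_PRECISION, COL_VALUE = 1, 2, 3, 4
CELSIUS = 8  # entSensorType value for a temperature sensor
SENSOR_TYPE = {1: "other", 2: "unknown", 3: "voltsAC", 4: "voltsDC",
               5: "amperes", 6: "watts", 7: "hertz", 8: "celsius",
               9: "percentRH", 10: "rpm", 11: "cmm", 12: "truthvalue",
               13: "specialEnum", 14: "dBm"}

# Matches the numeric form snmpwalk prints when no MIB is loaded, e.g.
#   SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1005 = INTEGER: 30
LINE_RE = re.compile(
    r"SNMPv2-SMI::enterprises\.9\.9\.91\.1\.1\.1\.1\.(?P<col>\d+)\.(?P<idx>\d+)"
    r"\s*=\s*INTEGER:\s*(?P<val>-?\d+)\s*$")

@dataclass
class Sensor:
    index: int        # entPhysicalIndex of the sensor
    type_code: int    # entSensorType
    scale: int        # entSensorScale: units(9); each step is a factor of 1000
    precision: int    # entSensorPrecision: decimal places in the raw value
    raw: int          # entSensorValue as returned by the agent

    @property
    def kind(self) -> str:
        return SENSOR_TYPE.get(self.type_code, f"type{self.type_code}")

    @property
    def value(self) -> float:
        # Reading in base units: raw * 1000^(scale-9) / 10^precision
        return self.raw * 10 ** (3 * (self.scale - 9)) / 10 ** self.precision

def parse_walk(lines):
    """Join per-column rows into Sensor objects; rows missing a column are dropped."""
    rows = {}
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            rows.setdefault(int(m["idx"]), {})[int(m["col"])] = int(m["val"])
    needed = (COL_TYPE, COL_SCALE, COL_PRECISION, COL_VALUE)
    return [Sensor(idx, c[COL_TYPE], c[COL_SCALE], c[COL_PRECISION], c[COL_VALUE])
            for idx, c in sorted(rows.items()) if all(k in c for k in needed)]

def temperatures(lines):
    """Map sensor index -> degrees C for the celsius sensors only."""
    return {s.index: s.value for s in parse_walk(lines) if s.type_code == CELSIUS}

def over_limit(lines, limit_c):
    """Indexes of temperature sensors reading at or above limit_c."""
    return sorted(i for i, t in temperatures(lines).items() if t >= limit_c)

# Constructed sample (made-up indexes and readings): columns 1-4 for a
# millivolt sensor and three celsius sensors, plus a value-only row (9999).
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.1.42 = INTEGER: 4
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.1.1005 = INTEGER: 8
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.1.1006 = INTEGER: 8
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.1.2005 = INTEGER: 8
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.2.42 = INTEGER: 8
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.2.1005 = INTEGER: 9
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.2.1006 = INTEGER: 9
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.2.2005 = INTEGER: 9
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.3.42 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.3.1005 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.3.1006 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.3.2005 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.42 = INTEGER: 3300
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1005 = INTEGER: 30
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.1006 = INTEGER: 40
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.2005 = INTEGER: 295
SNMPv2-SMI::enterprises.9.9.91.1.1.1.1.4.9999 = INTEGER: 7
""".splitlines()

if __name__ == "__main__":
    for s in parse_walk(SAMPLE_WALK):
        print(f"{s.index:>5} {s.kind:<11} {s.value:g}")
    print("temperature sensors:", temperatures(SAMPLE_WALK))
    print("at or above 35 C:", over_limit(SAMPLE_WALK, 35))
```

On a real box, feed it the output of four walks (columns .1 through .4 under 1.3.6.1.4.1.9.9.91.1.1.1.1) concatenated; a walk of column .4 alone, as in the thread, yields no rows because the type is unknown.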