From networking.stuff at googlemail.com Fri Jan 2 08:02:46 2009
From: networking.stuff at googlemail.com (Chintan Shah)
Date: Fri, 2 Jan 2009 18:32:46 +0530
Subject: [c-nsp] Etherchannel port across SUP and line card
Message-ID: <1e7e04890901020502u4d1a5bd6sa72f7db058e8778b@mail.gmail.com>

Hello guys,

I initially had Gi5/1 (SUP720 1Gig port) as part of an etherchannel between 6500s. Later I added Gi7/3 (6724 line card) to the etherchannel, but Gi7/3 is not taking part in the etherchannel and gives the below error in show log:

Jan 2 11:35:30.087 UTC: %EC-SP-5-CANNOT_BUNDLE2: Gi7/3 is not compatible with Gi5/1 and will be suspended (qos-card types of Gi7/3 do not match Gi5/1)?

To resolve the issue, I configured "no mls qos channel-consistency" under the port-channel interface and Gi7/3 became part of the etherchannel.

I don't have QoS configured on either Gi5/1 or Gi7/3; however, I have mls qos enabled globally, and the uplink port of the line card in slot 7 has a service policy. But I don't see the logic behind the above error. Also, the workaround I used may work today, but if I want to have mls qos on the 6500 etherchannel at some point, will that cause any issue?

From A.L.M.Buxey at lboro.ac.uk Fri Jan 2 08:51:18 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 2 Jan 2009 13:51:18 +0000
Subject: [c-nsp] Etherchannel port across SUP and line card
In-Reply-To: <1e7e04890901020502u4d1a5bd6sa72f7db058e8778b@mail.gmail.com>
References: <1e7e04890901020502u4d1a5bd6sa72f7db058e8778b@mail.gmail.com>
Message-ID: <20090102135118.GA24898@lboro.ac.uk>

Hi,

You are trying to run an etherchannel across 2 different cards - they have different capabilities - the etherchannel needs to be constructed using similar interfaces - which you've now done by turning the QoS stuff off.
Using the same blade would 'fix' things (but remove resiliency); buying a card with the same featureset (QoS wise) would also aid things.

alan

From petelists at templin.org Fri Jan 2 09:55:27 2009
From: petelists at templin.org (Pete Templin)
Date: Fri, 02 Jan 2009 08:55:27 -0600
Subject: [c-nsp] Etherchannel port across SUP and line card
In-Reply-To: <1e7e04890901020502u4d1a5bd6sa72f7db058e8778b@mail.gmail.com>
References: <1e7e04890901020502u4d1a5bd6sa72f7db058e8778b@mail.gmail.com>
Message-ID: <495E2ADF.9060904@templin.org>

Chintan Shah wrote:
> Jan 2 11:35:30.087 UTC: %EC-SP-5-CANNOT_BUNDLE2: Gi7/3 is not compatible
> with Gi5/1 and will be suspended (qos-card types of Gi7/3 do not match
> Gi5/1)?
>
> I don't have QoS configured on either Gi5/1 or Gi7/3; however, I have mls qos
> enabled globally and the uplink port of the line card in slot 7 has a service
> policy. But I don't see the logic behind the above error. Also, the workaround
> I used may work today, but if I want to have mls qos on the 6500 etherchannel,
> will that cause any issue?

The error isn't saying that you have mismatched QoS _configurations_, merely that you're using ports with mismatched QoS _capabilities_. Combining GEC with QoS will require that your EtherChannels are on ports of similar (possibly identical) QoS capabilities.

pt

From Jeff.Wojciechowski at midlandpaper.com Fri Jan 2 12:36:34 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Fri, 2 Jan 2009 11:36:34 -0600
Subject: [c-nsp] Determine SFP type through CLI
Message-ID: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com>

Hello All:

Is there an easy way to determine the model of an SFP installed on a 3560 through the CLI?

Ideally I want to match what I have installed in another 3560 that's in production. I want to add a gigabit Ethernet (copper) trunk port to another 3560, so should I be using the GLC-T, GLC-T= or something else?
Thank you,

Jeff Wojciechowski

------------------------------------------------------------------------------------------------------------------------------------------------------------
This electronic mail (including any attachments) may contain information that is privileged, confidential, or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic mail or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please delete the original message in its entirety (including any attachments) and notify us immediately by reply email so that we may correct our internal records. Midland Paper Company accepts no responsibility for any loss or damage from use of this electronic mail, including any damage resulting from a computer virus.

From markom at markom.info Fri Jan 2 13:17:03 2009
From: markom at markom.info (Marko Milivojevic)
Date: Fri, 2 Jan 2009 18:17:03 +0000
Subject: [c-nsp] Determine SFP type through CLI
In-Reply-To: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com>
References: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com>
Message-ID:

On Fri, Jan 2, 2009 at 17:36, Jeff Wojciechowski wrote:
> Is there an easy way to determine the model of an SFP installed on a 3560 through the CLI?
>
> Ideally I want to match what I have installed in another 3560 that's in production.
> I want to add a gigabit Ethernet (copper) trunk port to another 3560 so should I
> be using the GLC-T, GLC-T= or something else?

Have you tried "show inventory"? Is that the information that you are looking for?
--
Marko
CCIE #18427 (SP) // + DE wannabe
My network blog: http://cisco.markom.info/

From MatlockK at exempla.org Fri Jan 2 13:16:44 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Fri, 2 Jan 2009 11:16:44 -0700
Subject: [c-nsp] Determine SFP type through CLI
References: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C70489E7F2@LMC-MAIL2.exempla.org>

2 ways I see to get it on the 3560 I have here (12.2(37)SE1 code):

"show int transceiver properties"

or

"show int status"

Either one gives me the SFP type I have in there.

Ken

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From Jeff.Wojciechowski at midlandpaper.com Fri Jan 2 13:20:05 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Fri, 2 Jan 2009 12:20:05 -0600
Subject: [c-nsp] Determine SFP type through CLI
In-Reply-To:
References: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com>
Message-ID: <7C8983063EE93A4495960C5CD1EE039C1932D393@XBOX.midlandpaper.com>

Sort of...

NAME: "GigabitEthernet2/0/3", DESCR: "10/100/1000BaseTX SFP"
PID: , VID: , SN: xxxxxxxxxxxxxx

Doesn't show the exact model number (GLC-T, GLC-T=, etc). Is there a difference between the 2?

Thanks,

-Jeff

From sidney.boumendil at gmail.com Fri Jan 2 13:22:26 2009
From: sidney.boumendil at gmail.com (Sidney Boumendil)
Date: Fri, 2 Jan 2009 19:22:26 +0100
Subject: [c-nsp] Determine SFP type through CLI
In-Reply-To: <7C8983063EE93A4495960C5CD1EE039C1932D393@XBOX.midlandpaper.com>
References: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com> <7C8983063EE93A4495960C5CD1EE039C1932D393@XBOX.midlandpaper.com>
Message-ID: <41522e900901021022n6b660e51i12665ea8e53caf2a@mail.gmail.com>

No difference. = means spare parts.

Sidney

From mksmith at adhost.com Fri Jan 2 13:22:37 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Fri, 2 Jan 2009 10:22:37 -0800
Subject: [c-nsp] IPv6 HSRP Support in 12.0S?
Message-ID: <17838240D9A5544AAA5FF95F8D520316054781F6@ad-exh01.adhost.lan>

Hello:

Does anyone know if IPv6 HSRP support will ever be written into the 12.0S code, specifically for GSR's?

Regards,

Mike
--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

From markom at markom.info Fri Jan 2 13:22:49 2009
From: markom at markom.info (Marko Milivojevic)
Date: Fri, 2 Jan 2009 18:22:49 +0000
Subject: [c-nsp] Determine SFP type through CLI
In-Reply-To: <7C8983063EE93A4495960C5CD1EE039C1932D393@XBOX.midlandpaper.com>
References: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com> <7C8983063EE93A4495960C5CD1EE039C1932D393@XBOX.midlandpaper.com>
Message-ID:

On Fri, Jan 2, 2009 at 18:20, Jeff Wojciechowski wrote:
> Sort of...
>
> NAME: "GigabitEthernet2/0/3", DESCR: "10/100/1000BaseTX SFP"
> PID: , VID: , SN: xxxxxxxxxxxxxx
>
> Doesn't show the exact model number (GLC-T, GLC-T=, etc) Is there a difference between the 2?

Not really... "=" at the end of Cisco part numbers usually identifies a "spare part". It has something to do with ordering, sales and prices, and absolutely nothing to do with technology :-).
--
Marko
CCIE #18427 (SP) // + DE wannabe
My network blog: http://cisco.markom.info/

From Jeff.Wojciechowski at midlandpaper.com Fri Jan 2 13:22:32 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Fri, 2 Jan 2009 12:22:32 -0600
Subject: [c-nsp] Determine SFP type through CLI
In-Reply-To: <41522e900901021022n6b660e51i12665ea8e53caf2a@mail.gmail.com>
References: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com> <7C8983063EE93A4495960C5CD1EE039C1932D393@XBOX.midlandpaper.com> <41522e900901021022n6b660e51i12665ea8e53caf2a@mail.gmail.com>
Message-ID: <7C8983063EE93A4495960C5CD1EE039C1932D397@XBOX.midlandpaper.com>

Perfect....thanks everyone.

-Jeff

From gkg at gmx.de Fri Jan 2 13:26:20 2009
From: gkg at gmx.de (Garry)
Date: Fri, 02 Jan 2009 19:26:20 +0100
Subject: [c-nsp] Determine SFP type through CLI
In-Reply-To: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com>
References: <7C8983063EE93A4495960C5CD1EE039C1932D37B@XBOX.midlandpaper.com>
Message-ID: <495E5C4C.5070506@gmx.de>

Jeff Wojciechowski wrote:
> Hello All:
>
> Is there an easy way to determine the model of an SFP installed on a 3560 through the CLI?
>
> Ideally I want to match what I have installed in another 3560 that's in production. I want to add a gigabit Ethernet (copper) trunk port to another 3560 so should I be using the GLC-T, GLC-T= or something else?
>

"show int" will give some limited information:

switch#show int g0/25
GigabitEthernet0/25 is up, line protocol is up (connected)
[..]
  Full-duplex, 1000Mb/s, link type is force-up, media type is 1000BaseSX SFP

or:

GigabitEthernet0/28 is up, line protocol is up (connected)
[..]
  Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseLX SFP

If the transceiver implements the features, you can add the "transceiver" option to the above command to get additional monitoring information ...

-garry

From r.engehausen at gmail.com Sat Jan 3 01:28:37 2009
From: r.engehausen at gmail.com (Roy)
Date: Fri, 02 Jan 2009 22:28:37 -0800
Subject: [c-nsp] 2851 and nat
Message-ID: <495F0595.9030100@gmail.com>

I have a 2851 that I am trying to configure for incoming NAT (from the Internet to the inside). I copied the configs from another router (not a 2851) that is working fine. The only difference is that the inside interface is now on a VLAN.
An extract of the config is below. Any ideas welcome.

---------------
interface GigabitEthernet0/0
 description Internet
 ip address 66.zz.zz.zz 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 172.21.xx.xx 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
ip nat inside source static tcp 172.21.xx.xx 22 62.zz.zz.zz 3673 extendable
ip nat inside source static tcp 172.21.yy.yy 22 62.zz.zz.zz 3674 extendable

From furry13 at gmail.com Sat Jan 3 08:22:09 2009
From: furry13 at gmail.com (Jen Linkova)
Date: Sun, 4 Jan 2009 00:22:09 +1100
Subject: [c-nsp] IPv6 HSRP Support in 12.0S?
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316054781F6@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316054781F6@ad-exh01.adhost.lan>
Message-ID: <6b86f99d0901030522n704211b2nb25e64016a1c484b@mail.gmail.com>

On Sat, Jan 3, 2009 at 5:22 AM, Michael K. Smith - Adhost wrote:
> Does anyone know if IPv6 HSRP support will ever be written into the 12.0S code, specifically for GSR's?

AFAIK, IPv6 has some built-in alternatives for HSRP. In most cases you could use anycast or Neighbor Discovery (Router Advertisement, to be precise).

--
SY, Jen Linkova aka Furry

From trejrco at gmail.com Sat Jan 3 10:11:49 2009
From: trejrco at gmail.com (trejrco at gmail.com)
Date: Sat, 3 Jan 2009 15:11:49 +0000
Subject: [c-nsp] IPv6 HSRP Support in 12.0S?
In-Reply-To: <6b86f99d0901030522n704211b2nb25e64016a1c484b@mail.gmail.com>
References: <17838240D9A5544AAA5FF95F8D520316054781F6@ad-exh01.adhost.lan> <6b86f99d0901030522n704211b2nb25e64016a1c484b@mail.gmail.com>
Message-ID: <1947145410-1230995518-cardhu_decombobulator_blackberry.rim.net-1570157600-@bxe307.bisx.prod.on.blackberry>

Some don't like the lack of granularity in the NUD-based pseudo-FHRP ...
It doesn't just get you FHR, but forces routers to send more RAs, etc.

Having said that, yes it works!

/TJ

Sent from my Verizon Wireless BlackBerry

From nrauhauser at gmail.com Sat Jan 3 17:56:26 2009
From: nrauhauser at gmail.com (neal rauhauser)
Date: Sat, 3 Jan 2009 17:56:26 -0500
Subject: [c-nsp] 1k customers down, radius auth on ubr7223
Message-ID: <9515c62d0901031456j2751f99dj9d17b679208ac2cb@mail.gmail.com>

I've just stepped into a real mess - cable modem provider who lost their techs ten days ago ... and on Thursday their entire FreeRadius setup just mysteriously vanished ... on two different boxes(!)

Can someone quickly tip me as to how to let cable modems work without requiring radius auth? The hardware is ubr7223 ...
--
mailto:Neal at layer3arts.com // GoogleTalk: nrauhauser at gmail.com IM: nealrauhauser

From gkg at gmx.de Sun Jan 4 04:44:13 2009
From: gkg at gmx.de (Garry)
Date: Sun, 04 Jan 2009 10:44:13 +0100
Subject: [c-nsp] 1k customers down, radius auth on ubr7223
In-Reply-To: <9515c62d0901031456j2751f99dj9d17b679208ac2cb@mail.gmail.com>
References: <9515c62d0901031456j2751f99dj9d17b679208ac2cb@mail.gmail.com>
Message-ID: <496084ED.1030304@gmx.de>

neal rauhauser wrote:
> I've just stepped into a real mess - cable modem provider who lost their
> techs ten days ago ... and on Thursday their entire FreeRadius setup just
> mysteriously vanished ... on two different boxes(!)

Quite a coincidence ... did it take the backups out, too?

> Can someone quickly tip me as to how to let cable modems work without
> requiring radius auth? The hardware is ubr7223 ...

Can't you just set up a "permit all" rule on RADIUS to permit anything that tries to authenticate? Untested, but something in the likes of:

# catch-all "users" file entry: accept any request, hand back a framed PPP session
DEFAULT Auth-Type := Accept
        Service-Type = Framed-User,
        Framed-Protocol = PPP

or whatever that box needs to set up a working connection ... I assume it is handing out IPs on its own?

-garry

From justin at justinshore.com Sun Jan 4 13:51:56 2009
From: justin at justinshore.com (Justin Shore)
Date: Sun, 04 Jan 2009 12:51:56 -0600
Subject: [c-nsp] 1k customers down, radius auth on ubr7223
In-Reply-To: <496084ED.1030304@gmx.de>
References: <9515c62d0901031456j2751f99dj9d17b679208ac2cb@mail.gmail.com> <496084ED.1030304@gmx.de>
Message-ID: <4961054C.9000405@justinshore.com>

Garry wrote:
> Quite a coincidence ... did it take the backups out, too?

I would second this and investigate further. At the very least I would take steps to secure the data on the servers in question in case it comes up down the road. Also make absolutely sure that access to the servers and ubr is restricted to just a couple of management IPs, just in case a disgruntled former tech still has remote access to it.
I would be very specific with the ACLs and specify a couple of previously unused IPs, in case they still have VPN access or some other remote access to what would normally be considered the management network. You can poke holes in the filter later once the customers are back up.

>> Can someone quickly tip me as to how to let cable modems work without
>> requiring radius auth? The hardware is ubr7223 ...

Is this CMTS set up for Telco Return? I can't think of any other reason why you'd need RADIUS. I can't think of any Telco Return systems in production. I wouldn't call it a normal design, not anymore anyway.

http://www.ciscosystems.com/en/US/docs/cable/cmts/feature/guide/ufg_telc.html

Our CATV environment requires no AUTH from the user. Only registered CMs (i.e., logged in our provisioning system) can pull down an IP. Only CPEs on registered CMs can pull down an IP at that point. I don't know how you configure your CMs and ubr for this though. We use Arris CMTSs.

Best of luck
Justin

From helmwork at ruraltel.net Sun Jan 4 15:11:26 2009
From: helmwork at ruraltel.net (Eric Helm)
Date: Sun, 04 Jan 2009 14:11:26 -0600
Subject: [c-nsp] 1k customers down, radius auth on ubr7223
In-Reply-To: <9515c62d0901031456j2751f99dj9d17b679208ac2cb@mail.gmail.com>
References: <9515c62d0901031456j2751f99dj9d17b679208ac2cb@mail.gmail.com>
Message-ID: <496117EE.2060609@ruraltel.net>

neal rauhauser wrote:
> I've just stepped into a real mess - cable modem provider who lost their
> techs ten days ago ... and on Thursday their entire FreeRadius setup just
> mysteriously vanished ... on two different boxes(!)
>
> Can someone quickly tip me as to how to let cable modems work without
> requiring radius auth? The hardware is ubr7223 ...
>

Not sure what the RADIUS is for in a CMTS environment, but this may help out to get you back up quick and dirty:

http://www.cisco.com/en/US/tech/tk86/tk804/technologies_configuration_example09186a0080134b34.shtml

/Eric

From Kris.Amy at EIP.net.au Sun Jan 4 18:31:01 2009
From: Kris.Amy at EIP.net.au (Kris Amy)
Date: Mon, 5 Jan 2009 09:31:01 +1000
Subject: [c-nsp] Tunnel from a Cisco behind NAT
Message-ID:

Hey Folks,

Hoping someone here has a solution to this problem. I have a Cisco device that is behind a NAT router already and I am wishing to make a tunnel to another router which is live. I thought of PPTP, but it would seem that Cisco does not support client-initiated PPTP.

Any other ideas?

--
Kind Regards,
Kris Amy

From brett at looney.id.au Sun Jan 4 19:12:32 2009
From: brett at looney.id.au (Brett Looney)
Date: Mon, 5 Jan 2009 09:12:32 +0900
Subject: [c-nsp] Tunnel from a Cisco behind NAT
In-Reply-To:
References:
Message-ID: <000301c96eca$539d32b0$fad79810$@id.au>

> I have a Cisco device that is behind a NAT router already and I am
> wishing to make a tunnel to another router which is live.

I have done this with IPSEC. If the NAT is not static (i.e. you can't initiate a session to the router behind the NAT) then you can only bring up the tunnel from that router, but it does work...

The only caveat is that some NAT devices don't NAT IPSEC correctly, but I haven't found any like that for a few years now. Plus, you can enable NAT-T and that helps in most cases.

B.

From netsecuredata at gmail.com Sun Jan 4 19:23:11 2009
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Sun, 4 Jan 2009 19:23:11 -0500
Subject: [c-nsp] Tunnel from a Cisco behind NAT
In-Reply-To: <000301c96eca$539d32b0$fad79810$@id.au>
References: <000301c96eca$539d32b0$fad79810$@id.au>
Message-ID:

You could forward the PPTP protocol to the Cisco router. What kind of Cisco router do you have? What is the IOS version?
On Sun, Jan 4, 2009 at 7:12 PM, Brett Looney wrote: > > I have a Cisco device that is behind a NAT router already and I am > > wishing to make a tunnel to another router which is live. > > I have done this with IPSEC. If the NAT is not static (i.e. you can't > initiate a session to the router behind the NAT) then you can only bring up > the tunnel from that router but it does work... > > The only caveat is that some NAT devices don't NAT IPSEC correctly but I > haven't found any like that for a few years now. Plus, you can enable NAT-T > and that helps in most cases. > > B. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- "The network is the computer" From Kris.Amy at EIP.net.au Sun Jan 4 22:37:52 2009 From: Kris.Amy at EIP.net.au (Kris Amy) Date: Mon, 5 Jan 2009 13:37:52 +1000 Subject: [c-nsp] Tunnel from a Cisco behind NAT Message-ID: Hi Folks, I got this working with DMVPN. -- Kind Regards, Kris Amy Enterprise IP Phone: ???07 3123 5510 National: 1300 347 287 Fax: ?????07 3018 0282 Direct: ??07 3123 5511 Email: ???kris.amy at eip.net.au -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jorge Evangelista Sent: Monday, 5 January 2009 10:23 AM To: cisco_nsp Subject: Re: [c-nsp] Tunnel from a Cisco behind NAT You could forward PPTP protocol to router Cisco. What kind of router Cisco do you have? What is IOS version? On Sun, Jan 4, 2009 at 7:12 PM, Brett Looney wrote: > > I have a Cisco device that is behind a NAT router already and I am > > wishing to make a tunnel to another router which is live. > > I have done this with IPSEC. If the NAT is not static (i.e. you can't > initiate a session to the router behind the NAT) then you can only bring up > the tunnel from that router but it does work... 
> > The only caveat is that some NAT devices don't NAT IPSEC correctly but I > haven't found any like that for a few years now. Plus, you can enable NAT-T > and that helps in most cases. > > B. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- "The network is the computer" _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cj11st at gmail.com Mon Jan 5 00:01:20 2009 From: cj11st at gmail.com (Robert Kern) Date: Mon, 5 Jan 2009 06:01:20 +0100 Subject: [c-nsp] PIM SSM MDT doesn't come up Message-ID: Hi all, We would like to set up mVPN in VRF DataRetention with PIM-SSM in the core and in VPN's. HW setup is following: receiver----PE1(7k6)-----P1(CRS-1)-----PE2(7k6)----sender \------P2(CRS-1)----/ PIM-SM is enabled on all physical interfaces and Lo on PE routers, which are also used for MP-BGP peering. Core is BGP-free. PIM-SSM range 239/8 was also done in default and VPN instances. Static IGMPV2 --- IGMPV3 mapping was done in VRF. 
What I am getting are the following mroutes:

C7609_PE1#sh ip mroute
(10.x.x.7, 239.1.1.1), 4d23h/00:02:32, flags: sPT
  Incoming interface: Loopback0, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list: Null

(10.x.x.9, 239.1.1.1), 4d23h/stopped, flags: sTIZ
  *Incoming interface: Null, RPF nbr 0.0.0.0*
  Outgoing interface list:
    MVRF DataRetention, Forward/Sparse, 4d23h/00:01:27

(*, 224.0.1.40), 4d23h/00:02:10, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback0, Forward/Sparse, 4d23h/00:02:10

RP/0/RP0/CPU0:CRS1_P1#sh mrib ipv4 route
(*,224.0.0.0/24) Flags: D
(*,224.0.1.39) Flags: S
(*,224.0.1.40) Flags: S
  Outgoing Interface List
    TenGigE0/0/5/0 Flags: II LI
*(*,239.0.0.0/8) Flags: D*

RP/0/RP0/CPU0:CRS1_P2#sh mrib ipv4 route
(*,224.0.0.0/24) Flags: D
(*,224.0.1.39) Flags: S
(*,224.0.1.40) Flags: S
  Outgoing Interface List
    TenGigE0/0/5/0 Flags: II LI
*(*,239.0.0.0/8) Flags: D*

C7609_PE2#sh ip mroute
(10.x.x.9, 239.1.1.1), 5d23h/00:02:34, flags: sPT
  Incoming interface: Loopback0, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list: Null

(10.x.x.7, 239.1.1.1), 5d23h/stopped, flags: sTIZ
  *Incoming interface: Null, RPF nbr 0.0.0.0*
  Outgoing interface list:
    MVRF DataRetention, Forward/Sparse, 5d23h/00:00:12

(*, 224.0.1.40), 6d20h/00:02:30, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback0, Forward/Sparse, 6d20h/00:02:30

What could be the reason that MDT group 239.1.1.1 is not established over the core (PIM-SM on all physical interfaces, PIM-SSM range 239/8)?

Thanks,
Robert

From ariemer at wesenergy.com.au Mon Jan 5 01:45:52 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Mon, 5 Jan 2009 15:45:52 +0900
Subject: [c-nsp] Policing Confusion
Message-ID: <0867622C64B50C4B878AB45C95F43F110663071C@MAILWA01.wesenergy.local>

Hi guys,

I am hoping you can help me out with some confusion I am having with policing. I am testing policing at a remote site with a 512kb WAN connection.
What I am trying to achieve is to police virus updates from our server so that this traffic can only obtain 128Kbps of the remote site's bandwidth. I am policing in the outbound direction of the serial WAN interface at the remote site. My question is: how does this affect traffic coming 'in' to the WAN interface from the outside? i.e. will this configuration only police traffic going outbound rather than inbound? It seems the policing isn't working as the virus updates are still choking the link.

class-map match-all virus-traffic
 match access-group 181
class-map match-any mission-critical
 match access-group 180
!
policy-map mission-critical
 class mission-critical
  bandwidth 256
 class virus-traffic
  police cir 128000 conform-action transmit exceed-action drop violate-action drop
 class class-default
  fair-queue
  random-detect
!
interface Serial0/0
 ip address x.x.x.x/x
 service-policy output mission-critical

I hope this makes sense.

Thanks in advance.

Aaron.

From brad.henshaw at qcn.com.au Mon Jan 5 07:53:05 2009
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Mon, 5 Jan 2009 22:53:05 +1000
Subject: [c-nsp] Policing Confusion
Message-ID: <8B25B862BC09784B9B74FB950D4F64D406CC6D@qcnapp01.corp.qcn>

Aaron Riemer wrote:

> ...I am trying to achieve is to police virus updates
> from our server so that this traffic can only obtain
> 128Kbps of the remote site's bandwidth.
Attaching this as an outbound policy-map at the remote site will only affect traffic outbound from that site. You'll need to either use an outbound policy at your central site where the server is, or use an inbound policy at the remote site. (I have no idea whether input policy-maps are supported on serial interfaces on your platform.)

If using an outbound policy-map at the central site, use a shape statement - it's friendlier on TCP flows.

What model of router are you using and with which IOS version?

Regards,
Brad

From david.freedman at uk.clara.net Mon Jan 5 09:38:17 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 05 Jan 2009 14:38:17 +0000
Subject: [c-nsp] IPv6 HSRP Support in 12.0S?
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316054781F6@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316054781F6@ad-exh01.adhost.lan>
Message-ID:

Even when you get it, it is only implemented for link-local addresses, so you have to use RA or static routes :(

Dave.

Michael K. Smith - Adhost wrote:
> Hello:
>
> Does anyone know if IPv6 HSRP support will ever be written into the 12.0S code, specifically for GSR's?
>
> Regards,
>
> Mike
>
> --
> Michael K. Smith - CISSP, GISP
> Chief Technical Officer - Adhost Internet LLC
> mksmith at adhost.com
> w: +1 (206) 404-9500 f: +1 (206) 404-9050
> PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

From gert at greenie.muc.de Mon Jan 5 09:58:32 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 5 Jan 2009 15:58:32 +0100
Subject: [c-nsp] IPv6 HSRP Support in 12.0S?
In-Reply-To:
References: <17838240D9A5544AAA5FF95F8D520316054781F6@ad-exh01.adhost.lan>
Message-ID: <20090105145832.GT8535@greenie.muc.de>

Hi,

On Mon, Jan 05, 2009 at 02:38:17PM +0000, David Freedman wrote:
> Even when you get it, it is only implemented for link-local addresses
> so you have to use RA or static routes :(

Unfortunate, indeed. Do you know whether there is work in progress to get it fixed/improved to handle "global" router IP addresses?

While it might not follow the IETF's vision of "how things should be", we prefer to configure our servers' default route towards well-known router addresses (::1), and have them ignore RAs...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From marco at linuxgoeroe.dhs.org Mon Jan 5 09:21:52 2009
From: marco at linuxgoeroe.dhs.org (marco at linuxgoeroe.dhs.org)
Date: Mon, 5 Jan 2009 15:21:52 +0100 (CET)
Subject: [c-nsp] Policing Confusion
In-Reply-To: <8B25B862BC09784B9B74FB950D4F64D406CC6D@qcnapp01.corp.qcn>
References: <8B25B862BC09784B9B74FB950D4F64D406CC6D@qcnapp01.corp.qcn>
Message-ID: <24151.212.142.33.197.1231165312.squirrel@www.vive-id.nl>

> Aaron Riemer wrote:
>
>> ...I am trying to achieve is to police virus updates
>> from our server so that this traffic can only obtain
>> 128Kbps of the remote site's bandwidth.
>
> Attaching this as an outbound policy-map at the remote site will only
> affect traffic outbound from that site. You'll need to either use an
> outbound policy at your central site where the server is, or use an
> inbound policy at the remote site.

I think that an inbound policy at the remote end won't help. The policing/shaping can only act when the packets have already been transmitted across the link, eating up the bandwidth in the process. What happens to them afterwards won't affect that (short of messing with TCP windows by selectively delaying/dropping ACKs and higher-order stuff like that, which simple policing won't address).

Regards,
Marco.

From linux.yahoo at gmail.com Mon Jan 5 11:17:40 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Mon, 5 Jan 2009 17:17:40 +0100
Subject: [c-nsp] Cisco 3G Router - IPSec configuration of central site when remote site is dynamic DHCP/3G
Message-ID: <7100ed370901050817o451f222fwd6989bd315733bd1@mail.gmail.com>

Hello,

I need a central and remote Cisco IOS configuration example when using a router with a 3G module on a remote site. The IP address of the remote site is dynamic: DHCP/3G.

How do I configure the central site IPSec peer when the remote site IP address is dynamic due to DHCP/3G?

Central and remote site are Cisco routers.

Thanks & Best Regards,
Manu

From sethm at rollernet.us Mon Jan 5 11:29:51 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 05 Jan 2009 08:29:51 -0800
Subject: [c-nsp] Cisco 3G Router - IPSec configuration of central site when remote site is dynamic DHCP/3G
In-Reply-To: <7100ed370901050817o451f222fwd6989bd315733bd1@mail.gmail.com>
References: <7100ed370901050817o451f222fwd6989bd315733bd1@mail.gmail.com>
Message-ID: <4962357F.1060609@rollernet.us>

Manu Chao wrote:
> Hello,
>
> I need a central and remote Cisco IOS configuration example when using a
> router with a 3G module on a remote site.
> The IP address of the remote site is dynamic: DHCP/3G.
>
> How do I configure the central site IPSec peer when the remote site
> IP address is dynamic due to DHCP/3G?
>
> Central and remote site are Cisco routers.
>

I use DMVPN.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml

~Seth

From cisco at peakpeak.com Mon Jan 5 10:38:02 2009
From: cisco at peakpeak.com (Networkers)
Date: Mon, 05 Jan 2009 08:38:02 -0700
Subject: [c-nsp] Cisco Software Client -> Router VPN issue.
In-Reply-To:
Message-ID:

I'm trying to solve a problem with setting up the remote VPN access using the Cisco VPN software client. I have gotten it to the point where a user can remotely tunnel to the router from their Doze PC, log in, receive an IP in the 10.x.x.x network, and ping something on the 192.168.100.x network. However, they can't surf to the outside internet over that tunneled connection. I've taken a look at some sample configs on the Cisco site but they all seem to be similar to this. My thinking is that the dial pool doesn't get NATed properly, but I'm unsure on what to do to the config to fix this. Normal 192.168.100.x Ethernet-connected PCs in the home office can surf and do everything just fine.

Can someone offer a tidbit?

Thanks!

Chris

aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
username somebody password 0 my_password
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SomeVPN
 key my_key
 pool ourpool
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto ipsec transform-set trans2 esp-des esp-sha-hmac
crypto ipsec transform-set trans3 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans3
!
crypto map intmap client authentication list userauthen
crypto map intmap isakmp authorization list groupauthor
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description Office LAN
 ip address 192.168.100.100 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface Serial0/0
 ip address my_ip 255.255.255.252
 ip nat outside
 crypto map intmap
!
ip local pool ourpool 10.0.0.1 10.0.0.254
ip default-gateway upstream_ip
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended NATRules
 deny ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
!
route-map nonat permit 11
 match ip address NATRules
!
end

From MatlockK at exempla.org Mon Jan 5 11:48:15 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Mon, 5 Jan 2009 09:48:15 -0700
Subject: [c-nsp] Cisco Software Client -> Router VPN issue.
In-Reply-To:
References:
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D303A@LMC-MAIL2.exempla.org>

Looking at this, I'm making 2 assumptions. 1) The client is connecting on the S0/0 interface to establish the VPN connection and 2) You're not using split-tunneling.

If both of those are the case, then this is a classic PIX/ASA 'problem'. You're trying to 'hairpin' the traffic. A PIX/ASA won't allow you to have a packet come in on an interface, and go back out the same interface.

In order to allow this, you need to allow split tunneling, and have the end-user only tunnel traffic to your internal network, and use its own normal internet connection for the rest. Or, figure out a way for the tunnel to terminate on S0/0, and have it somehow send its internet traffic out the F0/0 interface.
For the split tunneling, personally I don't like allowing it, due to the fact that if an end-user has a Trojan on their machine, they have access to both your internal network and the public internet at the same time, allowing a malicious person to be able to access your internal network interactively. At least disabling split tunneling provides an additional layer of protection.

(my $0.02)

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

From p.mayers at imperial.ac.uk Mon Jan 5 11:53:32 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 05 Jan 2009 16:53:32 +0000
Subject: [c-nsp] IPv6 HSRP Support in 12.0S?
In-Reply-To: <20090105145832.GT8535@greenie.muc.de>
References: <17838240D9A5544AAA5FF95F8D520316054781F6@ad-exh01.adhost.lan> <20090105145832.GT8535@greenie.muc.de>
Message-ID: <49623B0C.2080506@imperial.ac.uk>

Gert Doering wrote:
> Hi,
>
> On Mon, Jan 05, 2009 at 02:38:17PM +0000, David Freedman wrote:
>> Even when you get it, it is only implemented for link-local addresses
>> so you have to use RA or static routes :(
>
> Unfortunate, indeed. Do you know whether there is work in progress to
> get it fixed/improved to handle "global" router IP addresses?
>
> While it might not follow the IETF's vision of "how things should be",
> we prefer to configure our servers' default route towards well-known
> router addresses (::1), and have them ignore RAs...

There is a significant difference of opinion in the IETF about the value and future of RA in IPv6, as I found out recently when I tried to figure out how IPv6 DHCP was supposed to work (answer: the spec is broken).

This thread (if you have an afternoon free) and surrounding threads are worth reading:

http://marc.info/?l=ipng&m=122391355810549&w=2

As far as I could tell:

 * IPv6 and the RA mechanism were spec'ed back when DHCPv4 was not widely used, and IPX autoconfig was the model they were aiming for
 * Virtually no work has been done in the field since then, so the hard-learnt lessons of the last decade in IPv4 are simply not there in IPv6
 * There are a lot of architecture astronauts in the IETF (IPSec for ND - whose idea was that?)
 * The stateful-address/stateful-other bits in the RA are junk.

The posts by David Hankins of the ISC agree with my personal position, including this one:

http://marc.info/?l=ipng&m=122406652232186&w=2

From linux.yahoo at gmail.com Mon Jan 5 12:02:23 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Mon, 5 Jan 2009 18:02:23 +0100
Subject: [c-nsp] Cisco 3G Router - IPSec configuration of central site when remote site is dynamic DHCP/3G
In-Reply-To: <4962357F.1060609@rollernet.us>
References: <7100ed370901050817o451f222fwd6989bd315733bd1@mail.gmail.com> <4962357F.1060609@rollernet.us>
Message-ID: <7100ed370901050902s575fca46k4ba5e645ee9d3688@mail.gmail.com>

Great, thank you all, I will try it.

What about using the "crypto isakmp identity hostname" command? The remote site can be identified by a hostname or FQDN instead of an IP address; is that less secure?

On Mon, Jan 5, 2009 at 5:29 PM, Seth Mattinen wrote:
> I use DMVPN.
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
>
> ~Seth

From luan at netcraftsmen.net Mon Jan 5 12:09:17 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Mon, 5 Jan 2009 12:09:17 -0500
Subject: [c-nsp] Cisco Software Client -> Router VPN issue.
In-Reply-To:
References:
Message-ID: <012a01c96f58$5785c700$06915500$@net>

Create ACL 101:

permit 10.0.0.0 0.0.0.255 any

Then under the "crypto isakmp client configuration group SomeVPN" add "ACL 101".

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] luan at netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

From luan at netcraftsmen.net Mon Jan 5 12:35:58 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Mon, 5 Jan 2009 12:35:58 -0500
Subject: [c-nsp] Cisco Software Client -> Router VPN issue.
In-Reply-To: <012a01c96f58$5785c700$06915500$@net>
References: <012a01c96f58$5785c700$06915500$@net>
Message-ID: <013801c96f5c$11fd3110$35f79330$@net>

Uhm, that's split-tunneling. If you want to use the internet at the router site then follow this guide:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] luan at netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

From tim at pelican.org Mon Jan 5 11:48:37 2009
From: tim at pelican.org (Tim Franklin)
Date: Mon, 5 Jan 2009 16:48:37 -0000 (GMT)
Subject: [c-nsp] Cisco Software Client -> Router VPN issue.
In-Reply-To: References: Message-ID: <1054f982bddc1d1e2793569778ad88c4.squirrel@webmail.pelican.org> On Mon, January 5, 2009 3:38 pm, Networkers wrote: > I?ve taken a look at > some sample configs on the Cisco site but they all seem to be similar to > this. My thinking is that the dial pool doesn?t get NATed properly, but > I?m unsure on what to do to the config to fix this. Normal 192.168.100.x > Ethernet-connected PCs in the home office can surf and do everything just > fine. > > Can someone offer a tidbit? You're correct in that it's the NAT - traffic from the VPN clients isn't going from an 'inside' interface to an 'outside' one, so it won't be NAT'd. Is there any reason they can't just use whatever Internet access they're already using to get the VPN connection, ie split tunnelling? Regards, Tim. From chloekcy2000 at yahoo.ca Mon Jan 5 14:28:56 2009 From: chloekcy2000 at yahoo.ca (chloe K) Date: Mon, 5 Jan 2009 14:28:56 -0500 (EST) Subject: [c-nsp] ASA tftp question Message-ID: <981856.24779.qm@web57411.mail.re1.yahoo.com> Hi I have a problem to backup the running config to tftp How it works? Thank you firewall# copy running-config tftp Usage: copy capture: tftp:/// [pcap] copy http[s]://[:@][:]/ flash[:[image | pdm]] copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]] firewall# copy running-config tftp://192.168.0.10 Usage: copy capture: tftp:/// [pcap] copy http[s]://[:@][:]/ flash[:[image | pdm]] copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]] firewall# --------------------------------- Now with a new friend-happy design! Try the new Yahoo! 
Canada Messenger From sethm at rollernet.us Mon Jan 5 14:34:33 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 05 Jan 2009 11:34:33 -0800 Subject: [c-nsp] ASA tftp question In-Reply-To: <981856.24779.qm@web57411.mail.re1.yahoo.com> References: <981856.24779.qm@web57411.mail.re1.yahoo.com> Message-ID: <496260C9.4060900@rollernet.us> chloe K wrote: > Hi > > I have a problem to backup the running config to tftp > > How it works? Thank you > > firewall# copy running-config tftp > Usage: copy capture: tftp:/// [pcap] > copy http[s]://[:@][:]/ > flash[:[image | pdm]] > copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]] > > firewall# copy running-config tftp://192.168.0.10 > Usage: copy capture: tftp:/// [pcap] > copy http[s]://[:@][:]/ > flash[:[image | pdm]] > copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]] > firewall# > > copy run tftp://location/pathname I hate to be a dick, but really... it says right there. These lowball questions without bothering to research first is rather shocking. ~Seth From netsecuredata at gmail.com Mon Jan 5 15:07:11 2009 From: netsecuredata at gmail.com (Jorge Evangelista) Date: Mon, 5 Jan 2009 15:07:11 -0500 Subject: [c-nsp] Cisco Software Client -> Router VPN issue. In-Reply-To: <1054f982bddc1d1e2793569778ad88c4.squirrel@webmail.pelican.org> References: <1054f982bddc1d1e2793569778ad88c4.squirrel@webmail.pelican.org> Message-ID: I suggest that you configure a proxy server for Internet Traffic, you can use it as cache or accelerator, only if you want user surf to the outside internet over that tunneled connection. By this way, you can control what kind information is allowed when they connect to corporate network. On Mon, Jan 5, 2009 at 11:48 AM, Tim Franklin wrote: > On Mon, January 5, 2009 3:38 pm, Networkers wrote: > > > I?ve taken a look at > > some sample configs on the Cisco site but they all seem to be similar to > > this. 
My thinking is that the dial pool doesn?t get NATed properly, but > > I?m unsure on what to do to the config to fix this. Normal 192.168.100.x > > Ethernet-connected PCs in the home office can surf and do everything just > > fine. > > > > Can someone offer a tidbit? > > You're correct in that it's the NAT - traffic from the VPN clients isn't > going from an 'inside' interface to an 'outside' one, so it won't be > NAT'd. > > Is there any reason they can't just use whatever Internet access they're > already using to get the VPN connection, ie split tunnelling? > > Regards, > Tim. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- "The network is the computer" From frnkblk at iname.com Mon Jan 5 15:12:50 2009 From: frnkblk at iname.com (Frank Bulk) Date: Mon, 5 Jan 2009 14:12:50 -0600 Subject: [c-nsp] Cisco Software Client -> Router VPN issue. In-Reply-To: References: <1054f982bddc1d1e2793569778ad88c4.squirrel@webmail.pelican.org> Message-ID: We have our PPTP connections terminated to a server inside our network to avoid the PIX hair-pinning restriction. Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jorge Evangelista Sent: Monday, January 05, 2009 2:07 PM To: cisco_nsp Subject: Re: [c-nsp] Cisco Software Client -> Router VPN issue. I suggest that you configure a proxy server for Internet Traffic, you can use it as cache or accelerator, only if you want user surf to the outside internet over that tunneled connection. By this way, you can control what kind information is allowed when they connect to corporate network. 
From knight at ktamerica.com Mon Jan 5 15:21:45 2009
From: knight at ktamerica.com (David Kim)
Date: Mon, 5 Jan 2009 12:21:45 -0800
Subject: [c-nsp] Re: ASA tftp question
In-Reply-To: <496260C9.4060900@rollernet.us>
References: <981856.24779.qm@web57411.mail.re1.yahoo.com> <496260C9.4060900@rollernet.us>
Message-ID: <00e401c96f73$3bdd4990$b397dcb0$@com>

Are you sure you are running a tftp server agent on 192.168.0.10?
From mksmith at adhost.com Mon Jan 5 16:33:01 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 5 Jan 2009 13:33:01 -0800
Subject: [c-nsp] Re: ASA tftp question
In-Reply-To: <00e401c96f73$3bdd4990$b397dcb0$@com>
References: <981856.24779.qm@web57411.mail.re1.yahoo.com> <496260C9.4060900@rollernet.us> <00e401c96f73$3bdd4990$b397dcb0$@com>
Message-ID: <17838240D9A5544AAA5FF95F8D52031605478396@ad-exh01.adhost.lan>

The appropriate line would look like:

copy running-config tftp://192.168.0.10/

So, if you want it to be firewall-config:

copy running-config tftp://192.168.0.10/firewall-config

If you have a sub-directory on your tftp server like "firewalls" it would be:

copy running-config tftp://192.168.0.10/firewalls/firewall-config

ceteris paribus of course.
From ariemer at wesenergy.com.au Mon Jan 5 18:48:35 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Tue, 6 Jan 2009 08:48:35 +0900
Subject: [c-nsp] Policing Confusion
In-Reply-To: <24151.212.142.33.197.1231165312.squirrel@www.vive-id.nl>
References: <8B25B862BC09784B9B74FB950D4F64D406CC6D@qcnapp01.corp.qcn> <24151.212.142.33.197.1231165312.squirrel@www.vive-id.nl>
Message-ID: <0867622C64B50C4B878AB45C95F43F110663080B@MAILWA01.wesenergy.local>

Thanks for all the comments guys, you have clarified this for me. It is a bit disappointing to know that you can't really manipulate the types of traffic inbound, only outbound. I understand why though.

Thanks,

Aaron.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of marco at linuxgoeroe.dhs.org
Sent: Monday, 5 January 2009 11:22 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Policing Confusion

> Aaron Riemer wrote:
>
>> ...I am trying to achieve is to police virus updates
>> from our server so that this traffic can only obtain
>> 128Kbps of the remote site's bandwidth.
>
> Attaching this as an outbound policy-map at the remote site will only
> affect traffic outbound from that site. You'll need to either use an
> outbound policy at your central site where the server is, or use an
> inbound policy at the remote site.

I think that an inbound policy at the remote end won't help. The policing/shaping can only act when the packets have already been transmitted across the link, eating up the bandwidth in the process. What happens to them afterwards won't affect that (short of messing with TCP windows by selectively delaying/dropping ACKs and higher-order stuff like that, which simple policing won't address).

Regards,
Marco.
From brett at looney.id.au Mon Jan 5 19:04:59 2009
From: brett at looney.id.au (Brett Looney)
Date: Tue, 6 Jan 2009 09:04:59 +0900
Subject: [c-nsp] Policing Confusion
In-Reply-To: <0867622C64B50C4B878AB45C95F43F110663080B@MAILWA01.wesenergy.local>
References: <8B25B862BC09784B9B74FB950D4F64D406CC6D@qcnapp01.corp.qcn> <24151.212.142.33.197.1231165312.squirrel@www.vive-id.nl> <0867622C64B50C4B878AB45C95F43F110663080B@MAILWA01.wesenergy.local>
Message-ID: <021701c96f92$6c3f0eb0$44bd2c10$@id.au>

> It is a bit disappointing to know that you can't really manipulate
> the types of traffic inbound, only outbound. I understand why though.

I've used inbound policing and shaping on heavily congested links with some success - it has the effect of applying back-pressure to the incoming streams - delaying ACKs and dropping packets; therefore slowing down subsequent traffic. It isn't perfect but it does work to a degree - it just isn't as good as outbound.

B.
From cchurc05 at harris.com Mon Jan 5 19:28:25 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 5 Jan 2009 18:28:25 -0600
Subject: [c-nsp] Policing Confusion
In-Reply-To: <021701c96f92$6c3f0eb0$44bd2c10$@id.au>
References: <8B25B862BC09784B9B74FB950D4F64D406CC6D@qcnapp01.corp.qcn> <24151.212.142.33.197.1231165312.squirrel@www.vive-id.nl> <0867622C64B50C4B878AB45C95F43F110663080B@MAILWA01.wesenergy.local> <021701c96f92$6c3f0eb0$44bd2c10$@id.au>
Message-ID:

Agree. We've used this inbound as well on our links to our peers for P2P traffic. Works pretty well, as long as it's TCP and you're shaping it.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brett Looney
Sent: Monday, January 05, 2009 7:05 PM
To: 'cisco_nsp'
Subject: Re: [c-nsp] Policing Confusion

I've used inbound policing and shaping on heavily congested links with some success - it has the effect of applying back-pressure to the incoming streams - delaying ACKs and dropping packets; therefore slowing down subsequent traffic. It isn't perfect but it does work to a degree - it just isn't as good as outbound.

B.
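The two placements discussed in this thread side by side, as an added example (constructed here, not any poster's configuration): Marco's outbound policer at the central site, where the virus-update server sits, and the inbound fallback at the remote site that Brett and Chuck describe. The server address 192.0.2.10, the 128 kbit/s rate from Aaron's question and the Serial0/0 interface names are placeholders.

```cisco
! Added example (constructed, not from the thread). Placeholders:
! virus-update server 192.0.2.10, WAN interface Serial0/0 on each router.
ip access-list extended VIRUS-UPDATE-SERVER
 permit ip host 192.0.2.10 any
!
class-map match-all VIRUS-UPDATES
 match access-group name VIRUS-UPDATE-SERVER
!
! Placement that saves link bandwidth (central-site router): police the
! server's traffic OUTBOUND toward the remote site, so excess packets are
! dropped before they cross the slow link.
policy-map WAN-OUT-TO-REMOTE
 class VIRUS-UPDATES
  police cir 128000
   conform-action transmit
   exceed-action drop
!
interface Serial0/0
 description central-site WAN link toward the remote site
 service-policy output WAN-OUT-TO-REMOTE
!
! Fallback placement (remote-site router): the same policer INBOUND. The
! packets have already consumed link bandwidth when they are dropped, so
! this only works indirectly, through TCP back-pressure from the drops;
! it does not slow down a UDP sender at all.
policy-map WAN-IN-FROM-CENTRAL
 class VIRUS-UPDATES
  police cir 128000
   conform-action transmit
   exceed-action drop
!
interface Serial0/0
 description remote-site WAN link toward the central site
 service-policy input WAN-IN-FROM-CENTRAL
!
! Conform/exceed counters for either policer:
!   show policy-map interface Serial0/0
```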
From achatz at forthnet.gr Mon Jan 5 20:24:26 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 06 Jan 2009 03:24:26 +0200
Subject: [c-nsp] Policing Confusion
In-Reply-To:
References: <8B25B862BC09784B9B74FB950D4F64D406CC6D@qcnapp01.corp.qcn> <24151.212.142.33.197.1231165312.squirrel@www.vive-id.nl> <0867622C64B50C4B878AB45C95F43F110663080B@MAILWA01.wesenergy.local> <021701c96f92$6c3f0eb0$44bd2c10$@id.au>
Message-ID: <4962B2CA.6050203@forthnet.gr>

I have also used -hierarchical- ingress policing (because egress policing/shaping wasn't supported) and it works quite well. I just have to be more restrictive on the policing rates.

--
Tassos

Church, Charles wrote on 06/01/2009 02:28:
> Agree. We've used this inbound as well on our links to our peers for
> P2P traffic. Works pretty well, as long as it's TCP and you're shaping
> it.
From shariq.qam at gmail.com Tue Jan 6 01:33:06 2009
From: shariq.qam at gmail.com (shariq qamar)
Date: Tue, 6 Jan 2009 12:03:06 +0530
Subject: [c-nsp] PIX CPU THRESHOLD SYSLOG
Message-ID: <171b010e0901052233v3dfea414l4ad6b60fd64a207f@mail.gmail.com>

Dear All,

I want to get messages sent to the syslog server when the PIX CPU reaches a threshold. This way I am alerted of heavy usage on the PIX. I am using a PIX 535 with software version 6.3.

It's actually like CPU threshold notification to my syslog server.

Thanks in advance

--
Regards,
Shariq Qamar,
Mob-9871748456

From shariq.qam at gmail.com Tue Jan 6 02:27:10 2009
From: shariq.qam at gmail.com (shariq qamar)
Date: Tue, 6 Jan 2009 12:57:10 +0530
Subject: [c-nsp] PIX CPU THRESHOLD SYSLOG
In-Reply-To: <7FEDD455961B164D8C4EEA60E229142079327EBE71@EXCHANGE1.intranet.iseek.com.au>
References: <171b010e0901052233v3dfea414l4ad6b60fd64a207f@mail.gmail.com> <7FEDD455961B164D8C4EEA60E229142079327EBE71@EXCHANGE1.intranet.iseek.com.au>
Message-ID: <171b010e0901052327x7374cf7alefa1b138fc37d2ef@mail.gmail.com>

Hi Matt,

Thanks for the immediate response. We have a syslog server on which we are using Kiwi daemon as a syslog client; my requirement is to configure my PIX firewall in such a way that it starts sending messages to syslog, especially those messages when my firewall CPU utilization crosses a particular threshold defined by me. It actually helps me to immediately know about my firewall utilization in case of crossing the threshold.
A few points I understand: I need reachability from the firewall to the syslog server, and the firewall also needs to be configured for SNMP traps so that it permits and sends SNMP requests.

Kindly suggest.

On 1/6/09, Matt Carter wrote:
>
> hi shariq,
>
> ever thought about firing up cacti with threshold notification?
> (then you get some historical data as well and a visual representation in
> addition to your alerting requirement)
>
> kind regards,
>
> --matt

--
Regards,
Shariq Qamar,
Mob-9871748456

From abalashov at evaristesys.com Tue Jan 6 02:30:49 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 06 Jan 2009 02:30:49 -0500
Subject: [c-nsp] PIX CPU THRESHOLD SYSLOG
In-Reply-To: <171b010e0901052233v3dfea414l4ad6b60fd64a207f@mail.gmail.com>
References: <171b010e0901052233v3dfea414l4ad6b60fd64a207f@mail.gmail.com>
Message-ID: <496308A9.1020501@evaristesys.com>

A network management/monitoring system would be appropriate for that.

Also, it seems a little Philistine to put your name byline (From:) in lower case while obnoxiously capitalising your subject line.
-- 
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From lists at daniels.id.au Tue Jan 6 04:09:22 2009
From: lists at daniels.id.au (Aaron Daniels - Lists)
Date: Tue, 6 Jan 2009 19:09:22 +1000
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <9e246b4d0812231012r4910467dp472a53048b63355a@mail.gmail.com>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com> <01d401c960e8$6bc17710$43446530$@id.au> <00d101c961a8$a6858ce0$f390a6a0$@id.au> <9e246b4d0812231012r4910467dp472a53048b63355a@mail.gmail.com>
Message-ID: <001201c96fde$7a598600$6f0c9200$@id.au>

Hi Tim,

> I have heard several people say an iBGP version is messy. What is the
> difference? (I'm not opposed to the eBGP config, just like to know
> what both look like.)

From memory... We tried route reflectors for the PE-CE iBGP edge. Need to use a route-map to set next-hop-self and there was something else that was quirky but I can't remember currently. Also, the TAC advised that PE-CE iBGP was not a supported configuration.

Thanks,

Aaron

From cj11st at gmail.com Tue Jan 6 04:17:47 2009
From: cj11st at gmail.com (Robert Kern)
Date: Tue, 6 Jan 2009 10:17:47 +0100
Subject: [c-nsp] PIM SSM MDT doesn't come up
In-Reply-To: <458B3EC21E4A3044998E917199AACB2FE12AF4@GNBEX02.gnb.ca>
References: <458B3EC21E4A3044998E917199AACB2FE12AF4@GNBEX02.gnb.ca>
Message-ID:

Hi Munroe,

thanks very much for sharing your experiences. In our case we have a BGP-free core, but what I forgot to mention is that we also use MPLS TE, which caused us problems with establishing the core MDT group (239.1.1.1) for a particular VPN.
After disabling the interference of MPLS TE with multicast traffic, the core MDT came up just fine. The customer is checking whether the data flow is correct now.

The command to stop MPLS TE interfering with multicast is (under router ospf xxx):

mpls traffic-eng multicast-intact

Thanks again,

Robert

On Mon, Jan 5, 2009 at 9:59 PM, Munroe, James (DSS/MAS) wrote:
> Hi Robert,
>
> I was down this road a few months ago. We use Cisco 7600's (RSP720-3C's
> and SUP720-3Bs) as PE's in a large MPLS Metro ring environment. From
> Day 1 we've used PIM SSM in the Global RT on each PE which has worked
> flawlessly. However, leveraging PIM SSM for the VRF data planes is
> something I've had little to no success with. I had tried the TAC call
> approach which basically ended in me going back to PIM SM for the VRF
> data planes...which works well for us.
>
> A couple of things to check are to make sure you have the following in
> place:
> 1. Each PE/RR configured with the BGP MDT address family using the new
> SAFI format. I found on the 7k6 platform that using the legacy mVPN
> SAFI in the vpnv4 address family was causing incomplete tunnel creation.
>
> router bgp XXXXXX
>  address-family vpnv4
>   neighbor Core-RR send-community both
>   neighbor 172.16.129.34 activate
>   neighbor 172.16.129.35 activate
>  exit-address-family
>  !
>  address-family ipv4 mdt
>   neighbor Core-RR send-community extended
>   neighbor 172.16.129.34 activate
>   neighbor 172.16.129.35 activate
>  exit-address-family
>
> ** vpnv4 and mdt address fams should match especially if you've tweaked
> the timers.
>
> 2. Verify that the GRE tunnels have been created for each mVPN (sh ip
> pim mdt / sh ip pim mdt bgp) make sure the mdt defaults match and are
> common per vrf per PE and unique per vrf.
>
> 3. PIM SSM is activated for each VRF (ip pim vrf XXXX ssm range XXXX)
>
> I've attached a couple of good Cisco docs for troubleshooting mVPNs.
>
> Hope this helps...
>
> Jim
>
>
> -----Original Message-----
> From: Robert Kern [mailto:cj11st at gmail.com]
> Sent: Monday, January 05, 2009 1:01 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIM SSM MDT doesn't come up
>
> Hi all,
>
> We would like to set up mVPN in VRF DataRetention with PIM-SSM in the
> core and in VPN's.
>
> HW setup is the following:
>
> receiver----PE1(7k6)-----P1(CRS-1)-----PE2(7k6)----sender
>                      \------P2(CRS-1)----/
>
> PIM-SM is enabled on all physical interfaces and Lo on PE routers, which
> are also used for MP-BGP peering. Core is BGP-free. PIM-SSM range 239/8
> was also done in default and VPN instances. Static IGMPv2 --- IGMPv3
> mapping was done in VRF.
> What I am getting are the following mroutes:
>
> C7609_PE1#sh ip mroute
>
> (10.x.x.7, 239.1.1.1), 4d23h/00:02:32, flags: sPT
>   Incoming interface: Loopback0, RPF nbr 0.0.0.0, RPF-MFD
>   Outgoing interface list: Null
>
> (10.x.x.9, 239.1.1.1), 4d23h/stopped, flags: sTIZ
>   *Incoming interface: Null, RPF nbr 0.0.0.0*
>   Outgoing interface list:
>     MVRF DataRetention, Forward/Sparse, 4d23h/00:01:27
>
> (*, 224.0.1.40), 4d23h/00:02:10, RP 0.0.0.0, flags: DCL
>   Incoming interface: Null, RPF nbr 0.0.0.0
>   Outgoing interface list:
>     Loopback0, Forward/Sparse, 4d23h/00:02:10
>
>
> RP/0/RP0/CPU0:CRS1_P1#sh mrib ipv4 route
>
> (*,224.0.0.0/24) Flags: D
>
> (*,224.0.1.39) Flags: S
>
> (*,224.0.1.40) Flags: S
>   Outgoing Interface List
>     TenGigE0/0/5/0 Flags: II LI
>
> *(*,239.0.0.0/8) Flags: D*
>
>
> RP/0/RP0/CPU0:CRS1_P2#sh mrib ipv4 route
>
> (*,224.0.0.0/24) Flags: D
>
> (*,224.0.1.39) Flags: S
>
> (*,224.0.1.40) Flags: S
>   Outgoing Interface List
>     TenGigE0/0/5/0 Flags: II LI
>
> *(*,239.0.0.0/8) Flags: D*
>
>
> C7609_PE2#sh ip mroute
> (10.x.x.9, 239.1.1.1), 5d23h/00:02:34, flags: sPT
>   Incoming interface: Loopback0, RPF nbr 0.0.0.0, RPF-MFD
>   Outgoing interface list: Null
>
> (10.x.x.7, 239.1.1.1), 5d23h/stopped, flags: sTIZ
>   *Incoming interface: Null, RPF nbr 0.0.0.0*
>   Outgoing interface list:
>     MVRF DataRetention, Forward/Sparse, 5d23h/00:00:12
>
> (*, 224.0.1.40), 6d20h/00:02:30, RP 0.0.0.0, flags: DCL
>   Incoming interface: Null, RPF nbr 0.0.0.0
>   Outgoing interface list:
>     Loopback0, Forward/Sparse, 6d20h/00:02:30
>
> What could be the reason that MDT group 239.1.1.1 is not established
> over the core (PIM-SM on all physical interfaces, PIM-SSM range 239/8)?
>
> Thanks,
>
> Robert
>

From shariq.qam at gmail.com Tue Jan 6 04:33:09 2009
From: shariq.qam at gmail.com (shariq qamar)
Date: Tue, 6 Jan 2009 15:03:09 +0530
Subject: [c-nsp] pix cpu threshold syslog
Message-ID: <171b010e0901060133g3752e9bct4fce1139666aacf1@mail.gmail.com>

Hi guys,

still didn't get the correct answer; as I mentioned, I already have an NMS as well as syslog with me. I need to configure my firewall in such a way that it generates SNMP traps with respect to a CPU utilization threshold.

The same I am doing with all of my MPLS as well as Internet routers, approx 1000 devices, which are working fine.

same config ....done on routers

sample config on routers:

rmon event 1 log trap xyz123 description " CPU on Router has exceeded threshold " owner airteldata
rmon event 2 log trap xyz123 description " CPU on Router has normalized " owner airteldata
rmon alarm 1 lsystem.57.0 300 absolute rising-threshold 50 1 falling-threshold 30 2 owner airteldata

Regards,
Shariq Qamar,
Mob-9871748456
www.airtelworld.in

From abalashov at evaristesys.com Tue Jan 6 04:46:46 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 06 Jan 2009 04:46:46 -0500
Subject: [c-nsp] pix cpu threshold syslog
In-Reply-To: <171b010e0901060133g3752e9bct4fce1139666aacf1@mail.gmail.com>
References: <171b010e0901060133g3752e9bct4fce1139666aacf1@mail.gmail.com>
Message-ID: <49632886.6030603@evaristesys.com>

This list is not a source of magical, instant "correct answers," whatever that means. Please spare the grievance.

Why is the NMS monitoring CPU load not enough?
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/monitor.html

-- 
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From rocker.rockerfeller at gmail.com Tue Jan 6 07:36:36 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Tue, 6 Jan 2009 15:36:36 +0300
Subject: [c-nsp] SPLIT ETHERNET
Message-ID: <2299bfcb0901060436y452b72e2j608f707eb2f7be0b@mail.gmail.com>

Hi,

I am looking to understand the term split ethernet and how it works. Anybody having an idea on what it refers to and how it can be implemented?

So far the documentation I have seen is: "It presents a single IP address on multiple Ethernet Interfaces. The split Ethernet function supports the usage of several Ethernet interfaces in different general processor boards"

This is the best I can get and would appreciate anybody with a pointer in the right direction.
I am fairly new in this Cisco field and would appreciate assistance.

Rock.

From adriankok2000 at yahoo.com.hk Tue Jan 6 08:33:18 2009
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Tue, 6 Jan 2009 21:33:18 +0800 (CST)
Subject: [c-nsp] tab is not working!
Message-ID: <403628.33961.qm@web33307.mail.mud.yahoo.com>

Hello

I am using putty to connect to the PIX.

The tab is not working when I use different commands

eg: sh run then tab. It can't be "sh running-config"

But in my Cisco router, I can type "sh run and then tab"
It will be "sh running-config"

Thank you

From doon.bulk at inoc.net Tue Jan 6 08:42:44 2009
From: doon.bulk at inoc.net (Patrick Muldoon)
Date: Tue, 6 Jan 2009 08:42:44 -0500
Subject: [c-nsp] tab is not working!
In-Reply-To: <403628.33961.qm@web33307.mail.mud.yahoo.com>
References: <403628.33961.qm@web33307.mail.mud.yahoo.com>
Message-ID: <00205D03-5113-4B03-8122-D0A0BE48D60E@inoc.net>

On Jan 6, 2009, at 8:33 AM, adrian kok wrote:
> I am using putty to connect to the PIX.
>
> The tab is not working when I use different commands

Tab-complete didn't work on a PIX until version 7.0 of the software IIRC.

-Patrick

-- 
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

"Life's disappointments are harder to take when you don't know any swear words." --Calvin & Hobbes

From Chris.Kilian at aolbb.co.uk Tue Jan 6 08:38:59 2009
From: Chris.Kilian at aolbb.co.uk (Chris Kilian)
Date: Tue, 6 Jan 2009 13:38:59 +0000
Subject: [c-nsp] tab is not working!
In-Reply-To: <403628.33961.qm@web33307.mail.mud.yahoo.com>
References: <403628.33961.qm@web33307.mail.mud.yahoo.com>
Message-ID: <589977100D803D4E8EA5A17F9C7641AF997051EE8B@SGBS201V1.CPWBB.LOCAL>

I don't believe the tab option works on any PIX firewalls, not sure about the ASA however.

Regards

Chris Kilian
Tier 2 Network Engineer
AOL Broadband
80 Hammersmith Road, London, UK, W14 8UD
Tel: +44 207 348 4762
Mobile: +44 07515031780
AIM: chriskilianck
From Chris.Kilian at aolbb.co.uk Tue Jan 6 08:39:41 2009
From: Chris.Kilian at aolbb.co.uk (Chris Kilian)
Date: Tue, 6 Jan 2009 13:39:41 +0000
Subject: [c-nsp] SPLIT ETHERNET
In-Reply-To: <2299bfcb0901060436y452b72e2j608f707eb2f7be0b@mail.gmail.com>
References: <2299bfcb0901060436y452b72e2j608f707eb2f7be0b@mail.gmail.com>
Message-ID: <589977100D803D4E8EA5A17F9C7641AF997051EE8D@SGBS201V1.CPWBB.LOCAL>

Are you not referring to something like port-channels here?

Regards

Chris Kilian
Tier 2 Network Engineer
AOL Broadband
80 Hammersmith Road, London, UK, W14 8UD
Tel: +44 207 348 4762
Mobile: +44 07515031780
AIM: chriskilianck
From drew.weaver at thenap.com Tue Jan 6 11:37:41 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 6 Jan 2009 11:37:41 -0500
Subject: [c-nsp] After memory exhaustion on a line card, any way to get routing protocols to return to life?
Message-ID:

Howdy,

After memory exhaustion on a line card is there any way to get routing protocols such as OSPF to work again on interfaces on that LC?

I had OSPF running on a connection between a router and a switch in the lab, and then a BGP "error" with an interface on the same LC caused it to run out of memory.

Now, no matter what I do (even though the memory exhaustion issue is gone) I cannot get OSPF to re-establish between the two devices.

I've tried reloading the card, clearing the ports, etc etc.

Any thoughts?

Thanks,
-Drew

From jared at puck.nether.net Tue Jan 6 11:47:24 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 6 Jan 2009 11:47:24 -0500
Subject: [c-nsp] After memory exhaustion on a line card, any way to get routing protocols to return to life?
In-Reply-To:
References:
Message-ID: <59C33763-C2B1-4EF2-AAB6-502D40B5C930@puck.nether.net>

Is it an input queue wedge? Eg 76/75? If so you can increase the queue size some more. If that is the case I would open a TAC case and ping PSIRT.

Jared Mauch

On Jan 6, 2009, at 11:37 AM, Drew Weaver wrote:
> Howdy,
>
> After memory exhaustion on a line card is there any way to get
> routing protocols such as OSPF to work again on interfaces on that LC?
> > I had OSPF running on a connection between a router and a switch in > the lab, and then a BGP "error" with an interface on the same LC > caused it to run out of memory. > > Now, no matter what I do (even though the memory exhaustion issue is > gone) I cannot get OSPF to re-establish between the two devices. > > I've tried reloading the card, clearing the ports, etc etc. > > Any thoughts? > > Thanks, > -Drew > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From cordmacleod at gmail.com Tue Jan 6 12:24:43 2009 From: cordmacleod at gmail.com (Cord MacLeod) Date: Tue, 6 Jan 2009 09:24:43 -0800 Subject: [c-nsp] temporary static routes Message-ID: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> I'm looking to inject static routes for a particular period of time into a router then have them expire after a given amount of time. For instance ip route xxx.xxx.xxx.xxx 255.255.255.255 Null0, and have this line removed after 24 hours. Would IOS have a way to do this, or am I looking at having to script this? I'm running 12.2(25)SEB4, RELEASE SOFTWARE (fc1). From geoff at pendery.net Tue Jan 6 12:33:07 2009 From: geoff at pendery.net (Geoffrey Pendery) Date: Tue, 6 Jan 2009 11:33:07 -0600 Subject: [c-nsp] temporary static routes In-Reply-To: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> Message-ID: Embedded Event Manager will let you trigger commands based on lots of events, with timer being one of them. You could have it fire off a "no ip route" command after a certain number of hours. Check it out: http://cisco.com/go/eem -Geoff On Tue, Jan 6, 2009 at 11:24 AM, Cord MacLeod wrote: > I'm looking to inject static routes for a particular period of time into a > router then have them expire after a given amount of time. 
> > For instance ip route xxx.xxx.xxx.xxx 255.255.255.255 Null0, and have this > line removed after 24 hours. Would IOS have a way to do this, or am I > looking at having to script this? > > I'm running 12.2(25)SEB4, RELEASE SOFTWARE (fc1). > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From vijay.ramcharan at verizonbusiness.com Tue Jan 6 12:46:04 2009 From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A) Date: Tue, 06 Jan 2009 17:46:04 +0000 Subject: [c-nsp] temporary static routes In-Reply-To: References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> Message-ID: I would second EEM for this but your IOS version probably doesn't support it according to Feature Navigator. Vijay Ramcharan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geoffrey Pendery Sent: January 06, 2009 12:33 To: Cord MacLeod Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] temporary static routes Embedded Event Manager will let you trigger commands based on lots of events, with timer being one of them. You could have it fire off a "no ip route" command after a certain number of hours. Check it out: http://cisco.com/go/eem -Geoff On Tue, Jan 6, 2009 at 11:24 AM, Cord MacLeod wrote: > I'm looking to inject static routes for a particular period of time into a > router then have them expire after a given amount of time. > > For instance ip route xxx.xxx.xxx.xxx 255.255.255.255 Null0, and have this > line removed after 24 hours. Would IOS have a way to do this, or am I > looking at having to script this? > > I'm running 12.2(25)SEB4, RELEASE SOFTWARE (fc1). 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cchurc05 at harris.com Tue Jan 6 13:10:46 2009 From: cchurc05 at harris.com (Church, Charles) Date: Tue, 6 Jan 2009 12:10:46 -0600 Subject: [c-nsp] temporary static routes In-Reply-To: References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> Message-ID: Policy route with a time-based ACL maybe? Just a thought... Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ramcharan, Vijay A Sent: Tuesday, January 06, 2009 12:46 PM To: Cord MacLeod Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] temporary static routes I would second EEM for this but your IOS version probably doesn't support it according to Feature Navigator. Vijay Ramcharan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geoffrey Pendery Sent: January 06, 2009 12:33 To: Cord MacLeod Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] temporary static routes Embedded Event Manager will let you trigger commands based on lots of events, with timer being one of them. You could have it fire off a "no ip route" command after a certain number of hours. Check it out: http://cisco.com/go/eem -Geoff On Tue, Jan 6, 2009 at 11:24 AM, Cord MacLeod wrote: > I'm looking to inject static routes for a particular period of time into a > router then have them expire after a given amount of time. > > For instance ip route xxx.xxx.xxx.xxx 255.255.255.255 Null0, and have this > line removed after 24 hours. 
Would IOS have a way to do this, or am I > looking at having to script this? > > I'm running 12.2(25)SEB4, RELEASE SOFTWARE (fc1). > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From moua0100 at umn.edu Tue Jan 6 12:59:35 2009 From: moua0100 at umn.edu (Ge Moua) Date: Tue, 06 Jan 2009 11:59:35 -0600 Subject: [c-nsp] temporary static routes In-Reply-To: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> Message-ID: <49639C07.7060605@umn.edu> Use "EEM" with a timer; kinda like an IOS-based "cron" Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Cord MacLeod wrote: > I'm looking to inject static routes for a particular period of time > into a router then have them expire after a given amount of time. > > For instance ip route xxx.xxx.xxx.xxx 255.255.255.255 Null0, and have > this line removed after 24 hours. Would IOS have a way to do this, or > am I looking at having to script this? > > I'm running 12.2(25)SEB4, RELEASE SOFTWARE (fc1). 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jeff-kell at utc.edu Tue Jan 6 13:29:50 2009 From: jeff-kell at utc.edu (Jeff Kell) Date: Tue, 06 Jan 2009 13:29:50 -0500 Subject: [c-nsp] temporary static routes In-Reply-To: References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> Message-ID: <4963A31E.3000103@utc.edu> Church, Charles wrote: > Policy route with a time-based ACL maybe? Just a thought... Snortsam can do this (http://snortsam.net). It's really a plugin for snort, plus a "server" that manages timed blocks on a variety of firewalls/devices. You can insert the blocks via a command-line utility though, no snort needed. Theres a plugin for null routes that does this explicitly, as well as a PIX/ASA plugin that will do shuns the same way. There's always the possibility of things getting out of sync... null route issued without the negating "no" equivalent at the proper time. I had somewhere on my to-do list trying to modify that null route plugin to add a specified "tag" value to the route to mark it for "cleanup" purposes (e.g., show run | incl ip route.*Null0 tag 12345). The plugin also does a "write mem" after each change (which might be better off omitted, especially if you have a voluminous feed). 
Of course the ultimate solution would be a BGP-peering feed of IPs to null that also did the timeouts for you, but as far as I know, that's still the great pie in the sky :-) Jeff From jared at puck.nether.net Tue Jan 6 14:10:18 2009 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 6 Jan 2009 14:10:18 -0500 Subject: [c-nsp] temporary static routes In-Reply-To: <49639C07.7060605@umn.edu> References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> <49639C07.7060605@umn.edu> Message-ID: <20090106191018.GB31709@puck.nether.net> On Tue, Jan 06, 2009 at 11:59:35AM -0600, Ge Moua wrote: > Use "EEM" with a timer; kinda like an IOS-based "cron" There is also kron in IOS. http://www.google.com/search?q=ios+kron -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. From cordmacleod at gmail.com Tue Jan 6 14:35:45 2009 From: cordmacleod at gmail.com (Cord MacLeod) Date: Tue, 6 Jan 2009 11:35:45 -0800 Subject: [c-nsp] temporary static routes In-Reply-To: <20090106191018.GB31709@puck.nether.net> References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> <49639C07.7060605@umn.edu> <20090106191018.GB31709@puck.nether.net> Message-ID: <9E3683BC-3423-4BA8-90E2-69482E04DB52@gmail.com> Looks like IOS doesn't support eem for my platform let alone my IOS version. Additionally, kron looks to be what I wanted, save that it can only use privileged mode commands, no global or interface commands, which seems to be a show stopper for injecting null0 routes. Thanks for the feedback! On Jan 6, 2009, at 11:10 AM, Jared Mauch wrote: > On Tue, Jan 06, 2009 at 11:59:35AM -0600, Ge Moua wrote: >> Use "EEM" with a timer; kinda like an IOS-based "cron" > > There is also kron in IOS. > > http://www.google.com/search?q=ios+kron > > > -- > Jared Mauch | pgp key available via finger from jared at puck.nether.net > clue++; | http://puck.nether.net/~jared/ My statements are > only mine. 
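An added example, not from any message in this thread and not Cisco's or IOS's code, of doing the bookkeeping on a management host when the router cannot: kron only takes privileged-EXEC commands and this platform has no EEM, so the script below tracks when each Null0 route was installed and emits the plain `ip route` / `no ip route` lines for whatever already pushes config for you (clogin, expect, an SSH session). It marks every route it installs with a route tag, along the lines Jeff Kell suggests above, so that a `show running-config | include ip route.*Null0` dump identifies exactly the routes it owns; that also lets it remove a blackhole whose matching `no` was never issued, the out-of-sync case raised above. The tag value 65001, the sample running-config excerpt and the timestamps are constructed for the example.

```python
"""Time-limited Null0 blackholes managed from a host, reconciled against 'show run'.

Added example for the cisco-nsp "temporary static routes" thread; it is not code
from the thread, from IOS, or from any Cisco tool. Assumptions: the router has no
EEM, so expiry is tracked here and the resulting global-config lines are pushed
by whatever you already use (clogin, expect, an SSH session); OWNER_TAG is a
constructed tag value reserved for routes this tool installs; SAMPLE_SHOW_RUN and
the timestamps are constructed test data.
"""
import ipaddress
import re

OWNER_TAG = 65001  # assumption: no other process uses this tag on the router

# One Null0 static from 'show running-config'. An administrative distance or a
# 'name ...' may sit between the interface and the tag, hence the lazy group.
_NULL_ROUTE = re.compile(
    r"^ip route (?P<addr>\d{1,3}(?:\.\d{1,3}){3}) (?P<mask>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Null0(?: \S+)*? tag (?P<tag>\d+)$"
)


def to_network(target):
    """Accept '198.51.100.7' or '198.51.100.0/24'; refuse anything not IPv4."""
    net = ipaddress.ip_network(target, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only: 'ip route' does not take IPv6 prefixes")
    return net


def install_cmd(net, tag=OWNER_TAG):
    """Global-config line that drops traffic to net and marks the route as ours."""
    return f"ip route {net.network_address} {net.netmask} Null0 tag {tag}"


def remove_cmd(net):
    """IOS removes the static by prefix, mask and interface; the tag is not needed."""
    return f"no ip route {net.network_address} {net.netmask} Null0"


def tagged_null_routes(show_run, tag=OWNER_TAG):
    """Set of networks currently blackholed with our tag, parsed from a config dump."""
    found = set()
    for raw in show_run.splitlines():
        m = _NULL_ROUTE.match(raw.strip())
        if m and int(m.group("tag")) == tag:
            found.add(ipaddress.ip_network(f"{m.group('addr')}/{m.group('mask')}"))
    return found


class BlackholeLedger:
    """Host-side record of what we installed and when each entry should go away."""

    def __init__(self, tag=OWNER_TAG):
        self.tag = tag
        self.expires = {}  # IPv4Network -> expiry, seconds since the epoch

    def add(self, target, hold_seconds, now):
        """Record the blackhole and return the line to push to the router."""
        net = to_network(target)
        self.expires[net] = now + hold_seconds
        return install_cmd(net, self.tag)

    def reconcile(self, show_run, now):
        """Return the 'no ip route' lines that bring the router in line with the ledger.

        Removes entries whose hold has elapsed and any route carrying our tag that
        we have no record of (a crash or a hand edit left it behind), which is the
        'issued without the matching no' drift the thread worries about. Entries
        the router no longer has are forgotten so the ledger cannot grow forever.
        """
        on_router = tagged_null_routes(show_run, self.tag)
        for net in [n for n in self.expires if n not in on_router]:
            del self.expires[net]
        expired = {net for net, exp in self.expires.items() if exp <= now}
        orphans = on_router - set(self.expires)
        for net in expired:
            del self.expires[net]
        return [remove_cmd(net) for net in sorted(expired | orphans)]


# Constructed 'show running-config | include ip route' excerpt for the demo.
SAMPLE_SHOW_RUN = """\
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 198.51.100.7 255.255.255.255 Null0 tag 65001
ip route 198.51.100.200 255.255.255.255 Null0 tag 65001
ip route 192.0.2.0 255.255.255.0 Null0 254 tag 65001
ip route 203.0.113.77 255.255.255.255 Null0 tag 100
"""


def demo():
    """Install two blocks at t0, then reconcile 25 hours later."""
    t0 = 1231200000  # constructed: roughly 2009-01-06 UTC
    ledger = BlackholeLedger()
    first = ledger.add("198.51.100.7", 24 * 3600, now=t0)     # gone after 24 h
    second = ledger.add("198.51.100.200", 72 * 3600, now=t0)  # still valid at t0+25h
    # 192.0.2.0/24 carries our tag but is not in the ledger: an orphan to clean up.
    # 203.0.113.77 carries tag 100: somebody else's route, left alone.
    removals = ledger.reconcile(SAMPLE_SHOW_RUN, now=t0 + 25 * 3600)
    return first, second, removals, sorted(str(n) for n in ledger.expires)


if __name__ == "__main__":
    for cmd in demo()[2]:
        print(cmd)
```

Run it from cron on the management host: install with ledger.add(...), push the returned line, and every few minutes feed the router's current `show run | include ip route` output to reconcile() and push what comes back. Because reconcile() only ever touches routes carrying the owner tag, the default route or someone else's Null0 static is never at risk from the script.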
From A.L.M.Buxey at lboro.ac.uk Tue Jan 6 14:48:05 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Tue, 6 Jan 2009 19:48:05 +0000 Subject: [c-nsp] temporary static routes In-Reply-To: <9E3683BC-3423-4BA8-90E2-69482E04DB52@gmail.com> References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> <49639C07.7060605@umn.edu> <20090106191018.GB31709@puck.nether.net> <9E3683BC-3423-4BA8-90E2-69482E04DB52@gmail.com> Message-ID: <20090106194805.GC31841@lboro.ac.uk> Hi, > Looks like IOS doesn't support eem for my platform let alone my IOS > version. Additionally, kron looks to be what I wanted, save that it can > only use privileged mode commands, no global or interface commands, which > seems to be a show stopper for injecting null0 routes. can you not use kron to: copy tftp://server.somewhere.org/random-config.txt running-config where random-config.txt contains eg int po1 ip access-list TIMED in exit end as an example.... alan From ddunkin at netos.net Tue Jan 6 14:50:38 2009 From: ddunkin at netos.net (Darryl Dunkin) Date: Tue, 6 Jan 2009 11:50:38 -0800 Subject: [c-nsp] temporary static routes References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com><49639C07.7060605@umn.edu> <20090106191018.GB31709@puck.nether.net> <9E3683BC-3423-4BA8-90E2-69482E04DB52@gmail.com> Message-ID: <56F5BC5F404CF84896C447397A1AAF20BE853D@MAIL.nosi.netos.com> If you were not required to confirm your destination interactively, you could store your configuration on an TFTP server and schedule a 'copy tftp running-config'. Unless someone knows a way around this. Otherwise, you're probably better off scripting this via telnet/ssh from another host. 
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Cord MacLeod Sent: Tuesday, January 06, 2009 11:36 To: Jared Mauch Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] temporary static routes Looks like IOS doesn't support eem for my platform let alone my IOS version. Additionally, kron looks to be what I wanted, save that it can only use privileged mode commands, no global or interface commands, which seems to be a show stopper for injecting null0 routes. Thanks for the feedback! On Jan 6, 2009, at 11:10 AM, Jared Mauch wrote: > On Tue, Jan 06, 2009 at 11:59:35AM -0600, Ge Moua wrote: >> Use "EEM" with a timer; kinda like an IOS-based "cron" > > There is also kron in IOS. > > http://www.google.com/search?q=ios+kron > > > -- > Jared Mauch | pgp key available via finger from jared at puck.nether.net > clue++; | http://puck.nether.net/~jared/ My statements are > only mine. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From stephens at ameslab.gov Tue Jan 6 14:43:35 2009 From: stephens at ameslab.gov (Douglas C. Stephens) Date: Tue, 06 Jan 2009 13:43:35 -0600 Subject: [c-nsp] temporary static routes In-Reply-To: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> Message-ID: <7.0.1.0.2.20090106130854.0751f040@ameslab.gov> Cord, Our IOS feature set on our routers does not include time-based ACLs. Our ASA and FWSM firewalls have them, but our experience using them was very poor (e.g., hung device when triggered off). We looked at a FOSS RANCID- like solution to push static route directives to our routers, but the time to apply a change to all necessary devices was going to be too high. 
Instead, we went with a FOSS solution based on MySQL and Quagga (http://www.quagga.net/) that injects the static routes directly into our IGP protocol. Even using Cisco default timing parameters, null routes injected this way percolate through our entire IGP scope in less than ten seconds. At 11:24 AM 1/6/2009, Cord MacLeod wrote: >I'm looking to inject static routes for a particular period of time >into a router then have them expire after a given amount of time. > >For instance ip route xxx.xxx.xxx.xxx 255.255.255.255 Null0, and have >this line removed after 24 hours. Would IOS have a way to do this, or >am I looking at having to script this? > >I'm running 12.2(25)SEB4, RELEASE SOFTWARE (fc1). >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Douglas C. Stephens | Network/DNS/Unix/Windows Admin System Support Specialist | Email Postmaster Information Systems | Phone: (515) 294-6102 Ames Laboratory, US DOE | Email: stephens at ameslab.gov From netsecuredata at gmail.com Tue Jan 6 14:56:43 2009 From: netsecuredata at gmail.com (Jorge Evangelista) Date: Tue, 6 Jan 2009 14:56:43 -0500 Subject: [c-nsp] temporary static routes In-Reply-To: <56F5BC5F404CF84896C447397A1AAF20BE853D@MAIL.nosi.netos.com> References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> <49639C07.7060605@umn.edu> <20090106191018.GB31709@puck.nether.net> <9E3683BC-3423-4BA8-90E2-69482E04DB52@gmail.com> <56F5BC5F404CF84896C447397A1AAF20BE853D@MAIL.nosi.netos.com> Message-ID: If you have a unix or linux server you can use a cron, using expect or perl to execute some command in your cisco router. 
http://www.ibm.com/developerworks/forums/thread.jspa?threadID=6160&tstart=105 Regards On Tue, Jan 6, 2009 at 2:50 PM, Darryl Dunkin wrote: > If you were not required to confirm your destination interactively, you > could store your configuration on an TFTP server and schedule a 'copy > tftp running-config'. Unless someone knows a way around this. > > Otherwise, you're probably better off scripting this via telnet/ssh from > another host. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Cord MacLeod > Sent: Tuesday, January 06, 2009 11:36 > To: Jared Mauch > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] temporary static routes > > Looks like IOS doesn't support eem for my platform let alone my IOS > version. Additionally, kron looks to be what I wanted, save that it > can only use privileged mode commands, no global or interface > commands, which seems to be a show stopper for injecting null0 routes. > > Thanks for the feedback! > > On Jan 6, 2009, at 11:10 AM, Jared Mauch wrote: > > > On Tue, Jan 06, 2009 at 11:59:35AM -0600, Ge Moua wrote: > >> Use "EEM" with a timer; kinda like an IOS-based "cron" > > > > There is also kron in IOS. > > > > http://www.google.com/search?q=ios+kron > > > > > > -- > > Jared Mauch | pgp key available via finger from jared at puck.nether.net > > clue++; | http://puck.nether.net/~jared/ My statements are > > only mine. 
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- "The network is the computer" From ddunkin at netos.net Tue Jan 6 15:02:16 2009 From: ddunkin at netos.net (Darryl Dunkin) Date: Tue, 6 Jan 2009 12:02:16 -0800 Subject: [c-nsp] temporary static routes References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com><49639C07.7060605@umn.edu> <20090106191018.GB31709@puck.nether.net><9E3683BC-3423-4BA8-90E2-69482E04DB52@gmail.com><56F5BC5F404CF84896C447397A1AAF20BE853 D@MAIL.nosi.netos.com> Message-ID: <56F5BC5F404CF84896C447397A1AAF20BE8546@MAIL.nosi.netos.com> Expect is great for telnet. If you permit SSH only, clogin included with rancid is a great place to start as well. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jorge Evangelista Sent: Tuesday, January 06, 2009 11:57 To: cisco_nsp Subject: Re: [c-nsp] temporary static routes If you have a unix or linux server you can use a cron, using expect or perl to execute some command in your cisco router. http://www.ibm.com/developerworks/forums/thread.jspa?threadID=6160&tstar t=105 Regards On Tue, Jan 6, 2009 at 2:50 PM, Darryl Dunkin wrote: > If you were not required to confirm your destination interactively, you > could store your configuration on an TFTP server and schedule a 'copy > tftp running-config'. Unless someone knows a way around this. > > Otherwise, you're probably better off scripting this via telnet/ssh from > another host. 
> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Cord MacLeod > Sent: Tuesday, January 06, 2009 11:36 > To: Jared Mauch > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] temporary static routes > > Looks like IOS doesn't support eem for my platform let alone my IOS > version. Additionally, kron looks to be what I wanted, save that it > can only use privileged mode commands, no global or interface > commands, which seems to be a show stopper for injecting null0 routes. > > Thanks for the feedback! > > On Jan 6, 2009, at 11:10 AM, Jared Mauch wrote: > > > On Tue, Jan 06, 2009 at 11:59:35AM -0600, Ge Moua wrote: > >> Use "EEM" with a timer; kinda like an IOS-based "cron" > > > > There is also kron in IOS. > > > > http://www.google.com/search?q=ios+kron > > > > > > -- > > Jared Mauch | pgp key available via finger from jared at puck.nether.net > > clue++; | http://puck.nether.net/~jared/ My statements are > > only mine. 
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- "The network is the computer" _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From eric at atlantech.net Tue Jan 6 15:35:35 2009 From: eric at atlantech.net (Eric Van Tol) Date: Tue, 6 Jan 2009 15:35:35 -0500 Subject: [c-nsp] temporary static routes In-Reply-To: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> Message-ID: <2C05E949E19A9146AF7BDF9D44085B863514034C2B@exchange.aoihq.local> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Cord MacLeod > Sent: Tuesday, January 06, 2009 12:25 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] temporary static routes > > I'm looking to inject static routes for a particular period of time > into a router then have them expire after a given amount of time. > > For instance ip route xxx.xxx.xxx.xxx 255.255.255.255 Null0, and have > this line removed after 24 hours. Would IOS have a way to do this, or > am I looking at having to script this? > > I'm running 12.2(25)SEB4, RELEASE SOFTWARE (fc1). You could use a free tool like RANCID or Kiwi CatTools to schedule a configuration change at a specific time. We use a commercial product that can do this quite easily, if EEM is not available in IOS. 
-evt

From bstiff at cisco.com Tue Jan 6 17:45:09 2009 From: bstiff at cisco.com (Brian Stiff (bstiff)) Date: Tue, 6 Jan 2009 14:45:09 -0800 Subject: [c-nsp] Cisco Software Client -> Router VPN issue. In-Reply-To: References: Message-ID: Hi Chris- Your guess that NAT (or rather, lack thereof) is playing a part in this problem is correct. To offer Internet connectivity via the hub site for VPN users, you'll need to apply a "NAT on a stick" configuration for the VPN clients' traffic. Refer to this doc for some background: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml You'll need to modify the configuration described in the doc such that the policy route will forward the traffic through a loopback configured as "nat inside", so that the Internet-bound traffic will be handled properly by NAT. Otherwise, split tunneling should fit the bill fine, if you don't care what users are doing on the Internet, and you're not worried about what the Internet is doing to/with VPN client PCs. Regards, -B Brian Stiff 720.562.6462 Technical Marketing Engineer IOS & Router Security Mktg http://www.cisco.com/go/iossecurity Date: Mon, 05 Jan 2009 08:38:02 -0700 From: Networkers Subject: [c-nsp] Cisco Software Client -> Router VPN issue. To: Message-ID: Content-Type: text/plain; charset="ISO-8859-1" I'm trying to solve a problem with setting up the remote VPN access using the Cisco VPN software client. I have gotten it to the point where a user can remotely tunnel to the router from their Doze PC, log in, receive an IP in the 10.x.x.x network, and ping something on the 192.168.100.x network. However, they can't surf to the outside internet over that tunneled connection. I've taken a look at some sample configs on the Cisco site but they all seem to be similar to this. My thinking is that the dial pool doesn't get NATed properly, but I'm unsure on what to do to the config to fix this. Normal 192.168.100.x Ethernet-connected PCs in the home office can surf and do everything just fine.

From bstiff at cisco.com Tue Jan 6 19:01:36 2009 From: bstiff at cisco.com (Brian Stiff (bstiff)) Date: Tue, 6 Jan 2009 16:01:36 -0800 Subject: [c-nsp] IOS IDS Signature Updates, still NIL In-Reply-To: References: Message-ID: Hi Ray- You're absolutely correct, I offered the assurance two weeks before your email (which was, well, two weeks ago, today) that it would only be "several days". Unfortunately, the signature release team is still addressing some problems for which I can't really offer details. However, part of the Cisco IOS IPS product group has worked to manually correct problems that were in the 369 sig release, and an engineer is working to post the file now, such that the file should find its way to cisco.com in short order. While I realize the 369 sigs predate, for instance, some December product security bulletins, the 369 sig package updates the router sig support by a month or so. If you need more recent sigs ASAP, you can apply this sig package. That said, you may see a more recent sig package in the next couple of days, or there may be greater delays. The team is still working to sort out the IOS sig package generation process, so we might see the 375 (or later) package very soon, or the 369 package might have to serve as a longer-term interim package. Apologies for the apparent delay in action. Regards, Brian Brian Stiff 720.562.6462 Technical Marketing Engineer IOS & Router Security Mktg http://www.cisco.com/go/iossecurity Date: Tue, 23 Dec 2008 10:31:31 -0400 From: "Ray Burkholder" Subject: [c-nsp] IOS IDS Signature Updates, still NIL To: Message-ID: <083d01c9650b$271fc950$755f5bf0$@net> Content-Type: text/plain; charset="us-ascii" Some time ago, there was mention that the IOS IPS Version 5 signatures would be updated 'in a few days'. There have been many many 'a few days' come and gone. 
I was wondering if anyone had any progress report on this. The IOS IPS signatures are about two (2) months out of date now. From cordmacleod at gmail.com Tue Jan 6 19:06:10 2009 From: cordmacleod at gmail.com (Cord MacLeod) Date: Tue, 6 Jan 2009 16:06:10 -0800 Subject: [c-nsp] temporary static routes In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863514034C2B@exchange.aoihq.local> References: <678D6E6C-1957-43B0-A081-8A3E3D0159A7@gmail.com> <2C05E949E19A9146AF7BDF9D44085B863514034C2B@exchange.aoihq.local> Message-ID: Thank you all for the replies, a ton of great information in this thread. On Jan 6, 2009, at 12:35 PM, Eric Van Tol wrote: >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Cord MacLeod >> Sent: Tuesday, January 06, 2009 12:25 PM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] temporary static routes >> >> I'm looking to inject static routes for a particular period of time >> into a router then have them expire after a given amount of time. >> >> For instance ip route xxx.xxx.xxx.xxx 255.255.255.255 Null0, and have >> this line removed after 24 hours. Would IOS have a way to do this, >> or >> am I looking at having to script this? >> >> I'm running 12.2(25)SEB4, RELEASE SOFTWARE (fc1). > > You could use a free tool like RANCID or Kiwi CatTools to schedule a > configuration change at a specific time. We use a commercial > product that can do this quite easily, if EEM is not available in IOS. > > -evt From booloo at ucsc.edu Tue Jan 6 18:33:58 2009 From: booloo at ucsc.edu (Mark Boolootian) Date: Tue, 6 Jan 2009 15:33:58 -0800 Subject: [c-nsp] QoS help on 2821 Message-ID: <20090106233358.GA44068@root.ucsc.edu> Hi folks, I'm trying to understand the behavior of what I think is a very simple QoS configuration and am hoping someone can explain the behavior I'm seeing and tell me what I'm doing wrong. 
I have a 2821 running 12.4(22)T with the following policy map:

class-map match-all bearer
 match ip dscp ef
class-map match-all signal
 match ip dscp cs3
policy-map voice-policy
 class bearer
  priority percent 15
 class signal
  bandwidth percent 10
 class class-default
  fair-queue

This policy map is applied as an outbound service policy on a T-1 interface. I flood the T-1 with 10 Mb/s of unmarked UDP traffic while I have a couple of pings running that are sending CS3 and EF marked ICMP echo requests to a device on the far end of the T-1. I expected the marked traffic to make it through unscathed (modulo some additional serialization delay introduced by the unmarked traffic), but it was all dropped (policy map stats below). The stats claim bandwidth exceeded drops in the case of the priority queue, but I'm sending a 64 byte ICMP echo request once per second, so that seems unlikely. CPU is basically idling on the 2821. There are no input queue drops. Clues?

---

dev#sh policy-map int ser 0/0/0:0
 Serial0/0/0:0

  Service-policy output: voice-policy

    queue stats for all priority classes:
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/131/131
      (pkts output/bytes output) 3027/266376

    Class-map: bearer (match-all)
      3158 packets, 277904 bytes
      5 minute offered rate 1000 bps, drop rate 1000 bps
      Match: ip dscp ef (46)
      Priority: 15% (230 kbps), burst bytes 5750, b/w exceed drops: 131

    Class-map: signal (match-all)
      1627 packets, 143176 bytes
      5 minute offered rate 1000 bps, drop rate 1000 bps
      Match: ip dscp cs3 (24)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/97/97
      (pkts output/bytes output) 1530/134640
      bandwidth 10% (153 kbps)

    Class-map: class-default (match-any)
      168667 packets, 213899049 bytes
      5 minute offered rate 3052000 bps, drop rate 1629000 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 999/54745/54501/244
      (pkts output/bytes output) 114068/135442123
      Fair-queue: per-flow queue limit 16

From brett at looney.id.au Tue Jan 6 18:48:03 2009 From: brett at looney.id.au (Brett Looney) Date: Wed, 7 Jan 2009 08:48:03 +0900 Subject: [c-nsp] SPLIT ETHERNET In-Reply-To: <2299bfcb0901060436y452b72e2j608f707eb2f7be0b@mail.gmail.com> References: <2299bfcb0901060436y452b72e2j608f707eb2f7be0b@mail.gmail.com> Message-ID: <042801c97059$3f74a8a0$be5df9e0$@id.au> > So far the documentation I have seen is > > "It presents a single IP address on multiple Ethernet Interfaces. > The split Ethernet function supports the usage of several Ethernet > interfaces in different general processor boards" Where are you seeing this documentation? A quick Google doesn't show up any match for that text that I can see. B.

From pshem.k at gmail.com Tue Jan 6 19:43:35 2009 From: pshem.k at gmail.com (Pshem Kowalczyk) Date: Wed, 7 Jan 2009 13:43:35 +1300 Subject: [c-nsp] MPLS-VPN migration In-Reply-To: <001201c96fde$7a598600$6f0c9200$@id.au> References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com> <01d401c960e8$6bc17710$43446530$@id.au> <00d101c961a8$a6858ce0$f390a6a0$@id.au> <9e246b4d0812231012r4910467dp472a53048b63355a@mail.gmail.com> <001201c96fde$7a598600$6f0c9200$@id.au> Message-ID: <20fe625b0901061643k1be87f5cs5e4ef4ca49acb6be@mail.gmail.com> 2009/1/6 Aaron Daniels - Lists : > Hi Tim, > >> I have heard several people say an iBGP version is messy. What is the >> difference? (I'm not opposed to the eBGP config, just like to know >> what both look like.) > > >From memory... > We tried route reflectors for the PE-CE iBGP edge. Need to use a route-map > to set next-hop-self and there was something else that was qwerky but I > can't remember currently. There is one more thing that you need to be careful about when running iBGP on PE-CE links to CEs that might be either directly or indirectly multihomed to multiple PEs. 
Since you have to run a route-reflector setup you might accidentally
advertise back into the MPLS cloud routes that you learnt from there,
thus creating nice routing issues (flaps and loops).

kind regards
Pshem

From cburwell at gmail.com Tue Jan 6 21:02:55 2009
From: cburwell at gmail.com (Chris Burwell)
Date: Tue, 6 Jan 2009 21:02:55 -0500
Subject: [c-nsp] SPLIT ETHERNET

This sounds like port channel/Etherchannel. HP calls this trunking on their
ProCurve line. When you are talking about switching equipment, this is
usually used when you want to incorporate redundant network links. For
example, if you want to have two uplink ports from an edge switch back to
your core you could put the two ports in an Etherchannel. When you do this,
the switch treats the two ports as one.

A major advantage of doing this is convergence. If you had a similar setup
to what I described above, but instead used STP to block one of the ports
and prevent loops, it would take a longer amount of time (a few seconds with
RSTP) for the switch to fail over to the other port if one should fail (that
time is called convergence). With Etherchannel, convergence is really not
an issue since the switch treats both ports as one.

I hope this helps.

- Chris

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rocker Feller
> Sent: 06 January 2009 12:37
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SPLIT ETHERNET
>
> Hi,
>
> I am looking to understand the term split ethernet and how it works.
>
> Anybody having an idea on what it refers to and how it can be implemented?
>
> So far the documentation I have seen is
>
> "It presents a single IP address on multiple Ethernet Interfaces. The split Ethernet function supports the usage of several Ethernet interfaces in different general processor boards"
>
> This is the best i can get and would appreciate anybody with a pointer to the right direction.
>
> I am fairly new in this cisco field and would appreciate assistance
>
> Rock.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From mark at noc.mainstreet.net Tue Jan 6 21:45:04 2009
From: mark at noc.mainstreet.net (Mark Kent)
Date: Tue, 6 Jan 2009 18:45:04 -0800 (PST)
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
Message-ID: <200901070245.n072j4Ij099702@mainstreet.net>

I'm experimenting with a pair of cisco 2811 with the AIM-VPN/SSL-2
running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7. I've got them
back-to-back, configured as shown below.

With a single file transfer (tcp) through the boxes I am able to jam
the processor at 99%/96%, which tells me I must be missing something.

I checked and the "ip tcp adjust-mss 1360" is working, so it is not
fragmentation that is the culprit. I do get about 35Mbs throughput,
but I'm bugged that the main cpu is jammed. I did check "sh cry eng
acc stat" and see that the HW module is being used, but I would have
thought that the actual 2811 cpu would be only modestly busy.

Am I missing anything here?

Thanks,
-mark

---

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 300
!
crypto isakmp key foo address 10.10.10.2 no-xauth
!
crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac
!
crypto map GREVPN local-address FastEthernet0/0
!
ip access-list extended TUNNEL
 permit gre host 10.10.10.1 host 10.10.10.2
!
crypto map GREVPN 20 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set GREVPN
 match address TUNNEL
!
interface Tunnel0
 ip address 192.0.2.1 255.255.255.252
 ip mtu 1476
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 10.10.10.2
!
interface FastEthernet0/0
 description x-conn to other 2811
 ip address 10.10.10.1 255.255.255.252
 crypto map GREVPN
 crypto ipsec fragmentation before-encryption
!
interface FastEthernet0/1
 ip address
!
ip route 192.0.2.2

---

2811-expt-TWO#sh cry engine acc stat

            Device:   AIM-VPN/SSL-2
            Location: AIM Slot: 0
        Virtual Private Network (VPN) Module in slot : 0
            Statistics for Hardware VPN Module since the last clear
             of counters 42 seconds ago
              126270 packets in                  126270 packets out
           127941213 bytes in                 124977694 bytes out
                3006 paks/sec in                   3006 paks/sec out
               23865 Kbits/sec in                 23312 Kbits/sec out
               42555 packets decrypted           83715 packets encrypted
             5854456 bytes before decrypt    119123238 bytes encrypted
             2790517 bytes decrypted         125150696 bytes after encrypt
                   0 packets decompressed           0 packets compressed
                   0 bytes before decomp            0 bytes before comp
                   0 bytes after decomp             0 bytes after comp
                   0 packets bypass decompr         0 packets bypass compres
                   0 bytes bypass decompres         0 bytes bypass compressi
                   0 packets not decompress         0 packets not compressed
                   0 bytes not decompressed         0 bytes not compressed
               1.0:1 compression ratio         1.0:1 overall
                   4 commands out                    4 commands acknowledged
            Last 5 minutes:
               53276 packets in                   53276 packets out
                1268 paks/sec in                   1268 paks/sec out
            10792372 bits/sec in               10542446 bits/sec out
             1178581 bytes decrypted          50240550 bytes encrypted
              235716 Kbits/sec decrypted     10048110 Kbits/sec encrypted
               1.0:1 compression ratio         1.0:1 overall
        Errors:
            ppq full errors         :        0  ppq rx errors           :        0
            cmdq full errors        :        0  cmdq rx errors          :        0
            ppq down errors         :        0  cmdq down errors        :        0
            no buffer               :        0  replay errors           :        0
            dest overflow           :        0  authentication errors   :        0
            Other error             :        0  Raw Input Underrun      :        0
            IPSEC Unsupported Option:        0  IPV4 Header Length      :        0
            ESP Pad Length          :        0  IPSEC Decompression     :        0
            AH ESP seq mismatch     :        0  AH Header Length        :        0
            AH ICV Incorrect        :        0  IPCOMP CPI Mismatch     :        0
            IPSEC ESP Modulo        :        0  Unexpected IPV6 Extensio:        0
            Unexpected Protocol     :        0  Dest Buf overflow       :        0
            IPSEC Pkt is fragment   :        0  IPSEC Pkt src count     :        0
            Invalid IP Version      :        0  Unwrappable             :        0
            SSL Output overrun      :        0  SSL Decompress failure  :        0
            SSL BAD Decomp History  :        0  SSL Version Mismatch    :        0
            SSL Input overrun       :        0  SSL Conn Modulo         :        0
            SSL Input Underrun      :        0  SSL Connection closed   :        0
            SSL Unrecognised content:        0  SSL record header length:        0
            PPTP Duplicate packet   :        0  PPTP Exceed max missed p:        0
            RNG self test fail      :        0  DF Bit set              :        0
            Hash Miscompare         :        0  Unwrappable object      :        0
            Missing attribute       :        0  Invalid attrribute value:        0
            Bad Attribute           :        0  Verification Fail       :        0
            Decrypt Failure         :        0  Invalid Packet          :        0
            Invalid Key             :        0  Input Overrun           :        0
            Input Underrun          :        0  Output buffer overrun   :        0
            Bad handle value        :        0  Invalid parameter       :        0
            Bad function code       :        0  Out of handles          :        0
            Access denied           :        0  Out of memory           :        0
            NR overflow             :        0  pkts dropped            :        0
        Warnings:
            sessions_expired        :        0  packets_fragmented      :        0
            general:                :        0
        HSP details:
            hsp_operations          :    35231  hsp_sessions            :        3

From pwu828 at gmail.com Tue Jan 6 22:49:18 2009
From: pwu828 at gmail.com (Patrick Wu)
Date: Wed, 7 Jan 2009 14:49:18 +1100
Subject: [c-nsp] PPPoE Mid-session Shaping/Policing

Hi Everyone,

I have a L2TP/PPPoE setup in a 7206VXR and it is working fine. What I now
want to do is to implement dynamic shaping/policing on the PPPoE services.
ie, I would like to shape/police a PPPoE service without disconnecting the
session. I believe this can be implemented using RADIUS attributes? But not
sure how it is done exactly if it is possible at all.

I'm already using RADIUS attributes to shape/police PPPoE sessions when they
login initially, I now need to change the shaper/policer rate mid-session
without disconnecting.

Any one with any info or point me in the right direction would be appreciated.

Thanks!

Patrick

From cchurc05 at harris.com Tue Jan 6 22:55:42 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 6 Jan 2009 21:55:42 -0600
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
In-Reply-To: <200901070245.n072j4Ij099702@mainstreet.net>
References: <200901070245.n072j4Ij099702@mainstreet.net>

Do you really need the GRE? I'm guessing that is the issue, don't think
the accelerator will handle that.
Chuck

From chris at chrisserafin.com Tue Jan 6 23:06:29 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Tue, 06 Jan 2009 22:06:29 -0600
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
References: <200901070245.n072j4Ij099702@mainstreet.net>
Message-ID: <49642A45.5050005@chrisserafin.com>

Unless you need this for legacy IPX or some layer 2 stuff going across
the VPN, why not use the 'good ole, plain ole' IPSEC VPN?

Chris Serafin
chris at chrisserafin.com

Church, Charles wrote:
> Do you really need the GRE? I'm guessing that is the issue, don't think
> the accelerator will handle that.
>
> Chuck

From ariemer at wesenergy.com.au Tue Jan 6 23:27:32 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Wed, 7 Jan 2009 13:27:32 +0900
Subject: [c-nsp] QoS help on 2821
In-Reply-To: <20090106233358.GA44068@root.ucsc.edu>
References: <20090106233358.GA44068@root.ucsc.edu>
Message-ID: <0867622C64B50C4B878AB45C95F43F1106668D43@MAILWA01.wesenergy.local>

Could other traffic be marked with either EF or CS3 here? How are you
marking the traffic? I would have a separate policy on the inbound
interface that actually marks some of the traffic to test.

Let me know how you go, I am interested :)

Cheers,

Aaron.

From brhedlun at cisco.com Tue Jan 6 23:40:39 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Tue, 06 Jan 2009 22:40:39 -0600
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
In-Reply-To: <49642A45.5050005@chrisserafin.com>

On 1/6/09 10:06 PM, "ChrisSerafin" wrote:
> Unless you need this for legacy IPX or some layer 2 stuff going across
> the VPN, why not use the 'good ole, plain ole' IPSEC VPN?

Plain IPSEC VPN does not work well for dynamic routing and any-to-any VPN's.
If dynamic routing is required you can go tunnel-less with GET VPN. However
if routing private IP addresses across a public cloud is required you cannot
escape the tunnel.

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From chris at chrisserafin.com Wed Jan 7 00:25:19 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Tue, 06 Jan 2009 23:25:19 -0600
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
Message-ID: <49643CBF.9010106@chrisserafin.com>

I can understand the dynamic routing but why should remote spoke sites
need this unless they have multiple egress points? I would use a floating
static at the remotes if needed and peer your HQ hub VPN router with
dynamic routing....have the HQ router redistribute statics via dynamic
routing...? That's what I do....just a thought.

--Chris

Brad Hedlund wrote:
> On 1/6/09 10:06 PM, "ChrisSerafin" wrote:
>
>> Unless you need this for legacy IPX or some layer 2 stuff going across
>> the VPN, why not use the 'good ole, plain ole' IPSEC VPN?
>
> Plain IPSEC VPN does not work well for dynamic routing and any-to-any VPN's.
> If dynamic routing is required you can go tunnel-less with GET VPN. However
> if routing private IP addresses across a public cloud is required you cannot
> escape the tunnel.
>
> Cheers,
>
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org

From marty at supine.com Tue Jan 6 23:50:10 2009
From: marty at supine.com (Martin Barry)
Date: Wed, 7 Jan 2009 15:50:10 +1100
Subject: [c-nsp] nopassword but still being prompted
Message-ID: <20090107045010.GC10921@cotterpin.mamista.net>

I have a monitoring check to ensure no one leaves debugging on on the
routers. It uses configuration like

username ... nopassword ... autocommand show debug

but for some reason I still get prompted for a password.

This wasn't happening previously but I can't put my finger on what has
changed.

Any ideas?

cheers
Marty

From brhedlun at cisco.com Wed Jan 7 00:47:52 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Tue, 06 Jan 2009 23:47:52 -0600
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
In-Reply-To: <49643CBF.9010106@chrisserafin.com>

On 1/6/09 11:25 PM, "ChrisSerafin" wrote:
> I can understand the dynamic routing but why should remote spoke sites
> need this unless they have multiple egress points?

A spoke could have a single egress interface but connect to multiple hubs -
active/active data centers using Route Health Injection (RHI), for example.
Dynamic routing at the spoke allows failover between data centers to be fast,
predictable, and easy.

Hope this clarifies.
Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From jsa at aua.auc.dk Wed Jan 7 02:22:38 2009
From: jsa at aua.auc.dk (Jens S Andersen)
Date: Wed, 07 Jan 2009 08:22:38 +0100 (CET)
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
In-Reply-To: "Your message dated Tue, 06 Jan 2009 18:45:04 -0800 (PST)" <200901070245.n072j4Ij099702@mainstreet.net>
Message-ID: <01N40AMAKB6O8XWINI@aua.auc.dk>

Hi

Do a show ip traffic

If Frags: keeps incrementing try to reduce ip mtu and mss size.
Fragmented packets are reassembled by the cpu and then handed over to the
AIM for decryption.

I configure my gre/ipsec with ip mtu 1418 and adjust-mss 1300

-Jens

>I'm experimenting with a pair of cisco 2811 with the AIM-VPN/SSL-2
>running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7. I've got them
>back-to-back, configured as shown below.
>With a single file transfer (tcp) through the boxes I am able to jam
>the processor at 99%/96%, which tells me I must be missing something.
>I checked and the "ip tcp adjust-mss 1360" is working, so it is not
>fragmentation that is the culprit. I do get about 35Mbs throughput,
>but I'm bugged that the main cpu is jammed. I did check "sh cry eng
>acc stat" and see that the HW module is being used, but I would have
>thought that the actual 2811 cpu would be only modestly busy.
>Am I missing anything here?
>Thanks,
>-mark

Jens S Andersen                  Email: jsa at adm.aau.dk
Aalborg University               Telf: 9940 9464
Selma Lagerlöfs Vej 300, 4.1.03  Fax: 9940 7593
9220 Aalborg Denmark

From rocker.rockerfeller at gmail.com Wed Jan 7 02:52:39 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Wed, 7 Jan 2009 10:52:39 +0300
Subject: [c-nsp] SPLIT ETHERNET
In-Reply-To: <042801c97059$3f74a8a0$be5df9e0$@id.au>
References: <2299bfcb0901060436y452b72e2j608f707eb2f7be0b@mail.gmail.com> <042801c97059$3f74a8a0$be5df9e0$@id.au>
Message-ID: <2299bfcb0901062352m4ad9e731kdc26eb9062784a2d@mail.gmail.com>

Yes
this documentation is an excerpt I have from Ericsson for their GSM.
Unfortunately that is as far as is explained and yes google reveals no
results.

And a diagram to explain

MGW is media gateway and GPB is General Processor Board so this
particular switch sits at the core of the network and is the one that
connects to the other networks. At any particular time only one
ethernet is active at a time and the second provides redundancy.

My question is how do I avoid an ip conflict on the switch an Ericsson
Media Gateway for Mobile Networks (M-MGw) R5.

Thanks

On Wed, Jan 7, 2009 at 2:48 AM, Brett Looney wrote:
>> So far the documentation I have seen is
>>
>> "It presents a single IP address on multiple Ethernet Interfaces.
>> The split Ethernet function supports the usage of several Ethernet
>> interfaces in different general processor boards"
>
> Where are you seeing this documentation? A quick Google doesn't show up any
> match for that text that I can see.
>
> B.

From brett at looney.id.au Wed Jan 7 03:33:38 2009
From: brett at looney.id.au (Brett Looney)
Date: Wed, 7 Jan 2009 17:33:38 +0900
Subject: [c-nsp] SPLIT ETHERNET
In-Reply-To: <2299bfcb0901062352m4ad9e731kdc26eb9062784a2d@mail.gmail.com>
References: <2299bfcb0901060436y452b72e2j608f707eb2f7be0b@mail.gmail.com> <042801c97059$3f74a8a0$be5df9e0$@id.au> <2299bfcb0901062352m4ad9e731kdc26eb9062784a2d@mail.gmail.com>
Message-ID: <04ef01c970a2$a5d43310$f17c9930$@id.au>

> At any particular time only one ethernet is active at a time and the second provides redundancy.
> My question is how do I avoid an ip conflict on the switch an Ericsson Media Gateway for Mobile Networks (M-MGw) R5.

You don't need to do anything special at all.
Just make sure that the two ports from the media gateway and the two ports from your upstream routers are in the same VLAN on the switches and you're fine. This is standard active/standby networking server stuff - as long as the media gateway really only has one interface active at any one time the network will be ok.

B.

From peter at rathlev.dk Wed Jan 7 05:24:31 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 07 Jan 2009 11:24:31 +0100
Subject: [c-nsp] IOS reliability
Message-ID: <1231323871.4231.0.camel@localhost.localdomain>

Hello,

We've been asked to assess some network parameters regarding a SLA for an important business system. We've worked out the "usual" stuff with MTBF and line reliability and so forth. What we don't have is some kind of statistical material on the stability of the IOS software we're running. The closest we've come to this is the DCAP and Safe Harbour documents, but they're focusing on functionality and don't seem concerned with long term stability as much. It seems a little naive assuming a box keeps running as long as no one makes any changes. (Though I don't recall this being any very big problem...)

We're mostly running C6k with 12.2SXF and 7200 with 12.4 main, and I know it's very complicated to give some figures, but do any of you know of any studies regarding IOS stability in general? Otherwise we could of course just assume the stability, and mention that unprovoked software crashes are negligible. Or are we making our lives overly complicated this way?
:-) Thanks, Peter From A.L.M.Buxey at lboro.ac.uk Wed Jan 7 06:18:06 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Wed, 7 Jan 2009 11:18:06 +0000 Subject: [c-nsp] IOS reliability In-Reply-To: <1231323871.4231.0.camel@localhost.localdomain> References: <1231323871.4231.0.camel@localhost.localdomain> Message-ID: <20090107111806.GG29801@lboro.ac.uk> hi, there can be the occasional bug or glitch - mainly (in our experience) due to new types of traffic on the network. our main downtimes are due to power outage (in excess of our UPS 6hr capability) and firmware updates. however, you can help to negate any IOS issue by eg using dual supervisors in the 6500 platform, or by using eg s720-10G virtual router architecture. - or in the 3750 world, by having dual-homed stacks etc. ie use resiliency to work around any possible IOS/platform issues (this is true for any chosen network vendor!) of course, this then comes down to the classic 'if you run the same version on both boxes they'll get hit by the same bug' perennial question - I'm always happy to run a slightly newer version alongside the old trusted....and safeharbor is always a good option unless you cant use it (eg new a feature thats not in a safeharbor release!) alan From peter at rathlev.dk Wed Jan 7 09:38:44 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 07 Jan 2009 15:38:44 +0100 Subject: [c-nsp] IOS reliability In-Reply-To: <20090107111806.GG29801@lboro.ac.uk> References: <1231323871.4231.0.camel@localhost.localdomain> <20090107111806.GG29801@lboro.ac.uk> Message-ID: <1231339124.4231.80.camel@localhost.localdomain> On Wed, 2009-01-07 at 11:18 +0000, A.L.M.Buxey at lboro.ac.uk wrote: > there can be the occasional bug or glitch - mainly (in > our experience) due to new types of traffic on the network. > our main downtimes are due to power outage (in excess of > our UPS 6hr capability) and firmware updates. 
> > however, you can help to negate any IOS issue by eg > using dual supervisors in the 6500 platform, or by > using eg s720-10G virtual router architecture. - or > in the 3750 world, by having dual-homed stacks etc. > > ie use resiliency to work around any possible IOS/platform > issues (this is true for any chosen network vendor!) We have duplicated chassis' everywhere, relying on StackWise/STP/HSRP/ BGP (depeding on the situation) to take care of failures. This gives us some figures on how long time the network will take to converge, but of course it doesn't tell us how often this will happen. :-) > of course, this then comes down to the classic 'if you run > the same version on both boxes they'll get hit by the same > bug' perennial question - I'm always happy to run a slightly > newer version alongside the old trusted....and safeharbor > is always a good option unless you cant use it (eg new a feature > thats not in a safeharbor release!) We've given this some thought, especially since the failover relies only on chassis independent protocols, but haven't gotten around to doing something about it. But we'll consider closer in the future. Thanks for the input. Regards, Peter From ross at kallisti.us Wed Jan 7 09:52:56 2009 From: ross at kallisti.us (Ross Vandegrift) Date: Wed, 7 Jan 2009 09:52:56 -0500 Subject: [c-nsp] IOS reliability In-Reply-To: <20090107111806.GG29801@lboro.ac.uk> References: <1231323871.4231.0.camel@localhost.localdomain> <20090107111806.GG29801@lboro.ac.uk> Message-ID: <20090107145256.GA18768@kallisti.us> On Wed, Jan 07, 2009 at 11:18:06AM +0000, A.L.M.Buxey at lboro.ac.uk wrote: > ...and safeharbor is always a good option unless you cant use it (eg > new a feature thats not in a safeharbor release!) Don't put too much stock on the "Safe Harbor" label. We have an internal control to only run Safe Harbor code on our 6500s. I've seen more crashes from the 12.2S train than any other IOS, probably by an order of magnitude. 
Most of the crashes have been related to SNMP. For many MIBs, if you poll an object at the same time it is changed/removed, there's a race condition somewhere that kills IOS. It's really horrible - we're just slowly whittling away at our SNMP view, losing management capabilities to keep the damn things from falling over.

According to TAC, these crashes are rare and hard to trigger. We've done it twice in a lab and four times in production. On the upside, if you don't use SNMP, you're probably golden!

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie

From luan at netcraftsmen.net Wed Jan 7 09:56:58 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 7 Jan 2009 09:56:58 -0500
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
In-Reply-To: <200901070245.n072j4Ij099702@mainstreet.net>
References: <200901070245.n072j4Ij099702@mainstreet.net>
Message-ID: <03ce01c970d8$30397ad0$90ac7070$@net>

From what you said about the process CPU 99/96, the routers aren't doing anything process intensive. Assuming that was what you meant: CPU utilization for five seconds: 99/96. Getting 35Mbs VPN throughput for the 2811 with AIM-VPN/SSL-2 is best case scenario for that model already. You could try to use IPSEC Profile configuration instead of the legacy crypto-map on the WAN interface, and try different IOS to see if you get improvement. That might improve throughput a bit: minimal if at all. If you need more VPN throughput, I would suggest try different hardware platform.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] luan at netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Kent
Sent: Tuesday, January 06, 2009 9:45 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC

I'm experimenting with a pair of cisco 2811 with the AIM-VPN/SSL-2 running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7. I've got them back-to-back, configured as shown below. With a single file transfer (tcp) through the boxes I am able to jam the processor at 99%/96%, which tells me I must be missing something. I checked and the "ip tcp adjust-mss 1360" is working, so it is not fragmentation that is the culprit. I do get about 35Mbs throughput, but I'm bugged that the main cpu is jammed. I did check "sh cry eng acc stat" and see that the HW module is being used, but I would have thought that the actual 2811 cpu would be only modestly busy. Am I missing anything here?

Thanks,
-mark

---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 300
!
crypto isakmp key foo address 10.10.10.2 no-xauth
!
crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac
!
crypto map GREVPN local-address FastEthernet0/0
!
ip access-list extended TUNNEL
 permit gre host 10.10.10.1 host 10.10.10.2
!
crypto map GREVPN 20 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set GREVPN
 match address TUNNEL
!
interface Tunnel0
 ip address 192.0.2.1 255.255.255.252
 ip mtu 1476
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 10.10.10.2
!
interface FastEthernet0/0
 description x-conn to other 2811
 ip address 10.10.10.1 255.255.255.252
 crypto map GREVPN
 crypto ipsec fragmentation before-encryption
!
interface FastEthernet0/1
 ip address
!
ip route 192.0.2.2 --- 2811-expt-TWO#sh cry engine acc stat Device: AIM-VPN/SSL-2 Location: AIM Slot: 0 Virtual Private Network (VPN) Module in slot : 0 Statistics for Hardware VPN Module since the last clear of counters 42 seconds ago 126270 packets in 126270 packets out 127941213 bytes in 124977694 bytes out 3006 paks/sec in 3006 paks/sec out 23865 Kbits/sec in 23312 Kbits/sec out 42555 packets decrypted 83715 packets encrypted 5854456 bytes before decrypt 119123238 bytes encrypted 2790517 bytes decrypted 125150696 bytes after encrypt 0 packets decompressed 0 packets compressed 0 bytes before decomp 0 bytes before comp 0 bytes after decomp 0 bytes after comp 0 packets bypass decompr 0 packets bypass compres 0 bytes bypass decompres 0 bytes bypass compressi 0 packets not decompress 0 packets not compressed 0 bytes not decompressed 0 bytes not compressed 1.0:1 compression ratio 1.0:1 overall 4 commands out 4 commands acknowledged Last 5 minutes: 53276 packets in 53276 packets out 1268 paks/sec in 1268 paks/sec out 10792372 bits/sec in 10542446 bits/sec out 1178581 bytes decrypted 50240550 bytes encrypted 235716 Kbits/sec decrypted 10048110 Kbits/sec encrypted 1.0:1 compression ratio 1.0:1 overall Errors: ppq full errors : 0 ppq rx errors : 0 cmdq full errors : 0 cmdq rx errors : 0 ppq down errors : 0 cmdq down errors : 0 no buffer : 0 replay errors : 0 dest overflow : 0 authentication errors : 0 Other error : 0 Raw Input Underrun : 0 IPSEC Unsupported Option: 0 IPV4 Header Length : 0 ESP Pad Length : 0 IPSEC Decompression : 0 AH ESP seq mismatch : 0 AH Header Length : 0 AH ICV Incorrect : 0 IPCOMP CPI Mismatch : 0 IPSEC ESP Modulo : 0 Unexpected IPV6 Extensio: 0 Unexpected Protocol : 0 Dest Buf overflow : 0 IPSEC Pkt is fragment : 0 IPSEC Pkt src count : 0 Invalid IP Version : 0 Unwrappable : 0 SSL Output overrun : 0 SSL Decompress failure : 0 SSL BAD Decomp History : 0 SSL Version Mismatch : 0 SSL Input overrun : 0 SSL Conn Modulo : 0 SSL Input Underrun : 0 SSL 
Connection closed : 0 SSL Unrecognised content: 0 SSL record header length: 0 PPTP Duplicate packet : 0 PPTP Exceed max missed p: 0 RNG self test fail : 0 DF Bit set : 0 Hash Miscompare : 0 Unwrappable object : 0 Missing attribute : 0 Invalid attrribute value: 0 Bad Attribute : 0 Verification Fail : 0 Decrypt Failure : 0 Invalid Packet : 0 Invalid Key : 0 Input Overrun : 0 Input Underrun : 0 Output buffer overrun : 0 Bad handle value : 0 Invalid parameter : 0 Bad function code : 0 Out of handles : 0 Access denied : 0 Out of memory : 0 NR overflow : 0 pkts dropped : 0 Warnings: sessions_expired : 0 packets_fragmented : 0 general: : 0 HSP details: hsp_operations : 35231 hsp_sessions : 3 _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From p.mayers at imperial.ac.uk Wed Jan 7 10:57:02 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 07 Jan 2009 15:57:02 +0000 Subject: [c-nsp] IOS reliability In-Reply-To: <20090107145256.GA18768@kallisti.us> References: <1231323871.4231.0.camel@localhost.localdomain> <20090107111806.GG29801@lboro.ac.uk> <20090107145256.GA18768@kallisti.us> Message-ID: <4964D0CE.90005@imperial.ac.uk> Ross Vandegrift wrote: > On Wed, Jan 07, 2009 at 11:18:06AM +0000, A.L.M.Buxey at lboro.ac.uk wrote: >> ...and safeharbor is always a good option unless you cant use it (eg >> new a feature thats not in a safeharbor release!) > > Don't put too much stock on the "Safe Harbor" label. We have an > internal control to only run Safe Harbor code on our 6500s. I've seen > more crashes from the 12.2S train than any other IOS, probably by an > order of magnitude. > > Most of the crashes have been related to SNMP. For many MIBs, if you > poll an object at the same time it is changed/removed, there's a race > condition somewhere that kills IOS. 
It's really horrible - we're just > slowly whittling away at our SNMP view, losing management capabilites > to keep the damn things from falling over. > > According to TAC, these crashes are rare and hard to trigger. We've > done it twice in a lab and four times in production. On the upside, > if you don't use SNMP, you're probably golden! > I've never triggered a crash over SNMP on a 6500 12.2sx IOS, and we do some pretty extensive and aggressive MIB polling. What MIBs have you had problems with? In answer to the OPs question, I think it would be difficult to define an MTBF for IOS because it's going to be dependent on the features enabled and traffic patterns, but I generally observe 3 patterns of behaviour: 1. known-bad IOS versions e.g. SXF15, SXF2a/3, which have obvious crash-bugs that you can trivially trigger and find very quickly (in the lab, hopefully). 2. known-good IOS versions, which seem (for a given feature set and traffic pattern) to be more or less indestructible. SXF9, and SXF10 fitted the bill for us (MPLS L3 VPN, MVPN, >300 SVIs, >5000 ARP/FDB entries, multi-gigabit, IMIX traffic including default VRF exposed to the internet but protected via CoPP). 10x routers running SXF10 with this traffic mix run for >1 year, so I guess the MTBF is on the order of 10^5 hours. 3. buggy IOS versions which suddenly reach a threshold then "go bad". We ran into memory leak problems on SXF6 where a box which had been running for >1 year suddenly started dying as the number of SVIs or ARP/FDB entries got "too big". In short - if the version runs for >2 weeks with a representative config and traffic load, I make an assumption of MTBF >10^4 hours, and our experiences support this. 
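The device-hours reasoning in the reply above (ten routers, a year each, no crashes, so an MTBF "on the order of 10^5 hours") can be carried one step further into a confidence bound, which is the figure an SLA reviewer will actually ask for. What follows is an added example in Python, not code from this thread or from any Cisco tool; the FLEET data is constructed to mirror the cases mentioned (ten chassis on one release with a year of uptime and no crashes, two chassis on another release with one crash each), and the release strings are only labels on that constructed data.

```python
"""Estimate an IOS release's software MTBF from observed device-hours.

Added example, not code from the thread.  FLEET is constructed data shaped
like the cases discussed: ten chassis on one release with a year of uptime
and no unprovoked crashes, and two chassis on another release with one crash
each.  The release strings are just labels on that constructed data.
"""
import math

HOURS_PER_YEAR = 8760

# (device, release, observed uptime in hours, unprovoked software crashes)
FLEET = [("core-%02d" % i, "SXF10", HOURS_PER_YEAR, 0) for i in range(1, 11)]
FLEET += [("dist-01", "SXF6", 10000, 1), ("dist-02", "SXF6", 10000, 1)]


def exposure(fleet, release):
    """Total device-hours observed and crashes seen for one release."""
    hours = sum(h for _, r, h, _ in fleet if r == release)
    crashes = sum(c for _, r, _, c in fleet if r == release)
    return hours, crashes


def chi2_quantile_even(p, dof):
    """Quantile of the chi-square distribution for even dof, by bisection on
    the closed-form CDF  P(X <= x) = 1 - exp(-x/2) * sum_{k<n} (x/2)^k / k!,
    with n = dof / 2.  Even dof is all the MTBF bound needs."""
    if dof < 2 or dof % 2:
        raise ValueError("even degrees of freedom only")
    n = dof // 2

    def cdf(x):
        half, term, total = x / 2.0, 1.0, 0.0
        for k in range(n):
            total += term
            term *= half / (k + 1)
        return 1.0 - math.exp(-half) * total

    lo, hi = 0.0, 10.0 * dof + 100.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        lo, hi = (mid, hi) if cdf(mid) < p else (lo, mid)
    return (lo + hi) / 2.0


def mtbf_point_estimate(hours, crashes):
    """Device-hours per crash; infinite while nothing has crashed."""
    return math.inf if crashes == 0 else hours / crashes


def mtbf_lower_bound(hours, crashes, confidence=0.95):
    """One-sided lower confidence bound on MTBF for a constant crash rate:
    MTBF >= 2T / chi2(confidence, 2(r + 1)).  Finite even when r == 0, where
    it equals T / -ln(1 - confidence); that is the figure an SLA can cite."""
    return 2.0 * hours / chi2_quantile_even(confidence, 2 * (crashes + 1))


def crash_free_hours_for(target_mtbf, confidence=0.95):
    """Crash-free device-hours needed before the bound reaches target_mtbf."""
    return target_mtbf * -math.log(1.0 - confidence)


def availability(mtbf_hours, mttr_hours):
    """Steady-state availability from MTBF and time-to-restore (convergence)."""
    if math.isinf(mtbf_hours):
        return 1.0
    return mtbf_hours / (mtbf_hours + mttr_hours)


def report(fleet, release, mttr_hours):
    """Summarise one release; availability uses the bound, not the point estimate."""
    hours, crashes = exposure(fleet, release)
    lower = mtbf_lower_bound(hours, crashes)
    return {
        "device_hours": hours,
        "crashes": crashes,
        "mtbf_point": mtbf_point_estimate(hours, crashes),
        "mtbf_lower_95": lower,
        "availability_from_bound": availability(lower, mttr_hours),
    }


if __name__ == "__main__":
    for release in ("SXF10", "SXF6"):
        # 30 s of reconvergence as the constructed time-to-restore
        print(release, report(FLEET, release, mttr_hours=30 / 3600.0))
    print("crash-free device-hours needed to defend MTBF >= 1e4 at 95%%: %.0f"
          % crash_free_hours_for(1e4))
```

With zero crashes the point estimate is infinite, so the lower bound is the number to quote: 87,600 crash-free device-hours give an MTBF of at least about 29,000 hours at 95% confidence, while one chassis observed for two weeks (336 hours) supports only about 110 hours, so it is the fleet-wide exposure that carries a figure like 10^4. crash_free_hours_for() turns that around into how much uptime has to accumulate before a target can be defended, and the availability line combines the bound with the convergence time the thread already has measurements for.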
From lgeyer at gmail.com Wed Jan 7 11:05:48 2009 From: lgeyer at gmail.com (Laurent Geyer) Date: Wed, 7 Jan 2009 11:05:48 -0500 Subject: [c-nsp] IOS reliability In-Reply-To: <20090107145256.GA18768@kallisti.us> References: <1231323871.4231.0.camel@localhost.localdomain> <20090107111806.GG29801@lboro.ac.uk> <20090107145256.GA18768@kallisti.us> Message-ID: <39647f4d0901070805h72a99aaex5281f2c42ab95cd4@mail.gmail.com> On Wed, Jan 7, 2009 at 9:52 AM, Ross Vandegrift wrote: > On Wed, Jan 07, 2009 at 11:18:06AM +0000, A.L.M.Buxey at lboro.ac.uk wrote: > > Most of the crashes have been related to SNMP. For many MIBs, if you > poll an object at the same time it is changed/removed, there's a race > condition somewhere that kills IOS. It's really horrible - we're just > slowly whittling away at our SNMP view, losing management capabilites > to keep the damn things from falling over. > > According to TAC, these crashes are rare and hard to trigger. We've > done it twice in a lab and four times in production. On the upside, > if you don't use SNMP, you're probably golden! Interesting, haven't necessarily crashed a box with SNMP yet, but I've seen the collection process triggering 100% CPU utilization following a link state change. CPU utilization normalized after disabling, or rather disallowing SNMP access for a brief period. 
- Laurent From psirt at cisco.com Wed Jan 7 11:00:00 2009 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wed, 07 Jan 2009 17:00:00 +0100 Subject: [c-nsp] Cisco Security Advisory: Cisco Global Site Selector Appliances DNS Vulnerability Message-ID: <200901071701.gss@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco Global Site Selector Appliances DNS Vulnerability Advisory ID: cisco-sa-20090107-gss http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml Revision 1.0 For Public Release 2009 January 07 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= The Cisco Application Control Engine Global Site Selector (GSS) contains a vulnerability when processing specific Domain Name System (DNS) requests that may lead to a crash of the DNS service on the GSS. Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml Affected Products ================= All versions of GSS system software prior to 3.0(1) are affected by this vulnerability. If the GSS is configured with the optional Cisco Network Registrar (CNR) software, the device is not vulnerable. Vulnerable Products +------------------ The following GSS products are affected by this vulnerability: * Cisco GSS 4480 Global Site Selector * Cisco GSS 4490 Global Site Selector * Cisco GSS 4491 Global Site Selector * Cisco GSS 4492R Global Site Selector In order to determine the software that runs on a GSS device, users should log in to the device and issue the show version command to display the system software banner. The version is indicated on the line starting with Version. 
The following example shows a GSS that runs system software 2.0(1): gss.cisco.com#show version Global Site Selector (GSS) Model Number: GSS-4491-k9 Copyright (c) 1999-2007 by Cisco Systems, Inc. Version 2.0(1) Uptime: 19 Hours 18 Minutes and 14 seconds gss.cisco.com# In order to determine if CNR is enabled on the GSS device, users should log in to the device and issue the show running-config | grep cnr command to display the system CNR configuration. If CNR is enabled, cnr enable will be displayed in the output. If CNR is disabled, no cnr enable will be displayed. The following example shows a GSS that does not have CNR enabled: GSS.cisco.com#show running-config | grep cnr no cnr enable GSS.cisco.com# Products Confirmed Not Vulnerable +-------------------------------- The following products have been confirmed not vulnerable: * Cisco Global Site Selector using interaction with Cisco Network Registrar * Cisco Application Control Engine Module * Cisco Network Registrar * Cisco Content Services Switch (CSS) No other Cisco products are currently known to be affected by this vulnerability. Details ======= The Cisco GSS platform allows customers to leverage global content deployment across multiple distributed and mirrored data locations, optimizing site selection, improving Domain Name System (DNS) responsiveness, and ensuring data center availability. The GSS is inserted into the traditional DNS hierarchy and is closely integrated with the Cisco CSS, Cisco Content Switching Module (CSM), or third-party server load balancers (SLBs) to monitor the health and load of the SLBs in customers data centers. The GSS uses this information and user-specified routing algorithms to select the best-suited and least-loaded data center in real time. A vulnerability exists in the GSS when processing a specific sequence of DNS requests. An exploit of the vulnerability may result in a crash of the DNS service on the GSS. 
When the DNS server crashes, an error message will appear in the logs similar to the following example: Dec 18 04:47:21 gss NMR-6-LAUNCHSVR_EXIT[27261] dnsserver' has exited [ExitUnknown(139)]" This vulnerability is documented in Cisco Bug ID: CSCsj70093 This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3819. Vulnerability Scoring Details ============================== Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsj70093: GSS DNS service may crash when processing specific DNS requests. CVSS Base Score - 7.8 Access Vector : Network Access Complexity : Low Authentication : None Confidentiality Impact: None Integrity Impact : None Availability Impact : Complete CVSS Temporal Score - 6.4 Exploitability : Functional Remediation Level : Official-Fix Report Confidence : Confirmed Impact ====== Successful exploitation of the vulnerability may result in a crash of the GSS DNS service. Repeated exploitation may result in a sustained denial of service (DoS) attack. 
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

+---------------------------------------+
| GSS     | First Fixed   | Recommended |
| Major   | Release       | Release     |
| Version |               |             |
|---------+---------------+-------------|
|         | Vulnerable;   |             |
| 1.x(y)  | Migrate to    | 3.0(2)      |
|         | 3.0(1) or     |             |
|         | later         |             |
|---------+---------------+-------------|
|         | Vulnerable;   |             |
| 2.x(y)  | Migrate to    | 3.0(2)      |
|         | 3.0(1) or     |             |
|         | later         |             |
|---------+---------------+-------------|
| 3.x(y)  | Not           |             |
|         | Vulnerable    |             |
+---------------------------------------+

GSS fixed system software is available for download from http://www.cisco.com/cgi-bin/tablebuild.pl/gss-3des?psrtdcat20e2

Workarounds
===========

A workaround for this vulnerability includes setting the property "ServerConfig.dnsserver.returnError" to disabled (or zero). The following example shows how to set the property to disabled. It is enabled by default:

GSS#config terminal
GSS(config)#$sserver.returnError 0
GSS(config)#property set ServerConfig.dnsserver.returnError 0
GSS(config)#exit
GSS#write memory

Note: Negative responses (NXDOMAIN and NODATA) will not be sent out by the GSS with this setting disabled. Also, by using the DNS server statistics (show statistics dns global), it will not be possible to differentiate between the NXDOMAIN or NODATA mismatches because both of these will increment the DNSQueriesUnmatched counter.
Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. 
Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is aware of active exploitations where malicious use of the vulnerability described in this advisory has occurred. This vulnerability was discovered by investigating customer TAC service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. 
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-January-07 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. 
All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAklk0GkACgkQ86n/Gc8U/uC6pgCcCgB77Z4FQULx2eaebHFGykP5 9f4AoIpdxXVA12D+KcCAxNZphQk/ICNc =YvIZ -----END PGP SIGNATURE----- From ross at kallisti.us Wed Jan 7 11:45:45 2009 From: ross at kallisti.us (Ross Vandegrift) Date: Wed, 7 Jan 2009 11:45:45 -0500 Subject: [c-nsp] IOS reliability In-Reply-To: <4964D0CE.90005@imperial.ac.uk> References: <1231323871.4231.0.camel@localhost.localdomain> <20090107111806.GG29801@lboro.ac.uk> <20090107145256.GA18768@kallisti.us> <4964D0CE.90005@imperial.ac.uk> Message-ID: <20090107164545.GB19396@kallisti.us> On Wed, Jan 07, 2009 at 03:57:02PM +0000, Phil Mayers wrote: > What MIBs have you had problems with? The two that have bitten us in multiple places, with different configs, are the OSPF Link-State DB in the OSPF-MIB, and Real/Vserver data from the SLB-MIB. Both of these things can obviously change unexpectedly during polls. I believe that I've seen the high CPU issue Laurent mentioned, but it's hard to say, because it's on a pair of switches that have a generally elevated CPU - tough to be sure if it was the same. Ross -- Ross Vandegrift ross at kallisti.us "If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie From asturluismi at gmail.com Wed Jan 7 12:53:44 2009 From: asturluismi at gmail.com (luismi) Date: Wed, 07 Jan 2009 18:53:44 +0100 Subject: [c-nsp] Feedback requested about experiences with Easynet as provider Message-ID: <1231350824.7217.5.camel@dsba-ipso> Hi all, Well, first of all, sorry if this not the correct place to ask the next question -IMHO I think is the best places to look for a professional answer-: is there anyone here with experiences with EasyNet as service provider? 
We are thinking on contract a new leased line (100mb) and I would like to know how is EasyNet, specially under critical situations like outages, time to answer properly to technical questions.... and stuff like that. Regarding Easynet, positive and negative comments are welcome. From streiner at cluebyfour.org Wed Jan 7 13:43:48 2009 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 7 Jan 2009 13:43:48 -0500 (EST) Subject: [c-nsp] Feedback requested about experiences with Easynet as provider In-Reply-To: <1231350824.7217.5.camel@dsba-ipso> References: <1231350824.7217.5.camel@dsba-ipso> Message-ID: On Wed, 7 Jan 2009, luismi wrote: > Well, first of all, sorry if this not the correct place to ask the next > question -IMHO I think is the best places to look for a professional > answer-: is there anyone here with experiences with EasyNet as service > provider? > > We are thinking on contract a new leased line (100mb) and I would like > to know how is EasyNet, specially under critical situations like > outages, time to answer properly to technical questions.... and stuff > like that. You may have better luck getting the answers you seek in other forms, such as NANOG, or various web forums. jms From ptimmins at clearrate.com Wed Jan 7 14:09:14 2009 From: ptimmins at clearrate.com (Paul G. Timmins) Date: Wed, 7 Jan 2009 14:09:14 -0500 Subject: [c-nsp] Backing up a 15454 over TL1 - Database Is Busy Message-ID: I have a ONS that I am backing up over TL1. If I run the program I wrote to handle the TL1 manually, it works after a couple of tries. If I connect in directly and type the commands, it runs properly almost every time. Running from cron, I always get an error about the database being busy. Anyone here ever done this before? Have any pointers? -----Original Message----- WARNING Only authorized persons may use this system for legal and proper purposes as determined solely by Clear Rate. By using this system, you consent to monitoring. 
> ACT-USER::monitoring:A286::*********************;

   XXXXXXXXX-CR-ONS1 2009-01-07 19:00:01
M  A286 COMPLD
   "monitoring:2009-01-07 17-00-02,0"
;

   XXXXXXXXX-CR-ONS1 2009-01-07 19:00:01
A  0 REPT EVT SESSION
   "XXXXXXXXXX-CR-ONS1:NO,"
   /* TL1 Agent Copyright (c) 1999-2007 Cisco Systems, Inc.
   WARNING
   Only authorized persons may use this system for legal and proper purposes as determined solely by Clear Rate. By using this system, you consent to monitoring.
   User monitoring logged in from x.x.x.x */
;

End of login

COPY-RFILE::RFILE-DB:A998::TYPE=RFBU,DEST="FTP://redactedurlcontainingusernameandpassword/ons1-backup.pkg";

Config Downloaded

CANC-USER::monitoring:A595;

   XXXXXX-CR-ONS1 2009-01-07 19:00:01
M  A998 DENY
   SROF
   /* Database Is Busy */
;

Logged out

From masood at nexlinx.net.pk Wed Jan 7 15:08:40 2009
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Thu, 8 Jan 2009 01:08:40 +0500
Subject: [c-nsp] JUNOS funny or bad poetry
Message-ID: <094001c97103$bf36f3e0$3da4dba0$@net.pk>

JUNOS guys promise they would not make it boring! If you don't want to configure something on JUNOS, spend some time with JUNOS haiku.

http://weblogs.com.pk/jahil/archive/2009/01/07/juniper-junos-funny-poetry.aspx

From kloch at kl.net Wed Jan 7 15:29:23 2009
From: kloch at kl.net (Kevin Loch)
Date: Wed, 07 Jan 2009 15:29:23 -0500
Subject: [c-nsp] IOS reliability
In-Reply-To: <1231323871.4231.0.camel@localhost.localdomain>
References: <1231323871.4231.0.camel@localhost.localdomain>
Message-ID: <496510A3.1010803@kl.net>

Peter Rathlev wrote:
>
> We're mostly running C6k with 12.2SXF and 7200 with 12.4 main, and I
> know it's very complicated to give some figures, but do any of you know
> of any studies regarding IOS stability in general?

It's a lot like the reliability of hard drives. If it runs for three weeks it will probably run for three years.
- Kevin

From mbowe at pipeline.com.au Wed Jan 7 18:57:00 2009
From: mbowe at pipeline.com.au (Michael Bowe)
Date: Thu, 8 Jan 2009 10:57:00 +1100
Subject: [c-nsp] PPPoE Mid-session Shaping/Policing
References:
Message-ID:

> Date: Wed, 7 Jan 2009 14:49:18 +1100
> From: "Patrick Wu"
> I have a L2TP/PPPoE setup in a 7206VXR and is working fine. What I now want
> to do is to implement dynamic shaping/policing on the PPPoE services. ie, I
> would like to shape/police a PPPoE service without disconnecting the
> session.
>
> I believe this can be implemented using RADIUS attributes? But not sure how
> it is done exactly if it is possible at all. I'm already using RADIUS
> attributes to shape/police PPPoE sessions when they login initially, I now
> need to change the shaper/policer rate mid-session without disconnecting.

On our systems we need to slow the user to 64/64 once they have exceeded their monthly download limit. We have separate peak and off-peak time periods so you sometimes need to toggle the user's speed a couple of times per day. Kicking the session to apply the new limit is no good, that makes for unhappy customers.

It took a lot of reading, but in the end I got a working solution based on:

* 12.2SB IOS
* ISG ( http://www.cisco.com/en/US/docs/ios/12_2sb/isg/configuration/guide/isg_c.html )
* RADIUS CoA ( http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcoa3.html )

Be warned the ISG doco is pretty painful. It took me a long time to get a good understanding of how all the pieces fit into the puzzle. Once it was up and running though, it's been working very well.

Michael.
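Michael's solution hinges on RADIUS CoA (RFC 5176). As an added example that is not part of the thread, nor Cisco or ISG code, the Python below encodes a CoA-Request carrying Cisco AVPairs and verifies the Request and Response Authenticators the way a NAS and CoA client do, which is what lets a NAS reject a CoA packet that was forged or altered in flight. The shared secret, session id and the subscriber:command / service-name strings are constructed placeholders; the exact ISG AVPair syntax is assumed, not taken from the post.

```python
"""Added example: RADIUS CoA packet encoding and authenticator checks per RFC 5176."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45     # RFC 5176 packet codes
ATTR_ACCT_SESSION_ID = 44                       # identifies the session to change
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9                             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                                # vendor-type of cisco-avpair


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type/Length/Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a cisco-avpair string in a Vendor-Specific (26) attribute."""
    body = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(body) + 2) + body
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def parse_attributes(blob):
    """Split a TLV blob into (type, value) pairs, rejecting truncated or zero-length TLVs."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", blob[pos:pos + 2])
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out


def cisco_avpairs(blob):
    """Return the cisco-avpair strings in a TLV blob; other attributes are ignored."""
    pairs = []
    for attr_type, value in parse_attributes(blob):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if int.from_bytes(value[:4], "big") != CISCO_VENDOR_ID or value[4] != CISCO_AVPAIR:
            continue
        pairs.append(value[6:4 + value[5]].decode("ascii"))   # value[5] = vendor-length
    return pairs


def build_coa_request(identifier, attributes, secret):
    """CoA-Request: Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + auth + attributes


def verify_coa_request(packet, secret):
    """What the NAS checks before acting: code, declared length, Request Authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(code, request, attributes, secret):
    """CoA-ACK/NAK: Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    auth = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + auth + attributes


def verify_coa_response(response, request, secret):
    """The CoA client keeps its request to bind the reply to it (same ID, its authenticator)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed sample exchange: secret, session id and AVPair text are placeholders;
# the precise ISG command syntax is assumed, not quoted from the thread.
SECRET = b"example-shared-secret"
SAMPLE_ATTRS = (attribute(ATTR_ACCT_SESSION_ID, b"00000123")
                + cisco_avpair("subscriber:command=activate-service")
                + cisco_avpair("subscriber:service-name=RATE-64K"))
SAMPLE_REQUEST = build_coa_request(7, SAMPLE_ATTRS, SECRET)
SAMPLE_ACK = build_coa_response(COA_ACK, SAMPLE_REQUEST, b"", SECRET)

if __name__ == "__main__":
    print("request valid:", verify_coa_request(SAMPLE_REQUEST, SECRET))
    print("ack valid:", verify_coa_response(SAMPLE_ACK, SAMPLE_REQUEST, SECRET))
    print("avpairs:", cisco_avpairs(SAMPLE_REQUEST[20:]))
```

The MD5 authenticator only proves knowledge of the shared secret; RFC 5176 also lets both sides require a Message-Authenticator (HMAC-MD5, attribute 80), which this example omits.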
From justin at justinshore.com Wed Jan 7 22:23:33 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 07 Jan 2009 21:23:33 -0600
Subject: [c-nsp] IOS Initial setup function & DHCP
Message-ID: <496571B5.304@justinshore.com>

Can any Cisco people tell me if when a router or switch (router in this case) is at the initial setup prompt after the very first power-on if the router enables DHCP on its interfaces? I believe I had a brand-new 7201 running a 12.4T attempt a DHCP DISCOVER while it was at the initial setup yes/no prompt. All interfaces were up by default until I said 'no' to the prompt at which time all interfaces were shutdown. Can anyone tell me if an IOS device will attempt to use DHCP during the 'setup' process?

The reason I ask would take too long for me to explain tonight. If I'm right though it kicked a configuration problem in just the right spot to set off a major multi-hour outage for us.

Thanks
Justin

From willay at gmail.com Thu Jan 8 04:02:55 2009
From: willay at gmail.com (William)
Date: Thu, 8 Jan 2009 09:02:55 +0000
Subject: [c-nsp] Feedback requested about experiences with Easynet as provider
In-Reply-To: <1231350824.7217.5.camel@dsba-ipso>
References: <1231350824.7217.5.camel@dsba-ipso>
Message-ID:

Fantastic experience with Easynet, with a proper SLA they keep you well informed and the support desk is very friendly, helpful and full of information. Most of my experience has been with their ADSL products and EtherStream, I'd recommend them any time.

2009/1/7 luismi :
> Hi all,
>
> Well, first of all, sorry if this is not the correct place to ask the next
> question -IMHO I think it is the best place to look for a professional
> answer-: is there anyone here with experiences with EasyNet as service
> provider?
>
> We are thinking of contracting a new leased line (100mb) and I would like
> to know how EasyNet is, especially under critical situations like
> outages, time to answer properly to technical questions.... and stuff
> like that.
>
> Regarding Easynet, positive and negative comments are welcome.
>
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From gert at greenie.muc.de Thu Jan 8 04:12:28 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 8 Jan 2009 10:12:28 +0100
Subject: [c-nsp] IOS Initial setup function & DHCP
In-Reply-To: <496571B5.304@justinshore.com>
References: <496571B5.304@justinshore.com>
Message-ID: <20090108091228.GF104@greenie.muc.de>

Hi,

On Wed, Jan 07, 2009 at 09:23:33PM -0600, Justin Shore wrote:
> Can any Cisco people tell me if when a router or switch (router in this
> case) is at the initial setup prompt after the very first power-on if
> the router enables DHCP on its interfaces? I believe I had a brand-new

I can't answer this for the general case, but I do know that routers have been doing SLARP on serial lines to acquire IP addresses "since ever"...

Given that the most current IOS versions tend to have web-based config on-by-default, it wouldn't surprise me to see DHCP requests.

But for a definite answer, I'd just sniff the packets on the router's ethernet ports while booting...

> The reason I ask would take too long for me to explain tonight. If I'm
> right though it kicked a configuration problem in just the right spot to
> set off a major multi-hour outage for us.

Ouch.

gert

--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de
From td_miles at yahoo.com Thu Jan 8 05:02:36 2009
From: td_miles at yahoo.com (Tony)
Date: Thu, 8 Jan 2009 02:02:36 -0800 (PST)
Subject: [c-nsp] IOS Initial setup function & DHCP
In-Reply-To: <496571B5.304@justinshore.com>
Message-ID: <713835.5754.qm@web110107.mail.gq1.yahoo.com>

I don't have any personal experience, this is just reading the doco.

This guide references "autoinstall" in section 6 "configure the router":
http://www.cisco.com/en/US/docs/routers/7200/install_and_upgrade/7201_quick_start/11363q.html

This next doc gives more info on the "autoinstall" process:
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config_overview_ps6350_TSD_Products_Configuration_Guide_Chapter.html

including the pre-requisite: "A DHCP server is available on the network to provide IP addresses to networking devices that are using AutoInstall over a LAN connection."

Given the above, I'd say it's highly likely that your shiny new 7201 did issue a DHCP request when it was booted up :(

regards,
Tony.

--- On Thu, 8/1/09, Justin Shore wrote:

> From: Justin Shore
> Subject: [c-nsp] IOS Initial setup function & DHCP
> To: "'Cisco-nsp'"
> Date: Thursday, 8 January, 2009, 2:23 PM
> Can any Cisco people tell me if when a router or switch
> (router in this case) is at the initial setup prompt after
> the very first power-on if the router enables DHCP on
> its interfaces? I believe I had a brand-new 7201
> running a 12.4T attempt a DHCP DISCOVER while it was at the
> initial setup yes/no prompt. All interfaces were up by
> default until I said 'no' to the prompt at which
> time all interfaces were shutdown. Can anyone tell me if an
> IOS device will attempt to use DHCP during the
> 'setup' process?
>
> The reason I ask would take too long for me to explain
> tonight.
> If I'm right though it kicked a configuration
> problem in just the right spot to set off a major multi-hour
> outage for us.
>
> Thanks
> Justin

From vinzoda.hitesh at gmail.com Thu Jan 8 06:18:37 2009
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Thu, 8 Jan 2009 16:48:37 +0530
Subject: [c-nsp] VLAN 1 through routed ports
Message-ID:

Can vlan 1 pass through routed ports.... between layer 3 switches. ..??

From gert at greenie.muc.de Thu Jan 8 06:37:01 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 8 Jan 2009 12:37:01 +0100
Subject: [c-nsp] VLAN 1 through routed ports
In-Reply-To:
References:
Message-ID: <20090108113701.GG104@greenie.muc.de>

Hi,

On Thu, Jan 08, 2009 at 04:48:37PM +0530, Hitesh Vinzoda wrote:
> Can vlan 1 pass through routed ports.... between layer 3 switches. ..??

By definition a VLAN (which is a L2 thing) can't pass through routed ports.

If you need that, you need to set up some sort of bridging-over-L3, either with EoMPLS or L2TPv3.

gert

--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From vinzoda.hitesh at gmail.com Thu Jan 8 08:46:19 2009
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Thu, 8 Jan 2009 19:16:19 +0530
Subject: [c-nsp] VLAN 1 through routed ports
In-Reply-To: <20090108113701.GG104@greenie.muc.de>
References: <20090108113701.GG104@greenie.muc.de>
Message-ID:

I'm having an old setup of two 6509s connected together by means of routed ports. On one of the 6509s I have vlan 1 with a user subnet configured on it along with DHCP. Now when I connect anything on vlan 1 on the 2nd 6509, the desktop is leased with the IP of vlan 1 configured on 6509-1. Any idea why I'm getting an IP leased through DHCP?
Note: no helper commands are used on vlan 1 of 6509-2 and no ip address exists on SVI vlan 1.

Regards

On Thu, Jan 8, 2009 at 5:07 PM, Gert Doering wrote:
> Hi,
>
> On Thu, Jan 08, 2009 at 04:48:37PM +0530, Hitesh Vinzoda wrote:
> > Can vlan 1 pass through routed ports.... between layer 3 switches. ..??
>
> By definition a VLAN (which is a L2 thing) can't pass through routed ports.
>
> If you need that, you need to set up some sort of bridging-over-L3, either
> with EoMPLS or L2TPv3.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
> Gert Doering - Munich, Germany   gert at greenie.muc.de
> fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de
>

From gert at greenie.muc.de Thu Jan 8 09:00:19 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 8 Jan 2009 15:00:19 +0100
Subject: [c-nsp] VLAN 1 through routed ports
In-Reply-To:
References: <20090108113701.GG104@greenie.muc.de>
Message-ID: <20090108140019.GJ104@greenie.muc.de>

Hi,

On Thu, Jan 08, 2009 at 07:16:19PM +0530, Hitesh Vinzoda wrote:
> I'm having an old setup of two 6509s connected together by means of routed ports.
> On one of the 6509s I have vlan 1 with a user subnet configured on it along
> with DHCP. Now when I connect anything on vlan 1 on the 2nd 6509, the desktop is
> leased with the IP of vlan 1 configured on 6509-1. Any idea why I'm getting
> an IP leased through DHCP?
>
> Note: no helper commands are used on vlan 1 of 6509-2 and no ip address
> exists on SVI vlan 1.

Could be a trunk port between those 6509s.

Check with "show mac-address vlan 1" or "show spanning-tree vlan 1" on which ports vlan 1 is active where it shouldn't be.

gert

--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de
From justin at justinshore.com Thu Jan 8 12:22:29 2009
From: justin at justinshore.com (Justin Shore)
Date: Thu, 08 Jan 2009 11:22:29 -0600
Subject: [c-nsp] VLAN 1 through routed ports
In-Reply-To: <20090108140019.GJ104@greenie.muc.de>
References: <20090108113701.GG104@greenie.muc.de> <20090108140019.GJ104@greenie.muc.de>
Message-ID: <49663655.80701@justinshore.com>

Gert Doering wrote:
> Hi,
>
> On Thu, Jan 08, 2009 at 07:16:19PM +0530, Hitesh Vinzoda wrote:
>> I'm having an old setup of two 6509s connected together by means of routed ports.
>> On one of the 6509s I have vlan 1 with a user subnet configured on it along
>> with DHCP. Now when I connect anything on vlan 1 on the 2nd 6509, the desktop is
>> leased with the IP of vlan 1 configured on 6509-1. Any idea why I'm getting
>> an IP leased through DHCP?
>>
>> Note: no helper commands are used on vlan 1 of 6509-2 and no ip address
>> exists on SVI vlan 1.
>
> Could be a trunk port between those 6509s.
>
> Check with "show mac-address vlan 1" or "show spanning-tree vlan 1" on
> which ports vlan 1 is active where it shouldn't be.

And by all means DO NOT USE VLAN 1. That's what bit me in the ass last night. An unconfigured 7600 LAN port with switchport, mode access and no access vlan defined was a piece in the puzzle of the cluster that was my evening last night. VLAN 1 is evil and anyone that uses it intentionally is a fool.

On a related side note, can VLAN 1 be disabled? If the state is set to suspended or the vlan is 'shutdown' in vlan sub-config mode, would that actually shutdown VLAN 1? If a default config access-mode switchport in VLAN by default receives a packet, does it drop it? I'm looking for ways to prevent what happened last night and since I can't remove VLAN 1 from the trunk ports in question I'd like to figure out how to disable the VLAN.
The other option would be to change the VLAN used by default for the access VLAN when one isn't configured on a port. Is there a config option for that?

Thanks
Justin

From peter at rathlev.dk Thu Jan 8 14:04:28 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 08 Jan 2009 20:04:28 +0100
Subject: [c-nsp] IOS reliability
In-Reply-To:
References: <1231323871.4231.0.camel@localhost.localdomain>
Message-ID: <1231441468.3501.15.camel@localhost.localdomain>

Thank you all for the input. Especially Gary who wrote off list:

> IOS reliability, as for most software, depends to a large extent on
> how often one exercises those parts of the software that simply are
> less used and tested. I have never run into problems with any IOS for
> the simple case of forwarding packets.
> Add in a routing protocol, or complex prioritization and queueing, or
> packet modification(s), (or Appletalk or IPX!), and one will be using
> code paths that may be less common, and more likely to have bugs or
> side effects.

I think it is a very good argument and will include it in our descriptions.

> I have never seen a list of the IOS features that indicate how many
> customers are using them, and therefore how extensively tested those
> code paths are "in the real world", and the matrix of those features
> (customer uses CoPP + MQC + ISIS, etc), and what the MTBF numbers are.
> I doubt anyone has that info.

That's too bad. I guess some data mining in all the TAC cases could give some idea about the maturity of features / feature combinations.

> In other words, my guess is is that you are on your own. (Are you
> happier now?)

Very much so. :-)

Thanks!
Regards,
Peter

From justin at justinshore.com Thu Jan 8 14:24:48 2009
From: justin at justinshore.com (Justin Shore)
Date: Thu, 08 Jan 2009 13:24:48 -0600
Subject: [c-nsp] IOS Initial setup function & DHCP
In-Reply-To: <20090108091228.GF104@greenie.muc.de>
References: <496571B5.304@justinshore.com> <20090108091228.GF104@greenie.muc.de>
Message-ID: <49665300.3070200@justinshore.com>

Gert Doering wrote:
>> set off a major multi-hour outage for us.
>
> Ouch.

Definitely. To be clear, it wasn't the fault of the 7201. It just did something at a point where I didn't think it would do anything.

The problem as it turns out is partly due to what I alluded to earlier: VLAN 1. I connected the 7201 to an interface on each of our 7600s. I rigged up the console port so I could get into it remotely and work on it from home. One of the ports was shut. The other port was unshut and had previously been used to stage a CMTS. I had removed the access vlan from that port so all it had was switchport and mode access. That put the int in VLAN 1. I never use VLAN 1. On devices that create a VLAN 1 SVI I also shut it and label it with "DO NOT USE". I never gave it a second thought when I plugged in that router though. I expected all its interfaces to be down; I didn't anticipate some autoinstall process to run DHCP. Even if it did do that and I expected it I wouldn't have thought it would be a problem.

The 7600s are connected via a trunk with no VLAN restrictions. In each 7600 is a SSC-400 with a 2G IPSec SPA. A VPN SPA essentially. It's running in VRF mode. I talked about this on the list once before. A Cisco AS SME came out to help with the initial config of the SPA and other special SMs in the 7600s. He configured a list of VLANs on both virtual interfaces of the SPAs. One int is the encrypted outside and the other int is the unencrypted inside. The 2 ints configure like 1Q trunks with allowed VLANs. He configured them manually but as it turns out in VRF Mode they are self-configuring.
His major goof was that he configured the same VLANs on both virtual interfaces. Packets were recirculated by the IPSec SPA as fast as it could process them. That didn't hurt the chassis per se. It created a lot of packet loss on client VPN sessions but the RP didn't get hit so I never noticed it. Then one day I turned up a new SVI with HSRP configured that happened to be in that list of VLANs. As soon as I did that the CPU went to 100% and the RP got bogged down. It ultimately crashed the RP. I did a packet capture of the IPSec SPA ints during that time and was getting close to 1m pps of the same HSRP hello packet. The RP has to process those which is what killed the RP. We removed all the crypto config, rebooted and put it all back in there w/o modifying the 2 virtual interfaces and that fixed the problem.

Last night's problem stemmed from that initial fix. When the IOS configures the 2 IPSec SPA virtual ints in VRF Mode it also includes some default VLANs, namely 1002-1005 and 1. It includes those VLANs on both virtual interfaces. Why, I'm not sure. You shouldn't ever have the same VLANs on both ints at the same time. 1002-1005 doesn't matter; few people will run into those being used today. VLAN 1 is a problem though. While I didn't intend to use VLAN 1 it got used nonetheless. The DHCP DISCOVER from the new 7201 I connected is the packet that was being recirculated indefinitely by the VPN SPAs. Each 7600 thought that the source MAC on the DHCP packet belonged to the other 7600, punted the packet across the trunk which was flooded out all ports associated with VLAN 1 on that 7600 which included both sides of the SPA. Rinse and repeat. The port-channel between the 7600s was overwhelmed as a result and had massive output drops on both sides. The default config presents a fairly easy way to cause this problem.
My questions for the Cisco.com people lurking on c-nsp are:

1) is there any technical reason why VLAN 1 should be allowed on the IPSec SPA at all or at least on both virtual interfaces?
2) is there any way to remove VLAN 1 from the virtual interfaces without pissing off the IOS process that auto-configures those 2 interfaces?

#2 worries me. Our TAC engineer told us that if we alter the virtual ints' config at all that the auto-config process would break. I can't think of any reason why VLAN 1 should be allowed on the IPSec SPA at all. I definitely can't think of any reason why it should be allowed on both virtual interfaces. That's just setting the system up for failure.

So that's what happened last night. We were down for 2 full hours. The packet loss caused the firewalls in front of our class5 phone switch to freak out and fight over who was the master (dropping keepalive packets and each thought the other was dead). It did the same thing to the FWSMs in the 7600s. The outage took out almost all voice for the entire telco.

Any suggestions on how to fix this? I won't leave a switchport at the default of VLAN 1 again but that's a minor thing that set off a config problem. How do I address the misconfiguration that the auto-config does on the IPSec SPA ports?

Thanks to Gert and Tony for replying earlier.

Justin

From ecables at gmail.com Thu Jan 8 16:52:50 2009
From: ecables at gmail.com (Eric Cables)
Date: Thu, 8 Jan 2009 13:52:50 -0800
Subject: [c-nsp] Procurve DHCP relay question
Message-ID:

I'm in the middle of a transition from HP -> Cisco, with an HP 2848 as the "core", so sorry if this e-mail is off topic. I am having a hard time getting DHCP relay to work, and was hoping someone with HP experience could chime in with some assistance.

I've created a new VLAN, and have specified a helper-address to point to a DHCP server that manages dozens of scopes.
The new VLAN functions fine, assuming users are given a static address, but DHCP does not appear to work at all.

To troubleshoot I pointed the helper-address to a system with Wireshark, but I don't see any requests coming in when a user on the new VLAN requests a new DHCP address, indicating that the request is not being forwarded properly. Is there any debugging available on the procurve to troubleshoot this further?

I've read a number of documents describing how to configure DHCP relay on a procurve, and as far as I can tell the recommendations match my configuration.

Here are the features enabled on the 2848:
- 'ip routing' is enabled
- 'dhcp-relay' does not show in a 'show run', indicating it is enabled (the default)
- A 'ip helper-address x.x.x.x' statement is configured on the VLAN interface
- There is a route back to the destination helper-address
- Connectivity works on the VLAN in question, assuming users are statically configured

Any advice would be appreciated..

--
Eric Cables

From td_miles at yahoo.com Thu Jan 8 18:18:01 2009
From: td_miles at yahoo.com (Tony)
Date: Thu, 8 Jan 2009 15:18:01 -0800 (PST)
Subject: [c-nsp] VLAN 1 through routed ports
In-Reply-To: <49663655.80701@justinshore.com>
Message-ID: <233557.32745.qm@web110106.mail.gq1.yahoo.com>

--- On Fri, 9/1/09, Justin Shore wrote:
>
> On a related side note, can VLAN 1 be disabled? If the
> state is set to suspended or the vlan is 'shutdown'
> in vlan sub-config mode, would that actually shutdown VLAN
> 1? If a default config access-mode switchport in VLAN by
> default receives a packet, does it drop it? I'm looking
> for ways to prevent what happened last night and since I
> can't remove VLAN 1 from the trunk ports in question
> I'd like to figure out how to disable the VLAN. The
> other option would be to change the VLAN used by default for
> the access VLAN when one isn't configured on a port. Is
> there a config option for that?
>

You can configure the default vlan to something else using the "switchport trunk native vlan" command:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html#wp1034721

You might also consider whether the command "vlan dot1q tag native" is appropriate in the circumstances? It can be enabled globally and disabled on a per interface basis if required.

"The vlan dot1q tag native command is a global command that configures the switch to tag native VLAN traffic, and admit only 802.1Q tagged frames on 802.1Q trunks, dropping any untagged traffic, including untagged traffic in the native VLAN."
http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/dot1qtnl.html#wp1006255

From the description it appears that it will drop any untagged VLAN ingress traffic. Whether this helps or not depends whether traffic in VLAN-1 is tagged or untagged. Assuming it's the default VLAN on your new piece of equipment then I "think" it will be untagged.

Again, this is all theoretical from my PoV. If the above doesn't help, perhaps it will at least point you in the right direction.

regards,
Tony.

From chunt at reachone.com Thu Jan 8 21:09:07 2009
From: chunt at reachone.com (Christopher Hunt)
Date: Thu, 08 Jan 2009 18:09:07 -0800
Subject: [c-nsp] multilink ppp stays up but stops responding when any link is dropped
Message-ID: <4966B1C3.6020102@reachone.com>

Does anyone understand why the far end of a Multilink interface would stay up but stop responding to a ping _for_approx_60_secs_ when any of the individual T1 interfaces in the bundle go down? The near end, the Multi2 interface on the 7200, continues to respond to a ping the entire time. The output of "sh int multi2" indicates that packets are flowing out and IN but I'm not able to ping several hosts (all I tried) at the far end.

Here's a sanitized copy of the config which hasn't changed recently.

!!!7200!!!!
interface Serial2/6:0
 ip vrf forwarding TestCust
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 2
!
interface Serial2/7:0
 ip vrf forwarding TestCust
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 2
interface Multilink2
 ip vrf forwarding TestCust
 ip address 10.10.12.1 255.255.255.252
 ppp multilink
 ppp multilink group 2
 service-policy input IN-POLICY01
 service-policy output OUT-POLICY-10M

rtr1#sh int multi2
Multilink2 is up, line protocol is up
  Hardware is multilink group interface
  Internet address is 10.10.12.1/30
  MTU 1500 bytes, BW 1536 Kbit, DLY 100000 usec,
     reliability 255/255, txload 9/255, rxload 6/255
  Encapsulation PPP, LCP Open, multilink Open
  Open: IPCP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 2 seconds on reset

!!!!2800!!!!

interface Multilink1
 bandwidth 3072
 ip address 10.10.12.2 255.255.255.252
 ip nbar protocol-discovery
 no cdp enable
 ppp multilink
 ppp multilink group 1
 service-policy output 2T1_VOIP_Policy
!
interface Serial0/0/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1

Thanks a bunch...

--
Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com

From steve at ibctech.ca Thu Jan 8 20:13:38 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 08 Jan 2009 20:13:38 -0500
Subject: [c-nsp] Procurve DHCP relay question
In-Reply-To:
References:
Message-ID: <4966A4C2.2070909@ibctech.ca>

Eric Cables wrote:
> I'm in the middle of a transition from HP -> Cisco, with an HP 2848 as the
> "core", so sorry if this e-mail is off topic. I am having a hard time
> getting DHCP relay to work, and was hoping someone with HP experience could
> chime in with some assistance.
>
> I've created a new VLAN, and have specified a helper-address to point to a
> DHCP server that manages dozens of scopes.
> The new VLAN functions fine,
> assuming users are given a static address, but DHCP does not appear to work
> at all.
>
> To troubleshoot I pointed the helper-address to a system with Wireshark, but
> I don't see any requests coming in when a user on the new VLAN requests a
> new DHCP address, indicating that the request is not being forwarded
> properly. Is there any debugging available on the procurve to troubleshoot
> this further?
>
> I've read a number of documents describing how to configure DHCP relay on a
> procurve, and as far as I can tell the recommendations match my
> configuration.
>
> Here are the features enabled on the 2848:
> - 'ip routing' is enabled
> - 'dhcp-relay' does not show in a 'show run', indicating it is enabled (the
> default)
> - A 'ip helper-address x.x.x.x' statement is configured on the VLAN
> interface
> - There is a route back to the destination helper-address
> - Connectivity works on the VLAN in question, assuming users are statically
> configured

I've got a 'J4904A' HP ProCurve 2848 that I can do some quick testing with...

Can you provide a 'sh run' from both units? Also specify what type of Cisco you are running, and its version.

Is this simply a replacement of a switch you are trying to achieve?

Steve

From engel.labiro at gmail.com Fri Jan 9 05:33:09 2009
From: engel.labiro at gmail.com (Engelhard Labiro)
Date: Fri, 9 Jan 2009 19:33:09 +0900
Subject: [c-nsp] Fwd: VLAN 1 through routed ports
In-Reply-To: <74b0c3330901090230s2b4fea51w2fc9cfa61ea5433@mail.gmail.com>
References: <20090108113701.GG104@greenie.muc.de> <20090108140019.GJ104@greenie.muc.de> <49663655.80701@justinshore.com> <74b0c3330901090230s2b4fea51w2fc9cfa61ea5433@mail.gmail.com>
Message-ID: <74b0c3330901090233x66a7987dg35d49453e8514573@mail.gmail.com>

On Fri, Jan 9, 2009 at 2:22 AM, Justin Shore wrote:
> And by all means DO NOT USE VLAN 1. That's what bit me in the ass last
> night.
> An unconfigured 7600 LAN port with switchport, mode access and no
> access vlan defined was a piece in the puzzle of the cluster that was my
> evening last night. VLAN 1 is evil and anyone that uses it intentionally is
> a fool.

Agreed. Ours always shut down vlan 1 and define another vlan as native on trunk ports. This way we can be sure that "user" traffic is not using vlan 1.

> On a related side note, can VLAN 1 be disabled? If the state is set to
> suspended or the vlan is 'shutdown' in vlan sub-config mode, would that
> actually shutdown VLAN 1?

If you shut down vlan 1, the "control" traffic is still tagged with vlan 1, eg CDP, VTP. But your "user" traffic will not be tagged with vlan 1 if you define another vlan as native.

> If a default config access-mode switchport in
> VLAN by default receives a packet, does it drop it?

I believe "control" traffic (CDP, VTP) will not be dropped from the port.

> I'm looking for ways to
> prevent what happened last night and since I can't remove VLAN 1 from the
> trunk ports in question I'd like to figure out how to disable the VLAN. The
> other option would be to change the VLAN used by default for the access VLAN
> when one isn't configured on a port. Is there a config option for that?

I think best practice is that an "access" port must belong to a vlan other than the default (vlan 1 in cisco). This is simple with the commands "interface range" and "switchport access vlan XXX".

HTH
Engel

From jeremy at evilrouters.net Fri Jan 9 07:40:00 2009
From: jeremy at evilrouters.net (Jeremy L. Gaddis)
Date: Fri, 9 Jan 2009 07:40:00 -0500 (EST)
Subject: [c-nsp] Procurve DHCP relay question
In-Reply-To:
References:
Message-ID:

On Thu, 8 Jan 2009, Eric Cables wrote:
> I'm in the middle of a transition from HP -> Cisco, with an HP 2848 as the
> "core", so sorry if this e-mail is off topic. I am having a hard time
> getting DHCP relay to work, and was hoping someone with HP experience could
> chime in with some assistance.
>
> I've created a new VLAN, and have specified a helper-address to point to a
> DHCP server that manages dozens of scopes. The new VLAN functions fine,
> assuming users are given a static address, but DHCP does not appear to work
> at all.

Hi Eric,

I'm not sure how helpful this might be (it seems you've already taken the necessary steps), but here's a cut and paste from a production switch doing the same thing (a 5400 in this case):

vlan 4071
   name "VLAN4071"
   ip helper-address 10.144.16.2
   ip address 10.144.1.65 255.255.255.192
   tagged A1-A4,Trk1
   exit

HTH,

-j

--
Jeremy L. Gaddis
http://evilrouters.net

From nick.jon.griffin at gmail.com Fri Jan 9 10:49:16 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Fri, 9 Jan 2009 09:49:16 -0600
Subject: [c-nsp] 6500 and VSS
In-Reply-To: <9e246b4d0812291045p28232493ndfe4ba00ad8d9d6e@mail.gmail.com>
References: <20081225105617.GB8535@greenie.muc.de> <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com> <9e246b4d0812250857i54a4cfa1ya5fce4c00b090425@mail.gmail.com> <6E31172B4025564D861CD73627500BAC02E2FB38@pru-mail02.pe.net> <7C8AE13CAD9741738D4CDE444B92DFC5@flamdt1> <164030B85F3A8B40B960817918CB021001BC712A@UTHEVS4.mail.uthouston.edu> <9e246b4d0812291045p28232493ndfe4ba00ad8d9d6e@mail.gmail.com>
Message-ID:

So, I'm building this 6509/VSS in the configuration tool on cisco's web site, and I'm getting an error that concerns me. Whenever I select advance ip services, sxi, I think it's telling me I must also have a secondary supervisor, basically for anything other than ip base? Is this others' experience, those of you using aip services and higher, do you all have redundant sups in a single chassis? My hope was for aipservices and a single 10G sup in each chassis.

Thanks!
Nick Griffin

On Mon, Dec 29, 2008 at 12:45 PM, Tim Durack wrote:
> On Mon, Dec 29, 2008 at 1:40 PM, Murphy, William wrote:
> > I was told by Cisco that SXI support both v6 and MPLS with VSS...
> > Can anyone else confirm this, and if so is anyone using VSS with these
> > features in a production network? Thanks...
>
> SXI does not. SXI(n) might.
>
> Tim:>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From William.Murphy at uth.tmc.edu Fri Jan 9 10:50:44 2009
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Fri, 9 Jan 2009 09:50:44 -0600
Subject: [c-nsp] 6500 and VSS
In-Reply-To:
References: <20081225105617.GB8535@greenie.muc.de> <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com> <9e246b4d0812250857i54a4cfa1ya5fce4c00b090425@mail.gmail.com> <6E31172B4025564D861CD73627500BAC02E2FB38@pru-mail02.pe.net> <7C8AE13CAD9741738D4CDE444B92DFC5@flamdt1> <164030B85F3A8B40B960817918CB021001BC712A@UTHEVS4.mail.uthouston.edu> <9e246b4d0812291045p28232493ndfe4ba00ad8d9d6e@mail.gmail.com>
Message-ID: <164030B85F3A8B40B960817918CB021001BC76E7@UTHEVS4.mail.uthouston.edu>

Probably just a bug in the configuration tool. We are running SXI Advanced IP
Services with a single VSS720 Sup in each chassis.

From: Nick Griffin [mailto:nick.jon.griffin at gmail.com]
Sent: Friday, January 09, 2009 9:49 AM
To: Tim Durack
Cc: Murphy, William; cisco-nsp
Subject: Re: [c-nsp] 6500 and VSS

[...]

From nick.jon.griffin at gmail.com Fri Jan 9 10:56:16 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Fri, 9 Jan 2009 09:56:16 -0600
Subject: [c-nsp] 6500 and VSS
In-Reply-To: <164030B85F3A8B40B960817918CB021001BC76E7@UTHEVS4.mail.uthouston.edu>
References: <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com> <9e246b4d0812250857i54a4cfa1ya5fce4c00b090425@mail.gmail.com> <6E31172B4025564D861CD73627500BAC02E2FB38@pru-mail02.pe.net> <7C8AE13CAD9741738D4CDE444B92DFC5@flamdt1> <164030B85F3A8B40B960817918CB021001BC712A@UTHEVS4.mail.uthouston.edu> <9e246b4d0812291045p28232493ndfe4ba00ad8d9d6e@mail.gmail.com> <164030B85F3A8B40B960817918CB021001BC76E7@UTHEVS4.mail.uthouston.edu>
Message-ID:

Thanks, guess I posted this a bit premature; it seems on the NetPro forum
that we are probably still waiting for VSS dual sup support.

On Fri, Jan 9, 2009 at 9:50 AM, Murphy, William wrote:
> Probably just a bug in the configuration tool. We are running SXI
> advanced IP services with a single VSS720 Sup in each chassis.
>
> [...]

From jeremyparr at gmail.com Fri Jan 9 11:26:23 2009
From: jeremyparr at gmail.com (Jeremy Parr)
Date: Fri, 9 Jan 2009 11:26:23 -0500
Subject: [c-nsp] Dual Homing and NAT via route-maps
Message-ID: <91dee5fc0901090826x7fea8d5aw39793abd7ae9bff0@mail.gmail.com>

One can multi-home a router via object tracking; this works just fine. When
NAT is added to the mix, things seem to get ugly and broken. The "ip nat
inside" statement isn't applied with an access list as the argument, but
rather a route-map. As soon as the ip nat statement is in use, the router can
no longer be SSHed to, or telneted to, on either external interface. Port
forwards to internal hosts continue to work.
Below is an example config. If the line "ip nat inside source route-map BGC
interface FastEthernet0 overload" is removed, or the line "route-map BGC
permit 10", I am able to telnet/ssh to the router. Any ideas? I have tested
this on various IOS revisions, currently running bleeding edge 12.4(11)XW9,
but the latest in the T train behaves the same.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
track 1 rtr 1 reachability
!
interface FastEthernet0
 ip address 172.16.10.99 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
router eigrp 1
 network 192.168.1.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.16.10.1 track 1
ip route 0.0.0.0 0.0.0.0 1.1.1.1 254
!
no ip http server
no ip http secure-server
ip nat inside source route-map BGC interface FastEthernet0 overload
ip nat inside source route-map Backup interface FastEthernet1 overload
!
ip sla 1
 icmp-echo 172.16.10.1
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
route-map Backup permit 10
 match interface FastEthernet1
!
route-map BGC permit 10
 match interface FastEthernet0
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password beans
 login
!
webvpn cef
end

From rodunn at cisco.com Fri Jan 9 12:22:54 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 9 Jan 2009 12:22:54 -0500
Subject: [c-nsp] Dual Homing and NAT via route-maps
In-Reply-To: <91dee5fc0901090826x7fea8d5aw39793abd7ae9bff0@mail.gmail.com>
References: <91dee5fc0901090826x7fea8d5aw39793abd7ae9bff0@mail.gmail.com>
Message-ID: <20090109172254.GO8455@rtp-cse-489.cisco.com>

Get 'debug ip nat detailed' when you try to do the SSH. I bet it's one of
those "denying locally generated packets" from being NATed on the way back
out issues.

Try putting a deny in the route-map instance referencing an ACL that blocks
any packets with a src ip of the outside interface addresses. Or explicitly
match the ip inside subnet and deny all others.

Rodney

On Fri, Jan 09, 2009 at 11:26:23AM -0500, Jeremy Parr wrote:
> One can multi-home a router via object tracking, this works just fine.
> When NAT is added to the mix, things seem to get ugly and broken. The
> "ip nat inside" statement isn't applied with an access list as the
> argument, but rather a route-map. As soon as the ip nat statement is
> in use, the router can no longer be sshed to, or telneted to on either
> external interface. Port forwards to internal hosts continue to work.
> Below is an example config. If the line "ip nat inside source
> route-map BGC interface FastEthernet0 overload" is removed, or the
> line "route-map BGC permit 10", I am able to telnet/ssh to the router.
> Any ideas?
> I have tested this on various IOS revisions, currently
> running bleeding edge 12.4(11)XW9, but the latest in the T train
> behaves the same.
>
> [...]

From drew.weaver at thenap.com Fri Jan 9 12:28:08 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 9 Jan 2009 12:28:08 -0500
Subject: [c-nsp] TLU/PLU memory on engine 2 line card (12000)
Message-ID:

I know that the packet RAM and route RAM are different, but what is the
difference between TLU/PLU memory and packet memory?

I was just upgrading an E2 card and noticed that on the diagram it
specifically indicates that slot 7 (PLU) and slot 8 (TLU) are not user
serviceable, but all 6 of the DIMMs (appear to be) identical.

By user serviceable do they mean that you just can't upgrade them?
Thanks,
-Drew

From jhigham at epri.com Fri Jan 9 12:33:49 2009
From: jhigham at epri.com (Higham, Josh)
Date: Fri, 9 Jan 2009 09:33:49 -0800
Subject: [c-nsp] Fwd: VLAN 1 through routed ports
In-Reply-To: <74b0c3330901090233x66a7987dg35d49453e8514573@mail.gmail.com>
References: <20090108113701.GG104@greenie.muc.de> <20090108140019.GJ104@greenie.muc.de> <49663655.80701@justinshore.com> <74b0c3330901090230s2b4fea51w2fc9cfa61ea5433@mail.gmail.com> <74b0c3330901090233x66a7987dg35d49453e8514573@mail.gmail.com>
Message-ID: <4C3B8C75B5899943AEC675BA6DD4627301770579@uspalex02.epri.com>

> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Engelhard Labiro
>
> On Fri, Jan 9, 2009 at 2:22 AM, Justin Shore wrote:
>
> > And by all means DO NOT USE VLAN 1. That's what bit me in the ass last
> > night. An unconfigured 7600 LAN port with switchport, mode access and no
> > access vlan defined was a piece in the puzzle of the cluster that was my
> > evening last night. VLAN 1 is evil and anyone that uses it intentionally is
> > a fool.
>
> agreed. ours always shutdown vlan 1 and define other vlan as native in
> trunk ports.
> this we can sure that "user" traffic is not using vlan 1.

[...]

> If you shutdown vlan 1, the "control" traffic is still tagged with
> vlan 1, eg CDP, VTP.
> But your "user" traffic will not tagged with vlan 1 if you defined
> other vlan as native

Either I'm misunderstanding what you are saying, or this is incorrect. The
native VLAN identifier just dictates what frames are tagged; it doesn't
control whether they are sent. So if the native VLAN is 999, with a
default-config port in VLAN 1, if the port receives traffic it will still be
sent over the trunk, but tagged with VLAN 1 (rather than untagged if VLAN 1
was native).

Changing the native VLAN would not have prevented the problem that Justin is
describing. The only solution to that is making sure that VLAN 1 isn't used
in production, so even if frames are generated there is no destination.
Shutting down the VLAN 1 SVI will make sure that no traffic from VLAN 1 is
routed, which is a way of enforcing the policy restriction described above.

Thanks,
Josh

From chloekcy2000 at yahoo.ca Fri Jan 9 14:05:04 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 9 Jan 2009 14:05:04 -0500 (EST)
Subject: [c-nsp] PIX question
Message-ID: <599174.58675.qm@web57415.mail.re1.yahoo.com>

Hi all

I enable the http and snmp community in dmz 192 network

http server enable
http 192.168.0.0 255.255.255.0 dmz

snmp-server community aaabbbb

but I can't access both (httpd and snmpwalk) in any hosts of 192.168.0.0
network

What am I doing wrong?

Thank you

From brhedlun at cisco.com Fri Jan 9 15:16:18 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 09 Jan 2009 14:16:18 -0600
Subject: [c-nsp] PIX question
In-Reply-To: <599174.58675.qm@web57415.mail.re1.yahoo.com>
Message-ID:

On 1/9/09 1:05 PM, "chloe K" wrote:
> Hi all
>
> I enable the http and snmp community in dmz 192 network
>
> http server enable
> http 192.168.0.0 255.255.255.0 dmz
>
> snmp-server community aaabbbb
>
> but I can't access both (httpd and snmpwalk) in any hosts of 192.168.0.0
> network
>
> What am I doing wrong?

What you have done is enable the PIX itself to be managed via HTTP and
allowed hosts on the 192.168.0.0 DMZ to manage the PIX with HTTP. You have
also turned on SNMP management of the PIX itself.

If you want the PIX to pass HTTP and SNMP traffic to the hosts on the
192.168.0.0 network you will need to allow that traffic in an access list
applied to the appropriate interfaces. Like this:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/nwaccess.html

Hope this helps.
Cheers,
Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From moua0100 at umn.edu Fri Jan 9 14:56:15 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Fri, 09 Jan 2009 13:56:15 -0600
Subject: [c-nsp] PIX question
In-Reply-To: <599174.58675.qm@web57415.mail.re1.yahoo.com>
References: <599174.58675.qm@web57415.mail.re1.yahoo.com>
Message-ID: <4967ABDF.5020401@umn.edu>

Could be a routing issue on the PIX; do you get any syslog msgs about "no
route . . ."? Traffic could be coming in on the "dmz" interface but leaving
out the default route, say to the "outside" interface. If this is indeed the
case then create a route statement: "route 255.255.255.255 dmz"

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

chloe K wrote:
> Hi all
>
> I enable the http and snmp community in dmz 192 network
>
> http server enable
> http 192.168.0.0 255.255.255.0 dmz
>
> snmp-server community aaabbbb
>
> but I can't access both (httpd and snmpwalk) in any hosts of 192.168.0.0 network
>
> What am I doing wrong?
>
> Thank you

From chloekcy2000 at yahoo.ca Fri Jan 9 15:42:54 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 9 Jan 2009 15:42:54 -0500 (EST)
Subject: [c-nsp] PIX question
In-Reply-To:
Message-ID: <61741.74118.qm@web57414.mail.re1.yahoo.com>

Thank you for your doc info

You mean I have to put an access-list before http and snmp can work?

access-list ANY extended permit ip any any
access-group ANY in interface dmz

Is it OK?

One question: why are telnet and ssh working now?

Thank you again

Brad Hedlund wrote:
[...]

From chloekcy2000 at yahoo.ca Fri Jan 9 15:41:17 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 9 Jan 2009 15:41:17 -0500 (EST)
Subject: [c-nsp] PIX question
In-Reply-To:
Message-ID: <523750.97244.qm@web57401.mail.re1.yahoo.com>

Thank you for your doc info

You mean I have to put an access-list before http and snmp can work?

access-list ANY extended permit ip any any
access-group ANY in interface dmz

Is it OK?

One question: why are telnet and ssh working?

Thank you again

Brad Hedlund wrote:
[...]

From marc at sniff.de Fri Jan 9 16:08:12 2009
From: marc at sniff.de (Marc Binderberger)
Date: Fri, 9 Jan 2009 16:08:12 -0500
Subject: [c-nsp] TLU/PLU memory on engine 2 line card (12000)
In-Reply-To:
References:
Message-ID: <2B7EE832-EFC7-449B-A40E-FFFA71E6B538@sniff.de>

Hi Drew,

PLU (pointer lookup) and TLU (table lookup) is memory used by the layer 3
ASIC. It contains your FIB/MFIB/LFIB data (read: your CEF and labels). The
packet memory keeps - the packet :-)

> By user serviceable do they mean that you just can't upgrade them?

By non-user-upgradable, correct, you cannot upgrade it. Not sure what happens
if you try it, but likely the card refuses to work.

Regards,
Marc

On 9-Jan-09, at 12:28 PM, Drew Weaver wrote:
> I know that the packet RAM and route RAM are different but what is
> the difference between TLU/PLU memory and packet memory?
>
> I was just upgrading an E2 card and noticed that on the diagram it
> specifically indicates that slot 7 (PLU) and slot 8 (TLU) are not
> user serviceable but all 6 of the DIMMS (appear to be) identical.
>
> By user serviceable do they mean that you just can't upgrade them?
>
> Thanks,
> -Drew

From brhedlun at cisco.com Fri Jan 9 16:41:58 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 09 Jan 2009 15:41:58 -0600
Subject: [c-nsp] PIX question
In-Reply-To: <523750.97244.qm@web57401.mail.re1.yahoo.com>
Message-ID:

On 1/9/09 2:41 PM, "chloe K" wrote:
> One question, Why the telnet and ssh are working?
> You mean I have to put access-list before http and snmp can work

OK. I may have misunderstood your original question. It now sounds like you
are trying to enable management of the PIX with HTTPS and SNMP and it is not
working.

No, you do not need to configure an access-list to allow management traffic
to the PIX.

Secondly, even though you are typing 'http server enable', you can only
manage the PIX/ASA with HTTPS. So try accessing the PIX with https:// not
http://

For SNMP to work you might be missing the command 'snmp server enable'

This should help:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html

Cheers,
Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From cburwell at gmail.com Fri Jan 9 18:30:58 2009
From: cburwell at gmail.com (Chris Burwell)
Date: Fri, 9 Jan 2009 18:30:58 -0500
Subject: [c-nsp] cisco-nsp Digest, Vol 74, Issue 20
In-Reply-To:
References:
Message-ID:

Hi Eric,

There are a few basic things that should be checked first. I don't mean to
insult anyone, but I sometimes overlook some simple steps when I dive into a
problem.

First, ensure you have the latest software (as HP calls it) running on the
switch. This is freely available from the Procurve website (no login is
needed).

Second, console into the switch and see if you can ping the DHCP server from
the command prompt. If you cannot, then the switch does not know how to reach
the DHCP server.

Finally, check to see that you have the proper route for the VLAN on the
switch. For example on our core 8212zl, I have to add the following statement
for each VLAN:

vlan 800
   ip ospf 192.168.0.1 area 0.0.0.1
   exit

Obviously this is the statement used for OSPF on an 8212zl, so your config
might be different (particularly if you're using a different routing
protocol).

- Chris

> Date: Thu, 8 Jan 2009 13:52:50 -0800
> From: "Eric Cables"
> Subject: [c-nsp] Procurve DHCP relay question
> To: "cisco-nsp at puck.nether.net"
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I'm in the middle of a transition from HP -> Cisco, with an HP 2848 as the
> "core", so sorry if this e-mail is off topic. I am having a hard time
> getting DHCP relay to work, and was hoping someone with HP experience could
> chime in with some assistance.
>
> I've created a new VLAN, and have specified a helper-address to point to a
> DHCP server that manages dozens of scopes. The new VLAN functions fine,
> assuming users are given a static address, but DHCP does not appear to work
> at all.
>
> To troubleshoot I pointed the helper-address to a system with Wireshark, but
> I don't see any requests coming in when a user on the new VLAN requests a
> new DHCP address, indicating that the request is not being forwarded
> properly. Is there any debugging available on the procurve to troubleshoot
> this further?
>
> I've read a number of documents describing how to configure DHCP relay on a
> procurve, and as far as I can tell the recommendations match my
> configuration.
>
> Here are the features enabled on the 2848:
> - 'ip routing' is enabled
> - 'dhcp-relay' does not show in a 'show run', indicating it is enabled (the
> default)
> - A 'ip helper-address x.x.x.x' statement is configured on the VLAN
> interface
> - There is a route back to the destination helper-address
> - Connectivity works on the VLAN in question, assuming users are statically
> configured
>
> Any advice would be appreciated..
>
> -- Eric Cables

From cburwell at gmail.com Fri Jan 9 18:52:34 2009
From: cburwell at gmail.com (Chris Burwell)
Date: Fri, 9 Jan 2009 18:52:34 -0500
Subject: [c-nsp] Logical Router Segmentation
Message-ID:

I am looking for a bit of guidance on logically segmenting an existing
router.

Currently I have a core network router that has fiber connections to all of
our buildings. Each building is in its own VLAN. We run OSPF on the router
and all VLANs are in the same area 0.0.0.1.

In the future things are going to change, one of which will be our ISP. So we
will have two fiber connections to the outside world. One will go to the
internet via a yet-to-be-named ISP, while the other will go to an external
entity that provides some services to us.

Since money is tight right now, I want to try to use our current hardware for
the new setup. What I am unsure about is how everything would be set up. I
know that the two external connections will be in their own VLAN, but it is
the routing part that I am trying to wrap my head around. Would we have to
run a separate routing instance for the two external connections? I ask this
because once the outbound traffic makes it past our firewall, the router is
going to have to make a decision on whether the traffic should be routed to
the external entity or to the internet. Would we be able to accomplish this
with our current routing setup?

The setup will be the two external connections on their own VLAN. A third
connection will also be a part of that VLAN, and this will provide the
"outside" link on our firewall.
From there the firewall will connect to another port on our internal network
(which is again on its own VLAN, but this VLAN is part of our internal OSPF
area). So outbound traffic would travel into the internal interface on the
firewall, out the external interface and back into our core router. From here
the decision needs to be made on what link the packet should be forwarded out
of.

I appreciate any help!

- Chris

From ecables at gmail.com Fri Jan 9 19:09:33 2009
From: ecables at gmail.com (Eric Cables)
Date: Fri, 9 Jan 2009 16:09:33 -0800
Subject: [c-nsp] cisco-nsp Digest, Vol 74, Issue 20
In-Reply-To:
References:
Message-ID:

I haven't updated the sw yet, maybe that will yield some results. I have
confirmed that I can ping the DHCP server from the switch, and vice versa.
I'll check out the software image, and see how behind it is.

Thanks for the tips..

-- Eric Cables

On Fri, Jan 9, 2009 at 3:30 PM, Chris Burwell wrote:
> Hi Eric,
>
> There are a few basic things that should be checked first. I don't
> mean to insult anyone, but I sometimes overlook some simple steps when
> I dive into a problem.
>
> First, ensure you have the latest software (as HP calls it) running on
> the switch. This is freely available from the Procurve website (no
> login is needed).
>
> Second, console into the switch and see if you can ping the DHCP
> server from the command prompt. If you cannot, then the switch does
> not know how to reach the DHCP server.
>
> Finally, check to see that you have the proper route for the VLAN on
> the switch. For example on our core 8212zl, I have to add the
> following statement for each VLAN:
>
> vlan 800
> ip ospf 192.168.0.1 area 0.0.0.1
> exit
>
> Obviously this is the statement used for OSPF on an 8212zl, so your
> config might be different (particularly if you're using a different
> routing protocol.
>
> - Chris
>
> > Date: Thu, 8 Jan 2009 13:52:50 -0800
> > From: "Eric Cables"
> > Subject: [c-nsp] Procurve DHCP relay question
> > To: "cisco-nsp at puck.nether.net"
> >
> > [...]
> >
> > Any advice would be appreciated..
> > > > -- Eric Cables

From brhedlun at cisco.com Fri Jan 9 19:10:50 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 09 Jan 2009 18:10:50 -0600
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
Message-ID:

On 1/9/09 5:52 PM, "Chris Burwell" wrote:

> I am looking for a bit of guidance on logically segmenting an existing
> router.
> I appreciate any help!

Chris,
I think it would help if you drew this up in a Visio, saved it as a PDF, and uploaded it to a URL for folks to look at as they read your overview and questions.

Cheers,
Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From chloekcy2000 at yahoo.ca Fri Jan 9 19:37:29 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 9 Jan 2009 19:37:29 -0500 (EST)
Subject: [c-nsp] PIX question
In-Reply-To:
Message-ID: <218606.61762.qm@web57411.mail.re1.yahoo.com>

Yes. you are right
it works now. https works fine

But I can't logon in http as user pix and pw
Do I need to do anything?

snmp works fine. But I can't get CPU info in cacti?
It only shows the interface. Do you have any idea?

Thank you again

Brad Hedlund wrote:
On 1/9/09 2:41 PM, "chloe K" wrote:

> One question, Why the telnet and ssh are working?
> You mean I have to put access-list before http and snmp can work

OK. I may have misunderstood your original question. It now sounds like you are trying to enable management of the PIX with HTTPS and SNMP and it is not working.

No, you do not need to configure an access-list to allow management traffic to the PIX.

Secondly, even though you are typing 'http server enable', you can only manage the PIX/ASA with HTTPS. So try accessing the PIX with https:// not http://

For SNMP to work you might be missing the command 'snmp server enable'

This should help:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html

Cheers,
Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From cburwell at gmail.com Fri Jan 9 21:54:36 2009
From: cburwell at gmail.com (Chris Burwell)
Date: Fri, 9 Jan 2009 21:54:36 -0500
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
References:
Message-ID:

Brad,

Thank you for the suggestion!

http://www.hiddenone.net/Topology.pdf

That PDF has two pages. Page one represents our current topology and page two represents what I would like to do. The red lines on page two represent what would be outside of our network (the two connections).

- Chris

On Fri, Jan 9, 2009 at 7:10 PM, Brad Hedlund wrote:
> On 1/9/09 5:52 PM, "Chris Burwell" wrote:
>
>> I am looking for a bit of guidance on logically segmenting an existing
>> router.
>> I appreciate any help!
>
> Chris,
> I think it would help if you drew this up in a Visio, saved it as a PDF, and
> uploaded it to a URL for folks to look at as they read your overview and
> questions.
>
> Cheers,
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org

From brhedlun at cisco.com Sat Jan 10 01:45:01 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Sat, 10 Jan 2009 00:45:01 -0600
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
Message-ID:

On 1/9/09 8:54 PM, "Chris Burwell" wrote:

> http://www.hiddenone.net/Topology.pdf

Chris,
Thanks for the diagram. I can now visualize what you are trying to do.

For this to work as diagramed you will need to create two separate routing instances on the "District Router", one for internal, one for external. You would associate the internal VLANs to the internal instance, and the external connections and their respective VLANs to the external routing instance.

With a Cisco switch this would be easy to accomplish with a feature called VRF-Lite, which creates separate discrete routing table instances, and allows you to then define which VLANs and interfaces belong to which routing instances.
If the "District Router" is not Cisco, and does not support a feature like VRF-Lite, you might need to buy a separate L3 switch or router to support the external connections on the outside of the firewall. If a full BGP table is NOT required, you might be able to do this on the cheap, such as a Cisco 3560. Cheers, Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org From stephens at ameslab.gov Sat Jan 10 01:55:57 2009 From: stephens at ameslab.gov (Douglas C. Stephens) Date: Sat, 10 Jan 2009 00:55:57 -0600 Subject: [c-nsp] Logical Router Segmentation In-Reply-To: References: Message-ID: <6.2.3.4.2.20090110001200.04098f18@imap.ameslab.gov> Chris, Does your switch or router have VRF-lite in its feature set? I had a similar problem wrapping my brain around layer-3 segmentation. What you describe seems similar in concept to problems I faced in the past couple of years. I found some docs at Cisco that were close to what I wanted to, and they covered Policy-Based Routing and VRF as two solutions. A lot of what those documents talked about re. VRF was using either MPLS or GRE tunnels. That seemed a bit heavy for my campus LAN. So I found instead VRF-lite, which worked without all that MPLS and GRE stuff. I implemented VRF-lite in my core switch/routers because it was going to be easier to implement and maintain than PBR and traditional VRF. Basically, VRF and VRF-lite create alternate independent RIBs (route tables) in your switch or router. Unless you configure some way to explicitly share or leak routes between each of them and your global table, they won't. So you could create a totally separate routing process (OSPF, BGP, static routes, whatever) that is independent of your main OSPF IGP. As far as your existing internal OSPF, your switch/router's OSPF area 0 is an ASBR with a default route leading out to your content filter and firewall. 
What you might do with this is to create a VRF definition for your external connections, including the one coming back from the "outside" of your firewall.

ip vrf externalzone
 rd 111:222

Then put your group of "external zone" interfaces into

int fa1/0
 ip vrf forwarding externalzone
 ip address 10.0.0.1 255.255.255.0
 exit
int fa2/0
 ip vrf forwarding externalzone
 ip address 10.0.1.1 255.255.255.0
 exit
int fa3/0
 ip vrf forwarding externalzone
 ip address 10.0.2.1 255.255.255.0
 exit

Then you set up your routing for the VRF. I'll show you OSPF and static routes.

router ospf 333 vrf externalzone
 log-adjacency-changes
 capability vrf-lite
 area 0 stub no-summary
 passive-interface default
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 0
 network 10.0.2.0 0.0.0.255 area 0
 distribute-list deny-def-route out

ip route vrf externalzone 0.0.0.0 0.0.0.0
ip route vrf externalzone 0.0.0.0 0.0.0.0 20
ip route vrf externalzone 10.0.2.2

It works for VLAN SVIs as well as L3 routed physical ports. Just make sure your switch/router has VRF-lite in its feature set.

If you have this feature available, here are some links to other web pages that can help you understand it better.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/net_qanda0900aecd804a16ae.html
http://www.cisco.com/en/US/netsol/ns658/networking_solutions_package.html
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080851cc6.pdf
http://www.ciscosystems.com/en/US/docs/optical/15000r4_0/ethernet/454/guide/vrf.pdf
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/cheatsheet.shtml

At 05:52 PM 1/9/2009, Chris Burwell wrote:
>I am looking for a bit of guidance on logically segmenting an existing
>router.
Currently I have a core network router that has fiber >connections to all of our buildings. Each building is in it's own >VLAN. We run OSPF on the router and all VLANS are in the same area >0.0.0.1. > >In the future things are going to change, one of which will be our >ISP. So we will have two fiber connections to the outside world. One >will go to the internet VIA a yet to be named ISP, while the other >will go to an external entity that provides some services to us. Since >money is tight right now, I want to try to use our current hardware >for the new setup. > >What I am unsure about is how everything would be setup. I know that >the two external connections will be in their own VLAN, but it is the >routing part that I am trying to wrap my head around. Would we have to >run a separate routing instance for the two external connections? I >ask this because once the outbound traffic makes it past our firewall, >the router is going to have to make a decision on if the traffic >should be routed to the external entity or to the internet. Would we >be able to accomplish this with our current routing setup? > >The setup will be the two external connections on their own VLAN. A >third connection will also be a part of that VLAN, and this will >provide the "outside" link on our firewall. From there the firewall >will connect to another port on our internal network (which is again >on it's own VLAN, but this VLAN is part of our internal OSPF area). SO >outbound traffic would travel into the internal interface on the >firewall, out the external interface and back into our core router. > >From here the decision needs to be made on what link the packet should >be forwarded out of. > >I appreciate any help! > >- Chris >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Douglas C. 
Stephens | UNIX/Windows/Email Admin System Support Specialist | Network/DNS Admin Information Systems | Phone: (515) 294-6102 Ames Laboratory, US DOE | Email: stephens at ameslab.gov From ajajaja3 at gmail.com Sat Jan 10 03:07:07 2009 From: ajajaja3 at gmail.com (PJG) Date: Sat, 10 Jan 2009 18:07:07 +1000 Subject: [c-nsp] 6500 VSS with redundant FWSM Message-ID: <331bb49e0901100007m161ce08av71a75f55ac2b7785@mail.gmail.com> Hi guys, Any good design doco / link / advise for this hardware configuration? The VSS 1440 is expected to be the new core of a data center. Thanks, Joe From cphillips at wbsconnect.com Sat Jan 10 02:18:24 2009 From: cphillips at wbsconnect.com (Chris Phillips) Date: Fri, 09 Jan 2009 23:18:24 -0800 Subject: [c-nsp] MPLS support for WS-X6182-2PA? Message-ID: <49684BC0.9030605@wbsconnect.com> Hello, Can anyone tell me if the WS-X6182-2PA support MPLS and Cisco conveniently forgot to mention it on their website? ;) Thanks in advance. -- Chris Phillips From oboehmer at cisco.com Sat Jan 10 04:20:10 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Sat, 10 Jan 2009 10:20:10 +0100 Subject: [c-nsp] MPLS support for WS-X6182-2PA? In-Reply-To: <49684BC0.9030605@wbsconnect.com> References: <49684BC0.9030605@wbsconnect.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406A71B44@xmb-ams-333.emea.cisco.com> Chris Phillips <> wrote on Saturday, January 10, 2009 08:18: > Hello, > > Can anyone tell me if the WS-X6182-2PA support MPLS and Cisco > conveniently forgot to mention it on their website? 
;) MPLS is supported on FlexWAN, see for example http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_conf ig/flexmpls.html oli From cburwell at gmail.com Sat Jan 10 09:57:36 2009 From: cburwell at gmail.com (Chris Burwell) Date: Sat, 10 Jan 2009 09:57:36 -0500 Subject: [c-nsp] Logical Router Segmentation In-Reply-To: <6.2.3.4.2.20090110001200.04098f18@imap.ameslab.gov> References: <6.2.3.4.2.20090110001200.04098f18@imap.ameslab.gov> Message-ID: Brad & Doug, The information provided helps me understand how everything would be setup a bit better. The problem I think I will run into will be the fact that our "district router" is an HP Procurve 8212zl. I am fairly certain the 8212zl can accomplish what was described here, the problem will be finding documentation on how to configure everything. - Chris On Sat, Jan 10, 2009 at 1:55 AM, Douglas C. Stephens wrote: > Chris, > > Does your switch or router have VRF-lite in its feature set? > > I had a similar problem wrapping my brain around layer-3 segmentation. What > you describe seems similar in concept to problems I faced in the past couple > of years. I found some docs at Cisco that were close to what I wanted to, > and they covered Policy-Based Routing and VRF as two solutions. A lot of > what those documents talked about re. VRF was using either MPLS or GRE > tunnels. That seemed a bit heavy for my campus LAN. So I found instead > VRF-lite, which worked without all that MPLS and GRE stuff. I implemented > VRF-lite in my core switch/routers because it was going to be easier to > implement and maintain than PBR and traditional VRF. > > Basically, VRF and VRF-lite create alternate independent RIBs (route tables) > in your switch or router. Unless you configure some way to explicitly share > or leak routes between each of them and your global table, they won't. > So you could create a totally separate routing process (OSPF, BGP, static > routes, whatever) that is independent of your main OSPF IGP. 
As far as your > existing internal OSPF, your switch/router's OSPF area 0 is an ASBR with a > default route leading out to your content filter and firewall. > > What you might do with this is to create a VRF definition for your external > connections, including the one coming back from the "outside" of your > firewall. > > ip vrf externalzone > rd 111:222 > > Then put your group of "external zone" interfaces into > > int fa1/0 > ip vrf forwarding externalzone > ip address 10.0.0.1 255.255.255.0 > exit > int fa2/0 > ip vrf forwarding externalzone > ip address 10.0.1.1 255.255.255.0 > exit > int fa3/0 > ip vrf forwarding externalzone > ip address 10.0.2.1 255.255.255.0 > exit > > Then you set up your routing for the VRF. I'll show you OSPF and static > routes. > > router ospf 333 vrf externalzone > log-adjacency-changes > capability vrf-lite > area 0 stub no-summary > passive-interface default > network 10.0.0.0 0.0.0.255 area 0 > network 10.0.1.0 0.0.0.255 area 0 > network 10.0.2.0 0.0.0.255 area 0 > distribute-list deny-def-route out > > ip route vrf externalzone 0.0.0.0 0.0.0.0 > ip route vrf externalzone 0.0.0.0 0.0.0.0 20 > ip route vrf externalzone 10.0.2.2 > > > It works for VLAN SVIs as well as L3 routed physical ports. Just make sure > your switch/router has VRF-line in its feature set. > > If you have this feature available, here are some links to other web pages > that can help you understand it better. 
> > http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/net_qanda0900aecd804a16ae.html > > http://www.cisco.com/en/US/netsol/ns658/networking_solutions_package.html > > http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080851cc6.pdf > > http://www.ciscosystems.com/en/US/docs/optical/15000r4_0/ethernet/454/guide/vrf.pdf > > http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml > > http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml > > http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml > > http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/cheatsheet.shtml > > > > At 05:52 PM 1/9/2009, Chris Burwell wrote: >> >> I am looking for a bit of guidance on logically segmenting an existing >> router. Currently I have a core network router that has fiber >> connections to all of our buildings. Each building is in it's own >> VLAN. We run OSPF on the router and all VLANS are in the same area >> 0.0.0.1. >> >> In the future things are going to change, one of which will be our >> ISP. So we will have two fiber connections to the outside world. One >> will go to the internet VIA a yet to be named ISP, while the other >> will go to an external entity that provides some services to us. Since >> money is tight right now, I want to try to use our current hardware >> for the new setup. >> >> What I am unsure about is how everything would be setup. I know that >> the two external connections will be in their own VLAN, but it is the >> routing part that I am trying to wrap my head around. Would we have to >> run a separate routing instance for the two external connections? I >> ask this because once the outbound traffic makes it past our firewall, >> the router is going to have to make a decision on if the traffic >> should be routed to the external entity or to the internet. Would we >> be able to accomplish this with our current routing setup? 
>>
>> The setup will be the two external connections on their own VLAN. A
>> third connection will also be a part of that VLAN, and this will
>> provide the "outside" link on our firewall. From there the firewall
>> will connect to another port on our internal network (which is again
>> on its own VLAN, but this VLAN is part of our internal OSPF area). So
>> outbound traffic would travel into the internal interface on the
>> firewall, out the external interface and back into our core router.
>>
>> From here the decision needs to be made on what link the packet should
>> be forwarded out of.
>>
>> I appreciate any help!
>>
>> - Chris

From rolf-web at internet.ao Sat Jan 10 11:01:20 2009
From: rolf-web at internet.ao (Rolf Mendelsohn)
Date: Sat, 10 Jan 2009 17:01:20 +0100
Subject: [c-nsp] Cisco 2800 / 3800 memory types
Message-ID: <200901101701.21086.rolf-web@internet.ao>

Hi Guys,

Sorry to bother with a trivial question, just bothering me atm & I don't have 3 different C2800's on my desk atm to test with.

Is the RAM identical for the C2811, C2821 & C2851? I know that on the Cisco pricelist & ordering the part numbers are unique, but so are the part numbers for flash memory (which definitely works in C2800, C3800, etc. etc.).

Can anybody confirm that the RAM on these routers is interchangeable??
Tx
/rolf

From tvarriale at comcast.net Sat Jan 10 11:56:33 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Sat, 10 Jan 2009 10:56:33 -0600
Subject: [c-nsp] 6500 VSS with redundant FWSM
References: <331bb49e0901100007m161ce08av71a75f55ac2b7785@mail.gmail.com>
Message-ID: <78C883AB3636486181B0E3BDB14916E2@flamdt01>

I don't know of any but the FWSMs act just like they did without VSS. So, there isn't much of a design issue. Put one in each chassis and configure as normal.

tv

----- Original Message -----
From: "PJG"
To:
Sent: Saturday, January 10, 2009 2:07 AM
Subject: [c-nsp] 6500 VSS with redundant FWSM

> Hi guys,
>
> Any good design doco / link / advise for this hardware configuration?
>
> The VSS 1440 is expected to be the new core of a data center.
>
> Thanks,
> Joe

From brhedlun at cisco.com Sat Jan 10 12:58:55 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Sat, 10 Jan 2009 11:58:55 -0600
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
Message-ID:

On 1/10/09 8:57 AM, "Chris Burwell" wrote:

> I am fairly certain the 8212zl can accomplish what was described here,
> the problem will be finding documentation on how to configure
> everything.

Chris,
I would be curious to see what you come up with. The 8212 feature list on HP's website doesn't show anything similar to VRF-Lite. I'm pretty sure VRF-Lite like capabilities are unique to Cisco. Let me know if you find otherwise.
Cheers,
Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From cburwell at gmail.com Sat Jan 10 17:13:36 2009
From: cburwell at gmail.com (Chris Burwell)
Date: Sat, 10 Jan 2009 17:13:36 -0500
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To: <263419481.20090110235542@ml.lv>
References: <263419481.20090110235542@ml.lv>
Message-ID:

Interesting. A vendor mentioned that the 8212zl would be able to do some logical segmenting. He did not mention VRF specifically, but I reached out to him to see if he could get me the specifics of how this would be configured. I'll see what he comes back with and report back.

It has been rumored that HP will be releasing a module for the 8212zl some time this spring/summer. This module is supposed to make the 8212zl more of a complete router as well as adding other services such as IPS. It is possible that this module will add VRF support. This is just speculation on my part.

- Chris

On Sat, Jan 10, 2009 at 4:55 PM, Aivars wrote:
> 8212 has no VRF lite. HP has promised and put on their road map VRF lite a
> long time ago but it's still not there.
>
> Aivars
>
> Saturday, January 10, 2009, 7:58:55 PM, you wrote:
>
> BH> On 1/10/09 8:57 AM, "Chris Burwell" wrote:
>
>>> I am fairly certain the 8212zl can accomplish what was described here,
>>> the problem will be finding documentation on how to configure
>>> everything.
>
> BH> Chris,
> BH> I would be curious to see what you come up with. The 8212 feature list on
> BH> HP's website doesn't show anything similar to VRF-Lite. I'm pretty sure
> BH> VRF-Lite like capabilities are unique to Cisco. Let me know if you find
> BH> otherwise.
>
> BH> Cheers,
> BH> Brad Hedlund
> BH> bhedlund at cisco.com
> BH> http://www.internetworkexpert.org
>

From aivars at ml.lv Sat Jan 10 16:55:42 2009
From: aivars at ml.lv (Aivars)
Date: Sat, 10 Jan 2009 23:55:42 +0200
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
References:
Message-ID: <263419481.20090110235542@ml.lv>

8212 has no VRF lite. HP has promised and put on their road map VRF lite a long time ago but it's still not there.

Aivars

Saturday, January 10, 2009, 7:58:55 PM, you wrote:

BH> On 1/10/09 8:57 AM, "Chris Burwell" wrote:

>> I am fairly certain the 8212zl can accomplish what was described here,
>> the problem will be finding documentation on how to configure
>> everything.

BH> Chris,
BH> I would be curious to see what you come up with. The 8212 feature list on
BH> HP's website doesn't show anything similar to VRF-Lite. I'm pretty sure
BH> VRF-Lite like capabilities are unique to Cisco. Let me know if you find
BH> otherwise.

BH> Cheers,
BH> Brad Hedlund
BH> bhedlund at cisco.com
BH> http://www.internetworkexpert.org

From dwinkworth at att.net Sat Jan 10 18:43:13 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Sat, 10 Jan 2009 17:43:13 -0600
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
References:
Message-ID: <49693291.9090401@att.net>

You might be able to do this without vrf-lite, with something like PBR... You only have two "domains" and each domain only has two logical interfaces.
So you could create four policies, one for each interface that sets the egress interface that you want all traffic coming into that interface to go to... so in the case of the internet interface... the policy would just direct all inbound packets to the firewall ethernet interface...

Chris Burwell wrote:
> Brad,
>
> Thank you for the suggestion!
>
> http://www.hiddenone.net/Topology.pdf
>
> That PDF has two pages. Page one represents our current topology and
> page two represents what I would like to do. The red lines on page two
> represent what would be outside of our network (the two connections).
>
> - Chris
>
> On Fri, Jan 9, 2009 at 7:10 PM, Brad Hedlund wrote:
>
>> On 1/9/09 5:52 PM, "Chris Burwell" wrote:
>>
>>> I am looking for a bit of guidance on logically segmenting an existing
>>> router.
>>> I appreciate any help!
>>>
>> Chris,
>> I think it would help if you drew this up in a Visio, saved it as a PDF, and
>> uploaded it to a URL for folks to look at as they read your overview and
>> questions.
>>
>> Cheers,
>> Brad Hedlund
>> bhedlund at cisco.com
>> http://www.internetworkexpert.org
>>

From mksmith at adhost.com Sat Jan 10 20:44:20 2009
From: mksmith at adhost.com (Michael K. Smith)
Date: Sat, 10 Jan 2009 17:44:20 -0800
Subject: [c-nsp] PIX question
In-Reply-To: <218606.61762.qm@web57411.mail.re1.yahoo.com>
Message-ID:

On 1/9/09 4:37 PM, "chloe K" wrote:

> Yes. you are right
>
> it works now.
> https works fine
>
> But I can't logon in http as user pix and pw
> Do I need to do anything?
>
> snmp works fine. But I can't get CPU info in cacti?
>
> It only shows the interface. Do you have any idea?
>
> Thank you again

username password privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

With the above, you will use a local user for access via ssh and http, as well as for enable access. With the user specified with privilege 15 you will be able to do everything on the PIX. Remember, with the commands above, when you type "enable" you will use the password of the user, not the enable password on the device. And, you can add as many users as you like.

Regards,

Mike

From hank at efes.iucc.ac.il Sun Jan 11 03:28:28 2009
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Sun, 11 Jan 2009 10:28:28 +0200
Subject: [c-nsp] Softnet replacement?
Message-ID: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il>

I was informed that Cisco no longer sells Softnet support. What should I be asking for in order to open TAC cases directly (not via our Cisco Gold Partner) as well as to be able to download new IOS versions?

Thanks,
Hank

From gert at greenie.muc.de Sun Jan 11 04:20:35 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 11 Jan 2009 10:20:35 +0100
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il>
Message-ID: <20090111092034.GR104@greenie.muc.de>

Hi,

On Sun, Jan 11, 2009 at 10:28:28AM +0200, Hank Nussbacher wrote:
> I was informed that Cisco no longer sells Softnet support. What should I
> be asking for in order to open TAC cases directly (not via our Cisco Gold
> Partner) as well as to be able to download new IOS versions?

"Softnet" is a term unknown to me. If I assume a typo, and that you wanted to type "Smartnet" - Cisco still seems to sell these.
The rules have changed, though - in earlier times, we could buy something called "packaged smartnet", which came with some paperwork and magic numbers on it, and you had to enter the license key into the SCC web interface. The pricing was based on "categories", depending on router/switch model.

These days, when we buy the same service, we get a specific quote for the type of hardware we use (no more categories), and if we accept, our distributor(!) goes to SCC and activates the smartnet contract for us.

On one hand, this is making the process easier (less messing with SCC), on the other hand, it's making it more messy (extra effort required to attach the new contract to your CCO login).

[Insert rant about unusability of SCC here, at least for infrequent users, but it's not like web usability is a priority for anyone at Cisco]

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From avayner at cisco.com Sun Jan 11 05:24:33 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 11 Jan 2009 11:24:33 +0100
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D703FB7F@xmb-ams-331.emea.cisco.com>

Hank,

I think you are referring to SmartNet...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hank Nussbacher
Sent: Sunday, January 11, 2009 10:28
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Softnet replacement?

I was informed that Cisco no longer sells Softnet support.
What should I be asking for in order to open TAC cases directly (not via our Cisco Gold Partner) as well as to be able to download new IOS versions?

Thanks,
Hank

From hank at efes.iucc.ac.il Sun Jan 11 06:41:59 2009
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Sun, 11 Jan 2009 13:41:59 +0200
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D703FB7F@xmb-ams-331.emea.cisco.com>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il>
Message-ID: <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il>

At 11:24 AM 11-01-09 +0100, Arie Vayner (avayner) wrote:
>Hank,
>
>I think you are referring to SmartNet...

That provides RMA which we do not need. We want *only* TAC access and IOS downloads. Softnet provided that option - which Cisco has abolished.

-Hank

>Arie
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hank Nussbacher
>Sent: Sunday, January 11, 2009 10:28
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] Softnet replacement?
>
>I was informed that Cisco no longer sells Softnet support. What should
>I be asking for in order to open TAC cases directly (not via our Cisco
>Gold Partner) as well as to be able to download new IOS versions?
>
>Thanks,
>Hank

From lists at daniels.id.au Sun Jan 11 07:10:39 2009
From: lists at daniels.id.au (Aaron Daniels - Lists)
Date: Sun, 11 Jan 2009 22:10:39 +1000
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il>
Message-ID: <000c01c973e5$a0ab3690$e201a3b0$@id.au>

Hi Hank,

> I was informed that Cisco no longer sells Softnet support. What should
> I be asking for in order to open TAC cases directly (not via our Cisco
> Gold Partner) as well as to be able to download new IOS versions?

We use Co-brand maintenance, which is purchased from a partner but direct to the Cisco TAC.
I believe you can get SW only as well.

Thanks,
Aaron Daniels

From gkg at gmx.de Sun Jan 11 07:30:41 2009
From: gkg at gmx.de (Garry)
Date: Sun, 11 Jan 2009 13:30:41 +0100
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il>
Message-ID: <4969E671.5030809@gmx.de>

Hank Nussbacher wrote:
> At 11:24 AM 11-01-09 +0100, Arie Vayner (avayner) wrote:
>> Hank,
>>
>> I think you are referring to SmartNet...
>
> That provides RMA which we do not need. We want *only* TAC access and
> IOS downloads. Softnet provided that option - which Cisco has abolished.

We've set up some smartnet contracts software-only just recently ... they are TAC & Software updates (Product code is under "SW" - Software Maintenance) ... from what I see on SCC, I can still get quotes, so I assume that's what would work for you there ... OTOH, they also still list HASW (HAS SoftNet) in there as well ... *shrug*

-garry

From gert at greenie.muc.de Sun Jan 11 08:19:22 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 11 Jan 2009 14:19:22 +0100
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il>
Message-ID: <20090111131922.GS104@greenie.muc.de>

Hi,

On Sun, Jan 11, 2009 at 01:41:59PM +0200, Hank Nussbacher wrote:
> That provides RMA which we do not need. We want *only* TAC access and IOS
> downloads. Softnet provided that option - which Cisco has abolished.

Oh. Interesting. Softnet would have been what we've been asking Cisco for for years - but it has never been offered to us :-(

(With a high number of similar boxes, hardware RMA quickly becomes more expensive than just having a spare box - but IOS downloads + bugfixes is definitely a useful thing to have).

gert

From will at harg.net Sun Jan 11 07:27:57 2009
From: will at harg.net (Will Hargrave)
Date: Sun, 11 Jan 2009 12:27:57 +0000
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il>
Message-ID: <4969E5CD.3070609@harg.net>

Hank Nussbacher wrote:
> That provides RMA which we do not need. We want *only* TAC access and
> IOS downloads. Softnet provided that option - which Cisco has abolished.

In the past I've bought 'SASU' which is Software Application Support plus Upgrades.

However on recent pricing it came out the same price as 8x5xNBD smartnet which includes hardware replacement too...
From hank at efes.iucc.ac.il Sun Jan 11 09:05:55 2009
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Sun, 11 Jan 2009 16:05:55 +0200 (IST)
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <000c01c973e5$a0ab3690$e201a3b0$@id.au>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <000c01c973e5$a0ab3690$e201a3b0$@id.au>
Message-ID:

On Sun, 11 Jan 2009, Aaron Daniels - Lists wrote:

> Hi Hank,
>
>> I was informed that Cisco no longer sells Softnet support. What should I
>> be asking for in order to open TAC cases directly (not via our Cisco Gold
>> Partner) as well as to be able to download new IOS versions?
>
> We use Co-brand maintenance, which is purchased from a partner but direct to
> the Cisco TAC.
> I believe you can get SW only as well.

Is that AU specific? Is there a product number one can order or some webpage explaining what it is?

-Hank

From hank at efes.iucc.ac.il Sun Jan 11 09:06:42 2009
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Sun, 11 Jan 2009 16:06:42 +0200 (IST)
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <4969E5CD.3070609@harg.net>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il> <4969E5CD.3070609@harg.net>
Message-ID:

On Sun, 11 Jan 2009, Will Hargrave wrote:

> Hank Nussbacher wrote:
>
>> That provides RMA which we do not need. We want *only* TAC access and
>> IOS downloads. Softnet provided that option - which Cisco has abolished.
>
> In the past I've bought 'SASU' which is Software Application Support
> plus Upgrades.
>
> However on recent pricing it came out the same price as 8x5xNBD smartnet
> which includes hardware replacement too...

Same price = not worth it.
-Hank

From bennetb at gmail.com Sun Jan 11 11:19:54 2009
From: bennetb at gmail.com (Brandon Bennett)
Date: Sun, 11 Jan 2009 09:19:54 -0700
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
References:
Message-ID: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com>

Vrf-lite is just a Cisco term for utilizing VRFs when no MPLS is present. Any vendor who supports VRFs supports "VRF-lite".

In all honesty it's a stupid term as VRF technology isn't tied to MPLS at all. Yes vrf is required for l3 vpns but so is mBGP and we don't have mBGP-lite :)

-Brandon

Sent from my iPhone

On Jan 10, 2009, at 10:58 AM, Brad Hedlund wrote:

> On 1/10/09 8:57 AM, "Chris Burwell" wrote:
>
>> I am fairly certain the 8212zl can accomplish what was described here,
>> the problem will be finding documentation on how to configure
>> everything.
>
> Chris,
> I would be curious to see what you come up with. The 8212 feature list on
> HP's website doesn't show anything similar to VRF-Lite. I'm pretty sure
> VRF-Lite like capabilities are unique to Cisco. Let me know if you find
> otherwise.
>
>
> Cheers,
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From justin at justinshore.com Sun Jan 11 11:37:57 2009
From: justin at justinshore.com (Justin Shore)
Date: Sun, 11 Jan 2009 10:37:57 -0600
Subject: [c-nsp] Fwd: VLAN 1 through routed ports
In-Reply-To: <4C3B8C75B5899943AEC675BA6DD4627301770579@uspalex02.epri.com>
References: <20090108113701.GG104@greenie.muc.de> <20090108140019.GJ104@greenie.muc.de> <49663655.80701@justinshore.com> <74b0c3330901090230s2b4fea51w2fc9cfa61ea5433@mail.gmail.com> <74b0c3330901090233x66a7987dg35d49453e8514573@mail.gmail.com> <4C3B8C75B5899943AEC675BA6DD4627301770579@uspalex02.epri.com>
Message-ID: <496A2065.9010106@justinshore.com>

Higham, Josh wrote:
> Either I'm misunderstanding what you are saying, or this is incorrect.
>
> The native VLAN identifier just dictates what frames are tagged, it
> doesn't control whether they are sent. So if the native vlan is 999,
> with a default config port is in vlan 1, if the port receives traffic it
> will still be sent over the trunk, but tagged with vlan 1 (rather than
> untagged if vlan 1 was native).
>
> Changing the native VLAN would not have prevented the problem that
> Justin is describing. The only solution to that is making sure that
> vlan 1 isn't used in production, so even if frames are generated there
> is no destination.

I think Engel may have mis-read my email and thought I was on a trunk port in which case what he wrote would have been correct. In my case though I was on an access port. Most of that port's config had been wiped clean leaving only switchport and mode access. I could avoid the issue in the future (assuming that the VPN SPA's broken default config can't be fixed) by assigning all my unused access ints to a dummy VLAN.
That would get them out of VLAN 1 and avoid the problem. I usually have all unused ints shutdown when not in use but in this case it was an int I'd previously used for testing and instead wiped the int config clean but left it up.

> Shutting down the vlan 1 SVI will make sure that no traffic from VLAN 1
> is routed, which is a way of enforcing the policy restriction described
> above.

I always shut the VLAN 1 SVI on devices that have it by default (switches for example) and never create it on those that don't. I'm curious though about shutting down the L2 VLAN. That would prove to be helpful. Another helpful thing would be if Cisco would not put an access port into admin up state if an access VLAN hasn't been explicitly defined. If a VLAN hasn't been manually defined then IMHO the interface's config is incomplete and should not be allowed up. Another option would be if Cisco would add the ability to define the default VLAN used on all ports that don't have an explicit access VLAN defined. That would be helpful as well.

Justin

From gert at greenie.muc.de Sun Jan 11 11:56:21 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 11 Jan 2009 17:56:21 +0100
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com>
References: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com>
Message-ID: <20090111165620.GT104@greenie.muc.de>

Hi,

On Sun, Jan 11, 2009 at 09:19:54AM -0700, Brandon Bennett wrote:
> In all honesty it's a stupid term as VRF technology isn't tied to MPLS
> at all. Yes vrf is required for l3 vpns but so is mBGP and we don't
> have mBGP-lite :)

Well, mBGP is not strictly required... you can do L3 VPNs just fine with any other routing protocol (which is VRF aware), but it might be less convenient - and is certainly scaling less well.

(You'd need dedicated per-VRF links between your PE routers, of course)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From brhedlun at cisco.com Sun Jan 11 12:02:09 2009
From: brhedlun at cisco.com (Brad Hedlund (brhedlun))
Date: Sun, 11 Jan 2009 11:02:09 -0600
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com>
References: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com>
Message-ID:

The term "VRF-Lite" comes from when Cisco started delivering VRF capabilities across all Catalyst L3 platforms, even the low end.

Many vendors do support VRF on their high end routers and switches, but few have comprehensive VRF support from the high end all the way to the low end.

MBGP is not required for L3 VPN's. That's the beauty of VRF-Lite end to end. A customer can deploy a handful of L3 VPN's within their own campus without MPLS or BGP.

Sent from my iPhone

Brad Hedlund

On Jan 11, 2009, at 10:20 AM, "Brandon Bennett" wrote:

> Vrf-lite is just a Cisco term for utilizing VRFs when no MPLS is
> present. Any vendor who supports VRFs supports "VRF-lite".
>
> In all honesty it's a stupid term as VRF technology isn't tied to
> MPLS at all. Yes vrf is required for l3 vpns but so is mBGP and we
> don't have mBGP-lite :)
>
> -Brandon
From justin at justinshore.com Sun Jan 11 12:22:42 2009
From: justin at justinshore.com (Justin Shore)
Date: Sun, 11 Jan 2009 11:22:42 -0600
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <20090111131922.GS104@greenie.muc.de>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il> <20090111131922.GS104@greenie.muc.de>
Message-ID: <496A2AE2.2090400@justinshore.com>

Gert Doering wrote:
> Hi,
>
> On Sun, Jan 11, 2009 at 01:41:59PM +0200, Hank Nussbacher wrote:
>> That provides RMA which we do not need. We want *only* TAC access and IOS
>> downloads. Softnet provided that option - which Cisco has abolished.
>
> Oh. Interesting. Softnet would have been what we've been asking Cisco
> for for years - but it has never been offered to us :-(
>
> (With a high number of similar boxes, hardware RMA quickly becomes more
> expensive than just having a spare box - but IOS downloads + bugfixes
> is definitely a useful thing to have).

There is a SmartNet option with software, TAC support, and no advanced replacement in SP Base. Specifically you want SP-SW for your device. To give you an idea of the price difference for a 7201 with no on-site support, 24x7x4 is $3226, 8x5xNBD is $2016, 10-day return-to-factory (RTF) is $1764, and finally software and TAC wo/ replacement is $1638 (MSRP on all). If you're big enough to justify a sparing strategy then SP-SW is for you. We aren't big enough at this point to eat the cost of a failed router so I implemented a sparing strategy with the 10-day RTF SmartNet.
I took all our gear and grouped it together in groups of common devices that could be covered by a single spare. That gave me 5 different devices that I had to buy for spares. I covered all those devices with 10-day RTF coverage. The remaining items that we simply didn't have enough of to justify buying a spare (7600s for example) we bought 24x7x4 or 8x5xNBD depending on the device. In the end everything we have is covered with a sufficient amount of support or a spare to ensure that we're only down for a few hours. We saved money and used it to buy more hardware (spares) which will allow me to build a lab. So far so good...

Justin

From ecables at gmail.com Sun Jan 11 12:28:15 2009
From: ecables at gmail.com (Eric Cables)
Date: Sun, 11 Jan 2009 11:28:15 -0600
Subject: [c-nsp] Procurve DHCP relay question
In-Reply-To:
References:
Message-ID:

Thanks all for the feedback. Turns out the software revision on the switch (0.8.58) was part of a revision window that had dhcp relay OFF by default. I upgraded to the latest revision, which had it enabled.

On 1/9/09, Jeremy L. Gaddis wrote:
> On Thu, 8 Jan 2009, Eric Cables wrote:
>> I'm in the middle of a transition from HP -> Cisco, with an HP 2848 as the
>> "core", so sorry if this e-mail is off topic. I am having a hard time
>> getting DHCP relay to work, and was hoping someone with HP experience could
>> chime in with some assistance.
>>
>> I've created a new VLAN, and have specified a helper-address to point to a
>> DHCP server that manages dozens of scopes. The new VLAN functions fine,
>> assuming users are given a static address, but DHCP does not appear to work
>> at all.
>
>
> Hi Eric,
>
> I'm not sure how helpful this might be (it seems you've already taken the
> necessary steps), but here's a cut and paste from a production switch
> doing the same thing (a 5400 in this case):
>
> vlan 4071
>    name "VLAN4071"
>    ip helper-address 10.144.16.2
>    ip address 10.144.1.65 255.255.255.192
>    tagged A1-A4,Trk1
>    exit
>
> HTH,
> -j
>
> --
> Jeremy L. Gaddis
> http://evilrouters.net
>

--
Sent from my mobile device

--
Eric Cables

From dwinkworth at att.net Sun Jan 11 13:58:51 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Sun, 11 Jan 2009 12:58:51 -0600
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
References: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com>
Message-ID: <496A416B.8060501@att.net>

Juniper supports it well. The EX series 1U switches are pretty decent actually.

But, again... he might be able to get this done without VRFs...

Brad Hedlund (brhedlun) wrote:
> The term "VRF-Lite" comes from when Cisco started delivering VRF
> capabilities across all Catalyst L3 platforms, even the low end.
>
> Many vendors do support VRF on their high end routers and switches,
> but few have comprehensive VRF support from the high end all the way to
> the low end.
>
> MBGP is not required for L3 VPN's. That's the beauty of VRF-Lite end
> to end. A customer can deploy a handful of L3 VPN's within their own
> campus without MPLS or BGP.
>
> Sent from my iPhone
>
> Brad Hedlund
From brhedlun at cisco.com Sun Jan 11 14:22:51 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Sun, 11 Jan 2009 13:22:51 -0600
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To: <496A416B.8060501@att.net>
Message-ID:

On 1/11/09 12:58 PM, "Derick Winkworth" wrote:
> But, again... he might be able to get this done without VRFs...

Yes, possibly. At the expense of dynamic routing.
Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From cburwell at gmail.com Sun Jan 11 16:14:51 2009
From: cburwell at gmail.com (Chris Burwell)
Date: Sun, 11 Jan 2009 16:14:51 -0500
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To: <496A416B.8060501@att.net>
References: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com> <496A416B.8060501@att.net>
Message-ID:

More than likely we will go in the direction of adding an additional layer 3 device off of the external interface of our firewall. We will use this layer 3 device to make the decision as to which interface the traffic should be forwarded onto.

We could probably accomplish this with a Procurve layer 3 switch, which can handle the basic routing as well as the traffic for a minimal amount. Everything is still up in the air right now. I still need to have several meetings with both our proposed ISP as well as the network admin from the IU. From there I should have the proper information to make a solid recommendation.

As I said before, I will report back what I find about HP's support of VRF-Lite (or something similar).

- Chris

On Sun, Jan 11, 2009 at 1:58 PM, Derick Winkworth wrote:
> Juniper supports it well. The EX series 1U switches are pretty decent
> actually.
>
> But, again... he might be able to get this done without VRFs...
From justin at justinshore.com Sun Jan 11 16:34:14 2009
From: justin at justinshore.com (Justin Shore)
Date: Sun, 11 Jan 2009 15:34:14 -0600
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
References: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com> <496A416B.8060501@att.net>
Message-ID: <496A65D6.2010800@justinshore.com>

You could also route out to IU via a DMZ interface on the firewall. Depending on what services they're providing to you, you may be required (by law in many cases) to encrypt the transmission of data to IU. This would be the case if you were a medical institution transmitting data to an offsite data warehousing facility (HIPAA) or if you were an educational institution and this facility was providing you with data warehousing again, internal email hosting, grading and attendance apps, etc (FERPA and/or HIPAA).

Justin

Chris Burwell wrote:
> More than likely we will go in the direction of adding an additional
> layer 3 device off of the external interface of our firewall. We will
> use this layer 3 device to make the decision as to which interface the
> traffic should be forwarded onto.
>
> We could probably accomplish this with a Procurve layer 3 switch,
> which can handle the basic routing as well as the traffic for a
> minimal amount. Everything is still up in the air right now. I still
> need to have several meetings with both our proposed ISP as well as
> the network admin from the IU. From there I should have the proper
> information to make a solid recommendation.
>
> As I said before, I will report back what I find about HP's support of
> VRF-Lite (or something similar).
From skeeve at skeeve.org Sun Jan 11 16:40:20 2009
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Mon, 12 Jan 2009 08:40:20 +1100
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
References: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com> <496A416B.8060501@att.net>
Message-ID: <005001c97435$33f59130$9be0b390$@org>

Speaking on VRF-Lite.

What is the easiest way to link two VRF's on two separate routers in layer 2 - so each VRF can see the arp and so on from the other?

...Skeeve

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Burwell
Sent: Monday, 12 January 2009 8:15 AM
To: Derick Winkworth
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Logical Router Segmentation
From cburwell at gmail.com Sun Jan 11 16:50:41 2009
From: cburwell at gmail.com (Chris Burwell)
Date: Sun, 11 Jan 2009 16:50:41 -0500
Subject: [c-nsp] Procurve DHCP relay question
Message-ID:

That's great to hear Eric! I ran into some DHCP issues when using MAC authentication over RADIUS on a 5412zl this summer. In my case a simple software upgrade did the trick as well!

- Chris

> Message: 3
> Date: Sun, 11 Jan 2009 11:28:15 -0600
> From: "Eric Cables"
> Subject: Re: [c-nsp] Procurve DHCP relay question
> To: "Jeremy L. Gaddis" , "cisco-nsp at puck.nether.net"
> Message-ID:
> Content-Type: text/plain; charset=ISO-8859-1
>
> Thanks all for the feedback. Turns out the software revision on the
> switch (0.8.58) was part of a revision window that had dhcp relay OFF
> by default. I upgraded to the latest revision, which had it enabled.
From brhedlun at cisco.com Sun Jan 11 17:12:49 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Sun, 11 Jan 2009 16:12:49 -0600
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To: <005001c97435$33f59130$9be0b390$@org>
Message-ID:

On 1/11/09 3:40 PM, "Skeeve Stevens" wrote:
> What is the easiest way to link two VRF's on two separate routers in layer 2
> - so each VRF can see the arp and so on from the other?

802.1Q Tagging. Either using subinterfaces on routed ports, or SVI's on L2 trunking ports.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html#wp80090

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From hank at efes.iucc.ac.il Sun Jan 11 17:33:09 2009
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Mon, 12 Jan 2009 00:33:09 +0200 (IST)
Subject: [c-nsp] Softnet replacement?
In-Reply-To: <496A2AE2.2090400@justinshore.com>
References: <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111102653.00af7e60@efes.iucc.ac.il> <5.1.0.14.2.20090111134107.0576f948@efes.iucc.ac.il> <20090111131922.GS104@greenie.muc.de> <496A2AE2.2090400@justinshore.com>
Message-ID:

On Sun, 11 Jan 2009, Justin Shore wrote:

> There is a SmartNet option with software, TAC support, and no advanced
> replacement in SP Base. Specifically you want SP-SW for your device. To give
> you an idea of the price difference for a 7201 with no on-site support,
> 24x7x4 is $3226, 8x5xNBD is $2016, 10-day return-to-factory (RTF) is $1764,
> and finally software and TAC wo/ replacement is $1638 (MSRP on all). If
> you're big enough to justify a sparing strategy then SP-SW is for you.

Thanks! That's exactly what I was looking for.

-Hank

From ltd at cisco.com Sun Jan 11 17:35:10 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 12 Jan 2009 09:35:10 +1100
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To: <005001c97435$33f59130$9be0b390$@org>
References: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com> <496A416B.8060501@att.net> <005001c97435$33f59130$9be0b390$@org>
Message-ID: <496A741E.7000904@cisco.com>

Skeeve Stevens wrote:
> Speaking on VRF-Lite.
>
> What is the easiest way to link two VRF's on two separate routers in layer 2
> - so each VRF can see the arp and so on from the other?
>

I think you've missed a critical bit of understanding here; VRF is a layer 3 concept.

If you wanted to connect two routers together at L2 and push multiple VRFs between them, assuming it's Ethernet between those two routers, logically you'd use 802.1Q VLAN trunking.

cheers,

lincoln.
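Brad's and Lincoln's answers above both come down to one 802.1Q trunk carrying one VLAN per VRF between the two boxes. The configuration below is an added example, not from this thread or from the Cisco path-isolation document Brad linked; the VRF names, VLAN IDs, interface names and 10.0.x.0/24 addresses are assumed. It shows both forms Brad mentions: dot1Q subinterfaces on a routed port (R1) and SVIs behind an L2 trunk port on a Catalyst L3 switch (SW2), with a separate OSPF process per VRF so each VRF keeps its own routing table and ARP cache on both sides.

```ios
! ===== R1 (router): routed port, one 802.1Q subinterface per VRF =====
! VRF names, RDs, VLAN IDs and addresses are assumed for this example.
ip vrf RED
 rd 65000:10
ip vrf BLUE
 rd 65000:20
!
interface GigabitEthernet0/1
 description 802.1Q trunk to SW2 (carries VLAN 10 = RED, VLAN 20 = BLUE)
 no ip address
!
interface GigabitEthernet0/1.10
 description VRF RED point-to-point to SW2
 encapsulation dot1Q 10
 ! "ip vrf forwarding" clears any address already on the interface,
 ! so it must be entered before "ip address".
 ip vrf forwarding RED
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description VRF BLUE point-to-point to SW2
 encapsulation dot1Q 20
 ip vrf forwarding BLUE
 ip address 10.0.20.1 255.255.255.0
!
! One OSPF process per VRF: routes learned in RED never reach BLUE.
! "capability vrf-lite" turns off the PE-only loop-prevention checks
! (DN bit / domain tag) that would otherwise drop routes on a CE-style box.
router ospf 10 vrf RED
 capability vrf-lite
 network 10.0.10.0 0.0.0.255 area 0
router ospf 20 vrf BLUE
 capability vrf-lite
 network 10.0.20.0 0.0.0.255 area 0

! ===== SW2 (Catalyst L3 switch): L2 trunk port, one SVI per VRF =====
ip vrf RED
 rd 65000:10
ip vrf BLUE
 rd 65000:20
!
vlan 10
 name RED-to-R1
vlan 20
 name BLUE-to-R1
!
interface GigabitEthernet1/0/1
 description 802.1Q trunk to R1
 ! "trunk encapsulation" is only accepted on platforms that also offer ISL.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Only the two VRF transit VLANs ride this link; VLAN 1 and every other
 ! VLAN stay off it, which is the same hygiene the VLAN 1 thread argues for.
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface Vlan10
 ip vrf forwarding RED
 ip address 10.0.10.2 255.255.255.0
!
interface Vlan20
 ip vrf forwarding BLUE
 ip address 10.0.20.2 255.255.255.0
!
router ospf 10 vrf RED
 capability vrf-lite
 network 10.0.10.0 0.0.0.255 area 0
router ospf 20 vrf BLUE
 capability vrf-lite
 network 10.0.20.0 0.0.0.255 area 0
!
! Verification (either side): each VRF should list only its own link and
! OSPF-learned prefixes, and its own ARP entries:
!   show ip vrf interfaces
!   show ip route vrf RED
!   show ip arp vrf BLUE
```

The two VRFs share the physical wire but never share a routing table; what Skeeve described (one VRF seeing the other's ARP) would only happen if both VRFs were placed in the same VLAN, which defeats the segmentation.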
From bennetb at gmail.com Sun Jan 11 19:57:54 2009
From: bennetb at gmail.com (Brandon Bennett)
Date: Sun, 11 Jan 2009 17:57:54 -0700
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
References: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com>
Message-ID:

I should have specified RFC2547 VPNs.

Sent from my iPhone

On Jan 11, 2009, at 10:02 AM, "Brad Hedlund (brhedlun)" wrote:

> The term "VRF-Lite" comes from when Cisco started delivering VRF
> capabilities across all Catalyst L3 platforms, even the low end.
>
> Many vendors do support VRF on their high end routers and switches,
> but few have comprehensive VRF support from the high end all the way to
> the low end.
>
> MBGP is not required for L3 VPN's. That's the beauty of VRF-Lite end
> to end. A customer can deploy a handful of L3 VPN's within their
> own campus without MPLS or BGP.
>
> Sent from my iPhone
>
> Brad Hedlund
From bennetb at gmail.com Sun Jan 11 20:05:05 2009
From: bennetb at gmail.com (Brandon Bennett)
Date: Sun, 11 Jan 2009 18:05:05 -0700
Subject: [c-nsp] Logical Router Segmentation
In-Reply-To:
References: <2D550C67-963D-4A7A-A037-D6A4EDAC8BF4@gmail.com>
Message-ID: <798AF92E-4CC8-453D-8AB3-4F401CC64C5A@gmail.com>

Sent from my iPhone

On Jan 11, 2009, at 10:02 AM, "Brad Hedlund (brhedlun)" wrote:

> The term "VRF-Lite" comes from when Cisco started delivering VRF
> capabilities across all Catalyst L3 platforms, even the low end.

Exactly. It's Cisco marketing speak. It's just another name for VRF to the rest of us.

> Many vendors do support VRF on their high end routers and switches,
> but few have comprehensive VRF support from the high end all the way to
> the low end.

Juniper EX series supports it. Not many other brands I would trust my L3 infrastructure to.

> MBGP is not required for L3 VPN's. That's the beauty of VRF-Lite end
> to end. A customer can deploy a handful of L3 VPN's within their
> own campus without MPLS or BGP.

I should have specified RFC2547 VPNs as that's what I was using as a comparison. I guess at the heart of this email is the fact I loathe the vrf-lite term or Multi-vrf (ie describing dot1q or frame-relay in conjunction with vrfs)

> Sent from my iPhone
>
> Brad Hedlund
>> Yes VRF is required for L3 VPNs but so is mBGP and
>> we don't have mBGP-lite :)
>>
>> -Brandon
>>
>> Sent from my iPhone
>>
>> On Jan 10, 2009, at 10:58 AM, Brad Hedlund wrote:
>>
>>> On 1/10/09 8:57 AM, "Chris Burwell" wrote:
>>>
>>>> I am fairly certain the 8212zl can accomplish what was described here,
>>>> the problem will be finding documentation on how to configure everything.
>>>
>>> Chris,
>>> I would be curious to see what you come up with. The 8212 feature list on
>>> HP's website doesn't show anything similar to VRF-Lite. I'm pretty sure
>>> VRF-Lite like capabilities are unique to Cisco. Let me know if you find
>>> otherwise.
>>>
>>> Cheers,
>>> Brad Hedlund
>>> bhedlund at cisco.com
>>> http://www.internetworkexpert.org

From matt at iseek.com.au Sun Jan 11 19:14:55 2009
From: matt at iseek.com.au (Matt Carter)
Date: Mon, 12 Jan 2009 10:14:55 +1000
Subject: [c-nsp] Fwd: VLAN 1 through routed ports
In-Reply-To: <496A2065.9010106@justinshore.com>
References: <20090108113701.GG104@greenie.muc.de> <20090108140019.GJ104@greenie.muc.de> <49663655.80701@justinshore.com> <74b0c3330901090230s2b4fea51w2fc9cfa61ea5433@mail.gmail.com> <74b0c3330901090233x66a7987dg35d49453e8514573@mail.gmail.com> <4C3B8C75B5899943AEC675BA6DD4627301770579@uspalex02.epri.com> <496A2065.9010106@justinshore.com>
Message-ID: <7FEDD455961B164D8C4EEA60E2291420793B9750D8@EXCHANGE1.intranet.iseek.com.au>

> I think Engel may have mis-read my email and thought I was on a trunk
> port in which case what he wrote would have been correct. In my case
> though I was on an access port. Most of that port's config had been
> wiped clean leaving only switchport and mode access. I could avoid the
> issue in the future (assuming that the VPN SPA's broken default config
> can't be fixed) by assigning all my unused access ints to a dummy VLAN.
> That would get them out of VLAN 1 and avoid the problem. I usually
> have all unused ints shutdown when not in use but in this case it was an
> int I'd previously used for testing and instead wiped the int config
> clean but left it up.

Hi all,

The problem with this train of thought in my experience is that the dummy VLAN (e.g. 4094 may be a nice choice) may be auto-created upon you typing switchport mode access, switchport access vlan .. (depending on your platform/code). Obviously it's easy enough to conf the ports in their default dummy state and then delete VLAN 4094 that was auto-created at the end, but if you de-provision a port and return it to the dummy VLAN, the switch may auto-create the VLAN in that process (again depending on platform/code).

One solution to this (in a VTP transparent mode environment) may simply be to prevent the dummy VLAN from being trunked beyond the access switch, containing the dummy VLAN connectivity to the local device. It's not going to prevent two ports that have been unshut in the dummy VLAN talking to each other on the same device, but they aren't going to be getting very far beyond that. Just an idea...

I, like you, don't like having ports sitting in VLAN 1, regardless of whether they are shut down or not. Curious what other people on the list think on this subject..

Kind regards,
--matt

From skeeve at skeeve.org Sun Jan 11 20:34:28 2009
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Mon, 12 Jan 2009 12:34:28 +1100
Subject: [c-nsp] Max number of users on Aironet 1252AG
Message-ID: <001601c97455$e93ad940$bbb08bc0$@org>

Hey all,

I need to come up with a quick solution for a large scale temporary wireless solution.

It is for some roving festivals and the request has been for 4000 connections, but I think I can talk them down.

What I am wondering is:
How many simultaneous users can a 1252AG handle? And is there any difference in capacity if I use lightweight units and backend into a Wireless access controller? In fact, how many users can they (4402) handle?

Any other suggestions guys?

...Skeeve

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve

eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From ney25 at hotmail.com Sun Jan 11 20:54:21 2009
From: ney25 at hotmail.com (Jack)
Date: Mon, 12 Jan 2009 09:54:21 +0800
Subject: [c-nsp] Max number of users on Aironet 1252AG
In-Reply-To: <001601c97455$e93ad940$bbb08bc0$@org>
References: <001601c97455$e93ad940$bbb08bc0$@org>
Message-ID:

Hi Skeeve,

In the past I implemented WiSM / WLC in the campus. I used 50 users for 1 AP but I have seen a lot of intermittent problems and connectivity issues occur. So I got the advice from Cisco to adjust the AP so it can only handle up to max 25-30; this then solved the connectivity issue. But I would suggest you create multiple VLANs for wireless (for instance Zone A - VLAN 10, Zone B - VLAN 11) if you have more than 500 users. Otherwise, when all users connect at the same time you will have another problem like unicast flooding.

Regards,
Jack

--------------------------------------------------
From: "Skeeve Stevens"
Sent: Monday, 12 January, 2009 9:34 AM
To:
Subject: [c-nsp] Max number of users on Aironet 1252AG

> Hey all,
>
> I need to come up with a quick solution for a large scale temporary wireless
> solution.
>
> It is for some roving festivals and the request has been for 4000
> connections, but I think I can talk them down.
>
> What I am wondering is: how many simultaneous users can a 1252AG handle?
> And is there any difference in capacity if I use lightweight units and
> backend into a Wireless access controller? In fact, how many users can they
> (4402) handle?
>
> Any other suggestions guys?
>
> ...Skeeve
>
> --
> Skeeve Stevens, RHCE
> skeeve at skeeve.org / www.skeeve.org
> Cell +61 (0)414 753 383 / skype://skeeve
>
> eintellego - skeeve at eintellego.net - www.eintellego.net
> --
> I'm a groove licked love child king of the verse
> Si vis pacem, para bellum

From td_miles at yahoo.com Sun Jan 11 22:15:09 2009
From: td_miles at yahoo.com (Tony)
Date: Sun, 11 Jan 2009 19:15:09 -0800 (PST)
Subject: [c-nsp] Max number of users on Aironet 1252AG
In-Reply-To: <001601c97455$e93ad940$bbb08bc0$@org>
Message-ID: <92875.3455.qm@web110106.mail.gq1.yahoo.com>

--- On Mon, 12/1/09, Skeeve Stevens wrote:

> From: Skeeve Stevens
> Subject: [c-nsp] Max number of users on Aironet 1252AG
> To: cisco-nsp at puck.nether.net
> Date: Monday, 12 January, 2009, 12:34 PM
> Hey all,
>
> I need to come up with a quick solution for a large scale
> temporary wireless solution.
>
> It is for some roving festivals and the request has been
> for 4000 connections, but I think I can talk them down.

Is this 4000 simultaneous connections (all using it at once), or the total number of users that will be in attendance and maybe wanting to use a wifi connection at some point? If it's the total number, any idea on how many might be connected at any point in time?

> What I am wondering is: how many simultaneous users can a
> 1252AG handle?

A previous poster suggested 25-30 users per AP. A quick search reveals quite a few credible sites with similar figures. I'm sure you can do the math, that's quite a few APs.

MS suggests an average of 2-4 users "is a good average to maximize the performance while still effectively utilizing the wireless LAN" :)

http://technet.microsoft.com/en-us/library/bb457091.aspx

> And is there any difference in capacity if I use
> lightweight units and backend into a Wireless access controller?
> In fact, how many users can they (4402) handle?

Doesn't appear to be a "user" limit on the 4400 range. They are limited based on how many APs they can control. 4402 comes in 12, 25 & 50 AP models. 4404 is for up to 100 APs.

http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6307/product_data_sheet0900aecd802570b0_ps6366_Products_Data_Sheet.html

regards,
Tony.

From A.L.M.Buxey at lboro.ac.uk Mon Jan 12 04:05:37 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 12 Jan 2009 09:05:37 +0000
Subject: [c-nsp] Max number of users on Aironet 1252AG
In-Reply-To: <001601c97455$e93ad940$bbb08bc0$@org>
References: <001601c97455$e93ad940$bbb08bc0$@org>
Message-ID: <20090112090537.GC19930@lboro.ac.uk>

hi,

Around 30 users per wifi channel on the AP - e.g. 30 on 802.11a, 30 on 802.11b/g - is the reasonable value per AP. That's for 1242, 1131, 1252 etc.

The wireless controller doesn't have a limit as such for number of users - especially if you DON'T use it as the captive portal etc and just use it to control the APs (use a separate Linux box, for example, as a captive portal). However, it DOES have a limit on the number of APs it can support - decided by a licence.

If you are talking about 4000 concurrent users then I'd immediately state you want at least 8 subnets with 510 users in each - e.g. /23s from a /16 class B private... as that wireless is going to be massively swamped by broadcast activity - especially with Windows laptops... 16 /24s might be even better.. however mobility between APs would then get interesting.
alan

From sha90w at gmail.com Mon Jan 12 05:17:20 2009
From: sha90w at gmail.com (Michail Litvak)
Date: Mon, 12 Jan 2009 12:17:20 +0200
Subject: [c-nsp] CVR-X2-SFP
In-Reply-To:
References:
Message-ID:

On Thu, Mar 13, 2008 at 6:55 PM, Michail Litvak wrote:
> Has anyone tried to use CVR-X2-SFP (Cisco TwinGig Converter Module) with
> the cat6500 WS-X6708-10GE module?
> I tried to insert it but got "bad EEPROM".

Let me return to this topic. We have a new SUP VS-S720-10G with two X2 10G onboard ports - does anyone know about support for CVR-X2-SFP in these ports?

Thanks.

--
MYL2-RIPE

From rens at autempspourmoi.be Mon Jan 12 06:34:30 2009
From: rens at autempspourmoi.be (Rens)
Date: Mon, 12 Jan 2009 12:34:30 +0100
Subject: [c-nsp] Cisco 3560G and non-Cisco SFP
Message-ID:

Hi,

I have tried using non-Cisco SFPs (1000-SX, Foundry and ProLabs) on a Cisco 3560G switch and I keep getting this error:

5d23h: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc
5d23h: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi0/2, putting Gi0/2 in err-disable state

Gi0/2    err-disabled    200    auto    auto    unknown

The version I run is:

System image file is "flash:c3560-ipbase-mz.122-25.SEE3/c3560-ipbase-mz.122-25.SEE3.bin"

Has anyone else experienced a problem like this? Any easy fixes?

Regards,
Rens

From blahu77 at gmail.com Mon Jan 12 08:23:25 2009
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Mon, 12 Jan 2009 13:23:25 +0000
Subject: [c-nsp] Cisco 3560G and non-Cisco SFP
In-Reply-To:
References:
Message-ID: <383357750901120523x1beb5c52q5f860d70a2136951@mail.gmail.com>

Rens,

> I have tried using non-Cisco SFPs (1000-SX, Foundry and ProLabs) on a Cisco
> 3560G switch and I keep getting this error:
>
> 5d23h: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad
> crc
>
> 5d23h: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi0/2, putting
> Gi0/2 in err-disable state
>
> Gi0/2    err-disabled    200    auto    auto    unknown

errdisable recovery cause gbic-invalid
service unsupported-transceiver

should help...

-mat

--
pgp-key 0x1C655CAB

From peter at rathlev.dk Mon Jan 12 08:28:17 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 12 Jan 2009 14:28:17 +0100
Subject: [c-nsp] Cisco 3560G and non-Cisco SFP
In-Reply-To:
References:
Message-ID: <1231766897.6646.10.camel@localhost.localdomain>

On Mon, 2009-01-12 at 12:34 +0100, Rens wrote:
> 5d23h: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi0/2, putting
> Gi0/2 in err-disable state
>
> Gi0/2    err-disabled    200    auto    auto    unknown
>
> The version I run is:
>
> System image file is
> "flash:c3560-ipbase-mz.122-25.SEE3/c3560-ipbase-mz.122-25.SEE3.bin"
>
> Has anyone else experienced a problem like this? Any easy fixes?

You could use the unsupported command "service unsupported-transceiver". Beware that there's a reason the command is hidden and unsupported -- with an unsupported SFP in the chassis Cisco can/may/will deny you support for the device.

Regards,
Peter

From pete at bytemark.co.uk Mon Jan 12 07:38:36 2009
From: pete at bytemark.co.uk (Peter Taphouse)
Date: Mon, 12 Jan 2009 12:38:36 +0000
Subject: [c-nsp] Cisco 3560G and non-Cisco SFP
In-Reply-To:
References:
Message-ID: <496B39CC.7030705@bytemark.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

> Has anyone else experienced a problem like this? Any easy fixes?

If it's just a non-Cisco serial number, then try "service unsupported-transceiver".

Cheers,

--
Peter Taphouse
Bytemark Hosting
http://www.bytemark.co.uk/
tel. +44 (0) 845 004 3 004

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJaznMIAZ7OKeBB58RAvTKAJ4oNpY+5Jjv4MCyeek7ZUlqQR88agCfQZ54
3eoSy5Sl9FV1RcNGJ/wkETk=
=sRDn
-----END PGP SIGNATURE-----

From rubensk at gmail.com Mon Jan 12 08:38:13 2009
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 12 Jan 2009 11:38:13 -0200
Subject: [c-nsp] MPLS fast reroute without full mesh traffic engineering
Message-ID: <6bb5f5b10901120538u292ad7f2vc7de4a5f133810c1@mail.gmail.com>

I'm trying to map US Patent 7230913 (http://www.patentstorm.us/patents/7230913.html) to a specific IOS feature... it sounded to me like AutoTunnel, is that so?

Rubens

From kharananda at subisu.net.np Mon Jan 12 09:07:21 2009
From: kharananda at subisu.net.np (kharananda)
Date: Mon, 12 Jan 2009 19:52:21 +0545
Subject: [c-nsp] l2tp problem in Cisco 1841
Message-ID: <496B4E99.4080904@subisu.net.np>

Dear All,

Is there any issue with L2TP in the Cisco 1841? I am using the "c1841-adventerprisek9-mz.124-16.bin" IOS. I am facing drops after a few successive ping packets. While defining the pseudowire-class I tried L2TP sourced from the connected interface ("ip local interface fa 0/0"). Alternatively I also tried sourcing from the loopback ("ip local interface loopback 0"), but got the same result. I also tried the global config "ip tcp path-mtu-discovery" to address whether it is an MTU issue.

Can someone please help me in this regard??

Regards,
Khara Nanda Luitel.

From philxor at gmail.com Mon Jan 12 09:06:51 2009
From: philxor at gmail.com (Phil Bedard)
Date: Mon, 12 Jan 2009 09:06:51 -0500
Subject: [c-nsp] MPLS fast reroute without full mesh traffic engineering
In-Reply-To: <6bb5f5b10901120538u292ad7f2vc7de4a5f133810c1@mail.gmail.com>
References: <6bb5f5b10901120538u292ad7f2vc7de4a5f133810c1@mail.gmail.com>
Message-ID: <7A2ACD1F-93A6-4A4B-A627-4BEDDCD3A2A5@gmail.com>

autotunnel primary one-hop. The one-hop portion being the important part.
Phil

On Jan 12, 2009, at 8:38 AM, Rubens Kuhl Jr. wrote:

> I'm trying to map US Patent 7230913
> (http://www.patentstorm.us/patents/7230913.html) to a specific IOS
> feature... it sounded to me like AutoTunnel, is that so?
>
> Rubens

From leigh.bogardis at aciernet.com Mon Jan 12 09:10:32 2009
From: leigh.bogardis at aciernet.com (Leigh Bogardis -Aciernet)
Date: Mon, 12 Jan 2009 15:10:32 +0100
Subject: [c-nsp] General enquiry re updates to IOS
Message-ID: <496B4F58.5090209@aciernet.com>

Hi,

Firstly, thanks to everyone on this list. The real world solutions offered to the sorts of problems here are great.

My problem is not so much technical as procedural. I'm wondering if Cisco offers automated notices on IOS upgrades/updates, i.e. an email sent out automagically when a new version is released...

With best regards,
LB

--
Leigh Bogardis
Network Engineer: CCNP CCDA
ZAC de la Butte - 2 Rue Edison - 91620 NOZAY - France
Tel.: +33 (0)1 6901 5372
Fax: +33 (0)1 6980 6423
Mobile: +33 (0)6 0356 9596
E. leigh.bogardis at aciernet.com
http://www.aciernet.com

From rubensk at gmail.com Mon Jan 12 09:25:56 2009
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 12 Jan 2009 12:25:56 -0200
Subject: [c-nsp] MPLS fast reroute without full mesh traffic engineering
In-Reply-To: <7A2ACD1F-93A6-4A4B-A627-4BEDDCD3A2A5@gmail.com>
References: <6bb5f5b10901120538u292ad7f2vc7de4a5f133810c1@mail.gmail.com> <7A2ACD1F-93A6-4A4B-A627-4BEDDCD3A2A5@gmail.com>
Message-ID: <6bb5f5b10901120625m1458494eibc20e5df36b42050@mail.gmail.com>

Very interesting. After reading the document, though, I couldn't fully understand if primary one-hop is enough to achieve low latency switchover (most likely not), or how to create backup one-hop tunnels, or if only primary one-hop tunnels are allowed and backup tunnels are still full-meshed.

Rubens

On Mon, Jan 12, 2009 at 12:06 PM, Phil Bedard wrote:
> autotunnel primary one-hop. The one-hop portion being the important part.
>
> Phil
>
> On Jan 12, 2009, at 8:38 AM, Rubens Kuhl Jr. wrote:
>
>> I'm trying to map US Patent 7230913
>> (http://www.patentstorm.us/patents/7230913.html) to a specific IOS
>> feature... it sounded to me like AutoTunnel, is that so?
>>
>> Rubens

From oboehmer at cisco.com Mon Jan 12 09:34:31 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 12 Jan 2009 15:34:31 +0100
Subject: [c-nsp] MPLS fast reroute without full mesh traffic engineering
In-Reply-To: <6bb5f5b10901120625m1458494eibc20e5df36b42050@mail.gmail.com>
References: <6bb5f5b10901120538u292ad7f2vc7de4a5f133810c1@mail.gmail.com> <7A2ACD1F-93A6-4A4B-A627-4BEDDCD3A2A5@gmail.com> <6bb5f5b10901120625m1458494eibc20e5df36b42050@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406AEADE2@xmb-ams-333.emea.cisco.com>

You obviously need MPLS-TE backup tunnels to achieve fastest convergence, and auto-tunnel backup addresses this. These backup tunnels are created dynamically and based on demand, i.e. if there are links not used by primary tunnels, backup tunnels won't be built. Backup tunnels will never be fully-meshed, they're NHOP/NNHOP only.

To get traffic into tunnels (in order to protect it), you can use one-hop primaries OR auto-tunnel mesh OR manual tunnels.

oli

Rubens Kuhl Jr. <> wrote on Monday, January 12, 2009 15:26:
> Very interesting. After reading the document, though, I couldn't
> fully understand if primary one-hop is enough to achieve low latency
> switchover (most likely not), or how to create backup one-hop tunnels,
> or if only primary one-hop tunnels are allowed and backup tunnels are
> still full-meshed.
>
> Rubens
>
> On Mon, Jan 12, 2009 at 12:06 PM, Phil Bedard wrote:
>> autotunnel primary one-hop. The one-hop portion being the important
>> part.
>>
>> Phil
>>
>> On Jan 12, 2009, at 8:38 AM, Rubens Kuhl Jr. wrote:
>>
>>> I'm trying to map US Patent 7230913
>>> (http://www.patentstorm.us/patents/7230913.html) to a specific IOS
>>> feature... it sounded to me like AutoTunnel, is that so?
>>>
>>> Rubens

From clement at cavadore.net Mon Jan 12 08:51:45 2009
From: clement at cavadore.net (Clement Cavadore)
Date: Mon, 12 Jan 2009 14:51:45 +0100
Subject: [c-nsp] ME3400 & IPv6
Message-ID: <1231768305.23873.11.camel@lanternes.corp.alionis.net>

Hi folks,

I have read on Cisco's website that the ME3400 is not supposed to support IPv6. However, using the latest IOS, 12.2(25)SEG3 METROIPACCESS, in my lab, I notice that there are some (basic) IPv6 commands. I can configure IPv6 addresses on the interfaces, have a working inbound telnet in v6, a working traceroute ipv6 to the outside world using a default ::/0 ipv6 route, access lists, etc., but I didn't manage to get real (static) routing through the ME (and there is no "ipv6 router ospf XXX").
Am I forgetting a magic config key, such as "ipv6 unicast-routing" (which does not seem to exist)?

Here is what a debug ipv6 packet gives me when I try to configure static routing through the ME:

*Mar 1 05:30:32.682: IPV6: source 2A01:290:800:6970::2 (GigabitEthernet0/2)
*Mar 1 05:30:32.682:       dest 2001:7A8:800:FFFF::1 (GigabitEthernet0/1)
*Mar 1 05:30:32.682:       traffic class 0, flow 0x0, len 104+14, prot 58, hops 64, not a router?

It seems that the ME "knows" what to do with the packet, but... Am I missing something?

FYI, both of the ports have been tried as "nni" or "uni".

Thanks,

--
Clément Cavadore

From peter at rathlev.dk Mon Jan 12 09:56:51 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 12 Jan 2009 15:56:51 +0100
Subject: [c-nsp] cisco.com password management
Message-ID: <1231772211.7582.10.camel@localhost.localdomain>

Am I the only one being presented with a new "password management" feature on tools.cisco.com? They're asking:

> As part of our ongoing effort to keep your account secure, we are now
> requiring you to set up two security questions before you reset your
> password. You will only need to do this once. In the future you can
> use your security questions to verify your identify on Cisco.com or if
> you ever need assistance retrieving your password.
>
> As a safeguarding measure, please provide your e-mail address and
> password to continue this security enrollment process; you will be
> automatically redirected to your requested Cisco.com page upon
> completion
>
> NOTE: Security questions do not replace your user ID and password;
> they provide added protection to prevent unauthorized account access.

This is obviously bollocks. Security questions _DO_ replace my user ID and password if they can be used to get access to an account.

What part of Cisco made this up? Why are they in charge?

Regards,
Peter

From dr at cluenet.de Mon Jan 12 10:11:01 2009
From: dr at cluenet.de (Daniel Roesen)
Date: Mon, 12 Jan 2009 16:11:01 +0100
Subject: [c-nsp] cisco.com password management
In-Reply-To: <1231772211.7582.10.camel@localhost.localdomain>
References: <1231772211.7582.10.camel@localhost.localdomain>
Message-ID: <20090112151101.GA25149@srv03.cluenet.de>

On Mon, Jan 12, 2009 at 03:56:51PM +0100, Peter Rathlev wrote:
> This is obviously bollocks. Security questions _DO_ replace my user ID
> and password if they can be used to get access to an account.

Indeed. Those "security questions" definitely LOWER the security on accounts, as a) I won't provide CSCO with any challenge+response only _I_ would know, and b) if I don't, others know as well, so it's in fact sharing passwords.

The only way out is to trick those systems by crafting the questions in a secure way, where challenge+response effectively equals passwords again. Sigh.

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From willay at gmail.com Mon Jan 12 10:13:08 2009
From: willay at gmail.com (William)
Date: Mon, 12 Jan 2009 15:13:08 +0000
Subject: [c-nsp] PIX 6x translation issue
Message-ID:

Hi there chaps,

I have a PIX running 6x software with 3 interfaces:

outside - sec0 (public IP address)
inside - sec100 (10.1.1.253/24)
office - sec90 (10.75.4.253/24)

At the moment I have it configured so hosts on the inside interface can access the internet (natted to the interface IP on outside) and access various networks over VPN (no nat). Hosts on the office network can also access the internet (natted the same as inside).

What I'm trying to figure out is how I can get hosts on the office network to access hosts on the inside network without their addresses being translated.
I've built an access-list and applied it to the office interface, which is straightforward, and I've added the following static:

static (office,inside) 10.75.4.0 10.75.4.0 netmask 255.255.255.0 0 0

However I'm not getting any connectivity, so I added:

access-list office_outbound_nat0_acl permit ip host 10.75.4.1 10.1.1.0 255.255.255.0
nat (office) 0 access-list office_outbound_nat0_acl

At the moment I'm not getting any hits on office_outbound_nat0_acl and no traffic is getting across either. The logs say:

305005: No translation group found for icmp src office:10.75.4.1 dst inside:10.1.1.250 (type 8, code 0)

Which matches up with the traffic I'm sending! Can someone assist me so I know what I'm doing wrong?

Thank you for your time.

W.

From rens at autempspourmoi.be Mon Jan 12 10:42:22 2009
From: rens at autempspourmoi.be (Rens)
Date: Mon, 12 Jan 2009 16:42:22 +0100
Subject: [c-nsp] 3500XL
Message-ID: <1EDA5013A4444E73B6570616FF9C9136@EU.corp.clearwire.com>

Hi,

Does anyone know if a 3500XL supports QinQ?

I can't seem to find this info on the net.

It's actually hard to find a list of all switches (older and newer models) and whether they support QinQ or not. Where could I find this?

Regards,
Rens

From mksmith at adhost.com Mon Jan 12 11:01:06 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 12 Jan 2009 08:01:06 -0800
Subject: [c-nsp] PIX 6x translation issue
In-Reply-To:
References:
Message-ID: <17838240D9A5544AAA5FF95F8D520316054789C8@ad-exh01.adhost.lan>

Hello William:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of William
> Sent: Monday, January 12, 2009 7:13 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX 6x translation issue
>
> Hi there chaps,
>
> I have a PIX running 6x software with 3 interfaces:
>
> outside - sec0 (public IP address)
> inside - sec100 (10.1.1.253/24)
> office - sec90 (10.75.4.253/24)
>
> At the moment I have it configured so hosts on the inside interface
> can access the internet (natted to the interface IP on outside) and access
> various networks over VPN (no nat). Hosts on the office network can
> also access the internet (natted the same as inside).
>
> What I'm trying to figure out is how I can get hosts on the office
> network to access hosts on the inside network without their addresses
> being translated. I've built an access-list and applied it to the
> office interface, which is straightforward, and I've added the
> following static:
>

access-list office-to-inside permit ip 10.75.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside-to-office permit ip 10.1.1.0 255.255.255.0 10.75.4.0 255.255.255.0
access-group inside-to-office in interface inside
access-group office-to-inside in interface office
nat (office) 0 access-list office-to-inside

You can tighten that down to a single host as you had in your example as well.

Regards,

Mike
Name: PGP.sig Type: application/pgp-signature Size: 474 bytes Desc: not available URL: From sthaug at nethelp.no Mon Jan 12 12:23:20 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Mon, 12 Jan 2009 18:23:20 +0100 (CET) Subject: [c-nsp] 3500XL In-Reply-To: <1EDA5013A4444E73B6570616FF9C9136@EU.corp.clearwire.com> References: <1EDA5013A4444E73B6570616FF9C9136@EU.corp.clearwire.com> Message-ID: <20090112.182320.74751410.sthaug@nethelp.no> > Does anyone know if a 3500XL supports QinQ? It does not. > I can't seem to find this info on the net. That may be because 3500XL is more or less end-of-everything. Steinar Haug, Nethelp consulting, sthaug at nethelp.no From justin at justinshore.com Mon Jan 12 12:54:47 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 12 Jan 2009 11:54:47 -0600 Subject: [c-nsp] uRPF inside of a VRF Message-ID: <496B83E7.8030900@justinshore.com> Last night we ran into some trouble with some of our VRFs. When I examined all interfaces related to the service I noticed significant numbers of verification drops. uRPF was recently configured on the interfaces. Does uRPF and VRFs not play nice together? Here's one of the SVIs with a problem: interface Vlan2102 description dc-categroup inside firewall ip vrf forwarding dc-categroup ip address 172.17.0.2 255.255.255.0 ip verify unicast source reachable-via rx allow-default 150 no ip redirects no ip unreachables no ip proxy-arp standby version 2 standby 2102 ip 172.17.0.1 standby 2102 priority 255 standby 2102 preempt That SVI is attached to the inside of the FWSM context that serves that customer. The SVI on the outside of the FWSM context doesn't have any verification drops and neither does another SVI that's used for client VPN termination. Access-list 150 was created some time back to troubleshoot a different issue, a DHCP issue. It's supposed to drop and log hits. 
access-list 150 remark uRPF DENY & LOG-INPUT access-list 150 permit udp any eq bootpc any eq bootps access-list 150 deny ip any any log-input Most drops are not logged however. I'm not sure why other than possibly that the DFC on the linecard is doing the dropping so the Sup doesn't know about the packet and therefore can't log it. Last night it happened on another SVI in an identical scenario (SVI behind the FWSM). I can't for the life of me figure out why it's dropping packets or what they are. Any ideas what's causing this, if uRPF and VRFs don't mix or how I go about seeing what it's dropping besides legit traffic? The hardware is 6700 series linecards in 7600s running SRB1. Could I be hitting a bug? Thanks Justin From James.Munroe at gnb.ca Mon Jan 12 12:28:16 2009 From: James.Munroe at gnb.ca (Munroe, James (DSS/MAS)) Date: Mon, 12 Jan 2009 13:28:16 -0400 Subject: [c-nsp] ME3400 & IPv6 In-Reply-To: <1231768305.23873.11.camel@lanternes.corp.alionis.net> References: <1231768305.23873.11.camel@lanternes.corp.alionis.net> Message-ID: <458B3EC21E4A3044998E917199AACB2FE12B42@GNBEX02.gnb.ca> 12.2(50)SE will have IPv6 support for the ME-3400/3400E series. -----Original Message----- From: Clement Cavadore [mailto:clement at cavadore.net] Sent: Monday, January 12, 2009 9:52 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] ME3400 & IPv6 Hi folks, I have read on cisco website that ME3400 is not supposed to support IPv6. However, using the last IOS, 12.2(25)SEG3 METROIPACCESS on my lab, I can notice that there are some (basic) IPv6 commands. I can configure ipv6 addresses to the interfaces, have a working inbound telnet in v6, a working traceroute ipv6 to the outside world using a default ::/0 ipv6 route, access lists, etc.. but I didn't manage to get a real (static) routing through the ME (and there is no "ipv6 router ospf XXX"). 
Am I forgetting a magic config key, such as "ipv6 unicast-routing" (which does not seem to exist)?

Here is what a debug ipv6 packets gives me when I try to configure a static routing through the ME:

*Mar 1 05:30:32.682: IPV6: source 2A01:290:800:6970::2 (GigabitEthernet0/2)
*Mar 1 05:30:32.682: dest 2001:7A8:800:FFFF::1 (GigabitEthernet0/1)
*Mar 1 05:30:32.682: traffic class 0, flow 0x0, len 104+14, prot 58, hops 64, not a router?

It seems that the ME "knows" what to do with the packet, but... Am I missing something?

FYI, both of the ports have been tried as "nni" or "uni".

Thanks,
--
Clément Cavadore

From eric at atlantech.net Mon Jan 12 14:13:01 2009
From: eric at atlantech.net (Eric Van Tol)
Date: Mon, 12 Jan 2009 14:13:01 -0500
Subject: [c-nsp] ME3400 & IPv6
In-Reply-To: <458B3EC21E4A3044998E917199AACB2FE12B42@GNBEX02.gnb.ca>
References: <1231768305.23873.11.camel@lanternes.corp.alionis.net> <458B3EC21E4A3044998E917199AACB2FE12B42@GNBEX02.gnb.ca>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863514034C67@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Munroe, James (DSS/MAS)
> Sent: Monday, January 12, 2009 12:28 PM
> To: Clement Cavadore; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ME3400 & IPv6
>
> 12.2(50)SE will have IPv6 support for the ME-3400/3400E series.
>

Sent unicast by mistake:

This is good news - any idea when 12.2(50)SE is going to be released?
-evt

From clement at cavadore.net Mon Jan 12 14:19:21 2009
From: clement at cavadore.net (Clement Cavadore)
Date: Mon, 12 Jan 2009 20:19:21 +0100
Subject: [c-nsp] ME3400 & IPv6
In-Reply-To: <458B3EC21E4A3044998E917199AACB2FE12B42@GNBEX02.gnb.ca>
References: <1231768305.23873.11.camel@lanternes.corp.alionis.net> <458B3EC21E4A3044998E917199AACB2FE12B42@GNBEX02.gnb.ca>
Message-ID: <1231787961.23873.37.camel@lanternes.corp.alionis.net>

Hi,

On Mon, 2009-01-12 at 13:28 -0400, Munroe, James (DSS/MAS) wrote:
> 12.2(50)SE will have IPv6 support for the ME-3400/3400E series.

And what about 12.2(25), which actually has IPv6 commands? Is that a "partial" support? Or am I missing something?

Btw, this is good news for 12.2(50)SE :)

Clément

From adriankok2000 at yahoo.com.hk Mon Jan 12 13:22:40 2009
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Tue, 13 Jan 2009 02:22:40 +0800 (CST)
Subject: [c-nsp] urgent help for cisco800
Message-ID: <139327.98553.qm@web33301.mail.mud.yahoo.com>

Hi

I use the usb to serial cable + console cable to connect the cisco800.

the setting is
speed: 9600
parity bit: no
control: None
data bit: 8

I can see the boot info in the hyperterminal but the keyboard is not responding. I reboot many times and the keyboard is still not working.

Any idea and suggestion?

Is it the hyperterminal issue? or any setting problem

Thank you

From p.mayers at imperial.ac.uk Mon Jan 12 14:30:16 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 12 Jan 2009 19:30:16 +0000
Subject: [c-nsp] uRPF inside of a VRF
In-Reply-To: <496B83E7.8030900@justinshore.com>
References: <496B83E7.8030900@justinshore.com>
Message-ID: <496B9A48.4010109@imperial.ac.uk>

Justin Shore wrote:
> Last night we ran into some trouble with some of our VRFs. When I
> examined all interfaces related to the service I noticed significant
> numbers of verification drops. uRPF was recently configured on the
> interfaces.
> Do uRPF and VRFs not play nice together?
>
> Here's one of the SVIs with a problem:
>
> interface Vlan2102
> description dc-categroup inside firewall
> ip vrf forwarding dc-categroup
> ip address 172.17.0.2 255.255.255.0
> ip verify unicast source reachable-via rx allow-default 150
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> standby version 2
> standby 2102 ip 172.17.0.1
> standby 2102 priority 255
> standby 2102 preempt
>
> That SVI is attached to the inside of the FWSM context that serves that
> customer. The SVI on the outside of the FWSM context doesn't have any
> verification drops and neither does another SVI that's used for client
> VPN termination. Access-list 150 was created some time back to
> troubleshoot a different issue, a DHCP issue. It's supposed to drop and
> log hits.
>
> access-list 150 remark uRPF DENY & LOG-INPUT
> access-list 150 permit udp any eq bootpc any eq bootps
> access-list 150 deny ip any any log-input

We have no problems with uRPF and SVIs inside a VRF (but we're not using FWSMs) on our 6500s.

One thing you should note - by default, when adding an ACL to the uRPF command, packets matching "deny" ACEs are forwarded in software - that is, for your ACL above, the process is:

 * if traffic matches 1st ACE (a permit) permit in hardware
 * else if traffic matches 2nd ACE (deny) punt to MSFC for RPF check
 * this will obviously be most packets, and will go slow

See:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/secure.html#wp1088735

There's a global command "mls ip cef rpf hw-enable-rpf-acl" to invert this behaviour (punt the denies to MSFC). This is a pretty stupid default IMHO, and I wonder if it's that behaviour causing your uRPF counters to mis-report?
The other obvious suggestion is to fire up an xSPAN session to see if you are actually getting RPF-invalid packets - we get quite a lot of invalid DHCP renews for example, as clients move between wireless and wired, or different wired subnets, or as things acquire 169.254. addresses.

From rgolodner at infratection.com Mon Jan 12 14:33:36 2009
From: rgolodner at infratection.com (Richard Golodner)
Date: Mon, 12 Jan 2009 13:33:36 -0600
Subject: [c-nsp] urgent help for cisco800
In-Reply-To: <139327.98553.qm@web33301.mail.mud.yahoo.com>
References: <139327.98553.qm@web33301.mail.mud.yahoo.com>
Message-ID: <011f01c974ec$aa23b320$fe6b1960$@com>

On Monday January 11th, Adrian Kok asked:

"I use the usb to serial cable + console cable to connect the cisco800.
the setting is
speed: 9600
parity bit: no
control: None
data bit: 8
I can see the boot info in the hyperterminal but the keyboard is not responding. I reboot many times and the keyboard is still not working.
Any idea and suggestion?"

Adrian, I use the USB to serial converter from Black Box and it works great as long as I keep the correct drivers on the various machines I use. Could you tell us what manufacturer or model you are using and maybe some of the other bright people may have something to add. I have also found that the converter works well, but it is a lot slower than a direct connection.

Hope this helps some.

Sincerely,
Richard Golodner

From geoff at pendery.net Mon Jan 12 14:39:58 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Mon, 12 Jan 2009 13:39:58 -0600
Subject: [c-nsp] urgent help for cisco800
In-Reply-To: <139327.98553.qm@web33301.mail.mud.yahoo.com>
References: <139327.98553.qm@web33301.mail.mud.yahoo.com>
Message-ID:

I had issues with the 1200 APs requiring a different Flow Control setting than the rest of the IOS boxes, and the behavior manifested as "I can see the output, but it won't take my input - particularly carriage returns".

Try Hardware, then XonXoff, for flow control. Can't hurt.
-Geoff

On Mon, Jan 12, 2009 at 12:22 PM, adrian kok wrote:
> Hi
>
> I use the usb to serial cable + console cable to
> connect the cisco800.
>
> the setting is
> speed: 9600
> parity bit: no
> control: None
> data bit: 8
>
> I can see the boot info in the hyperterminal but the
> keyboard is not responding.
> I reboot many times and the keyboard is still not
> working.
>
> Any idea and suggestion?
>
> Is it the hyperterminal issue? or any setting problem
>
> Thank you
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From td_miles at yahoo.com Mon Jan 12 17:08:09 2009
From: td_miles at yahoo.com (Tony)
Date: Mon, 12 Jan 2009 14:08:09 -0800 (PST)
Subject: [c-nsp] PIX 6x translation issue
In-Reply-To:
Message-ID: <394618.11266.qm@web110112.mail.gq1.yahoo.com>

Hi William,

You're close I think...

--- On Tue, 13/1/09, William wrote:
> From: William
> Subject: [c-nsp] PIX 6x translation issue
> To: "cisco-nsp at puck.nether.net"
> Date: Tuesday, 13 January, 2009, 2:12 AM
>
> Hi there chaps,
>
> I have a PIX running 6x software with 3 interfaces:
>
> outside - sec0 (public IP address)
> inside - sec100 (10.1.1.253/24)
> office - sec90 (10.75.4.253/24)
>
> What I'm trying to figure out is how I can get hosts on the office
> network to access hosts on the inside network without their addresses
> being translated. I've built an access-list and applied it to the
> office interface which is straight forward and I've added the
> following static:
>
> static (office,inside) 10.75.4.0 10.75.4.0 netmask 255.255.255.0 0 0
>

I believe you need "static (inside, office)".
> However I'm not getting any connectivity, so I added:
>
> access-list office_outbound_nat0_acl permit ip host 10.75.4.1 10.1.1.0 255.255.255.0
> nat (office) 0 access-list office_outbound_nat0_acl

If you create the static properly, you won't need the "nat 0" statement.

You need to remember the rules:

* If you want to allow OUTSIDE hosts in, then use "static" + "acl" commands.. This also allows INSIDE hosts out using the same static if it's applicable and ACL's allow it.
* If you want to allow INSIDE hosts out, then use "global" + "nat" commands..

I'm using OUTSIDE & INSIDE to refer to generic lower or higher security interfaces.

I've probably confused you now, this document explains it a lot better:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

regards,
Tony.

From rubensk at gmail.com Mon Jan 12 18:27:07 2009
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 12 Jan 2009 21:27:07 -0200
Subject: [c-nsp] ME3400 & IPv6
In-Reply-To: <1231787961.23873.37.camel@lanternes.corp.alionis.net>
References: <1231768305.23873.11.camel@lanternes.corp.alionis.net> <458B3EC21E4A3044998E917199AACB2FE12B42@GNBEX02.gnb.ca> <1231787961.23873.37.camel@lanternes.corp.alionis.net>
Message-ID: <6bb5f5b10901121527m5c302dc4i905d861998dbcc91@mail.gmail.com>

Could it be IPv6 control-plane support but not forwarding support?

As for IPv6 on the ME-3400, I wonder if it will be hardware (Mpps) or software (kpps) support... ME-3400E most likely has IPv6 hardware forwarding, but as for the ME-3400, it might not.

Rubens

On Mon, Jan 12, 2009 at 5:19 PM, Clement Cavadore wrote:
> Hi,
>
> On Mon, 2009-01-12 at 13:28 -0400, Munroe, James (DSS/MAS) wrote:
>> 12.2(50)SE will have IPv6 support for the ME-3400/3400E series.
>
> And what about 12.2(25), which actually has IPv6 commands?
> Is that a "partial" support? Or am I missing something?
>
> Btw, this is good news for 12.2(50)SE :)
>
> Clément
>

From peter at rathlev.dk Mon Jan 12 18:41:48 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 13 Jan 2009 00:41:48 +0100
Subject: [c-nsp] PIX 6x translation issue
In-Reply-To:
References:
Message-ID: <1231803708.8486.5.camel@localhost.localdomain>

On Mon, 2009-01-12 at 15:13 +0000, William wrote:
> What I'm trying to figure out is how I can get hosts on the office
> network to access hosts on the inside network without their addresses
> being translated. I've built an access-list and applied it to the
> office interface which is straight forward and I've added the
> following static:
>
> static (office,inside) 10.75.4.0 10.75.4.0 netmask 255.255.255.0 0 0

As Tony says, you need to swap those interface names, so it says "static (,) netmask " as per the documentation.

> However I'm not getting any connectivity, so I added:
>
> access-list office_outbound_nat0_acl permit ip host 10.75.4.1 10.1.1.0 255.255.255.0
> nat (office) 0 access-list office_outbound_nat0_acl
>
> At the moment I'm not getting any hits on office_outbound_nat0_acl and
> no traffic is getting across either, the logs say:
>
> 305005: No translation group found for icmp src office:10.75.4.1 dst inside:10.1.1.250 (type 8, code 0)

You need to reverse the access-list and put the NAT-statement on the other interface. You always define those things "from" the higher security level "to" the lower. Then you control what's allowed with access lists. Thus, it's:

access-list nonat permit ip 10.1.1.0 255.255.255.0 host 10.75.4.1
nat (inside) 0 access-list nonat

> Which matches up with the traffic I'm sending! Can someone assist me
> so I know what I'm doing wrong?
It may seem reverse compared to logic, but that's how PIX/ASA does it. :-)

Regards,
Peter

From pshem.k at gmail.com Mon Jan 12 19:17:30 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Tue, 13 Jan 2009 13:17:30 +1300
Subject: [c-nsp] MPLS speakers behind unreliable link
Message-ID: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com>

Hi,

We're in early stages of a project that is supposed to connect multiple small MPLS-speaking devices over DSL links. Currently we're investigating various options (lab trials will come later) and I would like to get your input. If you find the idea to be completely ridiculous - let me know ;-)

The whole network will consist of 500-1500 PE devices (28xx and possibly some other vendor counterpart) using DSL. Those devices will connect to the core MPLS network to provide end-to-end connectivity for the end users in various sites. Bandwidth requirements are very low (up to 20Mb/s per site).

We're considering two main scenarios:
(remote PE is a small device at the end of the DSL line, local P/PE is a bigger device connected over GigE or POS to the MPLS core).

1. The core network provides a single VPLS domain all remote PEs belong to. That VPLS domain is used to run separate MPLS between the remote PEs. The biggest problem we can see so far is the fact that this will create a very big broadcast domain, possibly spanning over 1000km, with many devices directly attached to it over DSL and as a result - quite unstable. We're not sure if ISIS or OSPF can handle such a situation gracefully.

2. Somehow connecting all the remote PEs to local P/PEs (multiple remote PEs connected to one local P/PE) and using the local PE as a sort of aggregation point, that would hide the instability of the DSL network. We haven't done anything like this before, so I'm not even sure if it can work - using ISIS create L1 domains from the remote PEs, make the local P/PEs L1L2 devices and use L2 to connect to the core.
Would label distribution work in a scenario like that assuming LDP for the next-hop and MP-BGP for vpn information? After all an ISIS L1 is a completely stub network, so it shouldn't see any routes from L2. Is that the case also for LDP (i.e. LDP will not generate a label for a FEC (prefix) that is not advertised into a L1 domain?)

The main reason for this setup is cost and expected reliability. We can not use L2TP since some of the remote PEs will provide PWE3 using a vendor specific solution, all they can use for transport is MPLS (or IP).

Thanks for your input,
kind regards
Pshem

From adi.siswanto at indosatm2.com Mon Jan 12 19:57:37 2009
From: adi.siswanto at indosatm2.com (adi.siswanto)
Date: Tue, 13 Jan 2009 07:57:37 +0700
Subject: [c-nsp] Max number of users on Aironet 1252AG
In-Reply-To: <001601c97455$e93ad940$bbb08bc0$@org>
References: <001601c97455$e93ad940$bbb08bc0$@org>
Message-ID: <1231808257.10007.0.camel@adisis>

maybe you can try another solution like wifi array (www.xirrus.com)

On Mon, 2009-01-12 at 12:34 +1100, Skeeve Stevens wrote:
> Hey all,
>
> I need to come up with a quick solution for a large scale temporary wireless
> solution.
>
> It is for some roving festivals and the request has been for 4000
> connections. but I think I can talk them down.
>
> What I am wondering is. How many simultaneous users can a 1252AG handle?
> And is there any difference in capacity if I use lightweight units and
> backend into a Wireless access controller? In fact. how many users can they
> (4402) handle?
>
> Any other suggestions guys?
>
> .Skeeve
>
> --
> Skeeve Stevens, RHCE
> skeeve at skeeve.org / www.skeeve.org
> Cell +61 (0)414 753 383 / skype://skeeve
>
> eintellego - skeeve at eintellego.net - www.eintellego.net
> --
> I'm a groove licked love child king of the verse
> Si vis pacem, para bellum
>

From ariemer at wesenergy.com.au Mon Jan 12 20:19:20 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Tue, 13 Jan 2009 10:19:20 +0900
Subject: [c-nsp] PIX IP Options
Message-ID: <0867622C64B50C4B878AB45C95F43F110669C0FC@MAILWA01.wesenergy.local>

Guys,

Quick question how do you permit IP options through the PIX firewall? I have a host on the outside that needs to do a record route option via icmp but it is being blocked. It doesn't look like it supports an ACL like routers to allow this option through. Error below.

"Deny IP from x.x.x.x to x.x.x.x, IP options: "Record Route""

PIX-506E - Pix 6.3(4)

Cheers,
Aaron.
From rens at autempspourmoi.be Tue Jan 13 02:30:38 2009
From: rens at autempspourmoi.be (Rens)
Date: Tue, 13 Jan 2009 08:30:38 +0100
Subject: [c-nsp] 3500XL
In-Reply-To: <20090112.182320.74751410.sthaug@nethelp.no>
References: <1EDA5013A4444E73B6570616FF9C9136@EU.corp.clearwire.com> <20090112.182320.74751410.sthaug@nethelp.no>
Message-ID:

What about the 2970 or 2960?

-----Original Message-----
From: sthaug at nethelp.no [mailto:sthaug at nethelp.no]
Sent: lundi 12 janvier 2009 18:23
To: rens at autempspourmoi.be
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3500XL

> Does anyone know if a 3500XL supports QinQ?

It does not.

> I can't seem to find this info on the net.

That may be because 3500XL is more or less end-of-everything.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From oboehmer at cisco.com Tue Jan 13 03:00:05 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 13 Jan 2009 09:00:05 +0100
Subject: [c-nsp] MPLS speakers behind unreliable link
In-Reply-To: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com>
References: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB089@xmb-ams-333.emea.cisco.com>

Pshem Kowalczyk <> wrote on Tuesday, January 13, 2009 01:18:

> Hi,
>
> We're in early stages of a project that is supposed to connect
> multiple small MPLS-speaking devices over DSL links. Currently we're
> investigating various options (lab trials will come later) and I would
> like to get your input. If you find the idea to be completely
> ridiculous - let me know ;-)
>
> The whole network will consist of 500-1500 PE devices (28xx and
> possibly some other vendor counterpart) using DSL.
> Those devices will
> connect to the core MPLS network to provide end-to-end connectivity
> for the end users in various sites. Bandwidth requirements are very
> low (up to 20Mb/s per site).
>
> We're considering two main scenarios:
> (remote PE is a small device at the end of the DSL line, local P/PE is
> a bigger device connected over GigE or POS to the MPLS core).
>
> 1. The core network provides a single VPLS domain all remote PEs belong
> to. That VPLS domain is used to run separate MPLS between the remote
> PEs. The biggest problem we can see so far is the fact that this will
> create a very big broadcast domain, possibly spanning over 1000km,
> with many devices directly attached to it over DSL and as a result -
> quite unstable. We're not sure if ISIS or OSPF can handle such a
> situation gracefully.

Ack, 500-1500 peers on the same LAN is doomed to fail. You could, however, create multiple VPLS LANs, and interconnect them using dedicated routers. Still not a nice approach..

>
> 2. Somehow connecting all the remote PEs to local P/PEs (multiple
> remote PEs connected to one local P/PE) and using the local PE as a sort of
> aggregation point, that would hide the instability of the DSL network.
> We haven't done anything like this before, so I'm not even sure if it
> can work - using ISIS create L1 domains from the remote PEs, make the
> local P/PEs L1L2 devices and use L2 to connect to the core. Would
> label distribution work in a scenario like that assuming LDP for the
> next-hop and MP-BGP for vpn information? After all an ISIS L1 is a
> completely stub network, so it shouldn't see any routes from L2. Is
> that the case also for LDP (i.e. LDP will not generate a label for a
> FEC (prefix) that is not advertised into a L1 domain?)

This would work, but you would need to leak the BGP next-hops (or L2 PW router-IDs) from the L2 into the L1 areas to provide an end-to-end LSP. I would consider this a reasonable approach.
Make sure you use a dedicated loopback address range for all your remote devices so you can easily create an ACL for route leaking ("redistribute isis ip level-2 into level-1 distribute-list ").

Obviously, the result of link flaps (i.e. loopbacks coming and going) would still be propagated throughout the whole domain, but you can use a less aggressive prc-interval setting on your nodes. So achieving aggressive, sub-second ISIS convergence could be a challenge if the network is not stable.

oli

From cphillips at wbsconnect.com Tue Jan 13 03:49:38 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Tue, 13 Jan 2009 00:49:38 -0800
Subject: [c-nsp] 3500XL
In-Reply-To:
References: <1EDA5013A4444E73B6570616FF9C9136@EU.corp.clearwire.com> <20090112.182320.74751410.sthaug@nethelp.no>
Message-ID: <496C55A2.3060809@wbsconnect.com>

They don't support it either. The 3550-24 and 3550-12G are the lowest-end switches that support it.

Rens wrote:
> What about the 2970 or 2960?
>
> -----Original Message-----
> From: sthaug at nethelp.no [mailto:sthaug at nethelp.no]
> Sent: lundi 12 janvier 2009 18:23
> To: rens at autempspourmoi.be
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 3500XL
>
>> Does anyone know if a 3500XL supports QinQ?
>
> It does not.
>
>> I can't seem to find this info on the net.
>
> That may be because 3500XL is more or less end-of-everything.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>

--
Chris Phillips
Senior IP Engineer & Peering Coordinator
WBS Connect
cphillips at wbsconnect.com
(866) WBS-CONX
(720) 259-8361 - direct
(303) 968-4383 - mobile
www.wbsconnect.com
www.wbstoday.com blog
Ranked #1 as the "Fastest Growing privately held company in Colorado" - 2008 Denver Business Journal -

From pete at bytemark.co.uk Tue Jan 13 03:31:52 2009
From: pete at bytemark.co.uk (Peter Taphouse)
Date: Tue, 13 Jan 2009 08:31:52 +0000
Subject: [c-nsp] 3500XL
In-Reply-To:
References: <1EDA5013A4444E73B6570616FF9C9136@EU.corp.clearwire.com> <20090112.182320.74751410.sthaug@nethelp.no>
Message-ID: <496C5178.2090202@bytemark.co.uk>

Rens wrote:
> What about the 2970 or 2960?

2970 - yes
2960 - no

I don't know how much density you're after or what mtu you need, but if you need a few cheap gige qinq ports, then second hand 3550-12T or 3550-12G work a treat (max mtu 2000).

HTH,
--
Peter Taphouse
Bytemark Hosting
http://www.bytemark-hosting.co.uk
tel. +44 (0) 845 004 3 004

From mmg at transtelco.net Tue Jan 13 05:32:48 2009
From: mmg at transtelco.net (Manuel Marín)
Date: Tue, 13 Jan 2009 05:32:48 -0500
Subject: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL
Message-ID: <4502F03F8260234AB94179D6E1BDD0CF341FE43B01@VMBX113.ihostexchange.net>

Hi,

We are experiencing a weird issue with a Cisco 6513 with either SXH or SXI software version. We have some SVI interfaces and a couple of 802.1Q trunk ports connected to other Cisco 3750s. Everything seems to be working but suddenly we get the following error and all SVIs change to administratively down. We can't downgrade to SXF because we have to use the MUX-UNI feature in order to use sub interfaces in a switch port.
Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action)
-Traceback= 40F0CC34 40F6E3CC 40698CB4 40F6E7BC 40F87BF8 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08
Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (!pm_vlan_port_forward_gbitlist_test(vd, pd->globalNumber): ../switch/pm/pm_vlan.c: 1372: pm_vlan_rem_port)
-Traceback= 40F0CC34 40F63C18 40F87C18 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08 40ACF674 40AD0120
Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action)

Attached is an example of a vlan interface:

interface Vlan156
 description "Test"
 bandwidth 1500
 ip address X.X.X.X 255.255.255.252
 service-policy input 1.5Mbps
 service-policy output 1.5Mbps
 ip access-group Proteccion-NMS out
end

Any advice would be greatly appreciated

Thanks in advance

From asturluismi at gmail.com Tue Jan 13 05:56:06 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 13 Jan 2009 11:56:06 +0100
Subject: [c-nsp] 3750 or 3560?
Message-ID: <1231844166.12543.7.camel@dsba-ipso>

Hi,

I have a stack based on two 3750 and a 2960 connected to that stack using a cross etherchannel. I have now a requirement and I need PVLANs but they are not supported in the 2960 (as far as I was reading at cisco.com).

So, I am thinking of replacing the 2960 but I am not sure if I should replace it with a 3750 or 3560.
High availability is a must and putting in another 3750 could be a risk because, as far as I read too, a failure in one of the devices of the stack can take down the whole stack and that is a situation I would like to avoid, but on the other hand I think that a new 3750 could have some benefits, such as simpler management, better performance...

I would like to see comments or suggestions.

Thanks

From adam at skywitelecomm.com Tue Jan 13 06:05:56 2009
From: adam at skywitelecomm.com (Adam Botbyl)
Date: Tue, 13 Jan 2009 05:05:56 -0600
Subject: [c-nsp] 3845 and NMD-36-ESW VLAN Dropped Packets?!?
Message-ID:

I am having an issue that is quite confusing me. Don't know if anyone has seen/fixed this issue before.

I have a 3845 with 2xNMD-36-ESW's

When both inserted (base config) VLAN1 drops packets and I cannot pass traffic off any interface on the NMD-36-ESW's. I can still pass over the internal Gi0/X's, but to get back on the NMD, I have to remove one and Power Cycle the router.

Each NMD works perfect individually. I threw them both in a 3660, and all ports were functional.

Really stumped here, any guidance welcome!

--Adam

--- BEGIN RELEVANT INFORMATION ---

192.1.0.2 is connected via a NMD-36-ESW to FA2/24

core-dfw1#ping 192.1.0.2 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.1.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms

core-dfw1#sh int vla1
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 001e.bee0.9020 (bia 001e.bee0.9020)
  Internet address is 192.1.0.1/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     225098 packets input, 43267505 bytes, 0 no buffer
     Received 104 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     321552 packets output, 153382305 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
core-dfw1#
*Jan 13 11:09:38.987: %OIR-6-INSCARD: Card inserted in slot 4, interfaces administratively shut down

core-dfw1#ping 192.1.0.2 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.1.0.2, timeout is 2 seconds:
........
Success rate is 0 percent (0/8)

core-dfw1#sh int vla1
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 001e.bee0.9020 (bia 001e.bee0.9020)
  Internet address is 192.1.0.1/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:01:35, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 8
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     225100 packets input, 43267633 bytes, 0 no buffer
     Received 104 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     321552 packets output, 153382305 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

core-dfw1#sh int fa2/24
FastEthernet2/24 is up, line protocol is up
  Hardware is Fast Ethernet, address is 000c.3020.6f52 (bia 000c.3020.6f52)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     240 packets input, 22670 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     6972 packets output, 459301 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out core-dfw1#sh ve Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9_SNA-M), Version 12.4(23), RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Sun 09-Nov-08 03:02 by prod_rel_team ROM: System Bootstrap, Version 12.4(13r)T10, RELEASE SOFTWARE (fc1) core-dfw1 uptime is 3 hours, 35 minutes System returned to ROM by reload at 01:34:21 CST Tue Jan 13 2009 System image file is "flash:c3845-adventerprisek9_sna-mz.124-23.bin" This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export at cisco.com. Cisco 3845 (revision 1.0) with 1007616K/40960K bytes of memory. Processor board ID FTX1208A1GM 72 FastEthernet interfaces 2 Gigabit Ethernet interfaces 1 Virtual Private Network (VPN) Module DRAM configuration is 64 bits wide with parity enabled. 479K bytes of NVRAM. 250880K bytes of ATA System CompactFlash (Read/Write) Configuration register is 0x2102 core-dfw1#sh diag 3845 Backplane EEPROM: Hardware Revision : 1.0 Top Assy. 
Part Number : 800-23093-01 Board Revision : B0 Deviation Number : 0 Fab Version : 04 PCB Serial Number : FOC12023YBB RMA Test History : 00 RMA Number : 0-0-0-0 RMA History : 00 Part Number : 73-8639-04 CLEI Code : IPME110BRA Chassis Serial Number : FTX1208A1GM Product (FRU) Number : CISCO3845 Version Identifier : V01 Hardware date code : 20080113 EEPROM format version 4 EEPROM contents (hex): 0x00: 04 FF 40 04 2B 41 01 00 C0 46 03 20 00 5A 35 01 0x10: 42 42 30 88 00 00 00 00 02 04 C1 8B 46 4F 43 31 0x20: 32 30 32 33 59 42 42 03 00 81 00 00 00 00 04 00 0x30: 82 49 21 BF 04 C6 8A 49 50 4D 45 31 31 30 42 52 0x40: 41 C2 8B 46 54 58 31 32 30 38 41 31 47 4D CB 92 0x50: 43 49 53 43 4F 33 38 34 35 20 20 20 20 20 20 20 0x60: 20 20 89 56 30 31 20 83 01 32 65 F1 FF FF FF FF 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF Backplane Registers ------------------- Backplane Revision: 00BE Power Supply Status: 0107 -48V PS and Env Status: FFFF -48V Isolation Control: 0007 Backplane Cookie: 000C ENM/Backplane FPGA Revision: 00BE ENM/Backplane FPGA Int0 Status: FFFF ENM/Backplane FPGA Int2 Status: 00FF ENM/Backplane FPGA Int4 Status : EF00 ENM Interrupt Mask: 000A ENM/BP FPGA Interrupt 4 Mask: 0040 ENM1 Test Port: 00C3 ENM2 Test Port: 00C3 ENM3 Test Port: 0083 ENM3 Test Port: 00C3 ENM LED Control: 00AA ENM OIR Control: 0000 ENM OIR Status: 9922 ENM PCI Speed Status 0005 Backplane FPGA Diag Int Control: FFFF ENM1 OIR State Machine Status: 41C4 ENM2 OIR State Machine Status: 41C4 ENM3 OIR State Machine Status: 0000 ENM4 OIR State Machine Status: 0000 Backplane Voltage Margin: 0000 Slot 0: C3845 Mother board 1GE(TX,SFP),1GE(TX), integrated VPN and 4W Port adapter, 2 ports Port adapter is analyzed Port adapter insertion time 03:35:28 ago Onboard VPN : FW ver01100200 EEPROM contents at hardware discovery: PCB Serial Number : FOC11525SQ2 Hardware Revision : 1.4 Top Assy. 
Part Number : 800-23616-06 Board Revision : B0 Deviation Number : 0 Fab Version : 05 RMA Test History : 00 RMA Number : 0-0-0-0 RMA History : 00 Processor type : 69 CLEI Code : IPME110BRA Product (FRU) Number : CISCO3845-MB Version Identifier : V06 Chassis MAC Address : 001e.bee0.9020 MAC Address block size : 48 Part Number : 73-8799-09 Hardware date code : 20080102 Chassis Serial Number : FTX1208A1GM EEPROM format version 4 EEPROM contents (hex): 0x00: 04 FF C1 8B 46 4F 43 31 31 35 32 35 53 51 32 40 0x10: 04 2C 41 01 04 C0 46 03 20 00 5C 40 06 42 42 30 0x20: 88 00 00 00 00 02 05 03 00 81 00 00 00 00 04 00 0x30: 09 69 C6 8A 49 50 4D 45 31 31 30 42 52 41 CB 8C 0x40: 43 49 53 43 4F 33 38 34 35 2D 4D 42 89 56 30 36 0x50: 20 D9 02 40 C1 C3 06 00 1E BE E0 90 20 43 00 30 0x60: 82 49 22 5F 09 83 01 32 65 E6 C2 8B 46 54 58 31 0x70: 32 30 38 41 31 47 4D FF FF FF FF FF FF FF FF FF Slot 2: FastEthernet Port adapter, 36 ports Port adapter is analyzed Port adapter insertion time 03:35:29 ago EEPROM contents at hardware discovery: Hardware Revision : 1.0 Top Assy. 
Part Number : 800-15157-01 Board Revision : B1 Deviation Number : 0-0 Fab Version : 02 PCB Serial Number : JAD072003RM RMA Test History : 00 RMA Number : 0-0-0-0 RMA History : 00 Base MAC Address : 000c.3020.6f3a MAC Address block size : 38 Product (FRU) Number : NMD-36-ESW= EEPROM format version 4 EEPROM contents (hex): 0x00: 04 FF 40 02 B1 41 01 00 C0 46 03 20 00 3B 35 01 0x10: 42 42 31 80 00 00 00 00 02 02 C1 8B 4A 41 44 30 0x20: 37 32 30 30 33 52 4D 03 00 81 00 00 00 00 04 00 0x30: CF 06 00 0C 30 20 6F 3A 43 00 26 FF FF FF FF FF 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF Slot 4: FastEthernet Port adapter, 36 ports Port adapter is analyzed Port adapter insertion time 00:01:53 ago EEPROM contents at hardware discovery: Hardware Revision : 1.0 Top Assy. Part Number : 800-15157-01 Board Revision : B1 Deviation Number : 0-0 Fab Version : 02 PCB Serial Number : JAD072003QK RMA Test History : 00 RMA Number : 0-0-0-0 RMA History : 00 Base MAC Address : 000c.3020.7505 MAC Address block size : 38 Product (FRU) Number : NMD-36-ESW= EEPROM format version 4 EEPROM contents (hex): 0x00: 04 FF 40 02 B1 41 01 00 C0 46 03 20 00 3B 35 01 0x10: 42 42 31 80 00 00 00 00 02 02 C1 8B 4A 41 44 30 0x20: 37 32 30 30 33 51 4B 03 00 81 00 00 00 00 04 00 0x30: CF 06 00 0C 30 20 75 05 43 00 26 FF FF FF FF FF 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF From p.mayers at imperial.ac.uk Tue Jan 13 06:35:46 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Tue, 13 Jan 2009 11:35:46 +0000 Subject: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL In-Reply-To: <4502F03F8260234AB94179D6E1BDD0CF341FE43B01@VMBX113.ihostexchange.net> 
References: <4502F03F8260234AB94179D6E1BDD0CF341FE43B01@VMBX113.ihostexchange.net>
Message-ID: <496C7C92.3050808@imperial.ac.uk>

Manuel Marín wrote:
> Hi,
>
> We are experiencing a weird issue with a Cisco 6513 with either SXH or SXI software version. We have some SVI interfaces and a couple of 802.1Q trunk ports connected to other Cisco 3750s. Everything seems to be working but suddenly we get the following error and all SVIs change to administratively down. We can't downgrade to SXF because we have to use the MUX-UNI feature in order to use sub-interfaces on a switch port.
>
> Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action)
> -Traceback= 40F0CC34 40F6E3CC 40698CB4 40F6E7BC 40F87BF8 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08
> Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (!pm_vlan_port_forward_gbitlist_test(vd, pd->globalNumber): ../switch/pm/pm_vlan.c: 1372: pm_vlan_rem_port)
> -Traceback= 40F0CC34 40F63C18 40F87C18 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08 40ACF674 40AD0120
> Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action)

That's a traceback, so you want to open a TAC case.

If you could show more config, i.e. of the gig ports as well, it might give a hint, but if I had to take a wild guess I'd say it's a bug in the MUX-UNI.
From jeff at ocjtech.us Tue Jan 13 11:06:50 2009
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Tue, 13 Jan 2009 10:06:50 -0600
Subject: [c-nsp] High CPU utilization caused by the TPLUS process
Message-ID: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com>

Several times in the past month we have had high CPU utilization caused by the TPLUS process, which I think is caused by stuck CLI users. As far as I can tell the only way to remedy the problem is to reload the switch and/or router (this affects many different systems with very different software versions and hardware). "clear line X" and "disconnect ssh X" have no effect. Is there some way to recover from this situation other than reloading the switch?

This output is typical of a switch/router that has the problem:

ankeny-b2-sw1#who
    Line       User       Host(s)              Idle       Location
*  1 vty 0     jcollie    idle                 00:00:00 161.210.45.126
   2 vty 1     rancid     idle                 3d08h    161.210.221.251

  Interface    User               Mode         Idle     Peer Address

ankeny-b2-sw1#clear line vty 1
[confirm]
 [OK]
ankeny-b2-sw1#who
    Line       User       Host(s)              Idle       Location
*  1 vty 0     jcollie    idle                 00:00:00 161.210.45.126
   2 vty 1     rancid     idle                 3d08h    161.210.221.251

  Interface    User               Mode         Idle     Peer Address

ankeny-b2-sw1#disconnect ssh vty 1
ankeny-b2-sw1#who
    Line       User       Host(s)              Idle       Location
*  1 vty 0     jcollie    idle                 00:00:00 161.210.45.126
   2 vty 1     rancid     idle                 3d08h    161.210.221.251

  Interface    User               Mode         Idle     Peer Address

ankeny-b2-sw1#show proc cpu sorted
CPU utilization for five seconds: 69%/1%; one minute: 70%; five minutes: 71%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 247   192022762 147173137       1304 55.91% 57.62% 58.09%   0 TPLUS
 187    11656575  55566492        209  4.47%  3.43%  3.35%   0 IP Input
 129    11183422  27874303        401  1.59%  1.33%  1.34%   0 Hulc LED Process
 181      958624   2471735        387  0.31%  0.09%  0.06%   0 CDP Protocol
 232     7068788   2597774       2721  0.31%  0.51%  0.48%   0 Marvell wk-a Pow
  58     2491351  62102425         40  0.15%  0.21%  0.21%   0 Fifo Error Detec
 108        2095      2987        701  0.15%  0.12%  0.06%   1 SSH Process
  72      400916  34843451         11  0.15%  0.05%  0.05%   0 HLFM address lea
  95     2556520   2458104       1040  0.15%  0.19%  0.20%   0 hpm counter proc
  31      320900   3003540        106  0.15%  0.01%  0.00%   0 Net Background
 137      514826    237111       2171  0.15%  0.04%  0.04%   0 HQM Stack Proces
  41      847968  29029606         29  0.15%  0.21%  0.22%   0 Transport Port A
 193     3316744   3842208        863  0.15%  0.14%  0.15%   0 Spanning Tree
 259      117317  12823251          9  0.15%  0.03%  0.01%   0 PM Callback
  14          57         7       8142  0.00%  0.00%  0.00%   0 Entity MIB API
  13           0         1          0  0.00%  0.00%  0.00%   0 Policy Manager
  12           0         2          0  0.00%  0.00%  0.00%   0 AAA high-capacit
  11         132      7673         17  0.00%  0.00%  0.00%   0 AAA_SERVER_DEADT
  10           0         1          0  0.00%  0.00%  0.00%   0 CEF MIB API
  15           9       648         13  0.00%  0.00%  0.00%   0 EEM ED Syslog
   9      134263    239511        560  0.00%  0.01%  0.00%   0 ARP Input

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe."
-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"

From mksmith at adhost.com Tue Jan 13 11:15:54 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Tue, 13 Jan 2009 08:15:54 -0800
Subject: [c-nsp] 3750 or 3560?
In-Reply-To: <1231844166.12543.7.camel@dsba-ipso>
References: <1231844166.12543.7.camel@dsba-ipso>
Message-ID: <17838240D9A5544AAA5FF95F8D52031605478B21@ad-exh01.adhost.lan>

Hello:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of luismi
> Sent: Tuesday, January 13, 2009 2:56 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 3750 or 3560?
>
> Hi,
>
> I have a stack based on two 3750s and a 2960 connected to that stack
> using a cross etherchannel.
> I now have a requirement and I need PVLANs, but they are not supported in
> the 2960 (as far as I was reading at cisco.com).
>
> So, I am thinking of replacing the 2960, but I am not sure if I should
> replace it with a 3750 or a 3560.
>
> High availability is a must, and putting in another 3750 could be a risk
> because, as far as I read too, a failure in one of the devices of the
> stack can take down the whole stack, and that is a situation I would like
> to avoid; but on the other hand I think that a new 3750 could have some
> benefits, such as simpler management, better performance...
>
> I would like to see comments or suggestions.
>
> Thanks
>

AFAIK the real difference between the 3750 and 3560 is the 3750's ability to stack. If you are not going to stack the switch then the 3560 will suffice for your needs. Please see:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_qas09186a00801b0971.html

Regards,

Mike

From techconfig at yahoo.com Tue Jan 13 11:29:25 2009
From: techconfig at yahoo.com (Mark Tech)
Date: Tue, 13 Jan 2009 08:29:25 -0800 (PST)
Subject: [c-nsp] 7600 interfaces not showing as down
Message-ID: <878787.8129.qm@web44816.mail.sp1.yahoo.com>

Hi

I have some WS-X6748-SFP and WS-X6748-GE-TX installed on a 7600 chassis. If I remove a cable on an interface, there is nothing in the log to say that the interface is down; is there a way around this?

Regards
Mark

From dsinn at dsinn.com Tue Jan 13 11:33:25 2009
From: dsinn at dsinn.com (David Sinn)
Date: Tue, 13 Jan 2009 08:33:25 -0800
Subject: [c-nsp] 3845 and NMD-36-ESW VLAN Dropped Packets?!?
In-Reply-To:
References:
Message-ID: <6683B9FF-76B5-4A6B-8B0E-2251A28206A8@dsinn.com>

The router will not internally bridge between the two modules. By having them both on VLAN-1 the router doesn't know which one is the real VLAN-1.

If you want them both on the same subnet you need to run an interconnect external between each module:

http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aca3e.html

"If multiple EtherSwitches are used in a single chassis external stacking is required."

David

On Jan 13, 2009, at 3:05 AM, Adam Botbyl wrote:

> I am having an issue that is quite confusing me. Don't know if anyone
> has seen/fixed this issue before.
>
> I have a 3845 with 2xNMD-36-ESW's
> When both inserted (base config) VLAN1 drops packets and I cannot
> pass traffic off any interface on the NMD-36-ESW's.
> I can still pass over the internal Gi0/X's, but to get back on the
> NMD, I have to remove one and Power Cycle the router.
>
> Each NMD works perfect individually. I threw them both in a 3660,
> and all ports were functional.
>
> Really stumped here, any guidance welcome!
>
> --Adam
>
>
> --- BEGIN RELEVANT INFORMATION ---
> 192.1.0.2 is connected via a NMD-36-ESW to FA2/24
>
> core-dfw1#ping 192.1.0.2 rep 100
>
> Type escape sequence to abort.
> Sending 100, 100-byte ICMP Echos to 192.1.0.2, timeout is 2 seconds:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> [...]

From jared at puck.nether.net Tue Jan 13 11:34:29 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 13 Jan 2009 11:34:29 -0500
Subject: [c-nsp] 7600 interfaces not showing as down
In-Reply-To: <878787.8129.qm@web44816.mail.sp1.yahoo.com>
References: <878787.8129.qm@web44816.mail.sp1.yahoo.com>
Message-ID: <20090113163429.GA43252@puck.nether.net>

On Tue, Jan 13, 2009 at 08:29:25AM -0800, Mark Tech wrote:
> Hi
> I have some WS-X6748-SFP and WS-X6748-GE-TX installed on a 7600 chassis. If I remove a cable on an interface, there is nothing in the log to say that the interface is down; is there a way around this?
>

Set the per-interface logging level.
- jared

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From mauritz at three6five.com Tue Jan 13 11:43:33 2009
From: mauritz at three6five.com (Mauritz Lewies)
Date: Tue, 13 Jan 2009 18:43:33 +0200
Subject: [c-nsp] 3845 and NMD-36-ESW VLAN Dropped Packets?!?
In-Reply-To: <6683B9FF-76B5-4A6B-8B0E-2251A28206A8@dsinn.com>
References: <6683B9FF-76B5-4A6B-8B0E-2251A28206A8@dsinn.com>
Message-ID: <1231865013.1333.9.camel@mauritzlewies>

Hi

What is intrachassis stacking?
A. Intrachassis stacking is the ability to connect multiple EtherSwitch modules via the Gigabit Ethernet connection in the same router. For example, to stack intrachassis is to place two EtherSwitch modules in the same router and connect the modules via the Gigabit Ethernet uplink. Cisco IOS Software Releases 12.2(11)T, 12.3(4)T, and later support this functionality. Two modules in any router is the limit for an intrachassis stack. An intrachassis stack requires a Gigabit Ethernet interface on each module. You must connect the modules externally with the Gigabit Ethernet interfaces and a crossover cable. Intrachassis stacks allow all the Fast Ethernet and Gigabit Ethernet interfaces to participate in the same Layer 2 (L2) domain.

On Tue, 2009-01-13 at 08:33 -0800, David Sinn wrote:
> The router will not internally bridge between the two modules. By
> having them both on VLAN-1 the router doesn't know which one is the
> real VLAN-1.
>
> If you want them both on the same subnet you need to run an
> interconnect external between each module:
>
> http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aca3e.html
>
> "If multiple EtherSwitches are used in a single chassis external
> stacking is required."
>
> David
>
> On Jan 13, 2009, at 3:05 AM, Adam Botbyl wrote:
>
> > I am having an issue that is quite confusing me.
> > Don't know if anyone
> > has seen/fixed this issue before.
> >
> > I have a 3845 with 2xNMD-36-ESW's
> > When both inserted (base config) VLAN1 drops packets and I cannot
> > pass traffic off any interface on the NMD-36-ESW's.
> > I can still pass over the internal Gi0/X's, but to get back on the
> > NMD, I have to remove one and Power Cycle the router.
> >
> > Each NMD works perfect individually. I threw them both in a 3660,
> > and all ports were functional.
> >
> > Really stumped here, any guidance welcome!
> >
> > --Adam
> >
> >
> > --- BEGIN RELEVANT INFORMATION ---
> > 192.1.0.2 is connected via a NMD-36-ESW to FA2/24
> > [...]
Part Number : 800-23093-01 > > Board Revision : B0 > > Deviation Number : 0 > > Fab Version : 04 > > PCB Serial Number : FOC12023YBB > > RMA Test History : 00 > > RMA Number : 0-0-0-0 > > RMA History : 00 > > Part Number : 73-8639-04 > > CLEI Code : IPME110BRA > > Chassis Serial Number : FTX1208A1GM > > Product (FRU) Number : CISCO3845 > > Version Identifier : V01 > > Hardware date code : 20080113 > > EEPROM format version 4 > > EEPROM contents (hex): > > 0x00: 04 FF 40 04 2B 41 01 00 C0 46 03 20 00 5A 35 01 > > 0x10: 42 42 30 88 00 00 00 00 02 04 C1 8B 46 4F 43 31 > > 0x20: 32 30 32 33 59 42 42 03 00 81 00 00 00 00 04 00 > > 0x30: 82 49 21 BF 04 C6 8A 49 50 4D 45 31 31 30 42 52 > > 0x40: 41 C2 8B 46 54 58 31 32 30 38 41 31 47 4D CB 92 > > 0x50: 43 49 53 43 4F 33 38 34 35 20 20 20 20 20 20 20 > > 0x60: 20 20 89 56 30 31 20 83 01 32 65 F1 FF FF FF FF > > 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > > > > > > Backplane Registers > > ------------------- > > Backplane Revision: 00BE > > Power Supply Status: 0107 > > -48V PS and Env Status: FFFF > > -48V Isolation Control: 0007 > > Backplane Cookie: 000C > > ENM/Backplane FPGA Revision: 00BE > > ENM/Backplane FPGA Int0 Status: FFFF > > ENM/Backplane FPGA Int2 Status: 00FF > > ENM/Backplane FPGA Int4 Status : EF00 > > ENM Interrupt Mask: 000A > > ENM/BP FPGA Interrupt 4 Mask: 0040 > > ENM1 Test Port: 00C3 > > ENM2 Test Port: 00C3 > > ENM3 Test Port: 0083 > > ENM3 Test Port: 00C3 > > ENM LED Control: 00AA > > ENM OIR Control: 0000 > > ENM OIR Status: 9922 > > ENM PCI Speed Status 0005 > > Backplane FPGA Diag Int Control: FFFF > > ENM1 OIR State Machine Status: 41C4 > > ENM2 OIR State Machine Status: 41C4 > > ENM3 OIR State Machine Status: 0000 > > ENM4 OIR State Machine Status: 0000 > > Backplane Voltage Margin: 0000 > > > > Slot 0: > > C3845 Mother board 1GE(TX,SFP),1GE(TX), integrated VPN and 4W > > Port adapter, 2 ports > > Port adapter is analyzed > > Port adapter insertion time 03:35:28 ago > > Onboard VPN 
: FW ver01100200 > > EEPROM contents at hardware discovery: > > PCB Serial Number : FOC11525SQ2 > > Hardware Revision : 1.4 > > Top Assy. Part Number : 800-23616-06 > > Board Revision : B0 > > Deviation Number : 0 > > Fab Version : 05 > > RMA Test History : 00 > > RMA Number : 0-0-0-0 > > RMA History : 00 > > Processor type : 69 > > CLEI Code : IPME110BRA > > Product (FRU) Number : CISCO3845-MB > > Version Identifier : V06 > > Chassis MAC Address : 001e.bee0.9020 > > MAC Address block size : 48 > > Part Number : 73-8799-09 > > Hardware date code : 20080102 > > Chassis Serial Number : FTX1208A1GM > > EEPROM format version 4 > > EEPROM contents (hex): > > 0x00: 04 FF C1 8B 46 4F 43 31 31 35 32 35 53 51 32 40 > > 0x10: 04 2C 41 01 04 C0 46 03 20 00 5C 40 06 42 42 30 > > 0x20: 88 00 00 00 00 02 05 03 00 81 00 00 00 00 04 00 > > 0x30: 09 69 C6 8A 49 50 4D 45 31 31 30 42 52 41 CB 8C > > 0x40: 43 49 53 43 4F 33 38 34 35 2D 4D 42 89 56 30 36 > > 0x50: 20 D9 02 40 C1 C3 06 00 1E BE E0 90 20 43 00 30 > > 0x60: 82 49 22 5F 09 83 01 32 65 E6 C2 8B 46 54 58 31 > > 0x70: 32 30 38 41 31 47 4D FF FF FF FF FF FF FF FF FF > > > > Slot 2: > > FastEthernet Port adapter, 36 ports > > Port adapter is analyzed > > Port adapter insertion time 03:35:29 ago > > EEPROM contents at hardware discovery: > > Hardware Revision : 1.0 > > Top Assy. 
Part Number : 800-15157-01 > > Board Revision : B1 > > Deviation Number : 0-0 > > Fab Version : 02 > > PCB Serial Number : JAD072003RM > > RMA Test History : 00 > > RMA Number : 0-0-0-0 > > RMA History : 00 > > Base MAC Address : 000c.3020.6f3a > > MAC Address block size : 38 > > Product (FRU) Number : NMD-36-ESW= > > EEPROM format version 4 > > EEPROM contents (hex): > > 0x00: 04 FF 40 02 B1 41 01 00 C0 46 03 20 00 3B 35 01 > > 0x10: 42 42 31 80 00 00 00 00 02 02 C1 8B 4A 41 44 30 > > 0x20: 37 32 30 30 33 52 4D 03 00 81 00 00 00 00 04 00 > > 0x30: CF 06 00 0C 30 20 6F 3A 43 00 26 FF FF FF FF FF > > 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > > 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > > 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > > 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > > > > Slot 4: > > FastEthernet Port adapter, 36 ports > > Port adapter is analyzed > > Port adapter insertion time 00:01:53 ago > > EEPROM contents at hardware discovery: > > Hardware Revision : 1.0 > > Top Assy. 
Part Number : 800-15157-01 > > Board Revision : B1 > > Deviation Number : 0-0 > > Fab Version : 02 > > PCB Serial Number : JAD072003QK > > RMA Test History : 00 > > RMA Number : 0-0-0-0 > > RMA History : 00 > > Base MAC Address : 000c.3020.7505 > > MAC Address block size : 38 > > Product (FRU) Number : NMD-36-ESW= > > EEPROM format version 4 > > EEPROM contents (hex): > > 0x00: 04 FF 40 02 B1 41 01 00 C0 46 03 20 00 3B 35 01 > > 0x10: 42 42 31 80 00 00 00 00 02 02 C1 8B 4A 41 44 30 > > 0x20: 37 32 30 30 33 51 4B 03 00 81 00 00 00 00 04 00 > > 0x30: CF 06 00 0C 30 20 75 05 43 00 26 FF FF FF FF FF > > 0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > > 0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > > 0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > > 0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (Darwin) > > iEYEARECAAYFAklswlUACgkQLa9jIE3ZamPSJwCg4SbXmevkJm38VWO0cF26HSBR > pLsAni/vn/J/q8kCv1UMZbkpNsXDw1ov > =p7/R > -----END PGP SIGNATURE----- > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From chip.gwyn at gmail.com Tue Jan 13 12:10:40 2009 From: chip.gwyn at gmail.com (chip) Date: Tue, 13 Jan 2009 12:10:40 -0500 Subject: [c-nsp] 7600 interfaces not showing as down In-Reply-To: <878787.8129.qm@web44816.mail.sp1.yahoo.com> References: <878787.8129.qm@web44816.mail.sp1.yahoo.com> Message-ID: <64a8ad980901130910t752e60a4qffa656f7dc0fa48d@mail.gmail.com> add: logging event link-status under each int --chip On Tue, Jan 13, 2009 at 11:29 AM, Mark Tech wrote: > Hi > I have some WS-X6748-SFP and 
WS-X6748-GE-TX installed on a 7600 chassis. If > I remove a cable on an interface, there is nothing in the log to say that > the interface is down, is there a way around this? > > Regards > > Mark > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Just my $.02, your mileage may vary, batteries not included, etc.... From adam at skywitelecomm.com Tue Jan 13 12:18:47 2009 From: adam at skywitelecomm.com (Adam Botbyl) Date: Tue, 13 Jan 2009 11:18:47 -0600 Subject: [c-nsp] 3845 and NMD-36-ESW VLAN Dropped Packets?!? In-Reply-To: <1231865013.1333.9.camel@mauritzlewies> References: <6683B9FF-76B5-4A6B-8B0E-2251A28206A8@dsinn.com> <1231865013.1333.9.camel@mauritzlewies> Message-ID: Mauritz & David, Thank you both... I could have sworn I tried that as well. Looking at it, what I was trying it with was not a crossover cable. Problem solved! :) I guess what threw me for the biggest loop is not having to x-connect in the 3660... and now having to in the 3845. Thanks again! --Adam -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mauritz Lewies Sent: Tuesday, January 13, 2009 10:44 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 3845 and NMD-36-ESW VLAN Dropped Packets?!? Hi. What is intrachassis stacking? A. Intrachassis stacking is the ability to connect multiple EtherSwitch modules via the Gigabit Ethernet connection in the same router. For example, to stack intrachassis is to place two EtherSwitch modules in the same router and connect the modules via the Gigabit Ethernet uplink. Cisco IOS Software Releases 12.2(11)T, 12.3(4)T, and later support this functionality. Two modules in any router is the limit for an intrachassis stack. An intrachassis stack requires a Gigabit Ethernet interface on each module.
You must connect the modules externally with the Gigabit Ethernet interfaces and a crossover cable. Intrachassis stacks allow all the Fast Ethernet and Gigabit Ethernet interfaces to participate in the same Layer 2 (L2) domain. On Tue, 2009-01-13 at 08:33 -0800, David Sinn wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > The router will not internally bridge between the two modules. By > having them both on VLAN-1 the router doesn't know which one is the > real VLAN-1. > > If you want them both on the same subnet you need to run a > interconnect external between each module: > > http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aca3e.html > > "If multiple EtherSwitches are used in a single chassis external > stacking is required." > > David > > On Jan 13, 2009, at 3:05 AM, Adam Botbyl wrote: > > > I am having a issue that is quite confusing me. Don't know if anyone > > has seen/fixed this issue before. > > > > I have a 3845 with 2xNMD-36-ESW's > > When both inserted (base config) VLAN1 drops packets and I cannot > > pass traffic off any interface on the NMD-36-ESW's. > > I can still pass over the internal Gi0/X's, but to get back on the > > NMD, I have to remove one and Power Cycle the router. > > > > Each NMD works perfect individually. I threw them both in a 3660, > > and all ports were functional. > > > > Really stumped here, any guidance welcome! > > > > --Adam > > > > > > --- BEGIN RELEVANT INFORMATION --- > > 192.1.0.2 is connected via a NMD-36-ESW to FA2/24 > > [...] > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (Darwin) > > iEYEARECAAYFAklswlUACgkQLa9jIE3ZamPSJwCg4SbXmevkJm38VWO0cF26HSBR > pLsAni/vn/J/q8kCv1UMZbkpNsXDw1ov > =p7/R > -----END PGP SIGNATURE----- > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From techconfig at yahoo.com Tue Jan 13 11:43:16 2009 From: techconfig at yahoo.com (Mark Tech) Date: Tue, 13 Jan 2009 08:43:16 -0800 (PST) Subject: [c-nsp] 7600 interfaces not showing as down References: <878787.8129.qm@web44816.mail.sp1.yahoo.com> <20090113163429.GA43252@puck.nether.net> Message-ID:
<393045.76102.qm@web44802.mail.sp1.yahoo.com> Hi Jared, thanks for the quick reply. Could you be a bit more specific, as I'm not sure what you mean? Regards Mark ----- Original Message ---- From: Jared Mauch To: Mark Tech Cc: cisco-nsp at puck.nether.net Sent: Tuesday, January 13, 2009 4:34:29 PM Subject: Re: [c-nsp] 7600 interfaces not showing as down On Tue, Jan 13, 2009 at 08:29:25AM -0800, Mark Tech wrote: > Hi > I have some WS-X6748-SFP and WS-X6748-GE-TX installed on a 7600 chassis. If I remove a cable on an interface, there is nothing in the log to say that the interface is down, is there a way around this? > Set the per-interface logging level. - jared -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. From peter at rathlev.dk Tue Jan 13 12:46:59 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 13 Jan 2009 18:46:59 +0100 Subject: [c-nsp] 7600 interfaces not showing as down In-Reply-To: <64a8ad980901130910t752e60a4qffa656f7dc0fa48d@mail.gmail.com> References: <878787.8129.qm@web44816.mail.sp1.yahoo.com> <64a8ad980901130910t752e60a4qffa656f7dc0fa48d@mail.gmail.com> Message-ID: <1231868819.12678.3.camel@localhost.localdomain> On Tue, 2009-01-13 at 08:29 -0800, Mark Tech wrote: > I have some WS-X6748-SFP and WS-X6748-GE-TX installed on a 7600 > chassis. If I remove a cable on an interface, there is nothing in the > log to say that the interface is down, is there a way around this? On Tue, 2009-01-13 at 12:10 -0500, chip wrote: > add: > logging event link-status > > under each int You could also use "logging event link-status default" in global config. Then you don't have to configure each interface.
Regards, Peter From chris at chrisserafin.com Tue Jan 13 13:34:53 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Tue, 13 Jan 2009 12:34:53 -0600 Subject: [c-nsp] PIX logging Message-ID: <496CDECD.1010105@chrisserafin.com> I'm trying to set up a cluster of PIX 515 to send all traffic logs to an external syslog server for event correlation. I'm not seeing any traffic hit the syslog server though.... Here is my config:
logging timestamp
logging console debugging
logging monitor debugging
logging buffered warnings
logging trap informational
logging history informational
logging facility 6
logging host inside 10.0.8.100 ! located on the inside interface
Does anyone else log all traffic to an external source and see what's wrong with my config? Thanks, Chris Serafin From Gregori.Parker at theplatform.com Tue Jan 13 13:39:10 2009 From: Gregori.Parker at theplatform.com (Gregori Parker) Date: Tue, 13 Jan 2009 10:39:10 -0800 Subject: [c-nsp] PIX logging In-Reply-To: <496CDECD.1010105@chrisserafin.com> References: <496CDECD.1010105@chrisserafin.com> Message-ID: <1A9866F953006D45AEE0166066114E091524FD9B@TPMAIL02.corp.theplatform.com> Did you perform a 'logging on' to actually enable the logging? -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ChrisSerafin Sent: Tuesday, January 13, 2009 10:35 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] PIX logging I'm trying to set up a cluster of PIX 515 to send all traffic logs to an external syslog server for event correlation. I'm not seeing any traffic hit the syslog server though.... Here is my config:
logging timestamp
logging console debugging
logging monitor debugging
logging buffered warnings
logging trap informational
logging history informational
logging facility 6
logging host inside 10.0.8.100 ! located on the inside interface
Does anyone else log all traffic to an external source and see what's wrong with my config?
Thanks, Chris Serafin _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mmg at transtelco.net Tue Jan 13 13:49:30 2009 From: mmg at transtelco.net (Manuel Marín) Date: Tue, 13 Jan 2009 13:49:30 -0500 Subject: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL In-Reply-To: <496C7C92.3050808@imperial.ac.uk> References: <4502F03F8260234AB94179D6E1BDD0CF341FE43B01@VMBX113.ihostexchange.net> <496C7C92.3050808@imperial.ac.uk> Message-ID: <4502F03F8260234AB94179D6E1BDD0CF341FE43C30@VMBX113.ihostexchange.net> Hi Phil, Attached are the SVI and interface configs.
#TRUNK TO CISCO 3750
interface GigabitEthernet6/24
 description "Barrancas"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1000
 mls qos vlan-based
 no cdp enable
end
#SUBint configured for EoMPLS
interface GigabitEthernet2/2.578
 encapsulation dot1Q 578
 xconnect 172.16.10.2 4505 encapsulation mpls
 service-policy input 2Mbps
 service-policy output 2Mbps
end
interface GigabitEthernet2/2.576
 encapsulation dot1Q 576
 xconnect 172.16.10.4 4501 encapsulation mpls
end
#SVIs (Most of them have a policer and an access-list attached)
interface Vlan102
 description "Victory Packaging [Voip]"
 ip address 10.10.1.73 255.255.255.252
 ip access-group Proteccion-VoipMngt out
 service-policy input 2Mbps
 service-policy output 2Mbps
end
Does anyone else have experience running MUX-UNI with Cisco 6500s, or with a similar issue? Thanks -----Original Message----- From: Phil Mayers [mailto:p.mayers at imperial.ac.uk] Sent: Tuesday, January 13, 2009 4:36 AM To: Manuel Marín Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL Manuel Marín wrote: > Hi, > > We are experiencing a weird issue with a Cisco 6513 with either SXH or SXI software version.
We have some SVI interfaces and a couple of 802.1Q trunk ports connected to other Cisco 3750s. Everything seems to be working, but suddenly we get the following error and all SVIs change to administratively down. We can't downgrade to SXF because we have to use the MUX-UNI feature in order to use subinterfaces on a switch port. > > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action) > -Traceback= 40F0CC34 40F6E3CC 40698CB4 40F6E7BC 40F87BF8 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08 > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (!pm_vlan_port_forward_gbitlist_test(vd, pd->globalNumber): ../switch/pm/pm_vlan.c: 1372: pm_vlan_rem_port) > -Traceback= 40F0CC34 40F63C18 40F87C18 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08 40ACF674 40AD0120 > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action) That's a traceback, so you want to open a TAC case. If you could show more config, i.e. of the gig ports as well, it might give a hint, but if I had to take a wild guess I'd say it's a bug in the MUX-UNI. From mksmith at adhost.com Tue Jan 13 14:04:39 2009 From: mksmith at adhost.com (Michael K.
Smith - Adhost) Date: Tue, 13 Jan 2009 11:04:39 -0800 Subject: [c-nsp] PIX logging In-Reply-To: <496CDECD.1010105@chrisserafin.com> References: <496CDECD.1010105@chrisserafin.com> Message-ID: <17838240D9A5544AAA5FF95F8D52031605478B7A@ad-exh01.adhost.lan> Hello Chris: > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of ChrisSerafin > Sent: Tuesday, January 13, 2009 10:35 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] PIX logging > > I'm trying to setup a cluster of PIX 515 to send all traffic logs to an > external syslog server for event correlation. I'm not seeing any traffic > hit the syslog server tho.... > > Here is my config:
> logging timestamp
> logging console debugging
> logging monitor debugging
> logging buffered warnings
> logging trap informational
> logging history informational
> logging facility 6
> logging host inside 10.0.8.100 ! located on the inside interface
> > Does anyone else log all traffic to an external source and see what's > wrong with my config? There was another email about 'logging on', and you should also be aware that the PIX uses different facility numbering than you would anticipate on a Unix server. If you are intending to go to Local6 you should use 'logging facility 22'. For reference, see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml#logfacility Regards, Mike
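Mike's point about facility numbering is the one that bites when the collector is a SIEM expecting everything from the firewalls under local6. The following is an added example, not from this thread and not Cisco's code, that does the arithmetic behind it: PIX/ASA take the raw syslog facility code in 'logging facility' (16 to 23 for local0 to local7), the PRI field on the wire is facility * 8 + severity, and in the standard numbering facility 6 is lpr, not local6. The sample lines at the bottom are constructed for the example; the text after the PRI is illustrative only.

```python
"""Syslog PRI arithmetic as it applies to PIX/ASA 'logging facility' and a Unix collector.

Facility and severity codes follow RFC 3164 / RFC 5424. The sample messages are
constructed for this example and only approximate real PIX output.
"""
import re

# Facility codes 0-23; 16-23 are the local0-local7 targets PIX/ASA accept.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}

# Severity codes: list index is the numeric value (0 = emerg ... 7 = debug).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pix_logging_facility(local_name):
    """Number to put in 'logging facility N' so messages arrive under localN."""
    code = FACILITY_CODES.get(local_name.lower())
    if code is None or not 16 <= code <= 23:
        raise ValueError("PIX/ASA logging facility must be local0-local7")
    return code


def encode_pri(facility, severity):
    """PRI value a sender puts in the <N> header."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility 0-23, severity 0-7")
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value into (facility_name, severity_name)."""
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity]


def parse_syslog(line):
    """Parse one raw syslog line as it arrives on UDP/514."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: " + line[:40])
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "msg": m.group(2)}


def select(lines, facility=None, max_severity=None):
    """Filter lines the way a syslog.conf selector such as 'local6.warning' would."""
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if facility and rec["facility"] != facility:
            continue
        if max_severity is not None and SEVERITY_NAMES.index(rec["severity"]) > max_severity:
            continue
        out.append(rec)
    return out


# Constructed sample: two lines as a PIX with 'logging facility 22' and
# 'logging trap informational' might send them, plus one unrelated host.
SAMPLE_LINES = [
    "<182>Jan 13 10:35:01 fw1 %PIX-6-302013: Built outbound TCP connection 1 for outside:192.0.2.10/80 ...",
    "<180>Jan 13 10:35:02 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.8.100/22 ...",
    "<38>Jan 13 10:35:03 host1 sshd[123]: Accepted publickey for ops from 10.0.8.5",
]

if __name__ == "__main__":
    for rec in select(SAMPLE_LINES, facility="local6"):
        print(rec["facility"], rec["severity"], rec["msg"][:60])
```

Running it shows both firewall lines landing under local6 (PRI 182 is local6.info, 180 is local6.warning), which is what a 'local6.* /var/log/pix.log' selector on the collector would catch; a firewall configured with facility 6 would instead be filed with the printer subsystem.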
From justin at justinshore.com Tue Jan 13 14:07:58 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 13 Jan 2009 13:07:58 -0600 Subject: [c-nsp] PIX logging In-Reply-To: <1A9866F953006D45AEE0166066114E091524FD9B@TPMAIL02.corp.theplatform.com> References: <496CDECD.1010105@chrisserafin.com> <1A9866F953006D45AEE0166066114E091524FD9B@TPMAIL02.corp.theplatform.com> Message-ID: <496CE68E.9020709@justinshore.com> Or logging enable if you're running v7 or later code. Also, disable console logging or at the very least set it to something like emergencies or errors. Console logging is a painful thing to enable and in some cases (IOS routers) it's the cause of major slowdowns. Justin Gregori Parker wrote: > Did you perform a 'logging on' to actually enable the logging? > >> Does anyone else log all traffic to an external source and see what's >> wrong with my config? From tvarriale at comcast.net Tue Jan 13 14:08:11 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Tue, 13 Jan 2009 13:08:11 -0600 Subject: [c-nsp] PIX logging References: <496CDECD.1010105@chrisserafin.com> <1A9866F953006D45AEE0166066114E091524FD9B@TPMAIL02.corp.theplatform.com> Message-ID: <1E385384029D4210AED04F8D7A3659E6@flamdt01> That's the only thing I see missing. fyi logging on is old school...logging enable is new but is still accepted either way. tv ----- Original Message ----- From: "Gregori Parker" To: "ChrisSerafin" ; Sent: Tuesday, January 13, 2009 12:39 PM Subject: Re: [c-nsp] PIX logging > Did you perform a 'logging on' to actually enable the logging?
From justin at justinshore.com Tue Jan 13 14:15:32 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 13 Jan 2009 13:15:32 -0600 Subject: [c-nsp] High CPU utilization caused by the TPLUS process In-Reply-To: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com> References: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com> Message-ID: <496CE854.3080003@justinshore.com> Jeffrey Ollie wrote: > Several times in the past month we have had high CPU utilization > caused by the TPLUS process, which I think is caused by stuck CLI > users.
As far as I can tell the only way to remedy the problem is to > reload the switch and/or router (this affects many different systems > with very different software versions and hardware). "clear line X" > and "disconnect ssh X" have no effect. Is there some way to recover > from this situation other than reloading the switch? This output is > typical of a switch/router that has the problem: The TPLUS process is tacacs if I recall correctly. What do your tacacs server logs indicate is happening during the high CPU time? How are these users connecting? If it's async or VTY have you configured an idle exec timeout for those sessions? That should boot off idle users automatically. Justin From jeff at ocjtech.us Tue Jan 13 14:22:09 2009 From: jeff at ocjtech.us (Jeffrey Ollie) Date: Tue, 13 Jan 2009 13:22:09 -0600 Subject: [c-nsp] High CPU utilization caused by the TPLUS process In-Reply-To: <496CE854.3080003@justinshore.com> References: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com> <496CE854.3080003@justinshore.com> Message-ID: <935ead450901131122l43ab083fqe38023e2df958afb@mail.gmail.com> On Tue, Jan 13, 2009 at 1:15 PM, Justin Shore wrote: > Jeffrey Ollie wrote: >> >> Several times in the past month we have had high CPU utilization >> caused by the TPLUS process, which I think is caused by stuck CLI >> users. As far as I can tell the only way to remedy the problem is to >> reload the switch and/or router (this affects many different systems >> with very different software versions and hardware). "clear line X" >> and "disconnect ssh X" have no effect. Is there some way to recover >> from this situation other than reloading the switch? This output is >> typical of a switch/router that has the problem: > > The TPLUS process is tacacs if I recall correctly. What do your tacacs > server logs indicate is happening during the high CPU time? > > How are these users connecting? SSH.
> If it's async or VTY have you configured an idle exec timeout for those sessions? Yes. I set the exec-timeout to 30 minutes and it works in the normal case. > That should boot off idle users automatically. Unfortunately it does not. -- Jeff Ollie "You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe." -- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon" From jeff at ocjtech.us Tue Jan 13 14:26:11 2009 From: jeff at ocjtech.us (Jeffrey Ollie) Date: Tue, 13 Jan 2009 13:26:11 -0600 Subject: [c-nsp] High CPU utilization caused by the TPLUS process In-Reply-To: <496CE854.3080003@justinshore.com> References: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com> <496CE854.3080003@justinshore.com> Message-ID: <935ead450901131126m3de83325l3c65a45c1218ad5c@mail.gmail.com> Oops, forgot to respond to one question: On Tue, Jan 13, 2009 at 1:15 PM, Justin Shore wrote: > What do your tacacs server logs indicate is happening during the high CPU time? They show nothing. -- Jeff Ollie "You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe."
-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon" From mike-cisconsplist at tiedyenetworks.com Tue Jan 13 14:27:24 2009 From: mike-cisconsplist at tiedyenetworks.com (Mike) Date: Tue, 13 Jan 2009 11:27:24 -0800 Subject: [c-nsp] subscriber termination issues Message-ID: <496CEB1C.8020809@tiedyenetworks.com> Howdy, We are presently a PPPoE / freeRadius shop and have a custom in-house solution for pppoe subscriber termination (linux + custom scripts) that provides us with some very nice features, but at the cost of the risk of x86 cots hardware, no failover, and not gonna scale up as we begin to deploy ADSL. I would like to consider a cisco solution for PPPoE (and DHCP) but I don't know how or if the features I depend on would be supported or implementable under cisco, so here I am. We have a walled garden system that is applied to customers for different reasons that intercepts web requests and displays messages, such as "your account is seriously past due" or "Your service is disconnected due to AUP violations / virus activity", and such. It works by applying separate routing to that specific customer so that their packets are redirected thru the garden gateway. With cisco I think I can apply radius attributes to specify other gateways for the customer, but that requires killing the PPPoE session (under cisco), and that is not desirable. And for DHCP customers, I wouldn't even know where to begin to implement the same feature unless cisco can somehow create a pseudo interface of some kind and let me route that too. Secondly, we also provide one of three separate filtering rules to our subscriber accounts to enforce things like no direct-to-mx virus spam bots / no access to internal nets, or no mx filtering at all. Under the linux system it's radius + custom scripts to process the custom attributes and linux iptables to apply the filtering to the customer pppoe interface, but we're clueless where to start looking for a compatible cisco feature set.
Lastly, we actually provide great customer support and have built in tools (and have trained folks) to do packet captures in order to identify customer misconfiguration, locked up / insane home routers spewing garbage or disobeying protocol, and other common customer side troubles that keep our phones warm. My linux pppoe server lets my techs look people up by account name and also initiate a dump on that customer (internally, tcpdump on their mac address). I am wondering what or if there are compatible or superior cisco tools for doing same or similar operations in order to more fully support the customer base. This is important - I am not willing to spend 4 hours on the phone diagnosing the fact that the customer has a wrong dns server statically programmed into some device somewhere, I want to be able to do a dump and catch him in the act and then move on to the next call. Any takers? Thanks. From gert at greenie.muc.de Tue Jan 13 14:57:15 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 13 Jan 2009 20:57:15 +0100 Subject: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL In-Reply-To: <4502F03F8260234AB94179D6E1BDD0CF341FE43C30@VMBX113.ihostexchange.net> References: <4502F03F8260234AB94179D6E1BDD0CF341FE43B01@VMBX113.ihostexchange.net> <496C7C92.3050808@imperial.ac.uk> <4502F03F8260234AB94179D6E1BDD0CF341FE43C30@VMBX113.ihostexchange.net> Message-ID: <20090113195715.GE28188@greenie.muc.de> Hi, On Tue, Jan 13, 2009 at 01:49:30PM -0500, Manuel Marín wrote: > Anyone else has experience running MUX-UNI with cisco 6500s or with a similar issue? We're using MUX-UNI here with SXH3a, and so far, no nasty surprises. (But we're only lightly using it - 1 VLAN on the trunk, and a few EoMPLS subinterfaces) gert -- USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From tdurack at gmail.com Tue Jan 13 15:12:36 2009 From: tdurack at gmail.com (Tim Durack) Date: Tue, 13 Jan 2009 15:12:36 -0500 Subject: [c-nsp] 6500 12.2SX* Port-Channel Private VLAN support In-Reply-To: <9e246b4d0711071723n57888316gada835761c33f3b0@mail.gmail.com> References: <5EB3F2186312524B9473E17C1B5D642317C5B56C@USNWK101MSX.ww017.siemens.net> <9e246b4d0710241036h696cc777uc81d2f1d21931ca8@mail.gmail.com> <02f401c82192$3cd65380$fe00000a@speedy> <9e246b4d0711071723n57888316gada835761c33f3b0@mail.gmail.com> Message-ID: <9e246b4d0901131212g71bd4049x79e8ecf1ff71a84b@mail.gmail.com> (Resurrecting an old email chain.) I'm trying to use private-vlans on a SUP720 with SVIs, without success.
Config looks like:

interface GigabitEthernet1/5
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,48,348,648,948
 switchport private-vlan mapping 48 948
 switchport mode trunk
 switchport nonegotiate
 channel-group 48 mode active
 spanning-tree guard root
end

interface Port-channel48
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,48,348,648,948
 switchport mode trunk
 switchport nonegotiate
 mls qos trust dscp
 lacp fast-switchover
 spanning-tree guard root
end

interface Vlan48
 description USR_48
 ip address 10.1.48.3 255.255.255.0
 ip directed-broadcast 100
 ip pim sparse-mode
 private-vlan mapping 948
 arp timeout 300
 standby delay minimum 30 reload 60
 standby version 2
 standby 0 ip 10.1.48.1
 standby 0 priority 90
 standby 0 preempt delay minimum 300 reload 300
end

I can see arp entries being learned:

RTR-1#sh ip arp vl48
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.1.48.3            3  001b.0de7.7780  ARPA  Vlan48
Internet  10.1.48.2            -  001b.0de7.7bc0  ARPA  Vlan48
Internet  10.1.48.1            -  0000.0c9f.f000  ARPA  Vlan48
Internet  10.1.48.4            2  0019.bb0d.4d00  ARPA  Vlan48 pv 948
Internet  10.1.48.254          1  001e.3718.0cbb  ARPA  Vlan48 pv 948

But I cannot ping devices in the private-vlan, nor can devices ping the SVI. I know the Cisco docs say private-vlans and etherchannels don't mix, but they aren't very clear. I've tried without the etherchannel with the same problem. Any ideas? On Wed, Nov 7, 2007 at 8:23 PM, Tim Durack wrote: > On Nov 7, 2007 6:02 PM, Matt Buford wrote: >> > Good to know. I actually want to do something like: >> [...] >> >> interface Port-channel1 >> >> switchport trunk encapsulation dot1q >> >> switchport mode dynamic desirable >> >> switchport private-vlan host-association 44 400 >> >> switchport mode private-vlan host >> >> I'm confused about something else here. Why do you have dot1q listed when >> your switchport mode is not trunk?
You need to choose between vlan >> tagging/trunking, or untagged private vlan host port. You can't be both. > > That's because I'm not used to the Cisco way of doing things. For me > it's just tagged or untagged :-) > >> As for the Etherchannel restriction, my guess is that it is simply an ASIC >> restriction. Heck, on many (or all?) of the faste cards you can't even do >> Etherchannel in the same group of 12 ports as a pvlan host port. Since I >> use pvlan host ports heavily toward customers, I'm forced to just say that I >> do not support VLAN tagging downstream - ever. If I supported even 1, then >> suddenly I'd have a group of 11 other ports that techs would have to >> remember can't be used for any regular pvlan customers. On cards like >> ES-X6148-GE-TX the features are incompatible across groups of 24 ports! Too >> confusing, so I just don't allow tagging. The only tagging I do is on gbic >> based gig ports, which each have their own ASIC. >> >> You *CAN* tag private vlans through etherchannels. You just can't make an >> etherchannel into a pvlan host port. > > Okay - that's what I'm looking for. This is a distribution switch, > hosts will be attached to a connected access switch. > > There will be no "host" ports on the distribution, just "trunk" ports. > If I can group VLANs, I can maintain the same IP subnet, applying > different ACLs at the access layer. > >> From a production distribution level switch - trimmed down a bit: >> >> vlan 900 >> name pvlan >> private-vlan primary >> private-vlan association 901-902,905 >> ! >> vlan 901 >> name pvlan-isolated >> private-vlan isolated >> ! >> ! not bothering to list the other parts of this pvlan >> ! >> interface Port-channel1 >> switchport >> switchport trunk encapsulation dot1q >> switchport mode trunk >> no ip address >> ! >> interface GigabitEthernet7/1 >> switchport >> switchport trunk encapsulation dot1q >> switchport mode trunk >> no ip address >> channel-group 1 mode desirable >> ! 
>> interface GigabitEthernet7/12 >> switchport >> switchport trunk encapsulation dot1q >> switchport mode trunk >> no ip address >> channel-group 1 mode desirable >> >> Then, downstream of Po1 there is another 6500 in an access layer role which >> also contains vlan 900-902,905 and uses these for pvlan host ports. > > This seems logical, but the documentation isn't entirely clear. I'll > give this a shot! > > Tim:> > From pshem.k at gmail.com Tue Jan 13 15:18:40 2009 From: pshem.k at gmail.com (Pshem Kowalczyk) Date: Wed, 14 Jan 2009 09:18:40 +1300 Subject: [c-nsp] MPLS speakers behind unreliable link In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB089@xmb-ams-333.emea.cisco.com> References: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB089@xmb-ams-333.emea.cisco.com> Message-ID: <20fe625b0901131218y1cd19ad3x9ee5b7b5efe0d3c3@mail.gmail.com> Hi Oli, 2009/1/13 Oliver Boehmer (oboehmer) : > Pshem Kowalczyk <> wrote on Tuesday, January 13, 2009 01:18: {cut} >> 2. Somehow connecting all the remote PEs to local P/PEs (multiple >> remote PEs connected to one local P/PE) and using local PE as sort of >> aggregation point, that would hid the instability of the DSL network. >> We haven't done anything like this before, so I'm not even sure if it >> can work - using ISIS create L1 domains from the remote PEs, make the >> local P/PEs a L1L2 devices and use L2 to connect to the core. Would >> label distribution work in a scenario like that assuming LDP for the >> next-hop and MP-BGP for vpn information? After all a ISIS L1 is a >> completely stub network, so it shouldn't see any routes from L2. Is >> that the case also for LDP (i.e. LDP will not generate a label for a >> FEC (prefix) that is not advertised into a L1 domain?) > > This would work, but you would need to leak the BGP next-hops (or L2 PW > router-IDs) from the L2 into the L1 areas to provide an end-to-end LSP. > I would consider this a reasonable approach. 
Make sure you use a > dedicated loopback address range for all your remote devices so you can > easily create an ACL for route leaking ("redistribute isis ip level-2 > into level-1 distribute-list "). > > Obviously, the result of link flaps (i.e. loopbacks coming and going) > would still be propagated throughout the whole domain, but you can use a > less aggressive prc-interval setting on your nodes. So achieving > aggressive, sub-second ISIS convergence could be a challenge if the > network is not stable. What if I only distributed an aggregate out from the L1L2 device to cover all of the L1 loopbacks? Obviously this way the L1L2 box would have to do a L3 lookup, but this way there would be no flaps visible at all. I could do the same in the other direction (by injecting only loopbacks aggregate) into L1 domain. Or am I completely wrong here? kind regards Pshem From justin at justinshore.com Tue Jan 13 15:37:49 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 13 Jan 2009 14:37:49 -0600 Subject: [c-nsp] High CPU utilization caused by the TPLUS process In-Reply-To: <935ead450901131122l43ab083fqe38023e2df958afb@mail.gmail.com> References: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com> <496CE854.3080003@justinshore.com> <935ead450901131122l43ab083fqe38023e2df958afb@mail.gmail.com> Message-ID: <496CFB9D.10102@justinshore.com> Jeffrey Ollie wrote: >> That should boot of idle users automatically. > > Unfortunately it does not. It sounds to me like a good time to call TAC. When the feature doesn't work as it's supposed to then it's time to involve TAC. I'm getting ready to do the same thing with 2 such features right now. 
Justin From oboehmer at cisco.com Tue Jan 13 15:39:14 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 13 Jan 2009 21:39:14 +0100 Subject: [c-nsp] MPLS speakers behind unreliable link In-Reply-To: <20fe625b0901131218y1cd19ad3x9ee5b7b5efe0d3c3@mail.gmail.com> References: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB089@xmb-ams-333.emea.cisco.com> <20fe625b0901131218y1cd19ad3x9ee5b7b5efe0d3c3@mail.gmail.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB6C2@xmb-ams-333.emea.cisco.com> Pshem Kowalczyk wrote on Tuesday, January 13, 2009 21:19: > Hi Oli, > > 2009/1/13 Oliver Boehmer (oboehmer) : >> Pshem Kowalczyk <> wrote on Tuesday, January 13, 2009 01:18: > > {cut} > >>> 2. Somehow connecting all the remote PEs to local P/PEs (multiple >>> remote PEs connected to one local P/PE) and using local PE as sort >>> of aggregation point, that would hid the instability of the DSL >>> network. We haven't done anything like this before, so I'm not even >>> sure if it can work - using ISIS create L1 domains from the remote >>> PEs, make the local P/PEs a L1L2 devices and use L2 to connect to >>> the core. Would label distribution work in a scenario like that >>> assuming LDP for the next-hop and MP-BGP for vpn information? After >>> all a ISIS L1 is a completely stub network, so it shouldn't see any >>> routes from L2. Is that the case also for LDP (i.e. LDP will not >>> generate a label for a FEC (prefix) that is not advertised into a >>> L1 domain?) >> >> This would work, but you would need to leak the BGP next-hops (or L2 >> PW router-IDs) from the L2 into the L1 areas to provide an >> end-to-end LSP. I would consider this a reasonable approach. Make >> sure you use a dedicated loopback address range for all your remote >> devices so you can easily create an ACL for route leaking >> ("redistribute isis ip level-2 into level-1 distribute-list "). >> >> Obviously, the result of link flaps (i.e. 
loopbacks coming and going) >> would still be propagated throughout the whole domain, but you can >> use a less aggressive prc-interval setting on your nodes. So >> achieving aggressive, sub-second ISIS convergence could be a >> challenge if the network is not stable. > > What if I only distributed an aggregate out from the L1L2 device to > cover all of the L1 loopbacks? Obviously this way the L1L2 box would > have to do a L3 lookup, but this way there would be no flaps visible > at all. I could do the same in the other direction (by injecting only > loopbacks aggregate) into L1 domain. Or am I completely wrong here? unfortunately this doesn't work (yet [1]). Any aggregate breaks the end-to-end LSP that you need between the PEs for L2VPN/L3VPN services. So you would at least advertise the /32 loopbacks throughout the network. oli [1] http://tools.ietf.org/id/draft-swallow-mpls-aggregate-fec-01.txt From jeff at ocjtech.us Tue Jan 13 16:02:10 2009 From: jeff at ocjtech.us (Jeffrey Ollie) Date: Tue, 13 Jan 2009 15:02:10 -0600 Subject: [c-nsp] High CPU utilization caused by the TPLUS process In-Reply-To: <496CFB9D.10102@justinshore.com> References: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com> <496CE854.3080003@justinshore.com> <935ead450901131122l43ab083fqe38023e2df958afb@mail.gmail.com> <496CFB9D.10102@justinshore.com> Message-ID: <935ead450901131302n27bd3b3dse2c36c791b5fb3df@mail.gmail.com> On Tue, Jan 13, 2009 at 2:37 PM, Justin Shore wrote: > Jeffrey Ollie wrote: >>> >>> That should boot of idle users automatically. >> >> Unfortunately it does not. > > It sounds to me like a good time to call TAC. When the feature doesn't work > as it's supposed to then it's time to involve TAC. I'm getting ready to do > the same thing with 2 such features right now. I've done so, but no love so far. -- Jeff Ollie "You know, I used to think it was awful that life was so unfair. 
Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe." -- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon" From avayner at cisco.com Tue Jan 13 16:56:13 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Tue, 13 Jan 2009 22:56:13 +0100 Subject: [c-nsp] subscriber termination issues In-Reply-To: <496CEB1C.8020809@tiedyenetworks.com> References: <496CEB1C.8020809@tiedyenetworks.com> Message-ID: <78C984F8939D424697B15E4B1C1BB3D70B942B@xmb-ams-331.emea.cisco.com> Mike, The complexity and the economics of the solution would widely vary according to the scale you need to achieve, so if you could provide this info, it would be helpful. On the more general approach, this is a real whole solution, and not just a set of features you turn on in 10 minutes, so I would strongly suggest you work with a local Cisco representative (either an integration partner or maybe even Cisco pre-sales people). Now, to the technical details. I think what you are mostly looking for is called ISG in Cisco terminology (Intelligent Service Gateway), and the reference document is here: http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/12_2sr/isg_12_2sr_book.html http://www.cisco.com/web/HR/expo08/pdf/Damjan_Marion_ISG_Deployment_Models.pdf It's a big document, but I suggest you take a quick look in it before going a bit deeper. In general ISG can support both PPPoE and DHCP (called IP Sessions) clients. It can also do other kinds of PPP, like PPP over L2TP coming from a remote LAC. Cisco also has support for PPPoE (but not DHCP sessions) without ISG, but then you do not have the concept of a portal or dynamic services. ISG brings the concept of services per session and portal redirection.
Mind you that there are other solutions for just a walled garden we can discuss later on if you are interested. One word about the portal solution: it is separate from the Cisco solution and is delivered by partners. Look at: http://www.broadhop.com http://www.comability.com The latter also has a full customer care solution for many of the things you described. Arie
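Mike asks for a Cisco equivalent of running tcpdump keyed on one customer's MAC, and Justin's reply below is to SPAN the relevant interfaces and capture on a Unix box. The following is an added example, not from this thread and not part of any Cisco or Linux tool, of what the capture-side tooling looks like in Python: it reads a libpcap file such as one written from a SPAN port, selects frames by subscriber MAC the way the BPF filter 'ether host <mac>' does, and tallies which resolvers that subscriber is actually sending DNS queries to, which is the wrong-DNS-server case Mike describes. The capture, the MACs and the IP addresses are all constructed inside the code.

```python
"""Per-subscriber capture triage, in the spirit of 'tcpdump ether host <mac>'.

Reads a libpcap blob (Ethernet link type), keeps only frames to or from one
subscriber's MAC and counts the destinations of that subscriber's DNS queries.
The capture is constructed for this example: RFC 5737 addresses, made-up MACs.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet II + IPv4 (no options) + UDP; checksums left at zero for a synthetic capture."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + udp


def build_pcap(frames):
    """Little-endian libpcap global header followed by one record per frame."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = (struct.pack("<IIII", 1231843200 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames))
    return header + b"".join(records)


def iter_pcap(data):
    """Yield raw frames from a pcap blob, honouring the byte order the magic implies."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        bo = "<"
    elif magic == 0xD4C3B2A1:
        bo = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(bo + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(bo + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Extract the L2/L3/L4 fields needed for triage; non-IP frames yield MACs only."""
    info = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETH_P_IP or len(frame) < 34:
        return info
    l4 = 14 + (frame[14] & 0x0F) * 4   # Ethernet header + IHL in 32-bit words
    info.update(proto=frame[23], src_ip=ip_str(frame[26:30]), dst_ip=ip_str(frame[30:34]))
    if info["proto"] == IPPROTO_UDP and len(frame) >= l4 + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def subscriber_frames(pcap, mac):
    """Same selection as the BPF filter 'ether host <mac>'."""
    mac = mac.lower()
    return [d for d in map(decode_frame, iter_pcap(pcap)) if mac in (d["src_mac"], d["dst_mac"])]


def dns_servers_used(pcap, mac):
    """Destination IPs of the subscriber's outbound DNS queries, with counts."""
    return Counter(d["dst_ip"] for d in subscriber_frames(pcap, mac)
                   if d["src_mac"] == mac.lower() and d.get("dport") == 53)


# Constructed sample capture (not real traffic).
SUBSCRIBER_MAC = "00:11:22:33:44:55"
OTHER_MAC = "00:11:22:33:44:66"
GATEWAY_MAC = "00:aa:bb:cc:dd:ee"
ISP_RESOLVER = "198.51.100.53"
STALE_RESOLVER = "203.0.113.1"   # a resolver address hard-coded on the customer's equipment


def sample_capture():
    return build_pcap([
        build_udp_frame(SUBSCRIBER_MAC, GATEWAY_MAC, "192.0.2.10", ISP_RESOLVER, 40000, 53),
        build_udp_frame(SUBSCRIBER_MAC, GATEWAY_MAC, "192.0.2.10", STALE_RESOLVER, 40001, 53),
        build_udp_frame(SUBSCRIBER_MAC, GATEWAY_MAC, "192.0.2.10", STALE_RESOLVER, 40002, 53),
        build_udp_frame(GATEWAY_MAC, SUBSCRIBER_MAC, ISP_RESOLVER, "192.0.2.10", 53, 40000),
        build_udp_frame(OTHER_MAC, GATEWAY_MAC, "192.0.2.11", ISP_RESOLVER, 40003, 53),
    ])
```

Calling dns_servers_used(sample_capture(), SUBSCRIBER_MAC) returns two queries to 203.0.113.1 and one to the ISP resolver, which is the evidence a tech wants before the long phone call. Filtering on the subscriber's MAC rather than IP is what makes this work on a shared broadcast or PPPoE segment, where the IP is often unknown or recycled; on a SPAN of a routed core link, as Justin describes, the subscriber MAC is rewritten at the first hop and IP is the only key left.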
From justin at justinshore.com Tue Jan 13 17:04:13 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 13 Jan 2009 16:04:13 -0600 Subject: [c-nsp] subscriber termination issues In-Reply-To: <496CEB1C.8020809@tiedyenetworks.com> References: <496CEB1C.8020809@tiedyenetworks.com> Message-ID: <496D0FDD.7000503@justinshore.com> Mike wrote: > Howdy, > Lastly, we actually provide great customer support and have built in > tools (and have trained folks) to do packet captures in order to > identify customer misconfiguration, locked up / insane home routers > spewing garbage or disobeying protocol, and other common customer side > troubles that keep our phones warm. My linux pppoe server lets my techs > look people up by account name and also initiate a dump on that customer > (internally, tcpdump on their mac address). I am wondering what or if > there are compatible or superior cisco tools for doing same or similar > operations in order to more fully support the customer base. This is > important - I am not willing to spend 4 hours on the phone diagnosing > the fact that the customer has a wrong dns server statically programmed > into some device somewhere, I want to be able to do a dump and catch him > in the act and then move on to the next call. Mike, I'm afraid I can't help you with the first 2 problems though I am definitely interested in setting up a walled garden myself for much the same reasons you already have. On the 3rd topic I do have some input. I currently do something similar myself with a set of span ports on our core routers. This allows me to capture customer traffic and diagnose issues much more effectively without taking the customer's word for what is happening (frankly the customer is always wrong when it comes to technical details).
I usually leave my monitor sessions set up spanning the interfaces connected to our border routers but I swing them around as needed to face other devices. Depending on your network design you could do something similar. That gets your guys back to tcpdump which they're already familiar with. The downside is that they will have to pick out the target host by IP (implying that they have to determine the IP in advance). The dump may also not catch the right interfaces (like the interface heading to where your DNS server resides) which requires the tech to realize this and for someone to have to change the monitor session. The last one can be mitigated with careful network design (ie, not using SVIs in your core for server farms and instead routing downstream to another server farm router/switch). Other option is a multi-port mirroring appliance. With it you mirror all links from edge devices connecting to your core to a sniffing server. That's a bit of a kludge as well I'm afraid. Perhaps it will prompt a better idea though. Justin From scott.wolfe at cybera.net Tue Jan 13 17:46:11 2009 From: scott.wolfe at cybera.net (Scott Wolfe) Date: Tue, 13 Jan 2009 16:46:11 -0600 Subject: [c-nsp] subscriber termination issues In-Reply-To: <496CEB1C.8020809@tiedyenetworks.com> References: <496CEB1C.8020809@tiedyenetworks.com> Message-ID: <48FAC036AD7B7642BB2944FB9AE674A30410B38A@EXCHANGE.nashville.cybera.net> At the risk of making a few people on this list upset for suggesting this, but you may also want to look into a Juniper solution. Specifically, the E-Series routers do a great job with B-RAS services in our network. We bring in PPPoE sessions from ADSL circuits and it works great. Also, Juniper has a product for dynamic policy creation called SDX. We use the product to setup walled gardens for our WiFi HotSpot solutions for customers who have connections on our E-Series routers. 
Scott Wolfe Cybera, Inc -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Sent: Tuesday, January 13, 2009 1:27 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] subscriber termination issues Howdy, We are presently a PPPoE / freeRadius shop and have a custom in-house solution for pppoe subscriber termination (linux + custom scripts) that provides us with some very nice features, but at the cost of the risk of x86 cots hardware, no failover, and not gonna scale up as we begin to deploy ADSL. I would like to consider a cisco solution for PPPoE (and DHCP) but I don't know how or if the features I depend on would be supported or implementable under cisco, so here I am. We have a walled garden system that is applied to customers for different reasons that intercepts web requests and displays messages, such as "your account is seriously past due" or "Your service is disconnected due to AUP violations / virus activity", and such. It works by applying separate routing to that specific customer so that their packets are redirected thru the garden gateway. With cisco I think I can apply radius attributes to specify other gateways for the customer, but that requires killing the PPPoE session (under cisco), and that is not desirable. And for DHCP customers, I wouldn't even know where to begin to implement the same feature unless cisco can somehow create an pseudo interface of some kind and let me route that too. Secondly, we also provide one of three separate filtering rules to our subscriber accounts to enforce things like no direct-to-mx virus spam bots / no access to internal nets, or no mx filtering at all. Under the linux system it's radius + custom scripts to process the custom attributes and linux iptables to apply the filtering to the customer pppoe interface, but we're clueless where to start looking for a compatible cisco feature set. 
Lastly, we actually provide great customer support and have built-in tools (and have trained folks) to do packet captures in order to identify customer misconfiguration, locked up / insane home routers spewing garbage or disobeying protocol, and other common customer-side troubles that keep our phones warm. My Linux PPPoE server lets my techs look people up by account name and also initiate a dump on that customer (internally, tcpdump on their MAC address). I am wondering what or if there are compatible or superior Cisco tools for doing the same or similar operations in order to more fully support the customer base. This is important - I am not willing to spend 4 hours on the phone diagnosing the fact that the customer has a wrong DNS server statically programmed into some device somewhere; I want to be able to do a dump and catch him in the act and then move on to the next call.

Any takers?

Thanks.

From sluggaro at gmail.com Tue Jan 13 17:50:37 2009
From: sluggaro at gmail.com (Adam g)
Date: Tue, 13 Jan 2009 14:50:37 -0800
Subject: [c-nsp] Management Interface 2960
Message-ID: <8981cd330901131450v45adeeb9k6e47a70d5a04edb9@mail.gmail.com>

Is there any way to use a loopback interface as a management interface on a 2960? The option to create the loopback is there, but no management is available when I try to telnet. I've never used a loopback on a pure layer 2 device before, just curious to see if it was possible.

Thanks

From brad.henshaw at qcn.com.au Tue Jan 13 19:15:19 2009
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Wed, 14 Jan 2009 10:15:19 +1000
Subject: [c-nsp] Policing Confusion
Message-ID: <8B25B862BC09784B9B74FB950D4F64D406CC87@qcnapp01.corp.qcn>

Aaron Riemer wrote:
> Thanks for all the comments guys, you have clarified this for me.
> It is a bit disappointing to know that you can't really manipulate the types of traffic inbound, only outbound. I understand why though.

Just to revive this one while cleaning out my e-mail: another option, depending on your model of router, might be to restrain TCP-based flows to your remote sites by using traffic shaping on egress into your LANs (i.e. use a shaping output policy on the LAN interface at the remote sites). In terms of config cleanliness this is a bit messy, but it might do the job if you don't want to use an inbound WAN policer or a complex output policy at the central site.

Regards,
Brad

From James.Baker at chelmer.co.nz Tue Jan 13 19:33:50 2009
From: James.Baker at chelmer.co.nz (James Baker)
Date: Wed, 14 Jan 2009 13:33:50 +1300
Subject: [c-nsp] Management Interface 2960
In-Reply-To: <8981cd330901131450v45adeeb9k6e47a70d5a04edb9@mail.gmail.com>
References: <8981cd330901131450v45adeeb9k6e47a70d5a04edb9@mail.gmail.com>
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD86988B@chmaexch.chelmer.co.nz>

Hi Adam

Loopback is only available on Layer 3 devices. Refer: http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_a_loopback_interface_in_Cisco_Catalyst_switch

James

From bitkraft at gmail.com Tue Jan 13 21:44:54 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Tue, 13 Jan 2009 18:44:54 -0800
Subject: [c-nsp] High CPU utilization caused by the TPLUS process
In-Reply-To: <935ead450901131302n27bd3b3dse2c36c791b5fb3df@mail.gmail.com>
References: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com> <496CE854.3080003@justinshore.com> <935ead450901131122l43ab083fqe38023e2df958afb@mail.gmail.com> <496CFB9D.10102@justinshore.com> <935ead450901131302n27bd3b3dse2c36c791b5fb3df@mail.gmail.com>
Message-ID: <505b616c0901131844x2cc90a45gd8f1a62d87c5c8a2@mail.gmail.com>

Try clearing the TCP process on the router.

On Tue, Jan 13, 2009 at 1:02 PM, Jeffrey Ollie wrote:
> On Tue, Jan 13, 2009 at 2:37 PM, Justin Shore wrote:
> > Jeffrey Ollie wrote:
> >>> That should boot off idle users automatically.
> >>
> >> Unfortunately it does not.
> >
> > It sounds to me like a good time to call TAC. When the feature doesn't work as it's supposed to then it's time to involve TAC. I'm getting ready to do the same thing with 2 such features right now.
>
> I've done so, but no love so far.
>
> --
> Jeff Ollie

From ismath.shaan at gmail.com Tue Jan 13 22:26:24 2009
From: ismath.shaan at gmail.com (Basha)
Date: Wed, 14 Jan 2009 12:26:24 +0900
Subject: [c-nsp] Router Per Destination Load balancing
Message-ID:

Hi Guys,

Say I have 2 512kbps links between 2 routers and I am doing per-destination load balancing. If I start a session which requires more than 512 kbps of traffic, how does the router handle the excess traffic? Does it send it via the other link? Does it drop the traffic?

Shaun

From td_miles at yahoo.com Tue Jan 13 22:42:40 2009
From: td_miles at yahoo.com (Tony)
Date: Tue, 13 Jan 2009 19:42:40 -0800 (PST)
Subject: [c-nsp] Router Per Destination Load balancing
In-Reply-To:
Message-ID: <940628.36808.qm@web110106.mail.gq1.yahoo.com>

--- On Wed, 14/1/09, Basha wrote:
> Say I have 2 512kbps links between 2 routers and I am doing per-destination load balancing. If I start a session which requires more than 512 kbps of traffic, how does the router handle the excess traffic? Does it send it via the other link? Does it drop the traffic?

If you are doing per-destination sharing then the behaviour will be the same (for that traffic) as if you didn't have the 2nd 512k link.
The traffic will queue until it exceeds buffers and then be dropped. Depending on what sort of traffic it is, a higher level protocol may notice the dropped packets and implement some sort of flow control to slow the session down (but that has nothing to do with the router).

regards,
Tony.

From jeff at ocjtech.us Tue Jan 13 23:07:40 2009
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Tue, 13 Jan 2009 22:07:40 -0600
Subject: [c-nsp] High CPU utilization caused by the TPLUS process
In-Reply-To: <505b616c0901131844x2cc90a45gd8f1a62d87c5c8a2@mail.gmail.com>
References: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com> <496CE854.3080003@justinshore.com> <935ead450901131122l43ab083fqe38023e2df958afb@mail.gmail.com> <496CFB9D.10102@justinshore.com> <935ead450901131302n27bd3b3dse2c36c791b5fb3df@mail.gmail.com> <505b616c0901131844x2cc90a45gd8f1a62d87c5c8a2@mail.gmail.com>
Message-ID: <935ead450901132007l1c068181s2efd8ca78f12fde0@mail.gmail.com>

On Tue, Jan 13, 2009 at 8:44 PM, Brian Spade wrote:
> Try clearing the TCP process on the router.

I tried just about every variation of "clear tcp" I could find, but the stuck CLI user is still there. Is there something I'm missing? AFAICS there is no TCP connection associated with the stuck CLI user anymore.

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe."
-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"

From trejrco at gmail.com Tue Jan 13 23:21:16 2009
From: trejrco at gmail.com (TJ)
Date: Tue, 13 Jan 2009 23:21:16 -0500
Subject: [c-nsp] IPv6 HSRP Support in 12.0S? ... into SLAAC
In-Reply-To: <49623B0C.2080506@imperial.ac.uk>
References: <17838240D9A5544AAA5FF95F8D520316054781F6@ad-exh01.adhost.lan> <20090105145832.GT8535@greenie.muc.de> <49623B0C.2080506@imperial.ac.uk>
Message-ID: <002d01c975ff$8b706900$a2513b00$@com>

> Gert Doering wrote:
>> Hi,
>>
>> On Mon, Jan 05, 2009 at 02:38:17PM +0000, David Freedman wrote:
>>> Even when you get it, it is only implemented for link-local addresses so you have to use RA or static routes :(
>>
>> Unfortunate, indeed. Do you know whether there is work in progress to get it fixed/improved to handle "global" router IP addresses?
>>
>> While it might not follow the IETF's vision of "how things should be", we prefer to configure our servers' default route towards well-known router addresses (::1), and have them ignore RAs...

And nothing stops manual configuration, with perhaps a minor tweak in the address of that default gateway (IMHO fe80::1 is not the right approach!).

> There is significant difference of opinion in the IETF about the value and future of RA in IPv6, as I found out recently when I tried to figure out how IPv6 DHCP was supposed to work (answer: the spec is broken)

IMHO, and I could be wrong, I think that was really a very vocal minority ... the vast majority of people I deal with, clients I work with, etc. have no problem with RAs being used, for the default route host configuration anyway. (FWIW - SLAAC vs (stateful) DHCPv6 both have advantages for the rest of the host-config pieces, and I see no reason to not have both be available)

> This thread (if you have an afternoon free) and surrounding threads are worth reading:
>
> http://marc.info/?l=ipng&m=122391355810549&w=2
>
> As far as I could tell:
>
> * IPv6 and the RA mechanism were spec'ed back when DHCPv4 was not widely used, and IPX autoconfig was the model they were aiming for
>
> * Virtually no work has been done in the field since then, so the hard-learnt lessons of the last decade in IPv4 are simply not there in IPv6

Or perhaps consensus continues to favor IPv6's current approach?

> * There are a lot of architecture astronauts in the IETF (IPSec for ND - whose idea was that?)

Well, SEND has promise ...

> * The stateful-address/stateful-other bits in the RA are junk.
>
> The posts by David Hankins of the ISC agree with my personal position, including this one:
>
> http://marc.info/?l=ipng&m=122406652232186&w=2

Again, I think we are far from having consensus on RA deprecation ... while the current handling of the M & O bits is far from optimal, I don't see the RAs themselves going away.

/TJ

From techconfig at yahoo.com Wed Jan 14 03:48:19 2009
From: techconfig at yahoo.com (Mark Tech)
Date: Wed, 14 Jan 2009 00:48:19 -0800 (PST)
Subject: [c-nsp] 7600 interfaces not showing as down
References: <878787.8129.qm@web44816.mail.sp1.yahoo.com> <64a8ad980901130910t752e60a4qffa656f7dc0fa48d@mail.gmail.com> <1231868819.12678.3.camel@localhost.localdomain>
Message-ID: <963508.43342.qm@web44808.mail.sp1.yahoo.com>

Got it, seems to work well, thanks all

----- Original Message ----
From: Peter Rathlev
To: Mark Tech
Cc: cisco-nsp at puck.nether.net
Sent: Tuesday, January 13, 2009 5:46:59 PM
Subject: Re: [c-nsp] 7600 interfaces not showing as down

On Tue, 2009-01-13 at 08:29 -0800, Mark Tech wrote:
> I have some WS-X6748-SFP and WS-X6748-GE-TX installed on a 7600 chassis. If I remove a cable on an interface, there is nothing in the log to say that the interface is down. Is there a way around this?

On Tue, 2009-01-13 at 12:10 -0500, chip wrote:
> add:
>  logging event link-status
>
> under each int

You could also use "logging event link-status default" in global config. Then you don't have to configure each interface.

Regards,
Peter

From hank at efes.iucc.ac.il Wed Jan 14 04:53:01 2009
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Wed, 14 Jan 2009 11:53:01 +0200
Subject: [c-nsp] Where do you buy used Cisco equipment?
Message-ID: <5.1.0.14.2.20090114115015.00b021d8@efes.iucc.ac.il>

1) I do not want to hear from resellers - I would like to hear from users - where do you buy your used Cisco equipment?
2) How do you handle IOS downloads for used equipment? What do you need to buy from Cisco for this?
3) What about servicing? Does Cisco offer service contracts to someone buying used equipment?

Thanks,
Hank

From gabbarsingh9009 at yahoo.com Wed Jan 14 05:17:46 2009
From: gabbarsingh9009 at yahoo.com (Gabbar)
Date: Wed, 14 Jan 2009 02:17:46 -0800 (PST)
Subject: [c-nsp] CCIE tracks
Message-ID: <786893.37962.qm@web46214.mail.sp1.yahoo.com>

Hi,

Anyone working in a service provider or telco and done the CCIE (service provider)? I'm thinking of doing this, but am not sure of the value/differences compared with, say, the CCIE (routing/switching) track.

Any comments, opinions will be appreciated.

Regards,
Gabb.

From eng_mssk at hotmail.com Wed Jan 14 06:04:49 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 14 Jan 2009 13:04:49 +0200
Subject: [c-nsp] CCIE tracks
In-Reply-To: <786893.37962.qm@web46214.mail.sp1.yahoo.com>
References: <786893.37962.qm@web46214.mail.sp1.yahoo.com>
Message-ID:

hey man, please contact dewan at fasttelco.net, he has 2 CCIEs, service provider and R&S

Best Regards,
Mohammad Khalil

From kharananda at subisu.net.np Wed Jan 14 06:20:52 2009
From: kharananda at subisu.net.np (kharananda)
Date: Wed, 14 Jan 2009 17:05:52 +0545
Subject: [c-nsp] L2TP problem in Cisco 1841
Message-ID: <496DCA94.7050404@subisu.net.np>

Dear All,

Is there any issue with L2TP in the Cisco 1841? I am using the "c1841-adventerprisek9-mz.124-16.bin" IOS. I am facing drops after a few successive ping packets. Can it be an MTU issue? I tried the global config "ip tcp path-mtu-discovery" to address it if it is an MTU issue, but in vain.

Regards,
Khara Nanda Luitel.
From baimoung at inet.co.th Wed Jan 14 05:30:30 2009
From: baimoung at inet.co.th (Charuntorn Baimoung)
Date: Wed, 14 Jan 2009 17:30:30 +0700 (ICT)
Subject: [c-nsp] SNMP OID cpu&mem on 6500
In-Reply-To: <786893.37962.qm@web46214.mail.sp1.yahoo.com>
References: <786893.37962.qm@web46214.mail.sp1.yahoo.com>
Message-ID:

Hi

How can I know the SNMP OIDs for CPU & mem, and maybe pps, for each module on a 6500? Somebody help me.

Thanks,
Charuntorn

------------------------------------------
Network Operation Center (NC)
Internet Thailand Public Company Limited
Tel : +662-257-7111
Fax : +662-257-7275
------------------------------------------

From ahasa at abcom.al Wed Jan 14 06:32:08 2009
From: ahasa at abcom.al (Aljula Hasa)
Date: Wed, 14 Jan 2009 12:32:08 +0100
Subject: [c-nsp] Stream Association Failed: Requested codec=0x5=g711ulaw, Negotiated codec=0xFFFFFFFF=No Code
Message-ID: <200901141132.n0EBW9SU023482@icc.icc-al.org>

Hi,

I am trying to run a TCL IVR v2.0 script. The voice/audio is not heard. The TCL IVR application seems to run ok, but I don't hear voice, for the reason Stream Association Failed: Requested codec=0x5=g711ulaw, Negotiated codec=0xFFFFFFFF=No Code. How to set codec g711ulaw in the gateway? The dial-peer is pots.

From b.turnbow at twt.it Wed Jan 14 07:14:14 2009
From: b.turnbow at twt.it (Brian Turnbow)
Date: Wed, 14 Jan 2009 13:14:14 +0100
Subject: [c-nsp] Stream Association Failed: Requested codec=0x5=g711ulaw, Negotiated codec=0xFFFFFFFF=No Code
In-Reply-To: <200901141132.n0EBW9SU023482@icc.icc-al.org>
References: <200901141132.n0EBW9SU023482@icc.icc-al.org>
Message-ID:

A POTS dial peer cannot have a codec. You need to place it in the VoIP dial peer. The default codec is g729; you can change it by setting a default codec class using voice class codec.

Regards
Brian

From dave.kruger at za.verizonbusiness.com Wed Jan 14 07:35:37 2009
From: dave.kruger at za.verizonbusiness.com (Dave Kruger)
Date: Wed, 14 Jan 2009 14:35:37 +0200
Subject: [c-nsp] CCIE tracks
In-Reply-To: <786893.37962.qm@web46214.mail.sp1.yahoo.com>
References: <786893.37962.qm@web46214.mail.sp1.yahoo.com>
Message-ID: <496DDC19.7060104@za.verizonbusiness.com>

Hey Gabb

I've worked for two internet providers (one was a telco) - and attempted the SP lab exam in November. And I must say, the majority of the topics in the blueprint are used in the real world. I haven't attempted R&S yet - but from what I understand SP concentrates more on BGP, and in particular MBGP and MPLS (the way I understand it is there is no VRF configuration in R&S), where VPNs are very important for SPs, as you can also see from the lab exam blueprint: http://www.cisco.com/web/learning/le3/ccie/sp/lab_exam_blueprint.html compared to http://www.cisco.com/web/learning/le3/ccie/rs/lab_exam_blueprint.html

Now I've read people complaining about CCIE SP being the "forgotten" or "lost" CCIE track - because the blueprint hasn't been updated for a while, the lab uses old IOSes (http://www.cisco.com/web/learning/le3/ccie/sp/lab_equipment.html) and the equipment isn't really typical equipment that big service providers use. Even though this is all true - the concepts and technologies tested in the exam and used in the real world aren't really that platform dependent, and the ones that are are only slightly different (like dCEF on distributed platforms vs CEF on the ones used in the lab). (IOS-XR is obviously a different story........) And you won't ever get a single exam that covers all the topics/technologies typically used by a company. The exam gives you a good foundation; the concepts won't be too foreign for you when you encounter them on bigger/other platforms.

And apparently there are plans to update the blueprint for SP, so if you aren't in too much of a hurry, maybe wait a bit longer for that.

--
Regards,
Dave Kruger
Internet Architect
Verizon Business
240 Main Avenue Newlands 7700 South Africa
Telephone +27 21 658 8700
Customer Service 08600 88638
http://www.www.isp.co.za
http://www.verizonbusiness.com/za

From Anton.Schweitzer at o2.com Wed Jan 14 08:02:46 2009
From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com)
Date: Wed, 14 Jan 2009 14:02:46 +0100
Subject: [c-nsp] X25 / PAD / Aux Port Problem
Message-ID:

Hi,

we need to connect a cash box to a Cisco router. It seems there is a solution using the aux port of the router for this. I got a config for a router, but something seems missing or not correct. We want to use service pad to-xot and pad from-xot. The thing is that I'm a total X25 idiot, so maybe somebody can tell me what's missing or wrong:

We used the blue console cable to connect the aux port to the cash box, which is a PC COM port.

> service pad to-xot
> service pad from-xot
> !
> !
> x29 profile pos 1:0 2:0 3:0 4:5 5:0 6:5 7:6 8:0 9:0 10:0 12:0 13:0 14:0 15:0 16:0 17:0 18:0 19:0 20:0 21:0 22:0
> !
> x25 route .*01.....$ substitute-source 4123 xot 192.168.1.1 xot-keepalive-period 20 xot-keepalive-tries 3 xot-source Loopback2
> x25 route 0232.*$ substitute-source 4125 xot 192.1.1.65 xot-keepalive-period 20 xot-keepalive-tries 3 xot-source Loopback2
> x25 host Kunde_A 12345678
> !
> line aux 0
>  session-timeout 1
>  no motd-banner
>  exec-timeout 0 0
>  no flush-at-activation
>  script startup clear
>  authorization exec aux
>  login authentication aux
>  modem Dialin
>  rotary 6
>  autocommand x28 profile pos noescape
>  transport input pad
>  transport output all
>  escape-character BREAK
>  stopbits 1
If somebody can explain how it should work at all, that would be a great HELP.

Cheers and Thx
Anton

Anton Schweitzer
Senior Specialist BS Projekt & Service Customer Design
o2 (Germany) GmbH & Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobil +49(0)176-23407715
Fax +49(0)89-2442-4281
anton.schweitzer at o2.com

From snar at snar.spb.ru Wed Jan 14 07:09:04 2009
From: snar at snar.spb.ru (Alexandre Snarskii)
Date: Wed, 14 Jan 2009 15:09:04 +0300
Subject: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL
In-Reply-To: <4502F03F8260234AB94179D6E1BDD0CF341FE43C30@VMBX113.ihostexchange.net>
References: <4502F03F8260234AB94179D6E1BDD0CF341FE43B01@VMBX113.ihostexchange.net> <496C7C92.3050808@imperial.ac.uk> <4502F03F8260234AB94179D6E1BDD0CF341FE43C30@VMBX113.ihostexchange.net>
Message-ID: <20090114120904.GA97088@snar.spb.ru>

On Tue, Jan 13, 2009 at 01:49:30PM -0500, Manuel Marín wrote:
> Hi Phil
>
> Attached are the SVI and interface configs
>
> #TRUNK TO CISCO 3750
> interface GigabitEthernet6/24
>  description "Barrancas"
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk native vlan 1000
>  mls qos vlan-based
>  no cdp enable
> end
>
> #SUBint configured for EoMPLS
> interface GigabitEthernet2/2.578
>  encapsulation dot1Q 578
>  xconnect 172.16.10.2 4505 encapsulation mpls
>  service-policy input 2Mbps
>  service-policy output 2Mbps
> end
> interface GigabitEthernet2/2.576
>  encapsulation dot1Q 576
>  xconnect 172.16.10.4 4501 encapsulation mpls
> end
>
> #SVIS (Most of them have a policer and an access-list attached)
>
> interface Vlan102
>  description "Victory Packaging [Voip]"
>  ip address 10.10.1.73 255.255.255.252
>  ip access-group Proteccion-VoipMngt out
>  service-policy input 2Mbps
>  service-policy output 2Mbps
> end
>
> Anyone else has experience running MUX-UNI with Cisco 6500s or with a similar issue?

We've been running MUX-UNI on 6509s since the SRA1 IOS; now some of the new installations are running SXH3[a]. No issues like yours. Those new installations usually have 30-50 VCs configured...

PS: if MUX-UNI is a required feature, you may try to downgrade to SRA7..

> Thanks
>
> -----Original Message-----
> From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
> Sent: Tuesday, January 13, 2009 4:36 AM
> To: Manuel Marín
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL
>
> Manuel Marín wrote:
> > Hi,
> >
> > We are experiencing a weird issue with a Cisco 6513 with either the SXH or SXI software version. We have some SVI interfaces and a couple of 802.1Q trunk ports connected to other Cisco 3750s. Everything seems to be working, but suddenly we get the following error and all SVIs change to administratively down. We can't downgrade to SXF because we have to use the MUX-UNI feature in order to use sub-interfaces on a switch port.
> >
> > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action)
> > -Traceback= 40F0CC34 40F6E3CC 40698CB4 40F6E7BC 40F87BF8 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08
> > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (!pm_vlan_port_forward_gbitlist_test(vd, pd->globalNumber): ../switch/pm/pm_vlan.c: 1372: pm_vlan_rem_port)
> > -Traceback= 40F0CC34 40F63C18 40F87C18 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08 40ACF674 40AD0120
> > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action)
>
> That's a traceback, so you want to open a TAC case.
>
> If you could show more config, i.e. of the gig ports as well, it might give a hint, but if I had to take a wild guess I'd say it's a bug in the MUX-UNI.

From rblayzor.bulk at inoc.net Wed Jan 14 08:58:58 2009
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Wed, 14 Jan 2009 08:58:58 -0500
Subject: [c-nsp] Securing a shared IP SAN
Message-ID: <9A8C6A5E-4648-47FA-88E6-C01386877935@inoc.net>

I have a project where I need to implement a shared IP SAN (iSCSI) network of about a dozen users with various clients. Since everything is in one colo, I'd like to keep this simple by keeping it layer 2 as much as possible and not get into the mess of having the client have to use routes to get to our IP SAN targets. Both the iSCSI SAN targets and all the initiators will be connected via our 6509s.
Initially the idea was to just put each user into their own VLAN and just trunk up to the ISCSI SAN targets and just multi-home the IP SAN box. Since then, I've learned that the IP SAN boxes do not support VLAN tagging. (long story). It was suggested to me to then just setup everything as routed L3 in a VRF and just control access with everything via ACL's. While I can do this, I don't want to get into the complexity of having the users have to setup routes to get to the SAN, etc. I also have a concern of IP routing performance vs L2 switching performance. The other idea I had was to create one VLAN, and one larger subnet and designate IP blocks within that subnet to the clients. I could easily throw ACL's on the ingress switchports to limit access via a extended IP ACL, but I had an issue of limiting invalid ARP's for IP's from the clients. ie: clients doing ARP spoofing or poisoning if they get pwnd. I know you can do ARP filtering on the VLAN level, but how can I accomplish limiting ARP for only certain ranges of IP's on a per interface level, while still maintaining the ability to do the L3 ACL on the ingress? I'm not overly concerned what mac-addresses are ARPing for IP's on the switchport, I can control that with port- security, but I'm concerned with them sending arps for ranges of IP's they're not allowed to use. Of course I'm open to any other suggestions on securing this at L2, keeping in mind two things. The ISCSI target cannot talk VLANing and cannot be multihomed. (I guess it makes best use via MPIO in the ISCSI protocol) It would of been a lot easier if it just supported 802.3ad and VLANing, but I don't have that option. Also there may be just one or more than one client behind each switch port, (ie: servers from another switch may be connected to the 6509). 
TIA

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From ross at kallisti.us Wed Jan 14 10:14:07 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 14 Jan 2009 10:14:07 -0500
Subject: [c-nsp] Securing a shared IP SAN
In-Reply-To: <9A8C6A5E-4648-47FA-88E6-C01386877935@inoc.net>
References: <9A8C6A5E-4648-47FA-88E6-C01386877935@inoc.net>
Message-ID: <20090114151406.GA8727@kallisti.us>

On Wed, Jan 14, 2009 at 08:58:58AM -0500, Robert Blayzor wrote:
> Of course I'm open to any other suggestions on securing this at L2,
> keeping in mind two things. The ISCSI target cannot talk VLANing and
> cannot be multihomed. (I guess it makes best use via MPIO in the
> ISCSI protocol) It would have been a lot easier if it just supported
> 802.3ad and VLANing, but I don't have that option. Also there may be
> just one or more than one client behind each switch port, (i.e. servers
> from another switch may be connected to the 6509).

I realize that I'm not answering your question, but...

I'd strongly suggest you reconsider the bias against L3 separation. It's vastly simpler and, so long as you are doing hardware forwarding on the 6500, it has no performance impact. I've got a few VLANs of iSCSI installations that work like this and it's great. Once the server guys know they'll need a static route for the iSCSI storage, you're done with that difficulty.

You may find that you need multiple VLANs anyhow, depending on the storage system's requirements for iSCSI multipath and redundant storage gateways. You may not be using these features now, but you will probably want them in the future.

Your performance issues are going to be from saturating links anyway. Make sure you don't have traffic boomeranging up and down the same link. The easiest way to ensure this is either to cable the storage system directly to the 6500, or cable it to a dedicated access-layer switch that has a port-channel back to the 6500.
--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie

From rblayzor.bulk at inoc.net Wed Jan 14 10:30:51 2009
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Wed, 14 Jan 2009 10:30:51 -0500
Subject: [c-nsp] Securing a shared IP SAN
In-Reply-To: <20090114151406.GA8727@kallisti.us>
References: <9A8C6A5E-4648-47FA-88E6-C01386877935@inoc.net> <20090114151406.GA8727@kallisti.us>
Message-ID: <05EC1737-B091-4079-931C-45D20C5AD28B@inoc.net>

On Jan 14, 2009, at 10:14 AM, Ross Vandegrift wrote:
> I'd strongly suggest you reconsider the bias against L3 separation.
> It's vastly simpler and, so long as you are doing hardware forwarding
> on the 6500, it has no performance impact. I've got a few VLANs of
> iSCSI installations that work like this and it's great. Once the
> server guys know they'll need a static route for the iSCSI storage,
> you're done with that difficulty.

I do realize that L3 in the grand scheme of things makes security easier (at least on the network side), but it does come with more admin overhead. Where we may have the routing capacity today, we may not tomorrow.

We're actually looking at pvlans for this now. That would prevent the customers from seeing each other, and only allow them to access the targets on the promiscuous ports. We would then be able to use ARP inspection and ARP ACLs to limit the IP addresses they can ARP for, and we'd also be able to ACL their ingress.

Doing L3 routing is not out of the question. Something we can easily do with a VRF. We just want to remove the extra step of having them have to add the routes on each device to access the SAN.
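As an added example that is not part of Robert's post or of anything else in this thread, here is a Catalyst 6500 IOS fragment that realizes the switch-side controls he describes (Dynamic ARP Inspection with a static ARP ACL, port-security, and an ingress port ACL) on a single shared SAN VLAN. The VLAN number, subnet, host addresses and MAC addresses are made-up placeholders.

```cisco
! Added example, not from the thread. Made-up values:
!   shared SAN VLAN 100, subnet 10.200.0.0/24
!   customer A block 10.200.0.16/28 behind Gi3/1 (two hosts shown)
!   iSCSI target 10.200.0.250 on Gi3/48 (no VLAN tagging support)
!
! 1. Dynamic ARP Inspection on the SAN VLAN. Every ARP packet arriving on an
!    untrusted port must match an entry in the ARP ACL; the "static" keyword
!    drops anything that does not match instead of falling back to DHCP
!    snooping bindings (there is no DHCP on this segment).
arp access-list SAN-ARP-BINDINGS
 permit ip host 10.200.0.17 mac host 0000.0c00.a001
 permit ip host 10.200.0.18 mac host 0000.0c00.a002
!
ip arp inspection vlan 100
ip arp inspection filter SAN-ARP-BINDINGS vlan 100 static
ip arp inspection validate src-mac dst-mac ip
!
! 2. Port ACL applied at ingress of the customer port: the customer may only
!    source packets from its assigned block and only talk to the target.
!    Replies from the target enter on Gi3/48, which carries no port ACL.
ip access-list extended SAN-CUSTA-IN
 permit tcp 10.200.0.16 0.0.0.15 host 10.200.0.250 eq 3260
 permit icmp 10.200.0.16 0.0.0.15 host 10.200.0.250
 deny   ip any any
!
interface GigabitEthernet3/1
 description Customer A server (untrusted for DAI)
 switchport
 switchport mode access
 switchport access vlan 100
 ! 3. Port-security pins the customer's MACs to this port; a MAC secured
 !    here is a violation if it shows up on another secured port, so the
 !    IP-to-MAC pairs in the ARP ACL stay bound to this interface.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip access-group SAN-CUSTA-IN in
 spanning-tree portfast
!
interface GigabitEthernet3/48
 description iSCSI target
 switchport
 switchport mode access
 switchport access vlan 100
 ip arp inspection trust
!
! Verification: "show ip arp inspection vlan 100" shows the attached filter,
! "show ip arp inspection statistics vlan 100" counts ACL drops, and
! "show port-security interface GigabitEthernet3/1" lists the secured MACs.
```

One ARP ACL entry is needed per address a customer is allowed to use; the DAI drop counters are the place to watch for a host attempting to ARP as an address outside its block.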
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From SIngram at clayton.com Wed Jan 14 10:31:52 2009
From: SIngram at clayton.com (Scott Ingram)
Date: Wed, 14 Jan 2009 10:31:52 -0500
Subject: [c-nsp] BGP default-originate route
Message-ID:

I'm trying to assess the best options on implementing site redundancy to the "network default-originate" for all my MPLS sites' Internet traffic. I'm trying to validate if I could have 2 CE's within the MPLS network using the default-originate and supply the best path.

IMPORTANT NOTICE: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this message in error, you are hereby notified that we do not consent to any reading, dissemination, distribution or copying of this message. If you have received this communication in error, please notify the sender immediately and destroy the transmitted information.

From eng_mssk at hotmail.com Wed Jan 14 10:56:16 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 14 Jan 2009 17:56:16 +0200
Subject: [c-nsp] Cisco ACS
Message-ID:

Hey all,
I'm trying to use Cisco ACS v3.3 as a RADIUS server with modification of av-pair attributes. Can this be done? Does anyone have a document that assists with this?
Thanks in advance

From ian.mackinnon at lumison.net Wed Jan 14 11:07:01 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Wed, 14 Jan 2009 16:07:01 +0000
Subject: [c-nsp] GRE on Cat-4948 switch
Message-ID: <496E0DA5.1020204@lumison.net>

Hi All,

Does anybody have any idea of the impact of running multiple GRE tunnels on a 4948 switch?
I can see that it will be processed by software rather than hardware, but just how much of a problem is this likely to be? I am only talking about a max of 100M of GRE traffic, amongst a couple of Gig of total traffic.

thanks

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email.

From psirt at cisco.com Wed Jan 14 11:00:00 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 14 Jan 2009 17:00:00 +0100
Subject: [c-nsp] Cisco Security Advisory: Cisco ONS Platform Crafted Packet Vulnerability
Message-ID: <200901141701.ons@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco ONS Platform Crafted Packet Vulnerability

Advisory ID: cisco-sa-20090114-ons

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

---------------------------------------------------------------------

Summary
=======

The Cisco ONS 15300 series Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiservice Platform, and the Cisco ONS 15600 Multiservice Switching Platform contain a vulnerability when processing TCP traffic streams that may result in a reload of the device control card.

Cisco has released free software updates that address this vulnerability.
There are no workarounds that mitigate this vulnerability. Several mitigations exist that can limit the exposure of this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco ONS products are vulnerable if running affected software versions:

  * Cisco ONS 15310-CL and 15310-MA
  * Cisco ONS 15327
  * Cisco ONS 15454 and 15454 SDH
  * Cisco ONS 15600

Consult the section "Software Versions and Fixes" within this advisory for affected software versions. To determine your software version, view the Help > About window in the CTC management software.

Products Confirmed Not Vulnerable
+--------------------------------

The following Cisco ONS products are confirmed not vulnerable:

  * Cisco ONS 15800 Series
  * Cisco ONS 15500 Series Extended Service Platform
  * Cisco ONS 15302
  * Cisco ONS 15305
  * Cisco ONS 15200 Series Metro DWDM Systems
  * Cisco ONS 15190 Series IP Transport Concentrator

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The affected Cisco 15310-CL, 15310-MA, ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 hardware is managed through the CTX, CTX2500, XTC, TCC/TCC+/TCC2/TCC2P, TCCi/TCC2/TCC2P, and TSC control cards respectively. These control cards are usually connected to a Data Communications Network (DCN). In this context the term DCN is used to denote the network that transports management information between a management station and the network entity (NE). This definition of DCN is sometimes referred to as Management Communication Network (MCN). The DCN is usually physically or logically separated from the optical data network and isolated from the Internet. This limits the exposure to the exploitation of this vulnerability from the Internet.
A crafted stream of TCP traffic to the control cards on a node will result in a reset of the corresponding control cards on this node. A complete 3-way handshake is required on any open TCP port to be able to exploit this vulnerability.

The timing for the data channels traversing the switch is provided by the control cards. When an active and a standby Cisco ONS 15310-MA, ONS 15310-CL, ONS 15327, ONS 15454 or ONS 15454 SDH control card reloads at the same time, the synchronous data channels traversing the switch drop traffic until the card comes back online. Asynchronous data channels traversing the switch are not impacted. Manageability functions provided by the network element using the CTX, CTX2500, XTC or TCC/TCC+/TCC2/TCC2P control cards are not available until the control card comes back online.

On the Cisco ONS 15600 hardware, whenever both the active and standby control cards are rebooting at the same time, there is no impact to the data channels traversing the switch because the TSC performs a software reset which does not impact the timing being provided by the TSC for the data channels. Manageability functions provided by the network element through the TSC control cards are not available until the control card comes back online.

This vulnerability is documented in Cisco bug ID CSCsr41128 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3818.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CVSS Base Score - 7.8
    Access Vector          : Network
    Access Complexity      : Low
    Authentication         : None
    Confidentiality Impact : None
    Integrity Impact       : None
    Availability Impact    : Complete

CVSS Temporal Score - 6.4
    Exploitability         : Functional
    Remediation Level      : Official-Fix
    Report Confidence      : Confirmed

Impact
======

Successful exploitation of this vulnerability will result in a reset of the node's control card. Repeated attempts to exploit this vulnerability could result in a sustained DoS condition, dropping the synchronous data channels traversing the switch (Cisco ONS 15310-MA, ONS 15310-CL, ONS 15327, ONS 15454, ONS 15454 SDH) and preventing manageability functions provided by the network element control cards (all ONS switches) until the control card comes back online.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

+-------------------------------------------------------------------------+
| Affected Major Release          | First Fixed Release                    |
|---------------------------------+----------------------------------------|
| 7.0                             | Note: Releases prior to 7.0.2 are not  |
|                                 | vulnerable. First fixed in 7.0.7       |
|---------------------------------+----------------------------------------|
| 7.2                             | Note: Releases prior to 7.2.2 are not  |
|                                 | vulnerable. First fixed in 7.2.3       |
|---------------------------------+----------------------------------------|
| 8.0                             | Vulnerable; migrate to 8.5.3 or later. |
|---------------------------------+----------------------------------------|
| 8.5                             | Note: Releases prior to 8.5.1 are not  |
|                                 | vulnerable. First fixed in 8.5.3       |
|---------------------------------+----------------------------------------|
| 9.0                             | Not vulnerable.                        |
+-------------------------------------------------------------------------+

Note: Releases prior to 7.0 are not affected by this vulnerability.

Workarounds
===========

There are no workarounds for this vulnerability. The following general mitigation actions help prevent remote exploitation:

  * Isolate DCN: Ensuring the DCN is physically or logically separated from the customer network and isolated from the Internet will limit the exposure to the exploitation of these vulnerabilities from the Internet or customer networks.

  * Apply Transit Access Control Lists: Apply access control lists (ACLs) on routers / switches / firewalls installed in front of the vulnerable network devices such that TCP/IP traffic destined for the CTX, CTX2500, XTC, TCC2/TCC2+/TCC2P, or TSC control cards on the ONS is allowed only from the network management workstations.
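The transit ACL mitigation above, as an added Cisco IOS example that is not part of the advisory: the filter sits inbound on the router interface that faces the customer network, and only the named management stations may reach the control-card address range of the DCN. All addresses and the interface name are made-up placeholders.

```cisco
! Added example, not from the advisory. Made-up addressing:
!   management (CTC/NMS) workstations : 192.0.2.10 and 192.0.2.11
!   ONS control-card DCN range        : 198.51.100.0/24
! Only the management stations may open TCP sessions towards the control
! cards; every other packet addressed to the DCN is dropped and logged so
! that attempts are visible in syslog. Transit traffic for other
! destinations is not affected.
ip access-list extended DCN-PROTECT-IN
 remark --- management stations to the ONS control cards ---
 permit tcp host 192.0.2.10 198.51.100.0 0.0.0.255
 permit tcp host 192.0.2.11 198.51.100.0 0.0.0.255
 permit udp host 192.0.2.10 198.51.100.0 0.0.0.255 eq snmp
 permit udp host 192.0.2.11 198.51.100.0 0.0.0.255 eq snmp
 remark --- anything else towards the DCN: drop and log ---
 deny   tcp any 198.51.100.0 0.0.0.255 log
 deny   udp any 198.51.100.0 0.0.0.255 log
 deny   ip  any 198.51.100.0 0.0.0.255 log
 remark --- traffic not destined for the DCN passes unchanged ---
 permit ip any any
!
interface GigabitEthernet0/1
 description Towards customer network / Internet edge (made-up)
 ip access-group DCN-PROTECT-IN in
!
! Verification: "show ip access-lists DCN-PROTECT-IN" shows per-entry hit
! counts; the logged denies appear as %SEC-6-IPACCESSLOGP (TCP/UDP) and
! %SEC-6-IPACCESSLOGNP (other IP) messages.
```

Because the ACL is applied inbound on the untrusted side only, replies from the control cards back to the management stations are not filtered by it.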
    For examples on how to apply ACLs on Cisco routers, refer to the white paper "Transit Access Control Lists: Filtering at Your Edge", which is available at the following link: http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090114-ons.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels.
For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was found by reviewing Cisco TAC service requests.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
================

+-------------------------------------------------------------+
| Revision 1.0   | 2009-January-14   | Initial public release |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt

From mmg at transtelco.net Wed Jan 14 11:59:50 2009
From: mmg at transtelco.net (Manuel Marín)
Date: Wed, 14 Jan 2009 11:59:50 -0500
Subject: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL
In-Reply-To: <20090114120904.GA97088@snar.spb.ru>
References: <4502F03F8260234AB94179D6E1BDD0CF341FE43B01@VMBX113.ihostexchange.net> <496C7C92.3050808@imperial.ac.uk> <4502F03F8260234AB94179D6E1BDD0CF341FE43C30@VMBX113.ihostexchange.net> <20090114120904.GA97088@snar.spb.ru>
Message-ID: <4502F03F8260234AB94179D6E1BDD0CF341FE43E87@VMBX113.ihostexchange.net>

Does the SRA IOS version work for the Cisco 6513?
Checking the Cisco download section for the Cisco 6513, it seems that only SXH, SXF and SXI are available for the 6513 with WS-SUP720-3BXL.

-----Original Message-----
From: Alexandre Snarskii [mailto:snar at snar.spb.ru]
Sent: Wednesday, January 14, 2009 5:09 AM
To: Manuel Marín
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL

On Tue, Jan 13, 2009 at 01:49:30PM -0500, Manuel Marín wrote:
> Hi Phil
>
> Attached are the SVI and interface configs
>
>
> #TRUNK TO CISCO 3750
> interface GigabitEthernet6/24
>  description "Barrancas"
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk native vlan 1000
>  mls qos vlan-based
>  no cdp enable
> end
>
>
> #SUBint configured for EoMPLS
> interface GigabitEthernet2/2.578
>  encapsulation dot1Q 578
>  xconnect 172.16.10.2 4505 encapsulation mpls
>  service-policy input 2Mbps
>  service-policy output 2Mbps
> end
> interface GigabitEthernet2/2.576
>  encapsulation dot1Q 576
>  xconnect 172.16.10.4 4501 encapsulation mpls
> end
>
> #SVIS (Most of them have a policer and an access-list attached)
>
> interface Vlan102
>  description "Victory Packaging [Voip]"
>  ip address 10.10.1.73 255.255.255.252
>  ip access-group Proteccion-VoipMngt out
>  service-policy input 2Mbps
>  service-policy output 2Mbps
> end
>
>
> Does anyone else have experience running MUX-UNI with Cisco 6500s or
> with a similar issue?

We've been running MUX-UNI on 6509's since SRA1 IOS; now some of the new installations are running SXH3[a]. No issues like yours. Those new installations usually have 30-50 vc's configured...

PS: if MUX-UNI is a required feature, you may try to downgrade to SRA7..
>
> Thanks
>
> -----Original Message-----
> From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
> Sent: Tuesday, January 13, 2009 4:36 AM
> To: Manuel Marín
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL
>
> Manuel Marín wrote:
> > Hi,
> >
> > We are experiencing a weird issue with a Cisco 6513 with either SXH or SXI software version. We have some SVI interfaces and a couple of 802.1Q trunk ports connected to other Cisco 3750s. Everything seems to be working but suddenly we get the following error and all SVIs change to administratively down. We can't downgrade to SXF because we have to use the MUX-UNI feature in order to use sub interfaces in a switch port.
> >
> > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action)
> > -Traceback= 40F0CC34 40F6E3CC 40698CB4 40F6E7BC 40F87BF8 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08
> > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (!pm_vlan_port_forward_gbitlist_test(vd, pd->globalNumber): ../switch/pm/pm_vlan.c: 1372: pm_vlan_rem_port)
> > -Traceback= 40F0CC34 40F63C18 40F87C18 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08 40ACF674 40AD0120
> > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action)
>
> That's a traceback, so you want to open a TAC case.
>
> If you could show more config i.e. of the gig ports as well it might
> give a hint, but if I had to take a wild guess I'd say it's a bug in the
> MUX-UNI.
From toebivankenoebi at gmail.com Wed Jan 14 12:04:08 2009
From: toebivankenoebi at gmail.com (Tobias König)
Date: Wed, 14 Jan 2009 18:04:08 +0100
Subject: [c-nsp] IPv6 redistribute bgp into ospf
Message-ID: <5a9bb9700901140904l456e32e7p81cf8cb68b2144fe@mail.gmail.com>

Hi there

I ran into a problem when trying to redistribute a BGP IPv6 route into OSPF. The scenario looks like the following:

router0 <-- ospf (10:10:10::4/126) --> router1 <-- bgp (10:10:10::/126) --> router2

Router2 advertises an IPv6 prefix (20:20:20::/48) via iBGP to router1; this part works flawlessly. Router1 should then redistribute that route into its OSPF process and advertise it to router0, which unfortunately it doesn't. (When redistributing a static route on router1 into OSPF, router0 sees that prefix.)

Maybe one of you has an idea of what could be wrong, or can provide a hint on where to find detailed info. You can find the corresponding configs at the bottom.

The config was tested with the following platforms and IOS -> always the same result:

c2800nm-advipservicesk9-mz.124-19
c3640-js-mz.124-23.bin
c3640-ik9s-mz.124-19.bin

Thanks in advance for any inputs.
Cheers
Tobias

---- sh ipv6 route

R0#sh ipv6 route
C   10:10:10::4/126 [0/0]
     via ::, FastEthernet0/0

R1#sh ipv6 route
C   10:10:10::/126 [0/0]
     via ::, FastEthernet1/0
C   10:10:10::4/126 [0/0]
     via ::, FastEthernet0/0
B   20:20:20::/48 [200/0]
     via 10:10:10::2

R2#sh ipv6 route
B   ::/0 [200/0]
     via 10:10:10::1
C   10:10:10::/126 [0/0]
     via ::, FastEthernet0/0
S   20:20:20::/48 [1/0]
     via ::, Null0

Config:
=====

router0:
----
interface FastEthernet0/0
 ipv6 address 10:10:10::5/126
 ipv6 enable
 ipv6 ospf 1 area 0

ipv6 router ospf 1
 router-id 10.10.10.0
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/0
----

router1:
----
interface FastEthernet0/0
 ipv6 address 10:10:10::6/126
 ipv6 enable
 ipv6 ospf 1 area 0
!
interface FastEthernet1/0
 ipv6 address 10:10:10::1/126
 ipv6 enable
!
router bgp 10
 bgp router-id 10.10.10.1
 bgp log-neighbor-changes
 neighbor 10:10:10::2 remote-as 10
 neighbor 10:10:10::2 version 4
 !
 address-family ipv4
  no neighbor 10:10:10::2 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv6
  neighbor 10:10:10::2 activate
  neighbor 10:10:10::2 send-community
  neighbor 10:10:10::2 default-originate
  neighbor 10:10:10::2 soft-reconfiguration inbound
  no synchronization
 exit-address-family

ipv6 router ospf 1
 router-id 10.10.10.1
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/0
 redistribute bgp 10
----

router2:
----
interface FastEthernet0/0
 ipv6 address 10:10:10::2/126
 ipv6 enable
!
router bgp 10
 bgp router-id 10.10.10.2
 bgp log-neighbor-changes
 neighbor 10:10:10::1 remote-as 10
 neighbor 10:10:10::1 version 4
 !
 address-family ipv4
  no neighbor 10:10:10::1 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv6
  neighbor 10:10:10::1 activate
  neighbor 10:10:10::1 send-community
  neighbor 10:10:10::1 soft-reconfiguration inbound
  network 20:20:20::/48
 exit-address-family
!
ipv6 route 20:20:20::/48 Null0
----

From psirt at cisco.com Wed Jan 14 12:15:00 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wednesday, 14 January 2009 11:15:00 -0600
Subject: [c-nsp] Cisco Security Advisory: IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities
Message-ID: <200901141115.ironport@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities

Advisory ID: cisco-sa-20090114-ironport

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

IronPort PXE Encryption is an e-mail encryption solution that is designed to secure e-mail communications without the need for a Public Key Infrastructure (PKI) or special agents on receiving systems. When an e-mail message is targeted for encryption, the PXE encryption engine on an IronPort e-mail gateway encrypts the original e-mail message as an HTML file and attaches it to a notification e-mail message that is sent to the recipient. The per-message key used to decrypt the HTML file attachment is stored on a local IronPort Encryption Appliance, PostX software installation or the Cisco Registered Envelope Service, which is a Cisco-managed software service.

PXE Encryption Privacy Vulnerabilities
+-------------------------------------

The IronPort PXE Encryption solution is affected by two vulnerabilities that could allow unauthorized individuals to view the contents of secure e-mail messages. To exploit the vulnerabilities, attackers must first intercept secure e-mail messages on the network or via a compromised e-mail account.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

IronPort Encryption Appliance devices contain two vulnerabilities that could allow unauthorized users to gain access to the IronPort Encryption Appliance administration interface and modify other users' settings. These vulnerabilities do not affect Cisco Registered Envelope Service users.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for the vulnerabilities that are described in this advisory.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following IronPort Encryption Appliance/PostX versions are affected by these vulnerabilities:

  * All PostX 6.2.1 versions prior to 6.2.1.1
  * All PostX 6.2.2 versions prior to 6.2.2.3
  * All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
  * All IronPort Encryption Appliance/PostX 6.2.5 versions
  * All IronPort Encryption Appliance/PostX 6.2.6 versions
  * All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
  * All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
  * All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2

The version of software that is running on an IronPort Encryption Appliance is located on the About page of the IronPort Encryption Appliance administration interface.

Note: Customers should contact IronPort support to determine which software fixes are applicable for their environment. Please consult the Obtaining Fixed Software section of this advisory for more information.

Products Confirmed Not Vulnerable
+--------------------------------

IronPort C, M and S-Series appliances are not affected by these vulnerabilities.
Although C-Series appliances can be configured to use a local IronPort Encryption Appliance for per-message key retention, the C-Series appliances are not vulnerable. The Cisco Registered Envelope Service is not vulnerable.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Note: IronPort tracks bugs using an internal system that is not available to customers. The IronPort bug tracking identifiers are provided for reference only.

PXE Encryption Privacy Vulnerabilities
+-------------------------------------

Individual PXE Encryption users are vulnerable to two message privacy vulnerabilities that could allow an attacker to gain access to sensitive information. All the vulnerabilities require an attacker to first intercept a secure e-mail message as a condition for successful exploitation. Attackers can obtain secure e-mail messages by monitoring a network or a compromised user e-mail account.

The IronPort Encryption Appliance contains a logic error that could allow an attacker to obtain the unique, per-message decryption key that is used to protect the content of an intercepted secure e-mail message without user interaction. Using the decryption key, an attacker could decrypt the contents of the secure e-mail message. This vulnerability is documented in IronPort bug 8062 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0053.

By modifying the contents of intercepted secure e-mail messages or by forging a close copy of the e-mail message, it may be possible for an attacker to convince a user to view a modified secure e-mail message and then cause the exposure of the user's credentials and message content. Please see the Workarounds section for more information on mitigations available to reduce exposure to these phishing-style attacks. This vulnerability is documented in IronPort bug 8149 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0054.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

The administration interface of IronPort Encryption Appliance devices contains a cross-site request forgery (CSRF) vulnerability that could allow an attacker to modify a user's IronPort Encryption Appliance preferences, including their user name and personal security pass phrase, if the user is logged into the IronPort Encryption Appliance administration interface. Exploitation of the vulnerability will not allow an attacker to change a user's password. This vulnerability is documented in IronPort bug 5806 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055.

The administration interface of IronPort Encryption Appliance devices also contains a cross-site request forgery (CSRF) vulnerability that could allow an attacker to execute a command and modify a user's IronPort Encryption Appliance preferences, including their user name and personal security pass phrase, under certain circumstances when a user logs out of the IronPort Encryption Appliance administration interface. Exploitation of the vulnerability will not allow an attacker to change a user's password. This vulnerability is documented in IronPort bug 6403 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0056.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
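For readers who want to check the scores in this section rather than take them on trust, the following is an added worked example (editor's code, not part of the Cisco advisory and not a Cisco tool): it implements the CVSS v2.0 base, temporal and environmental equations with the weights from the v2.0 specification, reproduces the base and temporal scores Cisco lists for IronPort bugs 8062, 8149, 5806 and 6403, and then carries one of them through the environmental step the advisory leaves to the customer. The environmental inputs in the example call (collateral damage potential, target distribution, and the C/I/A requirements) are hypothetical values chosen only to illustrate that step.

```python
# Added example, not part of the Cisco advisory: a CVSS v2.0 calculator
# that reproduces the advisory's base and temporal scores and shows the
# customer-side environmental step. Weights are from the CVSS v2.0 guide.
import math

ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}
EXPLOITABILITY = {"Unproven": 0.85, "Proof-of-Concept": 0.9, "Functional": 0.95,
                  "High": 1.0, "Not Defined": 1.0}
REMEDIATION = {"Official Fix": 0.87, "Temporary Fix": 0.90, "Workaround": 0.95,
               "Unavailable": 1.0, "Not Defined": 1.0}
CONFIDENCE = {"Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.0,
              "Not Defined": 1.0}
COLLATERAL = {"None": 0.0, "Low": 0.1, "Low-Medium": 0.3, "Medium-High": 0.4,
              "High": 0.5, "Not Defined": 0.0}
TARGET_DIST = {"None": 0.0, "Low": 0.25, "Medium": 0.75, "High": 1.0,
               "Not Defined": 1.0}
REQUIREMENT = {"Low": 0.5, "Medium": 1.0, "High": 1.51, "Not Defined": 1.0}

VECTOR_CODES = {
    "AV": {"Local": "L", "Adjacent Network": "A", "Network": "N"},
    "AC": {"High": "H", "Medium": "M", "Low": "L"},
    "Au": {"Multiple": "M", "Single": "S", "None": "N"},
    "C": {"None": "N", "Partial": "P", "Complete": "C"},
    "E": {"Unproven": "U", "Proof-of-Concept": "POC", "Functional": "F",
          "High": "H", "Not Defined": "ND"},
    "RL": {"Official Fix": "OF", "Temporary Fix": "TF", "Workaround": "W",
           "Unavailable": "U", "Not Defined": "ND"},
    "RC": {"Unconfirmed": "UC", "Uncorroborated": "UR", "Confirmed": "C",
           "Not Defined": "ND"},
}
VECTOR_CODES["I"] = VECTOR_CODES["A"] = VECTOR_CODES["C"]

# The four vulnerabilities with the metric values exactly as the advisory scores them.
ADVISORY_VULNS = {
    8062: dict(AV="Network", AC="Medium", Au="None", C="Complete", I="None", A="None",
               E="Functional", RL="Official Fix", RC="Confirmed"),
    8149: dict(AV="Network", AC="High", Au="None", C="Complete", I="Partial", A="None",
               E="Functional", RL="Official Fix", RC="Confirmed"),
    5806: dict(AV="Network", AC="Medium", Au="None", C="Partial", I="Partial", A="None",
               E="Functional", RL="Official Fix", RC="Confirmed"),
    6403: dict(AV="Network", AC="Medium", Au="None", C="Partial", I="Partial", A="None",
               E="Functional", RL="Official Fix", RC="Confirmed"),
}


def round1(x):
    """CVSS v2 round_to_1_decimal: nearest tenth, halves rounded up."""
    return math.floor(x * 10 + 0.5) / 10


def impact_subscore(v, cr="Not Defined", ir="Not Defined", ar="Not Defined"):
    """Impact = 10.41*(1-(1-C)(1-I)(1-A)); the CR/IR/AR multipliers give AdjustedImpact."""
    return 10.41 * (1 - (1 - IMPACT[v["C"]] * REQUIREMENT[cr])
                      * (1 - IMPACT[v["I"]] * REQUIREMENT[ir])
                      * (1 - IMPACT[v["A"]] * REQUIREMENT[ar]))


def exploitability_subscore(v):
    """Exploitability = 20*AccessVector*AccessComplexity*Authentication."""
    return 20 * ACCESS_VECTOR[v["AV"]] * ACCESS_COMPLEXITY[v["AC"]] * AUTHENTICATION[v["Au"]]


def combine(impact, exploitability):
    """BaseScore = ((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact), f=0 when Impact=0."""
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(v):
    return combine(impact_subscore(v), exploitability_subscore(v))


def temporal_score(v, base=None):
    """TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence."""
    base = base_score(v) if base is None else base
    return round1(base * EXPLOITABILITY[v["E"]] * REMEDIATION[v["RL"]] * CONFIDENCE[v["RC"]])


def environmental_score(v, cdp, td, cr, ir, ar):
    """Customer-side score: AdjustedTemporal from the clipped AdjustedImpact, then CDP and TD."""
    adjusted_impact = min(10.0, impact_subscore(v, cr, ir, ar))
    adjusted_base = combine(adjusted_impact, exploitability_subscore(v))
    adjusted_temporal = temporal_score(v, adjusted_base)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * COLLATERAL[cdp]) * TARGET_DIST[td])


def vector_string(v):
    """Render the metrics in the standard CVSS v2 vector notation."""
    order = ("AV", "AC", "Au", "C", "I", "A", "E", "RL", "RC")
    return "/".join(f"{m}:{VECTOR_CODES[m][v[m]]}" for m in order)


def score_advisory():
    """Return {bug: (base, temporal)} for the vulnerabilities in the advisory."""
    return {bug: (base_score(v), temporal_score(v)) for bug, v in ADVISORY_VULNS.items()}


if __name__ == "__main__":
    for bug, (base, temporal) in score_advisory().items():
        print(f"IronPort bug {bug}: {vector_string(ADVISORY_VULNS[bug])} base={base} temporal={temporal}")
    # Hypothetical environment: the key store matters most for confidentiality,
    # every appliance is exposed (TD High), moderate collateral damage.
    print("environmental (bug 8062, hypothetical inputs):",
          environmental_score(ADVISORY_VULNS[8062], "Medium-High", "High", "High", "Medium", "Low"))
```

Running it prints 7.1/5.9, 6.1/5.0, 5.8/4.8 and 5.8/4.8, matching the advisory; the environmental line shows how a high confidentiality requirement on the key-holding appliance pushes the 8062 score above its published temporal value, which is the kind of local adjustment the advisory refers customers to the CVSS calculator for.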
Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062

CVSS Base Score - 7.1
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 5.9
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

PXE Encryption Phishing Vulnerabilities - IronPort Bug 8149

CVSS Base Score - 6.1
    Access Vector - Network
    Access Complexity - High
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 5
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

IronPort Encryption Appliance CSRF Vulnerability - IronPort Bug 5806

CVSS Base Score - 5.8
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 4.8
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

IronPort Encryption Appliance Logout Action CSRF Vulnerability - IronPort Bug 6403

CVSS Base Score - 5.8
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 4.8
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

Impact
======

PXE Encryption Privacy Vulnerabilities
+-------------------------------------

Successful exploitation of these vulnerabilities could allow an attacker to obtain user credentials and view the contents
of intercepted secure e-mail messages, which could result in the disclosure of sensitive information.

IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

Successful exploitation of these vulnerabilities could allow an attacker to access user accounts on an IronPort Encryption Appliance device, which could result in the modification of user preferences.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

Workarounds
===========

There are no workarounds for the vulnerabilities that are described in this advisory.

There are mitigations available to help prevent exploitation of the PXE Encryption phishing-style vulnerability. Phishing attacks can be greatly reduced if DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are implemented on IronPort e-mail gateways to help ensure message integrity and source origin. Additionally, the PXE Encryption solution contains an anti-phishing Secure Pass Phrase feature to ensure that secure notification e-mail messages are valid. This feature is enabled by recipients when configuring their PXE user profile.

Cisco has released a best practices document that describes several techniques to mitigate against the phishing-style attacks that is available at the following link:
http://www.cisco.com/web/about/security/intelligence/bpiron.html

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities.

The affected products in this advisory are directly supported by IronPort, and not via the Cisco TAC organization. Customers should contact IronPort technical support at the link below to obtain software fixes.
IronPort technical support will assist customers in determining the correct fixes and installation procedures. Customers should direct all warranty questions to IronPort technical support. Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

http://www.ironport.com/support/contact_support.html

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

J.B. Snyder of Brintech reported a method for obtaining PXE Encryption user credentials via a phishing-style attack to Cisco. All other vulnerabilities were discovered by Cisco or reported by customers.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |                 | Initial  |
|   1.0    | 2009-January-14 | public   |
|          |                 | release  |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iD8DBQFJbhoo86n/Gc8U/uARAjuxAJ4oLc1JjS7N9728Ueb6JB7Y2LVJtACfaSfA
A6WIz481vajHya3jIlp+/Xc=
=cFJ6
-----END PGP SIGNATURE-----

From brhedlun at cisco.com Wed Jan 14 12:14:20 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Wed, 14 Jan 2009 11:14:20 -0600
Subject: [c-nsp] BGP default-originate route
In-Reply-To:
Message-ID:

On 1/14/09 9:31 AM, "Scott Ingram" wrote:

> I'm trying to assess the best options on implementing site redundancy to the
> " network default-originate " for all my MPLS sites Internet traffic. I'm
> trying to validate if I could have 2 CE's within the MPLS network using the
> default-originate and supply the best path.
Scott, This is possible, but depending on what exactly you are trying to accomplish will determine what amount of cooperation is needed from your SP, or not. You can send two default routes from two different CE locations, but the SP routing protocol will make the best path decision as to which site will receive the internet traffic. Do you not care which site gets the internet traffic and just let it run haphazardly? If so, fire away and see what happens. Do you want regional selectivity? This might "just work" as well with default routing behavior within SP. For example where all east cost PE's find the east cost CE default route as the lowest metric without any special configuration. Do you want load balancing, sending half of your sites to different locations? Or do you want one site primary and the other standby only? Unless you want it haphazard you will likely want to talk with your SP engineer to discuss the routing options. Cheers, Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org From SIngram at clayton.com Wed Jan 14 12:19:07 2009 From: SIngram at clayton.com (Scott Ingram) Date: Wed, 14 Jan 2009 12:19:07 -0500 Subject: [c-nsp] BGP default-originate route References: Message-ID: Brad, Thanks for the reply and the thought process. I think to keep it simple all I want is to do "one site primary and the other standby only". ________________________________ From: Brad Hedlund [mailto:brhedlun at cisco.com] Sent: Wed 1/14/2009 12:14 PM To: Scott Ingram; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] BGP default-originate route On 1/14/09 9:31 AM, "Scott Ingram" wrote: > I'm trying to assess the best options on implementing site redundancy to the > " network default-originate " for all my MPLS sites Internet traffic. I'm > trying to validate if I could have 2 CE's within the MPLS network using the > default-originate and supply the best path. 
Scott, This is possible, but depending on what exactly you are trying to accomplish will determine what amount of cooperation is needed from your SP, or not. You can send two default routes from two different CE locations, but the SP routing protocol will make the best path decision as to which site will receive the internet traffic. Do you not care which site gets the internet traffic and just let it run haphazardly? If so, fire away and see what happens. Do you want regional selectivity? This might "just work" as well with default routing behavior within SP. For example where all east cost PE's find the east cost CE default route as the lowest metric without any special configuration. Do you want load balancing, sending half of your sites to different locations? Or do you want one site primary and the other standby only? Unless you want it haphazard you will likely want to talk with your SP engineer to discuss the routing options. Cheers, Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org IMPORTANT NOTICE: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this message in error, you are hereby notified that we do not consent to any reading, dissemination, distribution or copying of this message. If you have received this communication in error, please notify the sender immediately and destroy the transmitted information. From cisco-nsp at slepicka.net Wed Jan 14 12:28:06 2009 From: cisco-nsp at slepicka.net (James Slepicka) Date: Wed, 14 Jan 2009 11:28:06 -0600 Subject: [c-nsp] GRE on Cat-4948 switch In-Reply-To: <496E0DA5.1020204@lumison.net> References: <496E0DA5.1020204@lumison.net> Message-ID: <496E20A6.9030501@slepicka.net> 4948 is essentially a fixed-config 4500 w/ SupV (400MHz processor). 
I don't have numbers on that, but I did ask Cisco about GRE performance on the Sup6-e (1.3GHz proc) and was told that it can do about 160k 64-byte packets/second. That's less than 100Mb, though I'm not sure how packet size impacts CPU utilization. Ian MacKinnon wrote: > Hi All, > > Does anybody have any idea the impact of running multiple GRE tunnels > on a 4948 switch? > > I can see that it will be processed by software rather than hardware, > but just how much of a problem is this likely to be? > > I am only talking about a max of 100M of GRE traffic, amongst a couple > of Gig of total traffic. > > thanks > > > -- > > This email and any files transmitted with it are confidential and > intended > solely for the use of the individual or entity to whom they are > addressed. > If you have received this email in error please notify the sender. Any > offers or quotation of service are subject to formal specification. > Errors and omissions excepted. Please note that any views or opinions > presented in this email are solely those of the author and do not > necessarily represent those of Lumison and nPlusOne. > Finally, the recipient should check this email and any attachments for > the > presence of viruses. Lumison and nPlusOne accept no liability for any > damage caused by any virus transmitted by this email. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From brhedlun at cisco.com Wed Jan 14 12:49:31 2009 From: brhedlun at cisco.com (Brad Hedlund) Date: Wed, 14 Jan 2009 11:49:31 -0600 Subject: [c-nsp] BGP default-originate route In-Reply-To: Message-ID: On 1/14/09 11:19 AM, "Scott Ingram" wrote: > I think to keep it simple > all I want is to do "one site primary and the other standby only". 
Scott,

I'm sure the SP guys will jump in at this point but that should be a fairly straightforward setup, where the standby site's PE is configured to crank up the metric for the default route from that location, such as padding ASN or manipulating MED, or any other BGP setting.

Cheers,
Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From good1 at live.com Wed Jan 14 12:56:37 2009
From: good1 at live.com (Andrew Jimmy)
Date: Wed, 14 Jan 2009 22:56:37 +0500
Subject: [c-nsp] AS53 Cards
Message-ID:

I'm interested in buying the following cards:

AS535-DFC-8CE1
AS5XM-VUFC-108NP

But supplier is quoting for instead:

AS54-DFC-8CE1 and AS54-DFC/VUFC-108NP

Is there any difference between the above mentioned cards?

From achatz at forthnet.gr Wed Jan 14 13:09:40 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 14 Jan 2009 20:09:40 +0200
Subject: [c-nsp] 7600 ES+ availability
Message-ID: <496E2A64.4050501@forthnet.gr>

Hi,

Does anyone have any news about 7600 ES+ cards availability and/or pricing scheme? I believe they are to come out end of January, but I haven't heard anything from our AM lately and I'm a little bit worried.

--
Tassos

From jlewis at lewis.org Wed Jan 14 13:41:26 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 14 Jan 2009 13:41:26 -0500 (EST)
Subject: [c-nsp] 3560 QoS/shaping
Message-ID:

I'm configuring my first 3560s, and am a little shocked to see that per-port output policing (via service-policy output ) as we've done for years on 3550s isn't permitted on the 3560. Trying it results in

police command is not supported for this interface
Configuration failed!
Warning: Assigning a policy map to the output side of an interface not supported

This is two completely separate errors...the first saying you can't police the output of a port, the second saying you can't even define an output service-policy for a port.
It appears the 3560-way to do this is to use srr-queue bandwidth shape on the interface, but the syntax for this command isn't nearly as flexible as being able to create a number of arbitrarily sized policing service policies, applying one to each policed port...and only allows shaping classified traffic by dscp marking it on input and then shaping it to port-rate/N where N is an integer from 0 to 65535. I suppose that's fine if I want to shape classified traffic to 1/2, 1/3, 1/4, etc. of the interface rate...but what if the interface rate is 100mbit/s and I want to shape a class of traffic on a particular port's egress to 60mbit/s? Is this possible on the 3560? ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From decklandv at gmail.com Wed Jan 14 14:02:13 2009 From: decklandv at gmail.com (Rado Vasilev) Date: Wed, 14 Jan 2009 19:02:13 +0000 Subject: [c-nsp] vrf source selection Message-ID: <0A8969BF-29ED-4361-897C-5486807EBCDF@gmail.com> Hi All, I'd appreciate your feedback on Cisco's vrf selection feature ( http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/vrfselec.html ). I'm planning to use it on 7609/Sup720-3B/PFC3 for diverting traffic over LDP LSP (MPLS L3 VPN) to wholesale ISP partners. I'm interested if anyone is using this feature in their production networks, are there any caveats for the feature/platform combination or any performance limitations. 
Many thanks, Radi From justin at justinshore.com Wed Jan 14 14:24:25 2009 From: justin at justinshore.com (Justin Shore) Date: Wed, 14 Jan 2009 13:24:25 -0600 Subject: [c-nsp] GRE on Cat-4948 switch In-Reply-To: <496E0DA5.1020204@lumison.net> References: <496E0DA5.1020204@lumison.net> Message-ID: <496E3BE9.7050709@justinshore.com> Ian MacKinnon wrote: > Hi All, > > Does anybody have any idea the impact of running multiple GRE tunnels on > a 4948 switch? > > I can see that it will be processed by software rather than hardware, > but just how much of a problem is this likely to be? > > I am only talking about a max of 100M of GRE traffic, amongst a couple > of Gig of total traffic. I think one of the actual cisco.com guys would have to speak up to answer this question properly with figures on CPU speed, processing times, etc. I would say with an off-the-cuff figure is that process switching 100M would swamp most CPUs that Cisco has on the market. I'm fairly confident that our Sup720-3BXLs wouldn't take kindly to it. The experts would probably have a better answer for you though. Justin From kevin at gannons.net Wed Jan 14 15:06:14 2009 From: kevin at gannons.net (kevin gannon) Date: Wed, 14 Jan 2009 20:06:14 +0000 Subject: [c-nsp] OSPF domain-id secondary ? Message-ID: <17eef0950901141206m6b900a92j5c818129c0c8f00d@mail.gmail.com> I noticed this option today but can not find a real life use for it ? Anyone using it and might shed some light ? regards Kevin From chris at chrisserafin.com Wed Jan 14 15:09:21 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Wed, 14 Jan 2009 14:09:21 -0600 Subject: [c-nsp] Sourcing TACACS and Syslog on PIX (6.x) to go over VPN Message-ID: <496E4671.4000300@chrisserafin.com> If I have a Tacacs and syslogs servers available via VPN and would like a remote PIX running 6.x code, how would I source the traffic? I see you can source the interface, but will this send it through the VPN or just send it out the inside interface? 
*tacacs-server (inside) host 171.68.118.101 cisco timeout 5 Thanks, Chris Serafin chris at chrisserafin.com * From sluggaro at gmail.com Wed Jan 14 15:58:17 2009 From: sluggaro at gmail.com (Adam g) Date: Wed, 14 Jan 2009 12:58:17 -0800 Subject: [c-nsp] Management Interface 2960 In-Reply-To: <64396C74FCE435468BE2AF5A73F9C2FD86988B@chmaexch.chelmer.co.nz> References: <8981cd330901131450v45adeeb9k6e47a70d5a04edb9@mail.gmail.com> <64396C74FCE435468BE2AF5A73F9C2FD86988B@chmaexch.chelmer.co.nz> Message-ID: <8981cd330901141258ma781601gdddff97947631245@mail.gmail.com> hmm. Then is there any purpose for having a loopback interface on a 2960? I am able to configure one, along with the default gateway. On Tue, Jan 13, 2009 at 4:33 PM, James Baker wrote: > Hi Adam > > Loopback is only available on Layer 3 devices. Refer: > > http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_a_loopb > ack_interface_in_Cisco_Catalyst_switch > > > James > > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam g > Sent: Wednesday, 14 January 2009 11:51 a.m. > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Management Interface 2960 > > Is there anyway to use a loopback interface as a management interface on > a > 2960? The option to create the loopback is there, but no management is > available when I try to telnet. I've never used a loopback on a pure > layer > 2 device before, just curious to see if it was possible. > > Thanks > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ---------- > > The information contained in this e-mail and any attachments is > confidential > and is intended for the attention and use of the named addressee(s) only. 
> Any views expressed in this message are those of the individual sender and > may not necessarily reflect the views of Chelmer Limited. > > > ##################################################################################### > This e-mail message has been scanned for Viruses and Content and cleared > by NetIQ MailMarshal > > ##################################################################################### > From pavel.skovajsa at gmail.com Wed Jan 14 16:34:28 2009 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Wed, 14 Jan 2009 22:34:28 +0100 Subject: [c-nsp] What to do with old Cisco kit Message-ID: <323aca890901141334s63c56ff3lbb491292b67eca87@mail.gmail.com> Hello all, Can you please recommend a process by which one should properly dispose old Cisco kit, preferably by selling to refurbishing vendors etc. South Africa or EMEA preffered. Regards, Pavel Skovajsa From nick.geyer at eds.com Wed Jan 14 16:59:47 2009 From: nick.geyer at eds.com (Geyer, Nick) Date: Thu, 15 Jan 2009 08:59:47 +1100 Subject: [c-nsp] GRE on Cat-4948 switch In-Reply-To: <496E0DA5.1020204@lumison.net> References: <496E0DA5.1020204@lumison.net> Message-ID: <83027F7A5EB4D6449A1393A94E4D41DA046A23CF@aubwm232.apac.corp.eds.com> I tried this once as a 'last shot' solution for a problem I was encountering, across gig network with sustained traffic rate over the tunnel of around 80Mbps. CPU instantly skyrocketed and the switch cried no more. The switch had very minimal other traffic (around 20Mbps) and very basic config, no ACL's and all static routing with a little bit of RIP. Based on that first hand experience, I would say that the impact will be a non functioning network and would highly recommend against doing it. Regards, Nick. 
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ian MacKinnon Sent: Thursday, 15 January 2009 3:07 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] GRE on Cat-4948 switch Hi All, Does anybody have any idea the impact of running multiple GRE tunnels on a 4948 switch? I can see that it will be processed by software rather than hardware, but just how much of a problem is this likely to be? I am only talking about a max of 100M of GRE traffic, amongst a couple of Gig of total traffic. thanks -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From david at hughes.com.au Wed Jan 14 18:23:46 2009 From: david at hughes.com.au (David Hughes) Date: Thu, 15 Jan 2009 09:23:46 +1000 Subject: [c-nsp] Max number of users on Aironet 1252AG In-Reply-To: <92875.3455.qm@web110106.mail.gq1.yahoo.com> References: <92875.3455.qm@web110106.mail.gq1.yahoo.com> Message-ID: <13BD9027-4B80-4802-9334-BA49D2720A41@hughes.com.au> On 12/01/2009, at 1:15 PM, Tony wrote: > A previous poster suggested 25-30 users per AP. A quick search > reveals quite a few credible sites with similar figures. 
I'm sure > you can do the math, that's quite a few AP's. Yup, 30 per 1200 class AP is a fair number. Thats the sort of density we work with for the AusNOG meeting network and it works out OK. And tech meetings like that are probably going to hit the wireless infrastructure harder than a generic "festival". David ... From alexmoya at bellsouth.net Wed Jan 14 18:27:25 2009 From: alexmoya at bellsouth.net (Alex Moya) Date: Wed, 14 Jan 2009 18:27:25 -0500 Subject: [c-nsp] Sourcing TACACS and Syslog on PIX (6.x) to go over VPN In-Reply-To: <496E4671.4000300@chrisserafin.com> References: <496E4671.4000300@chrisserafin.com> Message-ID: Make sure to source it from a ip addres that can send traffic over the VPN Sent from my iPhone On Jan 14, 2009, at 3:09 PM, ChrisSerafin wrote: > If I have a Tacacs and syslogs servers available via VPN and would > like a remote PIX running 6.x code, how would I source the traffic? > > I see you can source the interface, but will this send it through > the VPN or just send it out the inside interface? 
> > *tacacs-server (inside) host 171.68.118.101 cisco timeout 5 > > > Thanks, > Chris Serafin > chris at chrisserafin.com > * > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From amsoares at netcabo.pt Wed Jan 14 18:33:46 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Wed, 14 Jan 2009 23:33:46 -0000 Subject: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL In-Reply-To: <4502F03F8260234AB94179D6E1BDD0CF341FE43E87@VMBX113.ihostexchange.net> References: <4502F03F8260234AB94179D6E1BDD0CF341FE43B01@VMBX113.ihostexchange.net><496C7C92.3050808@imperial.ac.uk><4502F03F8260234AB94179D6E1BDD0CF341FE43C30@VMBX113.ihostexchange.net><20090114120904.GA97088@snar.spb.ru> <4502F03F8260234AB94179D6E1BDD0CF341FE43E87@VMBX113.ihostexchange.net> Message-ID: <6A0452755E7B4197A7293356A11059BC@int.convex.pt> Yes they work. You need to look under the 7600 IOS options. Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Manuel Mar?n Sent: quarta-feira, 14 de Janeiro de 2009 17:00 To: Alexandre Snarskii Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL Does the SRA IOS version works for the cisco 6513? 
Checking the cisco download section for the cisco 6513 it seems that only SXH, SXF and SXI are available for 6513 with WS-SUP720-3BXL

-----Original Message-----
From: Alexandre Snarskii [mailto:snar at snar.spb.ru]
Sent: Wednesday, January 14, 2009 5:09 AM
To: Manuel Marín
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL

On Tue, Jan 13, 2009 at 01:49:30PM -0500, Manuel Marín wrote:
> Hi Phil
>
> Attached are the SVI and interface configs
>
> #TRUNK TO CISCO 3750
> interface GigabitEthernet6/24
>  description "Barrancas"
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk native vlan 1000
>  mls qos vlan-based
>  no cdp enable
> end
>
> #SUBint configured for EoMPLS
> interface GigabitEthernet2/2.578
>  encapsulation dot1Q 578
>  xconnect 172.16.10.2 4505 encapsulation mpls
>  service-policy input 2Mbps
>  service-policy output 2Mbps
> end
> interface GigabitEthernet2/2.576
>  encapsulation dot1Q 576
>  xconnect 172.16.10.4 4501 encapsulation mpls
> end
>
> #SVIS (Most of them have a policer and an access-list attached)
>
> interface Vlan102
>  description "Victory Packaging [Voip]"
>  ip address 10.10.1.73 255.255.255.252
>  ip access-group Proteccion-VoipMngt out
>  service-policy input 2Mbps
>  service-policy output 2Mbps
> end
>
> Anyone else has experience running MUX-UNI with cisco 6500s or with a
> similar issue?

We're running MUX-UNI on 6509's since SRA1 IOS, now some of new installations running SXH3[a]. No issues like yours. Those new installations usually have 30-50 vc's configured...

PS: if MUX-UNI is required feature - you may try to downgrade to SRA7..
>
> Thanks
>
> -----Original Message-----
> From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
> Sent: Tuesday, January 13, 2009 4:36 AM
> To: Manuel Marín
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6513 SVI issues with SXH4 and SXI SUPs WS-SUP720-3BXL
>
> Manuel Marín wrote:
> > Hi,
> >
> > We are experiencing a weird issue with a Cisco 6513 with either the SXH or SXI software version. We have some SVI interfaces and a couple of 802.1Q trunk ports connected to other Cisco 3750s. Everything seems to be working, but suddenly we get the following error and all SVIs change to administratively down. We can't downgrade to SXF because we have to use the MUX-UNI feature in order to use sub-interfaces on a switch port.
> >
> > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action) -Traceback= 40F0CC34 40F6E3CC 40698CB4 40F6E7BC 40F87BF8 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08
> > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (!pm_vlan_port_forward_gbitlist_test(vd, pd->globalNumber): ../switch/pm/pm_vlan.c: 1372: pm_vlan_rem_port) -Traceback= 40F0CC34 40F63C18 40F87C18 40F84BE0 40F59780 40698CB4 40F5ECEC 40F436AC 41099040 40ACD52C 40AD41E8 413F3278 40AD33E4 40AD2C08 40ACF674 40AD0120
> > Jan 13 02:51:04.630 MST: %PM-SP-3-INTERNALERROR: Port Manager Internal Software Error (pm_vlan_port_forward_gbitlist_find_first(vd) == -1: ../switch/pm/pm_vlan_sm.c: 504: vlan_invalid_action)
>
> That's a traceback, so you want to open a TAC case.
>
> If you could show more config, i.e. of the gig ports as well, it might
> give a hint, but if I had to take a wild guess I'd say it's a bug in
> the MUX-UNI.
From td_miles at yahoo.com Wed Jan 14 18:59:31 2009
From: td_miles at yahoo.com (Tony)
Date: Wed, 14 Jan 2009 15:59:31 -0800 (PST)
Subject: [c-nsp] Sourcing TACACS and Syslog on PIX (6.x) to go over VPN
In-Reply-To: <496E4671.4000300@chrisserafin.com>
Message-ID: <423393.41392.qm@web110101.mail.gq1.yahoo.com>

--- On Thu, 15/1/09, ChrisSerafin wrote:
> From: ChrisSerafin
> Subject: [c-nsp] Sourcing TACACS and Syslog on PIX (6.x) to go over VPN
> To: cisco-nsp at puck.nether.net
> Date: Thursday, 15 January, 2009, 7:09 AM
> If I have TACACS and syslog servers available via VPN and
> would like a remote PIX running 6.x code, how would I source
> the traffic?

Lucky for you, Cisco has a document that tells you exactly how to set this up, with sample configs and everything:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

If you don't already know about the list of example configurations and guides, you can find them here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

They cover most of the things that ordinary people want to do and are usually fairly detailed with the explanation.

regards,
Tony.

From brad.henshaw at qcn.com.au Wed Jan 14 22:12:31 2009
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Thu, 15 Jan 2009 13:12:31 +1000
Subject: [c-nsp] 3560 QoS/shaping
Message-ID: <8B25B862BC09784B9B74FB950D4F64D406CC94@qcnapp01.corp.qcn>

Jon Lewis wrote:
> I'm configuring my first 3560s...
> you can't police the output of a port
> you can't even define an output service-policy for a port.

This is correct as far as I'm aware.

> It appears the 3560-way to do this is to use srr-queue bandwidth
> shape on the interface, but the syntax for this command isn't
> nearly as flexible...
> Is this possible on the 3560?

You can try the 'srr-queue bandwidth limit' to rate-limit traffic on egress, but this is only done at the port level for ALL traffic and has its own limitations as it's percentage-based.

The only option other than what you've suggested and the srr-queue bandwidth limit is to apply ingress policers on all of the relevant ports. You /might/ be able to get away with using an aggregate policer in this situation, but I have no idea whether this would be supported at ingress on the 3560.

You'd need a 3750ME for anything much more advanced -- and even then, this functionality is limited to two of the gig ports. I think the 3400ME's support egress policies, but they have their own limits and retardations in this respect.

Regards,
Brad

From mtinka at globaltransit.net Wed Jan 14 22:18:39 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 15 Jan 2009 11:18:39 +0800
Subject: [c-nsp] MPLS speakers behind unreliable link
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB6C2@xmb-ams-333.emea.cisco.com>
References: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com> <20fe625b0901131218y1cd19ad3x9ee5b7b5efe0d3c3@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB6C2@xmb-ams-333.emea.cisco.com>
Message-ID: <200901151118.44213.mtinka@globaltransit.net>

On Wednesday 14 January 2009 04:39:14 am Oliver Boehmer (oboehmer) wrote:

> http://tools.ietf.org/id/draft-swallow-mpls-aggregate-fec

Interesting.

Mark.
From jlewis at lewis.org Wed Jan 14 22:31:41 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 14 Jan 2009 22:31:41 -0500 (EST)
Subject: [c-nsp] 3560 QoS/shaping
In-Reply-To: <8B25B862BC09784B9B74FB950D4F64D406CC94@qcnapp01.corp.qcn>
References: <8B25B862BC09784B9B74FB950D4F64D406CC94@qcnapp01.corp.qcn>

On Thu, 15 Jan 2009, Brad Henshaw wrote:

>> you can't police the output of a port
>> you can't even define an output service-policy for a port.
>
> This is correct as far as I'm aware.

This is awfully disappointing considering the 3560 is supposed to be the successor to the 3550.

> You can try the 'srr-queue bandwidth limit' to rate-limit traffic on
> egress but this is only done at the port level for ALL traffic and has
> its own limitations as it's percentage-based.

In the general case for our usual usage of 3550s, that'll likely do. The deployment I'm getting ready for now is a bit of a special case, and rate-limiting all traffic on an egress port won't cut it.

> The only option other than what you've suggested and the srr-queue
> bandwidth limit is to apply ingress policers on all of the relevant
> ports. You /might/ be able to get away with using an aggregate policer
> in this situation but I have no idea whether this would be supported at
> ingress on the 3560.

That also won't work in this special case, as the rate-limiting/shaping is only to be done on a class of traffic, and only if that traffic has to egress through a particular port. Under normal conditions, the traffic won't need to be shaped. Only when the preferred path becomes unavailable will shaping on a backup path come into play.

> You'd need a 3750ME for anything much more advanced -- and even then,
> this functionality is limited to two of the gig ports. I think the
> 3400ME's support egress policies but they have their own limits and
> retardations in this respect.

The 6500 PFC3 can do policing on ingress/egress. Is there anything between the 6500 and 3550 that does?
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From ben.steele at internode.on.net Wed Jan 14 22:45:52 2009
From: ben.steele at internode.on.net (Ben Steele)
Date: Thu, 15 Jan 2009 14:15:52 +1030
Subject: [c-nsp] 3560 QoS/shaping
References: <8B25B862BC09784B9B74FB950D4F64D406CC94@qcnapp01.corp.qcn>
Message-ID: <009f01c976c3$c44fe380$4cefaa80$@steele@internode.on.net>

> The 6500 PFC3 can do policing on ingress/egress. Is there anything
> between the 6500 and 3550 that does?

4948 will.

From brad.henshaw at qcn.com.au Wed Jan 14 23:57:32 2009
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Thu, 15 Jan 2009 14:57:32 +1000
Subject: [c-nsp] 3560 QoS/shaping
Message-ID: <8B25B862BC09784B9B74FB950D4F64D406CC98@qcnapp01.corp.qcn>

Jon Lewis wrote:
> That also won't work in this special case, as the
> rate-limiting/shaping is only to be done on a class of traffic,
> and only if that traffic has to egress through a particular
> port. Under normal conditions, the traffic won't need to be
> shaped.

In that case I think you're boned. Can you kludge up a dedicated interface for this traffic (in this scenario) to egress?

> > You'd need a 3750ME for anything much more advanced -- and even then,
> > this functionality is limited to two of the gig ports. I think the
> > 3400ME's support egress policies but they have their own limits and
> > retardations in this respect.

> The 6500 PFC3 can do policing on ingress/egress. Is there anything
> between the 6500 and 3550 that does?

Only the 3750ME (on ES ports) at any decent granularity that I'm aware of - others on the list might have more to add.

From memory the 4948 can do rate-based shaping of its egress queues, but that would likely require messing with DSCP markings and DSCP-queue maps.
Regards,
Brad

From yanf787 at yahoo.com Thu Jan 15 00:02:11 2009
From: yanf787 at yahoo.com (Yan Filyurin)
Date: Wed, 14 Jan 2009 21:02:11 -0800 (PST)
Subject: [c-nsp] 3560 QoS/shaping
Message-ID: <481650.81069.qm@web54003.mail.re2.yahoo.com>

Not that I am mentioning anything that hasn't been discovered, but here are two great articles about it:

http://blog.internetworkexpert.com/2008/02/23/catalyst-qos-3550-explained/#more-81
http://blog.internetworkexpert.com/tag/3550/

Neither one of them answers your question, but I think with the 3560 (and 3750 non-uplink ports have the same capability) you might not police, but you can easily direct any packet marking into any of the four queues, and through shaping you can control it. In other words, you get very similar capabilities to class-based queuing. In other words, could you configure one shaped queue and then put all the packets there based on CoS or DSCP, and then even define thresholds for different traffic? And you can also allocate buffers for various queues.

Another alternative to ingress policing is storm control.

Yan

________________________________
From: Brad Henshaw
To: Jon Lewis ; cisco-nsp at puck.nether.net
Sent: Wednesday, January 14, 2009 10:12:31 PM
Subject: Re: [c-nsp] 3560 QoS/shaping

Jon Lewis wrote:
> I'm configuring my first 3560s...
> you can't police the output of a port
> you can't even define an output service-policy for a port.

This is correct as far as I'm aware.

> It appears the 3560-way to do this is to use srr-queue bandwidth
> shape on the interface, but the syntax for this command isn't
> nearly as flexible...
> Is this possible on the 3560?

You can try the 'srr-queue bandwidth limit' to rate-limit traffic on egress, but this is only done at the port level for ALL traffic and has its own limitations as it's percentage-based.

The only option other than what you've suggested and the srr-queue bandwidth limit is to apply ingress policers on all of the relevant ports.
You /might/ be able to get away with using an aggregate policer in this situation, but I have no idea whether this would be supported at ingress on the 3560.

You'd need a 3750ME for anything much more advanced -- and even then, this functionality is limited to two of the gig ports. I think the 3400ME's support egress policies, but they have their own limits and retardations in this respect.

Regards,
Brad

From yanf787 at yahoo.com Thu Jan 15 00:05:04 2009
From: yanf787 at yahoo.com (Yan Filyurin)
Date: Wed, 14 Jan 2009 21:05:04 -0800 (PST)
Subject: [c-nsp] 3560 QoS/shaping
References: <8B25B862BC09784B9B74FB950D4F64D406CC98@qcnapp01.corp.qcn>
Message-ID: <399746.69457.qm@web54002.mail.re2.yahoo.com>

What's the difference between the normal and the special condition? As in, are you able to do something with it, where it could go either to a shaped queue or a shared queue based on its DSCP, for example?

________________________________
From: Brad Henshaw
To: Jon Lewis
Cc: cisco-nsp at puck.nether.net
Sent: Wednesday, January 14, 2009 11:57:32 PM
Subject: Re: [c-nsp] 3560 QoS/shaping

Jon Lewis wrote:
> That also won't work in this special case, as the
> rate-limiting/shaping is only to be done on a class of traffic,
> and only if that traffic has to egress through a particular
> port. Under normal conditions, the traffic won't need to be
> shaped.

In that case I think you're boned. Can you kludge up a dedicated interface for this traffic (in this scenario) to egress?

> > You'd need a 3750ME for anything much more advanced -- and even then,
> > this functionality is limited to two of the gig ports. I think the
> > 3400ME's support egress policies but they have their own limits and
> > retardations in this respect.

> The 6500 PFC3 can do policing on ingress/egress.
> Is there anything
> between the 6500 and 3550 that does?

Only the 3750ME (on ES ports) at any decent granularity that I'm aware of - others on the list might have more to add.

From memory the 4948 can do rate-based shaping of its egress queues, but that would likely require messing with DSCP markings and DSCP-queue maps.

Regards,
Brad

From Anton.Schweitzer at o2.com Thu Jan 15 03:07:48 2009
From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com)
Date: Thu, 15 Jan 2009 09:07:48 +0100
Subject: [c-nsp] X25 / PAD / Aux Port Problem

Hi,

we need to connect a cash box to a Cisco router. It seems there is a solution using the aux port of the router for this. I got a config for a router, but something seems missing or not correct.

We want to use service pad to-xot and pad from-xot.

The thing is that I'm a total X.25 idiot, so maybe somebody can tell me what's missing or wrong:

We used the blue console cable to connect the aux port to the cash box, which is a PC COM port.

> service pad to-xot
> service pad from-xot
> !
> !
> x29 profile pos 1:0 2:0 3:0 4:5 5:0 6:5 7:6 8:0 9:0 10:0 12:0 13:0 14:0 15:0 16:0 17:0 18:0 19:0 20:0 21:0 22:0
> !
> x25 route .*01.....$ substitute-source 4123 xot 192.168.1.1 xot-keepalive-period 20 xot-keepalive-tries 3 xot-source Loopback2
> x25 route 0232.*$ substitute-source 4125 xot 192.1.1.65 xot-keepalive-period 20 xot-keepalive-tries 3 xot-source Loopback2
> x25 host Kunde_A 12345678
> !
> line aux 0
>  session-timeout 1
>  no motd-banner
>  exec-timeout 0 0
>  no flush-at-activation
>  script startup clear
>  authorization exec aux
>  login authentication aux
>  modem Dialin
>  rotary 6
>  autocommand x28 profile pos noescape
>  transport input pad
>  transport output all
>  escape-character BREAK
>  stopbits 1

If somebody can explain how it should work at all, that would be a great HELP.

Cheers and Thx
Anton

Anton Schweitzer
Senior Specialist BS Projekt & Service Customer Design
o2 (Germany) GmbH & Co. OHG
Georg-Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobile +49(0)176-23407715
Fax +49(0)89-2442-4281
anton.schweitzer at o2.com

A contribution to environmental protection: not every e-mail has to be printed. http://www.o2engagiert-fuer-morgen.de

Telefónica o2 Germany GmbH & Co. OHG · Georg-Brauchle-Ring 23-25 · 80992 München · Germany · www.o2.com/de
VAT ID no. DE 811 889 638. Amtsgericht München HRA 70343. Partners: Telefónica o2 Germany Management GmbH, Amtsgericht München HRB 109061, and Telefónica o2 Germany Verwaltungs GmbH, Amtsgericht München HRB 121389, both registered there. Managing directors of both partners: Jaime Smith Basterra (Chairman), Antonio Botas Banuelos, Andrea Folgueiras, André Krause, Lutz Schüler, Carsten Wreth.
From mleber at he.net Thu Jan 15 03:22:45 2009
From: mleber at he.net (Mike Leber)
Date: Thu, 15 Jan 2009 00:22:45 -0800
Subject: [c-nsp] IPv6 redistribute bgp into ospf
In-Reply-To: <5a9bb9700901140904l456e32e7p81cf8cb68b2144fe@mail.gmail.com>
References: <5a9bb9700901140904l456e32e7p81cf8cb68b2144fe@mail.gmail.com>
Message-ID: <496EF255.1070801@he.net>

Hi Tobias,

Not that the load of redistribution with IPv6 would be much, due to the table size of IPv6; however, I'd generally recommend a design that avoids the need to redistribute BGP tables into other routing protocols (also, especially avoid redistributing any other routing protocols into BGP).

Alternative #1: Typically router0 in your scenario would be a non-BGP-speaking customer aggregation router that either can't run BGP or that you don't want to run BGP. I'd suggest having router1 inject a default (default-originate) into OSPF and then have router0 use that instead for reaching the Internet at large as well as any routes carried in BGP and not OSPF. This would eliminate the need to redistribute BGP into OSPF.

Alternative #2: If the /48 route is not meant to be announced to the Internet at large (and is either on an interface or statically routed), then I'd suggest carrying it in OSPF on all three routers and not in BGP.

Alternative #3: I'd suggest running BGP on all three routers (probably not applicable to your situation).

Mike.

Tobias König wrote:
> Hi there
>
> I ran into a problem when trying to redistribute a BGP IPv6 route into OSPF.
>
> The scenario looks like the following:
>
> router0 <-- ospf (10:10:10::4/126) --> router1 <-- bgp (10:10:10::/126) --> router2
>
> Router2 advertises an IPv6 prefix (20:20:20::/48) via iBGP to router1; this part works flawlessly.
> Router1 should then redistribute that route into its OSPF process and advertise it to router0, which unfortunately it doesn't.
> (When redistributing a static route on router1 into OSPF, router0 sees that prefix.)
>
> Maybe one of you has any idea of what could be wrong or can provide a hint on where to find detailed info.
>
> You can find the according configs at the bottom. The config was tested with the following platforms and IOS -> always the same result:
> c2800nm-advipservicesk9-mz.124-19
> c3640-js-mz.124-23.bin
> c3640-ik9s-mz.124-19.bin
>
> Thanks in advance for any inputs.
>
> Cheers
>
> Tobias
>
>
> ---- sh ipv6 route
> R0#sh ipv6 route
> C   10:10:10::4/126 [0/0]
>      via ::, FastEthernet0/0
>
> R1#sh ipv6 route
> C   10:10:10::/126 [0/0]
>      via ::, FastEthernet1/0
> C   10:10:10::4/126 [0/0]
>      via ::, FastEthernet0/0
> B   20:20:20::/48 [200/0]
>      via 10:10:10::2
>
> R2#sh ipv6 route
> B   ::/0 [200/0]
>      via 10:10:10::1
> C   10:10:10::/126 [0/0]
>      via ::, FastEthernet0/0
> S   20:20:20::/48 [1/0]
>      via ::, Null0
>
> Config:
> =====
> router0:
> ----
> interface FastEthernet0/0
>  ipv6 address 10:10:10::5/126
>  ipv6 enable
>  ipv6 ospf 1 area 0
>
> ipv6 router ospf 1
>  router-id 10.10.10.0
>  log-adjacency-changes
>  passive-interface default
>  no passive-interface FastEthernet0/0
> ----
>
> router1:
> ----
> interface FastEthernet0/0
>  ipv6 address 10:10:10::6/126
>  ipv6 enable
>  ipv6 ospf 1 area 0
> !
> interface FastEthernet1/0
>  ipv6 address 10:10:10::1/126
>  ipv6 enable
> !
> router bgp 10
>  bgp router-id 10.10.10.1
>  bgp log-neighbor-changes
>  neighbor 10:10:10::2 remote-as 10
>  neighbor 10:10:10::2 version 4
>  !
>  address-family ipv4
>   no neighbor 10:10:10::2 activate
>   no auto-summary
>   no synchronization
>  exit-address-family
>  !
>  address-family ipv6
>   neighbor 10:10:10::2 activate
>   neighbor 10:10:10::2 send-community
>   neighbor 10:10:10::2 default-originate
>   neighbor 10:10:10::2 soft-reconfiguration inbound
>   no synchronization
>  exit-address-family
>
> ipv6 router ospf 1
>  router-id 10.10.10.1
>  log-adjacency-changes
>  passive-interface default
>  no passive-interface FastEthernet0/0
>  redistribute bgp 10
> ----
>
> router2:
> ----
> interface FastEthernet0/0
>  ipv6 address 10:10:10::2/126
>  ipv6 enable
> !
> router bgp 10
>  bgp router-id 10.10.10.2
>  bgp log-neighbor-changes
>  neighbor 10:10:10::1 remote-as 10
>  neighbor 10:10:10::1 version 4
>  !
>  address-family ipv4
>   no neighbor 10:10:10::1 activate
>   no auto-summary
>   no synchronization
>  exit-address-family
>  !
>  address-family ipv6
>   neighbor 10:10:10::1 activate
>   neighbor 10:10:10::1 send-community
>   neighbor 10:10:10::1 soft-reconfiguration inbound
>   network 20:20:20::/48
>  exit-address-family
> !
> ipv6 route 20:20:20::/48 Null0
> ----

--
+---------------- H U R R I C A N E - E L E C T R I C ----------------+
| Mike Leber            Wholesale IPv4 and IPv6 Transit   510 580 4100 |
| Hurricane Electric                                            AS6939 |
| mleber at he.net     Internet Backbone & Colocation    http://he.net |
+---------------------------------------------------------------------+

From ian.mackinnon at lumison.net Thu Jan 15 03:53:56 2009
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Thu, 15 Jan 2009 08:53:56 +0000
Subject: [c-nsp] GRE on Cat-4948 switch
In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA046A23CF@aubwm232.apac.corp.eds.com>
References: <496E0DA5.1020204@lumison.net> <83027F7A5EB4D6449A1393A94E4D41DA046A23CF@aubwm232.apac.corp.eds.com>
Message-ID: <496EF9A4.2040208@lumison.net>

thanks everybody, good information.
Ian

On 14/01/2009 21:59, Geyer, Nick wrote:
> I tried this once as a 'last shot' solution for a problem I was
> encountering, across a gig network with a sustained traffic rate over the
> tunnel of around 80Mbps. CPU instantly skyrocketed and the switch cried
> no more. The switch had very minimal other traffic (around 20Mbps) and
> very basic config, no ACLs and all static routing with a little bit of
> RIP.
>
> Based on that first-hand experience, I would say that the impact will be
> a non-functioning network and would highly recommend against doing it.
>
> Regards,
>
> Nick.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ian MacKinnon
> Sent: Thursday, 15 January 2009 3:07 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] GRE on Cat-4948 switch
>
> Hi All,
>
> Does anybody have any idea of the impact of running multiple GRE tunnels on
> a 4948 switch?
>
> I can see that it will be processed by software rather than hardware,
> but just how much of a problem is this likely to be?
>
> I am only talking about a max of 100M of GRE traffic, amongst a couple
> of Gig of total traffic.
>
> thanks
>
>
> --
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender. Any
> offers or quotation of service are subject to formal specification.
> Errors and omissions excepted. Please note that any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Lumison and nPlusOne.
> Finally, the recipient should check this email and any attachments for the
> presence of viruses. Lumison and nPlusOne accept no liability for any
> damage caused by any virus transmitted by this email.
From mtinka at globaltransit.net Thu Jan 15 03:54:18 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 15 Jan 2009 16:54:18 +0800
Subject: [c-nsp] IPv6 redistribute bgp into ospf
In-Reply-To: <496EF255.1070801@he.net>
References: <5a9bb9700901140904l456e32e7p81cf8cb68b2144fe@mail.gmail.com> <496EF255.1070801@he.net>
Message-ID: <200901151654.25078.mtinka@globaltransit.net>

On Thursday 15 January 2009 04:22:45 pm Mike Leber wrote:

> Not that the load of redistribution with IPv6 would be
> much due to the table size of IPv6, however I'd generally
> recommend a design that avoids the need to redistribute
> BGP tables into other routing protocols (also especially
> avoid redistributing any other routing protocols into
> BGP).

Agree. Don't redistribute between routing protocols if you can avoid it (at least where the global routing table is concerned).

Mark.
From maillist at thelan.no Thu Jan 15 03:05:46 2009
From: maillist at thelan.no (Harald Firing Karlsen)
Date: Thu, 15 Jan 2009 09:05:46 +0100
Subject: [c-nsp] GRE on Cat-4948 switch
In-Reply-To: <496E3BE9.7050709@justinshore.com>
References: <496E0DA5.1020204@lumison.net> <496E3BE9.7050709@justinshore.com>
Message-ID: <496EEE5A.9040909@thelan.no>

Justin Shore wrote:
> Ian MacKinnon wrote:
>> Hi All,
>>
>> Does anybody have any idea of the impact of running multiple GRE tunnels
>> on a 4948 switch?
>>
>> I can see that it will be processed by software rather than hardware,
>> but just how much of a problem is this likely to be?
>>
>> I am only talking about a max of 100M of GRE traffic, amongst a
>> couple of Gig of total traffic.

That's impossible to say without knowing what kind of traffic. If it's a lot of small packets you will get a high PPS and thus a high overhead, which causes high CPU load. The 4948 might be able to do 100Mbit of GRE traffic under ideal conditions (only 1500B+ packets, etc.), but without knowing/controlling the traffic 100% it is very risky.

> I think one of the actual cisco.com guys would have to speak up to
> answer this question properly with figures on CPU speed, processing
> times, etc. I would say, as an off-the-cuff figure, that process
> switching 100M would swamp most CPUs that Cisco has on the market.
> I'm fairly confident that our Sup720-3BXLs wouldn't take kindly to
> it. The experts would probably have a better answer for you though.

Well, the SUP720-3BXL does GRE in hardware, so pushing 100Mbit+ on a SUP720-3BXL shouldn't be a problem.
--
Harald Firing Karlsen

From toebivankenoebi at gmail.com Thu Jan 15 04:30:33 2009
From: toebivankenoebi at gmail.com (Tobias König)
Date: Thu, 15 Jan 2009 10:30:33 +0100
Subject: [c-nsp] IPv6 redistribute bgp into ospf
In-Reply-To: <200901151654.25078.mtinka@globaltransit.net>
References: <5a9bb9700901140904l456e32e7p81cf8cb68b2144fe@mail.gmail.com> <496EF255.1070801@he.net> <200901151654.25078.mtinka@globaltransit.net>
Message-ID: <5a9bb9700901150130g74d40673x1ca36c6b441da430@mail.gmail.com>

Thanks a lot for your answers so far.

I'm aware that redistribution should be avoided in general if possible. Unfortunately I need the setup to be exactly as described in my first post (at least for now). We're trying to change the setup so that we don't have to deal with redistribution at all, but even if we're able to accomplish this in the near future, I'm keen on finding out why the described setup doesn't work that way.

Cheers
Tobias

From lukasz at bromirski.net Thu Jan 15 04:59:47 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 15 Jan 2009 10:59:47 +0100
Subject: [c-nsp] GRE on Cat-4948 switch
In-Reply-To: <496E0DA5.1020204@lumison.net>
References: <496E0DA5.1020204@lumison.net>
Message-ID: <496F0913.90801@bromirski.net>

On 2009-01-14 17:07, Ian MacKinnon wrote:
> Hi All,
>
> Does anybody have any idea of the impact of running multiple GRE tunnels on
> a 4948 switch

It is supported, but the routing is in software. On a platform architected to forward traffic in hardware, doing software switching is a bad thing to do.

> I can see that it will be processed by software rather than hardware,
> but just how much of a problem is this likely to be?

Routing through the CPU on a 4948 gives about 30kpps with 100% CPU load.
--
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From shariq.qam at gmail.com Thu Jan 15 06:07:32 2009
From: shariq.qam at gmail.com (shariq qamar)
Date: Thu, 15 Jan 2009 16:37:32 +0530
Subject: [c-nsp] backup server required for ISP .
Message-ID: <171b010e0901150307s3e042003yf84ac318cca12de3@mail.gmail.com>

Hi guys,

Kindly suggest the best backup server used in a BIG ISP environment for equipment configuration backup and command execution across the network in one go.

It should also support the vendors Juniper as well as Cisco.

The server should handle more than 2000 network routers.

--
Regards,
Shariq Qamar,
Mob-9871748456

From erik at infopact.nl Thu Jan 15 06:13:54 2009
From: erik at infopact.nl (E. Versaevel)
Date: Thu, 15 Jan 2009 12:13:54 +0100
Subject: [c-nsp] backup server required for ISP .
In-Reply-To: <171b010e0901150307s3e042003yf84ac318cca12de3@mail.gmail.com>
References: <171b010e0901150307s3e042003yf84ac318cca12de3@mail.gmail.com>
Message-ID: <496F1A72.8050008@infopact.nl>

I'm facing something similar; for backup of Internet-connected equipment we use an in-house built Perl script which saves the output of show running-config/show startup-config.

The challenge is config backup for devices inside a VRF :)

Erik Versaevel

From achatz at forthnet.gr Thu Jan 15 06:34:07 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 15 Jan 2009 13:34:07 +0200
Subject: [c-nsp] backup server required for ISP .
In-Reply-To: <171b010e0901150307s3e042003yf84ac318cca12de3@mail.gmail.com>
References: <171b010e0901150307s3e042003yf84ac318cca12de3@mail.gmail.com>
Message-ID: <496F1F2F.8020308@forthnet.gr>

rancid should be the best for free (which includes clogin)

http://www.shrubbery.net/rancid/
http://www.shrubbery.net/rancid/man/elogin.1.html

--
Tassos

shariq qamar wrote on 15/01/2009 13:07:
> Hi guys,
>
> Kindly suggest the best backup server used in a BIG ISP environment for
> equipment configuration backup and command execution across the network in one go.
>
> It should also support the vendors Juniper as well as Cisco.
>
> The server should handle more than 2000 network routers.
>

From willay at gmail.com Thu Jan 15 07:25:18 2009
From: willay at gmail.com (William)
Date: Thu, 15 Jan 2009 12:25:18 +0000
Subject: [c-nsp] Per packet load balancing with low latency applications

Hello list,

I've been looking at using per-packet load balancing with a couple of serial links to use with a low-latency market data application; in all the Cisco docs they seem to mention how VoIP/video applications may chuck their dummy out with packets arriving out of sequence. My question is: what would cause the packets to arrive out of sequence? And has anyone been in my position before? What was the outcome?

Per-packet is going to be used because there will only be one machine on each end of the link talking to each other.

Any more information/real-life experiences on the matter are welcome.

Thanks for your time.
W

From jzp-cnsp at rsuc.gweep.net Thu Jan 15 07:33:05 2009
From: jzp-cnsp at rsuc.gweep.net (Joe Provo)
Date: Thu, 15 Jan 2009 07:33:05 -0500
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To:
References:
Message-ID: <20090115123305.GA93892@gweep.net>

On Thu, Jan 15, 2009 at 12:25:18PM +0000, William wrote:
> Hello list,
>
> I've been looking at using per packet load balancing with a couple of
> serial links to use with a low latency market data application, in all
> the cisco docs they seem to mention how VoIP/Video applications may
> chuck their dummy out with packets arriving out of sequence. My
> question is what would cause the packets to arrive out of sequence?
> And has anyone been in my position before? what was the outcome?

If these are wide-area links, latency can vary due to grooming or other re-provisioning. If they are protected links, expect at some point during their life to switch independently and wind up with differing latencies.

> Per packet is going to be used because there will only be one machine
> on each end of the link talking to each other.

Look at link-layer aggregation methods (mlpp for ptp, LAG for ether, etc) or getting a bigger pipe instead. Simple is good.

> Any more information/real life experiences on the matter are welcome.

In my experience, per-packet always kills goodput.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From mt at vol.cz Thu Jan 15 07:13:53 2009
From: mt at vol.cz (Marek Tyban)
Date: Thu, 15 Jan 2009 13:13:53 +0100 (CET)
Subject: [c-nsp] backup server required for ISP .
In-Reply-To: <496F1A72.8050008@infopact.nl>
References: <171b010e0901150307s3e042003yf84ac318cca12de3@mail.gmail.com> <496F1A72.8050008@infopact.nl>
Message-ID: <20090115124747.E54757@k3.vol.cz>

On Thu, 15 Jan 2009, E. Versaevel wrote:
> I'm facing something similar, for backup of internet connected equipment
> we use an in-house built perl script which saves the output of show
> running-config/show startup-config. Challenge is config backup for
> devices inside a VRF :)

you should have something like a management VRF for access to devices inside a VRF (?).

Marek

> Erik Versaevel
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From drew.weaver at thenap.com Thu Jan 15 08:38:13 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 15 Jan 2009 08:38:13 -0500
Subject: [c-nsp] Fabric Enabled Vs. Non-Fabric Enabled.
Message-ID:

Hello all,

I have a couple of 6513s in my lab with WS-X6348-RJ-45; this is not a fabric enabled card. I have read that the older non-fabric enabled cards suffer from issues with input/output buffer overflow which leads to queue drops and packet loss, etc.

My question is, how do you know if the fabric enabled/non fabric enabled (and thus the 128k packet buffer memory on the WS-X6348-RJ-45) is causing the IQD and OQD counters to go up on show int sum and not another problem like a counter bug? And are there ever any other types of things that you've seen which can cause that counter to increment besides packet loss? Such as BPDUFILTER, etc?

I know this discussion has been beaten to death but I can't really find any actual concrete evidence that says that the reason for those counters incrementing is because of the packet buffer size on the cards. I have no problem upgrading the cards, but I need to make sure that the issues I am seeing when pushing test traffic will be diminished by upgrading.

I am running Version 12.2(18)SXD7b and the show platform capacity command is apparently not included in this release.
Thanks,
-Drew

From James.Munroe at gnb.ca Thu Jan 15 08:12:07 2009
From: James.Munroe at gnb.ca (Munroe, James (DSS/MAS))
Date: Thu, 15 Jan 2009 09:12:07 -0400
Subject: [c-nsp] ME3400 & IPv6
In-Reply-To: <6bb5f5b10901121527m5c302dc4i905d861998dbcc91@mail.gmail.com>
References: <1231768305.23873.11.camel@lanternes.corp.alionis.net> <458B3EC21E4A3044998E917199AACB2FE12B42@GNBEX02.gnb.ca> <1231787961.23873.37.camel@lanternes.corp.alionis.net> <6bb5f5b10901121527m5c302dc4i905d861998dbcc91@mail.gmail.com>
Message-ID: <458B3EC21E4A3044998E917199AACB2FE12B5E@GNBEX02.gnb.ca>

Here is what I got from Cisco:

Yes, IPv6 will be enabled in hardware and is supported on both the ME-3400E and ME-3400. Will support RIP for IPv6 (RIPng), IPv6 ACL, DHCPv6 Individual Address Assignment, IPv6 Neighbor Discovery (RFC 2461), IPv6 CEFv6 Switching (RFC2460, RFC2461), IPv6 Routing-Unicast Routing: (RFC2460), IPv6 Routing: OSPF for IPv6 (OSPFv3) RFC2740, IPv6 Static Routing, IPv6 Routing and Management, IPv6 RIPing, IPv6 OSPF, IPv6 Unicast/CLI show/debug, IPv6 EIGRP, Stateless Auto Config - part of Neighbor Discovery, Default Router Preference, IPv6 HOST functions - Part of the IPv6 Routing.

Unfortunately I need VRF-Lite support with IPv6 which is not in this release :-(

Hope this helps...

Jim

-----Original Message-----
From: Rubens Kuhl Jr. [mailto:rubensk at gmail.com]
Sent: Monday, January 12, 2009 7:27 PM
To: Clement Cavadore
Cc: Munroe, James (DSS/MAS); cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ME3400 & IPv6

Could it be IPv6 control-plane support but not forwarding support? As for IPv6 on the ME-3400, I wonder if it will be hardware (Mpps) or software (kpps) support... ME-3400E most likely has IPv6 hardware forwarding, but as for the ME-3400, it might not.

Rubens

On Mon, Jan 12, 2009 at 5:19 PM, Clement Cavadore wrote:
> Hi,
>
> On Mon, 2009-01-12 at 13:28 -0400, Munroe, James (DSS/MAS) wrote:
>> 12.2(50)SE will have IPv6 support for the ME-3400/3400E series.
>
> And what about 12.2(25), which actually has IPv6 commands?
> Is that a "partial" support? Or am I missing something?
>
> Btw, this is good news for 12.2(50)SE :)
>
> Clément
>

From brhedlun at cisco.com Thu Jan 15 10:09:54 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Thu, 15 Jan 2009 09:09:54 -0600
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To:
Message-ID:

On 1/15/09 6:25 AM, "William" wrote:
> My
> question is what would cause the packets to arrive out of sequence?

Path #1 might have a little more congestion than Path #2, which would cause Packet #1 sent down Path #1 to sit in a buffer an extra millisecond or two longer than Packet #2 sent down Path #2 with no congestion. This results in Packet #2 arriving at the destination before Packet #1. The result of this is poor application performance.

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From willay at gmail.com Thu Jan 15 10:16:56 2009
From: willay at gmail.com (William)
Date: Thu, 15 Jan 2009 15:16:56 +0000
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To:
References:
Message-ID:

Hi Brad,

Thanks for your input.

Is there anything else I can use to achieve my goal? I'm pretty sure getting a bigger circuit will be a last resort.

Regards,

W

2009/1/15 Brad Hedlund :
> On 1/15/09 6:25 AM, "William" wrote:
>
>> My
>> question is what would cause the packets to arrive out of sequence?
>
> Path #1 might have a little more congestion than Path #2, which would cause
> Packet #1 sent down Path #1 to sit in a buffer an extra millisecond or two
> than Packet #2 sent down Path #2 with no congestion. This results in Packet
> #2 arriving at the destination before Packet #1.
> The result of this being
> poor application performance.
>
> Cheers,
>
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
>

From tvarriale at comcast.net Thu Jan 15 10:43:16 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 15 Jan 2009 09:43:16 -0600
Subject: [c-nsp] Per packet load balancing with low latency applications
References:
Message-ID: <913B8E300CD448C6BD800B84E5C38740@flamdt01>

Yes, age old question.

Use layer 2 technologies such as MLPPP. You can use layer 3 technologies but you expose yourself to it not working. I've seen it work and not work.

tv

----- Original Message -----
From: "William"
To:
Sent: Thursday, January 15, 2009 6:25 AM
Subject: [c-nsp] Per packet load balancing with low latency applications

> Hello list,
>
> I've been looking at using per packet load balancing with a couple of
> serial links to use with a low latency market data application, in all
> the cisco docs they seem to mention how VoIP/Video applications may
> chuck their dummy out with packets arriving out of sequence. My
> question is what would cause the packets to arrive out of sequence?
> And has anyone been in my position before? what was the outcome?
>
> Per packet is going to be used because there will only be one machine
> on each end of the link talking to each other.
>
> Any more information/real life experiences on the matter are welcome.
>
> Thanks for your time.
>
> W

From A.L.M.Buxey at lboro.ac.uk Thu Jan 15 11:13:08 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 15 Jan 2009 16:13:08 +0000
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To: <913B8E300CD448C6BD800B84E5C38740@flamdt01>
References: <913B8E300CD448C6BD800B84E5C38740@flamdt01>
Message-ID: <20090115161308.GC9810@lboro.ac.uk>

Hi,

> Yes, age old question.
>
> Use layer 2 technologies such as MLPPP.

yep - you can then choose the appropriate load balancing method so media streams for the same target go down the same pipe. missing packets are generally okay for most modern streaming systems...they ignore them..you might get a little glitch if you are unlucky....but packets arriving out of order? ouch.

alan

From willay at gmail.com Thu Jan 15 11:24:22 2009
From: willay at gmail.com (William)
Date: Thu, 15 Jan 2009 16:24:22 +0000
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To: <884322.76675.qm@web54007.mail.re2.yahoo.com>
References: <884322.76675.qm@web54007.mail.re2.yahoo.com>
Message-ID:

The application will be using TCP, time to look into MLPPP then!

2009/1/15 Yan Filyurin :
> Look for ways to aggregate multiple physical circuits into one logical that
> has a native way to load balance and still ensure that packets are not out
> of sequence like MLPPP or MLFR since they have their own sequencing that
> prevents out of order arrival, not to mention a bunch of things like
> fragmentation and interleaving that is great for voice. As far as market
> data application goes, is it by any chance multicast and UDP, which could
> potentially make it subject to the same constraints as voice.
> You could
> always do all kinds of things to influence various types of traffic going
> over just a single link with redundancy and all or just do per destination.
> I would vote for MLPPP.
>
> Like the previous email said, you can use L3 technologies such as tunneling
> with sequence datagrams, but all it will do is drop packets that are out of
> order, thus moving the problem further from the application, but still
> creating it. I've only read about it. I am sure everyone here will vote for
> MLPPP.
>
> Yan
>
> ________________________________
> From: William
> To: Brad Hedlund
> Cc: "cisco-nsp at puck.nether.net"
> Sent: Thursday, January 15, 2009 10:16:56 AM
> Subject: Re: [c-nsp] Per packet load balancing with low latency applications
>
> Hi Brad,
>
> Thanks for your input.
>
> Is there anything else I can use to achieve my goal? I'm pretty sure
> getting a bigger circuit will be a last resort.
>
> Regards,
>
> W
>
> 2009/1/15 Brad Hedlund :
>> On 1/15/09 6:25 AM, "William" wrote:
>>
>>> My
>>> question is what would cause the packets to arrive out of sequence?
>>
>> Path #1 might have a little more congestion than Path #2, which would
>> cause
>> Packet #1 sent down Path #1 to sit in a buffer an extra millisecond or two
>> than Packet #2 sent down Path #2 with no congestion. This results in
>> Packet
>> #2 arriving at the destination before Packet #1. The result of this being
>> poor application performance.
>>
>> Cheers,
>>
>> Brad Hedlund
>> bhedlund at cisco.com
>> http://www.internetworkexpert.org
>>
>>
>>
>

From willay at gmail.com Thu Jan 15 11:55:48 2009
From: willay at gmail.com (William)
Date: Thu, 15 Jan 2009 16:55:48 +0000
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To: <20090115161308.GC9810@lboro.ac.uk>
References: <913B8E300CD448C6BD800B84E5C38740@flamdt01> <20090115161308.GC9810@lboro.ac.uk>
Message-ID:

Can anyone point me to some decent documentation on setting up MLPPP with serial links? Google/Cisco.com is not liking my key words today.

Thanks for your time.

W

2009/1/15 :
> Hi,
>> Yes, age old question.
>>
>> Use layer 2 technologies such as MLPPP.
>
> yep - you can then choose the appropriate load balancing
> method so media streams for the same target go down the same pipe.
> missing packets are generally okay for most modern streaming
> systems...they ignore them..you might get a little glitch if you
> are unlucky....but packets arriving out of order? ouch.
>
> alan
>

From yanf787 at yahoo.com Thu Jan 15 11:08:01 2009
From: yanf787 at yahoo.com (Yan Filyurin)
Date: Thu, 15 Jan 2009 08:08:01 -0800 (PST)
Subject: [c-nsp] Per packet load balancing with low latency applications
References:
Message-ID: <884322.76675.qm@web54007.mail.re2.yahoo.com>

Look for ways to aggregate multiple physical circuits into one logical that has a native way to load balance and still ensure that packets are not out of sequence, like MLPPP or MLFR, since they have their own sequencing that prevents out of order arrival, not to mention a bunch of things like fragmentation and interleaving that is great for voice. As far as the market data application goes, is it by any chance multicast and UDP, which could potentially make it subject to the same constraints as voice? You could always do all kinds of things to influence various types of traffic going over just a single link with redundancy and all, or just do per destination. I would vote for MLPPP.

Like the previous email said, you can use L3 technologies such as tunneling with sequenced datagrams, but all it will do is drop packets that are out of order, thus moving the problem further from the application, but still creating it. I've only read about it. I am sure everyone here will vote for MLPPP.

Yan

________________________________
From: William
To: Brad Hedlund
Cc: "cisco-nsp at puck.nether.net"
Sent: Thursday, January 15, 2009 10:16:56 AM
Subject: Re: [c-nsp] Per packet load balancing with low latency applications

Hi Brad,

Thanks for your input.

Is there anything else I can use to achieve my goal? I'm pretty sure getting a bigger circuit will be a last resort.

Regards,

W

2009/1/15 Brad Hedlund :
> On 1/15/09 6:25 AM, "William" wrote:
>
>> My
>> question is what would cause the packets to arrive out of sequence?
>
> Path #1 might have a little more congestion than Path #2, which would cause
> Packet #1 sent down Path #1 to sit in a buffer an extra millisecond or two
> than Packet #2 sent down Path #2 with no congestion. This results in Packet
> #2 arriving at the destination before Packet #1. The result of this being
> poor application performance.
>
> Cheers,
>
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
>
>

From malitsky at netabn.com Thu Jan 15 12:20:48 2009
From: malitsky at netabn.com (Michael Malitsky)
Date: Thu, 15 Jan 2009 11:20:48 -0600
Subject: [c-nsp] Per packet load balancing with low latency
In-Reply-To:
References:
Message-ID: <79AF0C3901752A49881FE4CB31F7AA40012801D0@abn-borg2.NETABN.LOCAL>

Don't have a link handy, but here is a sample of the config we use. You can view status using

  show ppp multilink

interface Multilink1
 description Multiplexed Logical Connection to remote site
 ip address 1.1.1.1 255.255.255.0
 ip access-group inbound in
 ip access-group outbound out
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no peer neighbor-route
 fair-queue 1024 256 0
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1

interface Serial1/0/19:0
 description Connected to remote site (circuit 1)
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no fair-queue
 ppp multilink
 ppp multilink group 1

interface Serial1/0/21:0
 description Connected to remote site (circuit 2)
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no fair-queue
 ppp multilink
 ppp multilink group 1

Sincerely,
Michael Malitsky

> Message: 8
> Date: Thu, 15 Jan 2009 16:55:48 +0000
> From: William
> Subject: Re: [c-nsp] Per packet load balancing with low latency
> applications
> To: "cisco-nsp at puck.nether.net"
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Can anyone point me to some decent documentation on setting up MLPPP
> with serial links? Google/Cisco.com is not liking my key words today.
>
> Thanks for your time.
>
> W
>
> 2009/1/15 :
> > Hi,
> >> Yes, age old question.
> >>
> >> Use layer 2 technologies such as MLPPP.
> >
> > yep - you can then choose the appropriate load balancing
> > method so media streams for the same target go down the same pipe.
> > missing packets are generally okay for most modern streaming
> > systems...they ignore them..you might get a little glitch if you
> > are unlucky....but packets arriving out of order? ouch.
> >
> > alan
> >

From tvarriale at comcast.net Thu Jan 15 12:37:38 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 15 Jan 2009 11:37:38 -0600
Subject: [c-nsp] Per packet load balancing with low latency
References: <79AF0C3901752A49881FE4CB31F7AA40012801D0@abn-borg2.NETABN.LOCAL>
Message-ID:

William,

Note that some of those config items are optional. The base config from Michael would be:

> interface Multilink1
>  description Multiplexed Logical Connection to remote site
>  ip address 1.1.1.1 255.255.255.0
>  no ip redirects
>  no ip proxy-arp
>  ppp multilink
>  ppp multilink fragment disable
>  ppp multilink group 1
>
> interface Serial1/0/19:0
>  description Connected to remote site (circuit 1)
>  no ip address
>  no ip redirects
>  encapsulation ppp
>  ppp multilink
>  ppp multilink group 1

Be careful with URPF. You may not need to modify your queues...probably don't unless you understand it. And please, do not disable unreachables.

tv

----- Original Message -----
From: "Michael Malitsky"
To:
Sent: Thursday, January 15, 2009 11:20 AM
Subject: Re: [c-nsp] Per packet load balancing with low latency

> Don't have a link handy, but here is a sample of the config we use. You
> can view status using
>
> show ppp multilink
>
> interface Multilink1
>  description Multiplexed Logical Connection to remote site
>  ip address 1.1.1.1 255.255.255.0
>  ip access-group inbound in
>  ip access-group outbound out
>  ip verify unicast source reachable-via rx
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  no peer neighbor-route
>  fair-queue 1024 256 0
>  ppp multilink
>  ppp multilink fragment disable
>  ppp multilink group 1
>
> interface Serial1/0/19:0
>  description Connected to remote site (circuit 1)
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  encapsulation ppp
>  no fair-queue
>  ppp multilink
>  ppp multilink group 1
>
> interface Serial1/0/21:0
>  description Connected to remote site (circuit 2)
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  encapsulation ppp
>  no fair-queue
>  ppp multilink
>  ppp multilink group 1
>
> Sincerely,
> Michael Malitsky
>
>> Message: 8
>> Date: Thu, 15 Jan 2009 16:55:48 +0000
>> From: William
>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>> applications
>> To: "cisco-nsp at puck.nether.net"
>> Message-ID:
>>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Can anyone point me to some decent documentation on setting up MLPPP
>> with serial links? Google/Cisco.com is not liking my key words today.
>>
>> Thanks for your time.
>>
>> W
>>
>> 2009/1/15 :
>> > Hi,
>> >> Yes, age old question.
>> >>
>> >> Use layer 2 technologies such as MLPPP.
>> >
>> > yep - you can then choose the appropriate load balancing
>> > method so media streams for the same target go down the same pipe.
>> > missing packets are generally okay for most modern streaming
>> > systems...they ignore them..you might get a little glitch if you
>> > are unlucky....but packets arriving out of order? ouch.
>> >
>> > alan
>> >
>

From masood at nexlinx.net.pk Thu Jan 15 12:43:58 2009
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Thu, 15 Jan 2009 22:43:58 +0500
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To: <20090115123305.GA93892@gweep.net>
References: <20090115123305.GA93892@gweep.net>
Message-ID: <007f01c97738$de518c50$9af4a4f0$@net.pk>

Using CRTP along with MLPPP will have a positive impact on your voice and low latency issues.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Provo
Sent: Thursday, January 15, 2009 5:33 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Per packet load balancing with low latency applications

On Thu, Jan 15, 2009 at 12:25:18PM +0000, William wrote:
> Hello list,
>
> I've been looking at using per packet load balancing with a couple of
> serial links to use with a low latency market data application, in all
> the cisco docs they seem to mention how VoIP/Video applications may
> chuck their dummy out with packets arriving out of sequence. My
> question is what would cause the packets to arrive out of sequence?
> And has anyone been in my position before? what was the outcome?

If these are wide-area links, latency can vary due to grooming or other re-provisioning. If they are protected links, expect at some point during their life to switch independently and wind up with differing latencies.

> Per packet is going to be used because there will only be one machine
> on each end of the link talking to each other.

Look at link-layer aggregation methods (mlpp for ptp, LAG for ether, etc) or getting a bigger pipe instead. Simple is good.

> Any more information/real life experiences on the matter are welcome.

In my experience, per-packet always kills goodput.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From SIngram at clayton.com Thu Jan 15 13:15:53 2009
From: SIngram at clayton.com (Scott Ingram)
Date: Thu, 15 Jan 2009 13:15:53 -0500
Subject: [c-nsp] BGP default-originate route
References:
Message-ID:

Thanks....

Would anyone from the SP area like to add any comments?

________________________________
From: Brad Hedlund [mailto:brhedlun at cisco.com]
Sent: Wed 1/14/2009 12:49 PM
To: Scott Ingram; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP default-originate route

On 1/14/09 11:19 AM, "Scott Ingram" wrote:
> I think to keep it simple
> all I want is to do "one site primary and the other standby only".

Scott,

I'm sure the SP guys will jump in at this point but that should be a fairly straightforward setup, where the standby site's PE is configured to crank up the metric for the default route from that location, such as padding the ASN or manipulating MED, or any other BGP setting.

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

IMPORTANT NOTICE: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this message in error, you are hereby notified that we do not consent to any reading, dissemination, distribution or copying of this message. If you have received this communication in error, please notify the sender immediately and destroy the transmitted information.
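Brad's suggestion above (have the standby site's PE make its default route less attractive, for example by AS-path padding or a worse MED) can be checked against a model of the BGP decision process. The following is an added example written for this page, not Cisco code or anything from the thread: it walks the usual steps (weight, local preference, AS-path length, origin, MED, then the advertising router as a last tie-break) over two originated defaults, and shows that the standby default is only installed once the primary's disappears. It compares MED unconditionally, which real IOS does only between routes from the same neighbouring AS unless told otherwise; the AS numbers, router labels and MED values are constructed.

```python
"""Simplified BGP best-path choice between two originated default routes.

Teaching model written for this page (not Cisco code). It applies the
decision steps in order and compares MED unconditionally, a simplification
of the real rule. All AS numbers, router labels and MEDs are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}
STEPS = ("weight", "local_pref", "as_path_length", "origin", "med", "router_id")


@dataclass(frozen=True)
class Route:
    prefix: str
    router_id: str            # advertising router (constructed label)
    as_path: Tuple[int, ...]  # leftmost AS is the most recently traversed
    local_pref: int = 100
    med: int = 0
    origin: str = "igp"
    weight: int = 0


def sort_key(r: Route):
    # Higher wins for weight and local_pref (hence negated); lower wins for
    # AS-path length, origin rank, MED and, as the last resort, router id.
    return (-r.weight, -r.local_pref, len(r.as_path),
            ORIGIN_RANK[r.origin], r.med, r.router_id)


def best_path(candidates: Sequence[Route]) -> Optional[Route]:
    """Return the preferred route, or None when the prefix is unreachable."""
    return min(candidates, key=sort_key) if candidates else None


def decisive_step(a: Route, b: Route) -> str:
    """Name the first decision step at which a and b differ ('tie' if none)."""
    for name, x, y in zip(STEPS, sort_key(a), sort_key(b)):
        if x != y:
            return name
    return "tie"


# Constructed scenario: both sites originate 0.0.0.0/0 from AS 65001; the
# standby site prepends its own AS twice and also advertises a worse MED.
PRIMARY = Route("0.0.0.0/0", "pe-primary", as_path=(65001,), med=0)
STANDBY = Route("0.0.0.0/0", "pe-standby", as_path=(65001, 65001, 65001), med=50)


def choose_default(primary_up: bool) -> Optional[str]:
    """Which router's default is installed, given whether the primary is up."""
    table = [STANDBY] + ([PRIMARY] if primary_up else [])
    chosen = best_path(table)
    return chosen.router_id if chosen else None


if __name__ == "__main__":
    print("primary up   ->", choose_default(True),
          "decided by", decisive_step(PRIMARY, STANDBY))
    print("primary down ->", choose_default(False))
```

The point of `decisive_step` is operational: when both sites originate a default, you want to be able to say exactly which attribute is keeping the standby path out of the table, because a later local-preference or weight change anywhere upstream will override the prepend silently.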
From masood at nexlinx.net.pk Thu Jan 15 14:05:38 2009
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Fri, 16 Jan 2009 00:05:38 +0500
Subject: [c-nsp] BGP default-originate route
In-Reply-To:
References:
Message-ID: <00c301c97744$44295250$cc7bf6f0$@net.pk>

The default route is not announced to BGP neighbors, even if it's in the IP routing table and BGP table. This was true in old IOS releases; 12.4 and 12.2SRC announce a BGP default route like any other network. To announce a default route to a BGP neighbor, you can configure neighbor default-originate.

More information about the BGP default route by IVAN (truly geek)
http://wiki.nil.com/BGP_default_route

Regards,
Masood

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Ingram
Sent: Thursday, January 15, 2009 11:16 PM
To: Brad Hedlund; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP default-originate route

Thanks....

Would anyone from the SP area like to add any comments?

________________________________
From: Brad Hedlund [mailto:brhedlun at cisco.com]
Sent: Wed 1/14/2009 12:49 PM
To: Scott Ingram; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP default-originate route

On 1/14/09 11:19 AM, "Scott Ingram" wrote:
> I think to keep it simple
> all I want is to do "one site primary and the other standby only".

Scott,

I'm sure the SP guys will jump in at this point but that should be a fairly straightforward setup, where the standby site's PE is configured to crank up the metric for the default route from that location, such as padding the ASN or manipulating MED, or any other BGP setting.

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From SIngram at clayton.com Thu Jan 15 14:13:15 2009
From: SIngram at clayton.com (Scott Ingram)
Date: Thu, 15 Jan 2009 14:13:15 -0500
Subject: [c-nsp] BGP default-originate route
References: <00c301c97744$44295250$cc7bf6f0$@net.pk>
Message-ID:

Once I have in place my default-originate statement on my CE#1, can I then add the same default-originate to CE#2? I would like to do this for failover if the primary path changes.

Scott Ingram
Manager, IT Operations
Clayton
2 Corporate Drive
Shelton, CT 06484
work: 203.926.8148
cell: 203.258.2037
singram at clayton.com
www.clayton.com

________________________________
From: Masood Ahmad Shah [mailto:masood at nexlinx.net.pk]
Sent: Thu 1/15/2009 2:05 PM
To: Scott Ingram; 'Brad Hedlund'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] BGP default-originate route

The default route is not announced to BGP neighbors, even if it's in the IP routing table and BGP table. This was true in old IOS releases; 12.4 and 12.2SRC announce a BGP default route like any other network. To announce a default route to a BGP neighbor, you can configure neighbor default-originate.

More information about the BGP default route by IVAN (truly geek)
http://wiki.nil.com/BGP_default_route

Regards,
Masood

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Ingram
Sent: Thursday, January 15, 2009 11:16 PM
To: Brad Hedlund; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP default-originate route

Thanks....

Would anyone from the SP area like to add any comments?

________________________________
From: Brad Hedlund [mailto:brhedlun at cisco.com]
Sent: Wed 1/14/2009 12:49 PM
To: Scott Ingram; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP default-originate route

On 1/14/09 11:19 AM, "Scott Ingram" wrote:
> I think to keep it simple
> all I want is to do "one site primary and the other standby only".

Scott,

I'm sure the SP guys will jump in at this point but that should be a fairly straightforward setup, where the standby site's PE is configured to crank up the metric for the default route from that location, such as padding the ASN or manipulating MED, or any other BGP setting.

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From Jeff.Wojciechowski at midlandpaper.com Thu Jan 15 14:32:23 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Thu, 15 Jan 2009 13:32:23 -0600
Subject: [c-nsp] Per packet load balancing with low latency
Message-ID: <7C8983063EE93A4495960C5CD1EE039C19669D35@XBOX.midlandpaper.com>

Will,

We have 3xT1 set up with MLPPP with mixed voice and data going over the MLPPP link. We had some issues with uneven traffic distribution between 2 T1s on a vwic2fmt-t1 and a wic1DSUT1v2 for the 3rd causing jitter. Even though Cisco said that having different types of controllers shouldn't matter, when we replaced the wic with the vwic our jitter problems went away.

With that said I would recommend matching the controllers for each of the links.

Jeff Wojciechowski

________________________________
This electronic mail (including any attachments) may contain information that is privileged, confidential, or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic mail or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited.
If you have received this message in error, please delete the original message in its entirety (including any attachments) and notify us immediately by reply email so that we may correct our internal records. Midland Paper Company accepts no responsibility for any loss or damage from use of this electronic mail, including any damage resulting from a computer virus. From mauritz at three6five.com Thu Jan 15 14:40:21 2009 From: mauritz at three6five.com (Mauritz Lewies) Date: Thu, 15 Jan 2009 21:40:21 +0200 Subject: [c-nsp] Per packet load balancing with low latency applications In-Reply-To: <884322.76675.qm@web54007.mail.re2.yahoo.com> References: <884322.76675.qm@web54007.mail.re2.yahoo.com> Message-ID: <1232048421.7153.15.camel@mauritzlewies> Hi Out of personal experience MLPPP sounds great in theory and technically should be a viable solution. However, Cisco has never really been able to deliver a bug free MLPPP implementation... We have had situations of per-packet, moving to MLPPP, going back to per-session and eventually having to aggregate into larger single links. IOS has just never really worked with MLPPP and I strongly advise against. On Thu, 2009-01-15 at 08:08 -0800, Yan Filyurin wrote: > Look for ways to aggregate multiple physical circuits into one logical that has a native way to load balance and still insure that packets are not out of sequence like MLPPP or MLFR since they have their own sequencing that prevents out of order arrival, not to mention a bunch of things like fragmentation and interleaving that is great for voice. As far as market data application goes, is it by any chance multicast and UDP, which could potentially make it subject to the same constraints as voice. You could always do all kinds of things to influence various types of traffic going over just a single link with redundancy and all or just do per destination. I would vote for MLPPP. 
> > Like the previous email said, you can use L3 technologies such as tunneling with sequence datagrams, but all it will do is drop packets that are out of order, thus moving the problem further from the application, but still creating it. I've only read about it. I am sure everyone here will vote for MLPPP. > > Yan > > > > > ________________________________ > From: William > To: Brad Hedlund > Cc: "cisco-nsp at puck.nether.net" > Sent: Thursday, January 15, 2009 10:16:56 AM > Subject: Re: [c-nsp] Per packet load balancing with low latency applications > > Hi Brad, > > Thanks for your input. > > Is there anything else I can use to achieve my goal? I'm pretty sure > getting a bigger circuit will be a last resort. > > Regards, > > W > > 2009/1/15 Brad Hedlund : > > On 1/15/09 6:25 AM, "William" wrote: > > > >> My > >> question is what would cause the packets to arrive out of sequence? > > > > Path #1 might have a little more congestion than Path #2, which would cause > > Packet #1 sent down Path #1 to sit in a buffer an extra millisecond or two > > than Packet #2 sent down Path #2 with no congestion. This results in Packet > > #2 arriving at the destination before Packet #1. The result of this being > > poor application performance. 
> > > > Cheers, > > > > Brad Hedlund > > bhedlund at cisco.com > > http://www.internetworkexpert.org > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From malitsky at netabn.com Thu Jan 15 14:42:20 2009 From: malitsky at netabn.com (Michael Malitsky) Date: Thu, 15 Jan 2009 13:42:20 -0600 Subject: [c-nsp] Per packet load balancing with low latency In-Reply-To: References: Message-ID: <79AF0C3901752A49881FE4CB31F7AA400128021B@abn-borg2.NETABN.LOCAL> Tony, I'll agree with the comments on uRPF and queuing - you should know why you want these changes before making them. However, disabling IP Unreachables is now one of the baseline measures for infrastructure protection, and recommended as such by Cisco. I'll agree in advance that there may be situations where IP unreachables are desired, or situations where infrastructure protection is not important, but by and large disabling it seems to be a good step. If you disagree, I'd appreciate an explanation. Sincerely, Michael Malitsky > Message: 3 > Date: Thu, 15 Jan 2009 11:37:38 -0600 > From: "Tony Varriale" > Subject: Re: [c-nsp] Per packet load balancing with low latency > To: > Message-ID: > Content-Type: text/plain; format=flowed; charset="iso-8859-1"; > reply-type=original > > William, > > Note that some of those config items are optional. 
> The base config from Michael would be:
>
> > interface Multilink1
> >  description Multiplexed Logical Connection to remote site
> >  ip address 1.1.1.1 255.255.255.0
> >  no ip redirects
> >  no ip proxy-arp
> >  ppp multilink
> >  ppp multilink fragment disable
> >  ppp multilink group 1
> >
> > interface Serial1/0/19:0
> >  description Connected to remote site (circuit 1)
> >  no ip address
> >  no ip redirects
> >  encapsulation ppp
> >  ppp multilink
> >  ppp multilink group 1
>
> Be careful with uRPF. You may not need to modify your queues...probably don't unless you understand it.
>
> And please, do not disable unreachables.
>
> tv
>
> ----- Original Message -----
> From: "Michael Malitsky"
> To:
> Sent: Thursday, January 15, 2009 11:20 AM
> Subject: Re: [c-nsp] Per packet load balancing with low latency
>
> > Don't have a link handy, but here is a sample of the config we use. You can view status using
> >
> >   show ppp multilink
> >
> > interface Multilink1
> >  description Multiplexed Logical Connection to remote site
> >  ip address 1.1.1.1 255.255.255.0
> >  ip access-group inbound in
> >  ip access-group outbound out
> >  ip verify unicast source reachable-via rx
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  no peer neighbor-route
> >  fair-queue 1024 256 0
> >  ppp multilink
> >  ppp multilink fragment disable
> >  ppp multilink group 1
> >
> > interface Serial1/0/19:0
> >  description Connected to remote site (circuit 1)
> >  no ip address
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  encapsulation ppp
> >  no fair-queue
> >  ppp multilink
> >  ppp multilink group 1
> >
> > interface Serial1/0/21:0
> >  description Connected to remote site (circuit 2)
> >  no ip address
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  encapsulation ppp
> >  no fair-queue
> >  ppp multilink
> >  ppp multilink group 1
> >
> > Sincerely,
> > Michael Malitsky
> >
> >> Message: 8
> >> Date: Thu, 15 Jan 2009 16:55:48 +0000
> >> From: William
> >> Subject: Re: [c-nsp] Per packet load balancing with low latency applications
> >> To: "cisco-nsp at puck.nether.net"
> >> Message-ID:
> >> Content-Type: text/plain; charset=ISO-8859-1
> >>
> >> Can anyone point me to some decent documentation on setting up MLPPP
> >> with serial links? Google/Cisco.com is not liking my key words today.
> >>
> >> Thanks for your time.
> >>
> >> W
> >>
> >> 2009/1/15 :
> >> > Hi,
> >> >> Yes, age-old question.
> >> >>
> >> >> Use layer 2 technologies such as MLPPP.
> >> >
> >> > yep - you can then choose the appropriate load balancing
> >> > method so media streams for the same target go down the same pipe.
> >> > missing packets are generally okay for most modern streaming
> >> > systems...they ignore them..you might get a little glitch if you
> >> > are unlucky....but packets arriving out of order? ouch.
> >> >
> >> > alan

From good1 at live.com Thu Jan 15 15:02:49 2009
From: good1 at live.com (Andrew Jimmy)
Date: Fri, 16 Jan 2009 01:02:49 +0500
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To: <1232048421.7153.15.camel@mauritzlewies>
References: <884322.76675.qm@web54007.mail.re2.yahoo.com> <1232048421.7153.15.camel@mauritzlewies>
Message-ID:

I'm using MLPPP along with CRTP on Juniper routers (using AS PIC), and it is working like a charm... Yea, true, MLPPP stuff is complicated on Cisco devices, which is CPU hungry...

From tvarriale at comcast.net Thu Jan 15 15:10:48 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 15 Jan 2009 14:10:48 -0600
Subject: [c-nsp] Per packet load balancing with low latency
References: <79AF0C3901752A49881FE4CB31F7AA400128021B@abn-borg2.NETABN.LOCAL>
Message-ID: <77D9873D48BA45DDAB65A10B747106D9@flamdt01>

Unfortunately, not everything Cisco recommends translates well into real-world implementations.

Feel free to read RFC 1191. That should explain everything. BCP says don't turn it off for this reason.

As for the security aspect, there have been a few vulnerabilities that were not really exploited and then fixed. The pros of leaving this on far outweigh any potential, never really attacked, security issue. And, if you do get seriously attacked by this method somehow, there are products on the market that can effectively mitigate it (as well as many others).

tv

From tvarriale at comcast.net Thu Jan 15 15:37:55 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 15 Jan 2009 14:37:55 -0600
Subject: [c-nsp] Per packet load balancing with low latency applications
References: <884322.76675.qm@web54007.mail.re2.yahoo.com> <1232048421.7153.15.camel@mauritzlewies>
Message-ID: <7D0B2A5AB2E546CDA378B9EF6CE2D232@flamdt01>

Turn off fragmentation. You'll see your CPU drop way down.

tv

----- Original Message -----
From: "Andrew Jimmy"
To: ;
Sent: Thursday, January 15, 2009 2:02 PM
Subject: Re: [c-nsp] Per packet load balancing with low latency applications

> I'm using MLPPP along with CRTP on Juniper routers (using AS PIC), and it
> is working like a charm... yea true MLPPP stuff is complicated on Cisco
> devices which is CPU hungry ...
From mauritz at three6five.com Thu Jan 15 15:59:19 2009
From: mauritz at three6five.com (Mauritz Lewies)
Date: Thu, 15 Jan 2009 22:59:19 +0200
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To: <7D0B2A5AB2E546CDA378B9EF6CE2D232@flamdt01>
References: <884322.76675.qm@web54007.mail.re2.yahoo.com> <1232048421.7153.15.camel@mauritzlewies> <7D0B2A5AB2E546CDA378B9EF6CE2D232@flamdt01>
Message-ID: <1232053159.7153.61.camel@mauritzlewies>

But then you might as well use per-packet load balancing...

On Thu, 2009-01-15 at 14:37 -0600, Tony Varriale wrote:
> Turn off fragmentation. You'll see your CPU drop way down.
>
> tv

From SIngram at clayton.com Thu Jan 15 16:06:28 2009
From: SIngram at clayton.com (Scott Ingram)
Date: Thu, 15 Jan 2009 16:06:28 -0500
Subject: [c-nsp] BGP default-originate route
References: <00c301c97744$44295250$cc7bf6f0$@net.pk>
Message-ID:

Here is what I came up with....

route-map Internet-path permit 10
 set as-path prepend 65 65
!
router bgp 65
 neighbor X.X.X.X remote-as 65
 neighbor X.X.X.X route-map Internet-path out    <<<<<<<<
!

> I think to keep it simple
> all I want is to do "one site primary and the other standby only".
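Brad's suggestion (quoted in Masood's message above) and Scott's route-map both work by making the standby PE's default route lose the best-path comparison. The model below is an added example, not code from the thread or from Cisco: it walks the decision steps that matter here for two constructed default-route advertisements, and also shows why "manipulating MED" alone misfires when the two PEs are reached through different neighboring ASes. Router addresses, AS numbers and function names are all constructed.

```python
"""Which default route wins: primary vs standby PE (added example).

A trimmed BGP decision process: highest LOCAL_PREF, then shortest AS_PATH,
then lowest MED (compared only between paths from the same neighboring AS),
then lowest neighbor address as the final tie-breaker. Steps that play no
role in this scenario (origin, eBGP-over-iBGP, IGP metric, router-id) are
left out. Addresses and AS numbers are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Path:
    neighbor: str                 # advertising neighbor; last tie-breaker
    neighbor_as: int              # AS of the neighbor that sent the route
    as_path: List[int] = field(default_factory=list)
    local_pref: int = 100
    med: int = 0


def ip_key(addr: str):
    """Dotted-quad string -> tuple so addresses compare numerically."""
    return tuple(int(o) for o in addr.split("."))


def prepend(path: Path, asn: int, count: int) -> Path:
    """What Scott's 'set as-path prepend 65 65' does on the outbound
    route-map: push the same ASN onto the front of AS_PATH count times."""
    return Path(path.neighbor, path.neighbor_as,
                [asn] * count + path.as_path, path.local_pref, path.med)


def better(a: Path, b: Path) -> bool:
    """True when a beats b in the trimmed decision process."""
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    # MED is only compared between routes learned from the same AS;
    # across different neighboring ASes it is skipped by default.
    if a.neighbor_as == b.neighbor_as and a.med != b.med:
        return a.med < b.med
    return ip_key(a.neighbor) < ip_key(b.neighbor)


def best_path(paths: List[Path]) -> Optional[Path]:
    best = None
    for p in paths:
        if best is None or better(p, best):
            best = p
    return best


def default_route_winner(primary_up: bool, standby_prepend: int = 2) -> Optional[str]:
    """Primary and standby PE both advertise 0.0.0.0/0; the standby pads
    its AS_PATH. primary_up=False models the primary PE withdrawing."""
    candidates = []
    if primary_up:
        candidates.append(Path("192.0.2.1", neighbor_as=65, as_path=[65]))
    standby = Path("192.0.2.2", neighbor_as=65, as_path=[65])
    candidates.append(prepend(standby, 65, standby_prepend))
    best = best_path(candidates)
    return best.neighbor if best else None


def med_only_winner() -> str:
    """Caveat: if the standby is reached via a different neighboring AS
    and only its MED is raised, MED is never compared and the lower
    neighbor address decides, so the standby wins against intent."""
    primary = Path("192.0.2.9", neighbor_as=65, as_path=[65], med=0)
    standby = Path("192.0.2.2", neighbor_as=64, as_path=[64], med=500)
    return best_path([primary, standby]).neighbor


if __name__ == "__main__":
    print("primary up      ->", default_route_winner(True))   # 192.0.2.1
    print("primary down    ->", default_route_winner(False))  # 192.0.2.2
    print("MED across ASes ->", med_only_winner())            # 192.0.2.2
```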
From bitkraft at gmail.com Thu Jan 15 16:11:52 2009 From: bitkraft at gmail.com (Brian Spade) Date: Thu, 15 Jan 2009 13:11:52 -0800 Subject: [c-nsp] High CPU utilization caused by the TPLUS process In-Reply-To: <935ead450901132007l1c068181s2efd8ca78f12fde0@mail.gmail.com> References: <935ead450901130806qfec9aaxb83416a2eb9f662e@mail.gmail.com> <496CE854.3080003@justinshore.com> <935ead450901131122l43ab083fqe38023e2df958afb@mail.gmail.com> <496CFB9D.10102@justinshore.com> <935ead450901131302n27bd3b3dse2c36c791b5fb3df@mail.gmail.com> <505b616c0901131844x2cc90a45gd8f1a62d87c5c8a2@mail.gmail.com> <935ead450901132007l1c068181s2efd8ca78f12fde0@mail.gmail.com> Message-ID: <505b616c0901151311v68800105u21c5473a5c005149@mail.gmail.com> Ah OK, you already tried that then. I was referencing: http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2ae4.shtml /bs On Tue, Jan 13, 2009 at 8:07 PM, Jeffrey Ollie wrote: > On Tue, Jan 13, 2009 at 8:44 PM, Brian Spade wrote: > > Try clearing the TCP process on the router. > > I tried just about every variation of "clear tcp" I could find, but > the stuck CLI user is still there. Is there something I'm missing? > AFAICS there is no TCP connection associated with the stuck CLI user > anymore. > > -- > Jeff Ollie > > "You know, I used to think it was awful that life was so unfair. Then > I thought, wouldn't it be much worse if life were fair, and all the > terrible things that happen to us come because we actually deserve > them? So, now I take great comfort in the general hostility and > unfairness of the universe." 
> > -- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon" > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From tkacprzynski at SpencerStuart.com Thu Jan 15 17:12:41 2009 From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com) Date: Thu, 15 Jan 2009 16:12:41 -0600 Subject: [c-nsp] BGP Question In-Reply-To: <505b616c0901151311v68800105u21c5473a5c005149@mail.gmail.com> Message-ID: Hello, I'm trying to figure out if this configuration can be accomplished. Topology CPE-----------CE-----------PE -------- Internet ASN 1 ASN 3 I'm trying to figure out a way where CPE and PE is peering with each other, where CE is not using iBGP between PE but can still filter some of the routes from PE. The PE can't really have any "custom" configuration except simple neighboring. I have more flexibility with the CE. The PE basically has a lot of summary routes that I need to make more specific, but can't really change much on the PE, the idea is to use the CE to modify them then send the CPE more specific routes based on the summary routes. The requirement for more specific routers is there to eliminate some asymmetric routing (other links not shown). I was looking at Local-AS and whether that could help. Not sure. Any suggestions are greatly appreciated. Thank you Tom From arla at rn.dk Thu Jan 15 17:24:01 2009 From: arla at rn.dk (Arne Larsen / Region Nordjylland) Date: Thu, 15 Jan 2009 23:24:01 +0100 Subject: [c-nsp] BGP Question In-Reply-To: References: <505b616c0901151311v68800105u21c5473a5c005149@mail.gmail.com> Message-ID: <8D68760F464FFD40A01BF2FB374E4A280165524E2718@SRVEXC02.aas.its.nja.dk> If an EBGP peer is more than one hop away from the local router, you must specify the next hop to the peer so that the two systems can establish a BGP session. 
neighbor x.x.x.x remote-as xxx
neighbor x.x.x.x ebgp-multihop

/Arne

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of tkacprzynski at spencerstuart.com
Sent: 15 January 2009 23:13
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP Question

Hello,

I'm trying to figure out if this configuration can be accomplished.

Topology

CPE-----------CE-----------PE -------- Internet
        ASN 1              ASN 3

I'm trying to figure out a way where the CPE and PE are peering with each other, where the CE is not using iBGP with the PE but can still filter some of the routes from the PE. The PE can't really have any "custom" configuration except simple neighboring. I have more flexibility with the CE. The PE basically has a lot of summary routes that I need to make more specific, but I can't really change much on the PE; the idea is to use the CE to modify them and then send the CPE more specific routes based on the summary routes. The requirement for more specific routes is there to eliminate some asymmetric routing (other links not shown).

I was looking at Local-AS and whether that could help. Not sure.

Any suggestions are greatly appreciated.

Thank you
Tom

From brandon at sterling.net Thu Jan 15 17:24:13 2009
From: brandon at sterling.net (Brandon Price)
Date: Thu, 15 Jan 2009 14:24:13 -0800
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To: <7D0B2A5AB2E546CDA378B9EF6CE2D232@flamdt01>
References: <884322.76675.qm@web54007.mail.re2.yahoo.com> <1232048421.7153.15.camel@mauritzlewies> <7D0B2A5AB2E546CDA378B9EF6CE2D232@flamdt01>
Message-ID:

What are the negative ramifications of turning off fragmentation?
Brandon

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Thursday, January 15, 2009 12:38 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Per packet load balancing with low latency applications

Turn off fragmentation. You'll see your CPU drop way down.

tv

----- Original Message -----
From: "Andrew Jimmy"
To: ;
Sent: Thursday, January 15, 2009 2:02 PM
Subject: Re: [c-nsp] Per packet load balancing with low latency applications

> I'm using MLPPP along with CRTP on Juniper routers (using AS PIC), and it
> is working like a charm... yeah, true, MLPPP stuff is complicated on Cisco
> devices, which is CPU hungry ...
>

From malitsky at netabn.com Thu Jan 15 18:24:46 2009
From: malitsky at netabn.com (Michael Malitsky)
Date: Thu, 15 Jan 2009 17:24:46 -0600
Subject: [c-nsp] Per packet load balancing with low latency
In-Reply-To:
References:
Message-ID: <79AF0C3901752A49881FE4CB31F7AA4001280256@abn-borg2.NETABN.LOCAL>

PMTUD is certainly not the panacea it's made out to be. It doesn't work more often than not (yes, due to some device in the path not supporting it). Given the questionable usefulness, I still support it on Internet-facing links. However, private infrastructure, where MLPPP is frequently used, is far more deterministic and usually does not require PMTUD. BCP says if you don't need it, turn it off. Besides, considering that MLPPP is often a low-budget solution (as opposed to a larger link), procuring an additional security product may not be in the cards either (even if technologically possible). The above is my experience.
Sincerely,
Michael Malitsky

> Date: Thu, 15 Jan 2009 14:10:48 -0600
> From: "Tony Varriale"
> Subject: Re: [c-nsp] Per packet load balancing with low latency
> To:
> Message-ID: <77D9873D48BA45DDAB65A10B747106D9 at flamdt01>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
>
> Unfortunately, not everything Cisco recommends translates well into
> real world implementations.
>
> Feel free to read RFC 1191. That should explain everything. BCP says
> don't turn off for this reason.
>
> As for the security aspect, there have been a few vulnerabilities that
> were not really exploited and then fixed. The pros of leaving this on far
> outweigh any potential, never really attacked, security issue.
>
> And, if you do get seriously attacked by this method somehow, there are
> products on the market that can effectively mitigate it (as well as
> many others).
>
> tv
>
> ----- Original Message -----
> From: "Michael Malitsky"
> To:
> Sent: Thursday, January 15, 2009 1:42 PM
> Subject: Re: [c-nsp] Per packet load balancing with low latency
>
>
> > Tony,
> >
> > I'll agree with the comments on uRPF and queuing - you should know
> > why you want these changes before making them.
> >
> > However, disabling IP Unreachables is now one of the baseline
> > measures for infrastructure protection, and recommended as such by Cisco.
> > I'll agree in advance that there may be situations where IP unreachables
> > are desired, or situations where infrastructure protection is not
> > important, but by and large disabling it seems to be a good step. If you
> > disagree, I'd appreciate an explanation.
> >
> > Sincerely,
> > Michael Malitsky

From lmeade at signal.ca Thu Jan 15 19:21:07 2009
From: lmeade at signal.ca (Leslie Meade)
Date: Thu, 15 Jan 2009 16:21:07 -0800
Subject: [c-nsp] QOS VLAN
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB089@xmb-ams-333.emea.cisco.com>
References: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB089@xmb-ams-333.emea.cisco.com>
Message-ID:

I have a 6509e with a sup 32, and I want to control how much bandwidth is available to each vlan. My uploading is working fine but I do not understand why my users on this vlan or any vlan still pull down lots of data. I have been told that I cannot do this because the equipment is not suited to my needs.

This is what I have

policy-map 4_Mb_Internet
 class class-default
  police cir 4194000 bc 491515 be 491515 conform-action transmit exceed-action drop violate-action drop

interface Vlan4
 description 2012 Camera Feed
 ip address 10.1.4.2 255.255.255.0
 ip access-group Productions in
 ip helper-address 10.1.6.10
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip route-cache flow
 no ip mroute-cache
 mls netflow sampling
 standby 15 ip 10.1.4.1
 standby 15 priority 250
 standby 15 preempt
 service-policy input 4_Mb_Internet
 service-policy output 4_Mb_Internet

Can anyone point me in the right direction?

Leslie

From peter at rathlev.dk Thu Jan 15 20:07:36 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 16 Jan 2009 02:07:36 +0100
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To:
References:
Message-ID: <1232068056.4278.6.camel@localhost.localdomain>

On Thu, 2009-01-15 at 12:25 +0000, William wrote:
> Per packet is going to be used because there will only be one machine
> on each end of the link talking to each other.

As an alternative to MLPPP: even though only two hosts communicate, per-session CEF load sharing would work (somewhat) as long as they have several sessions open.
Or should one session (TCP) be able to use all of the bandwidth? In that case MLPPP is the way to go.

Regards,
Peter

From matt at iseek.com.au Thu Jan 15 21:04:22 2009
From: matt at iseek.com.au (Matt Carter)
Date: Fri, 16 Jan 2009 12:04:22 +1000
Subject: [c-nsp] carrier load balancing packets across unequal path lengths
Message-ID: <7FEDD455961B164D8C4EEA60E229142079421D4DA8@EXCHANGE1.intranet.iseek.com.au>

hi all,

i have an issue where a carrier that provides transit has decided to begin load balancing traffic across unequal path lengths. ie, instead of

        --R3--
      /        \
   R1           R2
      \        /
        --R4--

we are seeing something a lot more like this

   R1-----R3------R2
     \            /
      --R4-------R5

as a result packets going via R4 & R5 are arriving with a different TTL and out of order to the tune of 30 ms or so. its throwing our monitoring tools out of whack because one minute a host is at hop 11, the next it's at 10. (watching path changes to bgp beacons).

with data payloads consider a voice stream of 10 packets egressing at 20ms interval whereby every other packet is being sent via the longer path

1 2 3 4 5 6 7 8 9 10

aside from the TTL issue we end up with packets arriving like this

 1  x          = x
 2  x+20+30    = +50
 3  x+40       = +40
 4  x+60+30    = +90
 5  x+80       = +80
 6  x+100+30   = +130
 7  x+120      = +120
 8  x+140+30   = +170
 9  x+160      = +160
10  x+180+30   = +210

so the original 1 through 10 packets that were egressed sequentially end up arriving as

1, 3, 2, 5, 4, 7, 6, 9, 8, 10

the carrier i'm dealing with doesn't seem to even comprehend that this is a problem .. can't say i've ever had that kind of response before and i'm left a little bewildered.. i'm used to hiding all this stuff away in the MPLS core and preserving the customer TTL's..

anyone else interacting with carriers who seem to think this is perfectly ok network design??

thoughts/comments/suggestions??
kind regards,

--matt

From jashton at esnet.com Thu Jan 15 21:06:05 2009
From: jashton at esnet.com (James Ashton)
Date: Thu, 15 Jan 2009 21:06:05 -0500
Subject: [c-nsp] backup server required for ISP .
In-Reply-To: <171b010e0901150307s3e042003yf84ac318cca12de3@mail.gmail.com>
References: <171b010e0901150307s3e042003yf84ac318cca12de3@mail.gmail.com>
Message-ID: <490B0AB46362B947A2947D5CB5E7F2A10229D3E7E1@exchange.esnet.com>

It's pretty hard to beat Rancid.

http://www.shrubbery.net/rancid/

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of shariq qamar [shariq.qam at gmail.com]
Sent: Thursday, January 15, 2009 6:07 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] backup server required for ISP .

Hi guys,

Kindly suggest the best backup server used in a BIG ISP environment for equipment configuration backup; command execution across the network in one go should also be supported, for vendors Juniper as well as Cisco. The server should handle more than 2000 network routers.

--
Regards,
Shariq Qamar,
Mob-9871748456

From kelvin_team at yahoo.com Thu Jan 15 23:16:59 2009
From: kelvin_team at yahoo.com (Kelvin Goei)
Date: Thu, 15 Jan 2009 20:16:59 -0800 (PST)
Subject: [c-nsp] Input error from Cisco Switch and Juniper Router
Message-ID: <938836.32031.qm@web110112.mail.gq1.yahoo.com>

Hi All,

We are experiencing an issue with connectivity between a Cisco Switch and a Juniper Router. We are seeing the input errors keep increasing on our Cisco Switch.

cisco
=====
3863152 input errors, 49850 CRC, 0 frame, 0 overrun, 0

we are running 1000BaseLX on both sides.
Juniper Side
============
input errors:
  Errors: 918618, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 7345203, L3 incompletes: 918618, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0

anyone experienced this before? we already tried changing the sfp and patch cable on the cisco side; although the fibre core between the cisco sw and juniper was already tested, we will conduct the test again.

Is it possible that a feature mismatch between cisco and juniper is causing the error rather than the physical link itself?

Thanks all for the help.

Regards,
Kelvin.

From frnkblk at iname.com Thu Jan 15 23:17:23 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Thu, 15 Jan 2009 22:17:23 -0600
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To:
References:
Message-ID:

What about using a product that delivers Ethernet over n T-1s, like units from RAD?

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of William
Sent: Thursday, January 15, 2009 6:25 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Per packet load balancing with low latency applications

Hello list,

I've been looking at using per packet load balancing with a couple of serial links to use with a low latency market data application; in all the cisco docs they seem to mention how VoIP/Video applications may chuck their dummy out with packets arriving out of sequence.

My question is what would cause the packets to arrive out of sequence? And has anyone been in my position before? what was the outcome?

Per packet is going to be used because there will only be one machine on each end of the link talking to each other.

Any more information/real life experiences on the matter are welcome.

Thanks for your time.
W

From mtinka at globaltransit.net Thu Jan 15 23:35:08 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 16 Jan 2009 12:35:08 +0800
Subject: [c-nsp] Input error from Cisco Switch and Juniper Router
In-Reply-To: <938836.32031.qm@web110112.mail.gq1.yahoo.com>
References: <938836.32031.qm@web110112.mail.gq1.yahoo.com>
Message-ID: <200901161235.14641.mtinka@globaltransit.net>

On Friday 16 January 2009 12:16:59 pm Kelvin Goei wrote:

> Juniper Side
> ============
> input errors:
> Errors: 918618, Drops: 0, Framing errors: 0, Runts: 0,
> Policed discards: 7345203, L3 incompletes: 918618,
> L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO
> errors: 0, Resource errors: 0

From the Juniper side, 'L3 incompletes' and 'Policed discards' indicate some protocol running on the Cisco side which is not enabled or supported on the Juniper side.

As a start, make sure you don't have CDP enabled on the Cisco port.

Cheers,

Mark.

From aalejandro at worldnetpr.com Fri Jan 16 01:29:45 2009
From: aalejandro at worldnetpr.com (Abel Alejandro)
Date: Fri, 16 Jan 2009 02:29:45 -0400
Subject: [c-nsp] MPLS Interworking 7206VXR / Tellabs 8860
Message-ID:

Hello,

I am trying to set up an interworking mpls circuit using a Cisco 7206VXR and a Tellabs 8860 as the PEs. One side is Ethernet-VLAN and the other is PPP.
The circuit tries to come up but the Cisco keeps tearing it down, giving the following errors:

02:41:26: %LDP-5-NBRCHG: LDP Neighbor 192.168.10.253:0 (3) is UP
02:41:31: %LDP-5-NBRCHG: LDP Neighbor 192.168.10.253:0 (3) is DOWN (Received error notification from peer: Malformat TLV)
02:41:33: %LDP-5-NBRCHG: LDP Neighbor 192.168.10.253:0 (1) is UP
02:41:33: %LDP-5-NBRCHG: LDP Neighbor 192.168.10.253:0 (1) is DOWN (Received error notification from peer: Malformat TLV)

Does anyone have any pointer in the right direction, or know if this is even supported?

Thanks,
Abel.

From oboehmer at cisco.com Fri Jan 16 02:12:15 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 16 Jan 2009 08:12:15 +0100
Subject: [c-nsp] Per packet load balancing with low latency applications
In-Reply-To: <1232053159.7153.61.camel@mauritzlewies>
References: <884322.76675.qm@web54007.mail.re2.yahoo.com> <1232048421.7153.15.camel@mauritzlewies> <7D0B2A5AB2E546CDA378B9EF6CE2D232@flamdt01> <1232053159.7153.61.camel@mauritzlewies>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406B36CDF@xmb-ams-333.emea.cisco.com>

Nope. Even if the sender doesn't fragment packets, the receiver will still make sure packets are put into the correct order (MLPPP considers all frames as being "fragments" and numbers them accordingly).

I think disabling fragmentation can lead to slightly increased latency (and possibly jitter), for example when a 1500 byte and a 40 byte packet are sent in this sequence, and the receiver needs to wait for the 1500 byte packet to arrive completely before forwarding the small packet..

I wouldn't consider MLPPP as being especially CPU-hungry these days..

	oli

Mauritz Lewies <> wrote on Thursday, January 15, 2009 21:59:

> But then you might as well use per-packet load balancing...
>
>
>
> On Thu, 2009-01-15 at 14:37 -0600, Tony Varriale wrote:
>
>> Turn off fragmentation. You'll see your CPU drop way down.
>>
>> tv
>> ----- Original Message -----
>> From: "Andrew Jimmy"
>> To: ;
>> Sent: Thursday, January 15, 2009 2:02 PM
>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>> applications
>>
>>
>>> I'm using MLPPP along with CRTP on Juniper routers (using AS PIC),
>>> and it is working like a charm... yeah, true, MLPPP stuff is
>>> complicated on Cisco devices, which is CPU hungry ...
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mauritz
>>> Lewies
>>> Sent: Friday, January 16, 2009 12:40 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>>> applications
>>>
>>> Hi
>>>
>>> Out of personal experience MLPPP sounds great in theory and
>>> technically should be a viable solution. However, Cisco has never
>>> really been able to deliver a bug free MLPPP implementation...
>>>
>>> We have had situations of per-packet, moving to MLPPP, going back to
>>> per-session and eventually having to aggregate into larger single
>>> links. IOS has just never really worked with MLPPP and I strongly
>>> advise against it.
>>>
>>>
>>>
>>>
>>> On Thu, 2009-01-15 at 08:08 -0800, Yan Filyurin wrote:
>>>
>>>> Look for ways to aggregate multiple physical circuits into one
>>>> logical one that has a native way to load balance and still ensures
>>>> that packets are not out of sequence, like MLPPP or MLFR, since they
>>>> have their own sequencing that prevents out of order arrival, not to
>>>> mention a bunch of things like fragmentation and interleaving that
>>>> is great for voice. As far as the market data application goes, is
>>>> it by any chance multicast and UDP, which could potentially make it
>>>> subject to the same constraints as voice? You could always do all
>>>> kinds of things to influence various types of traffic going over
>>>> just a single link with redundancy and all, or just do per
>>>> destination. I would vote for MLPPP.
>>>>
>>>> Like the previous email said, you can use L3 technologies such as
>>>> tunneling with sequence datagrams, but all it will do is drop
>>>> packets that are out of order, thus moving the problem further from
>>>> the application, but still creating it. I've only read about it. I
>>>> am sure everyone here will vote for MLPPP.
>>>>
>>>> Yan
>>>>
>>>>
>>>>
>>>>
>>>> ________________________________
>>>> From: William
>>>> To: Brad Hedlund
>>>> Cc: "cisco-nsp at puck.nether.net"
>>>> Sent: Thursday, January 15, 2009 10:16:56 AM
>>>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>>>> applications
>>>>
>>>> Hi Brad,
>>>>
>>>> Thanks for your input.
>>>>
>>>> Is there anything else I can use to achieve my goal? I'm pretty
>>>> sure getting a bigger circuit will be a last resort.
>>>>
>>>> Regards,
>>>>
>>>> W
>>>>
>>>> 2009/1/15 Brad Hedlund :
>>>>> On 1/15/09 6:25 AM, "William" wrote:
>>>>>
>>>>>> My
>>>>>> question is what would cause the packets to arrive out of
>>>>>> sequence?
>>>>>
>>>>> Path #1 might have a little more congestion than Path #2, which
>>>>> would cause Packet #1 sent down Path #1 to sit in a buffer an
>>>>> extra millisecond or two longer than Packet #2 sent down Path #2 with
>>>>> no congestion. This results in Packet #2 arriving at the
>>>>> destination before Packet #1. The result of this being poor
>>>>> application performance.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Brad Hedlund
>>>>> bhedlund at cisco.com
>>>>> http://www.internetworkexpert.org
>>>>>
>>>>>
>>>>>

From gsinl at yahoo.com Fri Jan 16 02:45:52 2009
From: gsinl at yahoo.com (Gaurav Prakash)
Date: Fri, 16 Jan 2009 13:15:52 +0530 (IST)
Subject: [c-nsp] QOS VLAN
Message-ID: <228202.34734.qm@web95109.mail.in2.yahoo.com>

Hi,

I think you should check if policing input is supported or not. Else try rate-limiting the interface inbound..

regards,
Gaurav

------------------

Message: 1
Date: Thu, 15 Jan 2009 16:21:07 -0800
From: "Leslie Meade"
Subject: [c-nsp] QOS VLAN
To: "cisco-nsp"
Message-ID:
Content-Type: text/plain; charset="utf-8"

I have a 6509e with a sup 32, and I want to control how much bandwidth is available to each vlan. My uploading is working fine but I do not understand why my users on this vlan or any vlan still pull down lots of data. I have been told that I cannot do this because the equipment is not suited to my needs.

This is what I have

policy-map 4_Mb_Internet
 class class-default
  police cir 4194000 bc 491515 be 491515 conform-action transmit exceed-action drop violate-action drop

interface Vlan4
 description 2012 Camera Feed
 ip address 10.1.4.2 255.255.255.0
 ip access-group Productions in
 ip helper-address 10.1.6.10
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip route-cache flow
 no ip mroute-cache
 mls netflow sampling
 standby 15 ip 10.1.4.1
 standby 15 priority 250
 standby 15 preempt
 service-policy input 4_Mb_Internet
 service-policy output 4_Mb_Internet

Can anyone point me in the right direction?

Leslie

From mt at vol.cz Fri Jan 16 03:08:26 2009
From: mt at vol.cz (Marek Tyban)
Date: Fri, 16 Jan 2009 09:08:26 +0100 (CET)
Subject: [c-nsp] QOS VLAN
In-Reply-To:
References: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB089@xmb-ams-333.emea.cisco.com>
Message-ID: <20090116085954.L86034@k3.vol.cz>

Hello Leslie,

to accomplish this you need to enable vlan based QoS (mls qos vlan-based).

m.

On Thu, 15 Jan 2009, Leslie Meade wrote:

> I have a 6509e with a sup 32, and I want to control how much bandwidth
> is available to each vlan. My uploading is working fine but I do not
> understand why my users on this vlan or any vlan still pull down
> lots of data. I have been told that I cannot do this because the
> equipment is not suited to my needs.
>
> This is what I have
>
> policy-map 4_Mb_Internet
>  class class-default
>   police cir 4194000 bc 491515 be 491515 conform-action transmit exceed-action drop violate-action drop
>
> interface Vlan4
>  description 2012 Camera Feed
>  ip address 10.1.4.2 255.255.255.0
>  ip access-group Productions in
>  ip helper-address 10.1.6.10
>  no ip redirects
>  no ip unreachables
>  ip flow ingress
>  ip route-cache flow
>  no ip mroute-cache
>  mls netflow sampling
>  standby 15 ip 10.1.4.1
>  standby 15 priority 250
>  standby 15 preempt
>  service-policy input 4_Mb_Internet
>  service-policy output 4_Mb_Internet
>
>
> Can anyone point me in the right direction?
>
> Leslie
>

From toebivankenoebi at gmail.com Fri Jan 16 05:03:14 2009
From: toebivankenoebi at gmail.com (Tobias König)
Date: Fri, 16 Jan 2009 11:03:14 +0100
Subject: [c-nsp] IPv6 redistribute bgp into ospf
In-Reply-To: <80d99a100901151500m119942cbg8502cb5b2cf951e7@mail.gmail.com>
References: <5a9bb9700901140904l456e32e7p81cf8cb68b2144fe@mail.gmail.com> <496EF255.1070801@he.net> <200901151654.25078.mtinka@globaltransit.net> <5a9bb9700901150130g74d40673x1ca36c6b441da430@mail.gmail.com> <80d99a100901151459u646ba670u4757623648d75475@mail.gmail.com> <80d99a100901151500m119942cbg8502cb5b2cf951e7@mail.gmail.com>
Message-ID: <5a9bb9700901160203l54c2965ewd788d17118b8d7de@mail.gmail.com>

Hi Ron

Thanks a lot, that was about it, you just made my day ;)

Indeed I forgot to put that in the address-family ipv6..
R0>sh ipv6 route
OE2 20:20:20::/48 [110/1]
     via FE80::CE05:7FF:FEE8:0, FastEthernet0/0

Cheers
Tobias

From yanf787 at yahoo.com Fri Jan 16 08:13:43 2009
From: yanf787 at yahoo.com (Yan Filyurin)
Date: Fri, 16 Jan 2009 05:13:43 -0800 (PST)
Subject: [c-nsp] Per packet load balancing with low latency applications
References:
Message-ID: <567058.60537.qm@web54007.mail.re2.yahoo.com>

Or any other external inverse multiplexer. Plus, as old and outdated as that technology might be, apparently Cisco still supports IMA. While it requires different hardware, that could be an alternative.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/ioh/nm/nm_etima.htm
http://www.cisco.com/en/US/docs/routers/access/interfaces/nm/hardware/installation/guide/ConntIMA.html#wpxref64698

I've never used IMA in practice on an actual router, but when using it with external devices, it worked great. But it was 6 years ago, so times have changed since then.

Yan

________________________________
From: Frank Bulk
To: William ; cisco-nsp at puck.nether.net
Sent: Thursday, January 15, 2009 11:17:23 PM
Subject: Re: [c-nsp] Per packet load balancing with low latency applications

What about using a product that delivers Ethernet over n T-1s, like units from RAD?

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of William
Sent: Thursday, January 15, 2009 6:25 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Per packet load balancing with low latency applications

Hello list,

I've been looking at using per packet load balancing with a couple of serial links to use with a low latency market data application; in all the cisco docs they seem to mention how VoIP/Video applications may chuck their dummy out with packets arriving out of sequence.

My question is what would cause the packets to arrive out of sequence? And has anyone been in my position before? what was the outcome?
Per packet is going to be used because there will only be one machine on each end of the link talking to each other.

Any more information/real life experiences on the matter are welcome.

Thanks for your time.

W

From avayner at cisco.com Fri Jan 16 08:20:26 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 16 Jan 2009 14:20:26 +0100
Subject: [c-nsp] carrier load balancing packets across unequal path lengths
In-Reply-To: <7FEDD455961B164D8C4EEA60E229142079421D4DA8@EXCHANGE1.intranet.iseek.com.au>
References: <7FEDD455961B164D8C4EEA60E229142079421D4DA8@EXCHANGE1.intranet.iseek.com.au>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D70E521B@xmb-ams-331.emea.cisco.com>

Matt,

In general using unequal paths for load sharing is a valid solution, BUT, this should not introduce packet reordering.

This means that the routers in SP environments should not be operating in per-packet load balancing, but should be using some hash function to make sure that the same session always takes the same path. Actually, most SP-grade devices (Cisco 6500/7600/GSR etc) don't even support the per-packet option...

I suggest you have a chat with your SP again.
You could use this document for reference (1st best match on Google...):
http://networks.cs.ucdavis.edu/~yslee/reference/a-2-laor-network-2002.pdf

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matt Carter
Sent: Friday, January 16, 2009 04:04
To: Cisco Mailing list
Subject: [c-nsp] carrier load balancing packets across unequal path lengths

hi all,

i have an issue where a carrier that provides transit has decided to begin load balancing traffic across unequal path lengths. ie, instead of

        --R3--
      /        \
   R1           R2
      \        /
        --R4--

we are seeing something a lot more like this

   R1-----R3------R2
     \            /
      --R4-------R5

as a result packets going via R4 & R5 are arriving with a different TTL and out of order to the tune of 30 ms or so. its throwing our monitoring tools out of whack because one minute a host is at hop 11, the next it's at 10. (watching path changes to bgp beacons).

with data payloads consider a voice stream of 10 packets egressing at 20ms interval whereby every other packet is being sent via the longer path

1 2 3 4 5 6 7 8 9 10

aside from the TTL issue we end up with packets arriving like this

 1  x          = x
 2  x+20+30    = +50
 3  x+40       = +40
 4  x+60+30    = +90
 5  x+80       = +80
 6  x+100+30   = +130
 7  x+120      = +120
 8  x+140+30   = +170
 9  x+160      = +160
10  x+180+30   = +210

so the original 1 through 10 packets that were egressed sequentially end up arriving as

1, 3, 2, 5, 4, 7, 6, 9, 8, 10

the carrier i'm dealing with doesn't seem to even comprehend that this is a problem .. can't say i've ever had that kind of response before and i'm left a little bewildered.. i'm used to hiding all this stuff away in the MPLS core and preserving the customer TTL's..

anyone else interacting with carriers who seem to think this is perfectly ok network design??

thoughts/comments/suggestions??
kind regards,

--matt

From rjs at eng.gxn.net Fri Jan 16 07:57:19 2009
From: rjs at eng.gxn.net (Rob Shakir)
Date: Fri, 16 Jan 2009 12:57:19 +0000
Subject: [c-nsp] BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH
Message-ID: <20090116125718.GB26415@bronze.eng.gxn.net>

Strict RFC 4893 (4-byte ASN support) BGP4 implementations are vulnerable to a session reset by distant (not directly connected) ASes. This vulnerability is a feature of the standard, and unless immediate action is taken an increasingly significant number of networks will be open to attack. Accidental triggering of this vulnerability has already been seen in the wild, although the limited number of RFC 4893 deployments has limited its effect.

Summary:

It is possible to cause BGP sessions to remotely reset by injecting invalid data into the AS4_PATH attribute provided to store 4-byte ASN paths. Since AS4_PATH is an optional transitive attribute, the invalid data will be transited through many intermediate ASes which will not examine the content. To be vulnerable, an operator does not have to be actively using 4-byte AS support.

This problem was first reported by Andy Davidson on NANOG in December 2008 [0]; furthermore we have been able to demonstrate that a device running Cisco IOS release 12.0(32)S12 behaves as per this description.

Details:

When a prefix is learnt from a BGP neighbour that does not support 4-byte ASNs, the AS4_PATH attribute is retained, and appended to UPDATE messages sent to other neighbours [1, 3].
RFC4893 specifies that AS_CONFED_SEQUENCE and AS_CONFED_SET are invalid in an AS4_PATH, the intention of which is to ensure that an AS with a mix of AS4-aware BGP speakers, and AS4-unaware BGP speakers does not propagate confederation AS paths outside of the confederation [1, 3]. Upon receiving an invalid BGP UPDATE message, a BGP speaker must send a NOTIFICATION message [2, 6.3], after a NOTIFICATION message, the BGP connection is closed [2, 4.5]. Analysis of the Reported Path: On 10th December 2008, a BGP update was propagated with illegal/invalid confederation attributes in the AS4_PATH. When this update was received by AS4 aware BGP speakers, the RFCs described above were interpreted literally and the session was torn down. Because the illegal attributes were learned on a transit session, an affected network can have global reachability impaired. Please note that the analysis of this path describes what we expect to have happened in this case, it has not been confirmed by any of the ASNs involved. 91.207.218.0/23 Path Attributes - Origin: Incomplete Flags: 0x40 (Well-known, Transitive, Complete) Origin: Incomplete (2) AS_PATH: xx xx 35320 23456 (13 bytes) AS4_PATH: (65044 65057) 196629 (7 bytes) In this data, the AS_PATH indicates that a prefix is announced by an AS4 speaker (as indicated by AS23456) and propagated through by AS35320. The AS4_PATH data shows that the AS4 originator is AS196629, the rest of this path is an AS_CONFED_SEQUENCE [3, 5]. It would appear that in this case, AS196629 peers with AS35320, which is AS4-aware on this border. The prefix is then propagated through AS35320, with the AS4 aware routers appending their ASN to the AS_CONFED_SEQUENCE. This is in contravention of RFC 4893 [1, 3]. The border which announces this route to AS35320's upstream does not appear to be AS4-aware. 
During normal announcements, the BGP speaker on a border with an upstream ASN that is not part of the confederation will remove the left-most AS_CONFED_SETs or AS_CONFED_SEQUENCEs that exist in the AS_PATH [3, 6.1] and replace them with the confederation identifier. However, due to the fact that both AS_CONFED_SET and AS_CONFED_SEQUENCE are invalid in an AS4_PATH, then no such action is taken on the border between an AS4 aware AS, and a non-AS4 aware AS. In addition, since the AS35320 border is not AS4 aware, then it does not update the AS4_PATH. This malformed UPDATE is then sent to AS35320's upstream, if there are no AS4-aware routers in the path between the AS35320 border, and an AS receiving this update, the AS4_PATH will not have been analysed. The first AS4-aware router to receive this update will reset the session towards the neighbour from whom it receives the update. The border which announces this route to AS35320's upstream does not appear to be AS4-aware; If it were a strict AS4 implementation it would reset the BGP session due to the malformed AS4_PATH, and a broken implementation that treats AS4_PATH as an equivalent of the AS_PATH would sanitise the AS4_PATH. This allows the AS4_PATH containing an AS_CONFED_SET to be passed to neighbouring networks. This escape of an AS_CONFED_SET from a network with only partial AS4 support is exactly the situation that RFC 4893 attempts to avoid by forbidding the presence of an AS_CONFED_SET in the AS4_PATH. In the ideal world the neighbouring network receiving an UPDATE containing this obviously malformed AS4_PATH would reset the session, preventing further propagation and isolating the broken network. Unfortunately the vast majority of networks do not support AS4 so pass on this malformed AS4_PATH to their neighbours. The first AS4-aware router to receive this update will reset the session towards the neighbour from whom it received the update. 
Cisco IOS Behaviour: In a lab environment, a Cisco 7200 running IOS 12.0(32)S12, which is able to support 4-byte ASNs, was peered with a Cisco 2811 running 12.4(19). When the BGP session to the upstream 2811 is established by the 7200, the following log messages are observed: *Jan 16 11:29:58.531: %BGP-5-ADJCHANGE: neighbor 193.239.32.2 Up *Jan 16 11:30:02.595: %BGP-6-ASPATH: Invalid AS path (65044 65048 65062) 3.21 23456 received from 193.239.32.2: Confederation found in AS4_PATH *Jan 16 11:30:02.595: %BGP-5-ADJCHANGE: neighbor 193.239.32.2 Down BGP Notification sent *Jan 16 11:30:02.595: %BGP-3-NOTIFICATION: sent to neighbor 193.239.32.2 3/1 (update malformed) 27 bytes E0111803 030000FE 140000FE 180000FE 26 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0050 0200 0000 3540 0101 0240 020C 0205 3D25 2114 89F8 5BA0 5BA0 4003 04C1 EF20 02E0 1118 0303 0000 FE14 0000 FE18 0000 FE26 0202 0003 0015 0000 5BA0 175B CFDA The configuration on the 7200 is as follows: router bgp 65123 no synchronization bgp log-neighbor-changes neighbor 193.239.32.2 remote-as 15653 no auto-summary The BGP session will continue to be reset each time the invalid AS4_PATH is received. Possible Impact: During a BGP conversation, it is expected that a neighbour's UPDATE messages are sanitised by the immediate neighbour, during a 'normal' BGP conversation, if a BGP speaker receives an invalid UPDATE, it will teardown the session, and this invalid UPDATE will not propagate any further. In the case of optional transitive attributes such as AS4_PATH, this invalid update can be transited through many ASes, as the content of the invalid attribute in the UPDATE message is not examined. In a hypothetical scenario, an AS4 aware service provider (A) has a transit provider (T) that is not AS4 aware. BGP speaker B, a large distance from A has a bug affecting their equipment that introduces an AS_CONFED_SET in the AS4_PATH. 
Since B's updates are propagated through to A via T, A will tear down the session to T due to the malformed attribute. This is an out of proportion reaction as the update may affect only one prefix in a full BGP table. If this update is also propagated through A's other transit providers A may lose full-table visibility until one of their transit providers filters the route. Examining the UPDATE message to establish which route caused session teardown may be a non-trivial activity. Conclusion: Whilst this description may be applied to invalid data in any optional transitive element, it has a greater impact with AS4_PATH due to the large number of BGP speakers that currently do not examine any 4-byte ASN data in an UPDATE. There has been a discussion of this matter on the IETF IDR mailing list [4], however, due to availability of Cisco IOS containing AS4 support (12.0(32)S12), and an observation of this problem 'in the wild', we believe that it is of operational concern to those that are planning on deployment of AS4-aware platforms [5]. Any input from the operational community relating to this problem is much appreciated, either publicly, or privately. Regards, Andy Davidson, NetSumo (andy.davidson at netsumo.com), Jonathan Oddy, Hostway UK (jonathan.oddy at hostway.co.uk), Rob Shakir, GX Networks (rjs at eng.gxn.net) References: [0]: Andy Davidson - 91.207.218.0/23 prefix in DFZ - AS3.21 / AS196629 - announced with AS_CONFED_SEQUENCE in AS4_PATH - propagated by 35320, http://markmail.org/message/3ofvjyggayfxezna [1]: rfc4893: BGP Support for Four-octet AS Number Space [2]: rfc4271: A Border Gateway Protocol 4 (BGP-4) [3]: rfc3054: Autonomous System Confederations for BGP [4]: Kaliraj Vairavakkalai, Juniper Networks, [Idr] RFC-4893 handling malformed AS4_PATH attributes, http://www.ietf.org/mail-archive/web/idr/current/msg03368.html [5]: http://as4.cluepon.net/index.php/Software_Support Thanks to Will Hargrave (LONAP) for assistance with this document. 
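As an added example (not part of the advisory above, and not code from any of the vendors or networks it names), the following Python script decodes the 80-byte UPDATE message from the advisory's own NOTIFICATION dump and applies the RFC 4893 check the text describes: AS_CONFED_SEQUENCE and AS_CONFED_SET segment types are reported as invalid inside AS4_PATH, while the same segment types in AS_PATH are left alone. The message bytes are exactly the hex in the lab log above; the function and constant names are this example's own.

```python
import struct

# Attribute type codes: RFC 4271 (AS_PATH) and RFC 4893 (AS4_PATH)
ATTR_AS_PATH = 2
ATTR_AS4_PATH = 17

# Path segment types; 3 and 4 are the confederation types RFC 4893 forbids in AS4_PATH
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
SEGMENT_NAMES = {AS_SET: "AS_SET", AS_SEQUENCE: "AS_SEQUENCE",
                 AS_CONFED_SEQUENCE: "AS_CONFED_SEQUENCE", AS_CONFED_SET: "AS_CONFED_SET"}

# The 80-byte UPDATE exactly as dumped in the advisory's %BGP-3-NOTIFICATION log line
UPDATE_HEX = (
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"  # 16-byte marker
    "0050" "02"                         # length 80, type 2 (UPDATE)
    "0000"                              # withdrawn routes length 0
    "0035"                              # total path attribute length 53
    "40010102"                          # ORIGIN: incomplete
    "40020C02053D25211489F85BA05BA0"    # AS_PATH: AS_SEQUENCE of five 2-byte ASNs
    "400304C1EF2002"                    # NEXT_HOP 193.239.32.2
    "E01118"                            # AS4_PATH: flags 0xE0 (optional, transitive, partial), len 24
    "03030000FE140000FE180000FE26"      #   AS_CONFED_SEQUENCE 65044 65048 65062 (invalid here)
    "02020003001500005BA0"              #   AS_SEQUENCE 196629 (3.21) 23456
    "175BCFDA"                          # NLRI 91.207.218.0/23
)
UPDATE_BYTES = bytes.fromhex(UPDATE_HEX)


def asdot(asn):
    """Render a 4-byte ASN the way the IOS log prints it (3.21 for 196629)."""
    return "%d.%d" % (asn >> 16, asn & 0xFFFF) if asn > 0xFFFF else str(asn)


def parse_segments(data, asn_size):
    """Decode path segments; asn_size is 2 for AS_PATH and 4 for AS4_PATH."""
    segments, pos = [], 0
    while pos < len(data):
        seg_type, count = data[pos], data[pos + 1]
        pos += 2
        width = count * asn_size
        if pos + width > len(data):
            raise ValueError("truncated path segment")
        fmt = ">%d%s" % (count, "H" if asn_size == 2 else "I")
        segments.append((seg_type, list(struct.unpack(fmt, data[pos:pos + width]))))
        pos += width
    return segments


def parse_update_attributes(msg):
    """Return [(flags, type_code, value)] for the path attributes of an UPDATE."""
    if len(msg) < 19 or msg[:16] != b"\xff" * 16:
        raise ValueError("bad BGP marker")
    length, msg_type = struct.unpack(">HB", msg[16:19])
    if msg_type != 2 or length != len(msg):
        raise ValueError("not a complete UPDATE message")
    pos = 19
    withdrawn_len = struct.unpack(">H", msg[pos:pos + 2])[0]
    pos += 2 + withdrawn_len
    attr_len = struct.unpack(">H", msg[pos:pos + 2])[0]
    pos += 2
    end = pos + attr_len
    attrs = []
    while pos < end:
        flags, code = msg[pos], msg[pos + 1]
        pos += 2
        if flags & 0x10:  # extended-length bit set: 2-byte length field
            alen = struct.unpack(">H", msg[pos:pos + 2])[0]
            pos += 2
        else:
            alen = msg[pos]
            pos += 1
        attrs.append((flags, code, msg[pos:pos + alen]))
        pos += alen
    return attrs


def check_as4_path(msg):
    """Apply the RFC 4893 rule: no confederation segments inside AS4_PATH.

    Returns (as_path_segments, as4_path_segments, problems); a non-empty
    problems list is what a strict implementation answers with NOTIFICATION 3/1.
    """
    as_path, as4_path, problems = [], [], []
    for flags, code, value in parse_update_attributes(msg):
        if code == ATTR_AS_PATH:
            as_path = parse_segments(value, 2)
        elif code == ATTR_AS4_PATH:
            as4_path = parse_segments(value, 4)
            for seg_type, asns in as4_path:
                if seg_type in (AS_CONFED_SEQUENCE, AS_CONFED_SET):
                    problems.append("%s %s in AS4_PATH" % (SEGMENT_NAMES[seg_type], asns))
    return as_path, as4_path, problems


def format_segments(segments):
    """Print segments IOS-style: confederation sequences in parentheses."""
    out = []
    for seg_type, asns in segments:
        text = " ".join(asdot(a) for a in asns)
        out.append("(%s)" % text if seg_type == AS_CONFED_SEQUENCE else text)
    return " ".join(out)


if __name__ == "__main__":
    as_path, as4_path, problems = check_as4_path(UPDATE_BYTES)
    print("AS_PATH :", format_segments(as_path))
    print("AS4_PATH:", format_segments(as4_path))
    for p in problems:
        print("malformed:", p)
```

Run stand-alone it prints the AS_PATH as 15653 8468 35320 23456 23456 and the AS4_PATH as (65044 65048 65062) 3.21 23456, the same path the %BGP-6-ASPATH log line reports, and flags the AS_CONFED_SEQUENCE. The strict reaction the advisory describes is a NOTIFICATION 3/1 and session reset; the later revised error handling in RFC 7606 instead prescribes discarding a malformed AS4_PATH attribute, which avoids the out-of-proportion teardown the advisory's impact section describes.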
From chloekcy2000 at yahoo.ca Fri Jan 16 09:14:27 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 16 Jan 2009 09:14:27 -0500 (EST)
Subject: [c-nsp] 2900 verify flash
Message-ID: <112646.79028.qm@web57416.mail.re1.yahoo.com>

Hi

1/ How can I verify in 2900 and it is different from other?

In router, I can use verify

  router#verify ?
    /md5   Compute an md5 signature for a file
    slot0: File to be verified

====================

  2900#verify / ?
  % Unrecognized command

It is only showing.

  2900#verify flash:c2900XL-c3h2s-mz.120-5.WC3b.bin
  Verified flash:c2900XL-c3h2s-mz.120-5.WC3b.bin

but I can not check this file after backup in tftp server is in good condition by md5sum

2/ How can I check the IOS different? It makes things very difficult for me to handle

Thank you

From steve.mcnamara at gmail.com Fri Jan 16 09:25:50 2009
From: steve.mcnamara at gmail.com (Steve McNamara)
Date: Fri, 16 Jan 2009 14:25:50 +0000
Subject: [c-nsp] 2900 verify flash
In-Reply-To: <112646.79028.qm@web57416.mail.re1.yahoo.com>
References: <112646.79028.qm@web57416.mail.re1.yahoo.com>
Message-ID: <494a4f80901160625l21797d55g98fe044ca1415609@mail.gmail.com>

Hi Chloe,

You could copy the file back to the tftp server and then compare the md5sum's of the two files. If there is a difference you wouldn't be able to tell if the IOS on the 2900 is the problem or if it was corrupted on the way back :-)

Steve

From cchurc05 at harris.com Fri Jan 16 09:48:10 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 16 Jan 2009 08:48:10 -0600
Subject: [c-nsp] 2900 verify flash
In-Reply-To: <112646.79028.qm@web57416.mail.re1.yahoo.com>
References: <112646.79028.qm@web57416.mail.re1.yahoo.com>
Message-ID:

Did you actually type out '/md5' in the command, rather than just trying '/'? I've seen some abbreviated commands not work, even if they are unique. On the other hand, I've seen some work that aren't unique.

Chuck

From chloekcy2000 at yahoo.ca Fri Jan 16 11:43:59 2009
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 16 Jan 2009 11:43:59 -0500 (EST)
Subject: [c-nsp] 2900 verify flash
In-Reply-To:
Message-ID: <476912.49664.qm@web57414.mail.re1.yahoo.com>

no luck!

  2900#verify /md5 flash:c2900XL-c3h2s-mz.120-5.WC3b.bin
               ^
  % Invalid input detected at '^' marker.

  2900#

From lmeade at signal.ca Fri Jan 16 12:13:36 2009
From: lmeade at signal.ca (Leslie Meade)
Date: Fri, 16 Jan 2009 09:13:36 -0800
Subject: [c-nsp] QOS VLAN
In-Reply-To: <20090116085954.L86034@k3.vol.cz>
References: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB089@xmb-ams-333.emea.cisco.com> <20090116085954.L86034@k3.vol.cz>
Message-ID:

Hmmm I still could not get it to work. But I got it to go on the ASA's

Thanks for the help

-----Original Message-----
From: Marek Tyban [mailto:mt at vol.cz]
Sent: Friday, January 16, 2009 12:08 AM
To: Leslie Meade
Cc: cisco-nsp
Subject: Re: [c-nsp] QOS VLAN

Hello Leslie,

to accomplish this you need to enable vlan based QoS (mls qos vlan-based).

m.

On Thu, 15 Jan 2009, Leslie Meade wrote:

> I have a 6509e with a sup 32, and I want to control how much bandwidth
> is available to each vlan. My uploading is working fine but I do not
> understand why my users on this vlan or any vlan still pull down
> lots of data. I have been told that I cannot do this because the
> equipment is not suited to my needs.
>
> This is what I have
>
> policy-map 4_Mb_Internet
>  class class-default
>   police cir 4194000 bc 491515 be 491515 conform-action transmit exceed-action drop violate-action drop
>
> interface Vlan4
>  description 2012 Camera Feed
>  ip address 10.1.4.2 255.255.255.0
>  ip access-group Productions in
>  ip helper-address 10.1.6.10
>  no ip redirects
>  no ip unreachables
>  ip flow ingress
>  ip route-cache flow
>  no ip mroute-cache
>  mls netflow sampling
>  standby 15 ip 10.1.4.1
>  standby 15 priority 250
>  standby 15 preempt
>  service-policy input 4_Mb_Internet
>  service-policy output 4_Mb_Internet
>
> Any one point me in the right direction
>
> Leslie

From cchurc05 at harris.com Fri Jan 16 12:25:28 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 16 Jan 2009 11:25:28 -0600
Subject: [c-nsp] 2900 verify flash
In-Reply-To: <476912.49664.qm@web57414.mail.re1.yahoo.com>
References: <476912.49664.qm@web57414.mail.re1.yahoo.com>
Message-ID:

Yeah, I've seen some switch IOS do that too, even recent ones. It claims it supports MD5, but then gives an error. If you allow the switch to serve the file via TFTP, you may be able to verify it via TFTP, something like 'verify /md5 tftp://2.2.2.2/c2900XL-....bin', from a router or switch that supports verify with MD5 correctly. It's a pain, but can't think of any better way.

Chuck

From tvarriale at comcast.net Fri Jan 16 12:31:19 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 16 Jan 2009 11:31:19 -0600
Subject: [c-nsp] Per packet load balancing with low latency
References: <79AF0C3901752A49881FE4CB31F7AA4001280256@abn-borg2.NETABN.LOCAL>
Message-ID:

If you make a policy to only turn it off in certain locations, I could certainly see how it would potentially cause issues. MLPPP or not...

Saying you don't need PMTU discovery is not really a good policy to have at a high level regardless of internal or external. But, it's your network you can run it as you wish.
I would hope that you would not recommend doing that to others though as it may cause others problems...especially if they don't understand the ramifications.

tv

----- Original Message -----
From: "Michael Malitsky"
To:
Sent: Thursday, January 15, 2009 5:24 PM
Subject: Re: [c-nsp] Per packet load balancing with low latency

> PMTUD is certainly not the panacea it's made out to be. It doesn't work
> more often than not (yes, due to some device in the path not supporting
> it). Given the questionable usefulness, I still support it on
> Internet-facing links. However, private infrastructure, where MLPPP is
> frequently used, is far more deterministic and usually does not require
> PMTUD. BCP says if you don't need it, turn it off. Besides,
> considering that MLPPP is often a low-budget solution (as opposed to a
> larger link), procuring additional security product may not be in the
> cards either (even if technologically possible).
>
> The above is my experience.
>
> Sincerely,
> Michael Malitsky
>
>> Date: Thu, 15 Jan 2009 14:10:48 -0600
>> From: "Tony Varriale"
>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>> To:
>> Message-ID: <77D9873D48BA45DDAB65A10B747106D9 at flamdt01>
>> Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
>>
>> Unfortunately, not everything Cisco recommends translates well into
>> real world implementations.
>>
>> Feel free to read RFC 1191. That should explain everything. BCP says
>> don't turn off for this reason.
>>
>> As for the security aspect, there have been a few vulnerabilities that
>> were not really exploited and then fixed. The pros of leaving this on far
>> outweigh any potential, never really attacked, security issue.
>>
>> And, if you do get seriously attacked by this method somehow, there are
>> products on the market that can effectively mitigate it (as well as
>> many others).
>>
>> tv
>>
>> ----- Original Message -----
>> From: "Michael Malitsky"
>> To:
>> Sent: Thursday, January 15, 2009 1:42 PM
>> Subject: Re: [c-nsp] Per packet load balancing with low latency
>>
>> > Tony,
>> >
>> > I'll agree with the comments on uRPF and queuing - you should know
>> > why you want these changes before making them.
>> >
>> > However, disabling IP Unreachables is now one of the baseline
>> > measures for infrastructure protection, and recommended as such by Cisco.
>> > I'll agree in advance that there may be situations where IP unreachables
>> > are desired, or situations where infrastructure protection is not
>> > important, but by and large disabling it seems to be a good step. If you
>> > disagree, I'd appreciate an explanation.
>> >
>> > Sincerely,
>> > Michael Malitsky

From tvarriale at comcast.net Fri Jan 16 12:32:41 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 16 Jan 2009 11:32:41 -0600
Subject: [c-nsp] Per packet load balancing with low latency applications
References: <884322.76675.qm@web54007.mail.re2.yahoo.com> <1232048421.7153.15.camel@mauritzlewies> <7D0B2A5AB2E546CDA378B9EF6CE2D232@flamdt01> <1232053159.7153.61.camel@mauritzlewies> <70B7A1CCBFA5C649BD562B6D9F7ED78406B36CDF@xmb-ams-333.emea.cisco.com>
Message-ID: <10C3CA75776140A2ADC04C616B28A185@flamdt01>

Thanks for your reply. I would agree with you and I've never had an issue with it regarding voice or normal data.

tv

----- Original Message -----
From: "Oliver Boehmer (oboehmer)"
To: ;
Sent: Friday, January 16, 2009 1:12 AM
Subject: Re: [c-nsp] Per packet load balancing with low latency applications

> Nope. even if the sender doesn't fragment packets, the receiver will
> still make sure packets are put into the correct order (MLPPP considers
> all frames being "fragments" and numbers them accordingly).
> I think disabling fragmentation can lead to slightly increased latency
> (and possibly jitter), for example when a 1500 byte and a 40 byte
> packet are sent in this sequence, and the receiver needs to wait for
> the 1500 byte packet to arrive completely before forwarding the small
> packet..
> I wouldn't consider MLPPP as being especially CPU-hungry these days..
>
> oli
>
> Mauritz Lewies <> wrote on Thursday, January 15, 2009 21:59:
>
>> But then you might as well use per-packet load balancing...
>>
>> On Thu, 2009-01-15 at 14:37 -0600, Tony Varriale wrote:
>>
>>> Turn off fragmentation. You'll see your CPU drop way down.
>>>
>>> tv
>>> ----- Original Message -----
>>> From: "Andrew Jimmy"
>>> To: ;
>>> Sent: Thursday, January 15, 2009 2:02 PM
>>> Subject: Re: [c-nsp] Per packet load balancing with low latency applications
>>>
>>>> I'm using MLPPP along with CRTP on Juniper routers (using AS PIC),
>>>> and it is working like a charm... yea true MLPPP stuff is
>>>> complicated on Cisco devices which is CPU hungry ...
>>>>
>>>> -----Original Message-----
>>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mauritz Lewies
>>>> Sent: Friday, January 16, 2009 12:40 AM
>>>> To: cisco-nsp at puck.nether.net
>>>> Subject: Re: [c-nsp] Per packet load balancing with low latency applications
>>>>
>>>> Hi
>>>>
>>>> Out of personal experience MLPPP sounds great in theory and
>>>> technically should be a viable solution. However, Cisco has never
>>>> really been able to deliver a bug free MLPPP implementation...
>>>>
>>>> We have had situations of per-packet, moving to MLPPP, going back to
>>>> per-session and eventually having to aggregate into larger single
>>>> links. IOS has just never really worked with MLPPP and I strongly
>>>> advise against.
>>>>
>>>> On Thu, 2009-01-15 at 08:08 -0800, Yan Filyurin wrote:
>>>>
>>>>> Look for ways to aggregate multiple physical circuits into one
>>>>> logical that has a native way to load balance and still ensure that packets
>>>>> are not out of sequence like MLPPP or MLFR since they have their
>>>>> own sequencing that prevents out of order arrival, not to mention a
>>>>> bunch of things like fragmentation and interleaving that is great
>>>>> for voice. As far as market data application goes, is it by any
>>>>> chance multicast and UDP, which could potentially make it subject
>>>>> to the same constraints as voice. You could always do all kinds of
>>>>> things to influence various types of traffic going over just a
>>>>> single link with redundancy and all or just do per destination. I
>>>>> would vote for MLPPP.
>>>>>
>>>>> Like the previous email said, you can use L3 technologies such as
>>>>> tunneling with sequence datagrams, but all it will do is drop
>>>>> packets that are out of order, thus moving the problem further from
>>>>> the application, but still creating it. I've only read about it. I
>>>>> am sure everyone here will vote for MLPPP.
>>>>>
>>>>> Yan
>>>>>
>>>>> ________________________________
>>>>> From: William
>>>>> To: Brad Hedlund
>>>>> Cc: "cisco-nsp at puck.nether.net"
>>>>> Sent: Thursday, January 15, 2009 10:16:56 AM
>>>>> Subject: Re: [c-nsp] Per packet load balancing with low latency applications
>>>>>
>>>>> Hi Brad,
>>>>>
>>>>> Thanks for your input.
>>>>>
>>>>> Is there anything else I can use to achieve my goal? I'm pretty
>>>>> sure getting a bigger circuit will be a last resort.
>>>>>
>>>>> Regards,
>>>>>
>>>>> W
>>>>>
>>>>> 2009/1/15 Brad Hedlund :
>>>>>> On 1/15/09 6:25 AM, "William" wrote:
>>>>>>
>>>>>>> My question is what would cause the packets to arrive out of
>>>>>>> sequence?
>>>>>>
>>>>>> Path #1 might have a little more congestion than Path #2, which
>>>>>> would cause Packet #1 sent down Path #1 to sit in a buffer an
>>>>>> extra millisecond or two than Packet #2 sent down Path #2 with no
>>>>>> congestion. This results in Packet #2 arriving at the
>>>>>> destination before Packet #1. The result of this being poor
>>>>>> application performance.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Brad Hedlund
>>>>>> bhedlund at cisco.com
>>>>>> http://www.internetworkexpert.org

From eric at atlantech.net Fri Jan 16 12:48:42 2009
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 16 Jan 2009 12:48:42 -0500
Subject: [c-nsp] Input error from Cisco Switch and Juniper Router
In-Reply-To: <938836.32031.qm@web110112.mail.gq1.yahoo.com>
References: <938836.32031.qm@web110112.mail.gq1.yahoo.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863514034CD4@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kelvin Goei
> Sent: Thursday, January 15, 2009 11:17 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Input error from Cisco Switch and Juniper Router
>
> Hi All,
>
> We are experiencing an issue with connectivity between Cisco Switch to
> Juniper Router. We are seeing the input error keep increasing in our Cisco
> Switch.
>

CRC errors are normally caused by a physical issue such as a bad cable, port, or light levels. You mentioned that you changed the cable on the Cisco side, what about the Juniper side? Check to make sure that the fiber connectors are clean along the entire path of the RX cable to the Cisco and that your light levels are within spec. Do you know the distance of the cable between the two?

Policed discards and L3 incompletes wouldn't cause CRC errors, but as a previous poster mentioned, you'll want to disable CDP/LLDP/STP on the Cisco side to prevent policed discards from accruing. L3 incompletes are an annoying counter on Juniper that are normally impossible to figure out without a packet sniffer, but in my experience have not been service affecting.
-evt

From tvarriale at comcast.net Fri Jan 16 12:45:28 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 16 Jan 2009 11:45:28 -0600
Subject: [c-nsp] Per packet load balancing with low latency applications
References: <884322.76675.qm@web54007.mail.re2.yahoo.com> <1232048421.7153.15.camel@mauritzlewies> <7D0B2A5AB2E546CDA378B9EF6CE2D232@flamdt01> <1232053159.7153.61.camel@mauritzlewies> <70B7A1CCBFA5C649BD562B6D9F7ED78406B36CDF@xmb-ams-333.emea.cisco.com>

I should have been more detailed. I agree with you regarding the fragmentation. To ensure minimal jitter and to bypass the serialization delay, some sort of QoS should be implemented to ensure the voice traffic goes first onto the bundle.

As a somewhat related note, the 7200s have newer DS3 cards that offload the MLPPP overhead directly to the cards instead of using the main CPU.

tv

----- Original Message -----
From: "Oliver Boehmer (oboehmer)"
To: ;
Sent: Friday, January 16, 2009 1:12 AM
Subject: Re: [c-nsp] Per packet load balancing with low latency applications

> Nope. Even if the sender doesn't fragment packets, the receiver will still make sure packets are put into the correct order (MLPPP considers all frames being "fragments" and numbers them accordingly).
> I think disabling fragmentation can lead to slightly increased latency (and possibly jitter), for example when a 1500 byte and a 40 byte packet are sent in this sequence, and the receiver needs to wait for the 1500 byte packet to arrive completely before forwarding the small packet..
> I wouldn't consider MLPPP as being especially CPU-hungry these days..
>
> oli
>
> Mauritz Lewies <> wrote on Thursday, January 15, 2009 21:59:
>
>> But then you might as well use per-packet load balancing...
>>
>> On Thu, 2009-01-15 at 14:37 -0600, Tony Varriale wrote:
>>
>>> Turn off fragmentation. You'll see your CPU drop way down.
>>>
>>> tv
>>> ----- Original Message -----
>>> From: "Andrew Jimmy"
>>> To: ;
>>> Sent: Thursday, January 15, 2009 2:02 PM
>>> Subject: Re: [c-nsp] Per packet load balancing with low latency applications
>>>
>>>> I'm using MLPPP along with CRTP on Juniper routers (using AS PIC), and it is working like a charm... yea true MLPPP stuff is complicated on Cisco devices which is CPU hungry ...
>>>>
>>>> -----Original Message-----
>>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mauritz Lewies
>>>> Sent: Friday, January 16, 2009 12:40 AM
>>>> To: cisco-nsp at puck.nether.net
>>>> Subject: Re: [c-nsp] Per packet load balancing with low latency applications
>>>>
>>>> Hi
>>>>
>>>> Out of personal experience MLPPP sounds great in theory and technically should be a viable solution. However, Cisco has never really been able to deliver a bug free MLPPP implementation...
>>>>
>>>> We have had situations of per-packet, moving to MLPPP, going back to per-session and eventually having to aggregate into larger single links. IOS has just never really worked with MLPPP and I strongly advise against it.
>>>>
>>>> On Thu, 2009-01-15 at 08:08 -0800, Yan Filyurin wrote:
>>>>
>>>>> Look for ways to aggregate multiple physical circuits into one logical that has a native way to load balance and still ensure that packets are not out of sequence like MLPPP or MLFR since they have their own sequencing that prevents out of order arrival, not to mention a bunch of things like fragmentation and interleaving that is great for voice. As far as market data application goes, is it by any chance multicast and UDP, which could potentially make it subject to the same constraints as voice. You could always do all kinds of things to influence various types of traffic going over just a single link with redundancy and all or just do per destination. I would vote for MLPPP.
>>>>>
>>>>> Like the previous email said, you can use L3 technologies such as tunneling with sequence datagrams, but all it will do is drop packets that are out of order, thus moving the problem further from the application, but still creating it. I've only read about it. I am sure everyone here will vote for MLPPP.
>>>>>
>>>>> Yan
>>>>>
>>>>> ________________________________
>>>>> From: William
>>>>> To: Brad Hedlund
>>>>> Cc: "cisco-nsp at puck.nether.net"
>>>>> Sent: Thursday, January 15, 2009 10:16:56 AM
>>>>> Subject: Re: [c-nsp] Per packet load balancing with low latency applications
>>>>>
>>>>> Hi Brad,
>>>>>
>>>>> Thanks for your input.
>>>>>
>>>>> Is there anything else I can use to achieve my goal? I'm pretty sure getting a bigger circuit will be a last resort.
>>>>>
>>>>> Regards,
>>>>>
>>>>> W
>>>>>
>>>>> 2009/1/15 Brad Hedlund :
>>>>>> On 1/15/09 6:25 AM, "William" wrote:
>>>>>>
>>>>>>> My question is what would cause the packets to arrive out of sequence?
>>>>>>
>>>>>> Path #1 might have a little more congestion than Path #2, which would cause Packet #1 sent down Path #1 to sit in a buffer an extra millisecond or two longer than Packet #2 sent down Path #2 with no congestion. This results in Packet #2 arriving at the destination before Packet #1. The result of this being poor application performance.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Brad Hedlund
>>>>>> bhedlund at cisco.com
>>>>>> http://www.internetworkexpert.org

From bob at tink.com Fri Jan 16 11:34:45 2009
From: bob at tink.com (Bob Tinkelman)
Date: Fri, 16 Jan 2009 11:34:45 -0500 (EST)
Subject: [c-nsp] Forcing dhcp lease renewal
Message-ID: <01N4D2ZCJDPG9AWLEI@queens.tink.com>

For a cisco router with an interface
like this:

    interface FastEthernet0/1
     description Verizon EVDO via Cradlepoint CBA250
     ip address dhcp

I'm looking for a way to force the router to issue a dhcp lease renewal request.

I can do this manually, for example via

    config term
    int fa0/1
    shut
    no shut
    exit

but I'm looking for a way to trigger this automatically.

(Or possibly I'm trying to solve a problem in the wrong way.)

Background:

We have a good many customers with T1 or multi-T1 service, and with fall-back routing configured over a "cheap path", typically a dynamic-ip cable-modem service or dsl. Our configs use a combination of gre-tunnels (to preserve customer-site address ranges) and sometimes object tracking and policy routing (often to direct web requests to a higher-speed cable-modem service in cases where NATing is acceptable). We've been doing this for a good while and have a set of configs that provide pretty solid service.

I have been testing, in a lab environment, a configuration to do the same thing with Verizon's EVDO service using a Cradlepoint CBA250 (Cellular Broadband Adapter). It's not a router; just a "pass-through device".

The same configuration that we use with dynamic-ip cable-modems works. However, several times/day, things "break".

Output of "show interface", "show dhcp lease", etc., shows that the cisco router doesn't think anything's changed. The interface has the same dhcp-assigned ip address and default gateway. But the default gateway is no longer pingable.

Doing a "clear int Fa0/1" doesn't help. A "shut" and "no shut" will cause the router to issue a new dhcp request, get a new (and different) ip address and gateway, and start working again.

My current working hypothesis is that the EVDO link between the CBA250 and Verizon was interrupted, possibly very briefly, that Verizon noticed and invalidated the dhcp lease, but that no indication of this reached the router.

It's a weak hypothesis. I'm bothered by the fact we've never seen this problem with similar cable-modem setups, e.g., with Time Warner and with Cablevision. I've sent email to support at cradlepoint.com even though I really don't see how their equipment could be involved.

I could use object tracking to discover when the link over EVDO stops working. But I'm not sure what to do with that info. Is there a way to force a new dhcp request to go out based on object tracking? (To date, I've used object tracking mostly to enable/disable specific ip route commands.)

I have the strong feeling that I'm trying to solve this in the wrong way, and that if I really understood what was going wrong, I'd be working in a different direction.

So, any hints would be much appreciated

- Bob

From luan at netcraftsmen.net Fri Jan 16 14:12:08 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Fri, 16 Jan 2009 14:12:08 -0500
Subject: [c-nsp] Forcing dhcp lease renewal
In-Reply-To: <01N4D2ZCJDPG9AWLEI@queens.tink.com>
References: <01N4D2ZCJDPG9AWLEI@queens.tink.com>
Message-ID: <00a501c9780e$538d8a70$faa89f50$@net>

Things point to Cradlepoint, don't they? I've used Digi ConnectPort with lots of success. Or go with the 3G-Wireless HWIC card or ask VzW for a static IP address. The last thing would be to use object tracking in conjunction with EEM to solve your problem.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] luan at netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bob Tinkelman
Sent: Friday, January 16, 2009 11:35 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Forcing dhcp lease renewal

[...]

From hazzarola at hotmail.com Fri Jan 16 14:53:07 2009
From: hazzarola at hotmail.com (Marco)
Date: Fri, 16 Jan 2009 20:53:07 +0100
Subject: [c-nsp] MPLS Overlapping VPN problem (lab simulation)

Hi,

I'm studying for the MPLS exam and I wanted to create a small lab to recreate a scenario with overlapping MPLS-VPNs to get some practice. I took this example from the e-course I'm studying (Knowledgenet), but I'm not able to recreate it.

I created the following physical topology:

    ACentral-\            /---BCentral
    SiteB2----Pe1--P--Pe2----SiteA2
    SiteA1---/            \---SiteB1

The traffic flow should be like this:

    SiteA1---\                         /----SiteB1
              |---ACentral--BCentral---|
    SiteA2---/                         \----SiteB2

Notes:
- Customer A should see all networks of customer B and vice versa
- Each customer site cannot communicate directly with the other customer's sites. This means that all traffic between customers must pass through the Central sites (A and B) for security reasons.
- There are no restrictions for the intranet traffic.

To accomplish those requirements, I created these VRFs on Pe1 (the configuration on Pe2 is mirrored):

    ip vrf A
     rd 1:1
     route-target export 1:1
     route-target import 1:1
    !
    ip vrf AC                    ! ip vrf BC (on Pe2)
     rd 1:123                    ! rd 2:123 (on Pe2)
     route-target export 1:1     ! 2:2 on Pe2
     route-target export 3:100   ! same on Pe2
     route-target import 1:1     ! 2:2 on Pe2
     route-target import 3:100   ! same on Pe2
    !
    ip vrf B
     rd 2:2
     route-target export 2:2
     route-target import 2:2

I expected that both PEs' VRFs (AC and BC) would be able to reach every network of the other customer, but probably something is missing in the configuration. The problem is that VRF B on Pe2 exports its routes to VRF BC and B1, but VRF BC does not export (with RT 3:100) the received routes to VRF AC and vice versa.

Do you think it is possible to meet the data flow requirements using this topology? Have you ever seen something like this implemented? In my opinion it is not possible.

Hope to receive your comments. Thanks in advance.

Marco

From achatz at forthnet.gr Fri Jan 16 15:14:18 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 16 Jan 2009 22:14:18 +0200
Subject: [c-nsp] Forcing dhcp lease renewal
In-Reply-To: <00a501c9780e$538d8a70$faa89f50$@net>
References: <01N4D2ZCJDPG9AWLEI@queens.tink.com> <00a501c9780e$538d8a70$faa89f50$@net>
Message-ID: <4970EA9A.6020705@forthnet.gr>

In the latest IOS you can use "release dhcp intX" in order to force an immediate release of the DHCP lease. You can also use "renew dhcp intX" if you want to renew the dhcp lease, like in your case.

--
Tassos

Luan Nguyen wrote on 16/01/2009 21:12:
> Things point to Cradlepoint, don't they? I've used Digi ConnectPort with lots of success.
> Or go with the 3G-Wireless HWIC card or ask VzW for a static IP address.
> The last thing would be to use object tracking in conjunction with EEM to solve your problem.
>
> [...]

From vijay.ramcharan at verizonbusiness.com Fri Jan 16 15:05:48 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 16 Jan 2009 20:05:48 +0000
Subject: [c-nsp] Dual Homing and NAT via route-maps
In-Reply-To: <20090109172254.GO8455@rtp-cse-489.cisco.com>
References: <91dee5fc0901090826x7fea8d5aw39793abd7ae9bff0@mail.gmail.com> <20090109172254.GO8455@rtp-cse-489.cisco.com>

I ran into similar issues a long time ago when trying to NAT overload an interface. The solution is to create a NAT pool with that single outside interface IP address and overload on the NAT pool. I can remember at least two instances in the past which have successfully enabled me to reach the router via the outside interface even though it was the outside interface and its IP address was being used as the PAT address.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rodney Dunn
Sent: Friday, January 09, 2009 12:23
To: Jeremy Parr
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Dual Homing and NAT via route-maps

Get 'debug ip nat detailed' when you try to do the SSH. I bet it's one of those "denying locally generated packets" from being NAT'ed on the way back out issues.

Try putting a deny in the route-map instance referencing an ACL that blocks any packets with a src ip of the outside interface addresses. Or explicitly match the ip inside subnet and deny all others.
Rodney

On Fri, Jan 09, 2009 at 11:26:23AM -0500, Jeremy Parr wrote:
> One can multi-home a router via object tracking, this works just fine. When NAT is added to the mix, things seem to get ugly and broken. The "ip nat inside" statement isn't applied with an access list as the argument, but rather a route-map. As soon as the ip nat statement is in use, the router can no longer be sshed to, or telneted to on either external interface. Port forwards to internal hosts continue to work. Below is an example config. If the line "ip nat inside source route-map BGC interface FastEthernet0 overload" is removed, or the line "route-map BGC permit 10", I am able to telnet/ssh to the router. Any ideas? I have tested this on various IOS revisions, currently running bleeding edge 12.4(11)XW9, but the latest in the T train behaves the same.
>
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Router
> !
> boot-start-marker
> boot-end-marker
> !
> no aaa new-model
> !
> ip cef
> !
> multilink bundle-name authenticated
> !
> archive
>  log config
>   hidekeys
> !
> track 1 rtr 1 reachability
> !
> interface FastEthernet0
>  ip address 172.16.10.99 255.255.255.0
>  ip nat outside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
> !
> interface FastEthernet1
>  ip address 1.1.1.2 255.255.255.0
>  ip nat outside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
> !
> interface FastEthernet2
> !
> interface FastEthernet3
>  shutdown
> !
> interface FastEthernet4
> !
> interface FastEthernet5
>  shutdown
> !
> interface FastEthernet6
>  shutdown
> !
> interface FastEthernet7
>  shutdown
> !
> interface FastEthernet8
>  shutdown
> !
> interface FastEthernet9
>  shutdown
> !
> interface Dot11Radio0
>  no ip address
>  shutdown
>  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
>  station-role root
> !
> interface Dot11Radio1
>  no ip address
>  shutdown
>  speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
>  station-role root
> !
> interface Vlan1
>  no ip address
>  ip nat inside
>  ip virtual-reassembly
> !
> interface Async1
>  no ip address
>  encapsulation slip
> !
> router eigrp 1
>  network 192.168.1.0
>  auto-summary
> !
> ip route 0.0.0.0 0.0.0.0 172.16.10.1 track 1
> ip route 0.0.0.0 0.0.0.0 1.1.1.1 254
> !
> no ip http server
> no ip http secure-server
> ip nat inside source route-map BGC interface FastEthernet0 overload
> ip nat inside source route-map Backup interface FastEthernet1 overload
> !
> ip sla 1
>  icmp-echo 172.16.10.1
>  timeout 1000
>  threshold 2
>  frequency 3
> ip sla schedule 1 life forever start-time now
> !
> route-map Backup permit 10
>  match interface FastEthernet1
> !
> route-map BGC permit 10
>  match interface FastEthernet0
> !
> control-plane
> !
> line con 0
> line 1
>  modem InOut
>  stopbits 1
>  speed 115200
>  flowcontrol hardware
> line aux 0
> line vty 0 4
>  password beans
>  login
> !
> webvpn cef
> end

From oboehmer at cisco.com Sat Jan 17 03:19:05 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 17 Jan 2009 09:19:05 +0100
Subject: [c-nsp] MPLS Overlapping VPN problem (lab simulation)
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406B3731A@xmb-ams-333.emea.cisco.com>

Marco <> wrote on Friday, January 16, 2009 20:53:
> Hi,
> I'm studying for the MPLS exam and I wanted to create a small lab to recreate a scenario with overlapping MPLS-VPNs to get some practice. I took this example from the e-course I'm studying (Knowledgenet), but I'm not able to recreate it.
>
> [...]
>
> Notes:
> - Customer A should see all networks of customer B and vice versa
> - Each customer site cannot communicate directly with the other customer's sites. This means that all traffic between customers must pass through the Central sites (A and B) for security reasons.
> - There are no restrictions for the intranet traffic.
>
> To accomplish those requirements, I created these VRFs on Pe1 (the configuration on Pe2 is mirrored):
>
>  ip vrf A
>   rd 1:1
>   route-target export 1:1
>   route-target import 1:1
>  !
>  ip vrf AC                    ! ip vrf BC (on Pe2)
>   rd 1:123                    ! rd 2:123 (on Pe2)
>   route-target export 1:1     ! 2:2 on Pe2
>   route-target export 3:100   ! same on Pe2
>   route-target import 1:1     ! 2:2 on Pe2
>   route-target import 3:100   ! same on Pe2
>  !
>  ip vrf B
>   rd 2:2
>   route-target export 2:2
>   route-target import 2:2
>
> I expected that both PEs' VRFs (AC and BC) would be able to reach every network of the other customer, but probably something is missing in the configuration.
> The problem is that VRF B on Pe2 exports its routes to VRF BC and B1, but VRF BC does not export (with RT 3:100) the received routes to VRF AC and vice versa.

This is expected. Routes imported into a VRF x are not exported by this VRF to other VRFs, so a bit like BGP's rule where routes received from an iBGP speaker are not advertised to other iBGP speakers. So you cannot "loop back" the traffic on the PE itself.

Not sure if you can implement this with RT import/export on the PE alone; you could multihome the CE devices for AC/BC and create a second VRF linking the two hub sites, and force the traffic via the CE devices (you could play tricks with loopback cables on the PE as well, but you want to insert a FW/security device somewhere, for example on the CE)

    CE-AC === PE1 .... PE2 === CE-BC

PE1:

    ip vrf A
     route-target both 1:1
    !
    ip vrf B
     route-target both 2:2
    !
    ip vrf AC-BC
     route-target both 3:3
    !
    int eth0/0
     description To AC hub site
    int ethernet0/0.10
     ip vrf forwarding A
    int eth0/0.20
     ip vrf forwarding AC-BC

and you create a routing setup on the CE where CE-AC will advertise the routes received from one sub-interface to the other one and vice versa, so it's the CE creating the interconnect.

Not sure if there are other options and I haven't had enough coffee to see those :)

oli

From hazzarola at hotmail.com Sat Jan 17 04:27:18 2009
From: hazzarola at hotmail.com (Marco)
Date: Sat, 17 Jan 2009 10:27:18 +0100
Subject: [c-nsp] MPLS Overlapping VPN problem (lab simulation)
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406B3731A@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406B3731A@xmb-ams-333.emea.cisco.com>

----------------------------------------
> Marco <> wrote on Friday, January 16, 2009 20:53:
>
> This is expected. Routes imported into a VRF x are not exported by this VRF to other VRFs, so a bit like BGP's rule where routes received from an iBGP speaker are not advertised to other iBGP speakers. So you cannot "loop back" the traffic on the PE itself.
> [...]
> oli

Ok, I have just realized I completely misunderstood the data flow diagram. I thought that if A-central is in a VPN with B-central and B-central is in a VPN with its remote sites, then A-central should reach B-central and, via B-central, ALL its sites (A sites). WRONG!

A-central (vrf AC) sees only B-central (vrf BC) routes. A separate routing instance (vrf B) gives B-central connectivity to sites B1 and B2. Vrf-B routes are imported (RT 2:2) in vrf-BC on Pe2, but are not exported back with RT 3:100 to vrf-AC on Pe1.

So easy when you know how it works. My idea of overlapping was just too "large" :P

It's time for an espresso.

Thanks
Regards
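The rule Oliver states (a VRF re-exports only what it originates, never what it imported) and Marco's summary of why AC sees BC but not B's sites can be checked with a small model of route-target import/export. The Python below is an added illustration, not code from this thread, Cisco or any vendor: VRF names and RTs follow the two configurations quoted above, the site-to-PE placement follows Marco's topology, and the hop labels ("Pe2/BC", "CE-AC") are a constructed abstraction of the forwarding path. It also models Oliver's hub-CE design to show that inter-customer paths then run through both hub CEs.

```python
"""Model of MPLS L3VPN route-target (RT) import/export for the overlapping
VPN lab in this thread. Illustration only; VRF names, RTs and site placement
follow the configurations and topology posted by Marco and Oliver. The hop
labels in the computed paths are a constructed abstraction, not router output."""

# VRF key: (PE, VRF name). "local" = sites connected to that VRF.
# Marco's design: AC/BC carry the customer RT plus the shared RT 3:100.
MARCO = {
    ("Pe1", "A"):  {"local": ["SiteA1"],   "export": {"1:1"},          "import": {"1:1"}},
    ("Pe1", "AC"): {"local": ["ACentral"], "export": {"1:1", "3:100"}, "import": {"1:1", "3:100"}},
    ("Pe1", "B"):  {"local": ["SiteB2"],   "export": {"2:2"},          "import": {"2:2"}},
    ("Pe2", "A"):  {"local": ["SiteA2"],   "export": {"1:1"},          "import": {"1:1"}},
    ("Pe2", "BC"): {"local": ["BCentral"], "export": {"2:2", "3:100"}, "import": {"2:2", "3:100"}},
    ("Pe2", "B"):  {"local": ["SiteB1"],   "export": {"2:2"},          "import": {"2:2"}},
}

# Oliver's design: each hub stays in its customer VRF; a third VRF AC-BC
# (RT 3:3) is stitched to the customer VRF by a multihomed hub CE that
# re-advertises routes between its two sub-interfaces.
OLIVER = {
    ("Pe1", "A"):     {"local": ["SiteA1", "ACentral"], "export": {"1:1"}, "import": {"1:1"}},
    ("Pe1", "B"):     {"local": ["SiteB2"],             "export": {"2:2"}, "import": {"2:2"}},
    ("Pe1", "AC-BC"): {"local": [],                     "export": {"3:3"}, "import": {"3:3"}},
    ("Pe2", "A"):     {"local": ["SiteA2"],             "export": {"1:1"}, "import": {"1:1"}},
    ("Pe2", "B"):     {"local": ["SiteB1", "BCentral"], "export": {"2:2"}, "import": {"2:2"}},
    ("Pe2", "AC-BC"): {"local": [],                     "export": {"3:3"}, "import": {"3:3"}},
}
# (CE name, VRF on one sub-interface, VRF on the other sub-interface)
HUB_CES = [("CE-AC", ("Pe1", "A"), ("Pe1", "AC-BC")),
           ("CE-BC", ("Pe2", "B"), ("Pe2", "AC-BC"))]


def compute_tables(vrfs, ces=()):
    """Return {vrf_key: {site: path}}; path is the tuple of hops (PE/VRF or
    CE names) from the VRF to the site, () meaning directly connected.

    Rules modelled:
      * a VRF exports only what it originates (connected sites, or routes a
        hub CE re-advertises into it), tagged with its export RTs;
      * a VRF imports any originated route whose RTs intersect its import RTs;
      * imported routes are never re-exported with the importing VRF's RTs,
        which is why Marco's AC never learns B's sites through BC.
    """
    origin = {k: {s: () for s in v["local"]} for k, v in vrfs.items()}
    while True:
        tables = {}
        for key, vrf in vrfs.items():
            table = dict(origin[key])
            for okey, other in vrfs.items():
                if okey == key or not (other["export"] & vrf["import"]):
                    continue
                for site, hops in origin[okey].items():
                    table.setdefault(site, ("%s/%s" % okey,) + hops)
            tables[key] = table
        # A hub CE re-originates everything one side knows into the other side.
        changed = False
        for ce, x, y in ces:
            for src, dst in ((x, y), (y, x)):
                for site, hops in tables[src].items():
                    if site not in tables[dst]:
                        origin[dst][site] = (ce,) + hops
                        changed = True
        if not changed:
            return tables


def site_vrf(vrfs):
    return {site: key for key, v in vrfs.items() for site in v["local"]}


def path(vrfs, tables, src, dst):
    """Hops from src's VRF to dst, or None if the sites cannot talk.
    Both directions must be routed, otherwise return traffic is dropped."""
    owner = site_vrf(vrfs)
    fwd = tables[owner[src]].get(dst)
    back = tables[owner[dst]].get(src)
    return fwd if fwd is not None and back is not None else None


def can_talk(vrfs, tables, src, dst):
    return path(vrfs, tables, src, dst) is not None


if __name__ == "__main__":
    for label, design, ces in (("Marco", MARCO, ()), ("Oliver", OLIVER, HUB_CES)):
        tables = compute_tables(design, ces)
        print(label)
        for key in sorted(tables):
            print("  %s/%s knows %s" % (key[0], key[1], sorted(tables[key])))
        for src, dst in (("ACentral", "BCentral"), ("ACentral", "SiteB1"), ("SiteA1", "SiteB1")):
            print("  %s -> %s: %s" % (src, dst, path(design, tables, src, dst)))
```

In Marco's design the model reproduces the symptom exactly (AC holds ACentral, SiteA1, SiteA2 and BCentral, and nothing of B's remote sites); in Oliver's design SiteA1 reaches SiteB1 only along a path that contains both CE-AC and CE-BC, which is the hub-enforced flow the lab requires.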
http://events.live.com/?showunauth=1 From frances.cincinattus at gmail.com Sat Jan 17 14:03:22 2009 From: frances.cincinattus at gmail.com (Frances Albemuth) Date: Sat, 17 Jan 2009 11:03:22 -0800 Subject: [c-nsp] Input error from Cisco Switch and Juniper Router In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863514034CD4@exchange.aoihq.local> References: <938836.32031.qm@web110112.mail.gq1.yahoo.com> <2C05E949E19A9146AF7BDF9D44085B863514034CD4@exchange.aoihq.local> Message-ID: IIRC, the L3 incomplete counter will increment on the jnx side for dot1q tags which you haven't configured, as well. So, if the Cisco port isn't configured to limit which VIDs are allowed on the port there's a high likelihood the jnx is going to hear frames with dot1q tags which aren't configured on the interface. If this is a situation one doesn't plan to remedy in the near term one can prevent every L3 incomplete from being counted as an input error by using 'ignore-l3-incompletes' in the interface/(fastether-options|gigether-options) context. This will also cause the interface to stop counting the L3 incomplete packets themselves. I believe this knob was introduced in JunOS 9.0. -FC On Fri, Jan 16, 2009 at 9:48 AM, Eric Van Tol wrote: >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Kelvin Goei >> Sent: Thursday, January 15, 2009 11:17 PM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] Input error from Cisco Switch and Juniper Router >> >> Hi All, >> >> We are experiencing issue with connectivity between Cisco Switch to >> Juniper Router. We are seeing the input error keep increasing in our Cisco >> Switch. >> > > CRC errors are normally caused by a physical issue such as a bad cable, port, or light levels. You mentioned that you changed the cable on the Cisco side, what about the Juniper side? 
Check to make sure that the fiber connectors are clean along the entire path of the RX cable to the Cisco and that your light levels are within spec. Do you know the distance of the cable between the two? > > Policed discards and L3 incompletes wouldn't cause CRC errors, but as a previous poster mentioned, you'll want to disable CDP/LLDP/STP on the Cisco side to prevent policed discards from accruing. L3 incompletes are an annoying counter on Juniper that are normally impossible to figure out without a packet sniffer, but in my experience have not been service affecting. > > -evt > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From justin at justinshore.com Sat Jan 17 19:58:24 2009 From: justin at justinshore.com (Justin Shore) Date: Sat, 17 Jan 2009 18:58:24 -0600 Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int Message-ID: <49727EB0.9020500@justinshore.com> I'm having trouble getting EoMPLS to work from a ME3750 to a 7201. I have some signaling but the VC just won't come up. The basic layout is a switchport on the ME3750; the xconnect is in the SVI associated with that switchport on the ME3750. The ME3750's P-facing interfaces are MPLS enabled. The 7600 core is MPLS enabled. The 7201 dual-homes to both core 7600s. The 7201's interfaces are MPLS enabled. I'm trying to terminate the xconnect on a sub-int of an onboard interface that's facing a 4948. I have a laptop on the ME3750 and I'm mapping an access int on the 4948 in the correct VLAN back across another network to my office (so I don't have to sit in a noisy head-end). Here's the ME3750's relevant config: no mpls traffic-eng auto-bw timers frequency 0 mpls label protocol ldp mpls ldp graceful-restart mpls ldp router-id Loopback0 force ! vlan 130 name vlan0130.cox-ptp-EOMPLS ! 
interface FastEthernet1/0/3
 description TO Cox F.7 - 10Mbps Kan-Ed
 switchport access vlan 130
 switchport mode dot1q-tunnel
 no keepalive
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/1/1
 description TO 7613-1.clr Gi1/11
 no switchport
 ip address
 ip router isis
 mpls label protocol ldp
 mpls ip
 clns mtu 1496
 isis circuit-type level-2-only
 isis network point-to-point
 isis metric 100
 isis authentication mode md5
 isis authentication key-chain ISIS-AUTH
 isis bfd
!
interface Vlan130
 description EoMPLS VC 130 to 7201-1.clr Gi0/2.130
 no ip address
 xconnect aaa.bbb.ccc.ddd 130 encapsulation mpls

And here's the 7201's relevant config:

mpls label protocol ldp
mpls ldp graceful-restart
mpls ldp router-id Loopback0 force
!
interface GigabitEthernet0/2
 description TO 4948-1.clr Gi1/45
 mtu 9000
 no ip address
 duplex auto
 speed auto
 negotiation auto
!
interface GigabitEthernet0/2.130
 description EoMPLS TO me3750-1.dc Vl130 (Fa1/0/3) - 10Mbps PtP
 encapsulation dot1Q 130
 xconnect 10.64.0.37 130 encapsulation mpls

I'll skip the 4948 config but I'll say that vl130 is permitted on Gi1/45, it has been created and it was assigned to my test access interface. None of the other VLANs served from sub-ints are having trouble.

When I bring up the xconnect on the me3750 here's what it logs:

000181: Jan 17 18:38:31.914 CST: AToM LDP [10.64.0.43]: Sending label mapping msg
000182: Jan 17 18:38:31.914 CST: AToM LDP [10.64.0.43]: Sending label mapping msg vc type 4, cbit 0, vc id 130, group id 0, vc label 231, status 0x00000000/0x00000000, mtu 1500, peer vlan id 0 , vc handle 0x18000001

Here's what I get on the 7201 when I unshut the sub-int:

003629: Jan 17 18:39:26.401 CST: AToM LDP [10.64.0.37]: Sending label mapping msg
vc type 4, cbit 0, vc id 130, group id 0, vc label 223, status 0, mtu 9000, peer vlan id 0

Something just jumped out at me. The MTUs are different. Would that cause an issue?
Gi0/2 on the 7201 is set to 9000 because hung off of the 4948 is a set of backhaul radios that I will be doing MPLS across. The customer-facing interface on the ME3750 is set to the default 1500. Do the MTUs have to match up? I'm going to have to do some research.

Thanks
Justin

From cphillips at wbsconnect.com Sat Jan 17 20:13:02 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Sat, 17 Jan 2009 17:13:02 -0800
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <49727EB0.9020500@justinshore.com>
References: <49727EB0.9020500@justinshore.com>
Message-ID: <4972821E.4060001@wbsconnect.com>

The MTU definitely needs to be the same, in my experience. However, I am somewhat new to MPLS and am very much still in the learning process. But, that would be the first thing that I would change.

Justin Shore wrote:
> I'm having trouble getting EoMPLS to work from a ME3750 to a 7201. I
> have some signaling but the VC just won't come up. The basic layout is
> a switchport on the ME3750; the xconnect is in the SVI associated with
> that switchport on the ME3750. The ME3750's P-facing interfaces are
> MPLS enabled. The 7600 core is MPLS enabled. The 7201 dual-homes to
> both core 7600s. The 7201's interfaces are MPLS enabled. I'm trying to
> terminate the xconnect on a sub-int of an onboard interface that's
> facing a 4948. I have a laptop on the ME3750 and I'm mapping an access
> int on the 4948 in the correct VLAN back across another network to my
> office (so I don't have to sit in a noisy head-end).
>
> Here's the ME3750's relevant config:
>
> no mpls traffic-eng auto-bw timers frequency 0
> mpls label protocol ldp
> mpls ldp graceful-restart
> mpls ldp router-id Loopback0 force
> !
> vlan 130
> name vlan0130.cox-ptp-EOMPLS
> !
> interface FastEthernet1/0/3
> description TO Cox F.7 - 10Mbps Kan-Ed
> switchport access vlan 130
> switchport mode dot1q-tunnel
> no keepalive
> no cdp enable
> spanning-tree portfast
> spanning-tree bpdufilter enable
> !
> interface GigabitEthernet1/1/1
> description TO 7613-1.clr Gi1/11
> no switchport
> ip address
> ip router isis
> mpls label protocol ldp
> mpls ip
> clns mtu 1496
> isis circuit-type level-2-only
> isis network point-to-point
> isis metric 100
> isis authentication mode md5
> isis authentication key-chain ISIS-AUTH
> isis bfd
> !
> interface Vlan130
> description EoMPLS VC 130 to 7201-1.clr Gi0/2.130
> no ip address
> xconnect aaa.bbb.ccc.ddd 130 encapsulation mpls
>
>
> And here's the 7201's relevant config:
>
> mpls label protocol ldp
> mpls ldp graceful-restart
> mpls ldp router-id Loopback0 force
> !
> interface GigabitEthernet0/2
> description TO 4948-1.clr Gi1/45
> mtu 9000
> no ip address
> duplex auto
> speed auto
> negotiation auto
> !
> interface GigabitEthernet0/2.130
> description EoMPLS TO me3750-1.dc Vl130 (Fa1/0/3) - 10Mbps PtP
> encapsulation dot1Q 130
> xconnect 10.64.0.37 130 encapsulation mpls
>
>
> I'll skip the 4948 config but I'll say that vl130 is permitted on
> Gi1/45, it has been created and it was assigned to my test access
> interface. None of the other VLANs served from sub-ints are having
> trouble.
>
> When I bring up the xconnect on the me3750 here's what it logs:
>
> 000181: Jan 17 18:38:31.914 CST: AToM LDP [10.64.0.43]: Sending label
> mapping msg
> 000182: Jan 17 18:38:31.914 CST: AToM LDP [10.64.0.43]: Sending label
> mapping msg vc type 4, cbit 0, vc id 130, group id 0, vc label 231,
> status 0x00000000/0x00000000, mtu 1500, peer vlan id 0 , vc handle
> 0x18000001
>
> Here's what I get on the 7201 when I unshut the sub-int:
>
> 003629: Jan 17 18:39:26.401 CST: AToM LDP [10.64.0.37]: Sending label
> mapping msg
> vc type 4, cbit 0, vc id 130, group id 0, vc label 223, status 0, mtu
> 9000, peer vlan id 0
>
>
> Something just jumped out at me. The MTUs are different. Would that
> cause an issue? Gi0/2 on the 7201 is set to 9000 because hung off of
> the 4948 is a set of backhaul radios that I will be doing MPLS across.
> The customer-facing interface on the ME3750 is set to the default 1500.
> Do the MTUs have to match up? I'm going to have to do some research.
>
> Thanks
> Justin
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Chris Phillips

From justin at justinshore.com Sat Jan 17 20:23:04 2009
From: justin at justinshore.com (Justin Shore)
Date: Sat, 17 Jan 2009 19:23:04 -0600
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <49727EB0.9020500@justinshore.com>
References: <49727EB0.9020500@justinshore.com>
Message-ID: <49728478.3060903@justinshore.com>

Justin Shore wrote:
> I'm having trouble getting EoMPLS to work from a ME3750 to a 7201. I
> have some signaling but the VC just won't come up. The basic layout is
> a switchport on the ME3750; the xconnect is in the SVI associated with
> that switchport on the ME3750. The ME3750's P-facing interfaces are
> MPLS enabled. The 7600 core is MPLS enabled. The 7201 dual-homes to
> both core 7600s. The 7201's interfaces are MPLS enabled. I'm trying to
> terminate the xconnect on a sub-int of an onboard interface that's
> facing a 4948. I have a laptop on the ME3750 and I'm mapping an access
> int on the 4948 in the correct VLAN back across another network to my
> office (so I don't have to sit in a noisy head-end).
>
> Something just jumped out at me. The MTUs are different. Would that
> cause an issue? Gi0/2 on the 7201 is set to 9000 because hung off of
> the 4948 is a set of backhaul radios that I will be doing MPLS across.
> The customer-facing interface on the ME3750 is set to the default 1500.
> Do the MTUs have to match up? I'm going to have to do some research.

The MTU thing got me thinking (dangerous I know). I set the MTU on Gi0/2 on 7201 back to 1500 and the VC immediately came up and passed traffic.
The MTU on the sub-int of the 7201 can't be set separately from the physical interface's MTU:

% Non-TRISL encapsulated sub-interface GigabitEthernet0/2.130 does not support user settable mtu.

MPLS MTU on the sub-int or physical interface doesn't appear to affect EoMPLS VCs either. Is there a way to change the MTU on the sub-int to allow the VC to come up?

Along this same train of thought, what's best practice for EoMPLS links when mixed with sub-ints? Should I strive to keep infrastructure links separate from customer links? I.e. don't put them together on the same interface even if separated by sub-ints? In this example Gi0/0 and 1 on the 7201 are what dual-home the 7201 to the 7600 core. Gi0/2 connects to the 4948. Gi0/3 is currently unused. I could also connect Gi0/3 to the 4948. In that case I could then dedicate that interface to the infrastructure link (only the radio at this point) on the 4948. Since I'm standardizing on an MTU of 9000 for infrastructure links I could keep them all on the same physical interface of the 7201. For that matter in the short-term I could also just connect the radio directly to the 7201. So what's best practice for EoMPLS on sub-ints? Had I not run into this problem this afternoon I'd have run into it next week during another new deployment. In that case I'll be on a 7206 with only 3 GigE ints but I could make it work. Thoughts?

Thanks
Justin

From justin at justinshore.com Sat Jan 17 20:41:05 2009
From: justin at justinshore.com (Justin Shore)
Date: Sat, 17 Jan 2009 19:41:05 -0600
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <4972821E.4060001@wbsconnect.com>
References: <49727EB0.9020500@justinshore.com> <4972821E.4060001@wbsconnect.com>
Message-ID: <497288B1.9040303@justinshore.com>

Chris Phillips wrote:
> The MTU definitely needs to be the same, in my experience. However, I
> am somewhat new to MPLS and am very much still in the learning process.
> But, that would be the first thing that I would change.
I'm in the same boat for L2VPNs. I have somewhat better knowledge of L3VPNs at this point. We're just now really diving into L2VPNs.

I did change the MTU and that fixed it. That presents a design issue for me which I detailed in a self-reply to the list. I'm now trying to figure out what best practice is for EoMPLS on sub-ints when the sub-int involves customer and infrastructure VLANs. The best answer may be to not mix them. Thoughts?

Thanks
Justin

From decklandv at gmail.com Sat Jan 17 21:02:43 2009
From: decklandv at gmail.com (Rado Vasilev)
Date: Sun, 18 Jan 2009 02:02:43 +0000
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <497288B1.9040303@justinshore.com>
References: <49727EB0.9020500@justinshore.com> <4972821E.4060001@wbsconnect.com> <497288B1.9040303@justinshore.com>
Message-ID: <2F92C44C-4A98-46FB-B296-CCAC135388E2@gmail.com>

Justin,

You should be able to fix the MTU mismatch issue without changing the interface/sub-interface MTU.

conf t
interface xxx/x.10
xconnect ..
mtu xxx

regards,
Rado

On 18 Jan 2009, at 01:41, Justin Shore wrote:
> Chris Phillips wrote:
>> The MTU definitely needs to be the same, in my experience.
>> However, I am somewhat new to MPLS and am very much still in the
>> learning process. But, that would be the first thing that I would
>> change.
>
> I'm in the same boat for L2VPNs. I have somewhat better knowledge
> of L3VPNs at this point. We're just now really diving into L2VPNs.
>
> I did change the MTU and that fixed it. That presents a design
> issue for me which I detailed in a self-reply to the list. I'm now
> trying to figure out what best practice is for EoMPLS on sub-ints
> when the sub-int involves customer and infrastructure VLANs. The
> best answer may be to not mix them. Thoughts?
>
> Thanks
> Justin
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From cphillips at wbsconnect.com Sat Jan 17 21:31:28 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Sat, 17 Jan 2009 18:31:28 -0800
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <2F92C44C-4A98-46FB-B296-CCAC135388E2@gmail.com>
References: <49727EB0.9020500@justinshore.com> <4972821E.4060001@wbsconnect.com> <497288B1.9040303@justinshore.com> <2F92C44C-4A98-46FB-B296-CCAC135388E2@gmail.com>
Message-ID: <49729480.2080600@wbsconnect.com>

Rado,

nyc1(config)#int te1/2.1254
nyc1(config-subif)#mtu ?
<9216-9216> MTU size in bytes

nyc1(config-subif)#mtu 9216 ?

nyc1(config-subif)#mtu 9216
% Sub-interface TenGigabitEthernet1/2.1254 does not support user settable mtu

Afaik, all sub-interfaces assume the MTU of the primary physical port, and that this cannot be changed.

Rado Vasilev wrote:
> Justin,
>
> You should be able to fix the MTU mismatch issue without changing the
> interface/sub-interface MTU.
> conf t
> interface xxx/x.10
> xconnect ..
> mtu xxx
>
>
> regards,
> Rado
>
>
> On 18 Jan 2009, at 01:41, Justin Shore wrote:
>
>> Chris Phillips wrote:
>>> The MTU definitely needs to be the same, in my experience. However,
>>> I am somewhat new to MPLS and am very much still in the learning
>>> process. But, that would be the first thing that I would change.
>>
>> I'm in the same boat for L2VPNs. I have somewhat better knowledge of
>> L3VPNs at this point. We're just now really diving into L2VPNs.
>>
>> I did change the MTU and that fixed it. That presents a design issue
>> for me which I detailed in a self-reply to the list. I'm now trying
>> to figure out what best practice is for EoMPLS on sub-ints when the
>> sub-int involves customer and infrastructure VLANs. The best answer
>> may be to not mix them.
>> Thoughts?
>>
>> Thanks
>> Justin
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Chris Phillips
Senior IP Engineer & Peering Coordinator
WBS Connect
cphillips at wbsconnect.com
(866) WBS-CONX
(720) 259-8361 - direct
(303) 968-4383 - mobile
www.wbsconnect.com
www.wbstoday.com blog

Ranked #1 as the "Fastest Growing privately held company in Colorado"
- 2008 Denver Business Journal -

From decklandv at gmail.com Sat Jan 17 21:36:51 2009
From: decklandv at gmail.com (Rado Vasilev)
Date: Sun, 18 Jan 2009 02:36:51 +0000
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <49729480.2080600@wbsconnect.com>
References: <49727EB0.9020500@justinshore.com> <4972821E.4060001@wbsconnect.com> <497288B1.9040303@justinshore.com> <2F92C44C-4A98-46FB-B296-CCAC135388E2@gmail.com> <49729480.2080600@wbsconnect.com>
Message-ID: <901B59B8-8841-4576-A9D1-72D957DBCFF5@gmail.com>

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1187367

On 18 Jan 2009, at 02:31, Chris Phillips wrote:
> Rado,
>
> nyc1(config)#int te1/2.1254
> nyc1(config-subif)#mtu ?
> <9216-9216> MTU size in bytes
>
> nyc1(config-subif)#mtu 9216 ?
>
>
> nyc1(config-subif)#mtu 9216
> % Sub-interface TenGigabitEthernet1/2.1254 does not support user
> settable mtu
>
> Afaik, all sub-interfaces assume the MTU of the primary physical
> port, and that this cannot be changed.
>
> Rado Vasilev wrote:
>> Justin,
>> You should be able to fix the MTU mismatch issue without changing
>> the interface/sub-interface MTU.
>> conf t
>> interface xxx/x.10
>> xconnect ..
>> mtu xxx
>> regards,
>> Rado
>> On 18 Jan 2009, at 01:41, Justin Shore wrote:
>>> Chris Phillips wrote:
>>>> The MTU definitely needs to be the same, in my experience.
>>>> However, I am somewhat new to MPLS and am very much still in the
>>>> learning process. But, that would be the first thing that I
>>>> would change.
>>>
>>> I'm in the same boat for L2VPNs. I have somewhat better knowledge
>>> of L3VPNs at this point. We're just now really diving into L2VPNs.
>>>
>>> I did change the MTU and that fixed it. That presents a design
>>> issue for me which I detailed in a self-reply to the list. I'm
>>> now trying to figure out what best practice is for EoMPLS on sub-
>>> ints when the sub-int involves customer and infrastructure VLANs.
>>> The best answer may be to not mix them. Thoughts?
>>>
>>> Thanks
>>> Justin
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> --
> Chris Phillips
> Senior IP Engineer & Peering Coordinator
> WBS Connect
> cphillips at wbsconnect.com
> (866) WBS-CONX
> (720) 259-8361 - direct
> (303) 968-4383 - mobile
> www.wbsconnect.com
> www.wbstoday.com blog
>
> Ranked #1 as the "Fastest Growing privately held company in Colorado"
> - 2008 Denver Business Journal -

From justin at justinshore.com Sun Jan 18 00:16:31 2009
From: justin at justinshore.com (Justin Shore)
Date: Sat, 17 Jan 2009 23:16:31 -0600
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <901B59B8-8841-4576-A9D1-72D957DBCFF5@gmail.com>
References: <49727EB0.9020500@justinshore.com> <4972821E.4060001@wbsconnect.com> <497288B1.9040303@justinshore.com> <2F92C44C-4A98-46FB-B296-CCAC135388E2@gmail.com> <49729480.2080600@wbsconnect.com> <901B59B8-8841-4576-A9D1-72D957DBCFF5@gmail.com>
Message-ID: <4972BB2F.60203@justinshore.com>

Rado,

Thanks for the reply. That's a very useful doc. In my particular situation I'm trying to set the MTU on an Ethernet sub-interface.
It would appear that this isn't possible (though it would be useful if one could at least fake it and get the VC up when you know that closer to the edge you're taking care of enforcing a set MTU). That doc will definitely come in handy though.

Thanks for the input
Justin

Rado Vasilev wrote:
> http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1187367
>
>
>
>
> On 18 Jan 2009, at 02:31, Chris Phillips wrote:
>
>> Rado,
>>
>> nyc1(config)#int te1/2.1254
>> nyc1(config-subif)#mtu ?
>> <9216-9216> MTU size in bytes
>>
>> nyc1(config-subif)#mtu 9216 ?
>>
>>
>> nyc1(config-subif)#mtu 9216
>> % Sub-interface TenGigabitEthernet1/2.1254 does not support user
>> settable mtu
>>
>> Afaik, all sub-interfaces assume the MTU of the primary physical port,
>> and that this cannot be changed.
>>
>> Rado Vasilev wrote:
>>> Justin,
>>> You should be able to fix the MTU mismatch issue without changing the
>>> interface/sub-interface MTU.
>>> conf t
>>> interface xxx/x.10
>>> xconnect ..
>>> mtu xxx
>>> regards,
>>> Rado
>>> On 18 Jan 2009, at 01:41, Justin Shore wrote:
>>>> Chris Phillips wrote:
>>>>> The MTU definitely needs to be the same, in my experience.
>>>>> However, I am somewhat new to MPLS and am very much still in the
>>>>> learning process. But, that would be the first thing that I would
>>>>> change.
>>>>
>>>> I'm in the same boat for L2VPNs. I have somewhat better knowledge
>>>> of L3VPNs at this point. We're just now really diving into L2VPNs.
>>>>
>>>> I did change the MTU and that fixed it. That presents a design
>>>> issue for me which I detailed in a self-reply to the list. I'm now
>>>> trying to figure out what best practice is for EoMPLS on sub-ints
>>>> when the sub-int involves customer and infrastructure VLANs. The
>>>> best answer may be to not mix them. Thoughts?
>>>>
>>>> Thanks
>>>> Justin
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>> --
>> Chris Phillips
>> Senior IP Engineer & Peering Coordinator
>> WBS Connect
>> cphillips at wbsconnect.com
>> (866) WBS-CONX
>> (720) 259-8361 - direct
>> (303) 968-4383 - mobile
>> www.wbsconnect.com
>> www.wbstoday.com blog
>>
>> Ranked #1 as the "Fastest Growing privately held company in Colorado"
>> - 2008 Denver Business Journal -
>

From mtinka at globaltransit.net Sat Jan 17 23:46:45 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 18 Jan 2009 12:46:45 +0800
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <49728478.3060903@justinshore.com>
References: <49727EB0.9020500@justinshore.com> <49728478.3060903@justinshore.com>
Message-ID: <200901181246.50087.mtinka@globaltransit.net>

On Sunday 18 January 2009 09:23:04 am Justin Shore wrote:
> The MTU thing got me thinking (dangerous I know). I set
> the MTU on Gi0/2 on 7201 back to 1500 and the VC
> immediately came up and passed traffic. The MTU on the
> sub-int of the 7201 can't be set separately from the
> physical interface's MTU:
>
> % Non-TRISL encapsulated sub-interface
> GigabitEthernet0/2.130 does not support user settable
> mtu.

You can set the 'xconnect' MTU independently on the sub-interface, but you'll need SRC for that:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047362

> MPLS MTU on the sub-int or physical interface doesn't
> appear to affect EoMPLS VCs either.

That just affects how much MTU is available to the MPLS infrastructure.

Some vendors do allow you to ignore MTU mismatch. Whether that's a good or bad thing is an operational matter for your network. We prefer to have them similar.
> Along this same train of thought, what's best practice
> for EoMPLS links when mixed with sub-ints? Should I
> strive to keep infrastructure links separate from
> customer links?

That's what we do, in the case of edge routers.

We'd, at least, use an edge router that has three (3) interfaces - 2x facing upstream to the core, 1x as the 802.1Q trunk to customers (more for customer redundancy, etc.).

Cheers,

Mark.

From justin at justinshore.com Sun Jan 18 00:57:45 2009
From: justin at justinshore.com (Justin Shore)
Date: Sat, 17 Jan 2009 23:57:45 -0600
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <200901181246.50087.mtinka@globaltransit.net>
References: <49727EB0.9020500@justinshore.com> <49728478.3060903@justinshore.com> <200901181246.50087.mtinka@globaltransit.net>
Message-ID: <4972C4D9.9020408@justinshore.com>

Mark Tinka wrote:
> You can set the 'xconnect' MTU independently on the sub-
> interface, but you'll need SRC for that:
>
> http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047362

I don't actually run SR code on any of our 7200s. I run 12.4T. I know everyone has their favorites and particular reasons for one over another. In my experience 12.4T has been relatively stable (once you get at least a T1 release out for a given (#) release). Our 7200s are particularly fancy, even the ones terminating OC3s of DSL customers. I may do a feature diff against SRC though to see if it's doable. Is there a particular name for the feature? I can bug our account team to press for it to be included in 12.4T. That would be an extremely helpful feature the more I think about it.

> Some vendors do allow you to ignore MTU mismatch.
> Whether
> that's a good or bad thing is an operational matter for your
> network. We prefer to have them similar.

This could be useful but you're right. It would probably be best if it matched on both sides. It would be handy if there was a solution for working around a mismatch though, even if it isn't recommended best practice.

> That's what we do, in the case of edge routers.
>
> We'd, at least, use an edge router that has three (3)
> interfaces - 2x facing upstream to the core, 1x as the
> 802.1Q trunk to customers (more for customer redundancy,
> etc.).

I went ahead and rigged up a second link between the 7201 and 4948. I moved all infrastructure sub-ints to the new link and left the customer sub-ints alone. I set up the infrastructure link with an MTU of 9000 and the customer link at the default of 1500.

I did run into one problem during the swap. Since you're an IS-IS guru I'll throw a question your way. I removed 3 sub-ints and added their clones on the other physical interface. The 3 routes associated with the sub-ints were not pushed upstream into the core. I had connected routes on the 7201 but they weren't being propagated on even though 'sh ip route' said they were being redisted. I'm redistributing connected in IS-IS. Previously the ints had no IS-IS config on them. To get those 3 routes pushed into my IGP I had to enable IS-IS on each sub-int with 'ip router isis'. I've seen this flaky behavior before but usually just add IS-IS to the interface and forget it. Any idea what causes this to happen or how to avoid the problem? I've seen a number of flaky IS-IS things happen. My favorite is when one router decides to send 8996 byte IIHs and the other side drops them as being too big. Fixing that usually requires removing all IS-IS config and reapplying it or rebooting. When it works though it's usually very solid.
Thanks
Justin

From vinzoda.hitesh at gmail.com Sun Jan 18 02:16:10 2009
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Sun, 18 Jan 2009 12:46:10 +0530
Subject: [c-nsp] Not Allowing Vlan 1 on trunk ports
Message-ID:

Dear All

Is there a way to suppress vlan 1 from passing from a trunk link coz i m not able to shutdown the L2 vlan 1.

Regards

Ronnie

From allan.eising at gmail.com Sun Jan 18 03:38:18 2009
From: allan.eising at gmail.com (Allan Eising)
Date: Sun, 18 Jan 2009 09:38:18 +0100
Subject: [c-nsp] Not Allowing Vlan 1 on trunk ports
In-Reply-To:
References:
Message-ID:

You could always use: switchport trunk allowed vlan 2-4094, or specify exactly the vlans you want passing over the trunk, e.g.

interface GigabitEthernet0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,10,200-300
!

Allan

On Sun, Jan 18, 2009 at 8:16 AM, Hitesh Vinzoda wrote:
> Dear All
>
> Is there a way to suppress vlan 1 from passing from a trunk link coz i m not
> able to shutdown the L2 vlan 1.
>
>
> Regards
>
> Ronnie
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From perc69 at gmail.com Sun Jan 18 05:53:49 2009
From: perc69 at gmail.com (Pelle)
Date: Sun, 18 Jan 2009 11:53:49 +0100
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <4972C4D9.9020408@justinshore.com>
References: <49727EB0.9020500@justinshore.com> <49728478.3060903@justinshore.com> <200901181246.50087.mtinka@globaltransit.net> <4972C4D9.9020408@justinshore.com>
Message-ID: <746ca6da0901180253q7bc75f64g376533ff7edb7655@mail.gmail.com>

Hi.

> To get those 3 routes pushed into my IGP
> I had to enable IS-IS on each sub-int with 'ip router isis'. I've seen this
> flaky behavior before but usually just add IS-IS to the interface and forget
> it.
A better idea (and much more deterministic) is using "passive-interface X" (under IS-IS) for the interfaces you want IS-IS to advertise. Doing that you can remove "redistribute connected" as well as "ip router isis Y" for those interfaces you want to advertise, but never want IS-IS to form an adjacency on (the last case).

Even better, "passive-interface" gives you the option to enable "advertise passive-interface only" to reduce the number of prefixes a router should advertise. This is very handy in a L3VPN-network where you only need the Loopbacks in IS-IS. Fewer prefixes => faster convergence :)

If you also would like to have the Core-links in the RIB, use iBGP for that.

--
Pelle

From ianh at chime.net.au Sun Jan 18 05:18:51 2009
From: ianh at chime.net.au (Ian Henderson)
Date: Sun, 18 Jan 2009 19:18:51 +0900
Subject: [c-nsp] Not Allowing Vlan 1 on trunk ports
In-Reply-To:
References:
Message-ID: <100362309621454DAA534950B17E55DB0114E7DF82F7@isp-per-exc01.win2k.iinet.net.au>

Hitesh Vinzoda wrote on 2009-01-18:
> Is there a way to supress vlan 1 from passing from a trunk link coz i
> m not able to shutdown the L2 vlan 1.

It depends on the platform and IOS version. If it works, you'll be able to just use a 'switchport trunk allowed vlan 2,5,6-8' or similar. If that command fails, it will tell you to include VLAN 1 and 1002-1005.

For example, this is on a 2950-24 running 12.1(9)EA1. A more modern IOS would work as intended (only trunking VLAN 2, 3, 4, 5):

switch-1(config)#int f0/1
switch-1(config-if)#switchport trunk allowed vlan 2-5
Command rejected: Bad VLAN allowed list. VLANs 1,1002-1005 are required.
switch-1(config-if)#

Rgds,

- I.
--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited

From mtinka at globaltransit.net Sun Jan 18 08:07:31 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 18 Jan 2009 21:07:31 +0800
Subject: [c-nsp] EoMPLS from ME3750 to 7201 GigE sub-int
In-Reply-To: <4972C4D9.9020408@justinshore.com>
References: <49727EB0.9020500@justinshore.com> <200901181246.50087.mtinka@globaltransit.net> <4972C4D9.9020408@justinshore.com>
Message-ID: <200901182107.44926.mtinka@globaltransit.net>

On Sunday 18 January 2009 01:57:45 pm Justin Shore wrote:
> I may do a feature diff against
> SRC though to see if it's doable.

If you do decide to try SRC, recommend SRC3 as a minimum. Earlier releases are very buggy, and we've seen random system reboots with BFD enabled, which was the worst for us.

> Is there a particular name for the feature?

From what I can tell at:

http://www.cisco.com/en/US/docs/ios/12_2sr/12_2src/12_2_33_src_newfeatlist.html

the feature name should be "Per Subinterface MTU for Ethernet over MPLS (EoMPLS)"; but it doesn't seem to show up in FN.

At any rate, you can describe what you need to your account team and let them know it's currently coded in SRC.

> Since you're
> an IS-IS guru...

Hardly :-).

> I'll throw a question your way. I removed
> 3 sub-ints and added their clones on the other physical
> interface. The 3 routes associated with the sub-ints
> were not pushed upstream into the core. I had connected
> routes on the 7201 but they weren't being propagated on
> even though 'sh ip route' said they were being redisted.
> I'm redistributing connected in IS-IS. Previously the
> ints had no IS-IS config on them. To get those 3 routes
> pushed into my IGP I had to enable IS-IS on each sub-int
> with 'ip router isis'. I've seen this flaky behavior
> before but usually just add IS-IS to the interface and
> forget it. Any idea what causes this to happen or how to
> avoid the problem?
I've heard of similar issues regarding redistribution of Connected routes between IS-IS and EIGRP, as well as between IS-IS and OSPF (both cases being a feature, not a bug), but not from the Connected RIB into IS-IS.

Suffice it to say, my redistribution experience with IS-IS has been static routes and between levels (route leaking), and both have worked with no problems. I wouldn't foresee any issues redistributing Connected routes, as long as you push them into the right IS-IS level.

Your issue sounds like a bug (especially since you say it worked prior to your sub-interface migration) - I'd report it to TAC for some feedback.

But as Pelle has mentioned, I'd recommend setting the customer sub-interfaces as 'passive'. Not only do you benefit from injecting the interface prefix into the core, but you also avoid having to run IS-IS on the interface itself, preventing the unnecessary generation of LSPs and Hellos, thus, keeping your IGP lean. Imagine if your customer base on this router grew, and you had to enable IS-IS on each sub-interface :-).

Further, this shields you from any nasties, should your customers turn up IS-IS on their interface toward your router and "potentially" become a part of your network.

Ultimately, when you have the time, consider using IS-IS just for your infrastructure and Loopback addresses, and use iBGP for your customer interface + assigned prefixes.

> I've seen a number of flaky IS-IS
> things happen. My favorite is when one router decides to
> send 8996 byte IIHs and the other side drops them as
> being too big.

Did both sides have the same MTU value? If so, I'd disable Hello Padding ('no hello padding' under 'router isis x'). Adjacencies would still form since IOS will pad the first five (5) Hello frames to the full MTU size, in order to detect MTU mismatches. Subsequent Hellos would not be padded.

Suffice it to say, IS-IS on SRC has been stable for us, except for CSCsu67637 (IPv6 address for passive interface not in ISIS database).
But as mentioned, if you choose to, don't look at anything else besides SRC3.

Cheers,

Mark.

From eric at roxanne.org Sun Jan 18 09:13:44 2009
From: eric at roxanne.org (Eric Gauthier)
Date: Sun, 18 Jan 2009 09:13:44 -0500
Subject: [c-nsp] Not Allowing Vlan 1 on trunk ports
In-Reply-To:
References:
Message-ID: <20090118141344.GA23771@roxanne.org>

Ronnie,

> switchport trunk allowed vlan 2-4094, or specify exactly the vlans you want
> passing over the trunk, eg.
>
> interface GigabitEthernet0/14
> switchport trunk encapsulation dot1q
> switchport mode trunk
> switchport trunk allowed vlan 2,10,200-300
> !

Though not exactly what you asked, you should also be careful of the native vlan on an 802.1q interface. In the example above, the native vlan for the port is the default, vlan 1, so any untagged packets will be assigned to vlan 1. The easy fix for this is to just change the native vlan to something else. I can't remember if you do this by setting an access vlan (switchport access vlan X) or if there's a command under "switchport trunk", but I think the configuration might look like:

interface GigabitEthernet0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,10,200-300
 switchport access vlan X
 switchport trunk native vlan X
 switchport nonegotiate
!

Depending on the IOS version, you might also consider disabling DTP with "switchport nonegotiate".
(http://www.cisco.com/en/US/tech/tk389/tk390/tk181/tsd_technology_support_sub-protocol_home.html)

Eric :)

From A.L.M.Buxey at lboro.ac.uk Sun Jan 18 10:47:47 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Sun, 18 Jan 2009 15:47:47 +0000
Subject: [c-nsp] Not Allowing Vlan 1 on trunk ports
In-Reply-To: <20090118141344.GA23771@roxanne.org>
References: <20090118141344.GA23771@roxanne.org>
Message-ID: <20090118154747.GA16892@lboro.ac.uk>

Hi,

> interface GigabitEthernet0/14
> switchport trunk encapsulation dot1q
> switchport mode trunk
> switchport trunk allowed vlan 2,10,200-300
>
> switchport access vlan X
> switchport trunk native vlan X
> switchport nonegotiate

you can't have a 'switchport access' and 'switchport mode trunk' (especially with nonegotiate). but the rest of it is the way to go for sure.

alan

From alexc at actcom.co.il Sun Jan 18 10:12:13 2009
From: alexc at actcom.co.il (Vects)
Date: Sun, 18 Jan 2009 17:12:13 +0200
Subject: [c-nsp] LNS for 500-1000
Message-ID: <1232291533.31435.216.camel@vects1.nivki.net>

Hello there,

I need to install small LNS for 500-1000 concurrent customers in order to implement per user rate limit/ACL assigned by radius. I'm planning to use l2tp. Please advise what minimal model of cisco I can use for that purpose?

Thanks, Alexc.

From jcartier at acs.on.ca Sun Jan 18 10:43:16 2009
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Sun, 18 Jan 2009 10:43:16 -0500
Subject: [c-nsp] Port-Channel load-balance w/ Voice
Message-ID:

Just wondering what the recommended load-balance state should be for a port-channel carrying voice packets?

From thomas at dupas.be Sun Jan 18 12:21:40 2009
From: thomas at dupas.be (Thomas Dupas)
Date: Sun, 18 Jan 2009 18:21:40 +0100
Subject: [c-nsp] Not Allowing Vlan 1 on trunk ports
In-Reply-To: <20090118154747.GA16892@lboro.ac.uk>
Message-ID:

You could do the opposite if you only want to remove vlan 1.
"switchport trunk allowed vlan except vlan 1", this will allow all vlans except 1

Best Regards,
Thomas

On 18/01/09 16:47, "A.L.M.Buxey at lboro.ac.uk" wrote:

Hi,

> interface GigabitEthernet0/14
> switchport trunk encapsulation dot1q
> switchport mode trunk
> switchport trunk allowed vlan 2,10,200-300
>
> switchport access vlan X
> switchport trunk native vlan X
> switchport nonegotiate

you can't have a 'switchport access' and 'switchport mode trunk' (especially with nonegotiate). but the rest of it is the way to go for sure.

alan

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From wp at null0.nl Sun Jan 18 12:29:38 2009
From: wp at null0.nl (Wouter Prins)
Date: Sun, 18 Jan 2009 18:29:38 +0100
Subject: [c-nsp] Not Allowing Vlan 1 on trunk ports
In-Reply-To:
References:
Message-ID:

Hi Hitesh,

The best way is to configure:
'vlan dot1q tag native' under global configuration.

Regards,
Wouter

2009/1/18 Hitesh Vinzoda

> Dear All
>
> Is there a way to suppress vlan 1 from passing from a trunk link coz i m not
> able to shutdown the L2 vlan 1.
>
>
> Regards
>
> Ronnie
>

From wp at null0.nl Sun Jan 18 12:31:03 2009
From: wp at null0.nl (Wouter Prins)
Date: Sun, 18 Jan 2009 18:31:03 +0100
Subject: [c-nsp] Not Allowing Vlan 1 on trunk ports
In-Reply-To:
References:
Message-ID:

Sorry, i misread this! I thought you wanted to tag the native vlan.. time for some coffee!

2009/1/18 Wouter Prins

> Hi Hitesh,
>
> The best way is to configure:
> 'vlan dot1q tag native' under global configuration.
>
> Regards,
> Wouter
>
> 2009/1/18 Hitesh Vinzoda
>
>> Dear All
>>
>> Is there a way to suppress vlan 1 from passing from a trunk link coz i m
>> not
>> able to shutdown the L2 vlan 1.
>>
>>
>> Regards
>>
>> Ronnie
>>
>

From willay at gmail.com Sun Jan 18 12:39:58 2009
From: willay at gmail.com (William)
Date: Sun, 18 Jan 2009 17:39:58 +0000
Subject: [c-nsp] changing VTP domain on 3750 not working
Message-ID:

Hi chaps,

I'm slightly confused what's going on here, I have a 3750 switch which isn't changing VTP domain.

The switch is currently in Server operating mode, I want to change the VTP domain and get rid of the current VLAN database. I've tried the following:

vlan database
vtp domain newdomain
exit
configure terminal
vtp domain newdomain
exit
wr mem
delete vlan.dat
reload

all in one session, every time it comes back with the original domain name, I have no idea what I'm doing wrong here as it's worked for me before! Please help.

Cheers,

W

From willay at gmail.com Sun Jan 18 13:06:19 2009
From: willay at gmail.com (William)
Date: Sun, 18 Jan 2009 18:06:19 +0000
Subject: [c-nsp] changing VTP domain on 3750 not working
In-Reply-To:
References:
Message-ID:

Nothing like replying to your own email :) - I've fixed it by getting VLAN1 up/up then doing the changes, reload, sorted!

Thanks for your time.

W

2009/1/18 William :
> Hi chaps,
>
> I'm slightly confused what's going on here, I have a 3750 switch which
> isn't changing VTP domain.
>
> The switch is currently in Server operating mode, I want to change the
> VTP domain and get rid of the current VLAN database.
> I've tried the
> following:
>
> vlan database
> vtp domain newdomain
> exit
> configure terminal
> vtp domain newdomain
> exit
> wr mem
> delete vlan.dat
> reload
>
> all in one session, every time it comes back with the original domain
> name, I have no idea what I'm doing wrong here as it's worked for me
> before! Please help.
>
> Cheers,
>
> W
>

From jeff-kell at utc.edu Sun Jan 18 13:26:15 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Sun, 18 Jan 2009 13:26:15 -0500
Subject: [c-nsp] Not Allowing Vlan 1 on trunk ports
In-Reply-To:
References:
Message-ID: <49737447.2040604@utc.edu>

Hitesh Vinzoda wrote:
> Dear All
>
> Is there a way to suppress vlan 1 from passing from a trunk link coz i m not
> able to shutdown the L2 vlan 1.

'switchport trunk allowed vlan xx,xx,xx-xx,xx'

or where supported,

'switchport trunk allowed vlan remove 1'

Jeff

From oiyankok at yahoo.ca Sun Jan 18 14:07:07 2009
From: oiyankok at yahoo.ca (ann kok)
Date: Sun, 18 Jan 2009 11:07:07 -0800 (PST)
Subject: [c-nsp] LNS for 500-1000
In-Reply-To: <1232291533.31435.216.camel@vects1.nivki.net>
Message-ID: <703713.2225.qm@web111312.mail.gq1.yahoo.com>

Assume 5M per user then you might need any cisco to support GigE or 10G

--- On Sun, 1/18/09, Vects wrote:

> From: Vects
> Subject: [c-nsp] LNS for 500-1000
> To: "'Cisco-nsp'"
> Received: Sunday, January 18, 2009, 10:12 AM
> Hello there,
> I need to install small LNS for 500-1000 concurrent
> customers in order
> to implement per user rate limit/ACL assigned by radius.
> I'm planning to
> use l2tp.
> Please advise what minimal model of cisco I can use for
> that purpose?
>
> Thanks, Alexc.
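The "Not Allowing Vlan 1 on trunk ports" thread above collects several ways to keep VLAN 1 off a trunk (an explicit allowed list, 'except 1', 'remove 1'), plus Eric's point about the native VLAN and DTP. What follows is an added example written by the editor, not code from any poster: a small Python audit that reads an IOS-style running config and reports trunks that still carry VLAN 1, still use the default native VLAN 1, or still negotiate DTP. It also generalises the 'allowed vlan' parsing to the add/remove/all/none forms beyond the ones typed in the thread. SAMPLE_CONFIG is constructed for the example; its interface names and VLAN numbers are illustrative.

```python
"""Audit IOS trunk ports for the VLAN 1 / native-VLAN hygiene points
raised in the 'Not Allowing Vlan 1 on trunk ports' thread.
Added example (editor's code, not from any poster); SAMPLE_CONFIG is a
constructed running-config excerpt."""

MAX_VLAN = 4094
ALL_VLANS = frozenset(range(1, MAX_VLAN + 1))


def parse_vlan_spec(spec):
    """Expand the argument of 'switchport trunk allowed vlan' into a set.
    Accepts 'all', 'none', 'except <list>' and lists like '2,10,200-300'.
    A stray 'vlan' token ('except vlan 1', as typed in the thread) is ignored."""
    tokens = [t for t in spec.replace(",", " ").split() if t.lower() != "vlan"]
    if not tokens or tokens[0].lower() == "all":
        return set(ALL_VLANS)
    if tokens[0].lower() == "none":
        return set()
    if tokens[0].lower() == "except":
        return set(ALL_VLANS) - parse_vlan_spec(" ".join(tokens[1:]))
    vlans = set()
    for tok in tokens:
        lo, _, hi = tok.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"bad VLAN range: {tok}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_interfaces(config):
    """Split an IOS running config into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return interfaces


def audit_trunks(config):
    """Return {trunk name: [findings]}; an empty list means the trunk is clean."""
    tag_native = "vlan dot1q tag native" in config.splitlines()
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        allowed = set(ALL_VLANS)          # IOS default: every VLAN allowed
        native, nonegotiate = 1, False    # IOS defaults: native VLAN 1, DTP on
        for line in lines:
            if line.startswith("switchport trunk allowed vlan "):
                arg = line[len("switchport trunk allowed vlan "):]
                verb, _, rest = arg.partition(" ")
                if verb == "add":
                    allowed |= parse_vlan_spec(rest)
                elif verb == "remove":
                    allowed -= parse_vlan_spec(rest)
                else:
                    allowed = parse_vlan_spec(arg)
            elif line.startswith("switchport trunk native vlan "):
                native = int(line.rsplit(None, 1)[1])
            elif line == "switchport nonegotiate":
                nonegotiate = True
        findings = []
        if 1 in allowed:
            findings.append("VLAN 1 is allowed on the trunk")
        if native == 1:
            findings.append("native VLAN is still the default (1)")
        if native in allowed and not tag_native:
            findings.append(f"native VLAN {native} is carried untagged "
                            "(no 'vlan dot1q tag native')")
        if not nonegotiate:
            findings.append("DTP still enabled (no 'switchport nonegotiate')")
        report[name] = findings
    return report


# Constructed sample: one trunk done as the thread recommends, one left at
# defaults, one using 'except', and an access port that the audit skips.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,10,200-300
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/15
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/16
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan except 1
!
interface GigabitEthernet0/17
 switchport access vlan 50
 switchport mode access
!
"""

if __name__ == "__main__":
    for trunk, findings in audit_trunks(SAMPLE_CONFIG).items():
        print(trunk, "->", "clean" if not findings else "; ".join(findings))
```

A native VLAN that is pruned from the allowed list (Gi0/14 here) counts as clean, since untagged frames then have nowhere to go; the global 'vlan dot1q tag native' that Wouter mentions is the other way to close that gap, and the audit recognises it. Gi0/16 shows that 'except 1' fixes the allowed list but leaves the native VLAN and DTP at their defaults.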
From peter at rathlev.dk Sun Jan 18 15:13:14 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sun, 18 Jan 2009 21:13:14 +0100
Subject: [c-nsp] changing VTP domain on 3750 not working
In-Reply-To:
References:
Message-ID: <1232309594.31256.1.camel@localhost.localdomain>

On Sun, 2009-01-18 at 18:06 +0000, William wrote:
> Nothing like replying to your own email :) - I've fixed it by getting
> VLAN1 up/up then doing the changes, reload, sorted!

Strange, but if it works...

> > vlan database
> > vtp domain newdomain
> > exit
> > configure terminal
> > vtp domain newdomain
> > exit
> > wr mem
> > delete vlan.dat
> > reload

When you delete "vlan.dat" as the next to last step, you actually reset all the settings to their default. If you omitted that part it would work as expected.

Regards,
Peter

From mt at vol.cz Mon Jan 19 06:09:00 2009
From: mt at vol.cz (Marek Tyban)
Date: Mon, 19 Jan 2009 12:09:00 +0100 (CET)
Subject: [c-nsp] QOS VLAN
In-Reply-To:
References: <20fe625b0901121617l3af0dbas8aef533ff74f4a8b@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406AEB089@xmb-ams-333.emea.cisco.com> <20090116085954.L86034@k3.vol.cz>
Message-ID: <20090119114001.R16888@k3.vol.cz>

Hello Leslie,

it seems that it works fine, see below

!
L2_ingress_interface (trunk or access)
!
interface GigabitEthernet1/8
 switchport
 mls qos vlan-based
!
!
interface Vlan3
 service-policy input VQOS
!
!
6503.lab#sh policy-map interface vlan 3 input class CLASS1
 Vlan3

  Service-policy input: VQOS

    class-map: CLASS1 (match-all)
      Match: access-group name ACL1
      police :
        64000 bps 2000 limit 2000 extended limit
      Earl in slot 1 :
        9414000 bytes
        30 second offered rate 82752 bps
        aggregate-forwarded 7300034 bytes action: transmit
        exceeded 2113966 bytes action: drop
        aggregate-forward 62760 bps exceed 18408 bps

Regards,
Marek

On Fri, 16 Jan 2009, Leslie Meade wrote:

> Hmmm I still could not get it to work.
> But I got it to go on the ASA's
>
> Thanks for the help
>
>
>
> -----Original Message-----
> From: Marek Tyban [mailto:mt at vol.cz]
> Sent: Friday, January 16, 2009 12:08 AM
> To: Leslie Meade
> Cc: cisco-nsp
> Subject: Re: [c-nsp] QOS VLAN
>
>
> Hello Leslie,
>
> to accomplish this you need enable vlan based QoS (mls qos vlan-based).
>
> m.
>
> On Thu, 15 Jan 2009, Leslie Meade wrote:
>
>> I have a 6509e with a sup 32, and I want to control how much bandwidth
>> is available to each vlan. My uploading is working fine but I do not
>> know understand why my users on this vlan or any vlan still pulls down
>> lots of data. I have been told that I cannot do this because the
>> equipment is not suited to my needs.
>>
>> This is what I have
>>
>> policy-map 4_Mb_Internet
>> class class-default
>> police cir 4194000 bc 491515 be 491515 conform-action transmit exceed-action drop violate-action drop
>>
>> interface Vlan4
>> description 2012 Camera Feed
>> ip address 10.1.4.2 255.255.255.0
>> ip access-group Productions in
>> ip helper-address 10.1.6.10
>> no ip redirects
>> no ip unreachables
>> ip flow ingress
>> ip route-cache flow
>> no ip mroute-cache
>> mls netflow sampling
>> standby 15 ip 10.1.4.1
>> standby 15 priority 250
>> standby 15 preempt
>> service-policy input 4_Mb_Internet
>> service-policy output 4_Mb_Internet
>>
>>
>> Any one point me in the right direction
>>
>> Leslie
>>

From Anton.Schweitzer at o2.com Mon Jan 19 08:24:16 2009
From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com)
Date: Mon, 19 Jan 2009 14:24:16 +0100
Subject: [c-nsp] Combined AUX/Console Port, HOW do i use AUX ?
Message-ID:

Hi,

i need to use the AUX port on a Cisco 876, but there is only a Combined AUX/CON Port. we need to use PAD on the AUX Port and need to know how the router decides what is active console or aux ???

Cheers
Anton

Anton Schweitzer
Senior Specialist BS Projekt & Service
Customer Design
o2 (Germany) GmbH & Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobile +49(0)176-23407715
Fax +49(0)89-2442-4281
anton.schweitzer at o2.com

A contribution to environmental protection: not every e-mail needs to be printed. http://www.o2engagiert-fuer-morgen.de

Telefónica o2 Germany GmbH & Co. OHG · Georg-Brauchle-Ring 23-25 · 80992 München · Germany · www.o2.com/de
VAT ID no. DE 811 889 638. Munich District Court HRA 70343.
Partners: Telefónica o2 Germany Management GmbH.
Munich District Court HRB 109061 and Telefónica o2 Germany Verwaltungs GmbH. Munich District Court HRB 121389, both at the same court. Managing directors of both partners: Jaime Smith Basterra, Chairman. Antonio Botas Banuelos. Andrea Folgueiras. André Krause. Lutz Schüler. Carsten Wreth.

From cklam at ias.edu Mon Jan 19 10:06:23 2009
From: cklam at ias.edu (Christina Klam)
Date: Mon, 19 Jan 2009 10:06:23 -0500
Subject: [c-nsp] Diagnostic errors in 6513
Message-ID: <497496EF.2010301@ias.edu>

All,

We have a Cisco 6513 in production that is having some problems. After the switch runs its daily diagnostics on each of the modules, most of the line cards stop passing traffic. As a workaround, I have disabled diagnostics on all of the modules.

Initially, Cisco TAC said this was a known bug. However after I have upgraded from SXH2 to SXH4 and eventually to s72033-ipservicesk9_wan-mz.122-33.SXI.bin, they are now leaning towards hardware problems. If I have to replace this chassis, it will be the second time in two months. In addition, I have replaced two of the line cards in December. As we have only had this switch for 18 months, this is a lot in a short period of time. Has anyone else had these problems with the 6500s?

Dec 21 06:41:08 172.16.4.158 189: Dec 21 06:41:03.261 EST: %CONST_DIAG-SP-4-ERROR_COUNTER_DATA: ID:60 IN:0 PO:255 RE:5212 RM:255 DV:1 EG:2 CF:10 TF:1574
Dec 21 06:48:09 172.16.4.158 190: Dec 21 06:48:04.750 EST: %CONST_DIAG-SP-4-ERROR_COUNTER_WARNING: Module 1 Error counter exceeds threshold, system operation continue.
Dec 21 06:48:10 172.16.4.158 191: Dec 21 06:48:04.750 EST: %CONST_DIAG-SP-4-ERROR_COUNTER_DATA: ID:60 IN:0 PO:255 RE:5212 RM:255 DV:30 EG:2 CF:10 TF:1585
Jan 13 22:31:27.552 EST: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online Diagnostics
Jan 13 22:31:46.339 EST: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-45AF
  2    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-45AF
  3    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
  4    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
  5    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
  6    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
  7     5 Supervisor Engine 720 10GE (Active)    VS-S720-10G
  8     5 Supervisor Engine 720 10GE (Hot)       VS-S720-10G
  9    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
 10    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
 11    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
 12    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX

Thank you,
Chris

From jonathan.oddy at hostway.co.uk Mon Jan 19 10:58:17 2009
From: jonathan.oddy at hostway.co.uk (Jonathan Oddy)
Date: Mon, 19 Jan 2009 15:58:17 +0000
Subject: [c-nsp] BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH
In-Reply-To: <20090116125718.GB26415@bronze.eng.gxn.net>
References: <20090116125718.GB26415@bronze.eng.gxn.net>
Message-ID: <4974A319.60302@hostway.co.uk>

After some lab work we have established that the source of the invalid AS4_PATHs discussed in [1] is likely a non compliant implementation of RFC4893 (AS4) in some versions of Juniper JunOS.
We have observed the following behaviour with both JunOS 9.3R1.7 and 9.1R2.10, and suspect it may be present in all other JunOS versions since they introduced AS4 support in 9.1R1. Unfortunately we have limited resources so have not been able to test with other versions.

When a mix of pre and post 9.1R1 JunOS devices are deployed within a network utilising confederations the AS4_PATH (if present) is used by the AS4 supporting devices to hold an AS_CONFED_SET/SEQUENCE. This behaviour is explicitly forbidden by RFC4893 [3]. If the egress router from the AS utilising confederations is not AS4-aware the confederation information is never removed from the AS4_PATH, and is passed onto the neighbouring networks with the repercussions discussed in [1]. As mentioned in both [1] and [2] this is especially critical as at present Cisco IOS will tear down sessions when receiving an AS4_PATH containing an AS_CONFED_SET/SEQUENCE.

Lab setup:

AS1.0 - obgp1 (OpenBGPD)
AS64512 {
  AS65001 - juniper1 (JunOS 9.1 or 9.3) (32 bit ASN support)
  AS65002 - juniper2 (JunOS 8.4) (no 32 bit ASN support)
}
AS64513 - obgp2 (OpenBGPD)

Where AS1.0 is an AS with a 32bit AS number, AS64512 is a Juniper network using confederations and with mixed AS4 support, and AS64513 is another network (doesn't matter what it supports.)

On announcing a prefix from obgp1 we observe the following in the UPDATE from juniper1 to juniper2:

AS_PATH: (65001) 23456
AS4_PATH: (65001) 65536

And at obgp2:

AS_PATH: 64512 23456
AS4_PATH: (65001) 65536

This shows juniper1, which is AS4-aware, adding an AS_CONFED_SET to both the AS_PATH and AS4_PATH before announcing the prefix to juniper2. As juniper2 is not AS4-aware it does not strip the AS_CONFED_SET from the AS4_PATH before announcing it to obgp2, resulting in an invalid AS4_PATH attribute in the UPDATE to obgp2.
Conclusions:

 * If you use JunOS and make use of confederations you should ensure that your entire network either supports AS4 (9.1R1 or later) or doesn't (pre 9.1.)
 * While the Juniper implementation is clearly non-compliant with the standard, and should be corrected, the number of versions in which this bug is probably present means that these versions will never be completely eliminated from use.
 * The flaw in the standard can still be misused maliciously.

We do not see that going forward it will be possible to completely eliminate the possibility of an AS_CONFED_SET appearing in an AS4_PATH. We believe that this problem requires a consistent response from the vendors, and that to facilitate such a response the standard must be revised. Even if vendors do implement their own workarounds the standard needs to be revised to ensure that future implementers don't fall into this trap.

Regards,
 Andy Davidson, NetSumo (andy.davidson at netsumo.com),
 Jonathan Oddy, Hostway UK (jonathan.oddy at hostway.co.uk),
 Rob Shakir, GX Networks (rjs at eng.gxn.net)

[1] http://www.merit.edu/mail.archives/nanog/msg14345.html
[2] http://www.merit.edu/mail.archives/nanog/msg14388.html
[3] From RFC4893 section 3:
  "To prevent the possible propagation of confederation path segments
  outside of a confederation, the path segment types AS_CONFED_SEQUENCE
  and AS_CONFED_SET [RFC3065] are declared invalid for the AS4_PATH
  attribute."

Thanks to Dan Goscomb (Goscomb Tech) for loan of a J2320 for the lab.
Thanks to Will Hargrave (LONAP) for assistance with this document.
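As an added illustration of the attribute the report above describes (editor's code, not from the report's authors, Juniper or Cisco): the following Python builds the two path attributes observed at obgp2 as AS_PATH/AS4_PATH segment bytes, parses them back, and applies the RFC4893 section 3 rule quoted in [3] on the receiving side. The attribute bytes are constructed here to match the lab output; the parenthesised "(65001)" is encoded as an AS_CONFED_SEQUENCE (the report's body calls it an AS_CONFED_SET, and the check flags both types). The receiver decision in handle_as4_path, dropping the offending attribute and keeping the session, is this example's design choice and not what IOS did at the time; the report says IOS tore the session down.

```python
"""Check a BGP AS4_PATH for the confederation segments RFC4893 forbids.
Added example (editor's code).  LAB_AS_PATH / LAB_AS4_PATH are
constructed to match the UPDATE the lab above observed at obgp2."""
import struct

AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
SEGMENT_NAMES = {AS_SET: "AS_SET", AS_SEQUENCE: "AS_SEQUENCE",
                 AS_CONFED_SEQUENCE: "AS_CONFED_SEQUENCE",
                 AS_CONFED_SET: "AS_CONFED_SET"}
CONFED_TYPES = (AS_CONFED_SEQUENCE, AS_CONFED_SET)
AS_TRANS = 23456   # 2-octet stand-in for a 4-octet ASN in AS_PATH (RFC4893)


def encode_path(segments, asn_width):
    """Serialise [(segment_type, [asn, ...]), ...] as an AS_PATH/AS4_PATH
    attribute value.  asn_width is 2 for an AS_PATH from an OLD (2-octet)
    speaker and 4 for AS4_PATH."""
    fmt = ">H" if asn_width == 2 else ">I"
    out = bytearray()
    for seg_type, asns in segments:
        out += struct.pack(">BB", seg_type, len(asns))
        for asn in asns:
            out += struct.pack(fmt, asn)
    return bytes(out)


def decode_path(value, asn_width):
    """Parse attribute-value bytes into [(segment_type, [asn, ...]), ...].
    Raises ValueError on truncation or an unknown segment type, which a
    receiver should treat as a malformed attribute."""
    code = "H" if asn_width == 2 else "I"
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in SEGMENT_NAMES:
            raise ValueError(f"unknown segment type {seg_type}")
        body = value[pos:pos + count * asn_width]
        if len(body) != count * asn_width:
            raise ValueError("truncated segment body")
        segments.append((seg_type, list(struct.unpack(f">{count}{code}", body))))
        pos += count * asn_width
    return segments


def as4_path_violations(as4_value):
    """Names of confederation segments found in an AS4_PATH value; an empty
    list means the attribute is valid per RFC4893 section 3."""
    return [SEGMENT_NAMES[t] for t, _ in decode_path(as4_value, 4)
            if t in CONFED_TYPES]


def handle_as4_path(as4_value):
    """Receiver-side decision: ('accept', segments) or ('discard', reasons).
    Discarding just the attribute (and keeping the session up) is this
    example's choice; the report says IOS of the day reset the session."""
    try:
        violations = as4_path_violations(as4_value)
    except ValueError as exc:
        return ("discard", [str(exc)])
    if violations:
        return ("discard", violations)
    return ("accept", decode_path(as4_value, 4))


def format_path(segments):
    """Render segments the way the report does: (..) confed sequence,
    [..] confed set, {..} AS_SET, bare numbers for AS_SEQUENCE."""
    brackets = {AS_SEQUENCE: ("", ""), AS_SET: ("{", "}"),
                AS_CONFED_SEQUENCE: ("(", ")"), AS_CONFED_SET: ("[", "]")}
    return " ".join(brackets[t][0] + " ".join(map(str, a)) + brackets[t][1]
                    for t, a in segments)


# Constructed to match the UPDATE seen at obgp2: "AS_PATH: 64512 23456",
# "AS4_PATH: (65001) 65536".
LAB_AS_PATH = encode_path([(AS_SEQUENCE, [64512, AS_TRANS])], 2)
LAB_AS4_PATH = encode_path([(AS_CONFED_SEQUENCE, [65001]),
                            (AS_SEQUENCE, [65536])], 4)

if __name__ == "__main__":
    print("AS_PATH :", format_path(decode_path(LAB_AS_PATH, 2)))
    print("AS4_PATH:", format_path(decode_path(LAB_AS4_PATH, 4)))
    print("decision:", handle_as4_path(LAB_AS4_PATH))
```

The point the check makes visible is the one the report draws: the AS_PATH that obgp2 receives is clean (juniper2 stripped the confederation segment from it as a non-AS4 egress router must), while the AS4_PATH, which juniper2 relays opaquely, still carries "(65001)". A receiver that validates the attribute on its own, rather than trusting the peer to have done so, can log and drop the attribute instead of losing the whole session.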
--
Jonathan Oddy
Hostway UK

From avayner at cisco.com Mon Jan 19 13:29:52 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 19 Jan 2009 19:29:52 +0100
Subject: [c-nsp] LNS for 500-1000
In-Reply-To: <1232291533.31435.216.camel@vects1.nivki.net>
References: <1232291533.31435.216.camel@vects1.nivki.net>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D70E59EE@xmb-ams-331.emea.cisco.com>

For this scale (and assuming <10Mbps per user) a 7201 would be great.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vects
Sent: Sunday, January 18, 2009 17:12
To: 'Cisco-nsp'
Subject: [c-nsp] LNS for 500-1000

Hello there,

I need to install small LNS for 500-1000 concurrent customers in order to implement per user rate limit/ACL assigned by radius. I'm planning to use l2tp. Please advise what minimal model of cisco I can use for that purpose?

Thanks, Alexc.

From tvarriale at comcast.net Mon Jan 19 16:53:26 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 19 Jan 2009 15:53:26 -0600
Subject: [c-nsp] Diagnostic errors in 6513
References: <497496EF.2010301@ias.edu>
Message-ID: <31B889C67B864012AFCF3284C02C7096@flamdt01>

I do not recall bad problems with the 6148 or the 6513 chassis. Did you replace your chassis originally and it didn't fix the problem? If not, why did you replace the chassis? Do you have the default tests on or modified?
tv

----- Original Message -----
From: "Christina Klam"
To:
Sent: Monday, January 19, 2009 9:06 AM
Subject: [c-nsp] Diagnostic errors in 6513

> All,
>
> We have a Cisco 6513 in production that is having some problems.
> After the switch runs its daily diagnostics on each of the modules,
> most of the line cards stop passing traffic. As a workaround, I have
> disabled diagnostics on all of the modules.
>
> Initially, Cisco TAC said this was a known bug. However after I have
> upgraded from SXH2 to SXH4 and eventually to
> s72033-ipservicesk9_wan-mz.122-33.SXI.bin, they are now leaning
> towards hardware problems. If I have to replace this chassis, it
> will be the second time in two months. In addition, I have replaced
> two of the line cards in December. As we have only had this switch
> for 18 months, this is a lot in a short period of time. Has anyone
> else had these problems with the 6500s?
>
> Dec 21 06:41:08 172.16.4.158 189: Dec 21 06:41:03.261 EST:
> %CONST_DIAG-SP-4-ERROR_COUNTER_DATA: ID:60 IN:0 PO:255 RE:5212 RM:255 DV:1 EG:2 CF:10 TF:1574
> Dec 21 06:48:09 172.16.4.158 190: Dec 21 06:48:04.750 EST:
> %CONST_DIAG-SP-4-ERROR_COUNTER_WARNING: Module 1 Error counter exceeds
> threshold, system operation continue.
> Dec 21 06:48:10 172.16.4.158 191: Dec 21 06:48:04.750 EST:
> %CONST_DIAG-SP-4-ERROR_COUNTER_DATA: ID:60 IN:0 PO:255 RE:5212 RM:255
> DV:30 EG:2 CF:10 TF:1585
> Jan 13 22:31:27.552 EST: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online
> Diagnostics
> Jan 13 22:31:46.339 EST: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD
> EEM TCL policy for TestNonDisruptiveLoopback
>
> Mod Ports Card Type                              Model              Serial No.
> --- ----- -------------------------------------- ------------------ -----------
>   1    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-45AF
>   2    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-45AF
>   3    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
>   4    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
>   5    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
>   6    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
>   7     5 Supervisor Engine 720 10GE (Active)    VS-S720-10G
>   8     5 Supervisor Engine 720 10GE (Hot)       VS-S720-10G
>   9    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
>  10    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
>  11    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
>  12    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
>
>
> Thank you,
> Chris
>

From dudepron at gmail.com Mon Jan 19 17:59:06 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 19 Jan 2009 17:59:06 -0500
Subject: [c-nsp] BGP Question
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A280165524E2718@SRVEXC02.aas.its.nja.dk>
References: <505b616c0901151311v68800105u21c5473a5c005149@mail.gmail.com> <8D68760F464FFD40A01BF2FB374E4A280165524E2718@SRVEXC02.aas.its.nja.dk>
Message-ID: <480dad640901191459r1a4fd205j2b863702a5377635@mail.gmail.com>

and a static route pointing to the outgoing interface

On Thu, Jan 15, 2009 at 17:24, Arne Larsen / Region Nordjylland wrote:

> If an EBGP peer is more than one hop away from the local router, you must
> specify the next hop to the peer so that the two systems can establish a BGP
> session.
>
> neighbor x.x.x.x remote-as xxx
> neighbor x.x.x.x ebgp-multihop
>
> /Arne
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of tkacprzynski at spencerstuart.com
> Sent: 15 January 2009 23:13
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] BGP Question
>
> Hello,
> I'm trying to figure out if this configuration can be accomplished.
>
> Topology
>
>
> CPE-----------CE-----------PE -------- Internet
> ASN 1                      ASN 3
>
> I'm trying to figure out a way where CPE and PE is peering with each other,
> where CE is not using iBGP between PE but can still filter some of the
> routes from PE. The PE can't really have any "custom"
> configuration except simple neighboring. I have more flexibility with the
> CE.
>
> The PE basically has a lot of summary routes that I need to make more
> specific, but can't really change much on the PE, the idea is to use the CE
> to modify them then send the CPE more specific routes based on the summary
> routes. The requirement for more specific routers is there to eliminate some
> asymmetric routing (other links not shown).
>
> I was looking at Local-AS and whether that could help. Not sure.
>
> Any suggestions are greatly appreciated.
>
> Thank you
>
> Tom
>
>

From mduksa at gmail.com Mon Jan 19 18:24:51 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Mon, 19 Jan 2009 15:24:51 -0800
Subject: [c-nsp] EoMPLS termination into L3 VRF
Message-ID:

Hi,

Does anyone know how to terminate EoMPLS (point to point service) on 7600 (ES20 cards) into a L3 VRF. Documentation say that it can be done but I can't find any examples.

We do not want to create xconnect under EVC interface because this way we would waste an interface.

It should be something like:

intf vlan 10
 vrf
 ip address x.x.x.x
 xconnect y.y.y.y 100 mpls

-> the problem with this is that this has to be in the global context so that it can see remote PE. With this, it looks like it is defined in the vrf where y.y.y.y (remote PE) does not exist.

Thanks,
Marlon

From brad.henshaw at qcn.com.au Mon Jan 19 18:30:16 2009
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Tue, 20 Jan 2009 09:30:16 +1000
Subject: [c-nsp] Combined AUX/Console Port, HOW do i use AUX ?
Message-ID: <8B25B862BC09784B9B74FB950D4F64D406CCAE@qcnapp01.corp.qcn>

Anton.Schweitzer at o2.com wrote:
> i need to use the AUX port on a Cisco 876, but there is
> only a Combined AUX/CON Port. we need to use PAD on the AUX
> Port and need to know how the router decides what is active
> console or aux ???

You need to set 'modem enable' on line con 0 then configure line aux 0.
http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/dialbkup.html#wp1015415

I don't know whether PAD is supported on the AUX port of the 870 series but the above should provide a starting point.

Personally I find it annoying that Cisco didn't just put both console & aux ports on these routers... configuring the console port as an aux port makes on-site management and configuration (when the modem needs to be unplugged) a right pain in the arse.

Regards,
Brad

From lists at hojmark.org Mon Jan 19 18:33:21 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Tue, 20 Jan 2009 00:33:21 +0100
Subject: [c-nsp] 3750 or 3560?
In-Reply-To: <1231844166.12543.7.camel@dsba-ipso>
References: <1231844166.12543.7.camel@dsba-ipso>
Message-ID: <461AED17EC98482F8172FA136E6F7723@hojmark.net>

> I have now a requirement and I need PVLANs but they are not
> supported in the 2960 (as far as I was reading at cisco.com)

Private VLAN *Edge* is supported on the Catalyst 2960. See Configuration Guide > Configuring Port-Based Traffic Control > Configuring Protected Ports. (http://tinyurl.com/7drp4c)

-A

From oiyankok at yahoo.ca Mon Jan 19 20:35:47 2009
From: oiyankok at yahoo.ca (ann kok)
Date: Mon, 19 Jan 2009 17:35:47 -0800 (PST)
Subject: [c-nsp] 3750 or 3560?
In-Reply-To: <461AED17EC98482F8172FA136E6F7723@hojmark.net>
Message-ID: <921694.96400.qm@web111308.mail.gq1.yahoo.com>

why click tinyurl.com to redirect to cisco site?

Do they have any relationship?

Thank you

--- On Mon, 1/19/09, Asbjorn Hojmark - Lists wrote:

> From: Asbjorn Hojmark - Lists
> Subject: Re: [c-nsp] 3750 or 3560?
> To: "'luismi'"
> Cc: cisco-nsp at puck.nether.net
> Received: Monday, January 19, 2009, 6:33 PM
> > I have now a requirement and I need PVLANs but they are
> not
> > supported in the 2960 (as far as I was reading at
> cisco.com)
>
> Private VLAN *Edge* is supported on the Catalyst 2960.
> See Configuration Guide > Configuring Port-Based Traffic Control > Configuring Protected Ports. (http://tinyurl.com/7drp4c)
>
> -A

From ploopster at gmail.com Mon Jan 19 20:39:24 2009
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Mon, 19 Jan 2009 20:39:24 -0500
Subject: [c-nsp] 3750 or 3560?
In-Reply-To: <921694.96400.qm@web111308.mail.gq1.yahoo.com>
References: <921694.96400.qm@web111308.mail.gq1.yahoo.com>
Message-ID: <49752B4C.1090507@gmail.com>

ann kok wrote:
> why click tinyurl.com to redirect to cisco site?
>
> Do they have any relationship?

Because the Cisco URL in question was long. That's the purpose of TinyURL and services like it.

Peace...  Sridhar

From oiyankok at yahoo.ca Mon Jan 19 20:15:47 2009
From: oiyankok at yahoo.ca (ann kok)
Date: Mon, 19 Jan 2009 17:15:47 -0800 (PST)
Subject: [c-nsp] 6513 vs
Message-ID: <808842.7565.qm@web111315.mail.gq1.yahoo.com>

Hi

Can you tell me what is the difference between 6513 and local direct in load balancing function?

Thank you

From jay at west.net Mon Jan 19 21:14:02 2009
From: jay at west.net (Jay Hennigan)
Date: Mon, 19 Jan 2009 18:14:02 -0800
Subject: [c-nsp] 3750 or 3560?
In-Reply-To: <921694.96400.qm@web111308.mail.gq1.yahoo.com>
References: <921694.96400.qm@web111308.mail.gq1.yahoo.com>
Message-ID: <4975336A.2080406@west.net>

ann kok wrote:
> why click tinyurl.com to redirect to cisco site?
>
> Do they have any relationship?

Some mail clients break long URLs by throwing in hard line breaks. Tinyurl allows a short link to be sent by email that redirects to the long ugly one.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From oboehmer at cisco.com Tue Jan 20 03:50:50 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 20 Jan 2009 09:50:50 +0100
Subject: [c-nsp] EoMPLS termination into L3 VRF
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406B82D84@xmb-ams-333.emea.cisco.com>

Marlon Duksa <> wrote on Tuesday, January 20, 2009 00:25:
> Hi, Does anyone know how to terminate EoMPLS (point to point service)
> on 7600 (ES20 cards) into a L3 VRF. Documentation says that it can be
> done but I can't find any examples.
>
> We do not want to create xconnect under EVC interface because this
> way we would waste an interface.
>
> It should be something like:
>
> intf vlan 10
>  vrf
>  ip address x.x.x.x
>  xconnect y.y.y.y 100 mpls

correct ("xconnect encaps mpls").

> -> the problem with this is that this
> has to be in the global context so that it can see remote PE

right.

> With this, it looks like it is defined in the vrf where y.y.y.y (remote
> PE) does not exist.

why? The PW endpoint y.y.y.y is looked up in the global table (might not be apparent looking at this config, but there is no "vrf-aware PW" where the PW endpoint would need to be looked up in the VRF context). Did you actually try this?
	oli

From rjs at eng.gxn.net Tue Jan 20 05:35:48 2009
From: rjs at eng.gxn.net (Rob Shakir)
Date: Tue, 20 Jan 2009 10:35:48 +0000
Subject: [c-nsp] BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH
In-Reply-To: <4974A319.60302@hostway.co.uk>
References: <20090116125718.GB26415@bronze.eng.gxn.net> <4974A319.60302@hostway.co.uk>
Message-ID: <20090120103548.GD20730@bronze.eng.gxn.net>

On Mon, Jan 19, 2009 at 03:58:17PM +0000, Jonathan Oddy wrote:
> As mentioned in both [1] and [2] this is especially critical as at
> present Cisco IOS will tear down sessions when receiving an AS4_PATH
> containing an AS_CONFED_SET/SEQUENCE.

Hi,

Whilst this behaviour is RFC compliant, as previously described, it is sub-optimal operationally. I have raised this issue with Cisco TAC, and CSCsx10140 has been opened to track this problem.

I would encourage those network operators who may be planning to deploy AS4-support and use Cisco equipment to open a SR with Cisco, tracking this bug, to try to ensure that both the IOS behaviour and the RFC are changed.

Many thanks,
Rob

--
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077  mob: +44797 155 4098
pgp: 0xc07e6deb  nic-hdl: RJS-RIPE

From zivl at gilat.net Tue Jan 20 05:13:46 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 20 Jan 2009 12:13:46 +0200
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
Message-ID:

Hi all,

Could anyone share if possible a kind of basic ATP you may use for new Cisco devices that you may receive? I'm in need of providing a customer with such a procedure for two new devices, a Cisco 1861 router and a Cisco ASA5510.

I'll appreciate any help.

Thanks,
Ziv

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From peter at rathlev.dk Tue Jan 20 06:30:43 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 20 Jan 2009 12:30:43 +0100
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
In-Reply-To:
References:
Message-ID: <1232451043.3327.9.camel@localhost.localdomain>

On Tue, 2009-01-20 at 12:13 +0200, Ziv Leyes wrote:
> Could anyone share if possible a kind of basic ATP you may use for new
> Cisco devices that you may receive?
> I'm in need of providing a customer with such procedure for two new
> devices, a Cisco 1861 router and a Cisco ASA5510

Is it just the hardware that needs to be acceptance tested or is it some kind of service depending on this hardware? I don't specifically recall the term "ATP" but I guess Operational Acceptance Testing is the same.

We only supply services, and the acceptance tests are defined by the receiving end, typically with some help from a Service Manager and a network engineer. The tests only check functionality, not endurance of the system. Typically the tests check everything defined in the SLA.

When receiving hardware we use for ourselves we have no formal acceptance tests; for core equipment it runs in a lab for some time and then takes on a role as a standby unit in the production net. Sometimes when time limits dictate it we end up just placing some new component in an important role without testing. I hope the manufacturer does some kind of burn in test. :-)

HTH,
Peter

From janasamit at wlink.com.np Tue Jan 20 07:15:04 2009
From: janasamit at wlink.com.np (Samit)
Date: Tue, 20 Jan 2009 18:00:04 +0545
Subject: [c-nsp] Number of Vlan supported in Catalyst
Message-ID: <4975C048.2020402@wlink.com.np>

Hi,

Can anyone give me a pointer/url from which I can find out how many 802.1Q Vlans are supported in various models of Catalyst switch? I am looking specifically for the following models:

2900XL --> 64
2950G ---> 255
3400ME ---->??
IE 3000 --->??

Regards,
Samit

From zivl at gilat.net Tue Jan 20 07:37:21 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 20 Jan 2009 14:37:21 +0200
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
In-Reply-To: <1232451043.3327.9.camel@localhost.localdomain>
References: <1232451043.3327.9.camel@localhost.localdomain>
Message-ID:

Ok, let me be more specific.

When we buy devices for our own use, we just open them, plug them in, and start using them; if there are any problems, we call the provider and they fix the problem (RMA or whatever).

In this case, we're going to sell the equipment as a kind of turn-key project, and the customer asked us to provide them with "our" ATP, which we don't really use for ourselves, so I'd like to implement one sort of testing procedure from now on for this type of case. We're going to attach this to a legal statement so we can't just type some BS there and that's it; we want to actually implement it, and if we write that we do a,b,c,d then we're going to do the a,b,c,d procedure for real.

I was thinking some of you guys may already use this kind of test routine and can help me create one.

I don't need some really serious stuff. I can imagine I'll check the delivery status of the package, open it, check that all the contents that need to be there are there, plug the device in and see that it works, perhaps load some configuration, plug in the hardware it is planned to hold if any (HWICs and so on), perform some soft and hard reboots, see that the device responds and there are links on all interfaces, and pack it back exactly as it was.

The problem is I don't know exactly how to write it down on a kind of form where there's a checkbox for each test.

Does anybody have some ready to go stuff?
From p.mayers at imperial.ac.uk Tue Jan 20 08:05:33 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 20 Jan 2009 13:05:33 +0000
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
In-Reply-To:
References: <1232451043.3327.9.camel@localhost.localdomain>
Message-ID: <4975CC1D.40500@imperial.ac.uk>

Ziv Leyes wrote:
> Ok, let me be more specific When we buy devices for our own use, we
> just open it, plug it, and start using them, if there are any
> problems, we call the provider and they fix the problem (RMA or
> whatever) In this case, we're going to sell the equipment as a kind
> of turn-key project, and the customer asked us to provide them with
> "our" ATP, which we don't really use for ourselves, so I'd like to
> implement one sort of testing procedure from now on for this type of
> cases. We're going to attach this to a legal statement so we can't
> just type some BS there and that's it, we want to actually implement
> it, and if we write we do a,b,c,d then we'll going to do a,b,c,d
> procedure for real. I was thinking some of you guys may already use
> this kind of test routines and can help me creating one. I don't need
> some really serious stuff, I can imagine I'll check the delivery
> status of the package, open it, check all the contents that need to
> be there are there, to plug the device and see it works, perhaps load
> some configuration, plug the hardware that is planned to hold if any
> (HWICS and so), perform some soft and hard reboots, see the device
> responds, there are links on all interfaces, and pack it back exactly
> as it was. The problem is I don't know how exactly write it down on a
> kind of form that there's a checkbox for each test. Does anybody have
> some ready to go stuff?

Well, it's going to depend very much on the kind of equipment.
For example, a mandatory step when we get anything for our 6500s is a complete run passing all GOLD tests (including the disruptive tests). We maintain a spare chassis specifically for this.

I don't know if ASA5510 and 1861 have diagnostics, but I don't think so. In that case, you're probably going to want something like:

 * Build a standard config involving (at least) your ASA & 18xx router, in which all or a large subset of the features are enabled
 * For each pair of devices you distribute, load the standard config on and run some test traffic
 * Leave it powered up for long enough to count as "burn in" i.e. 7 days?

So you'd write something like:

"""Party X will undertake to:

 * Unpack all equipment and check inventory
 * Check that equipment will power up
 * Load on a standard config, which tests:
   * OSPF routing
   * BGP routing
   * Packet forwarding
   * IPSec
   * Coffee making
 * Run test traffic for 48 hours, to ensure the devices compare to a known-good platform
 * Leave the config running for 7 days, to eliminate early-life failure

...before shipping to Customer Y"""

From luan at netcraftsmen.net Tue Jan 20 08:19:48 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Tue, 20 Jan 2009 08:19:48 -0500
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
In-Reply-To: <4975CC1D.40500@imperial.ac.uk>
References: <1232451043.3327.9.camel@localhost.localdomain> <4975CC1D.40500@imperial.ac.uk>
Message-ID: <00e001c97b01$c506a2e0$4f13e8a0$@net>

Going a bit further... how about looking at those benchmarking RFCs:
http://www.ietf.org/html.charters/bmwg-charter.html

In particular http://www.ietf.org/rfc/rfc2544.txt for the 1861 and http://www.ietf.org/rfc/rfc3511.txt for the ASA.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net  [M] luan at netcraftsmen.net  [Blog] http://cnc-networksecurity.blogspot.com/
From gkg at gmx.de Tue Jan 20 08:20:05 2009
From: gkg at gmx.de (Garry)
Date: Tue, 20 Jan 2009 14:20:05 +0100
Subject: [c-nsp] Number of Vlan supported in Catalyst
In-Reply-To: <4975C048.2020402@wlink.com.np>
References: <4975C048.2020402@wlink.com.np>
Message-ID: <4975CF85.30809@gmx.de>

Samit wrote:
> 3400ME ---->??
>
ME3400(config)#vlan ?
  WORD  ISL VLAN IDs 1-4094

From skeeve at skeeve.org Tue Jan 20 08:31:34 2009
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Wed, 21 Jan 2009 00:31:34 +1100
Subject: [c-nsp] Number of Vlan supported in Catalyst
In-Reply-To: <4975C048.2020402@wlink.com.np>
References: <4975C048.2020402@wlink.com.np>
Message-ID:

3400ME - 1005 active VLANs, numbering to 4096 (128 STP)
IE3000 - Not clear (see below), numbering to 4096 (128 STP)

It says @ https://www.cisco.com/en/US/docs/switches/lan/cisco_ie3000/software/release/12.2_44_ex/configuration/guide/swvlan.html#wp1298058

---
Supported VLANs

The switch supports VLANs in VTP client, server, and transparent modes. VLANs are identified by a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.

VTP only learns normal-range VLANs, with VLAN IDs 1 to 1005; VLAN IDs greater than 1005 are extended-range VLANs and are not stored in the VLAN database. The switch must be in VTP transparent mode when you create VLAN IDs from 1006 to 4094.

Although the switch supports a total of 255 (normal range and extended range) VLANs, the number of configured features affects the use of the switch hardware.

The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN. See the "Normal-Range VLAN Configuration Guidelines" section for more information about the number of spanning-tree instances and the number of VLANs.

The switch supports only IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
---

Whatever that means.

...Skeeve

--
Skeeve Stevens, CEO
eintellego Pty Ltd - The Networking Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: (+61) 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
--
NOC, NOC, who's there?
No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.9/1902 - Release Date: 19/01/2009 9:37 AM

From skeeve at skeeve.org Tue Jan 20 08:34:11 2009
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Wed, 21 Jan 2009 00:34:11 +1100
Subject: [c-nsp] Number of Vlan supported in Catalyst
In-Reply-To: <4975CF85.30809@gmx.de>
References: <4975C048.2020402@wlink.com.np> <4975CF85.30809@gmx.de>
Message-ID:

That is just what number range it supports, not the number of active VLANs.. which for that switch is 1005.

From: http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/product_data_sheet0900aecd8034fef3.html

".... Up to 1005 VLANs per switch and up to 128 spanning-tree instances per switch are supported."

...Skeeve

--
Skeeve Stevens, CEO
eintellego Pty Ltd - The Networking Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: (+61) 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
--
NOC, NOC, who's there?
From skeeve at skeeve.org Tue Jan 20 08:43:39 2009
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Wed, 21 Jan 2009 00:43:39 +1100
Subject: [c-nsp] Connecting a VRF between routers
Message-ID:

Firstly, YES, I've kind of asked this before, but with the different ways people do and understand things all over the world, I've not had a response that actually works.

So.. Simply.

I have, let's just say, 2 (two) routers and/or switches (3560, etc with VRF support).

I want to, at a layer 2 level, link a vrf on one router/switch to another.

What I am meaning here is: if I type 'show ip arp vrf BLAH' on one device, I want to see the ARP for devices connected into the VRF on the other router.

I don't particularly want to use tunnels due to MTU issues.

A VLAN with an SVI on a switch and a sub-e on a router work fine, but only if I have a full layer2 switched path all the way.

In some cases I do not. An example would be when we use another carrier to link two cities and they have an MPLS cloud in the middle. I want to link a VRF to another VRF on each side of the cloud.

I am not sure if what I want to do makes sense.. Some people just suggest MPLS, but it seems like an over complex solution if we're talking about 2-3 routers/switches.
If I am not being clear about something, please feel free to ask me for more info.

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From sthaug at nethelp.no Tue Jan 20 08:43:53 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 20 Jan 2009 14:43:53 +0100 (CET)
Subject: [c-nsp] Number of Vlan supported in Catalyst
In-Reply-To: <4975CF85.30809@gmx.de>
References: <4975C048.2020402@wlink.com.np> <4975CF85.30809@gmx.de>
Message-ID: <20090120.144353.74703285.sthaug@nethelp.no>

> Samit wrote:
> > 3400ME ---->??
> >
> ME3400(config)#vlan ?
>   WORD  ISL VLAN IDs 1-4094

Which does *not* necessarily mean you can have all 4094 VLANs configured and operating at the same time. According to
http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/product_data_sheet0900aecd8034fef3.html

"Up to 1005 VLANs per switch and up to 128 spanning-tree instances per switch are supported."

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From cklam at ias.edu Tue Jan 20 08:52:46 2009
From: cklam at ias.edu (Christina Klam)
Date: Tue, 20 Jan 2009 08:52:46 -0500
Subject: [c-nsp] Diagnostic errors in 6513
Message-ID: <4975D72E.5030503@ias.edu>

I replaced the original chassis in December because whatever supervisor I used in slot 8 would become "inactive" or "unknown" within 2 months. After the fourth supervisor reported the same issue and I had two line cards reporting problems, I bit the bullet and replaced the chassis. So far the new chassis is not having the same issue with slot 8.
But, until I upgraded the IOS & turned off all diagnostic tests a week ago, I continually had the following in the logs:

> %CONST_DIAG-SP-4-ERROR_COUNTER_DATA: ID:60 IN:0 PO:255 RE:5212 RM:255
> DV:30 EG:2 CF:10 TF:1585
> Jan 13 22:31:27.552 EST: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online
> Diagnostics
> Jan 13 22:31:46.339 EST: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD
> EEM TCL policy for TestNonDisruptiveLoopback

What diagnostic tests did I originally have enabled? The default.

--Chris

From p.mayers at imperial.ac.uk Tue Jan 20 09:07:23 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 20 Jan 2009 14:07:23 +0000
Subject: [c-nsp] Connecting a VRF between routers
In-Reply-To:
References:
Message-ID: <4975DA9B.4010408@imperial.ac.uk>

Skeeve Stevens wrote:
> Firstly, YES, I've kind of asked this before, but with the different ways
> people do and understand things all over the world, I've not had a response
> that actually works.
>
> So.. Simply.
>
> I have, lets just say 2 (two) routers and or switches (3560, etc with VRF
> support).
>
> I want to, at a layer 2 level, link a vrf on one router/switch to another.
>
> What I am meaning here is. If I type 'show ip arp vrf BLAH' on one device,
> I want to see the ARP for devices connected into the VRF on the other
> router.

You want to see "the ARP"? What does that mean? Do you mean:

"""I want a router in location A, with an IP interface inside a VRF.
I want a switch in location B, with a vlan.

I want to connect the VLAN to the routed interface."""

Perhaps you could draw a diagram and provide the config fragments you want to see in each location?

> I don't particularly want to use tunnels due to MTU issues.
>
> A VLAN with an SVI on a switch and a sub-e on a router work fine, but only
> if I have a full layer2 switched path all the way.
>
> In some cases I do not. An example would be when we use another carrier to
> link two cities and they have an MPLS cloud in the middle. I want to link a
> VRF to another VRF on each side of the cloud.
>
> I am not sure if what I want to do makes sense.. Some people just suggest
> MPLS, but it seems like an over complex solution if we're talking about 2-3
> routers/switches.
>
> If I am not being clear about something, please feel free to ask me for more
> info.

You seem to want magic. Your options using Cisco kit, that I know of, are:

 1. End-to-end MPLS transit, and MPLS-capable devices
 2. End-to-end layer2
 3. Tunnels (L2TP, GRE)

All require either jumbo frames, lower "inner" MTU (possibly with TCP MSS clamping) or fragmentation (and clearing the "don't frag" bit).

There are of course other esoteric options - you could run 2 linux boxes and tunnel PPP over SSH - since you're tunneling packets over TCP, you can have over-size packets and TCP segmentation will deal with it, but you can suffer massive jitter and buffering problems.

From pavel-subscriptions at pavel.pro Tue Jan 20 08:40:37 2009
From: pavel-subscriptions at pavel.pro (Pavel Stan)
Date: Tue, 20 Jan 2009 15:40:37 +0200
Subject: [c-nsp] Number of Vlan supported in Catalyst
In-Reply-To: <4975CF85.30809@gmx.de>
References: <4975C048.2020402@wlink.com.np> <4975CF85.30809@gmx.de>
Message-ID: <4975D455.6010807@pavel.pro>

For ME: Up to 1005 VLANs per switch and up to 128 spanning-tree instances per switch are supported.

Indeed, 4k of vlan "ID" supported.

Garry wrote:
> Samit wrote:
>
>> 3400ME ---->??
>>
> ME3400(config)#vlan ?
>   WORD  ISL VLAN IDs 1-4094

From abalashov at evaristesys.com Tue Jan 20 08:37:47 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 20 Jan 2009 08:37:47 -0500
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
In-Reply-To:
References: <1232451043.3327.9.camel@localhost.localdomain>
Message-ID: <4975D3AB.7020308@evaristesys.com>

But if it's attached to a legal statement, the more nebulous and elastic (aka BS) it is, the more protection you have from incurring liability for actually having done or not done something. That gets easier when the "acceptance testing process" is ill-defined and metaphysical, not harder.
I hope the manufacturer does some > kind of burn in test. :-) > > HTH, > Peter > > > > > > > > ************************************************************************************ > This footnote confirms that this email message has been scanned by > PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. > ************************************************************************************ > > > > > > > > > ************************************************************************************ > This footnote confirms that this email message has been scanned by > PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. > ************************************************************************************ > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (678) 237-1775 From zivl at gilat.net Tue Jan 20 09:36:59 2009 From: zivl at gilat.net (Ziv Leyes) Date: Tue, 20 Jan 2009 16:36:59 +0200 Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices In-Reply-To: <4975D3AB.7020308@evaristesys.com> References: <1232451043.3327.9.camel@localhost.localdomain> <4975D3AB.7020308@evaristesys.com> Message-ID: Thank you all guys for your answers! I think Phil has hit the nail and gave me an idea about what I was looking for, anything more thorough than this will be a waste of time in our case and unnecessary long. 
But I guess we'll finally opt for letting the Cisco QA be enough as a guarantee the devices work (there's always RMA) and have Alex's suggestion be the winner here: just be as nebulous as you can and follow the "ill-defined and metaphysical characteristique" of such an undefined term as "Acceptance Test Procedure".
I'd ask the customer:
Are you married? Did you fill an ATP form before you said "Yes, I do" ??? No??? Then c'mon, gimme a break!!! It's just a darn router we're talking here, not chaining your entire life with the same woman!!
A router can be replaced when malfunctioning, with a wife it's a bit more difficult, isn't it??
Thank you all again!
Ziv

-----Original Message-----
From: Alex Balashov [mailto:abalashov at evaristesys.com]
Sent: Tuesday, January 20, 2009 3:38 PM
To: Ziv Leyes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Acceptance Test Procedure for New Cisco Devices

But if it's attached to a legal statement, the more nebulous and elastic (aka BS) it is the more protection you have from incurring liability for actually having done or not done something.

That gets easier when the "acceptance testing process" is ill-defined and metaphysical, not harder.

Ziv Leyes wrote:
> Ok, let me be more specific
> When we buy devices for our own use, we just open it, plug it, and start using them; if there are any problems, we call the provider and they fix the problem (RMA or whatever)
> In this case, we're going to sell the equipment as a kind of turn-key project, and the customer asked us to provide them with "our" ATP, which we don't really use for ourselves, so I'd like to implement one sort of testing procedure from now on for this type of cases. We're going to attach this to a legal statement so we can't just type some BS there and that's it, we want to actually implement it, and if we write we do a,b,c,d then we're going to do the a,b,c,d procedure for real.
From rubensk at gmail.com Tue Jan 20 10:02:24 2009
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 20 Jan 2009 13:02:24 -0200
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
In-Reply-To:
References: <1232451043.3327.9.camel@localhost.localdomain> <4975D3AB.7020308@evaristesys.com>
Message-ID: <6bb5f5b10901200702w32053161xea726471acdcc2ef@mail.gmail.com>

> But I guess we'll finally opt for letting the Cisco QA be enough as a guarantee the devices work (there's always RMA) and have Alex's suggestion be the winner here, just be as nebulous as you can and follow the "ill-defined and metaphysical characteristique" of such undefined term as "Acceptance Test Procedure"
> I'd ask the customer:
> Are you married? Did you fill an ATP form before you said "Yes, I do" ??? No??? Then c'mon, gimme a break!!! It's just a darn router we're talking here, not chaining your entire life with the same woman!!
> A router can be replaced when malfunctioning, with a wife it's a bit more difficult, isn't it??

Actually there are best practices to that also, see
http://www.iambored.co.za/funny/girlfriend-v10-v20/

Rubens

From omar.parihuana at gmail.com Tue Jan 20 11:26:30 2009
From: omar.parihuana at gmail.com (omar parihuana)
Date: Tue, 20 Jan 2009 11:26:30 -0500
Subject: [c-nsp] What does mean Unknown state in Online diag..
7609 Router
Message-ID: <834c50110901200826o4bbad617q3f3f8560eb3dc9aa@mail.gmail.com>

Hi Folks,

Recently I've installed a SPA-2XT3/E3 card (in module 7), but I get an unknown state in the online diagnostic. What does this "Unknown" mean? The LED status on the card is ok, and the sh diagbus is also ok:

Mod Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
7/0 2xOC3 ATM SPA                SPA-2XOC3-ATM      JAE1217FPTR 1.1     Ok
7/1 2xT3E3 SPA                   SPA-2XT3/E3        JAE1219H6QE 1.1     Ok

Mod Online Diag Status
---- -------------------
1    Pass
5    Pass
6    Pass
7    Pass
7/0  Not Applicable
7/1  Unknown <<<<<<<<<<<<<<<<<<<<<<<<<<
8    Pass
8/0  Not Applicable
8/1  Not Applicable

Slot 7: Logical_index 14
4-subslot SPA Interface Processor-200 controller
Board is analyzed ipc ready
HW rev 2.303, board revision C0
Serial Number: JAE1220HSI2 Part number: 73-10476-03
Slot database information:
Flags: 0x2004 Insertion time: 0x17E48 (1w4d ago)
Controller Memory Size: 832 MBytes CPU Memory 191 MBytes Packet Memory 1023 MBytes Total on Board SDRAM
Cisco IOS Software, cwlc Software (sip1-DW-M), Version 12.2(33)SRB3, RELEASE SOFTWARE (fc1)
SPA Information:
subslot 7/0: SPA-2XOC3-ATM (0x46E), status: ok
subslot 7/1: SPA-2XT3/E3 (0x40C), status: ok

Thanks!!

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!

From barry at opensolutions.ie Tue Jan 20 11:17:42 2009
From: barry at opensolutions.ie (Barry O'Donovan)
Date: Tue, 20 Jan 2009 16:17:42 +0000
Subject: [c-nsp] Set Virtual-Template 'ip wccp x redirect in' via RADIUS attribute on LNS
Message-ID: <200901201617.42918.barry@opensolutions.ie>

Hi folks,

In a nutshell, I have an ISP who has LNS' terminating L2TP tunnels from the incumbent telco. These L2TP tunnels are terminated based on domain as is common and we have three terminating vpdn-groups (two production, one testing).
Each vpdn-group uses the same virtual template ('virtual-template 1') and this template in turn has a hard coded 'ip wccp x redirect in' (where x is the configured wccp service id; we'll use 97). So the watered down config is:

vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 ...

vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 1
 ...

...

interface Virtual-Template1
 ip unnumbered Loopback0
 ip access-group cust-in in
 ip wccp 97 redirect in
 ...

What I need to do is to be able to selectively use 'ip wccp 97 redirect in' by RADIUS attribute but I can't seem to find the right (any) RADIUS attributes. I think there may be two ways of doing it but I don't know if any / either are possible:

1) have RADIUS specify a 'virtual-template 2' rather than 1 dynamically where I don't have the 'ip wccp 97 redirect in' statement;

2) have RADIUS specify an attribute that can add the 'ip wccp 97 redirect in' statement dynamically.

Any help / advice would be much appreciated.

Kind regards,
Barry O'Donovan
http://www.opensolutions.ie/

From listensammler at gmx.de Tue Jan 20 13:44:10 2009
From: listensammler at gmx.de (listensammler at gmx.de)
Date: Tue, 20 Jan 2009 19:44:10 +0100
Subject: [c-nsp] Set Virtual-Template 'ip wccp x redirect in' via RADIUS attribute on LNS
In-Reply-To: <200901201617.42918.barry@opensolutions.ie>
References: <200901201617.42918.barry@opensolutions.ie>
Message-ID: <49761B7A.40607@gmx.de>

Hi Barry,

> 2) have RADIUS specify an attribute that can add the 'ip wccp 97 redirect in'
> statement dynamically.
>

I think the following Reply-Item should work:

Attribut: Cisco-AVPair
Value: lcp:no ip wccp 97 redirect in

So you can disable wccp for selected users. If you prefer to enable it for different users, you have to remove "ip wccp 97 redirect in" from virtual-template1 and use this Reply-Item:

Attribut: Cisco-AVPair
Value: lcp:ip wccp 97 redirect in

I couldn't test it myself, because we don't use the wccp feature....
Regards,
Alex Detzen

From marc at sniff.de Tue Jan 20 19:08:41 2009
From: marc at sniff.de (Marc Binderberger)
Date: Tue, 20 Jan 2009 19:08:41 -0500
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
In-Reply-To:
References: <1232451043.3327.9.camel@localhost.localdomain> <4975D3AB.7020308@evaristesys.com>
Message-ID: <960488A0-C71C-4937-8C9A-A0B584DC8BB9@sniff.de>

Hi Ziv,

> But I guess we'll finally opt for letting the Cisco QA be enough as
> a guarantee the devices work (there's always RMA) and have Alex's
> suggestion be the winner here, just be as nebulous as you can and
> follow the "ill-defined and metaphysical characteristique" of such
> undefined term as "Acceptance Test Procedure"

Is a hardware failure what the customer is worried about? You mentioned a turn-key solution and as a customer I would be more worried about whether the solution actually works as expected. The detail that you have RMA contracts with Cisco and within what time is only part of it. Routers/Firewalls are mostly a software product with all the consequences.

Regarding the "ill-defined" - may work. Sometimes it also works to be extremely detailed. You describe a test procedure in the very detail, so there is no doubt what you have tested and how to reproduce it. Doesn't mean the test has to be complicated - even if it's trivial you can hide this in many test steps ;-)

E.g. power-cycling a whole setup is a valid test - after a power outage you want your solution to come back up again.

Regards, Marc

>
> I'd ask the customer:
> Are you married? Did you fill an ATP form before you said "Yes, I
> do" ??? No??? Then c'mon, gimme a break!!! It's just a darn router
> we're talking here, not chaining your entire life with the same
> woman!!
> A router can be replaced when malfunctioning, with a wife it's a bit
> more difficult, isn't it??
> Thank you all again!
--
Marc Binderberger

From abalashov at evaristesys.com Tue Jan 20 19:18:25 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 20 Jan 2009 19:18:25 -0500
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
In-Reply-To: <960488A0-C71C-4937-8C9A-A0B584DC8BB9@sniff.de>
References: <1232451043.3327.9.camel@localhost.localdomain> <4975D3AB.7020308@evaristesys.com> <960488A0-C71C-4937-8C9A-A0B584DC8BB9@sniff.de>
Message-ID: <497669D1.6080300@evaristesys.com>

Yep, that's the other end of the spectrum. If the test is extremely detailed, it can also mitigate liability by being "thorough" and "complete" from a contractual obligation perspective. Precision is always better than ambiguity from a legal perspective, all other things being equal.

It can still consist of little to no meaningful work. Something like:

* Power-cycle high availability metrics assessment.
* IOS command line interface code train regression test.
* Layer 2 Media Access Control interface state transition test.
* NTP time server synchronisation exercise under nonzero load.
* Telnet RFC 854 interoperability regime.
* RFC 1073 NAWS compliance test.
* NVRAM installation verification.
* Flash I/O subsystem test.
* Professional interface inspection for jumbo frame incidence.
* Deployment of Maximum Transfer Unit (MTU) processing engine.
* Metaphysical Feature Card (MPFC) integration.

But unless that seems straightforward to do, the best route is cloudy ambiguity.
--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From abalashov at evaristesys.com Tue Jan 20 19:23:05 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 20 Jan 2009 19:23:05 -0500
Subject: [c-nsp] Acceptance Test Procedure for New Cisco Devices
In-Reply-To: <497669D1.6080300@evaristesys.com>
References: <1232451043.3327.9.camel@localhost.localdomain> <4975D3AB.7020308@evaristesys.com> <960488A0-C71C-4937-8C9A-A0B584DC8BB9@sniff.de> <497669D1.6080300@evaristesys.com>
Message-ID: <49766AE9.40605@evaristesys.com>

Alex Balashov wrote:

> * Deployment of Maximum Transfer Unit (MTU) processing engine.

Actually, you can upsell this feature. Take a page from the Cisco VAR channel on this.

You: "You DO want the MAXIMUM(tm) transfer unit, right?"
Customer: "... well... yes...?"
You: "Great, it'll be an additional $200 for the 1500 byte series ValuePack."
Customer: "Really? That's it? $200? Excellent!"
--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From ariemer at wesenergy.com.au Tue Jan 20 21:45:16 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Wed, 21 Jan 2009 11:45:16 +0900
Subject: [c-nsp] Cisco Tools
Message-ID: <0867622C64B50C4B878AB45C95F43F11066FF33A@MAILWA01.wesenergy.local>

Hey guys,

I have found quite a useful website for different cisco configurations etc.. If anyone has any similar feel free to post in this thread :-)

http://www.bradreese.com/cisco-tools.htm

Props to Brad.

Cheers,
Aaron.

LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From gkg at gmx.de Wed Jan 21 02:37:45 2009
From: gkg at gmx.de (Garry)
Date: Wed, 21 Jan 2009 08:37:45 +0100
Subject: [c-nsp] Which QoS/Shaping is actually supported on ME3400?
Message-ID: <4976D0C9.9070609@gmx.de>

Hi,

I'm playing with an ME3400 in our Lab, trying to set up some QoS/Shaping stuff ... I want to see whether I can limit the throughput on the uplink port (using G0/1 for that, or rather, ether-channeled g0/1+2) to any value, not shaping a certain protocol/service, but rather the whole link. I've tried all the logical choices, like vlans, IP traffic, etc., but somehow all I get when I try to set up the policy-map for the port is the error that that kind of class is not supported on the interface ...
as I can't seem to find any decent explanation in the manual entries, I'm wondering which classes are actually configurable on an ME3400 ... n.b.: I'm using the MetroAccess IOS 12.2.46 on it ... Tnx, -garry From rmacharia at gmail.com Wed Jan 21 02:48:56 2009 From: rmacharia at gmail.com (Raymond Macharia) Date: Wed, 21 Jan 2009 10:48:56 +0300 Subject: [c-nsp] Which QoS/Shaping is actually supported on ME3400? In-Reply-To: <4976D0C9.9070609@gmx.de> References: <4976D0C9.9070609@gmx.de> Message-ID: Hi,you may need to change the IOS to the METROIPACCESS version. Regards Raymond On Wed, Jan 21, 2009 at 10:37 AM, Garry wrote: > Hi, > > I'm playing with an ME3400 in our Lab, trying to set up some QoS/Shaping > stuff ... I want to see whether I can limit the throughput on the uplink > port (using G0/1 for that, or rather, ether-channeled g0/1+2) to any > value, not shaping a certain protocol/service, but rather the whole > link. I've tried all the logical choices, like vlans, IP traffic, etc., > but somehow all I get when I try to set up the policy-map for the port > is the error that that kind of class is not supported on the interface > ... as I can't seem to find any decent explanation in the manual > entries, I'm wondering which classes are actually configurable on an > ME3400 ... > n.b.: I'm using the MetroAccess IOS 12.2.46 on it ... > > Tnx, -garry > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Raymond Macharia From avayner at cisco.com Wed Jan 21 02:54:49 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Wed, 21 Jan 2009 08:54:49 +0100 Subject: [c-nsp] Connecting a VRF between routers In-Reply-To: References: Message-ID: <78C984F8939D424697B15E4B1C1BB3D714CE82@xmb-ams-331.emea.cisco.com> Skeeve, I am not sure I fully understand your application, but a few things come to mind: 1. 
You can buy a VPLS service from your SP (the one that has an MPLS cloud) and ask them to provision a L2 cloud between your sites. 2. You could try using some tunnels (most solutions would be L3 based except EoMPLS), but platform/software support for this is limited 3. Run L3 VPN between your sites using the SP's service. This would not allow for L2 interconnection, but would allow IP communication. If you give a better view of what you want actually to achieve maybe we can come up with something more specific. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Skeeve Stevens Sent: Tuesday, January 20, 2009 15:44 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Connecting a VRF between routers Firstly, YES, I've kind of asked this before, but with the different ways people do and understand things all over the world, I've not had a response that actually works. So.. Simply. I have, lets just say 2 (two) routers and or switches (3560, etc with VRF support). I want to, at a layer 2 level, link a vrf on one router/switch to another. What I am meaning here is. If I type 'show ip arp vrf BLAH' on one device, I want to see the ARP for devices connected into the VRF on the other router. I don't particularly want to use tunnels due to MTU issues. A VLAN with an SVI on a switch and a sub-e on a router work fine, but only if I have a full layer2 switched path all the way. In some cases I do not. An example would be when we use another carrier to link two cities and they have an MPLS cloud in the middle. I want to link a VRF to another VRF on each side of the cloud. I am not sure if what I want to do makes sense.. Some people just suggest MPLS, but it seems like an over complex solution if we're talking about 2-3 routers/switches. If I am not being clear about something, please feel free to ask me for more info. 
-- Skeeve Stevens, RHCE skeeve at skeeve.org / www.skeeve.org Cell +61 (0)414 753 383 / skype://skeeve eintellego - skeeve at eintellego.net - www.eintellego.net -- I'm a groove licked love child king of the verse Si vis pacem, para bellum _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From brad.henshaw at qcn.com.au Wed Jan 21 08:23:07 2009 From: brad.henshaw at qcn.com.au (Brad Henshaw) Date: Wed, 21 Jan 2009 23:23:07 +1000 Subject: [c-nsp] Which QoS/Shaping is actually supported on ME3400? Message-ID: <8B25B862BC09784B9B74FB950D4F64D406CCC2@qcnapp01.corp.qcn> Garry wrote: > I'm playing with an ME3400 in our Lab, trying to set up some QoS/Shaping stuff ... I'm pretty sure the last ME3400 I had my hands on was running Metro Access and was able to shape but only in class-default at the top level of the policy. Granularity at anything less than about 50Mbps was pretty much useless also. The Quality of Service section of the Software Configuration Guide for your particular software version should cover everything. Regards, Brad From gkg at gmx.de Wed Jan 21 10:15:43 2009 From: gkg at gmx.de (Garry) Date: Wed, 21 Jan 2009 16:15:43 +0100 Subject: [c-nsp] Which QoS/Shaping is actually supported on ME3400? In-Reply-To: <8B25B862BC09784B9B74FB950D4F64D406CCC2@qcnapp01.corp.qcn> References: <8B25B862BC09784B9B74FB950D4F64D406CCC2@qcnapp01.corp.qcn> Message-ID: <49773C1F.8000609@gmx.de> Brad Henshaw wrote: > Garry wrote: > > >> I'm playing with an ME3400 in our Lab, trying to set up some >> > QoS/Shaping stuff ... > > I'm pretty sure the last ME3400 I had my hands on was running Metro > Access and was able to shape but only in class-default at the top level > of the policy. Granularity at anything less than about 50Mbps was pretty > much useless also. 
> > The Quality of Service section of the Software Configuration Guide for > your particular software version should cover everything. > The only shaping I've been able to configure is somewhat "limited", as it only allows either ~60mbit or ~111mbit ... all other commands/settings I've tried are rejected when I try to assign the policy map to the uplink interface ... Alternatively, I tried setting an incoming policy on the 4500, but that one seems to be completely ignored, even though there at least I can configure arbitrary bit rates ... -garry From psirt at cisco.com Wed Jan 21 11:00:00 2009 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wed, 21 Jan 2009 17:00:00 +0100 Subject: [c-nsp] Cisco Security Advisory: Cisco Security Manager Vulnerability Message-ID: <200901211702.csm@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco Security Manager Vulnerability Advisory ID: cisco-sa-20090121-csm http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml Revision 1.0 For Public Release 2009 January 21 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= Cisco Security Manager contains a vulnerability when it is used with Cisco IPS Event Viewer (IEV) that results in open TCP ports on both the Cisco Security Manager server and IEV client. An unauthenticated, remote attacker could leverage this vulnerability to access the MySQL databases or IEV server. Cisco has released free software updates that address this vulnerability. A workaround is also available to mitigate this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml Affected Products ================= Vulnerable Products +------------------ All 3.1 and 3.2 versions prior to 3.2.2 of Cisco Security Manager are affected by this vulnerability. 
Cisco IEV is installed with Cisco Security Manager by default, but the vulnerability is not exposed until IEV has been launched. Products Confirmed Not Vulnerable +-------------------------------- The following products have been confirmed not vulnerable: * Cisco Security Manager 3.2.2 * Cisco Security Manager 3.0.x and earlier * Standalone implementations of Cisco IEV * Cisco IPS Manager Express No other Cisco products are currently known to be affected by this vulnerability. Details ======= Cisco Security Manager is an enterprise-class management application that is designed to configure firewall, VPN, and intrusion prevention security services on Cisco network and security devices. As part of Cisco Security Manager installation, the Cisco IEV is installed by default. The IEV is a Java-based application that allows users to view and manage alerts for up to five sensors, including the ability to report top alerts, attackers, and victims over a specified number of hours or days. Users can connect to and view alerts in real time or via imported log files, configure filters and views to help manage alerts, and import and export event data for further analysis. A vulnerability exists in the Cisco Security Manager server. When the IEV is launched, it opens several remotely available TCP ports on the Cisco Security Manager server and client. These ports could allow remote, unauthenticated root access to the IEV database and server. When IEV is closed, it closes open ports on the Cisco Security Manager client that launched the IEV but fails to close open ports on the server. If the IEV has never been used on the system, the Cisco Security Manager server is not vulnerable. The IEV database contains events that are collected from Cisco Intrusion Prevention System (IPS) devices. The IEV server allows an unauthenticated user to add, delete, or modify the devices that are added into the IEV. 
This vulnerability is documented in Cisco Bug ID: CSCsv66897 This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3820. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsv66897: Cisco Security Manager/IEV: TCP Ports open for remote connection without any authentication CVSS Base Score - 8.8 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - None CVSS Temporal Score - 7.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may result in remote root access to the IEV database or to the IEV Server. Upon launching the IEV, remotely accessible ports are opened on the Cisco Security Manager server and on the client where the IEV is launched. When the IEV application is closed, these ports are subsequently closed on the client; however, they remain open on the Cisco Security Manager server. 
Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. A software patch for Cisco Security Manager versions 3.1, 3.1.1, 3.2 and 3.2.1 is available for download at: http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app?psrtdcat20e2 The patch file names by Cisco Security Manager version follow: +------------------------------------------+ | Cisco | | | Security | Patch Filename | | Manager | | | version | | |-----------+------------------------------| | 3.0.x and | Not Vulnerable | | earlier | | |-----------+------------------------------| | 3.1 | CSM310PatchCSCsv66897.zip | |-----------+------------------------------| | 3.1.1.SP3 | CSM311SP3PatchCSCsv66897.zip | |-----------+------------------------------| | 3.2.SP2 | CSM320SP2PatchCSCsv66897.zip | |-----------+------------------------------| | 3.2.1.SP1 | CSM321SP1PatchCSCsv66897.zip | |-----------+------------------------------| | 3.2.2 | Not Vulnerable | +------------------------------------------+ Please read the corresponding readme files for installation instructions. Workarounds =========== In the event that Cisco IEV is not being used, administrators are advised to disable the functionality until a patch is applied. To disable IEV on Cisco Security Manager, perform the following steps: 1. Access the Microsoft Windows Server that Cisco Security Manager is installed on. 2. Open the Services dialog box (Choose Start > Administrative Tools > Services). 3. 
Locate the Cisco IPS Event Viewer service and open Properties. 4. Change Startup Type: to Disabled and click Ok. 5. Stop the Cisco IPS Event Viewer service. 6. Stop and Restart the Cisco Security Manager Daemon Manager service. 7. Confirm that the Cisco IPS Event Viewer service has not restarted. Upon disabling the Cisco IPS Event Viewer service, the open ports on the Cisco Security Manager server will be closed. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090121-csm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. 
For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. 
Exploitation and Public Announcements ===================================== Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. This vulnerability was discovered through internal Cisco testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. 
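The workaround above says that disabling the Cisco IPS Event Viewer service closes the ports it left open on the Cisco Security Manager server, but it gives no way to confirm that. The following is an added example, not part of the Cisco advisory: it diffs two captures of Windows `netstat -ano` output taken before and after steps 1-7 and reports which TCP listeners disappeared and which are still open beyond a known baseline. The netstat lines are constructed, and the ports 50000/50001 standing in for the IEV listeners are hypothetical, since the advisory does not name the ports IEV opens.

```python
"""Check that a disabled service really closed its listening TCP ports.

Added example, not part of the Cisco advisory: capture `netstat -ano` on
the Cisco Security Manager server before disabling the Cisco IPS Event
Viewer service and again after restarting the Daemon Manager, then diff
the LISTENING sockets. The captures below are constructed, and the ports
50000/50001 that stand in for the IEV listeners are hypothetical.
"""
import re

# One line of Windows `netstat -ano` output, e.g.
#   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    880
# UDP lines carry no state column, so the state and PID groups are optional.
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s*(\S+)?\s*(\d+)?\s*$"
)


def parse_listeners(netstat_text):
    """Return {port: pid} for every TCP socket reported as LISTENING."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, _addr, port, state, pid = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listeners[int(port)] = int(pid) if pid else None
    return listeners


def compare_listeners(before_text, after_text, baseline_ports):
    """Diff two captures.

    Returns (closed, unexpected): `closed` are TCP ports listening before
    but not after; `unexpected` are ports still listening after the change
    that are not in `baseline_ports` (the server's known, wanted listeners).
    """
    before = parse_listeners(before_text)
    after = parse_listeners(after_text)
    closed = set(before) - set(after)
    unexpected = set(after) - set(baseline_ports)
    return closed, unexpected


# Constructed captures: three baseline listeners in both, plus two
# hypothetical IEV listeners (50000, 50001) present only before the change.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:1741           0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING       2210
  TCP    0.0.0.0:50001          0.0.0.0:0              LISTENING       2210
  TCP    10.0.0.7:443           10.0.0.40:51234        ESTABLISHED     1544
  UDP    0.0.0.0:123            *:*                                    996
"""
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:1741           0.0.0.0:0              LISTENING       1544
  UDP    0.0.0.0:123            *:*                                    996
"""
BASELINE_PORTS = {135, 443, 1741}  # constructed: what this server should expose


def workaround_effective(before_text=BEFORE, after_text=AFTER,
                         baseline_ports=BASELINE_PORTS):
    """True when nothing outside the baseline is still listening."""
    _closed, unexpected = compare_listeners(before_text, after_text, baseline_ports)
    return not unexpected


if __name__ == "__main__":
    closed, unexpected = compare_listeners(BEFORE, AFTER, BASELINE_PORTS)
    print("closed:", sorted(closed))
    print("unexpected still open:", sorted(unexpected))
```

The baseline matters more than the diff: a listener that was already open before IEV was ever launched will not show up as "closed", so build the baseline from a server on which IEV has never been started (the advisory's own definition of a non-vulnerable server) rather than from the "before" capture.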
Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-January-21 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkl3Q3QACgkQ86n/Gc8U/uCrVwCgjzYJzcc9npFzFfdAnudO1QYC JvAAn1Ij4FRrttn3WjOHF+GthJw1x1+K =5AmB -----END PGP SIGNATURE----- From psirt at cisco.com Wed Jan 21 11:15:00 2009 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wednesday, 21 January 2009 10:15:00 -0600 Subject: [c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager CAPF Denial of Service Vulnerability` Message-ID: <200901211015.cucmcapf@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco Unified Communications Manager CAPF Denial of Service Vulnerability Advisory ID: cisco-sa-20090121-cucmcapf Revision 1.0 For Public Release 2009 January 21 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco Unified Communications Manager, formerly Cisco CallManager, contains a denial of service (DoS) vulnerability in the Certificate Authority Proxy Function (CAPF) service. Exploitation of this vulnerability could cause an interruption in voice services. The CAPF service is disabled by default. Cisco has released free software updates that address this vulnerability. 
Workarounds that mitigate this vulnerability are available. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090121-cucmcapf.shtml Affected Products ================= Vulnerable Products +------------------ These products are vulnerable: * Cisco Unified Communications Manager 5.x versions prior to 5.1(3e) * Cisco Unified Communications Manager 6.x versions prior to 6.1(3) Administrators of systems that are running Cisco Unified Communications Manager versions 5.x and 6.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager Administration interface. The software version can also be determined by running the command show version active by way of the command line interface (CLI). Products Confirmed Not Vulnerable +-------------------------------- Cisco Unified Communications Manager version 4.x and Cisco Unified Communications Manager Express are not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability. Note: Cisco Unified Communications Manager 7.0(1) shipped with the software fix for this vulnerability and is not affected. Details ======= The CAPF service of Cisco Unified Communications Manager versions 5.x and 6.x contains a vulnerability when handling malformed input that may result in a DoS condition. The CAPF service is disabled by default; however, if it is enabled, the CAPF service listens by default on TCP port 3804 and the listening port is configurable by the user. There is a workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3e) and 6.1(3). This vulnerability is documented in Cisco Bug ID CSCsq32032 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0057. 
Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCsq32032 - CAPF DoS when client terminates prematurely CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability described in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. 
Cisco Unified Communications Manager version 5.1(3e) contains the fix for this vulnerability and can be downloaded here: http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Cisco Unified Communications Manager version 6.1(3) contains the fix for this vulnerability and can be downloaded here: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Workarounds =========== To mitigate this vulnerability, system administrators can disable the CAPF service if it is not necessary for business operations. Access to the CAPF service is only required if Cisco Unified Communications Manager systems and IP phone devices are configured to use certificates for a secure deployment. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices if the CAPF service is required. If the CAPF service is enabled, allow access to TCP port 3804 only from networks that contain IP phone devices that require the CAPF service. The CAPF port is user configurable, and if modified, filtering on screening devices should be based on the TCP port that is used. 
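The filtering workaround above is easy to get subtly wrong (a missing phone subnet, a forgotten non-default port, an ACL that accidentally blocks all other traffic to the CUCM). The following is an added example, not part of the Cisco advisory: a small Python generator that emits an IOS extended ACL permitting the CAPF port only from the phone networks, plus a top-down evaluator of the generated entries so the decision for a given flow can be checked before the ACL goes onto a screening device. The phone subnets, the CUCM address and the ACL name are constructed; 3804 is the default CAPF port from the advisory and is a parameter because the port is configurable. The evaluator only understands the entry shapes the generator emits, not IOS ACL syntax in general.

```python
"""Generate and dry-run a screening-device ACL for the CUCM CAPF port.

Added example, not part of the Cisco advisory. The phone subnets, CUCM
address and ACL name are constructed; 3804 is the advisory's default CAPF
port and is a parameter because CAPF's listening port is configurable.
"""
import ipaddress


def build_capf_acl(acl_name, cucm_host, phone_networks, capf_port=3804):
    """Return IOS extended ACL lines allowing CAPF only from phone networks.

    Entries: one permit per phone network, a logged deny for everyone else
    to the CAPF port, and a closing `permit ip any any` so the ACL touches
    nothing but CAPF. Apply it inbound on the interface facing the networks
    that should not reach CAPF. /32 networks are emitted as `host` and /0
    as `any` because a 0.0.0.0 or 255.255.255.255 wildcard is ambiguous.
    """
    lines = [f"ip access-list extended {acl_name}"]
    for net in phone_networks:
        n = ipaddress.ip_network(net, strict=False)
        if n.prefixlen == 0:
            src = "any"
        elif n.prefixlen == n.max_prefixlen:
            src = f"host {n.network_address}"
        else:
            src = f"{n.network_address} {n.hostmask}"  # IOS wildcard mask
        lines.append(f" permit tcp {src} host {cucm_host} eq {capf_port}")
    lines.append(f" deny tcp any host {cucm_host} eq {capf_port} log")
    lines.append(" permit ip any any")
    return lines


def acl_decision(acl_lines, src_ip, dst_ip, dst_port):
    """Walk the generated ACL top-down and return 'permit' or 'deny'.

    Handles only what build_capf_acl emits: tcp entries with an `any`,
    `host X` or `net wildcard` source, a `host` destination, an `eq` port,
    and the final `permit ip any any`. An unmatched flow hits the implicit
    deny that ends every IOS ACL.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines[1:]:  # skip the `ip access-list extended` header
        tok = line.split()
        action, proto = tok[0], tok[1]
        if proto == "ip" and tok[2:4] == ["any", "any"]:
            return action
        if tok[2] == "any":
            src_ok, rest = True, tok[3:]
        elif tok[2] == "host":
            src_ok, rest = src == ipaddress.ip_address(tok[3]), tok[4:]
        else:
            # ipaddress accepts a wildcard (host) mask after the slash
            src_ok = src in ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
            rest = tok[4:]
        # rest == ['host', <dst>, 'eq', <port>, ...]
        dst_ok = rest[0] == "host" and ipaddress.ip_address(rest[1]) == dst
        port_ok = rest[2] == "eq" and int(rest[3]) == dst_port
        if src_ok and dst_ok and port_ok:
            return action
    return "deny"


PHONE_NETS = ["10.10.0.0/16", "10.20.0.0/24"]  # constructed phone subnets
CUCM = "10.0.0.5"                               # constructed CUCM address


def demo(capf_port=3804):
    """Three flows against the generated ACL: phone, stranger, other port."""
    acl = build_capf_acl("CAPF-FILTER", CUCM, PHONE_NETS, capf_port)
    return {
        "phone": acl_decision(acl, "10.10.3.7", CUCM, capf_port),
        "other_host": acl_decision(acl, "192.0.2.9", CUCM, capf_port),
        "other_port": acl_decision(acl, "192.0.2.9", CUCM, 443),
    }


if __name__ == "__main__":
    print("\n".join(build_capf_acl("CAPF-FILTER", CUCM, PHONE_NETS)))
    print(demo())
```

If the CAPF port was changed in CUCM, pass that port to build_capf_acl; the generated deny then still covers the real listener, which is exactly the mistake the advisory warns about when filters are left at 3804.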
For Cisco Unified Communications Manager 5.x and 6.x systems, please consult the following documentation for details on how to disable Cisco Unified Communications Manager services: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/service/5_0_1/ccmsrva/sasrvact.html#wp1048220 Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090121-cucmcapf.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. 
Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. 
Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco by VoIPshield. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090121-cucmcapf.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. 
Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-January-21 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iD8DBQFJd0dD86n/Gc8U/uARAhPkAJ9eOS8yZa18csFfRpyarwx2G4G00wCgjPWa Jd/WyK/F5INcBCYG2KCL2K0= =MqQz -----END PGP SIGNATURE----- From spencer at ceiva.com Wed Jan 21 12:08:51 2009 From: spencer at ceiva.com (Spencer Barnes) Date: Wed, 21 Jan 2009 09:08:51 -0800 Subject: [c-nsp] Cisco 7206 - High CPU Utilization References: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local><4948B693.6000908@infopact.nl> <0BE527EE61205F409B0EDB4F6544552E01BE21A5@stewie.ceiva.local> <0BE527EE61205F409B0EDB4F6544552E01BE21C6@stewie.ceiva.local> Message-ID: <0BE527EE61205F409B0EDB4F6544552E01C9301E@stewie.ceiva.local> It has been a while but I wanted to follow up on the problem I was having. It looks like IOS is the main culprit. I downgraded from 12.4(21) to 12.3(14)T7 this morning and the CPU utilization has dropped. I received a message from another user that has 7206VXRs with NPE-300s and he had CPU utilization issues with 12.4. Thanks for all the help everyone! 
Spencer

-----Original Message-----
From: Spencer
Sent: Thursday, December 18, 2008 9:00 AM
To: 'Mikael Abrahamsson'
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco 7206 - High CPU Utilization

Thanks for the suggestion, unfortunately it didn't have an impact on the CPU utilization. I received this suggestion as well:

"If you run AES instead you'll massively reduce your CPU utilization. I'd suggest a G1 at least for what you're doing. An 1811 would probably run better than this router because the processor is at least somewhat designed to handle what you're doing."

It helped reduce utilization on the VPN process by about 20% but I'm still seeing high CPU utilization when uploading from our network. I should have mentioned that the border router with the high CPU utilization is connected to another Cisco 7206 with a lesser NPE-200. All the same traffic flowing through the border router is going through the core, so you'd think it would exhibit the high CPU utilization, but it never breaks a sweat. This seems important and seems to indicate the border router is having a problem?

I'm thinking of downgrading the IOS on the border router ((C7200-JK9O3S-M), Version 12.4(21)) to match the core ((C7200-IK9S-M), Version 12.3(14)T7). Perhaps the newer IOS with the bigger feature set is too much for the border router? If that doesn't work I'd also be curious to see what would happen if I moved the T3 card to the core router and see if the CPU utilization goes up on it, but I can't do that until after the holidays.

I've followed Cisco's guide to troubleshooting high IP input utilization and I can't think of anything else to do configuration-wise on the border router.

Thanks for all the help from everyone so far, it is very much appreciated.
Spencer

-----Original Message-----
From: Mikael Abrahamsson [mailto:swmike at swm.pp.se]
Sent: Wednesday, December 17, 2008 11:13 AM
To: Spencer
Cc: Church, Charles; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

On Wed, 17 Dec 2008, Spencer Barnes wrote:

> I removed all ACLs and Netflow but that did not have an effect. I think
> I can move NAT to the core router for testing purposes, I'll try and do
> that tomorrow morning. IOS version is (C7200-JK9O3S-M), Version
> 12.4(21).

If you're tunneling over 1500 media, doing "ip tcp mss-adjust 1300" on the interface where the traffic to encrypt/tunnel is passing unencrypted/untunneled might help you. Worth a try though, you don't want multiple tunnel/encrypted packets per packet in the VPN.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From russlaplante at gmail.com Wed Jan 21 13:03:53 2009
From: russlaplante at gmail.com (Russ LaPlante)
Date: Wed, 21 Jan 2009 12:03:53 -0600
Subject: [c-nsp] Cisco Tools
In-Reply-To: <0867622C64B50C4B878AB45C95F43F11066FF33A@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F11066FF33A@MAILWA01.wesenergy.local>
Message-ID: <364341630901211003v70a0997fybb18ed5bb28b827@mail.gmail.com>

My inline IPS/AV identifies this link as infected with JS/Feebs.fam at mm.

- Russ

On Tue, Jan 20, 2009 at 8:45 PM, Aaron Riemer wrote:

> Hey guys,
>
> I have found quite a useful website for different cisco configurations
> etc.. If anyone has any similar feel free to post in this thread :-)
>
> http://www.bradreese.com/cisco-tools.htm
>
> Props to Brad.
>
> Cheers,
>
> Aaron.

From adrian.minta at gmail.com Wed Jan 21 13:03:57 2009
From: adrian.minta at gmail.com (Adrian Minta)
Date: Wed, 21 Jan 2009 13:03:57 -0500
Subject: [c-nsp] set TTL value
Message-ID: <4977638D.60108@gmail.com>

Is it possible to set TTL for outgoing packets on a cisco router ?

-- 
Best regards,
Adrian Minta

From blahu77 at gmail.com Wed Jan 21 14:17:24 2009
From: blahu77 at gmail.com (blahu77 at gmail.com)
Date: Wed, 21 Jan 2009 19:17:24 +0000 (IST)
Subject: [c-nsp] set TTL value
In-Reply-To: <4977638D.60108@gmail.com>
Message-ID:

From ibrahim.abozaid at gmail.com Wed Jan 21 15:46:27 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Wed, 21 Jan 2009 22:46:27 +0200
Subject: [c-nsp] network connection tool
Message-ID:

Hi All

I want to know if there is any network connectivity tool that can be configured to respond on a specific TCP/UDP port number?

Sometimes we modify our security policy in FWs but the application level still has a problem, so we need to use this tool to configure it to respond on the application port (that will be different for each application) and try some sort of ping or connect-attempt across the FW to isolate whether it is a FW problem or an application problem.
Is there any tool out there that can help with that?

best regards
--Ibrahim Abo Zaid

From luan at netcraftsmen.net Wed Jan 21 15:49:16 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 21 Jan 2009 15:49:16 -0500
Subject: [c-nsp] AIM-SSL-3 card on 2811
Message-ID: <028201c97c09$b9bd9890$2d38c9b0$@net>

Hi folks,

Anyone tried the SSL-3 VPN encryption card on a 2800 series before?

Thanks.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] luan at netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

From td_miles at yahoo.com Wed Jan 21 16:27:26 2009
From: td_miles at yahoo.com (Tony)
Date: Wed, 21 Jan 2009 13:27:26 -0800 (PST)
Subject: [c-nsp] network connection tool
In-Reply-To:
Message-ID: <921010.6511.qm@web110108.mail.gq1.yahoo.com>

--- On Thu, 22/1/09, Ibrahim Abo Zaid wrote:

> From: Ibrahim Abo Zaid
> Subject: [c-nsp] network connection tool
> To: "cisco-nsp at puck.nether.net" , cisco at groupstudy.com
> Date: Thursday, 22 January, 2009, 7:46 AM
> Hi All
>
> i want to know if there any network connectivity tool can
> be configured to
> respond to spesific TCP/UDP port number ?

Historically I've just used a small freebie web server that is easily configurable for which port it runs on, for Windows based testing (from a laptop). Once you've changed the port, a simple telnet to that port, type something (anything) and press enter, and you will get HTML back. This obviously only works for TCP.

Someone else may know of a specific tool that is designed to do just what you want and works for both TCP & UDP. A port scanner is also useful for testing things like this.

regards,
Tony.
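A small stand-in for the tool Ibrahim is asking about, written as an added example for this archive rather than any of the tools named in the replies: a responder that answers on one port number over both TCP and UDP, and a client-side probe that reports "open", "refused" (the host was reached but nothing listens, so look at the application) or "filtered" (no answer at all, the usual sign of a firewall drop). The banner string, the loopback default and the port-0 auto-pick are constructed for the example.

```python
"""Responder answering on one port over both TCP and UDP, plus a client-side probe
that tells a firewall drop (silence) from a dead application (connection refused)."""
import socket
import threading

BANNER = b"port-test-ok\n"   # constructed reply; the probe checks for exactly this


class PortResponder:
    def __init__(self, port=0, host="127.0.0.1"):
        self._tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._tcp.bind((host, port))
        self.port = self._tcp.getsockname()[1]   # real number when port=0 was asked
        self._udp.bind((host, self.port))        # same number for UDP; raises if taken
        self._tcp.listen(5)
        self._stop = threading.Event()
        self._threads = [threading.Thread(target=f, daemon=True)
                         for f in (self._tcp_loop, self._udp_loop)]

    def _tcp_loop(self):
        self._tcp.settimeout(0.2)                # short timeout so stop() is noticed
        while not self._stop.is_set():
            try:
                with self._tcp.accept()[0] as conn:
                    conn.sendall(BANNER)         # banner on connect: plain telnet works
            except socket.timeout:
                pass

    def _udp_loop(self):
        self._udp.settimeout(0.2)
        while not self._stop.is_set():
            try:
                _, peer = self._udp.recvfrom(1024)
                self._udp.sendto(BANNER, peer)
            except socket.timeout:
                pass

    def start(self):
        for t in self._threads:
            t.start()
        return self

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        self._tcp.close()
        self._udp.close()


def _classify(sock, send):
    try:
        send()
        return "open" if sock.recv(64) == BANNER else "open-unexpected"
    except ConnectionRefusedError:
        return "refused"     # host reached, nothing listening: not the firewall
    except socket.timeout:
        return "filtered"    # no answer at all: a firewall drop is the usual cause
    except OSError as exc:
        return "error: %s" % exc.strerror
    finally:
        sock.close()


def probe_tcp(host, port, timeout=2.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    return _classify(s, lambda: s.connect((host, port)))


def probe_udp(host, port, timeout=2.0):
    # connect() on the UDP socket makes ICMP port-unreachable surface as refused
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    def send():
        s.connect((host, port))
        s.send(b"ping\n")
    return _classify(s, send)
```

Run the responder on the server side of the firewall with the application's real port and a reachable bind address, then call the probes from the client side; for UDP only a reply proves the path, since the protocol has no handshake.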
From blahu77 at gmail.com Wed Jan 21 16:35:09 2009
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Wed, 21 Jan 2009 21:35:09 +0000
Subject: [c-nsp] network connection tool
In-Reply-To: <921010.6511.qm@web110108.mail.gq1.yahoo.com>
References: <921010.6511.qm@web110108.mail.gq1.yahoo.com>
Message-ID: <383357750901211335q6f0d02f5y883b51e22de2c1e2@mail.gmail.com>

>> i want to know if there any network connectivity tool can
>> be configured to
>> respond to spesific TCP/UDP port number ?

iperf for both tcp & udp

-- 
pgp-key 0x1C655CAB

From moua0100 at umn.edu Wed Jan 21 16:11:57 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Wed, 21 Jan 2009 15:11:57 -0600
Subject: [c-nsp] AIM-SSL-3 card on 2811
In-Reply-To: <028201c97c09$b9bd9890$2d38c9b0$@net>
References: <028201c97c09$b9bd9890$2d38c9b0$@net>
Message-ID: <49778F9D.6080209@umn.edu>

We are using the SSL-2 card; I've been able to push about 130Mb/s 3des traffic on this card.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Luan Nguyen wrote:
> Hi folks,
>
> Anyone tried the SSL-3 VPN encryption card on a 2800 series before?
>
> Thanks.
>
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> [W] http://www.netcraftsmen.net
> [M] luan at netcraftsmen.net
> [Blog] http://cnc-networksecurity.blogspot.com/

From A.L.M.Buxey at lboro.ac.uk Wed Jan 21 17:42:27 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Wed, 21 Jan 2009 22:42:27 +0000
Subject: [c-nsp] network connection tool
In-Reply-To:
References:
Message-ID: <20090121224227.GA8829@lboro.ac.uk>

Hi,

> i want to know if there any network connectivity tool can be configured to
> respond to spesific TCP/UDP port number ?

A selection of small tools and utils, e.g. 'lighttpd' for TCP - just change the port it's listening on and web browse to a file on it; 'netcat'; 'tftpd' for UDP randomness. Heck, you could even use 'SSH' and just change the port for TCP connectivity (good for IPv6 tests too, that one...).

alan

From mickster4470 at gmail.com Wed Jan 21 18:59:51 2009
From: mickster4470 at gmail.com (The Mickster)
Date: Wed, 21 Jan 2009 15:59:51 -0800
Subject: [c-nsp] Public table on 7206 VXR with NPE-G1 - 512MB or 1GB?
Message-ID: <7729f05c0901211559y4d0b3e65p95623b25d0b4ba85@mail.gmail.com>

We need to shift some routers around in our network, and we have a couple of 7206-VXR routers with NPE-G1 which we'd like to redeploy into a situation where they'll need to take the full public BGP table. Currently they have 512MB of RAM, and the NPE-G1 appears to top out at 1GigB of RAM. Can anyone tell me if I can do the full table on 512 MB, or if I need to upgrade to 1Gig, or is running the full table on a 7206-VXR a lost cause anyway? I'd run some tests, but it's going to be a pain to get one of the 7206s to where we can use it for testing without shuffling a bunch of stuff around.
I'd really like to know if it's going to function before going to all of that work, so I'm hoping someone on this list can offer me a clue...

-Mick

From thilak.t at gmail.com Wed Jan 21 19:26:48 2009
From: thilak.t at gmail.com (Thilak T)
Date: Wed, 21 Jan 2009 16:26:48 -0800
Subject: [c-nsp] cisco-nsp Digest, Vol 74, Issue 67
In-Reply-To:
References:
Message-ID: <1d11fbf80901211626yd3ae8adladc9b2414b280ade@mail.gmail.com>

Can anyone please advise what this means and why an LACP port-channel displays a letter along with the actual channel number?

240    Po240(SD)     LACP
240    Po240A(SU)    LACP    Gi10/17(P)  Gi10/18(P)  Gi10/19(P)  Gi10/20(P)
240    Po240C(SU)    LACP    Gi10/21(P)

On Tue, Jan 20, 2009 at 9:00 AM, wrote:

> Today's Topics:
>
> 1. Re: Acceptance Test Procedure for New Cisco Devices (Ziv Leyes)
> 2. Re: Acceptance Test Procedure for New Cisco Devices (Rubens Kuhl Jr.)
> 3. What does mean Unknown state in Online diag.. 7609 Router (omar parihuana)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 20 Jan 2009 16:36:59 +0200
> From: Ziv Leyes
> Subject: Re: [c-nsp] Acceptance Test Procedure for New Cisco Devices
> To: "cisco-nsp at puck.nether.net"
> Message-ID:
> Content-Type: text/plain; charset="us-ascii"
>
> Thank you all guys for your answers!
> I think Phil has hit the nail and gave me an idea about what I was looking
> for, anything more thorough than this will be a waste of time in our case
> and unnecessarily long.
> But I guess we'll finally opt for letting the Cisco QA be enough as a
> guarantee the devices work (there's always RMA) and have Alex's suggestion
> be the winner here, just be as nebulous as you can and follow the
> "ill-defined and metaphysical characteristique" of such undefined term as
> "Acceptance Test Procedure"
> I'd ask the customer:
> Are you married? Did you fill an ATP form before you said "Yes, I do" ???
> No??? Then c'mon, gimme a break!!! It's just a darn router we're talking
> here, not chaining your entire life with the same woman!!
> A router can be replaced when malfunctioning, with a wife it's a bit more
> difficult, isn't it??
> Thank you all again!
> Ziv
>
> -----Original Message-----
> From: Alex Balashov [mailto:abalashov at evaristesys.com]
> Sent: Tuesday, January 20, 2009 3:38 PM
> To: Ziv Leyes
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Acceptance Test Procedure for New Cisco Devices
>
> But if it's attached to a legal statement, the more nebulous and elastic
> (aka BS) it is the more protection you have from incurring liability for
> actually having done or not done something.
>
> That gets easier when the "acceptance testing process" is ill-defined
> and metaphysical, not harder.
>
> Ziv Leyes wrote:
>
> > Ok, let me be more specific
> > When we buy devices for our own use, we just open it, plug it, and start
> > using them, if there are any problems, we call the provider and they fix the
> > problem (RMA or whatever)
> > In this case, we're going to sell the equipment as a kind of turn-key
> > project, and the customer asked us to provide them with "our" ATP, which we
> > don't really use for ourselves, so I'd like to implement one sort of testing
> > procedure from now on for this type of cases. We're going to attach this to
> > a legal statement so we can't just type some BS there and that's it, we want
> > to actually implement it, and if we write we do a,b,c,d then we're going to
> > do a,b,c,d procedure for real.
> > I was thinking some of you guys may already use this kind of test
> > routines and can help me creating one.
> > I don't need some really serious stuff, I can imagine I'll check the
> > delivery status of the package, open it, check all the contents that need to
> > be there are there, plug the device in and see it works, perhaps load some
> > configuration, plug the hardware that is planned to hold if any (HWICS and
> > so), perform some soft and hard reboots, see the device responds, there are
> > links on all interfaces, and pack it back exactly as it was.
> > The problem is I don't know how exactly to write it down on a kind of form
> > that there's a checkbox for each test.
> > Does anybody have some ready to go stuff?
> >
> > -----Original Message-----
> > From: Peter Rathlev [mailto:peter at rathlev.dk]
> > Sent: Tuesday, January 20, 2009 1:31 PM
> > To: Ziv Leyes
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Acceptance Test Procedure for New Cisco Devices
> >
> > On Tue, 2009-01-20 at 12:13 +0200, Ziv Leyes wrote:
> >> Could anyone share if possible a kind of basic ATP you may use for new
> >> Cisco devices that you may receive?
> >> I'm in need of providing a customer with such procedure for two new
> >> devices, a Cisco 1861 router and a Cisco ASA5510
> >
> > Is it just the hardware that needs to be acceptance tested or is it some
> > kind of service depending on this hardware? I don't specifically recall
> > the term "ATP" but I guess Operational Acceptance Testing is the same.
> >
> > We only supply services, and the acceptance tests are defined by the
> > receiving end, typically with some help from a Service Manager and a
> > network engineer. The tests only check functionality not endurance of
> > the system. Typically the tests check everything defined in the SLA.
> >
> > When receiving hardware we use for ourselves we have no formal
> > acceptance tests; for core equipment it runs in a lab for some time and
> > then takes on a role as a standby unit in the production net. Sometimes
> > when time limits dictate it we end up just placing some new component in
> > an important role without testing. I hope the manufacturer does some
> > kind of burn in test. :-)
> >
> > HTH,
> > Peter
>
> --
> Alex Balashov
> Evariste Systems
> Web : http://www.evaristesys.com/
> Tel : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (678) 237-1775
>
> ------------------------------
>
> Message: 2
> Date: Tue, 20 Jan 2009 13:02:24 -0200
> From: "Rubens Kuhl Jr."
> Subject: Re: [c-nsp] Acceptance Test Procedure for New Cisco Devices
> To: "Ziv Leyes"
> Cc: "cisco-nsp at puck.nether.net"
> Message-ID: <6bb5f5b10901200702w32053161xea726471acdcc2ef at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> > But I guess we'll finally opt for letting the Cisco QA be enough as a
> > guarantee the devices work (there's always RMA) and have Alex's suggestion
> > be the winner here, just be as nebulous as you can and follow the
> > "ill-defined and metaphysical characteristique" of such undefined term as
> > "Acceptance Test Procedure"
> > I'd ask the customer:
> > Are you married? Did you fill an ATP form before you said "Yes, I do" ???
> > No??? Then c'mon, gimme a break!!! It's just a darn router we're talking
> > here, not chaining your entire life with the same woman!!
> > A router can be replaced when malfunctioning, with a wife it's a bit more
> > difficult, isn't it??
>
> Actually there are best practices to that also, see
> http://www.iambored.co.za/funny/girlfriend-v10-v20/
>
> Rubens
>
> ------------------------------
>
> Message: 3
> Date: Tue, 20 Jan 2009 11:26:30 -0500
> From: "omar parihuana"
> Subject: [c-nsp] What does mean Unknown state in Online diag.. 7609 Router
> To: "cisco-nsp at puck.nether.net"
> Message-ID: <834c50110901200826o4bbad617q3f3f8560eb3dc9aa at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Folks,
>
> Recently I've installed a SPA-2XT3/E3 card (in module 7), but I get unknown
> state in online diagnostic. What does this "Unknown" mean, because the led
> status on the card is ok, and the sh diagbus also is ok:
>
> Mod  Sub-Module                  Model              Serial      Hw      Status
> ---- --------------------------- ------------------ ----------- ------- -------
> 7/0  2xOC3 ATM SPA               SPA-2XOC3-ATM      JAE1217FPTR 1.1     Ok
> 7/1  2xT3E3 SPA                  SPA-2XT3/E3        JAE1219H6QE 1.1     Ok
>
> Mod  Online Diag Status
> ---- -------------------
> 1    Pass
> 5    Pass
> 6    Pass
> 7    Pass
> 7/0  Not Applicable
> 7/1  Unknown <<<<<<<<<<<<<<<<<<<<<<<<<<
> 8    Pass
> 8/0  Not Applicable
> 8/1  Not Applicable
>
> Slot 7: Logical_index 14
> 4-subslot SPA Interface Processor-200 controller
> Board is analyzed ipc ready
> HW rev 2.303, board revision C0
> Serial Number: JAE1220HSI2 Part number: 73-10476-03
>
> Slot database information:
> Flags: 0x2004 Insertion time: 0x17E48 (1w4d ago)
>
> Controller Memory Size:
> 832 MBytes CPU Memory
> 191 MBytes Packet Memory
> 1023 MBytes Total on Board SDRAM
> Cisco IOS Software, cwlc Software (sip1-DW-M), Version 12.2(33)SRB3, RELEASE SOFTWARE (fc1)
>
> SPA Information:
> subslot 7/0: SPA-2XOC3-ATM (0x46E), status: ok
> subslot 7/1: SPA-2XT3/E3 (0x40C), status: ok
>
> Thanks!!
> --
> Omar E.P.T
> -----------------
> Certified Networking Professionals make better Connections!

From elmi at 4ever.de Wed Jan 21 19:25:27 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Thu, 22 Jan 2009 01:25:27 +0100
Subject: [c-nsp] Public table on 7206 VXR with NPE-G1 - 512MB or 1GB?
In-Reply-To: <7729f05c0901211559y4d0b3e65p95623b25d0b4ba85@mail.gmail.com>
References: <7729f05c0901211559y4d0b3e65p95623b25d0b4ba85@mail.gmail.com>
Message-ID: <20090122002527.GE52352@ronin.4ever.de>

Re Mick,

mickster4470 at gmail.com (The Mickster) wrote:

> Currently they have 512MB of RAM, and the NPE-G1 appears to top-out at 1GigB
> of RAM. Can anyone tell me if I can do the full table on 512 MB, or if I
> need upgrade to !Gig, or is running the full table on a 7206-VXR a lost
> cause anyway?

If your memory doesn't get eaten by features - the BGP table will not be a problem there (currently).

Here's some output from a 7301 (NPE-G1 in 1RU) with:

Cisco 7301 (NPE) processor (revision F) with 491520K/32768K bytes of memory.

BGP summary heads:

BGP table version is 25371047, main routing table version 25371047
272588 network entries using 31892796 bytes of memory
596159 path entries using 31000268 bytes of memory
63023/49155 BGP path/bestpath attribute entries u