From zhqasmi at cyber.net.pk Mon Jun 1 00:34:11 2009
From: zhqasmi at cyber.net.pk (Amjad Ul Hasnain Qasmi)
Date: Mon, 01 Jun 2009 10:34:11 +0600
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To:
References: <4A22E68F.4010605@wbsconnect.com>
Message-ID: <004c01c9e272$36ff9b40$a4fed1c0$@net.pk>

If your PE-PE is not a trunk port, which is normally the case, and you want to successfully transport a payload of 1500 bytes, you should consider setting the IP MTU as 1500 + 20 = 1520 bytes. Mostly two labels are stacked for VPN traffic, but there are cases when 3 labels may also be used, so you should consider 12 bytes for the MPLS header (4 bytes each); it will make the MPLS MTU 1532. Your physical interface MTU should be equal to or larger than 1532 + 18 (Ethernet header) bytes.

Try this out and share the results.

/AHQ

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Hale
Sent: Monday, June 01, 2009 8:42 AM
To: cisco-nsp
Subject: Re: [c-nsp] strange behavior over MPLS network - remote desktop won't work

On Sun, May 31, 2009 at 9:04 PM, Ray Burkholder wrote:
>
>> What does that indicate to you? 1472 + VLAN tag plus MPLS < 1500?
>
> When provisioning MPLS circuits, one has to be careful. Basic MPLS will
> attach one or more 4 byte labels on to each packet. Pseudowires attach
> additional bytes onto each packet. WAN circuits running MPLS need to be
> provisioned such that the interface MTU is set to 1500 PLUS any pseudowire
> overhead plus any MPLS label overhead. If you try to run MPLS stuff across
> a standard 1500 MTU WAN interface, you get the problems you are now
> encountering: fragmentation, drops, corruption, ... Some protocols can
> handle it, but I've read that RDP sets the no-fragment bit, thus dropping
> the packets.
>
> STM-1 and DS3 circuits run by default at 4470 bytes so easily accommodate
> MPLS overhead. Ethernet circuits are at 1500, and you have to work with
> upstream vendors to ensure their networks can handle MTUs greater than
> 1500. Cisco switches need a reboot after setting a system mtu setting.
> Routers can change interface mtu settings on the fly.
>
> You could try setting your MTU setting on your pc to 1300 and see if things
> work. If they do, then you know you have an upstream mtu problem.
>

I have an available DS3 interface on each of the POP H routers. Maybe I will set that up tomorrow and push the MPLS traffic across this interconnect to see if that helps. Maybe the mpls mtu setting on the PA-FE-TX interfaces just isn't working.

I have also forced the GigE MPLS MTU settings on the backbone link between the POPs to 1538 as they were at the default of 1500 before.

Thanks again,
Chris
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From tom at snnap.net Mon Jun 1 00:57:16 2009
From: tom at snnap.net (Tom Storey)
Date: Mon, 1 Jun 2009 13:57:16 +0900 (EIT)
Subject: [c-nsp] Ingress policing on a 3560
Message-ID: <61575.172.25.144.4.1243832236.squirrel@imap.snnap.net>

Thanks to those who have responded so far.

To answer a couple of so far common questions:

"mls qos" is enabled:

sw2#sh mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

And I don't appear to be counting any hits against my MAC ACL, which may explain part of the problem:

sw2#sh access-lists mac-any-any

Extended MAC access list mac-any-any
    permit any any 0x0 0xFFFF

I tried applying the ACL inbound on the interface to see if it would count any hits, and there are zero hits on there too. I also modified the ACL rule to what you see above based on an example I found.

So something is definitely up there, considering I am pumping 12000+ pps through it each way with iperf. :-)

Back to the drawing board.

Cheers,
Tom

> Hi all.
>
> What I'm trying to do is police ingress on a port, using a MAC ACL to
> match traffic to police (just a "permit any any" to match all traffic).
>
> But what I'm getting is that the switch doesn't appear to be matching any
> traffic at all.
>
> sw2#sh int gi0/14 | inc put rate
>   30 second input rate 20449000 bits/sec, 1688 packets/sec
>   30 second output rate 2620000 bits/sec, 1690 packets/sec
> sw2#sh policy-map int gi0/14
>  GigabitEthernet0/14
>
>   Service-policy input: police-10mbit-in
>
>     Class-map: mac-any-any (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0 bps, drop rate 0 bps
>       Match: access-group name mac-any-any
>         0 packets, 0 bytes
>         30 second rate 0 bps
>
>     Class-map: class-default (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0 bps, drop rate 0 bps
>       Match: any
>         0 packets, 0 bytes
>         30 second rate 0 bps
>
> Does anyone have any pointers as to what I'm doing wrong? Below is my
> config.
>
> mac access-list extended mac-any-any
>  permit any any
> !
> class-map match-any mac-any-any
>   match access-group name mac-any-any
> !
> policy-map police-10mbit-in
>   class mac-any-any
>     police 10000000 1000000 exceed-action drop
> !
> interface GigabitEthernet0/14
>  service-policy input police-10mbit-in
> !
>
> I've also tried with just class-default, but got the same result.
>
> I am currently using the "vlan" SDM profile, if that makes any difference.
>
> Cheers,
> Tom

From achatz at forthnet.gr Mon Jun 1 03:48:42 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 01 Jun 2009 10:48:42 +0300
Subject: [c-nsp] Ingress policing on a 3560
In-Reply-To: <61575.172.25.144.4.1243832236.squirrel@imap.snnap.net>
References: <61575.172.25.144.4.1243832236.squirrel@imap.snnap.net>
Message-ID: <4A2387DA.7030108@forthnet.gr>

Tom,

If I remember right, in 3560/3750 MAC ACLs are used only for classification of non-IP traffic. So if you're testing with IP (like iperf) you won't be able to match it.

Also, use "sh mls qos int gi0/14 stat" to check for drops due to policing.

--
Tassos

Tom Storey wrote on 01/06/2009 07:57:
> Thanks to those who have responded so far.
>
> To answer a couple of so far common questions:
>
> "mls qos" is enabled:
>
> sw2#sh mls qos
> QoS is enabled
> QoS ip packet dscp rewrite is enabled
>
> And I don't appear to be counting any hits against my MAC ACL, which may
> explain part of the problem:
>
> sw2#sh access-lists mac-any-any
>
> Extended MAC access list mac-any-any
>     permit any any 0x0 0xFFFF
>
> I tried applying the ACL inbound on the interface to see if it would count
> any hits, and there are zero hits on there too. I also modified the ACL
> rule to what you see above based on an example I found.
>
> So something is definitely up there, considering I am pumping 12000+ pps
> through it each way with iperf. :-)
>
> Back to the drawing board.
>
> Cheers,
> Tom
>
>> Hi all.
>>
>> What I'm trying to do is police ingress on a port, using a MAC ACL to
>> match traffic to police (just a "permit any any" to match all traffic).
>>
>> But what I'm getting is that the switch doesn't appear to be matching any
>> traffic at all.
>>
>> sw2#sh int gi0/14 | inc put rate
>>   30 second input rate 20449000 bits/sec, 1688 packets/sec
>>   30 second output rate 2620000 bits/sec, 1690 packets/sec
>> sw2#sh policy-map int gi0/14
>>  GigabitEthernet0/14
>>
>>   Service-policy input: police-10mbit-in
>>
>>     Class-map: mac-any-any (match-any)
>>       0 packets, 0 bytes
>>       30 second offered rate 0 bps, drop rate 0 bps
>>       Match: access-group name mac-any-any
>>         0 packets, 0 bytes
>>         30 second rate 0 bps
>>
>>     Class-map: class-default (match-any)
>>       0 packets, 0 bytes
>>       30 second offered rate 0 bps, drop rate 0 bps
>>       Match: any
>>         0 packets, 0 bytes
>>         30 second rate 0 bps
>>
>> Does anyone have any pointers as to what I'm doing wrong? Below is my
>> config.
>>
>> mac access-list extended mac-any-any
>>  permit any any
>> !
>> class-map match-any mac-any-any
>>   match access-group name mac-any-any
>> !
>> policy-map police-10mbit-in
>>   class mac-any-any
>>     police 10000000 1000000 exceed-action drop
>> !
>> interface GigabitEthernet0/14
>>  service-policy input police-10mbit-in
>> !
>>
>> I've also tried with just class-default, but got the same result.
>>
>> I am currently using the "vlan" SDM profile, if that makes any difference.
>>
>> Cheers,
>> Tom

From peter at rathlev.dk Mon Jun 1 06:35:50 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 01 Jun 2009 12:35:50 +0200
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To:
References: <4A22E68F.4010605@wbsconnect.com>
Message-ID: <1243852550.3428.2.camel@localhost.localdomain>

On Sun, 2009-05-31 at 19:54 -0400, Chris Hale wrote:
> ping do-not-fragment detail size 1473 192.168.3.254
> PING 192.168.3.254 (192.168.3.254): 1473 data bytes
> ping: sendto: Message too long
...
> What does that indicate to you? 1472 + VLAN tag plus MPLS < 1500?

To me this indicates that the Juniper doesn't want to send the packet. As others mentioned, 1472 is the largest ICMP payload to expect on a regular 1500 byte MTU link. The "sendto: Message too long" is what I would assume if the IP stack of the sending host refuses to accept the packet. So the packet never leaves the CE.

Regards,
Peter

From doraemonheng at yahoo.com.sg Mon Jun 1 06:17:38 2009
From: doraemonheng at yahoo.com.sg (Doraemon Heng)
Date: Mon, 1 Jun 2009 18:17:38 +0800 (SGT)
Subject: [c-nsp] 4x E1 MLPPP max throughput?
Message-ID: <701771.79941.qm@web76013.mail.sg1.yahoo.com>

Dear All,

We are experiencing packet loss when pinging from PE1 to CE2 when the traffic is above 7.2Mbps.

CE1 - PE1 - PE2 - CE2

The type of point-to-point between PE2 and CE2 is 4x E1 multilink (bandwidth 8192Kbit).

Note*** (PE1 to PE2 no packet loss)

We do see the Total output drops keep increasing even when the traffic is low. Is it normal behavior, or does this cause the packet loss when PE1 pings CE2? Also, what is the maximum throughput the 4x E1 multilink can handle without any packet loss?

PE2#show interfaces multilink 10
Multilink10 is up, line protocol is up
  Hardware is multilink group interface
  Internet address is 10.19.60..9/30
  MTU 1500 bytes, BW 8192 Kbit, DLY 100000 usec,
     reliability 255/255, txload 180/255, rxload 107/255
  Encapsulation PPP, LCP Open, multilink Open
  Open: IPCP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 2 seconds on reset
  Last input 01:17:03, output never, output hang never
  Last clearing of "show interface" counters 05:24:17
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 31000
  Queueing strategy: fifo
  Output queue: 31/300 (size/max)
  30 second input rate 3440000 bits/sec, 1226 packets/sec
  30 second output rate 5802000 bits/sec, 1212 packets/sec
     22649490 packets input, 598130070 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     22368689 packets output, 2467487460 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

Thanks & Regards,

From dloughlin at otc.fsu.edu Mon Jun 1 10:12:56 2009
From: dloughlin at otc.fsu.edu (Loughlin, Daniel J.)
Date: Mon, 1 Jun 2009 10:12:56 -0400
Subject: [c-nsp] Ingress policing on a 3560
In-Reply-To: <4A2387DA.7030108@forthnet.gr>
References: <61575.172.25.144.4.1243832236.squirrel@imap.snnap.net> <4A2387DA.7030108@forthnet.gr>
Message-ID: <0B5DA805D198954F8E6160D2AB3B43A595CE24@fsu-exch-11.fsu.edu>

Yeah, that's correct. MAC ACLs only match non-IP traffic.

-Danny

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos Chatzithomaoglou
Sent: Monday, June 01, 2009 3:49 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Ingress policing on a 3560

Tom,

If I remember right, in 3560/3750 MAC ACLs are used only for classification of non-IP traffic. So if you're testing with IP (like iperf) you won't be able to match it.

Also, use "sh mls qos int gi0/14 stat" to check for drops due to policing.

--
Tassos

Tom Storey wrote on 01/06/2009 07:57:
> Thanks to those who have responded so far.
>
> To answer a couple of so far common questions:
>
> "mls qos" is enabled:
>
> sw2#sh mls qos
> QoS is enabled
> QoS ip packet dscp rewrite is enabled
>
> And I don't appear to be counting any hits against my MAC ACL, which may
> explain part of the problem:
>
> sw2#sh access-lists mac-any-any
>
> Extended MAC access list mac-any-any
>     permit any any 0x0 0xFFFF
>
> I tried applying the ACL inbound on the interface to see if it would count
> any hits, and there are zero hits on there too. I also modified the ACL
> rule to what you see above based on an example I found.
>
> So something is definitely up there, considering I am pumping 12000+ pps
> through it each way with iperf. :-)
>
> Back to the drawing board.
>
> Cheers,
> Tom
>
>> Hi all.
>>
>> What I'm trying to do is police ingress on a port, using a MAC ACL to
>> match traffic to police (just a "permit any any" to match all traffic).
>>
>> But what I'm getting is that the switch doesn't appear to be matching any
>> traffic at all.
>>
>> sw2#sh int gi0/14 | inc put rate
>>   30 second input rate 20449000 bits/sec, 1688 packets/sec
>>   30 second output rate 2620000 bits/sec, 1690 packets/sec
>> sw2#sh policy-map int gi0/14
>>  GigabitEthernet0/14
>>
>>   Service-policy input: police-10mbit-in
>>
>>     Class-map: mac-any-any (match-any)
>>       0 packets, 0 bytes
>>       30 second offered rate 0 bps, drop rate 0 bps
>>       Match: access-group name mac-any-any
>>         0 packets, 0 bytes
>>         30 second rate 0 bps
>>
>>     Class-map: class-default (match-any)
>>       0 packets, 0 bytes
>>       30 second offered rate 0 bps, drop rate 0 bps
>>       Match: any
>>         0 packets, 0 bytes
>>         30 second rate 0 bps
>>
>> Does anyone have any pointers as to what I'm doing wrong? Below is my
>> config.
>>
>> mac access-list extended mac-any-any
>>  permit any any
>> !
>> class-map match-any mac-any-any
>>   match access-group name mac-any-any
>> !
>> policy-map police-10mbit-in
>>   class mac-any-any
>>     police 10000000 1000000 exceed-action drop
>> !
>> interface GigabitEthernet0/14
>>  service-policy input police-10mbit-in
>> !
>>
>> I've also tried with just class-default, but got the same result.
>>
>> I am currently using the "vlan" SDM profile, if that makes any difference.
>>
>> Cheers,
>> Tom

From ying-xiang at 163.com Mon Jun 1 10:29:46 2009
From: ying-xiang at 163.com (ying-xiang)
Date: Mon, 1 Jun 2009 22:29:46 +0800 (CST)
Subject: [c-nsp] even Eompls "vc" is up but can not work
Message-ID: <30733322.938901243866586761.JavaMail.coremail@bj163app25.163.com>

hi

the vc still is up, but the eompls doesn't work suddenly.
i got the show message on the cli

Local interface: VFI SDH-NEC VFI up
  MPLS VC type is VFI, interworking type is Ethernet
  Destination address: 192.168.4.16, VC ID: 807, VC status: up
    Output interface: Te2/0/0, imposed label stack {185 188}
    Preferred path: not configured
    Default path: active
    Next hop: 192.168.128.14
  Create time: 19w4d, last status change time: 17:31:07
  Signaling protocol: LDP, peer 192.168.4.16:0 up
    Targeted Hello: 192.168.0.1(LDP Id) -> 192.168.4.16
    MPLS VC labels: local 336, remote 188
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 4016946, send 9576394
    byte totals:   receive 427480129, send 2838427498
    packet drops:  receive 0, send 0

sh mpls l2transport vc

VFI SDH-NEC VFI      192.168.4.16    807        UP

seems it does not have any issue here, except tunnel label can not be found. what should i do for the further troubleshooting?
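A cross-check for the situation in this thread, as an added example that is not part of any message here: it parses the `show mpls l2transport vc ... detail` output quoted above from both PEs and flags what has to agree for the pseudowire to forward (same VC ID, cross-matching VC labels, an imposed stack that still has a transport label above the VC label, matching MTU, LDP session up, no drops). PE_A is the poster's output abridged to the lines read; the far-end outputs PE_B_OK and PE_B_BAD are constructed for the example.

```python
import re

# Constructed sample data. PE_A is the poster's detail output for VC 807
# (abridged to the lines the check reads); PE_B_OK and PE_B_BAD are
# hypothetical far-end outputs written for this example.
PE_A = """\
Local interface: VFI SDH-NEC VFI up
  Destination address: 192.168.4.16, VC ID: 807, VC status: up
    Output interface: Te2/0/0, imposed label stack {185 188}
  Signaling protocol: LDP, peer 192.168.4.16:0 up
    MPLS VC labels: local 336, remote 188
    MTU: local 1500, remote 1500
  VC statistics:
    packet drops:  receive 0, send 0
"""

# Healthy far end: its local label is our remote label and vice versa.
PE_B_OK = """\
  Destination address: 192.168.0.1, VC ID: 807, VC status: up
    Output interface: Te1/0/0, imposed label stack {17 336}
  Signaling protocol: LDP, peer 192.168.0.1:0 up
    MPLS VC labels: local 188, remote 336
    MTU: local 1500, remote 1500
  VC statistics:
    packet drops:  receive 0, send 0
"""

# Far end that has lost the VC: no label stack towards the peer, no remote
# label, and an MTU that no longer matches (LDP will not signal the PW up).
PE_B_BAD = """\
  Destination address: 192.168.0.1, VC ID: 807, VC status: down
    Output interface: none, imposed label stack {}
  Signaling protocol: LDP, peer 192.168.0.1:0 up
    MPLS VC labels: local 188, remote unassigned
    MTU: local 1504, remote 1500
  VC statistics:
    packet drops:  receive 0, send 1200
"""


def parse_vc_detail(text):
    """Extract the fields the cross-check needs from one PE's detail output."""
    def grab(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return m.groups()
    label = lambda t: int(t) if t.isdigit() else None  # 'unassigned' -> None
    peer, vc_id, status = grab(r"Destination address: (\S+), VC ID: (\d+), VC status: (\w+)")
    (stack,) = grab(r"imposed label stack \{([^}]*)\}")
    local_label, remote_label = grab(r"MPLS VC labels: local (\S+), remote (\S+)")
    mtu_local, mtu_remote = grab(r"MTU: local (\d+), remote (\d+)")
    ldp_peer, ldp_state = grab(r"Signaling protocol: LDP, peer (\S+):\d+ (\w+)")
    drops_rx, drops_tx = grab(r"packet drops:\s+receive (\d+), send (\d+)")
    return {
        "peer": peer, "vc_id": int(vc_id), "status": status.lower(),
        "imposed": [int(x) for x in stack.split()],
        "local_label": label(local_label), "remote_label": label(remote_label),
        "mtu_local": int(mtu_local), "mtu_remote": int(mtu_remote),
        "ldp_peer": ldp_peer, "ldp_state": ldp_state.lower(),
        "drops_rx": int(drops_rx), "drops_tx": int(drops_tx),
    }


def check_pseudowire(a, b):
    """Return findings for a PW seen from both PEs; empty list means it looks healthy."""
    findings = []
    if a["vc_id"] != b["vc_id"]:
        findings.append(f"VC ID mismatch: {a['vc_id']} vs {b['vc_id']}")
    for name, side in (("A", a), ("B", b)):
        if side["status"] != "up":
            findings.append(f"{name}: VC status is {side['status']}")
        if side["ldp_state"] != "up":
            findings.append(f"{name}: targeted LDP session to {side['ldp_peer']} is {side['ldp_state']}")
        if side["mtu_local"] != side["mtu_remote"]:
            findings.append(f"{name}: MTU mismatch local {side['mtu_local']} remote {side['mtu_remote']}")
        # The imposed stack is transport (IGP/LDP tunnel) label(s) on top of the
        # peer's VC label at the bottom; an empty stack means no LSP to the peer.
        if not side["imposed"]:
            findings.append(f"{name}: no imposed label stack, no LSP towards {side['peer']}")
        elif side["imposed"][-1] != side["remote_label"]:
            findings.append(f"{name}: bottom label {side['imposed'][-1]} is not the peer VC label {side['remote_label']}")
        elif len(side["imposed"]) < 2:
            findings.append(f"{name}: stack holds only the VC label, transport label missing")
        if side["drops_rx"] or side["drops_tx"]:
            findings.append(f"{name}: VC drops rx {side['drops_rx']} tx {side['drops_tx']}")
    # Each side's local label must be what the other side imposes as remote.
    if a["local_label"] != b["remote_label"]:
        findings.append(f"label skew: A local {a['local_label']} vs B remote {b['remote_label']}")
    if b["local_label"] != a["remote_label"]:
        findings.append(f"label skew: B local {b['local_label']} vs A remote {a['remote_label']}")
    return findings


if __name__ == "__main__":
    for title, far_end in (("healthy far end", PE_B_OK), ("broken far end", PE_B_BAD)):
        print(title, "->", check_pseudowire(parse_vc_detail(PE_A), parse_vc_detail(far_end)) or "no findings")
```

Run it against the detail output of both PEs of a VC that shows UP only on one side, as Jerry describes; the findings list tells you which parameter the two ends disagree on.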
From sam_mailinglists at spacething.org Mon Jun 1 11:27:54 2009 From: sam_mailinglists at spacething.org (Sam Stickland) Date: Mon, 01 Jun 2009 16:27:54 +0100 Subject: [c-nsp] Nexus V1000 - Feedback? Message-ID: <4A23F37A.60008@spacething.org> Hi, Has anyone here deployed the Nexus V1000? I'm interested in feedback (good, back or indifferent). Thanks, Sam From wireless at starbeam.com Mon Jun 1 11:46:44 2009 From: wireless at starbeam.com (Jerry Bacon) Date: Mon, 1 Jun 2009 08:46:44 -0700 Subject: [c-nsp] even Eompls "vc" is up but can not work References: <30733322.938901243866586761.JavaMail.coremail@bj163app25.163.com> Message-ID: <1C46AB7345A44FD48211917490E2E9C4@user6006cfcba1> Check the other end and make sure it is also up. I've seen cases where the PE router on one side shows the circuit as "up", but the other PE router will show it as "down". -- Jerry B. ----- Original Message ----- > the vc still is up,but the eompls does't work suddenly. > i got the show message on the cli > > > Local interface: VFI SDH-NEC VFI up > [snip] > > sh mpls l2transport vc > > VFI SDH-NEC VFI 192.168.4.16 807 UP > > seems it does not have any issue here, except tunnel lable can not be > found .what should i do for the further troubleshooting? From gert at greenie.muc.de Mon Jun 1 13:20:18 2009 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 1 Jun 2009 19:20:18 +0200 Subject: [c-nsp] Nexus V1000 - Feedback? In-Reply-To: <4A23F37A.60008@spacething.org> References: <4A23F37A.60008@spacething.org> Message-ID: <20090601172018.GN290@greenie.muc.de> Hi, On Mon, Jun 01, 2009 at 04:27:54PM +0100, Sam Stickland wrote: > Has anyone here deployed the Nexus V1000? I'm interested in feedback > (good, back or indifferent). We haven't deployed it yet, but what I was demonstrated at Networkers in Barcelona was definitely Way Cool. "The Cisco way" to configure and monitor switches, not the VMware web-thingie... gert -- USENET is *not* the non-clickable part of WWW! 
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From gert at greenie.muc.de Mon Jun 1 16:35:06 2009 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 1 Jun 2009 22:35:06 +0200 Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work In-Reply-To: References: <4A22E68F.4010605@wbsconnect.com> Message-ID: <20090601203506.GO290@greenie.muc.de> Hi, On Sun, May 31, 2009 at 11:22:08PM +0200, Sascha E. Pollok wrote: > Also, what kind of FE boards do you use on the 7206? > I am currently unsure whether e.g. PA-FE-TX support > larger MTUs needed for MPLS/VPN. "Sort of". There was a lengthy discussion on this list, about two years ago - as far as I remember, the single-port FEs for the 7200s are bugged and can only do an MTU up to 1530 bytes. ... but this still works nicely for simple L3 VPN stuff (1500+4+4). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From ml at kenweb.org Mon Jun 1 20:44:04 2009 From: ml at kenweb.org (ML) Date: Mon, 01 Jun 2009 20:44:04 -0400 Subject: [c-nsp] uRPF on ME3400 Message-ID: <4A2475D4.8000006@kenweb.org> With the IOS available today it's apparent that uRPF is only available in VRFs on the ME3400. Like some people I've run across, I want uRPF not in a VRF. Has anyone found a workaround to this limitation? Or should I hold my horses and hope it's in 12.2(52)SE? 
Thanks From n03ri at telkom.co.id Mon Jun 1 22:15:02 2009 From: n03ri at telkom.co.id (Nur Wahid) Date: Tue, 02 Jun 2009 09:15:02 +0700 Subject: [c-nsp] Cos to DSCP mapping in Cisco 7600 series In-Reply-To: References: Message-ID: <4A248B26.7020405@telkom.co.id> Hi All, I want to do configuring policy map in Cisco 7600 series: 1. The ingress DSCP to CoS mapping 2. The egress CoS to DSCP mapping Does anyone have template this mapping in both ingress or egress interface? -- Thanks and Best Regards, Abdul Wahid ==================================== Mau GRATIS TELPON LOKAL, DISCOUNT 50% SMS, DISCOUNT 20% SLJJ, dan DISCOUNT FLEXI MILIS? Ikuti Dahsyatnya FLEXI KOMUNITAS. Ketik CREATE[NAMA GRUP], sms ke 345. Contoh: CREATE SMU2, sms ke 345. Informasi selanjutnya: - hubungi 147 - http://www.telkomflexi.com - ketik INFO, sms ke 345. From rlucas at nz1.ibm.com Tue Jun 2 02:10:29 2009 From: rlucas at nz1.ibm.com (Raymond Lucas) Date: Tue, 2 Jun 2009 18:10:29 +1200 Subject: [c-nsp] OSPF LSA timers Message-ID: Hi, I have been gradually rolling out OSPF across a network including the following bit of config: router ospf 172 ispf timers throttle lsa all 10 100 5000 timers lsa arrival 80 Which was fine until I arrived at a couple of 6506s with SUP2/MSFC2 running 12.2(17d)SXB9 which don't support those commands. Seems they were only introduced in 12.2(18)SXF according to Software Advisor. We can't upgrade to 12.2(18)SXF due to a lack of memory on the switch processors. I'm not too worried by the "ispf" business, but I have a bad feeling about having a couple of devices different from their neighbours with the LSA stuff. To really up the nerves, these 6506s are are part of the core. I can imagine it working well most of the time but then failing badly when the pressure is on. So I guess my questions are: - Am I right to be worried, or will things work fine if I miss these commands from these devices? 
- Since these timers can only be set on a per device basis, as opposed to per interface, is there an elegant way to deal with this scenario? Obviously I would not be keen to remove the modified timers from the rest of the network! Thanks, Ray From tom at netspot.com.au Tue Jun 2 03:15:25 2009 From: tom at netspot.com.au (Tom Lanyon) Date: Tue, 2 Jun 2009 16:45:25 +0930 Subject: [c-nsp] Any problems w/ 3750 IOS 12.2(46)SE? Message-ID: We are seeing consistent low TCP throughput over a dual gig etherchannel between two stacks of 3x 3750G + 1x 3750E and intermittent delays (ie. random slow ICMP ping times) on another 2x 3750G stack, all on 12.2(46)SE. All switches are doing L2/L3 forwarding and a small amount of EIGRP. The stack with delayed ICMP has seemingly random high CPU load and this seems to correlate with the delayed ICMP packets; example: 5Min Processes: 27% CPU Interrupts: 0% CPU Sum of all processes: 1.88% CPU The other stacks haven't shown signs of ICMP delayed packets but still list high (40-100%) peaks of CPU utilisation. Can't see any indications of TCAM exhaustion on any switch (all desktop default SDM template). Just thought I'd throw this to the list to see if anyone else has had something similar? Tom From blahu77 at gmail.com Tue Jun 2 03:48:38 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Tue, 2 Jun 2009 08:48:38 +0100 Subject: [c-nsp] uRPF on ME3400 In-Reply-To: <4A2475D4.8000006@kenweb.org> References: <4A2475D4.8000006@kenweb.org> Message-ID: <383357750906020048r63eccb30u38b54e2ff1353b61@mail.gmail.com> 2009/6/2 ML : > With the IOS available today it's apparent that uRPF is only available in > VRFs on the ME3400. > > Like some people I've run across, I want uRPF not in a VRF. ?Has anyone > found a workaround to this limitation? if you are running vrf-lite i could create vrf global and put any interface in that vrf. 
BRs, -mat From jp at softnet.si Tue Jun 2 03:33:06 2009 From: jp at softnet.si (Primoz Jeroncic) Date: Tue, 2 Jun 2009 09:33:06 +0200 (CEST) Subject: [c-nsp] MPLS PE on Cisco L3 switches Message-ID: Hi guys I'm looking for solution of relatively cheap L3 switch, which could also be configured as MPLS PE device. As far as I know, until now cheapest option was Cisco 3750 Metro. Now I was reading whitepapers for Cisco ME3400, and to be honest I didn't find any certain info about this. Does anyone know if ME3400 (with proper IOS image) supports MPLS (as I wrote before, I basically want to configure it as PE device) or it still doesn't? Thanks for any info you might have. Have fun, Primoz Jeroncic Support - IP Connectivity & Routing ------------------------------------------------------------------- Softnet d.o.o. tel: +386 1 562 31 40 | Borovec 2 fax: +386 1 562 18 55 | 1 + 1 = 3 1236 Trzin primoz(at)softnet.si | for larger values of 1 Slovenija http://flea.softnet.si/ ------------------------------------------------------------------- From elmi at 4ever.de Tue Jun 2 05:23:28 2009 From: elmi at 4ever.de (Elmar K. Bins) Date: Tue, 2 Jun 2009 11:23:28 +0200 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <20090514125033.GZ29526@ronin.4ever.de> References: <20090514090638.GQ29526@ronin.4ever.de> <20090514125033.GZ29526@ronin.4ever.de> Message-ID: <20090602092328.GO6911@ronin.4ever.de> I must follow up on that one... As a lot of people pointed out, the mgt if is out of the question, so I configured another mgt vrf to be able to put an interface into that (no, you cannot get another interface into the default mgt-vrf...it's only for gi0). 
I set the static route to null0 in the default vrf in order to see VRF ID : Default Source(1) 172.16.202.5 (Unknown) Destination(1) 172.16.31.250 (12001) Version 5 flow records, origin-as Cache for as aggregation: Flow export is disabled 2609363 flows exported in 122960 udp datagrams ...instead of the external address as the source. Still, I see no packets going out. Does anyone have a hint to get this running? Thanks for any input, Elmar. From sthaug at nethelp.no Tue Jun 2 04:23:40 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Tue, 02 Jun 2009 10:23:40 +0200 (CEST) Subject: [c-nsp] MPLS PE on Cisco L3 switches In-Reply-To: References: Message-ID: <20090602.102340.74688870.sthaug@nethelp.no> > I'm looking for solution of relatively cheap L3 switch, which could > also be configured as MPLS PE device. As far as I know, until now > cheapest option was Cisco 3750 Metro. Now I was reading whitepapers > for Cisco ME3400, and to be honest I didn't find any certain info > about this. Does anyone know if ME3400 (with proper IOS image) supports > MPLS (as I wrote before, I basically want to configure it as PE device) > or it still doesn't? It does not. Steinar Haug, Nethelp consulting, sthaug at nethelp.no From zivl at gilat.net Tue Jun 2 08:43:03 2009 From: zivl at gilat.net (Ziv Leyes) Date: Tue, 2 Jun 2009 15:43:03 +0300 Subject: [c-nsp] Ingress policing on a 3560 In-Reply-To: <63266.172.25.144.4.1243823930.squirrel@imap.snnap.net> References: <63266.172.25.144.4.1243823930.squirrel@imap.snnap.net> Message-ID: I'm applying the same you need using dscp instead of mac for "all traffic" and it's working good, here's a sample: class-map match-all ALL-TRAFFIC match ip dscp 0 ! policy-map 7-MEGA class ALL-TRAFFIC police 7168000 1344000 exceed-action drop ! interface FastEthernet0/1 description 7 Megabit rated interface sample service-policy input 7-MEGA ! 
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Storey Sent: Monday, June 01, 2009 5:39 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Ingress policing on a 3560 Hi all. What I'm trying to do is police ingress on a port, using a MAC ACL to match traffic to police (just a "permit any any" to match all traffic). But what I'm getting is that the switch doesnt appear to be matching any traffic at all. sw2#sh int gi0/14 | inc put rate 30 second input rate 20449000 bits/sec, 1688 packets/sec 30 second output rate 2620000 bits/sec, 1690 packets/sec sw2#sh policy-map int gi0/14 GigabitEthernet0/14 Service-policy input: police-10mbit-in Class-map: mac-any-any (match-any) 0 packets, 0 bytes 30 second offered rate 0 bps, drop rate 0 bps Match: access-group name mac-any-any 0 packets, 0 bytes 30 second rate 0 bps Class-map: class-default (match-any) 0 packets, 0 bytes 30 second offered rate 0 bps, drop rate 0 bps Match: any 0 packets, 0 bytes 30 second rate 0 bps Does anyone have any pointers as to what I'm doing wrong? Below is my config. mac access-list extended mac-any-any permit any any ! class-map match-any mac-any-any match access-group name mac-any-any ! policy-map police-10mbit-in class mac-any-any police 10000000 1000000 exceed-action drop ! interface GigabitEthernet0/14 service-policy input police-10mbit-in ! Ive also tried with just class-default, but got the same result. I am currently using the "vlan" SDM profile, if that makes any difference. 
Cheers, Tom _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ From uugnaa_mns at yahoo.com Tue Jun 2 07:52:25 2009 From: uugnaa_mns at yahoo.com (uugnaa) Date: Tue, 2 Jun 2009 04:52:25 -0700 (PDT) Subject: [c-nsp] Optical Transceiver Module Message-ID: <268079.75440.qm@web55102.mail.re4.yahoo.com> Hello all, Is there any Cisco or third party Optical Transceiver SFP module which goes up to 80km, up to 15km and up to 20km. Please help me on this. thank you in advance. From johnny at johnnykarmspedersen.dk Tue Jun 2 09:55:08 2009 From: johnny at johnnykarmspedersen.dk (Johnny Karms Pedersen) Date: Tue, 2 Jun 2009 15:55:08 +0200 Subject: [c-nsp] Cisco 3640 flash installation issue. Message-ID: Hi, I've just installed two 16 MB flash modules in one of my Cisco 3640 with bootstrap v. 11.1(20)AA2. After I've installed the modules I boot the router up using an external flash card, the modules are recognized and I can partition them as one 32 MB partition. I can also succesfully copy an IOS image to it (checksum verification says everything is ok). But I reload the router I get the following error messages: ------------- get_man_dev: Unknown device - probably NOT formatted. 
unknown flash device - mandev code = 0x89aa cannot read flash info getdevnum warning: device "flash" has size of zero get_man_dev: Unknown device - probably NOT formatted. unknown flash device - mandev code = 0x89aa cannot read flash info getdevnum warning: device "flash" has size of zero get_man_dev: Unknown device - probably NOT formatted. unknown flash device - mandev code = 0x89aa cannot read flash info getdevnum warning: device "flash" has size of zero get_man_dev: Unknown device - probably NOT formatted. unknown flash device - mandev code = 0x89aa cannot read flash info getdevnum warning: device "flash" has size of zero open: read error...requested 0x4 bytes, got 0x0 trouble reading device magic number dir: cannot open device "flash:" ------------ I've got several others running the exact same setup with same bootstrap version. Any clues to why this doesn't seem to work when booting up, and how to solve it? Best regards Johnny Karms Pedersen From pavel.skovajsa at gmail.com Tue Jun 2 11:21:21 2009 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Tue, 2 Jun 2009 17:21:21 +0200 Subject: [c-nsp] Dot1x stuck in guest-vlan Message-ID: <323aca890906020821m4d89c879rdaddd5ebe636f0f8@mail.gmail.com> Hello all, I am struggling with the way the Guest Vlan is handled in dot1x. 
All the port states work just fine, except during workstation boot-up the switch does not receive dot1x packets from the workstation dot1x client, hence forcing the port to fall into the Guest Vlan, as below:

=============================================
C3560#sh authentication sessions interface fa0/38
            Interface:  FastEthernet0/38
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  330
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A821A5C00003727DE21D3A1
      Acct Session ID:  0x000045A8
               Handle:  0x63000727

Runnable methods list:
       Method   State
       dot1x    Failed over
==============================================

Once the PC and its dot1x client or supplicant is up and running the port status does not change as I would expect - to the production Vlan. The only remedy here is to shut / no shut the port.

port config:
====================
interface FastEthernet0/38
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 500
 priority-queue out
 authentication event fail action authorize vlan 330
 authentication event server dead action authorize vlan 100
 authentication event no-response action authorize vlan 330   <= it works without this command for compliant users, however non-compliant guest machines would not be allowed any network connectivity at all
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer restart 20
 authentication timer reauthenticate 20
 authentication timer inactivity 120
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout server-timeout 100
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 10
 spanning-tree portfast
end
===========================

Many thanks for any hints,

Pavel Skovajsa

From Michael.Balasko at cityofhenderson.com Tue Jun 2 14:24:47 2009
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Tue, 2 Jun 2009 11:24:47 -0700
Subject: [c-nsp] Optical Transceiver Module
In-Reply-To: <268079.75440.qm@web55102.mail.re4.yahoo.com>
References: <268079.75440.qm@web55102.mail.re4.yahoo.com>
Message-ID: <9AF22D15085E7D409ED5710CBC779E930A870DCE@COHNTCS09.ci.henderson.nv.us>

Distance is irrelevant - it's all about optical budget and the quality of your SM fiber, number of splices/patches etc... but you're looking for a zx spec optic.

http://www.google.com/search?hl=en&q=sfp+zx&aq=f&oq=&aqi=

Michael Balasko CCNP,CCSP,MCSE,MCNE
Network Specialist II
City of Henderson, Nevada
240 Water St.
Henderson, NV 89015
702-267-4337 (single number reach)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of uugnaa
Sent: Tuesday, June 02, 2009 4:52 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Optical Transceiver Module

Hello all,

Is there any Cisco or third party Optical Transceiver SFP module which goes up to 80km, up to 15km and up to 20km.

Please help me on this.

thank you in advance.

From pdavis at i2k.com Tue Jun 2 14:43:41 2009
From: pdavis at i2k.com (Phil Davis)
Date: Tue, 02 Jun 2009 14:43:41 -0400
Subject: [c-nsp] PA-A3-T3 FEBE and LOS
Message-ID: <4A2572DD.3000506@i2k.com>

Hello,

I have an ATM DS3 coming through a PA-A3-T3. The last few days it would abruptly go down for 5-10 minutes, perhaps every 12 hours on average. During these times, the interface would show rapidly growing carrier signal loss (about 10-20/sec.) I also saw incrementing FEBE errors. However, neither the provider nor a third-party transport provider was detecting LOS on the line. However, the far side did see a relatively small number of FEBE errors.
I swapped the interface and it's been quiet for the last few hours, though it remains to be seen if that's the last of the issue. Does this make sense to anybody? I don't understand why an erroring PA would detect LOS without LOS being present. Could it have been bouncing in and out of loopback?

sh run int ATM1/0:

interface ATM1/0
 no ip address
 no ip mroute-cache
 atm scrambling cell-payload
 atm framing cbitplcp
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 no clns route-cache
end

sh diag 1:

        ATM WAN DS3 Port adapter, 1 port
        Port adapter is analyzed
        Port adapter insertion time 02:39:05 ago
        EEPROM contents at hardware discovery:
        Hardware revision 2.0           Board revision A0
        Serial number     23121181      Part number    73-2432-04
        FRU Part Number: PA-A3-T3=
        Test history      0x0           RMA number     00-00-00
        EEPROM format version 1
        EEPROM contents (hex):
          0x00: 01 5B 02 00 01 60 CD 1D 49 09 80 04 00 00 00 00
          0x10: 50 00 00 00 00 09 17 00 FF FF FF FF FF FF FF FF

sh contr atm1/0:

Slot 1:
        ATM WAN DS3 Port adapter, 1 port
        Port adapter is analyzed
        Port adapter insertion time 02:39:05 ago
        EEPROM contents at hardware discovery:
        Hardware revision 2.0           Board revision A0
        Serial number     23121181      Part number    73-2432-04
        FRU Part Number: PA-A3-T3=
        Test history      0x0           RMA number     00-00-00
        EEPROM format version 1
        EEPROM contents (hex):
          0x00: 01 5B 02 00 01 60 CD 1D 49 09 80 04 00 00 00 00
          0x10: 50 00 00 00 00 09 17 00 FF FF FF FF FF FF FF FF

sh contr atm1/0:

Interface ATM1/0 is up
  Hardware is ENHANCED ATM PA - DS3 (45000Kbps)
  Framer is PMC PM7345 S/UNI-PDH, SAR is LSI ATMIZER II
  Firmware rev: G153, Framer rev: 1, ATMIZER II rev: 3
    idb=0x63A1F0D4, ds=0x63A491E0, vc=0x63A572E0
    slot 1, unit 1, subunit 0, fci_type 0x005B, ticks 9682
    1200 rx buffers: size=512, encap=64, trailer=28, magic=4
  Curr Stats:
    VCC count: current=32, peak=32
    AAL2 VCC count: 0
    AAL2 TX no buffer count: 0
    AAL2 RX no buffer count: 0
    SAR crashes: Rx SAR=0, Tx SAR=0
    rx_cell_lost=0, rx_no_buffer=0, rx_crc_10=0, rx_no_mem=0
    rx_cell_len=0, rx_no_vcd=313, rx_cell_throttle=0, tx_aci_err=0
  Rx Free Ring status:
    base=0x3CA7C040, size=2048, write=1016
  Rx Compl Ring status:
    base=0x7E4DB7E0, size=2048, read=834
  Tx Ring status:
    base=0x3CF13A40, size=8192, write=2205
  Tx Compl Ring status:
    base=0x0E1B3840, size=4096, read=1101
  BFD Cache status:
    base=0x65F45940, size=6144, read=6140
  Rx Cache status:
    base=0x64458360, size=16, write=2
  Tx Shadow status:
    base=0x66691E60, size=8192, read=2191, write=2205
  Control data:
    rx_max_spins=22, max_tx_count=144, tx_count=14
    rx_threshold=800, rx_count=2, tx_threshold=4608
    tx bfd write indx=0x47C, rx_pool_info=0x63A208C0
  Control data base address:
    rx_buf_base      = 0x0E3A6C80
    rx_p_base        = 0x66802E80
    rx_pak           = 0x639727DC
    cmd              = 0x64752080
    framer           = 0x60479798
    framer_cb        = 0x6474FB80
    framer_base      = 0x3C900000
    pci_pa_stats     = 0x7E391900
    device_base[0]   = 0x3C800000
    device_base[1]   = 0x3CC00000
    ssram_base[0]    = 0x3CA00000
    ssram_base[1]    = 0x3CE00000
    sdram_base[0]    = 0x3CB00000
    sdram_base[1]    = 0x3CF00000
    pa_cmd_buf[0]    = 0x3CA7FC00
    pa_cmd_buf[1]    = 0x3CE7FC00
    vcd_base[0]      = 0x3CA00000
    vcd_base[1]      = 0x3CE18000
    chip_dump[0]     = 0x0E39192C
    chip_dump[1]     = 0x0E391A2C
    sar_buf_base[0]  = 0x3CB24000
    sar_buf_base[1]  = 0x3CF1C000
    bfd_base[0]      = 0x3CA64000
    bfd_base[1]      = 0x3CE00000
    acd_base[0]      = 0x3CA22080
    acd_base[1]      = 0x3CE38240
  Framer Information:
    Framing mode: DS3 C-bit PLCP
    No alarm detected
  Facility statistics: current interval elapsed 682 seconds
      lcv      fbe      ezd      pe       ppe      febe     hcse
    ----------------------------------------------------------------------
      0        1        0        1        1        1        0        0
  PLCP Errors:
      bipe     fbe      febe
    -----------------------------
      0        1        0        0
    lcv:  Line Code Violation
    fbe:  Framing Bit Error
    ezd:  Summed Excessive Zeros
    pe:   Parity Error
    ppe:  Path Parity Error
    febe: Far-end Block Error
    hcse: Rx Cell HCS Error
    bipe: Bit Interleave Parity (B1) Error

Thanks!
Phil

From andy at xecu.net Tue Jun 2 15:21:12 2009
From: andy at xecu.net (Andy Dills)
Date: Tue, 2 Jun 2009 15:21:12 -0400 (EDT)
Subject: [c-nsp] Netflow analyzer suggestions
Message-ID: <20090602150859.H38689@shell.xecu.net>

Hi there,

Apologies for the non-cisco specific post, but I couldn't think of a better list to post to off of the top of my head.

A friend of mine is looking to get some better visibility into their network usage (low bandwidth, T1 type scenario). I got them set up with an IOS that supports netflow v9, and since they had a freebsd box being barely used, I built ntop to be their collector/analyzer.

It works reasonably well, but it's perhaps not quite...user friendly enough for them.

What they're looking for is a graphical representation at the host level. In essence, they're looking for something like cricket/mrtg but with each IP having its own graph (rather than each interface). Additional features, such as protocol breakdown and so forth, are helpful, but the primary desire is to be able to see how much bandwidth a given IP address is using currently and was using in the past.

They're open to commercial solutions, but would prefer to keep costs down. Host operating system requirements for the collector/analyzer aren't important.

Does anybody have any suggestions they could pass along?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

From florinb at teksavvy.com Tue Jun 2 16:59:41 2009
From: florinb at teksavvy.com (florinb at teksavvy.com)
Date: Tue, 02 Jun 2009 16:59:41 -0400
Subject: [c-nsp] Cisco 7204 Ethernet LMI Question
Message-ID:

Hi,

I would like to ask your opinion on an issue I see in a configuration where a 7204 acts as a CE and is running Ethernet LMI on a FastE interface:

interface FastEthernet2/0
 no ip address
 logging event subif-link-status
 duplex full
 no keepalive
 ethernet lmi interface
 ethernet lmi t391 10
 ethernet lmi n393 4
!
interface FastEthernet2/0.10
 encapsulation dot1Q 10
 ip address 10.0.11.12 255.255.255.0

As soon as the PE sends an Ethernet LMI Status Full Status message with one EVC MAP entry indicating that EVC10 (mapped to VLAN 10) is new and active in the MEN, the line protocol on interface Fast 2/0 changes status to down; the subinterface Fast 2/0.10 stays up (because LMI indicated the EVC associated with VLAN 10 is active).

c7204#show int fast 2/0
FastEthernet2/0 is up, line protocol is down
  Hardware is AmdFE, address is 0005.dd6e.9038 (bia 0005.dd6e.9038)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:12, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/40/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     842 packets input, 62128 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 1 throttles
     1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     17244 packets output, 1683765 bytes, 0 underruns
     0 output errors, 0 collisions, 35 interface resets
     57 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

My take is the line protocol status on interface fast 2/0 changes to down because there was no indication from the PE of an active EVC associated with VLAN 1 (the native VLAN the system associates by default with interface fast 2/0).
At this point the interface Fast 2/0 keeps sending Ethernet LMI PDUs (as expected by the LMI protocol) but it does not accept any Ethernet LMI PDUs from the PE (Ethernet LMI PDUs are untagged). If the PE includes VLAN 1 in the CE-VLAN map it sends (or if I set VLAN 10 as native on the CE) the Ethernet LMI PDU exchange will be successful.

I wonder if I am missing something in the CE configuration, as it looks unusual to me that Ethernet LMI has to "enable" the data path it will use to send its own PDUs.

Please let me know your opinion.

Thanks,
Florin

From scott at labyrinth.org Tue Jun 2 19:58:52 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Tue, 2 Jun 2009 19:58:52 -0400
Subject: [c-nsp] Dot1x stuck in guest-vlan
In-Reply-To: <323aca890906020821m4d89c879rdaddd5ebe636f0f8@mail.gmail.com>
References: <323aca890906020821m4d89c879rdaddd5ebe636f0f8@mail.gmail.com>
Message-ID: <88985CB2-7E54-48EB-A397-4826D0283693@labyrinth.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you're using the Microsoft supplicant, you may need to make a registry change to force the supplicant to issue an EAPOL start to initialize the state machine on the port.

See: http://technet.microsoft.com/en-us/network/cc987603.aspx

The SupplicantMode registry value (HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode) affects the behavior of an 802.1X supplicant when sending EAP over LAN (EAPOL)-Start packets during 802.1X authentication. The SupplicantMode value can be set to the following:

* 0 - Disable IEEE 802.1X operation.
* 1 - Never send an EAPOL-Start packet.
* 2 - Automatically determine when to initiate the transmission of EAPOL-Start packets. This is the default value for wired connections.
* 3 - Send an EAPOL-Start message upon association to initiate the 802.1X authentication process, for compliance with the IEEE 802.1X specification.
On Jun 2, 2009, at 11:21 AM, Pavel Skovajsa wrote:

> Hello all,
>
> I am struggling with the way the Guest Vlan is handled in dot1x.
> All the port states work just fine, except during workstation boot-up
> the switch does not receive dot1x packets from workstation dot1x
> client hence forcing the port to fall into Guest Vlan, as below:
>
> =============================================
> C3560#sh authentication sessions interface fa0/38
> Interface: FastEthernet0/38
> MAC Address: Unknown
> IP Address: Unknown
> User-Name: UNRESPONSIVE
> Status: Authz Success
> Domain: DATA
> Oper host mode: multi-host
> Oper control dir: both
> Authorized By: Guest Vlan
> Vlan Policy: 330
> Session timeout: N/A
> Idle timeout: N/A
> Common Session ID: 0A821A5C00003727DE21D3A1
> Acct Session ID: 0x000045A8
> Handle: 0x63000727
>
> Runnable methods list:
> Method State
> dot1x Failed over
> ==============================================
>
> Once PC and its dot1x client or supplicant is up and running the port
> status does not change as I would expect - to production Vlan.
> The only remedy here is to shut / no shut the port.
>
> port config:
> ====================
> interface FastEthernet0/38
> switchport access vlan 100
> switchport mode access
> switchport voice vlan 500
> priority-queue out
> authentication event fail action authorize vlan 330
> authentication event server dead action authorize vlan 100
> authentication event no-response action authorize vlan 330 <=
> it works without this command for compliant users, however
> non-compliant guest machines would not be allowed any network
> connectivity at all
> authentication event server alive action reinitialize
> authentication port-control auto
> authentication periodic
> authentication timer restart 20
> authentication timer reauthenticate 20
> authentication timer inactivity 120
> mls qos trust device cisco-phone
> mls qos trust cos
> dot1x pae authenticator
> dot1x timeout server-timeout 100
> dot1x timeout tx-period 2
> dot1x timeout supp-timeout 10
> spanning-tree portfast
> end
> ===========================
>
> Many thanks for any hints,
>
> Pavel Skovajsa

- --
Scott Keoseyan
scott at labyrinth.org
Homepage - http://www.labyrinth.org/homepages/scott
Blog - http://www.labyrinth.org/wp1
PGP Key - http://www.labyrinth.org/homepages/scott/pgp.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.11 (Darwin)

iEYEARECAAYFAkolvMAACgkQA7TpMPAlvEdl1gCeOKWRQybwDsfo+rJ5sqX/cXs1
MZYAn1X37ReSSi1zIkGcELpLeaMv1yqp
=X0L3
-----END PGP SIGNATURE-----

From ltd at cisco.com Tue Jun 2 20:12:42 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Wed, 03 Jun 2009 10:12:42 +1000
Subject: [c-nsp] Optical Transceiver Module
In-Reply-To: <268079.75440.qm@web55102.mail.re4.yahoo.com>
References: <268079.75440.qm@web55102.mail.re4.yahoo.com>
Message-ID: <4A25BFFA.4040406@cisco.com>

in Cisco terms:

80km would be covered by DWDM, CWDM and ZX optics.

20km would be covered by DWDM, CWDM, ZX and ER/ER+ optics.

15km may be covered by LR optics at a pinch. would have to be very good fiber, few patches etc. you'd need to know exact fiber characteristics as to whether it's possible. but if not, then it'll be the same as 20km above.

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/white_paper_c11-463661.html provides all the details you're looking for.

as others have indicated "distance" is more of a 'typical' thing rather than an absolute science.

cheers,

lincoln.

uugnaa wrote:
> Hello all,
>
> Is there any Cisco or third party Optical Transceiver SFP module which goes up to 80km, up to 15km and up to 20km.
>
> Please help me on this.
>
> thank you in advance.
>

From rdobbins at arbor.net Tue Jun 2 20:35:48 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 3 Jun 2009 07:35:48 +0700
Subject: [c-nsp] Netflow analyzer suggestions
In-Reply-To: <20090602150859.H38689@shell.xecu.net>
References: <20090602150859.H38689@shell.xecu.net>
Message-ID: <222ACA30-9C13-4636-98F9-6F3F87604466@arbor.net>

On Jun 3, 2009, at 2:21 AM, Andy Dills wrote:

> Does anybody have any suggestions they could pass along?

They should be able to use nfdump/nfsen, or most any of the others, and do graphing/reporting on individual IPs as /32s, one should think?

-----------------------------------------------------------------------
Roland Dobbins //

  Unfortunately, inefficiency scales really well.

  -- Kevin Lawton

From jloiacon at csc.com Tue Jun 2 20:52:38 2009
From: jloiacon at csc.com (Joe Loiacono)
Date: Tue, 2 Jun 2009 20:52:38 -0400
Subject: [c-nsp] Netflow analyzer suggestions
In-Reply-To: <20090602150859.H38689@shell.xecu.net>
References: <20090602150859.H38689@shell.xecu.net>
Message-ID:

One open-source option is flow-tools and FlowViewer. It does exactly what you're asking for. But you would have to export v5 or v7.
For information and screenshots:

http://ensight.eos.nasa.gov/FlowViewer/

Joe

Andy Dills
Sent by: cisco-nsp-bounces at puck.nether.net
06/02/2009 03:21 PM

To
cisco-nsp at puck.nether.net
cc

Subject
[c-nsp] Netflow analyzer suggestions

Hi there,

Apologies for the non-cisco specific post, but I couldn't think of a better list to post to off of the top of my head.

A friend of mine is looking to get some better visibility into their network usage (low bandwidth, T1 type scenario). I got them setup with an IOS that supports netflow v9, and since they had a freebsd box being barely used, I built ntop to be their collector/analyzer.

It works reasonably well, but it's perhaps not quite...user friendly enough for them.

What they're looking for is a graphical representation at the host level. In essence, they're looking for something like cricket/mrtg but with each IP having its own graph (rather than each interface). Additional features, such as protocol breakdown and so forth are helpful, but the primary desire is to be able to see how much bandwidth a given IP address is using currently and was using in the past.

They're open to commercial solutions, but would prefer to keep costs down. Host operating system requirements for the collector/analyzer aren't important.

Does anybody have any suggestions they could pass along?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

From r.burts at earthlink.net Tue Jun 2 21:17:23 2009
From: r.burts at earthlink.net (Rick Burts)
Date: Tue, 02 Jun 2009 21:17:23 -0400
Subject: [c-nsp] ASA / EIGRP / Redundant Interfaces
In-Reply-To: <007a01c9c9b5$22c119a1$0600a8c0@whgroup.com>
References: <007a01c9c9b5$22c119a1$0600a8c0@whgroup.com>
Message-ID: <4A25CF23.4040806@earthlink.net>

It seems to me that an offset list applied outbound on one of the routers could make its routes less attractive than the routes from the other router. This should give you 1 primary set of routes and 1 backup set of routes. And it does not require any special configuration on the ASA.

HTH

Rick

Jason Link wrote:
> Maybe that's the best option here. I can't seem to find any other way to do it cleanly.
>
> Thanks!
>
>
> -----Original Message-----
> From: Peter Rathlev
> Sent: Thursday, April 30, 2009 11:52 AM
> To: Jason Link
> Cc: Cisco-nsp
> Subject: RE: [c-nsp] ASA / EIGRP / Redundant Interfaces
>
> On Thu, 2009-04-30 at 11:39 -0500, Jason Link wrote:
>> Additionally, I'm not sure HSRP would help me in a situation like this,
>> since the way I understand it the ASA will still learn both routers'
>> "real" IP address and will form a neighbor to each one. I would like to
>> avoid calling out the neighbor specifically, if I can help it.
>
> Yes of course, if the ASA has to do EIGRP my suggestion is irrelevant. I
> overlooked that somewhat since I'm not used to thinking about having
> firewalls do dynamic routing. :-)
>
> The HSRP thing would of course be with the ASA not participating in the
> EIGRP. On the ASA side you would use static routes pointing at the HSRP
> IP. On the router side you would use static routes pointing at the ASA
> primary IP.
>
> Regards,
> Peter
>

From pshem.k at gmail.com Tue Jun 2 22:26:37 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Wed, 3 Jun 2009 14:26:37 +1200
Subject: [c-nsp] ICMP replay from egress PE
Message-ID: <20fe625b0906021926x3e0065aficf005b0a86f3e0c4@mail.gmail.com>

Hi,

Recently we've upgraded some of our 7301 to ASR (1004). Config remained pretty much the same (from the L3VPN perspective), but it looks like the behaviour of both platforms is somewhat different. I'm not sure if it's a feature or a bug yet.

We have a typical setup, like this:

CE1 --- PE1 --- P1 --- P2 --- PE2 --- CE2
                        |              |
                        + --- PE3 --- CE3

So the customer's site is multihomed via PE2 and PE3 and has an internal connection between CE2 and CE3.

With the 7301, traceroute from CE1 used to show the IP of PE2 or PE3 (egress interface from the vrf); after the upgrade to ASRs all we can see is PE1's IP and then straight CE2/CE3, but since the customer drops icmp packets we can't really see which way it's really going. Is there a way to get an ICMP reply from the egress ASR? I understand it switches the packets out through the interface without actually doing any lookups, but even after forcing 'label-per-vrf' we can't see the last hop.

Any ideas if this behaviour can be corrected?
kind regards
Pshem

From zhqasmi at cyber.net.pk Tue Jun 2 23:45:04 2009
From: zhqasmi at cyber.net.pk (Amjad Ul Hasnain Qasmi)
Date: Wed, 03 Jun 2009 09:45:04 +0600
Subject: [c-nsp] ICMP replay from egress PE
In-Reply-To: <20fe625b0906021926x3e0065aficf005b0a86f3e0c4@mail.gmail.com>
References: <20fe625b0906021926x3e0065aficf005b0a86f3e0c4@mail.gmail.com>
Message-ID: <00f601c9e3fd$aeb52d30$0c1f8790$@net.pk>

Try enabling "mpls ip propagate-ttl":
http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_m2.html#wp1058956

Regards,
AHQ

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pshem Kowalczyk
Sent: Wednesday, June 03, 2009 8:27 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ICMP replay from egress PE

Hi,

Recently we've upgraded some of our 7301 to ASR (1004). Config remained pretty much the same (from L3VPNs perspective), but it looks like the behaviour of both platforms is somewhat different. I'm not sure if it's a feature or a bug yet.

We have a typical setup, like this:

CE1 --- PE1 --- P1 --- P2 --- PE2 --- CE2
                        |              |
                        + --- PE3 --- CE3

So customers site is multihomed via PE2 and PE3 and has internal connection between CE2 and CE3

With 7301 Traceroute from CE1 used to show the IP of PE2 or PE3 (egress interface from the vrf), after the upgrade to ASRs - all we can see is PE1's IP and then straight CE2/CE3, but since customer drops icmp packets - we can't really see which way it's really going. Is there a way to get an ICMP reply from the egress ASR? I understand it switches the packets out through the interface without actually doing any lookups, but even after forcing 'label-per-vrf' we can't see the last hop.

Any ideas if this behaviour can be corrected?

kind regards
Pshem

From pshem.k at gmail.com Wed Jun 3 01:00:13 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Wed, 3 Jun 2009 17:00:13 +1200
Subject: [c-nsp] ICMP replay from egress PE
In-Reply-To: <00f601c9e3fd$aeb52d30$0c1f8790$@net.pk>
References: <20fe625b0906021926x3e0065aficf005b0a86f3e0c4@mail.gmail.com> <00f601c9e3fd$aeb52d30$0c1f8790$@net.pk>
Message-ID: <20fe625b0906022200h31a74b7ei399dbf870d499636@mail.gmail.com>

Hi,

If I do that I'll see the 'MPLS' hops, which I don't want. All I would like to see is an ICMP reply from the address inside the vrf.

kind regards
Pshem

2009/6/3 Amjad Ul Hasnain Qasmi :
> Try enabling " mpls ip propagate-ttl "
> http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_m2.html#wp1058956
>
> Regards,
> AHQ
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pshem Kowalczyk
> Sent: Wednesday, June 03, 2009 8:27 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ICMP replay from egress PE
>
> Hi,
>
> Recently we've upgraded some of our 7301 to ASR (1004). Config
> remained pretty much the same (from L3VPNs perspective), but it looks
> like the behaviour of both platforms is somewhat different. I'm not
> sure if it's a feature or a bug yet.
>
> We have a typical setup, like this:
> CE1 --- PE1 --- P1 --- P2 --- PE2 --- CE2
>                         |              |
>                         + --- PE3 --- CE3
>
> So customers site is multihomed via PE2 and PE3 and has internal
> connection between CE2 and CE3
>
> With 7301 Traceroute from CE1 used to show the IP of PE2 or PE3
> (egress interface from the vrf), after the upgrade to ASRs - all we
> can see is PE1's IP and then straight CE2/CE3, but since customer
> drops icmp packets - we can't really see which way it's really going.
> Is there a way to get an ICMP reply from the egress ASR? I understand
> it switches the packets out through the interface without actually
> doing any lookups, but even after forcing 'label-per-vrf' we can't see
> the last hop.
> Any ideas if this behaviour can be corrected?
>
> kind regards
> Pshem
>

From rick at woofpaws.com Wed Jun 3 00:54:07 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Tue, 2 Jun 2009 21:54:07 -0700 (PDT)
Subject: [c-nsp] Revisiting ethernet bandwidth management
Message-ID: <58184.172.16.5.57.1244004847.squirrel@www.woofpaws.com>

I'm working on a network refresh that includes the customer aggregation. Services to customers are primarily across ethernet (LAN and MAN). I've been researching/fighting/experimenting with methods to handle per-port bidirectional bandwidth control. The legacy configuration uses Cisco's CAR, and I've been looking at traffic-shaping and policing.

From what I can see, the various bandwidth management techniques require increasing CPU as the traffic rate increases (more packets/bytes == more work for the CPU). I need a device that does at least HSRP/VRRP/equivalent plus OSPF and handles the bandwidth management. The 3550G (playing with it for a different project) reportedly has problems with multiple ports/streams above 1Mbs.
The chassis-based devices (6500/7600) appear to punt at least some of the traffic to CPU, plus I'd like to deploy small devices per patch-panel and backhaul to the aggregation or core (depending on how much functionality is in the device).

I'd like either a stackable or small chassis device that I can either configure "M"Mbs per port/VLAN or "P"percent per port, not necessarily with bursting capability. The extreme hypothetical environment would be 24ea 10/100/1000 ports each configured for 1Mbs bandwidth and hosts on all ports attempting to send and/or receive at line rate without cratering the device.

I've also considered essentially aggregating multiple ports/VLANs on a switch and uplinking with a 100Mbs port. This would require monitoring and manual intervention to ensure the aggregate doesn't exceed 100Mbs. We also have customers that need more than 100Mbs, which means I'd somehow have to ensure that a single customer couldn't consume the capacity of an entire GigE (unless provisioned for it).

Am I missing a feature/device/configuration that is obvious to somebody else, or.... ?

My concern with any CPU-based solution is that it won't scale as customer bandwidth needs continue to increase. I'd also prefer small, stand-alone devices and distribute them at the patch-panel level for "light bulb" replacement and ease of cable management.

Thanks,


From rdobbins at arbor.net Wed Jun 3 01:37:37 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 3 Jun 2009 12:37:37 +0700
Subject: [c-nsp] Revisiting ethernet bandwidth management
In-Reply-To: <58184.172.16.5.57.1244004847.squirrel@www.woofpaws.com>
References: <58184.172.16.5.57.1244004847.squirrel@www.woofpaws.com>
Message-ID: <14260C2D-D4D0-41C9-A506-120AFA1B52A4@arbor.net>

On Jun 3, 2009, at 11:54 AM, Rick Ernst wrote:

> Am I missing a feature/device/configuration that is obvious to
> somebody
> else, or.... ?

Have you considered going with ASIC-based switches and making use of the QoS functionality, so you aren't CPU-bound?

-----------------------------------------------------------------------
Roland Dobbins //

       Unfortunately, inefficiency scales really well.

                   -- Kevin Lawton


From zhqasmi at cyber.net.pk Wed Jun 3 02:10:36 2009
From: zhqasmi at cyber.net.pk (Amjad Ul Hasnain Qasmi)
Date: Wed, 03 Jun 2009 12:10:36 +0600
Subject: [c-nsp] ICMP replay from egress PE
In-Reply-To: <20fe625b0906022200h31a74b7ei399dbf870d499636@mail.gmail.com>
References: <20fe625b0906021926x3e0065aficf005b0a86f3e0c4@mail.gmail.com>
	<00f601c9e3fd$aeb52d30$0c1f8790$@net.pk>
	<20fe625b0906022200h31a74b7ei399dbf870d499636@mail.gmail.com>
Message-ID: <010001c9e412$0369a810$0a3cf830$@net.pk>

As per my understanding of your issue, you want to keep your MPLS domain hidden from the customer's perspective but at the same time you want your egress LER to appear in traceroute. You may need to disable TTL propagation for forwarded packets (VPN traffic): use "no mpls ip propagate forwarded" on LERs. This allows the structure of the MPLS network to be hidden from customers, but not the provider.

Regards,
AHQ

-----Original Message-----
From: Pshem Kowalczyk [mailto:pshem.k at gmail.com]
Sent: Wednesday, June 03, 2009 11:00 AM
To: Amjad Ul Hasnain Qasmi
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ICMP replay from egress PE

Hi,

If I do that I'll see the 'MPLS' hops, which I don't want. All I would
like to see is ICMP reply from the address inside the vrf.

kind regards
Pshem

2009/6/3 Amjad Ul Hasnain Qasmi :
> Try enabling " mpls ip propagate-ttl "
> http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_m2.html#wp1058956
>
> Regards,
> AHQ
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pshem Kowalczyk
> Sent: Wednesday, June 03, 2009 8:27 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ICMP replay from egress PE
>
> Hi,
>
> Recently we've upgraded some of our 7301 to ASR (1004). Config
> remained pretty much the same (from L3VPNs perspective), but it looks
> like the behaviour of both platforms is somewhat different. I'm not
> sure if it's a feature or a bug yet.
>
> We have a typical setup, like this:
> CE1 --- PE1 --- P1 --- P2 --- PE2 --- CE2
>                         |              |
>                         + --- PE3 --- CE3
>
> So the customer's site is multihomed via PE2 and PE3 and has an internal
> connection between CE2 and CE3
>
> With 7301 Traceroute from CE1 used to show the IP of PE2 or PE3
> (egress interface from the vrf), after the upgrade to ASRs - all we
> can see is PE1's IP and then straight CE2/CE3, but since customer
> drops icmp packets - we can't really see which way it's really going.
> Is there a way to get an ICMP reply from the egress ASR? I understand
> it switches the packets out through the interface without actually
> doing any lookups, but even after forcing 'label-per-vrf' we can't see
> the last hop.
> Any ideas if this behaviour can be corrected?
>
> kind regards
> Pshem


From gert at greenie.muc.de Wed Jun 3 03:16:09 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 3 Jun 2009 09:16:09 +0200
Subject: [c-nsp] hung vty on SXH3a?
Message-ID: <20090603071609.GY290@greenie.muc.de>

Hi,

so far, we have been quite happy with SXH3a, but today two of our boxes have started playing games with me... notably, the command we use to auto-upload ACLs etc.

    rcp new_config.txt router:running-config

started to fail with "rcp: running-config: No such file or directory".

On other boxes, it works "as usual". All the "ip rcmd" config is present and sane. The only thing that looks different is this:

Cisco#who
    Line       User       Host(s)              Idle       Location
   1 vty 0                Virtual Exec         00:00:00
*  2 vty 1     gert       idle                 00:00:00 mgmthost

  Interface    User               Mode         Idle     Peer Address

Cisco#

- "vty 0" looks weird. I can't find a way to recover that vty, that is "clear line 1" or "clear line vty 0" don't change anything. Nor is there a TCB assigned to it ("show tcp vty 1" shows my telnet connection, but "show tcb vty 0" doesn't display anything).

So... is this a known bug in SXH3a? Is there a way to reclaim that VTY without rebooting?

(I've also tried configuring "transport input none" under "line vty 0", and to completely disable "ip rcmd ..." to get rid of the session, but no change either).

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


From pshem.k at gmail.com Wed Jun 3 04:30:02 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Wed, 3 Jun 2009 20:30:02 +1200
Subject: [c-nsp] ICMP replay from egress PE
In-Reply-To: <010001c9e412$0369a810$0a3cf830$@net.pk>
References: <20fe625b0906021926x3e0065aficf005b0a86f3e0c4@mail.gmail.com>
	<00f601c9e3fd$aeb52d30$0c1f8790$@net.pk>
	<20fe625b0906022200h31a74b7ei399dbf870d499636@mail.gmail.com>
	<010001c9e412$0369a810$0a3cf830$@net.pk>
Message-ID: <20fe625b0906030130o16aedbf1we98d8db9dc920ca1@mail.gmail.com>

Hi,

That setup (without ttl propagation) works fine on 7301. I would like to know if it's possible to achieve the same result using an ASR1004. Since we are not talking here about only one customer, or one person that needs to troubleshoot the problems, having the previous behaviour back is definitely the best option.

kind regards
Pshem

2009/6/3 Amjad Ul Hasnain Qasmi :
> As per my understanding of your issue, you want to keep your MPLS domain hidden from the customer's perspective but at the same time you want your egress LER to appear in traceroute. You may need to disable TTL propagation for forwarded packets (VPN traffic): use "no mpls ip propagate forwarded" on LERs. This allows the structure of the MPLS network to be hidden from customers, but not the provider.
>
> Regards,
> AHQ
>
>
>
> -----Original Message-----
> From: Pshem Kowalczyk [mailto:pshem.k at gmail.com]
> Sent: Wednesday, June 03, 2009 11:00 AM
> To: Amjad Ul Hasnain Qasmi
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ICMP replay from egress PE
>
> Hi,
>
> If I do that I'll see the 'MPLS' hops, which I don't want. All I would
> like to see is ICMP reply from the address inside the vrf.
>
> kind regards
> Pshem
>
> 2009/6/3 Amjad Ul Hasnain Qasmi :
>> Try enabling " mpls ip propagate-ttl "
>> http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_m2.html#wp1058956
>>
>> Regards,
>> AHQ
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pshem Kowalczyk
>> Sent: Wednesday, June 03, 2009 8:27 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ICMP replay from egress PE
>>
>> Hi,
>>
>> Recently we've upgraded some of our 7301 to ASR (1004). Config
>> remained pretty much the same (from L3VPNs perspective), but it looks
>> like the behaviour of both platforms is somewhat different. I'm not
>> sure if it's a feature or a bug yet.
>>
>> We have a typical setup, like this:
>> CE1 --- PE1 --- P1 --- P2 --- PE2 --- CE2
>>                         |              |
>>                         + --- PE3 --- CE3
>>
>> So the customer's site is multihomed via PE2 and PE3 and has an internal
>> connection between CE2 and CE3
>>
>> With 7301 Traceroute from CE1 used to show the IP of PE2 or PE3
>> (egress interface from the vrf), after the upgrade to ASRs - all we
>> can see is PE1's IP and then straight CE2/CE3, but since customer
>> drops icmp packets - we can't really see which way it's really going.
>> Is there a way to get an ICMP reply from the egress ASR? I understand
>> it switches the packets out through the interface without actually
>> doing any lookups, but even after forcing 'label-per-vrf' we can't see
>> the last hop.
>> Any ideas if this behaviour can be corrected?
>>
>> kind regards
>> Pshem
>>
>>
>
>


From peter at rathlev.dk Wed Jun 3 04:29:59 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 03 Jun 2009 10:29:59 +0200
Subject: [c-nsp] hung vty on SXH3a?
In-Reply-To: <20090603071609.GY290@greenie.muc.de>
References: <20090603071609.GY290@greenie.muc.de>
Message-ID: <1244017799.3444.41.camel@localhost.localdomain>

On Wed, 2009-06-03 at 09:16 +0200, Gert Doering wrote:
...
> Cisco#who
>     Line       User       Host(s)              Idle       Location
>    1 vty 0                Virtual Exec         00:00:00
> *  2 vty 1     gert       idle                 00:00:00 mgmthost
>
>   Interface    User               Mode         Idle     Peer Address
>
> Cisco#
>
> - "vty 0" looks weird. I can't find a way to recover that vty, that is
> "clear line 1" or "clear line vty 0" don't change anything. Nor is there
> a TCB assigned to it ("show tcp vty 1" shows my telnet connection, but
> "show tcb vty 0" doesn't display anything).

I've seen this on a 3560 when I tried running an exec command needing user input via TFTP uploaded configuration. (Specifically I tried to do a "do delete flash:/something" as a test.)

The session never recovered and only a hard reset (power off) could fix it. The "reload" command didn't work. It was accepted, but nothing happened. Needless to say, I just went on with my life and ignored this. :-)

No strange commands were present in the "new_config.txt" copied over?

Regards,
Peter


From gert at greenie.muc.de Wed Jun 3 04:47:53 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 3 Jun 2009 10:47:53 +0200
Subject: [c-nsp] hung vty on SXH3a?
In-Reply-To: <1244017799.3444.41.camel@localhost.localdomain>
References: <20090603071609.GY290@greenie.muc.de>
	<1244017799.3444.41.camel@localhost.localdomain>
Message-ID: <20090603084753.GZ290@greenie.muc.de>

Hi,

On Wed, Jun 03, 2009 at 10:29:59AM +0200, Peter Rathlev wrote:
> > - "vty 0" looks weird. I can't find a way to recover that vty, that is
> > "clear line 1" or "clear line vty 0" don't change anything. Nor is there
> > a TCB assigned to it ("show tcp vty 1" shows my telnet connection, but
> > "show tcb vty 0" doesn't display anything).
>
> I've seen this on a 3560 when I tried running an exec command needing
> user input via TFTP uploaded configuration. (Specifically I tried to do
> a "do delete flash:/something" as a test.)

Mmmh. I'm not sure what my colleagues tried - I just found the box in this state...

> The session never recovered and only a hard reset (power off) could fix
> it. The "reload" command didn't work. It was accepted, but nothing
> happened. Needless to say, I just went on with my life and ignored
> this. :-)

Now *that* is scary. Sounds like something really got stuck on your box.

Well. Time to reload, and upgrade to SXI...

> No strange commands were present in the "new_config.txt" copied over?

It wasn't *my* new_config.txt, otherwise all the other SXH3a boxes would be in the same funny state now as well (and they aren't). Just two of them...

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


From Kris.Amy at EIP.net.au Wed Jun 3 04:59:35 2009
From: Kris.Amy at EIP.net.au (Kris Amy)
Date: Wed, 3 Jun 2009 18:59:35 +1000
Subject: [c-nsp] hung vty on SXH3a?
In-Reply-To: <20090603084753.GZ290@greenie.muc.de>
Message-ID:

Hi,

I have something similar on a 7200 running 12.3(24a).

    Line       User       Host(s)              Idle       Location
   2 vty 0                idle                 14w6d    A.B.C.D

I just haven't got around to reloading the router as this seems the only way to clear the vty.

Cheers,
Kris

On 3/06/09 6:47 PM, "Gert Doering" wrote:

Hi,

On Wed, Jun 03, 2009 at 10:29:59AM +0200, Peter Rathlev wrote:
> > - "vty 0" looks weird. I can't find a way to recover that vty, that is
> > "clear line 1" or "clear line vty 0" don't change anything. Nor is there
> > a TCB assigned to it ("show tcp vty 1" shows my telnet connection, but
> > "show tcb vty 0" doesn't display anything).
>
> I've seen this on a 3560 when I tried running an exec command needing
> user input via TFTP uploaded configuration. (Specifically I tried to do
> a "do delete flash:/something" as a test.)

Mmmh. I'm not sure what my colleagues tried - I just found the box in this state...

> The session never recovered and only a hard reset (power off) could fix
> it. The "reload" command didn't work. It was accepted, but nothing
> happened. Needless to say, I just went on with my life and ignored
> this. :-)

Now *that* is scary. Sounds like something really got stuck on your box.

Well. Time to reload, and upgrade to SXI...

> No strange commands were present in the "new_config.txt" copied over?

It wasn't *my* new_config.txt, otherwise all the other SXH3a boxes would be in the same funny state now as well (and they aren't). Just two of them...

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

--
Kind Regards,
Kris Amy
Enterprise IP
Phone: 07 3123 5510
National: 1300 347 287
Fax: 1300 347 329
Direct: 07 3123 5511
Email: kris.amy at eip.net.au


From achatz at forthnet.gr Wed Jun 3 08:14:58 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 03 Jun 2009 15:14:58 +0300
Subject: [c-nsp] Ingress policing on a 3560
In-Reply-To:
References: <63266.172.25.144.4.1243823930.squirrel@imap.snnap.net>
Message-ID: <4A266942.1030708@forthnet.gr>

Yep, that is a known way for matching ALL "by-default untrusted" traffic.

--
Tassos

Ziv Leyes wrote on 02/06/2009 15:43:
> I'm applying the same thing you need, using dscp instead of mac for "all traffic", and it's working well; here's a sample:
>
> class-map match-all ALL-TRAFFIC
>  match ip dscp 0
> !
> policy-map 7-MEGA
>  class ALL-TRAFFIC
>   police 7168000 1344000 exceed-action drop
>
> !
> interface FastEthernet0/1
>  description 7 Megabit rated interface sample
>  service-policy input 7-MEGA
> !
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Storey
> Sent: Monday, June 01, 2009 5:39 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Ingress policing on a 3560
>
> Hi all.
>
> What I'm trying to do is police ingress on a port, using a MAC ACL to
> match traffic to police (just a "permit any any" to match all traffic).
>
> But what I'm getting is that the switch doesn't appear to be matching any
> traffic at all.
>
> sw2#sh int gi0/14 | inc put rate
>   30 second input rate 20449000 bits/sec, 1688 packets/sec
>   30 second output rate 2620000 bits/sec, 1690 packets/sec
> sw2#sh policy-map int gi0/14
>  GigabitEthernet0/14
>
>   Service-policy input: police-10mbit-in
>
>     Class-map: mac-any-any (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0 bps, drop rate 0 bps
>       Match: access-group name mac-any-any
>         0 packets, 0 bytes
>         30 second rate 0 bps
>
>     Class-map: class-default (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0 bps, drop rate 0 bps
>       Match: any
>         0 packets, 0 bytes
>         30 second rate 0 bps
>
> Does anyone have any pointers as to what I'm doing wrong? Below is my config.
>
> mac access-list extended mac-any-any
>  permit any any
> !
> class-map match-any mac-any-any
>  match access-group name mac-any-any
> !
> policy-map police-10mbit-in
>  class mac-any-any
>   police 10000000 1000000 exceed-action drop
> !
> interface GigabitEthernet0/14
>  service-policy input police-10mbit-in
> !
>
> I've also tried with just class-default, but got the same result.
>
> I am currently using the "vlan" SDM profile, if that makes any difference.
>
> Cheers,
> Tom
>


From ip at ioshints.info Wed Jun 3 08:23:17 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 3 Jun 2009 14:23:17 +0200
Subject: [c-nsp] ICMP replay from egress PE
In-Reply-To: <20fe625b0906021926x3e0065aficf005b0a86f3e0c4@mail.gmail.com>
References: <20fe625b0906021926x3e0065aficf005b0a86f3e0c4@mail.gmail.com>
Message-ID: <000d01c9e446$14212550$0a00000a@nil.si>

The only reason I could see for this behavior is the per-platform specific IP packet processing on the egress PE router. Obviously the difference between the 7300 and the ASR is the exact moment at which the TTL is decremented in the switching path.

Based on your description, the ASR decrements TTL before the LFIB lookup is performed and thus decrements the label TTL, whereas the 7301 decrements TTL after the LFIB lookup causes the VPN label to be popped, exposing the IP packet, and thus decrements the IP TTL.

I am not sure you can get what you used to have with the ASRs. You could still, though, ping the PE2/PE3 in-VRF IP address from CE1 to verify that the PE-CE links are up (and I'm positive you know all this), but obviously cannot perform end-to-end path verification if CE2/CE3 block traceroute probes.

How about inspecting the VRF routing table on PE1? Do you have access to it?

Interesting behavior, thanks for sharing it!

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Pshem Kowalczyk [mailto:pshem.k at gmail.com]
> Sent: Wednesday, June 03, 2009 4:27 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ICMP replay from egress PE
>
> Hi,
>
> Recently we've upgraded some of our 7301 to ASR (1004).
> Config remained pretty much the same (from L3VPNs
> perspective), but it looks like the behaviour of both
> platforms is somewhat different. I'm not sure if it's a
> feature or a bug yet.
>
> We have a typical setup, like this:
> CE1 --- PE1 --- P1 --- P2 --- PE2 --- CE2
>                         |              |
>                         + --- PE3 --- CE3
>
> So the customer's site is multihomed via PE2 and PE3 and has an
> internal connection between CE2 and CE3
>
> With 7301 Traceroute from CE1 used to show the IP of PE2 or
> PE3 (egress interface from the vrf), after the upgrade to
> ASRs - all we can see is PE1's IP and then straight CE2/CE3,
> but since customer drops icmp packets - we can't really see
> which way it's really going.
> Is there a way to get an ICMP reply from the egress ASR? I
> understand it switches the packets out through the interface
> without actually doing any lookups, but even after forcing
> 'label-per-vrf' we can't see the last hop.
> Any ideas if this behaviour can be corrected?
>
> kind regards
> Pshem
>


From panocisco77 at gmail.com Wed Jun 3 09:45:14 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Wed, 3 Jun 2009 09:45:14 -0400
Subject: [c-nsp] IPV6 implementation
Message-ID: <16e2ac180906030645h715b1de4y20faa49070410d49@mail.gmail.com>

I am getting ready to start running IPv6 on my core routers. I have a couple of questions for the people who already have IPv6 running:

1. Should I let computers determine their own IPv6 addresses?

2. Should I procure an IPv6 DHCP appliance?

or

3. Should I configure my router to act as the IPv6 DHCP server?

Renelson


From jcposeidon at cantv.net Wed Jun 3 09:52:01 2009
From: jcposeidon at cantv.net (Juan C. Crespo R.)
Date: Wed, 03 Jun 2009 09:22:01 -0430
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
Message-ID: <4A268001.8030101@cantv.net>

Guys

I have one POP with 90% CPU load (WCCP2, QoS and other minor stuff) and we are thinking about changing the IO/7200-2FE for an IO/7200-GE. Could this help with this load?

Thanks


From rick at woofpaws.com Wed Jun 3 10:15:41 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Wed, 3 Jun 2009 07:15:41 -0700 (PDT)
Subject: [c-nsp] Revisiting ethernet bandwidth management
In-Reply-To: <14260C2D-D4D0-41C9-A506-120AFA1B52A4@arbor.net>
References: <58184.172.16.5.57.1244004847.squirrel@www.woofpaws.com>
	<14260C2D-D4D0-41C9-A506-120AFA1B52A4@arbor.net>
Message-ID: <44037.69.30.17.85.1244038541.squirrel@www.woofpaws.com>

Any specific ASIC-based switch in mind? What I've found (so far) with QoS is that it's generally ingress-only or prioritization/congestion-management rather than bandwidth control. I'm quite willing to be corrected, though. :)

Rick

On Tue, June 2, 2009 22:37, Roland Dobbins wrote:
>
> On Jun 3, 2009, at 11:54 AM, Rick Ernst wrote:
>
>> Am I missing a feature/device/configuration that is obvious to
>> somebody
>> else, or.... ?
>
> Have you considered going with ASIC-based switches and making use of the
> QoS functionality, so you aren't CPU-bound?
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
>        Unfortunately, inefficiency scales really well.
>
>                    -- Kevin Lawton
>


From pdavis at i2k.com Wed Jun 3 10:21:20 2009
From: pdavis at i2k.com (Phil Davis)
Date: Wed, 03 Jun 2009 10:21:20 -0400
Subject: [c-nsp] PA-A3-T3 FEBE and LOS
In-Reply-To: <4A2572DD.3000506@i2k.com>
References: <4A2572DD.3000506@i2k.com>
Message-ID: <4A2686E0.9080207@i2k.com>

Phil Davis wrote:
> Hello,
>
> I have an ATM DS3 coming through a PA-A3-T3. The last few days it
> would abruptly go down for 5-10 minutes, perhaps every 12 hours on
> average. During these times, the interface would show rapidly growing
> carrier signal loss (about 10-20/sec.) I also saw incrementing FEBE
> errors.
> However, neither the provider, nor a third-party transport
> provider was detecting LOS on the line...

Just wanted to add to this. Overnight we saw the same issue with the replacement card, so I don't think it's our equipment. I now have some statistics that show the carrier transition/febe errors. I'm at a loss to fully interpret the sh controllers atm command. What is the first column on PLPC errors?

Would appreciate any help I could get on this.

Thanks!
Phil

sh int ATM1/0:

ATM1/0 is up, line protocol is up
  Hardware is ENHANCED ATM PA
  MTU 4470 bytes, sub MTU 4470, BW 40704 Kbit, DLY 190 usec,
     reliability 255/255, txload 204/255, rxload 29/255
  Encapsulation ATM, loopback not set
  Encapsulation(s): AAL5
  4095 maximum active VCs, 32 current VCCs
  VC Auto Creation Disabled.
  VC idle disconnect time: 300 seconds
  74 carrier transitions
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 22:12:59
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4673
  Queueing strategy: Per VC Queueing
  5 minute input rate 4695000 bits/sec, 2630 packets/sec
  5 minute output rate 32647000 bits/sec, 3750 packets/sec
     132076194 packets input, 900144269 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     38 input errors, 38 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     174968028 packets output, 1377286139 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

I do see some CRC errors now, which I did not see previously. That may be from insertion.

sh controller atm 1/0:

Interface ATM1/0 is up
Hardware is ENHANCED ATM PA - DS3 (45000Kbps)
Framer is PMC PM7345 S/UNI-PDH, SAR is LSI ATMIZER II
Firmware rev: G153, Framer rev: 1, ATMIZER II rev: 3
  idb=0x63A1F0D4, ds=0x63A491E0, vc=0x63A572E0
  slot 1, unit 1, subunit 0, fci_type 0x005B, ticks 79887
  1200 rx buffers: size=512, encap=64, trailer=28, magic=4
Curr Stats:
  VCC count: current=32, peak=32
  AAL2 VCC count: 0
  AAL2 TX no buffer count: 0
  AAL2 RX no buffer count: 0
  SAR crashes: Rx SAR=0, Tx SAR=0
  rx_cell_lost=0, rx_no_buffer=0, rx_crc_10=0, rx_no_mem=0
  rx_cell_len=0, rx_no_vcd=34410, rx_cell_throttle=0, tx_aci_err=0
Rx Free Ring status:
  base=0x3CA7C040, size=2048, write=400
Rx Compl Ring status:
  base=0x7E4DB7E0, size=2048, read=1662
Tx Ring status:
  base=0x3CF13A40, size=8192, write=312
Tx Compl Ring status:
  base=0x0E1B3840, size=4096, read=156
BFD Cache status:
  base=0x65F45940, size=6144, read=6143
Rx Cache status:
  base=0x64458360, size=16, write=14
Tx Shadow status:
  base=0x66691E60, size=8192, read=303, write=312
Control data:
  rx_max_spins=42, max_tx_count=144, tx_count=9
  rx_threshold=800, rx_count=14, tx_threshold=4608
  tx bfd write indx=0x10DF, rx_pool_info=0x63A208C0
Control data base address:
  rx_buf_base = 0x0E3A6C80      rx_p_base = 0x66802E80
  rx_pak = 0x639727DC           cmd = 0x64752080
  framer = 0x60479798           framer_cb = 0x6474FB80
  framer_base = 0x3C900000      pci_pa_stats = 0x7E391900
  device_base[0] = 0x3C800000   device_base[1] = 0x3CC00000
  ssram_base[0] = 0x3CA00000    ssram_base[1] = 0x3CE00000
  sdram_base[0] = 0x3CB00000    sdram_base[1] = 0x3CF00000
  pa_cmd_buf[0] = 0x3CA7FC00    pa_cmd_buf[1] = 0x3CE7FC00
  vcd_base[0] = 0x3CA00000      vcd_base[1] = 0x3CE18000
  chip_dump[0] = 0x0E39192C     chip_dump[1] = 0x0E391A2C
  sar_buf_base[0] = 0x3CB24000  sar_buf_base[1] = 0x3CF1C000
  bfd_base[0] = 0x3CA64000      bfd_base[1] = 0x3CE00000
  acd_base[0] = 0x3CA22080      acd_base[1] = 0x3CE38240
Framer Information:
  Framing mode: DS3 C-bit PLCP
  No alarm detected
  Facility statistics: current interval elapsed 687 seconds

        lcv    fbe    ezd    pe     ppe    febe     hcse
  ----------------------------------------------------------------------
  21    2      0      1      1      1      0        0
  25    2      0      1      0      0      0        0
  33    0      0      0      0      0      865055   0
  34    0      0      0      0      0      5002913  0
  38    0      0      0      0      0      7526033  0
  39    0      0      0      0      0      3415647  0
  40    0      0      0      0      0      1498637  0
  42    0      0      0      0      0      217324   0
  44    0      0      0      0      0      2972255  0
  68    2      0      1      0      0      0        0
  78    1      0      1      1      1      0        0

  PLCP Errors:
        bipe   fbe    febe
  -----------------------------
  21    1      0      0
  25    2      0      0
  33    0      0      65655
  34    0      0      272680
  38    0      0      1744705
  39    0      0      2043937
  40    0      0      957544
  42    0      0      21423
  44    0      0      866414
  68    1      0      0
  78    1      0      0

  lcv:  Line Code Violation
  fbe:  Framing Bit Error
  ezd:  Summed Excessive Zeros
  pe:   Parity Error
  ppe:  Path Parity Error
  febe: Far-end Block Error
  hcse: Rx Cell HCS Error
  bipe: Bit Interleave Parity (B1) Error


From gert at greenie.muc.de Wed Jun 3 10:34:15 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 3 Jun 2009 16:34:15 +0200
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <4A268001.8030101@cantv.net>
References: <4A268001.8030101@cantv.net>
Message-ID: <20090603143415.GC290@greenie.muc.de>

Hi,

On Wed, Jun 03, 2009 at 09:22:01AM -0430, Juan C. Crespo R. wrote:
> I have one POP with 90% CPU load (WCCP2, QoS and other minor
> stuff) and we are thinking about changing the IO/7200-2FE for an
> IO/7200-GE. Could this help with this load?

No. This is a CPU-based platform - the only way to reduce the CPU load is to get a faster CPU or turn off features.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From trejrco at gmail.com Wed Jun 3 10:27:58 2009
From: trejrco at gmail.com (TJ)
Date: Wed, 3 Jun 2009 10:27:58 -0400
Subject: [c-nsp] IPV6 implementation
In-Reply-To: <16e2ac180906030645h715b1de4y20faa49070410d49@mail.gmail.com>
References: <16e2ac180906030645h715b1de4y20faa49070410d49@mail.gmail.com>
Message-ID: <005a01c9e457$a7456380$f5d02a80$@com>

Short answer - it depends.

Quick thoughts:

1) SLAAC can suffice, assuming IPv4 is present to "cheat" off of for DNS/name resolution. Or if/when RFC5006 gets more widely supported.

2) Maybe, see next comment :).

3) DHCPv6 client and server support is not exactly 100% available on all platforms, at least not natively (3rd party apps exist, e.g. Dibbler). Many routers currently support stateless DHCPv6 server functionality only ... not stateful.

HTH!
/TJ

>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>bounces at puck.nether.net] On Behalf Of Renelson Panosky
>Sent: Wednesday, June 03, 2009 9:45 AM
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] IPV6 implementation
>
>I am getting ready to start running IPv6 on my core routers. I have a couple
>of questions for the people who already have IPv6 running:
>
>1. Should I let computers determine their own IPv6 addresses?
>
>2. Should I procure an IPv6 DHCP appliance?
>
>or
>
>3. Should I configure my router to act as the IPv6 DHCP server?
>
>
>
>Renelson


From dgranzer at gmail.com Wed Jun 3 10:49:01 2009
From: dgranzer at gmail.com (David Granzer)
Date: Wed, 3 Jun 2009 16:49:01 +0200
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <4A268001.8030101@cantv.net>
References: <4A268001.8030101@cantv.net>
Message-ID: <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com>

Hi,

could you post how much bandwidth and how many packets per second your 7200 handles? Generally an upgrade to I/O GE will not help much because the performance is based on the NPE used.

regards,
David

On Wed, Jun 3, 2009 at 3:52 PM, Juan C. Crespo R. wrote:
> Guys
>
>   I have one POP with 90% CPU load (WCCP2, QoS and other minor stuff)
> and we are thinking about changing the IO/7200-2FE for an IO/7200-GE. Could
> this help with this load?
>
> Thanks
>


From jcposeidon at cantv.net Wed Jun 3 11:01:10 2009
From: jcposeidon at cantv.net (Juan C. Crespo R.)
Date: Wed, 03 Jun 2009 10:31:10 -0430
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com>
References: <4A268001.8030101@cantv.net>
	<844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com>
Message-ID: <4A269036.3080507@cantv.net>

It has

int fa0/0
  30 second input rate 30616000 bits/sec, 13300 packets/sec
  30 second output rate 47680000 bits/sec, 12178 packets/sec

int fa 0/1
  30 second input rate 27478000 bits/sec, 4672 packets/sec
  30 second output rate 19071000 bits/sec, 3774 packets/sec

int ser4/0 (ds3 link)
  30 second input rate 43264000 bits/sec, 11862 packets/sec
  30 second output rate 28832000 bits/sec, 13590 packets/sec

59376 Total

Thanks

David Granzer wrote:
> Hi,
>
> could you post how much bandwidth and how many packets per second your 7200 handles?
> Generally an upgrade to I/O GE will not
> help much because the performance is based on the NPE used.
>
> regards,
> David
>
>
> On Wed, Jun 3, 2009 at 3:52 PM, Juan C. Crespo R.
> wrote:
>
>> Guys
>>
>> I have one POP with 90% CPU load (WCCP2, QoS and other minor stuff)
>> and we are thinking about changing the IO/7200-2FE for an IO/7200-GE. Could
>> this help with this load?
>>
>> Thanks
>>
>
>


From lists at quux.de Wed Jun 3 11:09:11 2009
From: lists at quux.de (Jens Link)
Date: Wed, 03 Jun 2009 17:09:11 +0200
Subject: [c-nsp] IPV6 implementation
In-Reply-To: <16e2ac180906030645h715b1de4y20faa49070410d49@mail.gmail.com> (Renelson Panosky's message of "Wed\, 3 Jun 2009 09\:45\:14 -0400")
References: <16e2ac180906030645h715b1de4y20faa49070410d49@mail.gmail.com>
Message-ID: <87oct5z754.fsf@laphroiag.quux.de>

Renelson Panosky writes:

> I am getting ready to start running IPv6 on my core routers. I have a couple
> of questions for the people who already have IPv6 running:
>
> 1. Should I let computers determine their own IPv6 addresses?

Yes and no. For end user computers I would use SLAAC (or maybe DHCPv6); for servers, printers, ... static addresses.

> 2. Should I procure an IPv6 DHCP appliance?
>
> or
>
> 3. Should I configure my router to act as the IPv6 DHCP server?

Well, that depends on how big your network is and if you have one group managing DHCP and the other managing the routers. A *NIX (or Windows) server will work just fine; it's more transparent, easier to troubleshoot and you probably get security updates faster.

cheers

Jens
--
-------------------------------------------------------------------------
| Foelderichstr.
40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jenslink at guug.de | ------------------------------------------------------------------------- From masood at nexlinx.net.pk Wed Jun 3 12:24:15 2009 From: masood at nexlinx.net.pk (masood at nexlinx.net.pk) Date: Wed, 3 Jun 2009 21:24:15 +0500 (PKT) Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load? In-Reply-To: <4A269036.3080507@cantv.net> References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> Message-ID: <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> cisco 7200 is a software based router so that every packet is punted to the NPE. You need to replace your NPE instead of PIC. which cisco 7200 series network processing engine you are running? what you get when do "show version" on this router? By using 'show processes cpu sorted 1min' you can check which process is eating NPE cpu cycles. Regards, Masood > It have > > int fa0/0 > 30 second input rate 30616000 bits/sec, 13300 packets/sec > 30 second output rate 47680000 bits/sec, 12178 packets/sec > > int fa 0/1 > 30 second input rate 27478000 bits/sec, 4672 packets/sec > 30 second output rate 19071000 bits/sec, 3774 packets/sec > > int ser4/0 (ds3 link) > 30 second input rate 43264000 bits/sec, 11862 packets/sec > 30 second output rate 28832000 bits/sec, 13590 packets/sec > > 59376 Total > > Thanks > > David Granzer escribi?: >> Hi, >> >> could you post how much bandwidth and packet per second your 7200 ? >> Generally upgrade to I/O GE will not >> help much because the performance is based on the NPE used. >> >> regards, >> David >> >> >> On Wed, Jun 3, 2009 at 3:52 PM, Juan C. Crespo R. 
>> wrote:
>>
>>> Guys
>>>
>>> I have one POP with 90% of CPU Load (WCCP2, QoS and other minor
>>> stuff)
>>> and we are thinking about change the IO/7200-2FE by one IO/7200-GE
>>> could
>>> this help with this load?
>>>
>>> Thanks
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From jcposeidon at cantv.net Wed Jun 3 11:26:05 2009
From: jcposeidon at cantv.net (Juan C. Crespo R.)
Date: Wed, 03 Jun 2009 10:56:05 -0430
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <4A26960D.8070206@cantv.net>

NPE 400

CPU utilization for five seconds: 76%/75%; one minute: 74%; five minutes: 75%
PID Runtime(ms)   Invoked  uSecs  5Sec  1Min  5Min TTY Process
 45   210365012  85449013   2461 0.23% 0.19% 0.19%   0 IP Input
118    99161264 248440739    399 0.23% 0.08% 0.06%   0 traffic_shape
 18    19988356  29194664    684 0.00% 0.03% 0.02%   0 ARP Input
  4    49353040   2274191  21701 0.00% 0.03% 0.04%   0 Check heaps
 10    11268080  11331204    994 0.00% 0.02% 0.00%   0 EnvMon
 63     8535512  47262546    180 0.07% 0.01% 0.00%   0 Spanning Tree
 29    19555460    389652  50187 0.00% 0.01% 0.00%   0 Per-minute Jobs
  5     6393048    430645  14845 0.07% 0.00% 0.00%   0 Pool Manager
119    14495556   1901716   7622 0.00% 0.00% 0.00%   0 MFI LFD Timer Pr
 59     5397356   1127172   4788 0.00% 0.00% 0.00%   0 WCCP V2 Protocol
 11           0         1      0 0.00% 0.00% 0.00%   0 OIR Handler
 12        7912    190100     41 0.00% 0.00% 0.00%   0 IPC Dynamic Cach
 13           0         1      0 0.00% 0.00% 0.00%   0 IPC Zone Manager
 14     1344312  11329870    118 0.00% 0.00% 0.00%   0 IPC Periodic Tim
 15     1196200  11329850    105 0.00% 0.00% 0.00%   0 IPC Deferred Por
 16           0         1      0 0.00% 0.00% 0.00%   0 IPC Seat Manager
 17       44772   1140352     39 0.00% 0.00% 0.00%   0 Compute SRP rate
  9           0         1      0 0.00% 0.00% 0.00%   0 Policy Manager
 19           0        28      0 0.00% 0.00% 0.00%   0 DDR Timers
 20           0         2      0 0.00% 0.00% 0.00%   0 Dialer event
 21           0         2      0 0.00% 0.00% 0.00%   0 Entity MIB API
 22           0         1      0 0.00% 0.00% 0.00%   0 SERIAL A'detect
 23      770388   2845739    270 0.00% 0.00% 0.00%   0 HC Counter Timer
 24        5264        22 239272 0.00% 0.00% 0.00%   0 Critical Bkgnd
 25     3963452   4658455    850 0.00% 0.00% 0.00%   0 Net Background
 26        6188      3016   2051 0.00% 0.00% 0.00%   0 Logger
 27     2206724  11329804    194 0.00% 0.00% 0.00%   0 TTY Background
 28    65577956  11340517   5782 0.00% 0.00% 0.00%   0 Per-Second Jobs
  8      144284   2275716     63 0.00% 0.00% 0.00%   0 ALARM_TRIGGER_SC
  7           0         2      0 0.00% 0.00% 0.00%   0 Serial Backgroun
 31           0         1      0 0.00% 0.00% 0.00%   0 CSP Timer
  6           0         2      0 0.00% 0.00% 0.00%   0 Timers
 33           0         2      0 0.00% 0.00% 0.00%   0 Hawkeye Backgrou
 34           0         1      0 0.00% 0.00% 0.00%   0 SONET alarm time
  3     3297860   3024757   1090 0.00% 0.00% 0.00%   0 OSPF Hello
 36           0         2      0 0.00% 0.00% 0.00%   0 VNM DSPRM MAIN
 37           0         1      0 0.00% 0.00% 0.00%   0 CES Line Conditi
 38           0         2      0 0.00% 0.00% 0.00%   0 Flash MIB Update
 39           0         2      0 0.00% 0.00% 0.00%   0 ATM OAM Input
 40           0         2      0 0.00% 0.00% 0.00%   0 ATM OAM TIMER
 41           8        86     93 0.00% 0.00% 0.00%   0 TurboACL
 42           0         2      0 0.00% 0.00% 0.00%   0 CEF switching ba
 43           0         1      0 0.00% 0.00% 0.00%   0 AC Switch
 44           0         2      0 0.00% 0.00% 0.00%   0 AAA Dictionary R
  2      635356   2279979    278 0.00% 0.00% 0.00%   0 Load Meter
 46           0         1      0 0.00% 0.00% 0.00%   0 ICMP event handl
 47     1608916   1520006   1058 0.00% 0.00% 0.00%   0 CDP Protocol
 48     1785752   1202253   1485 0.00% 0.00% 0.00%   0 LDP
 49          16       175     91 0.00% 0.00% 0.00%   0 OLM
 50           0         1      0 0.00% 0.00% 0.00%   0 PPPATM Session d
 51           0         2      0 0.00% 0.00% 0.00%   0 PASVC create VA
 52        9512      1676   5675 0.00% 0.00% 0.00%   0 EEM ED Syslog
 53           0         2      0 0.00% 0.00% 0.00%   0 EEM ED SNMP
 54           0         2      0 0.00% 0.00% 0.00%   0 EEM ED Memory Th
 55       23596    202778    116 0.00% 0.00% 0.00%   0 EEM ED Timer
 56           0         2      0 0.00% 0.00% 0.00%   0 EEM ED Counter
 57           0         2      0 0.00% 0.00% 0.00%   0 EEM ED Interface
 58           0         3      0 0.00% 0.00% 0.00%   0 EEM ED IOSWD
 30           0         1      0 0.00% 0.00% 0.00%   0 Inode Table Dest
 32           0         2      0 0.00% 0.00% 0.00%   0 CES Timer
 61           0         1      0 0.00% 0.00% 0.00%   0 MPLS Auto-Tunnel
 62           0         1      0 0.00% 0.00% 0.00%   0 O-UNI Client Msg
 35           0         1      0 0.00% 0.00% 0.00%   0 POS APS Event Pr
 64           0         1      0 0.00% 0.00% 0.00%   0 AC Mgr
 65           0         1      0 0.00% 0.00% 0.00%   0 SSS Manager
 66           0         2      0 0.00% 0.00% 0.00%   0 SSM connection m
 67           0         1      0 0.00% 0.00% 0.00%   0 PPP IP Add Route
 68       90640    189720    477 0.00% 0.00% 0.00%   0 CEF background
 69           0         1      0 0.00% 0.00% 0.00%   0 IP IRDP
  1           0         2      0 0.00% 0.00% 0.00%   0 Chunk Manager
 71     2091684    355745   5879 0.00% 0.00% 0.00%   0 IP Background
 72     2340232    344710   6788 0.00% 0.00% 0.00%   0 IP RIB Update
 73    69186296  16952818   4081 0.00% 0.00% 0.00%   0 CEF: IPv4 proces
 74          24       122    196 0.00% 0.00% 0.00%   0 ADJ background
 75           0         1      0 0.00% 0.00% 0.00%   0 L2X Data Daemon
 76           0         1      0 0.00% 0.00% 0.00%   0 HTTP Timer
 77      646408    693913    931 0.00% 0.00% 0.00%   0 TCP Timer
 78         800       219   3652 0.00% 0.00% 0.00%   0 TCP Protocols
 79           0         1      0 0.00% 0.00% 0.00%   0 Probe Input
 80           0         1      0 0.00% 0.00% 0.00%   0 RARP Input
 81           0         1      0 0.00% 0.00% 0.00%   0 Socket Timers
 82           0         2      0 0.00% 0.00% 0.00%   0 LSP Tunnels
 83           0         1      0 0.00% 0.00% 0.00%   0 COPS
 84           0         1      0 0.00% 0.00% 0.00%   0 X.25 Encaps Mana
 85           0         1      0 0.00% 0.00% 0.00%   0 PAD InCall
 86           0         2      0 0.00% 0.00% 0.00%   0 X.25 Background
 87          88       375    234 0.00% 0.00% 0.00%   0 AToM manager
 88           0         5      0 0.00% 0.00% 0.00%   0 AToM LDP manager
 89       79992    190099    420 0.00% 0.00% 0.00%   0 LDP Background
 90           0         1      0 0.00% 0.00% 0.00%   0 L2X Socket proce
 91           0         1      0 0.00% 0.00% 0.00%   0 L2X SSS manager
 92           0         1      0 0.00% 0.00% 0.00%   0 L2TP mgmt daemon
 93          28       204    137 0.00% 0.00% 0.00%   0 TCP Listener
 94           4         1   4000 0.00% 0.00% 0.00%   0 TSP
 95           0         1      0 0.00% 0.00% 0.00%   0 VOIP RTP Udp Inp
 96           0         1      0 0.00% 0.00% 0.00%   0 QOS_MODULE_MAIN
 97           0         1      0 0.00% 0.00% 0.00%   0 CCVPM_HTSP
 98           0         1      0 0.00% 0.00% 0.00%   0 CCVPM_R2
 99           0         1      0 0.00% 0.00% 0.00%   0 CCSWVOICE
100       43864   1140167     38 0.00% 0.00% 0.00%   0 RMON Recycle Pro
101           0         2      0 0.00% 0.00% 0.00%   0 RMON Deferred Se
102           0         1      0 0.00% 0.00% 0.00%   0 SYSMGT Events
103     1016848  11311292     89 0.00% 0.00% 0.00%   0 cerf_daemon_proc
104           0         1      0 0.00% 0.00% 0.00%   0 SONET Traps
105      640712   2278427    281 0.00% 0.00% 0.00%   0 EEM Server
106           0         1      0 0.00% 0.00% 0.00%   0 Syslog Traps
107           0         1      0 0.00% 0.00% 0.00%   0 DATA Transfer Pr
108           0         1      0 0.00% 0.00% 0.00%   0 DATA Collector
109           0         1      0 0.00% 0.00% 0.00%   0 RMON Packets
110           0         2      0 0.00% 0.00% 0.00%   0 EEM Policy Direc
111     1019748  11311275     90 0.00% 0.00% 0.00%   0 trunk conditioni
112           0         1      0 0.00% 0.00% 0.00%   0 trunk conditioni
113      503088   3349106    150 0.00% 0.00% 0.00%   0 Net Input
114     2325524   2279676   1020 0.00% 0.00% 0.00%   0 Compute load avg
115       83736    766853    109 0.00% 0.00% 0.00%   0 LSP Tunnel Head
116           0         2      0 0.00% 0.00% 0.00%   0 LSDp Input Proc
117     1288824   2405686    535 0.00% 0.00% 0.00%   0 LSD Main Proc
 60           0         1      0 0.00% 0.00% 0.00%   0 LSP Tunnel FRR
 70           0         3      0 0.00% 0.00% 0.00%   0 SNMP Timers
120           0         2      0 0.00% 0.00% 0.00%   0 MFI LFD Main Pro
121     2593264  11627651    223 0.00% 0.00% 0.00%   0 NTP
122     6873376   1817623   3781 0.00% 0.00% 0.00%   0 Tag Control
123       21808    190119    114 0.00% 0.00% 0.00%   0 IPRM
124           0         2      0 0.00% 0.00% 0.00%   0 IP Flow Backgrou
125     4970232   4644514   1070 0.00% 0.00% 0.00%   0 OSPF Hello
126     4203656   2503602   1679 0.00% 0.00% 0.00%   0 IP SNMP
127      457588   1255865    364 0.00% 0.00% 0.00%   0 PDU DISPATCHER
128     5118352   1257172   4071 0.00% 0.00% 0.00%   0 SNMP ENGINE
129           0         1      0 0.00% 0.00% 0.00%   0 SNMP ConfCopyPro
130           0         1      0 0.00% 0.00% 0.00%   0 SNMP Traps
131       28584    190100    150 0.00% 0.00% 0.00%   0 Time Range Proce
132           0         1      0 0.00% 0.00% 0.00%   0 xcpa-driver
133        1208       274   4408 0.00% 0.00% 0.00%   0 Tagcon Addr
134     4599240  11781205    390 0.00% 0.00% 0.00%   0 OSPF Router 1
135     1168632  11563127    101 0.00% 0.00% 0.00%   0 OSPF Router 2
136     7196544   6637085   1084 0.00% 0.00% 0.00%   0 TDP Hello
137        2712      1138   2383 0.00% 0.00% 0.00%   0 RADIUS
139         516       180   2866 0.00% 0.00% 0.00%   0 AAA Accounting
140          60      1542     38 0.00% 0.00% 0.00%   2 Virtual Exec

masood at nexlinx.net.pk wrote:
> cisco 7200 is a software based router so that every packet is punted to
> the NPE. You need to replace your NPE instead of PIC. which cisco 7200
> series network processing engine you are running? what you get when do
> "show version" on this router? By using 'show processes cpu sorted 1min'
> you can check which process is eating NPE cpu cycles.
>
> Regards,
> Masood
>
>> It have
>>
>> int fa0/0
>> 30 second input rate 30616000 bits/sec, 13300 packets/sec
>> 30 second output rate 47680000 bits/sec, 12178 packets/sec
>>
>> int fa 0/1
>> 30 second input rate 27478000 bits/sec, 4672 packets/sec
>> 30 second output rate 19071000 bits/sec, 3774 packets/sec
>>
>> int ser4/0 (ds3 link)
>> 30 second input rate 43264000 bits/sec, 11862 packets/sec
>> 30 second output rate 28832000 bits/sec, 13590 packets/sec
>>
>> 59376 Total
>>
>> Thanks
>>
>> David Granzer wrote:
>>
>>> Hi,
>>>
>>> could you post how much bandwidth and packet per second your 7200 ?
>>> Generally upgrade to I/O GE will not
>>> help much because the performance is based on the NPE used.
>>>
>>> regards,
>>> David
>>>
>>>
>>> On Wed, Jun 3, 2009 at 3:52 PM, Juan C. Crespo R.
>>> wrote:
>>>
>>>> Guys
>>>>
>>>> I have one POP with 90% of CPU Load (WCCP2, QoS and other minor
>>>> stuff)
>>>> and we are thinking about change the IO/7200-2FE by one IO/7200-GE
>>>> could
>>>> this help with this load?
>>>>
>>>> Thanks
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>

From david.freedman at uk.clara.net Wed Jun 3 11:32:08 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 03 Jun 2009 16:32:08 +0100
Subject: [c-nsp] CSCsv21403 (EVC not programmed on ES20 linecard)
Message-ID:

Has anybody come across this and, if so, are there any known workarounds?

I am keen to know under what circumstances an EFP does not get programmed to the card; if anybody has any more information on this, I would be appreciative of it, online or offline.

Regards,

David Freedman

From sethm at rollernet.us Wed Jun 3 11:35:31 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 03 Jun 2009 08:35:31 -0700
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <4A26960D.8070206@cantv.net>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net>
Message-ID: <4A269843.9070300@rollernet.us>

Juan C. Crespo R. wrote:
> NPE 400
>

Upgrade the NPE, turn off features, or reduce the load. You can change to a GE if you don't believe us, but you'll probably find it didn't help anything.

~Seth

From masood at nexlinx.net.pk Wed Jun 3 12:41:52 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Wed, 3 Jun 2009 21:41:52 +0500 (PKT)
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <4A26960D.8070206@cantv.net>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net>
Message-ID: <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk>

The Cisco 7200 NPE-400 is normally for customer premises equipment and DS1/DS3 aggregation. As per Cisco, it performs up to 400 kpps in CEF switching.

You can upgrade to the NPE-G1, which provides performance of up to 1 million packets per second in CEF switching (an increase of up to 250 percent over the Cisco 7200 series NPE-400).

Regards,
Masood

> NPE 400
>
> CPU utilization for five seconds: 76%/75%; one minute: 74%; five
> minutes: 75%
> [...]

From jcposeidon at cantv.net Wed Jun 3 11:40:47 2009
From: jcposeidon at cantv.net (Juan C. Crespo R.)
Date: Wed, 03 Jun 2009 11:10:47 -0430
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net> <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <4A26997F.3030107@cantv.net>

That's great, but could the IO7200GE help with the CPU load? If not, I must wait until I get some budget.

Thanks

masood at nexlinx.net.pk wrote:
> cisco 7200 NPE-400 is normally for customer premise equipment and DS1/DS3
> aggregation. As per cisco performance of up to 400 kpps in cef switching.
> > You can upgrade to NPE-G1 which provides performance of up to 1 million > packets per second in cef switching (an increase of up to 250 percent over > the cisco 7200 series npe 400) > > Regards, > Masood > > >> NPE 400 >> >> CPU utilization for five seconds: 76%/75%; one minute: 74%; five >> minutes: 75% >> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >> 45 210365012 85449013 2461 0.23% 0.19% 0.19% 0 IP Input >> 118 99161264 248440739 399 0.23% 0.08% 0.06% 0 >> traffic_shape >> 18 19988356 29194664 684 0.00% 0.03% 0.02% 0 ARP Input >> 4 49353040 2274191 21701 0.00% 0.03% 0.04% 0 Check heaps >> 10 11268080 11331204 994 0.00% 0.02% 0.00% 0 EnvMon >> 63 8535512 47262546 180 0.07% 0.01% 0.00% 0 Spanning >> Tree >> 29 19555460 389652 50187 0.00% 0.01% 0.00% 0 >> Per-minute Jobs >> 5 6393048 430645 14845 0.07% 0.00% 0.00% 0 Pool >> Manager >> 119 14495556 1901716 7622 0.00% 0.00% 0.00% 0 MFI LFD >> Timer Pr >> 59 5397356 1127172 4788 0.00% 0.00% 0.00% 0 WCCP V2 >> Protocol >> 11 0 1 0 0.00% 0.00% 0.00% 0 OIR Handler >> 12 7912 190100 41 0.00% 0.00% 0.00% 0 IPC >> Dynamic Cach >> 13 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone >> Manager >> 14 1344312 11329870 118 0.00% 0.00% 0.00% 0 IPC >> Periodic Tim >> 15 1196200 11329850 105 0.00% 0.00% 0.00% 0 IPC >> Deferred Por >> 16 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat >> Manager >> 17 44772 1140352 39 0.00% 0.00% 0.00% 0 Compute >> SRP rate >> 9 0 1 0 0.00% 0.00% 0.00% 0 Policy >> Manager >> 19 0 28 0 0.00% 0.00% 0.00% 0 DDR Timers >> 20 0 2 0 0.00% 0.00% 0.00% 0 Dialer >> event >> 21 0 2 0 0.00% 0.00% 0.00% 0 Entity >> MIB API >> 22 0 1 0 0.00% 0.00% 0.00% 0 SERIAL >> A'detect >> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >> 23 770388 2845739 270 0.00% 0.00% 0.00% 0 HC >> Counter Timer >> 24 5264 22 239272 0.00% 0.00% 0.00% 0 Critical >> Bkgnd >> 25 3963452 4658455 850 0.00% 0.00% 0.00% 0 Net >> Background >> 26 6188 3016 2051 0.00% 0.00% 0.00% 0 Logger >> 27 2206724 11329804 194 0.00% 0.00% 0.00% 0 TTY >> 
Background >> 28 65577956 11340517 5782 0.00% 0.00% 0.00% 0 >> Per-Second Jobs >> 8 144284 2275716 63 0.00% 0.00% 0.00% 0 >> ALARM_TRIGGER_SC >> 7 0 2 0 0.00% 0.00% 0.00% 0 Serial >> Backgroun >> 31 0 1 0 0.00% 0.00% 0.00% 0 CSP Timer >> 6 0 2 0 0.00% 0.00% 0.00% 0 Timers >> 33 0 2 0 0.00% 0.00% 0.00% 0 Hawkeye >> Backgrou >> 34 0 1 0 0.00% 0.00% 0.00% 0 SONET >> alarm time >> 3 3297860 3024757 1090 0.00% 0.00% 0.00% 0 OSPF Hello >> 36 0 2 0 0.00% 0.00% 0.00% 0 VNM DSPRM >> MAIN >> 37 0 1 0 0.00% 0.00% 0.00% 0 CES Line >> Conditi >> 38 0 2 0 0.00% 0.00% 0.00% 0 Flash MIB >> Update >> 39 0 2 0 0.00% 0.00% 0.00% 0 ATM OAM >> Input >> 40 0 2 0 0.00% 0.00% 0.00% 0 ATM OAM >> TIMER >> 41 8 86 93 0.00% 0.00% 0.00% 0 TurboACL >> 42 0 2 0 0.00% 0.00% 0.00% 0 CEF >> switching ba >> 43 0 1 0 0.00% 0.00% 0.00% 0 AC Switch >> 44 0 2 0 0.00% 0.00% 0.00% 0 AAA >> Dictionary R >> 2 635356 2279979 278 0.00% 0.00% 0.00% 0 Load Meter >> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >> 46 0 1 0 0.00% 0.00% 0.00% 0 ICMP >> event handl >> 47 1608916 1520006 1058 0.00% 0.00% 0.00% 0 CDP >> Protocol >> 48 1785752 1202253 1485 0.00% 0.00% 0.00% 0 LDP >> 49 16 175 91 0.00% 0.00% 0.00% 0 OLM >> 50 0 1 0 0.00% 0.00% 0.00% 0 PPPATM >> Session d >> 51 0 2 0 0.00% 0.00% 0.00% 0 PASVC >> create VA >> 52 9512 1676 5675 0.00% 0.00% 0.00% 0 EEM ED >> Syslog >> 53 0 2 0 0.00% 0.00% 0.00% 0 EEM ED SNMP >> 54 0 2 0 0.00% 0.00% 0.00% 0 EEM ED >> Memory Th >> 55 23596 202778 116 0.00% 0.00% 0.00% 0 EEM ED >> Timer >> 56 0 2 0 0.00% 0.00% 0.00% 0 EEM ED >> Counter >> 57 0 2 0 0.00% 0.00% 0.00% 0 EEM ED >> Interface >> 58 0 3 0 0.00% 0.00% 0.00% 0 EEM ED >> IOSWD >> 30 0 1 0 0.00% 0.00% 0.00% 0 Inode >> Table Dest >> 32 0 2 0 0.00% 0.00% 0.00% 0 CES Timer >> 61 0 1 0 0.00% 0.00% 0.00% 0 MPLS >> Auto-Tunnel >> 62 0 1 0 0.00% 0.00% 0.00% 0 O-UNI >> Client Msg >> 35 0 1 0 0.00% 0.00% 0.00% 0 POS APS >> Event Pr >> 64 0 1 0 0.00% 0.00% 0.00% 0 AC Mgr >> 65 0 1 0 0.00% 0.00% 0.00% 0 SSS Manager >> 
66 0 2 0 0.00% 0.00% 0.00% 0 SSM >> connection m >> 67 0 1 0 0.00% 0.00% 0.00% 0 PPP IP >> Add Route >> 68 90640 189720 477 0.00% 0.00% 0.00% 0 CEF >> background >> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >> 69 0 1 0 0.00% 0.00% 0.00% 0 IP IRDP >> 1 0 2 0 0.00% 0.00% 0.00% 0 Chunk >> Manager >> 71 2091684 355745 5879 0.00% 0.00% 0.00% 0 IP >> Background >> 72 2340232 344710 6788 0.00% 0.00% 0.00% 0 IP RIB >> Update >> 73 69186296 16952818 4081 0.00% 0.00% 0.00% 0 CEF: IPv4 >> proces >> 74 24 122 196 0.00% 0.00% 0.00% 0 ADJ >> background >> 75 0 1 0 0.00% 0.00% 0.00% 0 L2X Data >> Daemon >> 76 0 1 0 0.00% 0.00% 0.00% 0 HTTP Timer >> 77 646408 693913 931 0.00% 0.00% 0.00% 0 TCP Timer >> 78 800 219 3652 0.00% 0.00% 0.00% 0 TCP >> Protocols >> 79 0 1 0 0.00% 0.00% 0.00% 0 Probe Input >> 80 0 1 0 0.00% 0.00% 0.00% 0 RARP Input >> 81 0 1 0 0.00% 0.00% 0.00% 0 Socket >> Timers >> 82 0 2 0 0.00% 0.00% 0.00% 0 LSP Tunnels >> 83 0 1 0 0.00% 0.00% 0.00% 0 COPS >> 84 0 1 0 0.00% 0.00% 0.00% 0 X.25 >> Encaps Mana >> 85 0 1 0 0.00% 0.00% 0.00% 0 PAD InCall >> 86 0 2 0 0.00% 0.00% 0.00% 0 X.25 >> Background >> 87 88 375 234 0.00% 0.00% 0.00% 0 AToM >> manager >> 88 0 5 0 0.00% 0.00% 0.00% 0 AToM LDP >> manager >> 89 79992 190099 420 0.00% 0.00% 0.00% 0 LDP >> Background >> 90 0 1 0 0.00% 0.00% 0.00% 0 L2X >> Socket proce >> 91 0 1 0 0.00% 0.00% 0.00% 0 L2X SSS >> manager >> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >> 92 0 1 0 0.00% 0.00% 0.00% 0 L2TP mgmt >> daemon >> 93 28 204 137 0.00% 0.00% 0.00% 0 TCP >> Listener >> 94 4 1 4000 0.00% 0.00% 0.00% 0 TSP >> 95 0 1 0 0.00% 0.00% 0.00% 0 VOIP RTP >> Udp Inp >> 96 0 1 0 0.00% 0.00% 0.00% 0 >> QOS_MODULE_MAIN >> 97 0 1 0 0.00% 0.00% 0.00% 0 CCVPM_HTSP >> 98 0 1 0 0.00% 0.00% 0.00% 0 CCVPM_R2 >> 99 0 1 0 0.00% 0.00% 0.00% 0 CCSWVOICE >> 100 43864 1140167 38 0.00% 0.00% 0.00% 0 RMON >> Recycle Pro >> 101 0 2 0 0.00% 0.00% 0.00% 0 RMON >> Deferred Se >> 102 0 1 0 0.00% 0.00% 0.00% 0 SYSMGT >> Events >> 
103 1016848 11311292 89 0.00% 0.00% 0.00% 0 >> cerf_daemon_proc >> 104 0 1 0 0.00% 0.00% 0.00% 0 SONET Traps >> 105 640712 2278427 281 0.00% 0.00% 0.00% 0 EEM Server >> 106 0 1 0 0.00% 0.00% 0.00% 0 Syslog >> Traps >> 107 0 1 0 0.00% 0.00% 0.00% 0 DATA >> Transfer Pr >> 108 0 1 0 0.00% 0.00% 0.00% 0 DATA >> Collector >> 109 0 1 0 0.00% 0.00% 0.00% 0 RMON >> Packets >> 110 0 2 0 0.00% 0.00% 0.00% 0 EEM >> Policy Direc >> 111 1019748 11311275 90 0.00% 0.00% 0.00% 0 trunk >> conditioni >> 112 0 1 0 0.00% 0.00% 0.00% 0 trunk >> conditioni >> 113 503088 3349106 150 0.00% 0.00% 0.00% 0 Net Input >> 114 2325524 2279676 1020 0.00% 0.00% 0.00% 0 Compute >> load avg >> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >> 115 83736 766853 109 0.00% 0.00% 0.00% 0 LSP >> Tunnel Head >> 116 0 2 0 0.00% 0.00% 0.00% 0 LSDp >> Input Proc >> 117 1288824 2405686 535 0.00% 0.00% 0.00% 0 LSD Main >> Proc >> 60 0 1 0 0.00% 0.00% 0.00% 0 LSP >> Tunnel FRR >> 70 0 3 0 0.00% 0.00% 0.00% 0 SNMP Timers >> 120 0 2 0 0.00% 0.00% 0.00% 0 MFI LFD >> Main Pro >> 121 2593264 11627651 223 0.00% 0.00% 0.00% 0 NTP >> 122 6873376 1817623 3781 0.00% 0.00% 0.00% 0 Tag Control >> 123 21808 190119 114 0.00% 0.00% 0.00% 0 IPRM >> 124 0 2 0 0.00% 0.00% 0.00% 0 IP Flow >> Backgrou >> 125 4970232 4644514 1070 0.00% 0.00% 0.00% 0 OSPF Hello >> 126 4203656 2503602 1679 0.00% 0.00% 0.00% 0 IP SNMP >> 127 457588 1255865 364 0.00% 0.00% 0.00% 0 PDU >> DISPATCHER >> 128 5118352 1257172 4071 0.00% 0.00% 0.00% 0 SNMP ENGINE >> 129 0 1 0 0.00% 0.00% 0.00% 0 SNMP >> ConfCopyPro >> 130 0 1 0 0.00% 0.00% 0.00% 0 SNMP Traps >> 131 28584 190100 150 0.00% 0.00% 0.00% 0 Time >> Range Proce >> 132 0 1 0 0.00% 0.00% 0.00% 0 xcpa-driver >> 133 1208 274 4408 0.00% 0.00% 0.00% 0 Tagcon Addr >> 134 4599240 11781205 390 0.00% 0.00% 0.00% 0 OSPF Router >> 1 >> 135 1168632 11563127 101 0.00% 0.00% 0.00% 0 OSPF Router >> 2 >> 136 7196544 6637085 1084 0.00% 0.00% 0.00% 0 TDP Hello >> 137 2712 1138 2383 0.00% 0.00% 0.00% 0 RADIUS 
>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>> 139 516 180 2866 0.00% 0.00% 0.00% 0 AAA Accounting
>> 140 60 1542 38 0.00% 0.00% 0.00% 2 Virtual Exec
>>
>> masood at nexlinx.net.pk wrote:
>>
>>> Cisco 7200 is a software-based router, so every packet is punted to
>>> the NPE. You need to replace your NPE instead of the PIC. Which Cisco 7200
>>> series network processing engine are you running? What do you get when you do
>>> "show version" on this router? By using 'show processes cpu sorted 1min'
>>> you can check which process is eating NPE CPU cycles.
>>>
>>> Regards,
>>> Masood
>>>
>>>> It has
>>>>
>>>> int fa0/0
>>>> 30 second input rate 30616000 bits/sec, 13300 packets/sec
>>>> 30 second output rate 47680000 bits/sec, 12178 packets/sec
>>>>
>>>> int fa 0/1
>>>> 30 second input rate 27478000 bits/sec, 4672 packets/sec
>>>> 30 second output rate 19071000 bits/sec, 3774 packets/sec
>>>>
>>>> int ser4/0 (ds3 link)
>>>> 30 second input rate 43264000 bits/sec, 11862 packets/sec
>>>> 30 second output rate 28832000 bits/sec, 13590 packets/sec
>>>>
>>>> 59376 Total
>>>>
>>>> Thanks
>>>>
>>>> David Granzer wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> could you post how much bandwidth and packets per second your 7200 is doing?
>>>>> Generally an upgrade to I/O GE will not
>>>>> help much because the performance is based on the NPE used.
>>>>>
>>>>> regards,
>>>>> David
>>>>>
>>>>> On Wed, Jun 3, 2009 at 3:52 PM, Juan C. Crespo R. wrote:
>>>>>
>>>>>> Guys
>>>>>>
>>>>>> I have one POP with 90% of CPU Load (WCCP2, QoS and other minor stuff)
>>>>>> and we are thinking about changing the IO/7200-2FE by one IO/7200-GE; could
>>>>>> this help with this load?
>>>>>>
>>>>>> Thanks
>>>>>
>>>>
>>>
>>
>

From sethm at rollernet.us Wed Jun 3 11:45:37 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 03 Jun 2009 08:45:37 -0700
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <4A26997F.3030107@cantv.net>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net> <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk> <4A26997F.3030107@cantv.net>
Message-ID: <4A269AA1.2030509@rollernet.us>

Juan C. Crespo R. wrote:
> That's great, but could the IO7200GE help with the CPU load? If not, I
> must wait until I get some budget.
>

To copy and paste Gert's initial response:

"No. This is a CPU-based platform - the only way to reduce the CPU load is to get a faster CPU or turn off features."

~Seth

From masood at nexlinx.net.pk Wed Jun 3 12:53:55 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Wed, 3 Jun 2009 21:53:55 +0500 (PKT)
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <4A26997F.3030107@cantv.net>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net> <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk> <4A26997F.3030107@cantv.net>
Message-ID: <61750.196.46.241.57.1244048035.squirrel@nexmail1.nexlinx.net.pk>

The answer to your question...

That's great, but could the IO7200GE help with the CPU load?

Nah :) What you need is NPE-G1 or NPE-G2 (double the speed of NPE-G1). Before making a decision, calculate your network bandwidth requirements.

Regards,
Masood

> That's great, but could the IO7200GE help with the CPU load? If not, I
> must wait until I get some budget.
>
> Thanks
>
> masood at nexlinx.net.pk wrote:
>> Cisco 7200 NPE-400 is normally for customer premise equipment and DS1/DS3
>> aggregation. As per Cisco, performance of up to 400 kpps in CEF
>> switching.
>> >> You can upgrade to NPE-G1 which provides performance of up to 1 million >> packets per second in cef switching (an increase of up to 250 percent >> over >> the cisco 7200 series npe 400) >> >> Regards, >> Masood >> >> >>> NPE 400 >>> >>> CPU utilization for five seconds: 76%/75%; one minute: 74%; five >>> minutes: 75% >>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >>> 45 210365012 85449013 2461 0.23% 0.19% 0.19% 0 IP Input >>> 118 99161264 248440739 399 0.23% 0.08% 0.06% 0 >>> traffic_shape >>> 18 19988356 29194664 684 0.00% 0.03% 0.02% 0 ARP >>> Input >>> 4 49353040 2274191 21701 0.00% 0.03% 0.04% 0 Check >>> heaps >>> 10 11268080 11331204 994 0.00% 0.02% 0.00% 0 EnvMon >>> 63 8535512 47262546 180 0.07% 0.01% 0.00% 0 Spanning >>> Tree >>> 29 19555460 389652 50187 0.00% 0.01% 0.00% 0 >>> Per-minute Jobs >>> 5 6393048 430645 14845 0.07% 0.00% 0.00% 0 Pool >>> Manager >>> 119 14495556 1901716 7622 0.00% 0.00% 0.00% 0 MFI LFD >>> Timer Pr >>> 59 5397356 1127172 4788 0.00% 0.00% 0.00% 0 WCCP V2 >>> Protocol >>> 11 0 1 0 0.00% 0.00% 0.00% 0 OIR >>> Handler >>> 12 7912 190100 41 0.00% 0.00% 0.00% 0 IPC >>> Dynamic Cach >>> 13 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone >>> Manager >>> 14 1344312 11329870 118 0.00% 0.00% 0.00% 0 IPC >>> Periodic Tim >>> 15 1196200 11329850 105 0.00% 0.00% 0.00% 0 IPC >>> Deferred Por >>> 16 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat >>> Manager >>> 17 44772 1140352 39 0.00% 0.00% 0.00% 0 Compute >>> SRP rate >>> 9 0 1 0 0.00% 0.00% 0.00% 0 Policy >>> Manager >>> 19 0 28 0 0.00% 0.00% 0.00% 0 DDR >>> Timers >>> 20 0 2 0 0.00% 0.00% 0.00% 0 Dialer >>> event >>> 21 0 2 0 0.00% 0.00% 0.00% 0 Entity >>> MIB API >>> 22 0 1 0 0.00% 0.00% 0.00% 0 SERIAL >>> A'detect >>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >>> 23 770388 2845739 270 0.00% 0.00% 0.00% 0 HC >>> Counter Timer >>> 24 5264 22 239272 0.00% 0.00% 0.00% 0 Critical >>> Bkgnd >>> 25 3963452 4658455 850 0.00% 0.00% 0.00% 0 Net >>> Background >>> 26 6188 3016 2051 0.00% 
0.00% 0.00% 0 Logger >>> 27 2206724 11329804 194 0.00% 0.00% 0.00% 0 TTY >>> Background >>> 28 65577956 11340517 5782 0.00% 0.00% 0.00% 0 >>> Per-Second Jobs >>> 8 144284 2275716 63 0.00% 0.00% 0.00% 0 >>> ALARM_TRIGGER_SC >>> 7 0 2 0 0.00% 0.00% 0.00% 0 Serial >>> Backgroun >>> 31 0 1 0 0.00% 0.00% 0.00% 0 CSP >>> Timer >>> 6 0 2 0 0.00% 0.00% 0.00% 0 Timers >>> 33 0 2 0 0.00% 0.00% 0.00% 0 Hawkeye >>> Backgrou >>> 34 0 1 0 0.00% 0.00% 0.00% 0 SONET >>> alarm time >>> 3 3297860 3024757 1090 0.00% 0.00% 0.00% 0 OSPF >>> Hello >>> 36 0 2 0 0.00% 0.00% 0.00% 0 VNM >>> DSPRM >>> MAIN >>> 37 0 1 0 0.00% 0.00% 0.00% 0 CES Line >>> Conditi >>> 38 0 2 0 0.00% 0.00% 0.00% 0 Flash >>> MIB >>> Update >>> 39 0 2 0 0.00% 0.00% 0.00% 0 ATM OAM >>> Input >>> 40 0 2 0 0.00% 0.00% 0.00% 0 ATM OAM >>> TIMER >>> 41 8 86 93 0.00% 0.00% 0.00% 0 TurboACL >>> 42 0 2 0 0.00% 0.00% 0.00% 0 CEF >>> switching ba >>> 43 0 1 0 0.00% 0.00% 0.00% 0 AC >>> Switch >>> 44 0 2 0 0.00% 0.00% 0.00% 0 AAA >>> Dictionary R >>> 2 635356 2279979 278 0.00% 0.00% 0.00% 0 Load >>> Meter >>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >>> 46 0 1 0 0.00% 0.00% 0.00% 0 ICMP >>> event handl >>> 47 1608916 1520006 1058 0.00% 0.00% 0.00% 0 CDP >>> Protocol >>> 48 1785752 1202253 1485 0.00% 0.00% 0.00% 0 LDP >>> 49 16 175 91 0.00% 0.00% 0.00% 0 OLM >>> 50 0 1 0 0.00% 0.00% 0.00% 0 PPPATM >>> Session d >>> 51 0 2 0 0.00% 0.00% 0.00% 0 PASVC >>> create VA >>> 52 9512 1676 5675 0.00% 0.00% 0.00% 0 EEM ED >>> Syslog >>> 53 0 2 0 0.00% 0.00% 0.00% 0 EEM ED >>> SNMP >>> 54 0 2 0 0.00% 0.00% 0.00% 0 EEM ED >>> Memory Th >>> 55 23596 202778 116 0.00% 0.00% 0.00% 0 EEM ED >>> Timer >>> 56 0 2 0 0.00% 0.00% 0.00% 0 EEM ED >>> Counter >>> 57 0 2 0 0.00% 0.00% 0.00% 0 EEM ED >>> Interface >>> 58 0 3 0 0.00% 0.00% 0.00% 0 EEM ED >>> IOSWD >>> 30 0 1 0 0.00% 0.00% 0.00% 0 Inode >>> Table Dest >>> 32 0 2 0 0.00% 0.00% 0.00% 0 CES >>> Timer >>> 61 0 1 0 0.00% 0.00% 0.00% 0 MPLS >>> Auto-Tunnel >>> 62 0 1 0 0.00% 
0.00% 0.00% 0 O-UNI >>> Client Msg >>> 35 0 1 0 0.00% 0.00% 0.00% 0 POS APS >>> Event Pr >>> 64 0 1 0 0.00% 0.00% 0.00% 0 AC Mgr >>> 65 0 1 0 0.00% 0.00% 0.00% 0 SSS >>> Manager >>> 66 0 2 0 0.00% 0.00% 0.00% 0 SSM >>> connection m >>> 67 0 1 0 0.00% 0.00% 0.00% 0 PPP IP >>> Add Route >>> 68 90640 189720 477 0.00% 0.00% 0.00% 0 CEF >>> background >>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >>> 69 0 1 0 0.00% 0.00% 0.00% 0 IP IRDP >>> 1 0 2 0 0.00% 0.00% 0.00% 0 Chunk >>> Manager >>> 71 2091684 355745 5879 0.00% 0.00% 0.00% 0 IP >>> Background >>> 72 2340232 344710 6788 0.00% 0.00% 0.00% 0 IP RIB >>> Update >>> 73 69186296 16952818 4081 0.00% 0.00% 0.00% 0 CEF: >>> IPv4 >>> proces >>> 74 24 122 196 0.00% 0.00% 0.00% 0 ADJ >>> background >>> 75 0 1 0 0.00% 0.00% 0.00% 0 L2X Data >>> Daemon >>> 76 0 1 0 0.00% 0.00% 0.00% 0 HTTP >>> Timer >>> 77 646408 693913 931 0.00% 0.00% 0.00% 0 TCP >>> Timer >>> 78 800 219 3652 0.00% 0.00% 0.00% 0 TCP >>> Protocols >>> 79 0 1 0 0.00% 0.00% 0.00% 0 Probe >>> Input >>> 80 0 1 0 0.00% 0.00% 0.00% 0 RARP >>> Input >>> 81 0 1 0 0.00% 0.00% 0.00% 0 Socket >>> Timers >>> 82 0 2 0 0.00% 0.00% 0.00% 0 LSP >>> Tunnels >>> 83 0 1 0 0.00% 0.00% 0.00% 0 COPS >>> 84 0 1 0 0.00% 0.00% 0.00% 0 X.25 >>> Encaps Mana >>> 85 0 1 0 0.00% 0.00% 0.00% 0 PAD >>> InCall >>> 86 0 2 0 0.00% 0.00% 0.00% 0 X.25 >>> Background >>> 87 88 375 234 0.00% 0.00% 0.00% 0 AToM >>> manager >>> 88 0 5 0 0.00% 0.00% 0.00% 0 AToM LDP >>> manager >>> 89 79992 190099 420 0.00% 0.00% 0.00% 0 LDP >>> Background >>> 90 0 1 0 0.00% 0.00% 0.00% 0 L2X >>> Socket proce >>> 91 0 1 0 0.00% 0.00% 0.00% 0 L2X SSS >>> manager >>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >>> 92 0 1 0 0.00% 0.00% 0.00% 0 L2TP >>> mgmt >>> daemon >>> 93 28 204 137 0.00% 0.00% 0.00% 0 TCP >>> Listener >>> 94 4 1 4000 0.00% 0.00% 0.00% 0 TSP >>> 95 0 1 0 0.00% 0.00% 0.00% 0 VOIP RTP >>> Udp Inp >>> 96 0 1 0 0.00% 0.00% 0.00% 0 >>> QOS_MODULE_MAIN >>> 97 0 1 0 0.00% 0.00% 
0.00% 0 >>> CCVPM_HTSP >>> 98 0 1 0 0.00% 0.00% 0.00% 0 CCVPM_R2 >>> 99 0 1 0 0.00% 0.00% 0.00% 0 >>> CCSWVOICE >>> 100 43864 1140167 38 0.00% 0.00% 0.00% 0 RMON >>> Recycle Pro >>> 101 0 2 0 0.00% 0.00% 0.00% 0 RMON >>> Deferred Se >>> 102 0 1 0 0.00% 0.00% 0.00% 0 SYSMGT >>> Events >>> 103 1016848 11311292 89 0.00% 0.00% 0.00% 0 >>> cerf_daemon_proc >>> 104 0 1 0 0.00% 0.00% 0.00% 0 SONET >>> Traps >>> 105 640712 2278427 281 0.00% 0.00% 0.00% 0 EEM >>> Server >>> 106 0 1 0 0.00% 0.00% 0.00% 0 Syslog >>> Traps >>> 107 0 1 0 0.00% 0.00% 0.00% 0 DATA >>> Transfer Pr >>> 108 0 1 0 0.00% 0.00% 0.00% 0 DATA >>> Collector >>> 109 0 1 0 0.00% 0.00% 0.00% 0 RMON >>> Packets >>> 110 0 2 0 0.00% 0.00% 0.00% 0 EEM >>> Policy Direc >>> 111 1019748 11311275 90 0.00% 0.00% 0.00% 0 trunk >>> conditioni >>> 112 0 1 0 0.00% 0.00% 0.00% 0 trunk >>> conditioni >>> 113 503088 3349106 150 0.00% 0.00% 0.00% 0 Net >>> Input >>> 114 2325524 2279676 1020 0.00% 0.00% 0.00% 0 Compute >>> load avg >>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process >>> 115 83736 766853 109 0.00% 0.00% 0.00% 0 LSP >>> Tunnel Head >>> 116 0 2 0 0.00% 0.00% 0.00% 0 LSDp >>> Input Proc >>> 117 1288824 2405686 535 0.00% 0.00% 0.00% 0 LSD Main >>> Proc >>> 60 0 1 0 0.00% 0.00% 0.00% 0 LSP >>> Tunnel FRR >>> 70 0 3 0 0.00% 0.00% 0.00% 0 SNMP >>> Timers >>> 120 0 2 0 0.00% 0.00% 0.00% 0 MFI LFD >>> Main Pro >>> 121 2593264 11627651 223 0.00% 0.00% 0.00% 0 NTP >>> 122 6873376 1817623 3781 0.00% 0.00% 0.00% 0 Tag >>> Control >>> 123 21808 190119 114 0.00% 0.00% 0.00% 0 IPRM >>> 124 0 2 0 0.00% 0.00% 0.00% 0 IP Flow >>> Backgrou >>> 125 4970232 4644514 1070 0.00% 0.00% 0.00% 0 OSPF >>> Hello >>> 126 4203656 2503602 1679 0.00% 0.00% 0.00% 0 IP SNMP >>> 127 457588 1255865 364 0.00% 0.00% 0.00% 0 PDU >>> DISPATCHER >>> 128 5118352 1257172 4071 0.00% 0.00% 0.00% 0 SNMP >>> ENGINE >>> 129 0 1 0 0.00% 0.00% 0.00% 0 SNMP >>> ConfCopyPro >>> 130 0 1 0 0.00% 0.00% 0.00% 0 SNMP >>> Traps >>> 131 28584 190100 150 0.00% 
0.00% 0.00% 0 Time Range Proce
>>> 132 0 1 0 0.00% 0.00% 0.00% 0 xcpa-driver
>>> 133 1208 274 4408 0.00% 0.00% 0.00% 0 Tagcon Addr
>>> 134 4599240 11781205 390 0.00% 0.00% 0.00% 0 OSPF Router 1
>>> 135 1168632 11563127 101 0.00% 0.00% 0.00% 0 OSPF Router 2
>>> 136 7196544 6637085 1084 0.00% 0.00% 0.00% 0 TDP Hello
>>> 137 2712 1138 2383 0.00% 0.00% 0.00% 0 RADIUS
>>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>>> 139 516 180 2866 0.00% 0.00% 0.00% 0 AAA Accounting
>>> 140 60 1542 38 0.00% 0.00% 0.00% 2 Virtual Exec
>>>
>>> masood at nexlinx.net.pk wrote:
>>>
>>>> Cisco 7200 is a software-based router, so every packet is punted to
>>>> the NPE. You need to replace your NPE instead of the PIC. Which Cisco 7200
>>>> series network processing engine are you running? What do you get when you do
>>>> "show version" on this router? By using 'show processes cpu sorted 1min'
>>>> you can check which process is eating NPE CPU cycles.
>>>>
>>>> Regards,
>>>> Masood
>>>>
>>>>> It has
>>>>>
>>>>> int fa0/0
>>>>> 30 second input rate 30616000 bits/sec, 13300 packets/sec
>>>>> 30 second output rate 47680000 bits/sec, 12178 packets/sec
>>>>>
>>>>> int fa 0/1
>>>>> 30 second input rate 27478000 bits/sec, 4672 packets/sec
>>>>> 30 second output rate 19071000 bits/sec, 3774 packets/sec
>>>>>
>>>>> int ser4/0 (ds3 link)
>>>>> 30 second input rate 43264000 bits/sec, 11862 packets/sec
>>>>> 30 second output rate 28832000 bits/sec, 13590 packets/sec
>>>>>
>>>>> 59376 Total
>>>>>
>>>>> Thanks
>>>>>
>>>>> David Granzer wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> could you post how much bandwidth and packets per second your 7200 is doing?
>>>>>> Generally an upgrade to I/O GE will not
>>>>>> help much because the performance is based on the NPE used.
>>>>>>
>>>>>> regards,
>>>>>> David
>>>>>>
>>>>>> On Wed, Jun 3, 2009 at 3:52 PM, Juan C. Crespo R. wrote:
>>>>>>
>>>>>>> Guys
>>>>>>>
>>>>>>> I have one POP with 90% of CPU Load (WCCP2, QoS and other minor stuff)
>>>>>>> and we are thinking about changing the IO/7200-2FE by one IO/7200-GE; could
>>>>>>> this help with this load?
>>>>>>>
>>>>>>> Thanks
>>>>>
>>>>
>>
>

From MatlockK at exempla.org Wed Jun 3 11:52:28 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Wed, 3 Jun 2009 09:52:28 -0600
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <4A269AA1.2030509@rollernet.us>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net> <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk> <4A26997F.3030107@cantv.net> <4A269AA1.2030509@rollernet.us>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D36B9@LMC-MAIL2.exempla.org>

To reiterate :)

The problem you're having is that the CPU is having to process EVERY packet coming in (the nature of the chassis, unfortunately). Changing out the IO module will only allow you to have faster interfaces, but the CPU is still the exact same.
The ONLY fixes are:

1) Reduce the packet rate on the chassis
2) Reduce the number of 'extraneous' services on the chassis
3) Get a faster CPU (NPE-G1 or NPE-G2)

The advertised PPS rates are assuming (I believe) 64-byte packets, and nothing else (QoS/ACLs/dynamic routing protocols/etc) running on the chassis.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen
Sent: Wednesday, June 03, 2009 9:46 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?

Juan C. Crespo R. wrote:
> That's great, but could the IO7200GE help with the CPU load? If not, I
> must wait until I get some budget.
>

To copy and paste Gert's initial response:

"No. This is a CPU-based platform - the only way to reduce the CPU load is to get a faster CPU or turn off features."

~Seth

From paul at paulstewart.org Wed Jun 3 11:55:26 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 3 Jun 2009 11:55:26 -0400
Subject: [c-nsp] BGP Advertising - Question re more specific block
Message-ID: <004201c9e463$b72ec280$258c4780$@org>

Hi folks. I'd like to know if there's a better way to approach this.

We are advertising a specific /22 that belongs to a /18 block via one specific upstream BGP connection. The /18 is advertised to all upstreams; the /22 is only advertised to one upstream as a method of influencing traffic via that carrier (knowing that if that particular carrier went down, the less specific subnet will still be reachable via the other providers). Prepending is very ugly for this situation, FYI.

We use BGP communities to identify upstream and downstream BGP connections along with our own netblocks.

First I built a route-map that I could use inside the BGP network statement:

route-map blahblah-routes-providerx permit 1000
 set community 11666:6001

Then created the network statement:

network xx.xx.xx.0 mask 255.255.252.0 route-map blahblah-routes-providerx

Created a new IP community-list that includes the previous communities plus this one new specific community (11666:6001):

ip community-list 101 permit 11666:4000
ip community-list 101 permit 11666:5000
ip community-list 101 permit 11666:6001

And updated the route-map towards this upstream as applicable:

route-map outbound-tsystems permit 10
 match community 101

My question: is there a better way to configure this? This is working just fine for our needs, but there are a lot of steps and we're going to have to add more to this in future, so I'd rather keep the config as simple as possible ;)

Thanks,
Paul

From achatz at forthnet.gr Wed Jun 3 13:21:26 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 03 Jun 2009 20:21:26 +0300
Subject: [c-nsp] CSCsv21403 (EVC not programmed on ES20 linecard)
Message-ID: <4A26B116.4040803@forthnet.gr>

Although I haven't met this, it might mean that the EVC frame matching config (the "encapsulation dot1q xxx" under the service instance) is not "converted" into the appropriate TCAM entry in the ES card. A possible result would be that frames that should be forwarded through this service instance are either not forwarded at all or forwarded through a less specific match criterion of another service instance.

In any case, your account SE should be able to provide you with more -internal- details about this bug.

Regards,
Tassos

David Freedman wrote on 03/06/2009 18:32:
> Has anybody come across this and if so are there any known workarounds?
>
> Am keen to know under what circumstances an EFP does not get programmed
> to the card; if anybody has any more information on this I would be
> appreciative of it, online or offline.
>
> Regards,
>
> David Freedman
>

From gert at greenie.muc.de Wed Jun 3 13:23:47 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 3 Jun 2009 19:23:47 +0200
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <4A26997F.3030107@cantv.net>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net> <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk> <4A26997F.3030107@cantv.net>
Message-ID: <20090603172347.GD290@greenie.muc.de>

Hi,

On Wed, Jun 03, 2009 at 11:10:47AM -0430, Juan C. Crespo R. wrote:
> That's great, but could the IO7200GE help with the CPU load?

*NO*.

There is no intelligence on the IO board. Packets go to the CPU. If the CPU is loaded, it doesn't matter where the packets are coming from.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From david.freedman at uk.clara.net Wed Jun 3 13:33:29 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 03 Jun 2009 18:33:29 +0100
Subject: [c-nsp] CSCsv21403 (EVC not programmed on ES20 linecard)
In-Reply-To: <4A26B116.4040803@forthnet.gr>
References: <4A26B116.4040803@forthnet.gr>
Message-ID: <4A26B3E9.3010303@uk.clara.net>

Tassos, the problem is that the EFP (Ethernet Flowpoint) is not programmed to the card using the efp-client; without an EFP the service instance has nothing to attach to.

Am currently waiting on somebody to share the DE notes with me so I can see if I can find a workaround (even if it means a slew of test commands to prod the subsystems directly).

I know this is resolved in SRC4 and we are on target to upgrade, but would just appreciate a faster solution; we are all out of alternatives :)

Dave.

Tassos Chatzithomaoglou wrote:
> Although I haven't met this, it might mean that the EVC frame matching
> config (the "encapsulation dot1q xxx" under the service instance) is not
> "converted" into the appropriate TCAM entry in the ES card. A possible
> result would be that frames that should be forwarded through this
> service instance are either not forwarded at all or forwarded through a
> less specific match criterion of another service instance.
>
> In any case, your account SE should be able to provide you with more
> -internal- details about this bug.
>
> Regards,
> Tassos
>
> David Freedman wrote on 03/06/2009 18:32:
>> Has anybody come across this and if so are there any known workarounds?
>>
>> Am keen to know under what circumstances an EFP does not get programmed
>> to the card; if anybody has any more information on this I would be
>> appreciative of it, online or offline.
>>
>> Regards,
>>
>> David Freedman
>>
>

From achatz at forthnet.gr Wed Jun 3 14:11:14 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 03 Jun 2009 21:11:14 +0300
Subject: [c-nsp] Mac-in-Mac supported in ES+ ?
Message-ID: <4A26BCC2.5090405@forthnet.gr>

Does anyone know more details about current mac-in-mac (802.1ah Provider Backbone Bridges) support?

7600#sh ethernet service ?
  evc         Ethernet EVC instance
              Ethernet Service Instance
  interface   Ethernet Service Interface
  ipc         Ethernet Service IPC
  mac-tunnel  Ethernet Mac-in-Mac tunnel

CCO returned only pages regarding IOS-XR.

--
Tassos

From billf at mu.org Wed Jun 3 16:13:18 2009
From: billf at mu.org (bill fumerola)
Date: Wed, 3 Jun 2009 13:13:18 -0700
Subject: [c-nsp] IO 7200 GE Improve Performance and help with the CPU Load?
In-Reply-To: <20090603172347.GD290@greenie.muc.de>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net> <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk> <4A26997F.3030107@cantv.net> <20090603172347.GD290@greenie.muc.de>
Message-ID: <20090603201318.GM14367@elvis.mu.org>

On Wed, Jun 03, 2009 at 07:23:47PM +0200, Gert Doering wrote:
> On Wed, Jun 03, 2009 at 11:10:47AM -0430, Juan C. Crespo R. wrote:
> > That's great, but could the IO7200GE help with the CPU load?
>
> *NO*.
>
> There is no intelligence on the IO board. Packets go to the CPU. If
> the CPU is loaded, it doesn't matter where the packets are coming from.

unless pushing all the frames to one interface causes reduced CPU time spent servicing interrupts from interrupt coalescing.

-- bill

From mduksa at gmail.com Wed Jun 3 19:07:29 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Wed, 3 Jun 2009 16:07:29 -0700
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500

Hi - Does anyone know which cards on Cat6500 support MPLS and, separately, IP-VPN, possibly at 40Gbps throughput? I'm looking for a distributed (DFC) forwarding solution. I know that Cat6500 is very limited in VPLS support, but IP-VPN and EoMPLS should be no problem, right?

Thanks,
Marlon

From avayner at cisco.com Thu Jun 4 00:19:03 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 4 Jun 2009 06:19:03 +0200
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7B75617@xmb-ams-331.emea.cisco.com>

Marlon,

If you have DFCs on the regular LAN cards, then EoMPLS and L3VPN will be done in hardware and in distributed forwarding mode.

For VPLS, you need to have either an ES20/ES40 card or a SIP card facing the core. Having this card means that again VPLS is done in hardware - some functionality is done on the regular DFCs and some on the egress core-facing module.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
Sent: Thursday, June 04, 2009 02:07
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500

Hi - Does anyone know which cards on Cat6500 support MPLS and, separately, IP-VPN, possibly at 40Gbps throughput? I'm looking for a distributed (DFC) forwarding solution. I know that Cat6500 is very limited in VPLS support, but IP-VPN and EoMPLS should be no problem, right?

Thanks,
Marlon

From achatz at forthnet.gr Thu Jun 4 02:20:12 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 04 Jun 2009 09:20:12 +0300
Subject: [c-nsp] standby RSP720 gets "Data TLB Error Exception" after rommon upgrade
Message-ID: <4A27679C.3070503@forthnet.gr>

Has anyone managed to do a rommon upgrade to a RSP720 and immediately afterwards had it boot as a standby? I did it twice and I always got the "Data TLB Error Exception" message:

rommon 7 > boot bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRB5a.bin
Initializing ATA monitor library...
*** Data TLB Error Exception ***
PC = 0x40442e4, Vector = 0x1400, SP = 0x4012dc4

I have RMAed 2 RSP720s until now after doing exactly the same procedure, and now I'm waiting for the 3rd one!

If the RSP720 is the only one in the chassis (so it's acting as an active), then booting after the rommon upgrade works fine! If the RSP720 gets booted as a standby after the rommon upgrade, then it gets destroyed and cannot be used either as an active or as a standby.
-- Tassos From asturluismi at gmail.com Thu Jun 4 04:26:21 2009 From: asturluismi at gmail.com (luismi) Date: Thu, 04 Jun 2009 10:26:21 +0200 Subject: [c-nsp] Any problems w/ 3750 IOS 12.2(46)SE? In-Reply-To: References: Message-ID: <1244103981.7817.0.camel@dsba-ipso> What we saw with 12.2.(46) was a corruption of the "ifindex" file. We will go for 12.2(50) El mar, 02-06-2009 a las 16:45 +0930, Tom Lanyon escribi?: > We are seeing consistent low TCP throughput over a dual gig > etherchannel between two stacks of 3x 3750G + 1x 3750E and > intermittent delays (ie. random slow ICMP ping times) on another 2x > 3750G stack, all on 12.2(46)SE. All switches are doing L2/L3 > forwarding and a small amount of EIGRP. > > The stack with delayed ICMP has seemingly random high CPU load and > this seems to correlate with the delayed ICMP packets; example: > 5Min Processes: 27% CPU > Interrupts: 0% CPU > Sum of all processes: 1.88% CPU > > The other stacks haven't shown signs of ICMP delayed packets but still > list high (40-100%) peaks of CPU utilisation. Can't see any > indications of TCAM exhaustion on any switch (all desktop default SDM > template). > > Just thought I'd throw this to the list to see if anyone else has had > something similar? > > Tom > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rgallagh at cisco.com Thu Jun 4 06:05:22 2009 From: rgallagh at cisco.com (Richard Gallagher) Date: Thu, 4 Jun 2009 11:05:22 +0100 Subject: [c-nsp] CSCsv21403 (EVC not programmed on ES20 linecard) In-Reply-To: <4A26B3E9.3010303@uk.clara.net> References: <4A26B116.4040803@forthnet.gr> <4A26B3E9.3010303@uk.clara.net> Message-ID: <381A4C3F-2CE8-4BB4-96DC-8651ED9A093B@cisco.com> I've had a look for you and there is no workaround unfortunately. 
You could try OIR'ing the LC if you are hitting the issue; this may resolve it. There are no magic "test commands" to overcome it.

Rich

On 3 Jun 2009, at 18:33, David Freedman wrote:
> Tassos, the problem is that the EFP (Ethernet Flowpoint) is not programmed to the card using the efp-client; without an EFP the service instance has nothing to attach to.
>
> Am currently waiting on somebody to share the DE notes with me so I can see if I can find a workaround (even if it means a slew of test commands to prod the subsystems directly).
>
> I know this is resolved in SRC4 and we are on target to upgrade, would just appreciate a faster solution, we are all out of alternatives :)
>
> Dave.
>
> Tassos Chatzithomaoglou wrote:
>> Although I haven't met this, it might mean that the EVC frame matching config (the "encapsulation dot1q xxx" under the service instance) is not "converted" into the appropriate TCAM entry in the ES card. A possible result would be that frames that should be forwarded through this service instance are either not forwarded at all or forwarded through a less specific match criterion of another service instance.
>>
>> In any case, your account SE should be able to provide you with more -internal- details about this bug.
>>
>> Regards,
>> Tassos
>>
>> David Freedman wrote on 03/06/2009 18:32:
>>> Has anybody come across this and if so are there any known workarounds?
>>>
>>> Am keen to know under what circumstances an EFP does not get programmed to the card; if anybody has any more information on this, would be appreciative of it online or offline.
>>>
>>> Regards,
>>>
>>> David Freedman

From RGoldberg at compudyne.net Thu Jun 4 08:16:53 2009
From: RGoldberg at compudyne.net (Ryan Goldberg)
Date: Thu, 4 Jun 2009 07:16:53 -0500
Subject: [c-nsp] basic nat question

I really did *not* want my first post to cisco-nsp to be this lame, but... if you have a second:

Got an 1841 out there, with x.x.x.161/29 bound on the internet facing port, and .163, .164, .165 also bound as secondaries. Need to do some static NAT, but only the entries for the primary IP work, eg

ip nat inside source static tcp 192.168.1.103 110 x.x.x.161 110 vrf ISP2 extendable

works just fine;

ip nat inside source static tcp 192.168.1.156 443 x.x.x.163 110 vrf ISP2 extendable

does not work.

A clue that I'm unable to make use of is that the traffic that I send to the secondary comes back from the primary according to the NAT translation table, and as verified by packet capture.

Any help you could provide would be hugely appreciated. Running 12.4.24T..
Thanks-
Ryan

From paul at paulstewart.org Thu Jun 4 09:39:47 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 4 Jun 2009 09:39:47 -0400
Subject: [c-nsp] BGP Advertising - Question re more specific block
In-Reply-To: <4A27C5C4.1070300@ibctech.ca>
References: <004201c9e463$b72ec280$258c4780$@org> <4A27C5C4.1070300@ibctech.ca>
Message-ID: <000001c9e519$ed961970$c8c24c50$@org>

Hi Steve..

That is correct - we will actually be taking any specifics and tagging them with one community. We will use that community only with certain upstream and peering points. Our overall problem is that we have one upstream that we are stuck with in contract and are not remotely meeting our minimum traffic levels with them - if we start prepending then we get too large of a traffic shift. So I'm hoping to take a few /22 and maybe a /20 and advertise it as a more specific route to that upstream and also to our peering points (we don't want to push any traffic away from peering points of course).

Thanks,
Paul

-----Original Message-----
From: Steve Bertrand [mailto:steve at ibctech.ca]
Sent: Thursday, June 04, 2009 9:02 AM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP Advertising - Question re more specific block

Paul Stewart wrote:
> We are advertising a specific /22 that belongs to a /18 block via one specific upstream BGP connection. The /18 is advertised to all upstreams, the /22 is only advertised to one upstream as a method of influencing traffic via that carrier (knowing that if that particular carrier went down, the less specific subnet will still be reachable via the other providers). Prepending is very ugly for this situation FYI.

Paul,

Just so I can get a better understanding, you are applying a community to each /22 you are advertising to certain peers.
You are then applying a route-map to a particular peer that only sends the prefixes that have a particular community set. Is this correct?

Do you advertise this exact group of /22's to more than one upstream peer?

Steve

From cchurc05 at harris.com Thu Jun 4 09:00:41 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 4 Jun 2009 08:00:41 -0500
Subject: [c-nsp] basic nat question

What's the purpose of having those additional addresses bound as secondaries? It's not needed for NAT.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan Goldberg
Sent: Thursday, June 04, 2009 8:17 AM
To: 'cisco-nsp at puck.nether.net'
Subject: [c-nsp] basic nat question

I really did *not* want my first post to cisco-nsp to be this lame, but... if you have a second:

Got an 1841 out there, with x.x.x.161/29 bound on the internet facing port, and .163, .164, .165 also bound as secondaries. Need to do some static NAT, but only the entries for the primary IP work, eg

ip nat inside source static tcp 192.168.1.103 110 x.x.x.161 110 vrf ISP2 extendable

works just fine;

ip nat inside source static tcp 192.168.1.156 443 x.x.x.163 110 vrf ISP2 extendable

does not work.

A clue that I'm unable to make use of is that the traffic that I send to the secondary comes back from the primary according to the NAT translation table, and as verified by packet capture.

Any help you could provide would be hugely appreciated. Running 12.4.24T..
Thanks-
Ryan

From steve at ibctech.ca Thu Jun 4 09:01:56 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu, 04 Jun 2009 09:01:56 -0400
Subject: [c-nsp] BGP Advertising - Question re more specific block
In-Reply-To: <004201c9e463$b72ec280$258c4780$@org>
References: <004201c9e463$b72ec280$258c4780$@org>
Message-ID: <4A27C5C4.1070300@ibctech.ca>

Paul Stewart wrote:
> We are advertising a specific /22 that belongs to a /18 block via one specific upstream BGP connection. The /18 is advertised to all upstreams, the /22 is only advertised to one upstream as a method of influencing traffic via that carrier (knowing that if that particular carrier went down, the less specific subnet will still be reachable via the other providers). Prepending is very ugly for this situation FYI.

Paul,

Just so I can get a better understanding, you are applying a community to each /22 you are advertising to certain peers. You are then applying a route-map to a particular peer that only sends the prefixes that have a particular community set. Is this correct?

Do you advertise this exact group of /22's to more than one upstream peer?

Steve

From mduksa at gmail.com Thu Jun 4 10:10:27 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Thu, 4 Jun 2009 07:10:27 -0700
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7B75617@xmb-ams-331.emea.cisco.com>
References: <78C984F8939D424697B15E4B1C1BB3D7B75617@xmb-ams-331.emea.cisco.com>

Thanks Arie. But ES cards are not supported on Cat6500, no?
And also VPLS over MPLS on a SIP in Cat6500 - is it supported? If so do you know which SIP?

Thanks,
Marlon

On Wed, Jun 3, 2009 at 9:19 PM, Arie Vayner (avayner) wrote:
> Marlon,
>
> If you have DFCs on the regular LAN cards, then EoMPLS and L3VPN will be done in hardware and in distributed forwarding mode.
> For VPLS, you need to have either an ES20/ES40 card or a SIP card facing the core. Having this card means that again VPLS is done in hardware - some functionality is done on the regular DFCs and some on the egress core facing module.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
> Sent: Thursday, June 04, 2009 02:07
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
>
> Hi - Does anyone know which cards on Cat6500 support MPLS and separately IP-VPN, possibly at 40Gbps throughput? I'm looking for a distributed (DFC) forwarding solution.
>
> I know that Cat6500 is very limited in VPLS support, but IP-VPN and EoMPLS should be no problem, right?
>
> Thanks,
> Marlon

From masood at nexlinx.net.pk Thu Jun 4 11:26:16 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Thu, 4 Jun 2009 20:26:16 +0500 (PKT)
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
References: <78C984F8939D424697B15E4B1C1BB3D7B75617@xmb-ams-331.emea.cisco.com>
Message-ID: <28289.196.46.241.57.1244129176.squirrel@nexmail1.nexlinx.net.pk>

AFAIK VPLS is not supported on the Catalyst 6500 series. You should upgrade to the 7600 series with enhanced core facing interfaces, such as ES-cards or SIP-400/600 cards.

Regards,
Masood

> Thanks Arie. But ES cards are not supported on Cat6500, no?
> And also VPLS over MPLS on a SIP in Cat6500 - is it supported? If so do you know which SIP?
> Thanks,
> Marlon
>
> On Wed, Jun 3, 2009 at 9:19 PM, Arie Vayner (avayner) wrote:
>
>> Marlon,
>>
>> If you have DFCs on the regular LAN cards, then EoMPLS and L3VPN will be done in hardware and in distributed forwarding mode.
>> For VPLS, you need to have either an ES20/ES40 card or a SIP card facing the core. Having this card means that again VPLS is done in hardware - some functionality is done on the regular DFCs and some on the egress core facing module.
>>
>> Arie
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
>> Sent: Thursday, June 04, 2009 02:07
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
>>
>> Hi - Does anyone know which cards on Cat6500 support MPLS and separately IP-VPN, possibly at 40Gbps throughput? I'm looking for a distributed (DFC) forwarding solution.
>>
>> I know that Cat6500 is very limited in VPLS support, but IP-VPN and EoMPLS should be no problem, right?
>>
>> Thanks,
>> Marlon

From chris.fournier at dal.ca Thu Jun 4 09:55:08 2009
From: chris.fournier at dal.ca (Chris Fournier)
Date: Thu, 04 Jun 2009 10:55:08 -0300
Subject: [c-nsp] L2TPv3 performance over gig?
Message-ID: <1244123708.30703.5351.camel@linux-xvcs>

Does anyone use L2TPv3 over a gig link, and what is the performance overhead introduced?
I've seen some numbers at the Cisco website, but these seem to reference encryption versus encapsulation.

Chris

From eng_mssk at hotmail.com Thu Jun 4 10:36:41 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 4 Jun 2009 17:36:41 +0300
Subject: [c-nsp] Juniper Simulator

Hey all, how are u?
I am looking for a free simulator for Juniper routers.

Thanks in advance

From achatz at forthnet.gr Thu Jun 4 10:52:50 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 04 Jun 2009 17:52:50 +0300
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
In-Reply-To: <28289.196.46.241.57.1244129176.squirrel@nexmail1.nexlinx.net.pk>
References: <78C984F8939D424697B15E4B1C1BB3D7B75617@xmb-ams-331.emea.cisco.com> <28289.196.46.241.57.1244129176.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <4A27DFC2.7030805@forthnet.gr>

I had seen a presentation where with SIP-400 and SXI you could have VPLS on the 6500.

--
Tassos

masood at nexlinx.net.pk wrote on 04/06/2009 18:26:
> AFAIK VPLS is not supported on the Catalyst 6500 series. You should upgrade to the 7600 series with enhanced core facing interfaces, such as ES-cards or SIP-400/600 cards.
>
> Regards,
> Masood
>
>> Thanks Arie. But ES cards are not supported on Cat6500, no? And also VPLS over MPLS on a SIP in Cat6500 - is it supported? If so do you know which SIP?
>> Thanks,
>> Marlon
>>
>> On Wed, Jun 3, 2009 at 9:19 PM, Arie Vayner (avayner) wrote:
>>
>>> Marlon,
>>>
>>> If you have DFCs on the regular LAN cards, then EoMPLS and L3VPN will be done in hardware and in distributed forwarding mode.
>>> For VPLS, you need to have either an ES20/ES40 card or a SIP card facing the core.
>>> Having this card means that again VPLS is done in hardware - some functionality is done on the regular DFCs and some on the egress core facing module.
>>>
>>> Arie
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
>>> Sent: Thursday, June 04, 2009 02:07
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
>>>
>>> Hi - Does anyone know which cards on Cat6500 support MPLS and separately IP-VPN, possibly at 40Gbps throughput? I'm looking for a distributed (DFC) forwarding solution.
>>>
>>> I know that Cat6500 is very limited in VPLS support, but IP-VPN and EoMPLS should be no problem, right?
>>>
>>> Thanks,
>>> Marlon

From masood at nexlinx.net.pk Thu Jun 4 11:57:38 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Thu, 4 Jun 2009 20:57:38 +0500 (PKT)
Subject: [c-nsp] Juniper Simulator
Message-ID: <65498.196.46.241.57.1244131058.squirrel@nexmail1.nexlinx.net.pk>

Wrong list for this question; you use cisco-nsp for Cisco stuff. You can use juniper-nsp for Juniper.
Anyway, you can use QEMU with Olive to emulate Juniper JUNOS. The following URL will take you to the page...

http://tinyurl.com/o4gbba

Regards,
Masood

>
> Hey all
> how are u?
> I am looking for a free simulator for Juniper routers
>
> Thanks in advance
From eng_mssk at hotmail.com Thu Jun 4 10:54:20 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 4 Jun 2009 17:54:20 +0300
Subject: [c-nsp] Juniper Simulator
In-Reply-To: <65498.196.46.241.57.1244131058.squirrel@nexmail1.nexlinx.net.pk>
References: <65498.196.46.241.57.1244131058.squirrel@nexmail1.nexlinx.net.pk>

I didn't know about juniper-nsp, that's why I asked here.

> Date: Thu, 4 Jun 2009 20:57:38 +0500
> Subject: Re: [c-nsp] Juniper Simulator
> From: masood at nexlinx.net.pk
> To: eng_mssk at hotmail.com
> CC: cisco-nsp at puck.nether.net
>
> Wrong list for this question; you use cisco-nsp for Cisco stuff. You can use juniper-nsp for Juniper.
> Anyway, you can use QEMU with Olive to emulate Juniper JUNOS. The following URL will take you to the page...
>
> http://tinyurl.com/o4gbba
>
> Regards,
> Masood
>
> >
> > Hey all
> > how are u?
> > I am looking for a free simulator for Juniper routers
> >
> > Thanks in advance
From dudepron at gmail.com Thu Jun 4 10:54:43 2009
From: dudepron at gmail.com (Aaron)
Date: Thu, 4 Jun 2009 10:54:43 -0400
Subject: [c-nsp] L2TPv3 performance over gig?
In-Reply-To: <1244123708.30703.5351.camel@linux-xvcs>
References: <1244123708.30703.5351.camel@linux-xvcs>
Message-ID: <480dad640906040754u4786db38v34e1782bdac1ed8d@mail.gmail.com>

Nothing more than doing MPLS. Actually a little less, since you don't have LDP going.

On Thu, Jun 4, 2009 at 09:55, Chris Fournier wrote:
> Does anyone use L2TPv3 over a gig link, and what is the performance overhead introduced? I've seen some numbers at the Cisco website, but these seem to reference encryption versus encapsulation.
>
> Chris

From rus-p at inbox.ru Thu Jun 4 09:34:05 2009
From: rus-p at inbox.ru (Ruslan Pustovoitov)
Date: Thu, 04 Jun 2009 17:34:05 +0400
Subject: [c-nsp] (no subject)

Hi all,

I read the config guide for IOS 12.2(x) about MSDP on the 3750 and see these statements:

  MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.

  ....

  In this software release, because BGP and MBGP are not supported, you cannot configure an MSDP peer on the local switch by using the ip msdp peer global configuration command. Instead, you define a default MSDP peer (by using the ip msdp default-peer global configuration command) from which to accept all SA messages for the switch.

Could anybody tell me why MSDP cannot use BGP to accomplish the peer-RPF check flooding on this platform?
Instead of this, the config guide describes a simple case with a default-peer configuration.

From moua0100 at umn.edu Thu Jun 4 11:09:20 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 04 Jun 2009 10:09:20 -0500
Subject: [c-nsp] L2TPv3 performance over gig?
In-Reply-To: <1244123708.30703.5351.camel@linux-xvcs>
References: <1244123708.30703.5351.camel@linux-xvcs>
Message-ID: <4A27E3A0.5090102@umn.edu>

I've done testing for both:
* no encryption: ~ 980Mb
* encryption: ~ 240 Mb

Performance dependent on router platform (in my case 7203 w/ NSE-100).

Encryption was on 7206 w/ NPE-G1 & VAM2+.

Conclusion: performance limited to hardware used and not layer-1 link speed.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Chris Fournier wrote:
> Does anyone use L2TPv3 over a gig link, and what is the performance overhead introduced? I've seen some numbers at the Cisco website, but these seem to reference encryption versus encapsulation.
>
> Chris

From sil at infiltrated.net Thu Jun 4 10:41:28 2009
From: sil at infiltrated.net (J. Oquendo)
Date: Thu, 04 Jun 2009 10:41:28 -0400
Subject: [c-nsp] Juniper Simulator
Message-ID: <4A27DD18.2020107@infiltrated.net>

Mohammad Khalil wrote:
> Hey all
> how are u?
> I am looking for a free simulator for Juniper routers
>
> Thanks in advance
http://juniper.cluepon.net/index.php/Olive

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From avayner at cisco.com Thu Jun 4 11:29:49 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 4 Jun 2009 17:29:49 +0200
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
References: <78C984F8939D424697B15E4B1C1BB3D7B75617@xmb-ams-331.emea.cisco.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7BE25CA@xmb-ams-331.emea.cisco.com>

Yes, this is true, ES20 is 7600 only (I missed the 6500 angle here ;-) )

We can do VPLS with SIP400 (lower BW) or SIP600 (higher BW).

BTW, there is also support for MPLSoGRE.

Arie

From: Marlon Duksa [mailto:mduksa at gmail.com]
Sent: Thursday, June 04, 2009 17:10
To: Arie Vayner (avayner)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500

Thanks Arie. But ES cards are not supported on Cat6500, no? And also VPLS over MPLS on a SIP in Cat6500 - is it supported? If so do you know which SIP?

Thanks,
Marlon

On Wed, Jun 3, 2009 at 9:19 PM, Arie Vayner (avayner) wrote:

Marlon,

If you have DFCs on the regular LAN cards, then EoMPLS and L3VPN will be done in hardware and in distributed forwarding mode.
For VPLS, you need to have either an ES20/ES40 card or a SIP card facing the core.
Having this card means that again VPLS is done in hardware - some functionality is done on the regular DFCs and some on the egress core facing module.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
Sent: Thursday, June 04, 2009 02:07
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500

Hi - Does anyone know which cards on Cat6500 support MPLS and separately IP-VPN, possibly at 40Gbps throughput? I'm looking for a distributed (DFC) forwarding solution.

I know that Cat6500 is very limited in VPLS support, but IP-VPN and EoMPLS should be no problem, right?

Thanks,
Marlon

From dudepron at gmail.com Thu Jun 4 13:14:40 2009
From: dudepron at gmail.com (Aaron)
Date: Thu, 4 Jun 2009 13:14:40 -0400
Subject: [c-nsp] L2TPv3 performance over gig?
In-Reply-To: <4A27E3A0.5090102@umn.edu>
References: <1244123708.30703.5351.camel@linux-xvcs> <4A27E3A0.5090102@umn.edu>
Message-ID: <480dad640906041014g52456b6dkbcf72517d719ce1c@mail.gmail.com>

What does that have to do with L2TPv3?

On Thu, Jun 4, 2009 at 11:09, Ge Moua wrote:
> I've done testing for both:
> * no encryption: ~ 980Mb
> * encryption: ~ 240 Mb
>
> Performance dependent on router platform (in my case 7203 w/ NSE-100).
>
> Encryption was on 7206 w/ NPE-G1 & VAM2+.
>
> Conclusion: performance limited to hardware used and not layer-1 link speed.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
> Chris Fournier wrote:
>
>> Does anyone use L2TPv3 over a gig link, and what is the performance overhead introduced?
>> I've seen some numbers at the Cisco website, but these seem to reference encryption versus encapsulation.
>>
>> Chris

From moua0100 at umn.edu Thu Jun 4 14:01:38 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 04 Jun 2009 13:01:38 -0500
Subject: [c-nsp] L2TPv3 performance over gig?
In-Reply-To: <480dad640906041014g52456b6dkbcf72517d719ce1c@mail.gmail.com>
References: <1244123708.30703.5351.camel@linux-xvcs> <4A27E3A0.5090102@umn.edu> <480dad640906041014g52456b6dkbcf72517d719ce1c@mail.gmail.com>
Message-ID: <4A280C02.4070101@umn.edu>

The (2) scenarios are:
* L2TPv3 vc w/ no encryption vs.
* L2TPv3 vc w/ IPSec encryption (encapsulated inside of)

One can also do layer-2 VPN with MPLS, eg AToM (EoMPLS), but I think the initial thread was about L2TPv3 (layer-2 VPN inside native IP).

Personally I like the AToM/EoMPLS (or even VPLS) approach with the many-to-many connections flexibility (vs. the one-to-one connection limitation with L2TPv3). We have about a half-dozen sites on L2TPv3 but have considered AToM/EoMPLS.

Just in case you're wondering, Cisco TAC has far more in-depth expertise w/ MPLS flavors, as I've been told, when you run into issues.

Good luck.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Aaron wrote:
> What does that have to do with L2TPv3?
>
> On Thu, Jun 4, 2009 at 11:09, Ge Moua wrote:
>
> I've done testing for both:
> * no encryption: ~ 980Mb
> * encryption: ~ 240 Mb
>
> Performance dependent on router platform (in my case 7203 w/ NSE-100).
>
> Encryption was on 7206 w/ NPE-G1 & VAM2+.
>
> Conclusion: performance limited to hardware used and not layer-1 link speed.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
> Chris Fournier wrote:
>
> Does anyone use L2TPv3 over a gig link, and what is the performance overhead introduced? I've seen some numbers at the Cisco website, but these seem to reference encryption versus encapsulation.
>
> Chris

From lists.james.edwards at gmail.com Thu Jun 4 14:46:41 2009
From: lists.james.edwards at gmail.com (james edwards)
Date: Thu, 4 Jun 2009 12:46:41 -0600
Subject: [c-nsp] help with BGP logs

Can anyone give me some help with these logs? The session is to a Vyatta router (Quagga) from a 7206; what attribute is this?
Jun 4 12:42:25.842 MST: %BGP-5-ADJCHANGE: neighbor 164.64.41.180 Down BGP protocol initialization
Jun 4 12:42:55.158 MST: %BGP-5-ADJCHANGE: neighbor 164.64.41.180 Up
Jun 4 12:43:04.986 MST: %BGP-3-NOTIFICATION: received from neighbor 164.64.41.180 3/4 (invalid flags for attribute) 8 bytes E0150501 0000B7AA
Jun 4 12:43:04.990 MST: %BGP-5-ADJCHANGE: neighbor 164.64.41.180 Down BGP protocol initialization
Jun 4 12:43:17.170 MST: %BGP-5-ADJCHANGE: neighbor 164.64.41.180 Up
Jun 4 12:43:46.710 MST: %BGP-3-NOTIFICATION: received from neighbor 164.64.41.180 3/4 (invalid flags for attribute) 8 bytes E0150501 0000B7AA

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From achatz at forthnet.gr Thu Jun 4 15:09:45 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 04 Jun 2009 22:09:45 +0300
Subject: [c-nsp] standby RSP720 gets "Data TLB Error Exception" after rommon upgrade
In-Reply-To: <4A27679C.3070503@forthnet.gr>
References: <4A27679C.3070503@forthnet.gr>
Message-ID: <4A281BF9.1000205@forthnet.gr>

For everyone interested, the bug was CSCsy92252.
Many thanks to Arie and Andrew (@Cisco) for pointing that out.

--
Tassos

Tassos Chatzithomaoglou wrote on 04/06/2009 09:20:
> Has anyone managed to do a rommon upgrade to a RSP720 and immediately afterwards had it boot as a standby? I did it twice and I always got the "Data TLB Error Exception" message:
>
> rommon 7 > boot bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRB5a.bin
>
> Initializing ATA monitor library...
>
> *** Data TLB Error Exception ***
> PC = 0x40442e4, Vector = 0x1400, SP = 0x4012dc4
>
> I have RMAed 2 RSP720s until now after doing exactly the same procedure and now I'm waiting for the 3rd one!
>
> If the RSP720 is the only one in the chassis (so it's acting like an active), then booting after the rommon upgrade works fine!
> If the RSP720 gets booted as a standby after the rommon upgrade, then it gets destroyed and can be used neither as an active nor as a standby.

From biged7600 at gmail.com Thu Jun 4 16:21:19 2009
From: biged7600 at gmail.com (James Edmondson)
Date: Thu, 4 Jun 2009 15:21:19 -0500
Subject: [c-nsp] standby RSP720 gets "Data TLB Error Exception" after rommon upgrade
In-Reply-To: <4A281BF9.1000205@forthnet.gr>
References: <4A27679C.3070503@forthnet.gr> <4A281BF9.1000205@forthnet.gr>

I would suggest SRD1 IOS; however, be prepared to upgrade the firmware if you have any SPA boards.

On Thu, Jun 4, 2009 at 2:09 PM, Tassos Chatzithomaoglou wrote:
> For everyone interested, the bug was CSCsy92252.
> Many thanks to Arie and Andrew (@Cisco) for pointing that out.
>
> --
> Tassos
>
> Tassos Chatzithomaoglou wrote on 04/06/2009 09:20:
>
>> Has anyone managed to do a rommon upgrade to a RSP720 and immediately afterwards had it boot as a standby? I did it twice and I always got the "Data TLB Error Exception" message:
>>
>> rommon 7 > boot bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRB5a.bin
>>
>> Initializing ATA monitor library...
>>
>> *** Data TLB Error Exception ***
>> PC = 0x40442e4, Vector = 0x1400, SP = 0x4012dc4
>>
>> I have RMAed 2 RSP720s until now after doing exactly the same procedure and now I'm waiting for the 3rd one!
>>
>> If the RSP720 is the only one in the chassis (so it's acting like an active), then booting after the rommon upgrade works fine! If the RSP720 gets booted as a standby after the rommon upgrade, then it gets destroyed and can be used neither as an active nor as a standby.
>> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- James From RGoldberg at compudyne.net Thu Jun 4 16:28:58 2009 From: RGoldberg at compudyne.net (Ryan Goldberg) Date: Thu, 4 Jun 2009 15:28:58 -0500 Subject: [c-nsp] basic nat question In-Reply-To: References: Message-ID: > -----Original Message----- > From: Church, Charles [mailto:cchurc05 at harris.com] > What's the purpose of having those additional addresses bound as > secondaries? It's not needed for NAT. desperate attempt to make things work I guess > I really did *not* want my first post to cisco-nsp to be this lame, > but... aghhhh... > ip nat inside source static tcp 192.168.1.103 110 x.x.x.161 110 vrf > ISP2 > extendable > > works just fine > > ip nat inside source static tcp 192.168.1.156 443 x.x.x.163 110 vrf > ISP2 > extendable > > does not work Had my head on wrong - wrong vrf. Although I don't understand at this point why it worked with the primary. Thanks for the responses... Ryan From cordmacleod at gmail.com Thu Jun 4 18:39:58 2009 From: cordmacleod at gmail.com (Cord MacLeod) Date: Thu, 4 Jun 2009 15:39:58 -0700 Subject: [c-nsp] static arping gateways Message-ID: <77AB9902-77FA-4E52-9660-0D138613B2E9@gmail.com> Would it be a reasonable solution to static arp a gateway on a cisco L3 switch to prevent a user from taking over the gateway? So assuming you have HSRP running on 2 layer 3 switches and they share a gateway of 10.0.0.1 with switch one's address being 10.0.0.2 and two's address being 10.0.0.3 would it be reasonable to static arp each of these addresses to each switch? 
From peter at rathlev.dk Thu Jun 4 19:31:33 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 05 Jun 2009 01:31:33 +0200
Subject: [c-nsp] static arping gateways
In-Reply-To: <77AB9902-77FA-4E52-9660-0D138613B2E9@gmail.com>
References: <77AB9902-77FA-4E52-9660-0D138613B2E9@gmail.com>
Message-ID: <1244158293.4721.8.camel@localhost.localdomain>

On Thu, 2009-06-04 at 15:39 -0700, Cord MacLeod wrote:
> Would it be a reasonable solution to static arp a gateway on a cisco
> L3 switch to prevent a user from taking over the gateway? So assuming
> you have HSRP running on 2 layer 3 switches and they share a gateway
> of 10.0.0.1 with switch one's address being 10.0.0.2 and two's address
> being 10.0.0.3 would it be reasonable to static arp each of these
> addresses to each switch?

I'd say there's always a better way than static configuration.

I'm not sure exactly what the scenario is, but if you're talking about simple L2 switches with a L3 interface for management, just keep the L3 termination away from user VLANs.

If you're talking about two L3 switches with a configuration like:

! *** A ***
interface Vlan2
 ip address 10.0.0.2 255.255.255.0
 standby ip 10.0.0.1
!

! *** B ***
interface Vlan2
 ip address 10.0.0.3 255.255.255.0
 standby ip 10.0.0.1
!

And then if you should configure each with a static ARP entry mapping 10.0.0.1 to 0000.0c07.ac00, then this would only "protect" each of these two switches, not any hosts on the network. And the switches would often have their own uplink(s), rarely needing to send traffic to the "gateway" address.

Have you looked at Dynamic ARP Inspection?

Regards,
Peter

From amsoares at netcabo.pt Thu Jun 4 19:34:49 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 5 Jun 2009 00:34:49 +0100
Subject: [c-nsp] 12k Full BGP Feed Memory Requirements
Message-ID: <6E449148FF134A9BA2815F839724F23E@int.convex.pt>

Hello group,

I need help in order to calculate the memory needed to accommodate 2 or more Full BGP Feeds. This is for a 12400 running IOS. Today i saw this problem with some linecards:

++++++++++++++++++++++++++++++
%FIB-2-FIBDISABLE: Fatal error, slot X: no memory
++++++++++++++++++++++++++++++
%HW_RES_FAIL-4-LOW_CEF_MEM: SLOT Y is running low on E4_Lookup External SRAM resources. CEF will begin resource constrained forwarding operation if problem persists. For additional details please see show ip cef resource and show ip cef summary
%LC-3-HWRESFAIL: OUT OF HW RESOURCES - FORWARDING MAY NOT BE ACCURATE.PLEASE CORRECT THE SITUATION AND TRY CLEAR CEF LINECARD TO RECOVER
++++++++++++++++++++++++++++++

Slot X is a GE-GBIC-SC-B with 256 Mb of RAM and Slot Y is a 1X10GE-LR-SC with 512 Mb of RAM. The errors above occurred after the 2nd Full BGP Feed was received.

Linecards 4GE-SFP-LC with 512 Mb of RAM did not complain. Neither the SIP-600 with 1 Gb nor the SIP-601 with 2Gb. I have a PRP-2 with 1 Gb of RAM.

I understand that 256 Mb is definitely not enough. But i don't understand why the problem only affected the 1X10GE-LR-SC and not the 4GE-SFP-LC. Both have 512 Mb of RAM.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From cordmacleod at gmail.com Thu Jun 4 19:37:52 2009
From: cordmacleod at gmail.com (Cord MacLeod)
Date: Thu, 4 Jun 2009 16:37:52 -0700
Subject: [c-nsp] static arping gateways
In-Reply-To: <1244158293.4721.8.camel@localhost.localdomain>
References: <77AB9902-77FA-4E52-9660-0D138613B2E9@gmail.com> <1244158293.4721.8.camel@localhost.localdomain>
Message-ID: <771064F0-629E-4D3F-8914-234F1C4FFFEF@gmail.com>

On Jun 4, 2009, at 4:31 PM, Peter Rathlev wrote:
> On Thu, 2009-06-04 at 15:39 -0700, Cord MacLeod wrote:
>> Would it be a reasonable solution to static arp a gateway on a cisco
>> L3 switch to prevent a user from taking over the gateway?
>> So assuming
>> you have HSRP running on 2 layer 3 switches and they share a gateway
>> of 10.0.0.1 with switch one's address being 10.0.0.2 and two's address
>> being 10.0.0.3 would it be reasonable to static arp each of these
>> addresses to each switch?
>
> I'd say there's always a better way than static configuration.
>
> I'm not sure exactly what the scenario is, but if you're talking about
> simple L2 switches with a L3 interface for management, just keep the L3
> termination away from user VLANs.

A bunch of L2 switches connected to two L3 switches.

> If you're talking about two L3 switches with a configuration like:
>
> ! *** A ***
> interface Vlan2
>  ip address 10.0.0.2 255.255.255.0
>  standby ip 10.0.0.1
> !
>
> ! *** B ***
> interface Vlan2
>  ip address 10.0.0.3 255.255.255.0
>  standby ip 10.0.0.1
> !

Essentially, yes.

> And then if you should configure each with a static ARP entry mapping
> 10.0.0.1 to 0000.0c07.ac00, then this would only "protect" each of these
> two switches, not any hosts on the network. And the switches would often
> have their own uplink(s), rarely needing to send traffic to the
> "gateway" address.

I only want to protect the switches. I don't want anyone stealing their ip addresses or the HSRP gateway addresses.

> Have you looked at Dynamic Arp Inspection?

Wish I could use this. Unfortunately, I can't. We use LVS, which is a linux load balancer. This does use a VIP, but not a virtual mac address. Therefore when there's a failover, the switch ignores the new mac address with DAI; found this out the hard way on my Juniper switches, which have DAI enabled by default.

> Regards,
> Peter

From fwissue at gmail.com Thu Jun 4 21:06:29 2009
From: fwissue at gmail.com (Michael Lee)
Date: Thu, 4 Jun 2009 18:06:29 -0700
Subject: [c-nsp] help with BGP logs
In-Reply-To:
References:
Message-ID: <7ACEDD3C-6142-4BF0-BF9C-D6905E844E6A@gmail.com>

No enforce first as in bgp configuration

Regards
-mike

On Jun 4, 2009, at 11:46 AM, james edwards wrote:
> Can anyone give me some help with these logs? The session is to a vyatta
> router (Quagga) from a 7206,
> what attribute is this?
>
> Jun 4 12:42:25.842 MST: %BGP-5-ADJCHANGE: neighbor 164.64.41.180 Down BGP protocol initialization
> Jun 4 12:42:55.158 MST: %BGP-5-ADJCHANGE: neighbor 164.64.41.180 Up
> Jun 4 12:43:04.986 MST: %BGP-3-NOTIFICATION: received from neighbor 164.64.41.180 3/4 (invalid flags for attribute) 8 bytes E0150501 0000B7AA
> Jun 4 12:43:04.990 MST: %BGP-5-ADJCHANGE: neighbor 164.64.41.180 Down BGP protocol initialization
> Jun 4 12:43:17.170 MST: %BGP-5-ADJCHANGE: neighbor 164.64.41.180 Up
> Jun 4 12:43:46.710 MST: %BGP-3-NOTIFICATION: received from neighbor 164.64.41.180 3/4 (invalid flags for attribute) 8 bytes E0150501 0000B7AA
>
> --
> James H. Edwards
> Senior Network Systems Administrator
> Judicial Information Division
> jedwards at nmcourts.gov

From RWerber at epiknetworks.com Thu Jun 4 21:37:57 2009
From: RWerber at epiknetworks.com (Ryan Werber)
Date: Thu, 4 Jun 2009 21:37:57 -0400
Subject: [c-nsp] 12k Full BGP Feed Memory Requirements
References: <6E449148FF134A9BA2815F839724F23E@int.convex.pt>
Message-ID: <4D58C7B4943F874BA4CB5D68A7924060B0F530@Epikserver2.Epik.local>

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares

>I need help in order to calculate the memory needed to accommodate 2 or more Full BGP
>Feeds. This is for a 12400 running IOS. Today i
>saw this problem with some linecards:

OUR GE-GBIC-SC-B's w/ 256MB generally have about 100 megs of ram free with 2 directly connected full feeds, and at least 6 through ibgp. There may be a configuration issue. Only recently have our Engine-0 Cards been running out of memory, as they only have 128MB.

bbr1.tor#execute-on slot 3 show proc mem | i Free
========= Line Card (Slot 3) =========
Total: 223634112, Used: 88582896, Free: 135051216

We have 12008's with GRP-B's w/ 512 RP Ram.

Hope this helps!

Ryan Werber
Epik Networks

From ltd at cisco.com Thu Jun 4 22:43:13 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 05 Jun 2009 12:43:13 +1000
Subject: [c-nsp] static arping gateways
In-Reply-To: <77AB9902-77FA-4E52-9660-0D138613B2E9@gmail.com>
References: <77AB9902-77FA-4E52-9660-0D138613B2E9@gmail.com>
Message-ID: <4A288641.90105@cisco.com>

Cord MacLeod wrote:
> Would it be a reasonable solution to static arp a gateway on a cisco
> L3 switch to prevent a user from taking over the gateway?
> So assuming
> you have HSRP running on 2 layer 3 switches and they share a gateway
> of 10.0.0.1 with switch one's address being 10.0.0.2 and two's address
> being 10.0.0.3 would it be reasonable to static arp each of these
> addresses to each switch?

a better solution would be to enable Dynamic ARP Inspection (DAI) on your Cisco L3 switch.

"best practice" would be to enable various other integrated security features to protect against other DoS, flooding, spoofing, starvation attack vectors.

cheers,

lincoln.

From swmike at swm.pp.se Fri Jun 5 00:13:01 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 5 Jun 2009 06:13:01 +0200 (CEST)
Subject: [c-nsp] 12k Full BGP Feed Memory Requirements
In-Reply-To: <6E449148FF134A9BA2815F839724F23E@int.convex.pt>
References: <6E449148FF134A9BA2815F839724F23E@int.convex.pt>
Message-ID:

On Fri, 5 Jun 2009, Antonio Soares wrote:
> I understand that 256 Mb is definitely not enough. But i don't
> understand why the problem only affected the 1X10GE-LR-SC and not the
> 4GE-SFP-LC. Both have 512 Mb of RAM.

Different models of linecards need different amounts of RAM for the same amount of routes. For instance, the 4GE gives up earlier when having just 256M of ram (we had to upgrade a year ago or so) compared to the 3GE (which still works).

You need to monitor your RP and LC memory as well as your "show ip cef resources". Make sure your RP and LCs have *at least* 50 megs of ram free at all times; it's sometimes needed during a re-route.

--
Mikael Abrahamsson email: swmike at swm.pp.se

From peter at rathlev.dk Fri Jun 5 05:02:18 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 05 Jun 2009 11:02:18 +0200
Subject: [c-nsp] static arping gateways
In-Reply-To: <771064F0-629E-4D3F-8914-234F1C4FFFEF@gmail.com>
References: <77AB9902-77FA-4E52-9660-0D138613B2E9@gmail.com> <1244158293.4721.8.camel@localhost.localdomain> <771064F0-629E-4D3F-8914-234F1C4FFFEF@gmail.com>
Message-ID: <1244192538.3480.2.camel@localhost.localdomain>

On Thu, 2009-06-04 at 16:37 -0700, Cord MacLeod wrote:
> On Jun 4, 2009, at 4:31 PM, Peter Rathlev wrote:
> > I'm not sure exactly what the scenario is, but if you're talking
> > about simple L2 switches with a L3 interface for management, just
> > keep the L3 termination away from user VLANs.
>
> A bunch of L2 switches connected to two L3 switches.

So why not just keep their management interfaces on a separate VLAN? That would protect the L2 switches. And the L3 switches have their own uplinks I assume, so they would probably not need to send traffic to each other via the user VLAN.

Regards,
Peter

From amsoares at netcabo.pt Fri Jun 5 07:13:44 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 5 Jun 2009 12:13:44 +0100
Subject: [c-nsp] 12k Full BGP Feed Memory Requirements
In-Reply-To: <4D58C7B4943F874BA4CB5D68A7924060B0F530@Epikserver2.Epik.local>
References: <6E449148FF134A9BA2815F839724F23E@int.convex.pt> <4D58C7B4943F874BA4CB5D68A7924060B0F530@Epikserver2.Epik.local>
Message-ID: <153DAD8392C948D6B0E0864E232B909C@int.convex.pt>

Wow, this is unbelievable! Can you show us your "show proc mem | inc BGP"? Do you really have two full BGP feeds (about 284k prefixes each)?

Thanks.
Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Ryan Werber [mailto:RWerber at epiknetworks.com]
Sent: Friday, 5 June 2009 2:38
To: Antonio Soares; cisco-nsp
Subject: RE: [c-nsp] 12k Full BGP Feed Memory Requirements

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares

>I need help in order to calculate the memory needed to accommodate 2 or more Full BGP
>Feeds. This is for a 12400 running IOS. Today i
>saw this problem with some linecards:

OUR GE-GBIC-SC-B's w/ 256MB generally have about 100 megs of ram free with 2 directly connected full feeds, and at least 6 through ibgp. There may be a configuration issue. Only recently have our Engine-0 Cards been running out of memory, as they only have 128MB.

bbr1.tor#execute-on slot 3 show proc mem | i Free
========= Line Card (Slot 3) =========
Total: 223634112, Used: 88582896, Free: 135051216

We have 12008's with GRP-B's w/ 512 RP Ram.

Hope this helps!

Ryan Werber
Epik Networks

From masood at nexlinx.net.pk Fri Jun 5 08:30:52 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Fri, 5 Jun 2009 17:30:52 +0500 (PKT)
Subject: [c-nsp] 12k Full BGP Feed Memory Requirements
In-Reply-To: <153DAD8392C948D6B0E0864E232B909C@int.convex.pt>
References: <6E449148FF134A9BA2815F839724F23E@int.convex.pt> <4D58C7B4943F874BA4CB5D68A7924060B0F530@Epikserver2.Epik.local> <153DAD8392C948D6B0E0864E232B909C@int.convex.pt>
Message-ID: <28604.196.46.241.57.1244205052.squirrel@nexmail1.nexlinx.net.pk>

it seems very special memory tweaking/management stuff.. LOLs :)
i can't believe it. two full BGP feeds = 284k :P

Regards,
Masood

> Wow, this is unbelievable! Can you show us your "show proc mem | inc BGP"?
> Do you really have two full BGP feeds (about 284k prefixes each)?
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Ryan Werber [mailto:RWerber at epiknetworks.com]
> Sent: Friday, 5 June 2009 2:38
> To: Antonio Soares; cisco-nsp
> Subject: RE: [c-nsp] 12k Full BGP Feed Memory Requirements
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
>
>>I need help in order to calculate the memory needed to accommodate 2 or
>>more Full BGP Feeds. This is for a 12400 running IOS. Today i
>>saw this problem with some linecards:
>
> OUR GE-GBIC-SC-B's w/ 256MB generally have about 100 megs of ram free
> with 2 directly connected full feeds, and at least 6 through ibgp.
> There may be a configuration issue. Only recently have our Engine-0
> Cards been running out of memory, as they only have 128MB.
>
> bbr1.tor#execute-on slot 3 show proc mem | i Free
> ========= Line Card (Slot 3) =========
> Total: 223634112, Used: 88582896, Free: 135051216
>
> We have 12008's with GRP-B's w/ 512 RP Ram.
>
> Hope this helps!
>
> Ryan Werber
> Epik Networks

From mvanton at gmail.com Fri Jun 5 09:09:28 2009
From: mvanton at gmail.com (vince anton)
Date: Fri, 5 Jun 2009 15:09:28 +0200
Subject: [c-nsp] optical power on SPA 10GE
Message-ID: <87e0d3ae0906050609g57450eftda4f30e916842e@mail.gmail.com>

Hi All,

got a quick question:

Is it possible from a 12k GSR to obtain the optical power levels reaching a 10GE SPA?

With a 'sh controller' I can see the optical power in db reaching my POS SPA, but no such luck with 10GE SPA (SPA-1X10GE-L-V2).

Any ideas how to get this info?
Thanks

anton

From david.freedman at uk.clara.net Fri Jun 5 10:13:04 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 05 Jun 2009 15:13:04 +0100
Subject: [c-nsp] optical power on SPA 10GE
In-Reply-To: <87e0d3ae0906050609g57450eftda4f30e916842e@mail.gmail.com>
References: <87e0d3ae0906050609g57450eftda4f30e916842e@mail.gmail.com>
Message-ID:

You mean the XFP?

Assuming you have a DOM XFP, try:

sh hw-module subslot X/Y transceiver Z

Where interface is X/Y/Z

Dave.

vince anton wrote:
> Hi All,
>
> got a quick question:
>
> Is it possible from a 12k GSR to obtain the optical power levels reaching a
> 10GE SPA.
>
> With a 'sh controller' I can see the optical power in db reaching my POS
> SPA, but no such luck with 10GE SPA (SPA-1X10GE-L-V2).
>
> Any ideas how to get this info ?
>
> Thanks
>
> anton

From david.freedman at uk.clara.net Fri Jun 5 10:13:40 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 05 Jun 2009 15:13:40 +0100
Subject: [c-nsp] optical power on SPA 10GE
In-Reply-To: <87e0d3ae0906050609g57450eftda4f30e916842e@mail.gmail.com>
References: <87e0d3ae0906050609g57450eftda4f30e916842e@mail.gmail.com>
Message-ID:

I omitted the trailing keyword "status"

vince anton wrote:
> Hi All,
>
> got a quick question:
>
> Is it possible from a 12k GSR to obtain the optical power levels reaching a
> 10GE SPA.
>
> With a 'sh controller' I can see the optical power in db reaching my POS
> SPA, but no such luck with 10GE SPA (SPA-1X10GE-L-V2).
>
> Any ideas how to get this info ?
>
> Thanks
>
> anton

From lists.james.edwards at gmail.com Fri Jun 5 10:54:14 2009
From: lists.james.edwards at gmail.com (james edwards)
Date: Fri, 5 Jun 2009 08:54:14 -0600
Subject: [c-nsp] help with BGP logs
In-Reply-To:
References:
Message-ID:

Thanks to those who replied, it turned out to be a bug in Quagga. Someone advertised 208.185.195.0/24 for about an hour with AS-Pathlimit attribute. We filtered it out and will upgrade Quagga. One version of Quagga, 099.9, had a bug and brought down the session when it received a prefix with the AS-Pathlimit attribute set.

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From RWerber at epiknetworks.com Fri Jun 5 15:30:37 2009
From: RWerber at epiknetworks.com (Ryan Werber)
Date: Fri, 5 Jun 2009 15:30:37 -0400
Subject: [c-nsp] 12k Full BGP Feed Memory Requirements
References: <6E449148FF134A9BA2815F839724F23E@int.convex.pt> <4D58C7B4943F874BA4CB5D68A7924060B0F530@Epikserver2.Epik.local> <153DAD8392C948D6B0E0864E232B909C@int.convex.pt>
Message-ID: <4D58C7B4943F874BA4CB5D68A7924060B0F5F6@Epikserver2.Epik.local>

>-----Original Message-----
>From: Antonio Soares [mailto:amsoares at netcabo.pt]
>Sent: Friday, June 05, 2009 4:14 AM
>Wow, this is unbelievable ! Can you show us your "show proc mem | inc BGP" ? Do you really have two full BGP feeds (about 284k
>prefixes each) ?

#show proc memory | i BGP
 169   0  2895956668  1123582500  310165452        0        0 BGP Router
 172   0     3975400  1008225208       6840    53464        0 BGP I/O
 173   0        4188    12111120      14028        0        0 BGP Scanner

First one is Cogent (174), the Second one is Tiscali (3257). There are 4 Ibgp Route-Servers as well. we have ~10 full transit feeds throughout our asn, as well as a ton of peering.
The only thing changed below are ip addresses to protect the innocent. We currently have ~130 meg free on the GRP-B. We also have 1 directly connected eBGP IPv6 peer, and 5 throughout our ASN.

38.103.xx.xx    4   174  3895305    60405  22155189    0    0 5w6d      283503
77.67.xx.xx     4  3257  5813157   139266  22155189    0    0 6w6d      282571
PEER-RS-1       4 21513  2472535  3813308  22155189    0    0 15:25:46  100863
RS-1            4 21513  4092583  3613405  22155189    0    0 6w6d      265775
RS-2            4 21513  3244549  3613398  22155189    0    0 6w6d      267897
RS-3            4 21513  5660680  3711962  22155189    0    0 1w1d      284664

show ip cef summary
IP Distributed CEF with switching (Table Version 8565971), flags=0x0
  288375 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 18273
  8561775 instant recursive resolutions, 0 used background process
  12 load sharing elements, 12 references
  1389 in-place/0 aborted modifications
  57883336 bytes allocated to the FIB table data structures
  universal per-destination load sharing algorithm, id 6CE54348
  2(0) CEF resets
  Resolution Timer: Exponential (currently 1s, peak 4s)
  Tree summary:
   8-8-8-8 stride pattern
   short mask protection disabled
   288375 leaves, 14605 nodes using 23265244 bytes
  Transient memory used: 149355436, max: 149395476
  Table epoch: 0 (288375 entries at this epoch)

Adjacency Table has 41 adjacencies
  34 IPv4 adjacencies
  7 IPv6 adjacencies

From chale99 at gmail.com Fri Jun 5 17:31:33 2009
From: chale99 at gmail.com (Chris Hale)
Date: Fri, 5 Jun 2009 17:31:33 -0400
Subject: [c-nsp] SOLVED: Re: strange behavior over MPLS network - remote desktop won't work
Message-ID:

I set the interfaces between the two 7206's at POP H as well as the GigE backbone link to mpls mtu 1530, and everything worked.

Thanks all.

Chris

On Mon, Jun 1, 2009 at 4:35 PM, Gert Doering wrote:
> Hi,
>
> On Sun, May 31, 2009 at 11:22:08PM +0200, Sascha E. Pollok wrote:
> > Also, what kind of FE boards do you use on the 7206?
> > I am currently unsure whether e.g. PA-FE-TX support
> > larger MTUs needed for MPLS/VPN.
>
> "Sort of". There was a lengthy discussion on this list, about two years
> ago - as far as I remember, the single-port FEs for the 7200s are bugged
> and can only do an MTU up to 1530 bytes.
>
> ... but this still works nicely for simple L3 VPN stuff (1500+4+4).
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                    // www.muc.de/~gert/
> Gert Doering - Munich, Germany                     gert at greenie.muc.de
> fax: +49-89-35655025                  gert at net.informatik.tu-muenchen.de

--
------------------
Chris Hale
chale99 at gmail.com

From walter.keen at RainierConnect.net Fri Jun 5 17:35:01 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Fri, 05 Jun 2009 14:35:01 -0700
Subject: [c-nsp] 7500 performance (was: Re: IO 7200 GE Improve Performance and help with the CPU Load?)
In-Reply-To: <4A269AA1.2030509@rollernet.us>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net> <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk> <4A26997F.3030107@cantv.net> <4A269AA1.2030509@rollernet.us>
Message-ID: <4A298F85.5060002@rainierconnect.net>

Speaking of CPU performance, does anyone have any feedback on the Cisco 7500 series? I'm considering using it instead of multiple 7204's to aggregate/terminate atm (9 oc3, 1 ds3) and T1 (channelized ds3) traffic. I'm looking at the RSP8, with vip4-80's and the appropriate PA's, and planning on doing etherchannel on (2) pa-fe's back to our core (7613) router.

From gsgranados at comcast.net Sat Jun 6 02:27:36 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 5 Jun 2009 23:27:36 -0700
Subject: [c-nsp] ACL creation and editing tool suggestions?
Message-ID:

I'm working in an environment with several large (north of 300 lines) ACLs that need managing. Several different people have had their hands in editing before I arrived and the lists have grown into large jumbled messes and as such are introducing a lot of error because of their complexity.

I'm wondering how people manage large ACLs effectively. Are there any tools that help in the automation of ACL creation or any good methods, if even by hand, that folks could recommend to help ease the clean up and maintenance process? Something that could optimize the ACL in automated fashion?

Any pointers would be appreciated.

Thanks
Scott

From rdobbins at arbor.net Sat Jun 6 06:26:05 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Sat, 6 Jun 2009 17:26:05 +0700
Subject: [c-nsp] ACL creation and editing tool suggestions?
In-Reply-To:
References:
Message-ID:

On Jun 6, 2009, at 1:27 PM, Scott Granados wrote:
> Something that could optimize the ACL in automated fashion?

None of the commercial tools I've seen do this in a platform-aware way - they're oriented towards software routers running T-train, and don't take into account hardware platform caveats.

You can start by organizing your ACLs into named and commented text files, and using something as simple as RCS to implement version control and to check out/check in ACL files for editing.

Lots of folks end up using tools like RANCID, RAT, Pancho, et al. to help with auditing, and then custom Perl scripts or somesuch for editing/updating.

-----------------------------------------------------------------------
Roland Dobbins // 

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From yvanog at hotmail.com Sat Jun 6 12:51:43 2009
From: yvanog at hotmail.com (Rob Montgomery)
Date: Sat, 6 Jun 2009 12:51:43 -0400
Subject: [c-nsp] FW: 2621XM as Term Server
Message-ID:

Has anyone configured a 2621XM (ASYNC32A) as a terminal server?
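The "help with BGP logs" thread above ends with two raw facts: the NOTIFICATION carried error 3/4 with attribute bytes E0150501 0000B7AA, and the cause was a Quagga build that rejected an AS-Pathlimit attribute. The decoder below is an added example, not code from any poster: it walks those bytes through the RFC 4271 path-attribute header (flags, type code, one- or two-octet length, value) and the AS_PATHLIMIT value layout (1-octet upper bound, 4-octet AS number) from draft-ietf-idr-as-pathlimit, and names the NOTIFICATION error code and subcode per RFC 4271 section 4.5. The type-code names are from the IANA path-attribute registry; the syslog line is the one James posted. For this attribute the flag check passes (optional + transitive + partial is a legal combination for an attribute the receiver does not recognise), which is consistent with the thread's conclusion that the receiver, not the update, was at fault.

```python
"""Decode the attribute bytes that IOS prints in a %BGP-3-NOTIFICATION line.

Added example for the "help with BGP logs" thread; not code from any poster.
Layout per RFC 4271 (section 4.3 attribute header, section 4.5 error codes).
Type code 21 is AS_PATHLIMIT from draft-ietf-idr-as-pathlimit (deprecated):
value = 1-octet upper bound + 4-octet AS number.
"""
import re
from dataclasses import dataclass

# RFC 4271 section 4.5: NOTIFICATION error codes and UPDATE-error subcodes
ERROR_CODES = {
    1: "Message Header Error", 2: "OPEN Message Error",
    3: "UPDATE Message Error", 4: "Hold Timer Expired",
    5: "Finite State Machine Error", 6: "Cease",
}
UPDATE_SUBCODES = {
    1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
    3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
    5: "Attribute Length Error", 6: "Invalid ORIGIN Attribute",
    8: "Invalid NEXT_HOP Attribute", 9: "Optional Attribute Error",
    10: "Invalid Network Field", 11: "Malformed AS_PATH",
}
# IANA "BGP Path Attributes" registry (subset)
ATTR_TYPES = {
    1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
    5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR", 8: "COMMUNITY",
    9: "ORIGINATOR_ID", 10: "CLUSTER_LIST", 14: "MP_REACH_NLRI",
    15: "MP_UNREACH_NLRI", 16: "EXTENDED_COMMUNITIES", 17: "AS4_PATH",
    18: "AS4_AGGREGATOR", 21: "AS_PATHLIMIT (deprecated)", 32: "LARGE_COMMUNITY",
}
WELL_KNOWN = {1, 2, 3, 5, 6, 7}   # well-known attributes: Optional bit must be 0

# The syslog line James posted in the thread above (page data, not constructed)
SAMPLE_LOG = ("Jun 4 12:43:04.986 MST: %BGP-3-NOTIFICATION: received from neighbor "
              "164.64.41.180 3/4 (invalid flags for attribute) 8 bytes E0150501 0000B7AA")

NOTIF_RE = re.compile(
    r"%BGP-3-NOTIFICATION: received from neighbor (\S+) (\d+)/(\d+) "
    r"\(([^)]*)\) (\d+) bytes ((?:[0-9A-Fa-f]+\s*)+)")


@dataclass
class PathAttribute:
    optional: bool          # flag bit 0x80
    transitive: bool        # flag bit 0x40
    partial: bool           # flag bit 0x20
    extended_length: bool   # flag bit 0x10: length field is 2 octets
    type_code: int
    length: int
    value: bytes

    @property
    def name(self) -> str:
        return ATTR_TYPES.get(self.type_code, f"type {self.type_code}")


def parse_attribute(hexdump: str) -> PathAttribute:
    """Parse one path attribute (flags, type, length, value) from hex text."""
    data = bytes.fromhex(re.sub(r"\s+", "", hexdump))
    flags = data[0]
    ext = bool(flags & 0x10)
    hdr = 4 if ext else 3
    length = int.from_bytes(data[2:hdr], "big")
    value = data[hdr:hdr + length]
    if len(value) != length:
        raise ValueError("attribute value truncated")
    return PathAttribute(bool(flags & 0x80), bool(flags & 0x40),
                         bool(flags & 0x20), ext, data[1], length, value)


def flags_consistent(attr: PathAttribute) -> bool:
    """RFC 4271 4.3: well-known attributes are transitive, not optional and
    Partial=0; optional non-transitive attributes have Partial=0; optional
    transitive attributes may carry Partial=1."""
    if attr.type_code in WELL_KNOWN:
        return (not attr.optional) and attr.transitive and (not attr.partial)
    if attr.optional and not attr.transitive:
        return not attr.partial
    return True


def decode_as_pathlimit(attr: PathAttribute) -> tuple:
    """Return (upper_bound, as_number) from an AS_PATHLIMIT value."""
    if attr.type_code != 21 or attr.length != 5:
        raise ValueError("not a 5-octet AS_PATHLIMIT attribute")
    return attr.value[0], int.from_bytes(attr.value[1:5], "big")


def parse_notification_log(line: str) -> dict:
    """Turn an IOS %BGP-3-NOTIFICATION syslog line into decoded fields."""
    m = NOTIF_RE.search(line)
    if not m:
        raise ValueError("not a %BGP-3-NOTIFICATION line")
    code, sub = int(m.group(2)), int(m.group(3))
    return {
        "neighbor": m.group(1),
        "error": ERROR_CODES.get(code, f"code {code}"),
        "subcode": UPDATE_SUBCODES.get(sub, f"subcode {sub}") if code == 3 else f"subcode {sub}",
        "attribute": parse_attribute(m.group(6)),
    }


if __name__ == "__main__":
    info = parse_notification_log(SAMPLE_LOG)
    a = info["attribute"]
    print(info["error"], "/", info["subcode"], "from", info["neighbor"])
    print(f"{a.name}: optional={a.optional} transitive={a.transitive} "
          f"partial={a.partial} len={a.length} flags_ok={flags_consistent(a)}")
    print("limit, AS =", decode_as_pathlimit(a))
```

Run stand-alone it prints the decoded line (UPDATE Message Error / Attribute Flags Error, AS_PATHLIMIT, limit 1, AS 47018); the same functions take any other attribute hex dump, including the two-octet extended-length form.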
From lukasz at bromirski.net Sat Jun 6 14:20:15 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 06 Jun 2009 20:20:15 +0200
Subject: [c-nsp] FW: 2621XM as Term Server
In-Reply-To:
References:
Message-ID: <4A2AB35F.6010806@bromirski.net>

On 2009-06-06 18:51, Rob Montgomery wrote:
> Has anyone configured a 2621XM (ASYNC32A) as a terminal server?

What is the *exact* problem you're facing?

--
"Everything will be okay in the end.  | Łukasz Bromirski
 If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From sethm at rollernet.us Sat Jun 6 15:31:05 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sat, 06 Jun 2009 12:31:05 -0700
Subject: [c-nsp] FW: 2621XM as Term Server
In-Reply-To:
References:
Message-ID: <4A2AC3F9.8080301@rollernet.us>

Rob Montgomery wrote:
>
> Has anyone configured a 2621XM (ASYNC32A) as a terminal server?
>

Yes, not with a 2621XM specifically, but they're practically all the same.

~Seth

From zivl at gilat.net Sun Jun 7 08:48:43 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 7 Jun 2009 15:48:43 +0300
Subject: [c-nsp] ACL creation and editing tool suggestions?
In-Reply-To:
References:
Message-ID:

I can't imagine any kind of environment that would need 300 or more lines of ACL; I'm sure most of it is historical trash that can be disposed of.
I'd suggest you try to determine what you REALLY need and create new ACLs based on actual and updated needs, and then just delete the unused old ones.

I have some long ACLs which I'm used to creating divided by sections, according to protocols, then most to least specific, starting from the permits and ending with the denies; even when implied I like to put them so it's clear to others, e.g.

ip access-list extended TEST
 permit icmp any any
 permit udp any eq 53 any
 permit tcp any any established
 permit tcp any host 2.2.2.2 eq 80
 permit tcp host 1.1.1.1 host 2.2.2.2 eq 3339
 deny tcp any host 2.2.2.2 eq 3339
 permit ip host 3.3.3.3 4.4.4.0 0.0.0.255
 deny ip any 4.4.4.0 0.0.0.255
 permit ip any any

In case I need to add/remove/edit a working ACL I always use the line numbers.
If you do "show ip access-list TEST" for instance you'll get this output:

Extended IP access list TEST
    10 permit icmp any any
    20 permit udp any eq domain any
    30 permit tcp any any established
    40 permit tcp any host 2.2.2.2 eq www
    50 permit tcp host 1.1.1.1 host 2.2.2.2 eq 3339
    60 deny tcp any host 2.2.2.2 eq 3339
    70 permit ip host 3.3.3.3 4.4.4.0 0.0.0.255
    80 deny ip any 4.4.4.0 0.0.0.255
    90 permit ip any any

This allows you to remove a line by doing

conf t
ip access-list extended TEST
no 60
!

Or add a line in between

55 permit tcp host 5.5.5.5 host 2.2.2.2 eq 3339

Which will change your ACL to:

Extended IP access list TEST
    10 permit icmp any any
    20 permit udp any eq domain any
    30 permit tcp any any established
    40 permit tcp any host 2.2.2.2 eq www
    50 permit tcp host 1.1.1.1 host 2.2.2.2 eq 3339
    55 permit tcp host 5.5.5.5 host 2.2.2.2 eq 3339
    60 deny tcp any host 2.2.2.2 eq 3339
    70 permit ip host 3.3.3.3 4.4.4.0 0.0.0.255
    80 deny ip any 4.4.4.0 0.0.0.255
    90 permit ip any any

Anyway, I wouldn't suggest using any kind of automatic stuff; you'll have to actually go line by line, as tedious as it may sound, to determine what exactly you need or not, or just opt to create them from scratch setting only the stuff you're sure you need and save the old ones for reference or future review.

Hope this helps,
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Saturday, June 06, 2009 9:28 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACL creation and editing tool suggestions?

I'm working in an environment with several large (north of 300 lines) ACLs that need managing. Several different people have had their hands in editing before I arrived and the lists have grown into large jumbled messes and as such are introducing a lot of error because of their complexity.

I'm wondering how people manage large ACLs effectively. Are there any tools that help in the automation of ACL creation or any good methods, if even by hand, that folks could recommend to help ease the clean up and maintenance process? Something that could optimize the ACL in automated fashion?

Any pointers would be appreciated.

Thanks
Scott

From ygauteron at gmail.com Sun Jun 7 11:45:53 2009
From: ygauteron at gmail.com (Yann Gauteron)
Date: Sun, 7 Jun 2009 17:45:53 +0200
Subject: [c-nsp] ACL creation and editing tool suggestions?
In-Reply-To:
References:
Message-ID: <8097baf0906070845l3cd1e20bmb989a322e1bcfc60@mail.gmail.com>

2009/6/7 Ziv Leyes :
> I can't imagine any kind of environment that would need 300 or more lines of ACL, I'm sure most of it is historical trash that can be disposed.
> I'd suggest you try to determine what you REALLY need and create a new ACL based on actual and updated needs, and then just delete the unused old ones.

I can imagine a design where subnets are badly aggregated and where an ACL entry has to be repeated many times because it has to be applied to non-adjacent subnets that should have the same access control applied. I have seen this once... This was the result of historical evolution of the network without ever thinking more steps forward than just the present augmentation (for instance reserving some adjacent IP subnets for future extensions). ACL management is a nightmare, but redesigning the network was just something that was not considered by the company (because of the time and costs, and "why would I redesign it, as it operates as expected?").

From ibrahim.abozaid at gmail.com Sun Jun 7 19:09:53 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Mon, 8 Jun 2009 02:09:53 +0300
Subject: [c-nsp] 7600 router and Etherchannel across multiple line card
Message-ID:

Hi All

I am trying to establish an L2 Etherchannel between 2 7609 routers, SUP720-MSFC3, PFC is 3BXL, line cards WS-X6148-GE and IOS is 12.2(33)SRD.

Are there any concerns to establish this etherchannel between ports in different line cards?
best regards
--Ibrahim

From peter at rathlev.dk Sun Jun 7 20:01:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 08 Jun 2009 02:01:16 +0200
Subject: [c-nsp] 7600 router and Etherchannel across multiple line card
In-Reply-To:
References:
Message-ID: <1244419276.3423.70.camel@localhost.localdomain>

On Mon, 2009-06-08 at 02:09 +0300, Ibrahim Abo Zaid wrote:
> I am trying to establish L2 Etherchannel between 2 7609 routers, SUP720-MSFC3, PFC is 3BXL and Line cards WS-X6148-GE and IOS is 12.2(33)SRD
>
> are there any concerns to establish this etherchannel between ports in different line cards ?

Etherchannels are a little pointless on the WS-X6148-GE card and similar. They have 1 Gb/s ASICs, so you'll never exceed 1 Gb/s anyhow. And the ASIC to physical port ratio also limits you.

But generally speaking, cross module etherchannels are a good idea and AFAIK are recommended by Cisco for high availability.

Regards,
Peter

From paul at paulstewart.org Sun Jun 7 20:07:41 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 7 Jun 2009 20:07:41 -0400
Subject: [c-nsp] 7600 router and Etherchannel across multiple line card
In-Reply-To: <1244419276.3423.70.camel@localhost.localdomain>
References: <1244419276.3423.70.camel@localhost.localdomain>
Message-ID: <000901c9e7cd$24df84b0$6e9e8e10$@org>

You may wish to clarify the 1 Gb/s limit however on the 6148A unless I am mistaken. Yes, 1 Gig per ASIC, but doesn't the 6148A have one ASIC per 8 ports, or am I thinking of a different card?

Thank you for the clarification...
Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: June 7, 2009 8:01 PM
To: Ibrahim Abo Zaid
Cc: cisco_nsp
Subject: Re: [c-nsp] 7600 router and Etherchannel across multiple line card

On Mon, 2009-06-08 at 02:09 +0300, Ibrahim Abo Zaid wrote:
> I am trying to establish L2 Etherchannel between 2 7609 routers, SUP720-MSFC3, PFC is 3BXL and Line cards WS-X6148-GE and IOS is 12.2(33)SRD
>
> are there any concerns to establish this etherchannel between ports in different line cards ?

Etherchannels are a little pointless on the WS-X6148-GE card and similar. They have 1 Gb/s ASICs, so you'll never exceed 1 Gb/s anyhow. And the ASIC to physical port ratio also limits you.

But generally speaking, cross module etherchannels are a good idea and AFAIK are recommended by Cisco for high availability.

Regards,
Peter
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From paul at paulstewart.org Sun Jun 7 20:10:30 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 7 Jun 2009 20:10:30 -0400
Subject: [c-nsp] 7600 router and Etherchannel across multiple line card
In-Reply-To: <1244419276.3423.70.camel@localhost.localdomain>
References: <1244419276.3423.70.camel@localhost.localdomain>
Message-ID: <000a01c9e7cd$8958f430$9c0adc90$@org>

Apologies for bumping the post....

My notes show the following:

WS-X6148A-GE-TX
 * Number of ports: 48
 * Number of port groups: 6
 * Port ranges per port group: 1-8, 9-16, 17-24, 25-32, 33-40, 41-48
 * The aggregate bandwidth of each port group is 1 Gbps.
WS-X6148-GE-TX
 * Number of ports: 48
 * Number of port groups: 2
 * Port ranges per port group: 1-24, 25-48

Note: WS-X6148-GE-TX, WS-X6148V-GE-TX, and WS-X6148-GE-45AF do not support these features:
 * More than 1 Gbps of traffic per EtherChannel

Sorry, I was thinking 6148A and the OP has specified the non-A version, hence the confusion on my part...

Thanks,
Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: June 7, 2009 8:01 PM
To: Ibrahim Abo Zaid
Cc: cisco_nsp
Subject: Re: [c-nsp] 7600 router and Etherchannel across multiple line card

On Mon, 2009-06-08 at 02:09 +0300, Ibrahim Abo Zaid wrote:
> I am trying to establish L2 Etherchannel between 2 7609 routers, SUP720-MSFC3, PFC is 3BXL and Line cards WS-X6148-GE and IOS is 12.2(33)SRD
>
> are there any concerns to establish this etherchannel between ports in different line cards ?

Etherchannels are a little pointless on the WS-X6148-GE card and similar. They have 1 Gb/s ASICs, so you'll never exceed 1 Gb/s anyhow. And the ASIC to physical port ratio also limits you.

But generally speaking, cross module etherchannels are a good idea and AFAIK are recommended by Cisco for high availability.

Regards,
Peter
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From dstorandt at teljet.com Sun Jun 7 20:51:22 2009
From: dstorandt at teljet.com (David Storandt)
Date: Sun, 7 Jun 2009 20:51:22 -0400
Subject: [c-nsp] 7500 performance
Message-ID:

Have you seen Cisco's performance spec sheet? One of their better references for rough platform performance estimation.
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

An RSP8 is a touch faster than a 720x/NPE400, but also the 7500-series distributed switching capability will offload the CPU when it doesn't have to deal with forwarding, leaving more cycles for pure software processes.

-Dave

From sfischer1967 at gmail.com Sun Jun 7 22:47:58 2009
From: sfischer1967 at gmail.com (Steven Fischer)
Date: Sun, 7 Jun 2009 22:47:58 -0400
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
Message-ID: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com>

I have a 4510 in our environment that is reporting literally dozens of changes to the running configuration throughout the day - days on which I am certain no changes have been made to it - the syslog message is given with the header AUDIT-5-RUN_CONFIG. Cisco's support site doesn't give me a whole lot. Any ideas on what could be causing this?

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy

From rdobbins at arbor.net Sun Jun 7 23:00:22 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Mon, 8 Jun 2009 10:00:22 +0700
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
In-Reply-To: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com>
References: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com>
Message-ID:

On Jun 8, 2009, at 9:47 AM, Steven Fischer wrote:
> Any ideas on what could be causing this?

Are you doing config diffs in order to ensure that no changes are in fact being made? Have you looked through the AAA logs to look at logins/logouts and commands executed by authorized personnel?

You should consider the possibility that someone other than authorized personnel within your organization is making changes, and investigate accordingly - especially if all the usual BCPs around iACLs, vty ACLs, AAA, strong local account/password, et al. haven't yet been implemented.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From sfischer1967 at gmail.com Sun Jun 7 23:02:45 2009
From: sfischer1967 at gmail.com (Steven Fischer)
Date: Sun, 7 Jun 2009 23:02:45 -0400
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012482A9074D@zy-ex1.zyedge.local>
References: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com> <6E21B2BDEF6E714EA0B5BA8D5D0E14012482A9074D@zy-ex1.zyedge.local>
Message-ID: <500ffb690906072002w9922a52q61ba5a32350baae1@mail.gmail.com>

Indeed, we are running RANCID... good call. And they are periodic... but none of my other devices do this, and we have another 4510 that doesn't appear to be doing it either. Can anything be done? I'm just waiting for management to see this and wonder what in blue-blazes is going on, and then to panic.

On Sun, Jun 7, 2009 at 10:56 PM, Ryan West wrote:
> Are you running any type of backup utility (RANCID etc) that might be triggering your logs? Are the timestamps periodic or random?
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Fischer
> Sent: Sunday, June 07, 2009 10:48 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
>
> I have a 4510 in our environment that is reporting literally dozens of changes to the running configuration throughout the day - days on which I am certain no changes have been made to it - the syslog message is given with the header - AUDIT-5-RUN_CONFIG. Cisco's support site doesn't give me a whole lot. Any ideas on what could be causing this?
>
> --
> To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy

From rdobbins at arbor.net Sun Jun 7 23:13:00 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Mon, 8 Jun 2009 10:13:00 +0700
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
In-Reply-To: <500ffb690906072002w9922a52q61ba5a32350baae1@mail.gmail.com>
References: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com> <6E21B2BDEF6E714EA0B5BA8D5D0E14012482A9074D@zy-ex1.zyedge.local> <500ffb690906072002w9922a52q61ba5a32350baae1@mail.gmail.com>
Message-ID: <80C93820-59A7-49E7-9617-F40B68EBAB5D@arbor.net>

On Jun 8, 2009, at 10:02 AM, Steven Fischer wrote:
> can anything be done?

Assuming it's RANCID or something else legit, and assuming that you in fact don't want to see this in your logs (why non-technical management are looking at your logs in the first place is an interesting question, heh), is the log-level on this box different than the log-level on the other boxes?

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.
-- Kevin Lawton

From andhy.indarto at indosat.com Sun Jun 7 22:38:59 2009
From: andhy.indarto at indosat.com (Andhy Indarto)
Date: Mon, 8 Jun 2009 09:38:59 +0700
Subject: [c-nsp] atm oam ping ok but ping ip not ok
Message-ID: <2233A6BE8D55AE4C9119D7870748FC310C6AEB90@isatjkt-msg01.office.corp.indosat.com>

Dear all,

I have experience with an ATM interface where, when I do atm oam ping, the result is normal, but when I do ping ip the result is bad and has a lot of packet loss.

This is the result of atm oam ping:

Sending 500, 53-byte end-to-end OAM echoes, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (500/500), round-trip min/avg/max = 4/6/16 ms

And this is the result of ping ip:

Sending 100, 100-byte ICMP Echos to 10.149.3.97, timeout is 2 seconds:
..!!..!!!.!!!..!...!!!.!!!!.!.!!!!.!!...!...!..!!!..!!!.!!!.!!..!!....
..!..!!..!!!.!.!!!...!!..!..!!
Success rate is 53 percent (53/100), round-trip min/avg/max = 4/4/8 ms

I am new with ATM and I have to troubleshoot an inter-city link using ATM. What is the cause of L2 ping OK but L3 ping bad? What is the troubleshooting scenario that I should do to verify and find the root cause?

Thanks
andhi

*****
"This message is intended only for recipients who are authorized to receive it. It contains confidential and/or legally privileged information belonging to PT INDOSAT Tbk ("INDOSAT"), therefore the authorized recipients shall protect this confidential information disclosed pursuant to provisions of Indosat's policy.
If you are not a valid recipient of this message, please delete it from your system and/or destroy all of the tangible material produced from the information herein together with all copies or reproductions thereof and notify the sender immediately. Please also be notified that any disclosure, copying, distribution or taking any action based on the contents of this message is strictly prohibited and may be unlawful".
*****

From rwest at zyedge.com Sun Jun 7 22:56:32 2009
From: rwest at zyedge.com (Ryan West)
Date: Sun, 7 Jun 2009 22:56:32 -0400
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
In-Reply-To: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com>
References: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012482A9074D@zy-ex1.zyedge.local>

Are you running any type of backup utility (RANCID etc) that might be triggering your logs? Are the timestamps periodic or random?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Fischer
Sent: Sunday, June 07, 2009 10:48 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...

I have a 4510 in our environment that is reporting literally dozens of changes to the running configuration throughout the day - days on which I am certain no changes have been made to it - the syslog message is given with the header - AUDIT-5-RUN_CONFIG. Cisco's support site doesn't give me a whole lot. Any ideas on what could be causing this?
--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From rwest at zyedge.com Sun Jun 7 23:20:38 2009
From: rwest at zyedge.com (Ryan West)
Date: Sun, 7 Jun 2009 23:20:38 -0400
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
In-Reply-To: <500ffb690906072002w9922a52q61ba5a32350baae1@mail.gmail.com>
References: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com> <6E21B2BDEF6E714EA0B5BA8D5D0E14012482A9074D@zy-ex1.zyedge.local> <500ffb690906072002w9922a52q61ba5a32350baae1@mail.gmail.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012482A9074F@zy-ex1.zyedge.local>

Without seeing the differences between configs on your 4510's, I would look at the archive section of the config to see if the auditing is enabled.

-ryan

From: Steven Fischer [mailto:sfischer1967 at gmail.com]
Sent: Sunday, June 07, 2009 11:03 PM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 4510 reporting dozens of config changes throughout the day...

indeed, we are running RANCID...good call. and they are periodic...but none of my other devices do this, and we have another 4510 that doesn't appear to be doing it either. can anything be done? I'm just waiting for management to see this and wonder what in blue-blazes is going on, and then to panic.

On Sun, Jun 7, 2009 at 10:56 PM, Ryan West wrote:
Are you running any type of backup utility (RANCID etc) that might be triggering your logs? Are the timestamps periodic or random?
-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Fischer
Sent: Sunday, June 07, 2009 10:48 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...

I have a 4510 in our environment that is reporting literally dozens of changes to the running configuration throughout the day - days on which I am certain no changes have been made to it - the syslog message is given with the header - AUDIT-5-RUN_CONFIG. Cisco's support site doesn't give me a whole lot. Any ideas on what could be causing this?

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy

From swmike at swm.pp.se Mon Jun 8 01:27:14 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 8 Jun 2009 07:27:14 +0200 (CEST)
Subject: [c-nsp] atm oam ping ok but ping ip not ok
In-Reply-To: <2233A6BE8D55AE4C9119D7870748FC310C6AEB90@isatjkt-msg01.office.corp.indosat.com>
References: <2233A6BE8D55AE4C9119D7870748FC310C6AEB90@isatjkt-msg01.office.corp.indosat.com>
Message-ID:

On Mon, 8 Jun 2009, Andhy Indarto wrote:
> I am new with atm and I have to troubleshoot inter-city link using ATM, what is the cause of L2 ping ok but L3 ping is bad ? What is the troubleshooting scenario that I should do to verify and find the root cause ?

When I've run into this it's always been that the routers are sending packets at a higher bitrate than the ATM network is policing the cell rate to.
Make sure you have the correct UBR in your routers compared to what the ATM network is policing the PVC to.

--
Mikael Abrahamsson email: swmike at swm.pp.se

From david.freedman at uk.clara.net Mon Jun 8 05:23:46 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 08 Jun 2009 10:23:46 +0100
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
In-Reply-To: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com>
References: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com>
Message-ID: <4A2CD8A2.8050809@uk.clara.net>

Silly question, but are you running RANCID and do these changes appear to be to port/vlan membership?

It is quite a common occurrence to have flapping ports be shown as members and then suddenly not members of a vlan when rancid executes the "show vlan" command.

Dave.

Steven Fischer wrote:
> I have a 4510 in our environment that is reporting literally dozens of changes to the running configuration throughout the day - days on which I am certain no changes have been made to it - the syslog message is given with the header - AUDIT-5-RUN_CONFIG. Cisco's support site doesn't give me a whole lot. Any ideas on what could be causing this?
>
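An added example for the AUDIT-5-RUN_CONFIG thread above, not code from any post in it: a Python triage script for the two questions the replies raise, "are the timestamps periodic?" and "can the change be tied to a logged login?". It reads constructed syslog lines (only the AUDIT-5-RUN_CONFIG and SYS-5-CONFIG_I mnemonics are real IOS message names; the message bodies, hostnames, user, line and address are made up), groups the audit events per device, tests whether their spacing is periodic, which is what a scheduled collector such as RANCID looks like as opposed to a person, and attributes each event to a SYS-5-CONFIG_I login seen within an assumed 30-second window before it. Whatever is left, irregular and unattributed, is the set to take to the AAA accounting logs. The year is assumed to be 2009 because BSD-style syslog timestamps carry none.

```python
"""Triage for bursts of %AUDIT-5-RUN_CONFIG syslog messages.

Groups the audit events per device, tests whether their spacing is periodic
(what a scheduled collector such as RANCID looks like, as opposed to a person)
and attributes each one to a %SYS-5-CONFIG_I login seen shortly before it.
The log lines at the bottom are constructed: only the two mnemonics are real
IOS message names; bodies, hostnames, users and addresses are made up."""
import re
import statistics
from datetime import datetime, timedelta

YEAR = 2009                        # assumption: BSD syslog lines carry no year
WINDOW = timedelta(seconds=30)     # assumption: a change within 30 s of a login belongs to it
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) .*?%([A-Z0-9_-]+): (.*)$")
CONFIG_I_RE = re.compile(r"by (\S+) on (\S+) \(([\d.]+)\)")   # "... by USER on LINE (ADDR)"

def parse_syslog(text):
    """List of (time, host, mnemonic, body); lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((when, m.group(2), m.group(3), m.group(4)))
    return events

def is_periodic(times, tolerance=0.05, minimum=3):
    """True when at least `minimum` events are spaced within `tolerance`
    (relative standard deviation) of their mean gap, i.e. driven by a timer."""
    if len(times) < minimum:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= tolerance

def triage(text):
    """{host: {"periodic": bool, "events": [(time, attribution or None)]}}"""
    events = parse_syslog(text)
    logins = [(t, h, CONFIG_I_RE.search(body)) for t, h, mn, body in events
              if mn == "SYS-5-CONFIG_I"]
    per_host = {}
    for t, host, mn, _ in events:
        if mn != "AUDIT-5-RUN_CONFIG":
            continue
        who = None
        for lt, lh, lm in logins:      # latest login within WINDOW before the change wins
            if lh == host and lm and lt <= t <= lt + WINDOW:
                who = f"{lm.group(1)} from {lm.group(3)} on {lm.group(2)}"
        per_host.setdefault(host, []).append((t, who))
    return {h: {"periodic": is_periodic([t for t, _ in ev]), "events": ev}
            for h, ev in per_host.items()}

def needs_investigation(report):
    """Hosts with a change that is neither on a timer nor tied to a logged login."""
    return sorted(h for h, r in report.items()
                  if not r["periodic"] and any(who is None for _, who in r["events"]))

# Constructed sample: hourly events on sw-4510-a (a collector on a timer), two
# odd-hour events on sw-4510-b, only one of them preceded by a logged login.
SAMPLE_LOG = """\
Jun  7 00:00:04 sw-4510-a 1201: *Jun  7 00:00:03.512: %AUDIT-5-RUN_CONFIG: Running configuration changed
Jun  7 01:00:05 sw-4510-a 1202: *Jun  7 01:00:04.498: %AUDIT-5-RUN_CONFIG: Running configuration changed
Jun  7 02:00:04 sw-4510-a 1203: *Jun  7 02:00:03.507: %AUDIT-5-RUN_CONFIG: Running configuration changed
Jun  7 03:00:05 sw-4510-a 1204: *Jun  7 03:00:04.511: %AUDIT-5-RUN_CONFIG: Running configuration changed
Jun  7 03:47:10 sw-4510-b 887: *Jun  7 03:47:09.003: %AUDIT-5-RUN_CONFIG: Running configuration changed
Jun  7 13:22:39 sw-4510-b 888: *Jun  7 13:22:38.771: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.1.1.50)
Jun  7 13:22:41 sw-4510-b 889: *Jun  7 13:22:40.902: %AUDIT-5-RUN_CONFIG: Running configuration changed
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for host, r in report.items():
        print(host, "periodic" if r["periodic"] else "irregular",
              [(t.strftime("%H:%M:%S"), who) for t, who in r["events"]])
    print("investigate:", needs_investigation(report))
```

On the sample, sw-4510-a comes out periodic (hourly within a second or two, the RANCID pattern the thread converged on) and sw-4510-b irregular with one event attributed to "admin from 10.1.1.50 on vty1" and one with no login at all, so only sw-4510-b is listed for investigation. A periodic verdict is a hint, not proof: a collector that also pushes configuration, or an intruder on a cron job, looks the same here, which is why the attribution step and the AAA command accounting Roland mentions still matter.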
From david.freedman at uk.clara.net Mon Jun 8 05:26:40 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 08 Jun 2009 10:26:40 +0100
Subject: [c-nsp] ACL creation and editing tool suggestions?
In-Reply-To:
References:
Message-ID: <4A2CD950.70704@uk.clara.net>

A newcomer to the 12.4(T) train is "ACL Object Groups"

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html

I can see this making everybody's lives useful when it hits real production trains. For the time being, I'm emulating this functionality with my own home-grown software.

Dave.

Scott Granados wrote:
> I'm working in an environment with several large (north of 300 lines) ACLs that need managing. Several different people have had their hands in editing before I arrived and the lists have grown into large jumbled messes and as such are introducing a lot of error because of their complexity. I'm wondering how people manage large ACLs effectively. Are there any tools that help in the automation of ACL creation or any good methods, if even by hand, that folks could recommend to help ease the clean up and maintenance process. Something that could optimize the ACL in automated fashion?
>
> Any pointers would be appreciated.
>
> Thanks
> Scott
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From tom at netspot.com.au Mon Jun 8 05:36:26 2009
From: tom at netspot.com.au (Tom Lanyon)
Date: Mon, 8 Jun 2009 19:06:26 +0930
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
In-Reply-To: <4A2CD8A2.8050809@uk.clara.net>
References: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com> <4A2CD8A2.8050809@uk.clara.net>
Message-ID:

On 08/06/2009, at 6:53 PM, David Freedman wrote:
> Silly question, but are you running RANCID and do these changes appear to be to port/vlan membership?
>
> It is quite a common occurrence to have flapping ports be shown as members and then suddenly not members of a vlan when rancid executes the "show vlan" command.

That shouldn't cause an AUDIT-5-RUN_CONFIG log message though, right?

Tom

From sfischer1967 at gmail.com Mon Jun 8 06:01:15 2009
From: sfischer1967 at gmail.com (Steven Fischer)
Date: Mon, 8 Jun 2009 06:01:15 -0400
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
In-Reply-To:
References: <500ffb690906071947n60d38714v7f4c4ea7812a1edd@mail.gmail.com> <4A2CD8A2.8050809@uk.clara.net>
Message-ID: <500ffb690906080301p40dfd68bu4a74c721ae3ea083@mail.gmail.com>

Doing a compare, I found a single config element, "ip ssh logging events", that was present on the device generating the messages but not on the 4510 that isn't. Removed it, and will see what that does.

On Mon, Jun 8, 2009 at 5:36 AM, Tom Lanyon wrote:
> On 08/06/2009, at 6:53 PM, David Freedman wrote:
>> Silly question, but are you running RANCID and do these changes appear to be to port/vlan membership?
>>
>> It is quite a common occurrence to have flapping ports be shown as members and then suddenly not members of a vlan when rancid executes the "show vlan" command.
>
> That shouldn't cause an AUDIT-5-RUN_CONFIG log message though, right?
>
> Tom

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy

From karim.adel at gmail.com Mon Jun 8 06:13:01 2009
From: karim.adel at gmail.com (Kasper Adel)
Date: Mon, 8 Jun 2009 13:13:01 +0300
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
Message-ID:

Hello,

I'm looking for a way to measure jitter for a VoIP network and I can't get my hands on IXIA or any fancy tool like that, so I'm asking if anyone has used any open source tool specifically for the matter.

iperf is an option but I've never used it, so can you guys point me to whether it can be used and what tests I can try with it? My skills on *nix and these tools are similar to my skills with Chinese poetry ;)

Thanks,
Kas

From Ian.Mackinnon at lumison.net Mon Jun 8 06:19:12 2009
From: Ian.Mackinnon at lumison.net (Ian MacKinnon)
Date: Mon, 8 Jun 2009 11:19:12 +0100
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To:
References:
Message-ID:

Is using IP SLA functionality on your routers an option? Then graph the data with Cacti or MRTG.

Or SmokePing, http://oss.oetiker.ch/smokeping/

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kasper Adel
> Sent: 08 June 2009 11:13
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
>
> Hello,
>
> I'm looking for a way to measure Jitter for a VoIP network and i cant get my hands on IXIA or any fancy tool like that so i'm asking if anyone used any open source tool specifically for the matter.
>
> IPerf is an option but i've never used it, so can you guys point me if i can be used and what are the tests that i can try with it, my skills on *nix and these tools is similar to my skills with Chinese poetry ;)
>
> Thanks,
> Kas
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email.

From peter at rathlev.dk Mon Jun 8 06:24:56 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 08 Jun 2009 12:24:56 +0200
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To:
References:
Message-ID: <1244456696.5100.37.camel@localhost.localdomain>

On Mon, 2009-06-08 at 13:13 +0300, Kasper Adel wrote:
> I'm looking for a way to measure Jitter for a VoIP network and i cant get my hands on IXIA or any fancy tool like that so i'm asking if anyone used any open source tool specifically for the matter.
>
> IPerf is an option but i've never used it, so can you guys point me if i can be used and what are the tests that i can try with it, my skills on *nix and these tools is similar to my skills with Chinese poetry ;)

We use IP SLA / RTR measuring and graph it via Cacti.
This URL describes the procedure for installing the required templates in Cacti:

> Thanks,
> Kas
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From peter at rathlev.dk Mon Jun 8 06:25:57 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 08 Jun 2009 12:25:57 +0200
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To:
References:
Message-ID: <1244456757.5100.38.camel@localhost.localdomain>

(Hit Ctrl+Enter a little fast before, sorry. :-))

On Mon, 2009-06-08 at 13:13 +0300, Kasper Adel wrote:
> I'm looking for a way to measure Jitter for a VoIP network and i cant get my hands on IXIA or any fancy tool like that so i'm asking if anyone used any open source tool specifically for the matter.
>
> IPerf is an option but i've never used it, so can you guys point me if i can be used and what are the tests that i can try with it, my skills on *nix and these tools is similar to my skills with Chinese poetry ;)

We use IP SLA / RTR measuring and graph it via Cacti.

This URL describes the procedure for installing the required templates in Cacti:

http://forums.cacti.net/about19542.html

Regards,
Peter

From masood at nexlinx.net.pk Mon Jun 8 07:31:51 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Mon, 8 Jun 2009 16:31:51 +0500 (PKT)
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To:
References:
Message-ID: <35132.196.46.241.57.1244460711.squirrel@nexmail1.nexlinx.net.pk>

MTR is a nice tool to check delay, loss and jitter stuff. If you want to keep track of historic logs, you can use Nagios (or a tool like Nagios).

You can write your own scripts (using tcl, bash, perl or whatever you like) to monitor delay, jitter and loss and can feed the output to Nagios for historic logs.
Regards,
Masood

> Hello,
>
> I'm looking for a way to measure Jitter for a VoIP network and I can't get
> my hands on IXIA or any fancy tool like that so I'm asking if anyone used any
> open source tool specifically for the matter.
>
> IPerf is an option but I've never used it, so can you guys point me if it
> can be used and what are the tests that I can try with it, my skills on *nix
> and these tools are similar to my skills with Chinese poetry ;)
>
> Thanks,
> Kas

From karim.adel at gmail.com Mon Jun 8 06:53:33 2009
From: karim.adel at gmail.com (Kasper Adel)
Date: Mon, 8 Jun 2009 13:53:33 +0300
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To: <35132.196.46.241.57.1244460711.squirrel@nexmail1.nexlinx.net.pk>
References: <35132.196.46.241.57.1244460711.squirrel@nexmail1.nexlinx.net.pk>
Message-ID:

Thanks guys, the customer is looking for a third-party vendor for this test
because we already used IP SLA and it looks good but the Media Gateways
vendor has its own measurement tool inside and they mentioned that their
values are bad (8 msec jitter).

Cheers,
Kas

On Mon, Jun 8, 2009 at 2:31 PM, wrote:
> MTR is a nice tool to check delay, loss and jitter stuff. If you wanna keep
> track of historic logs, you can use nagios (or a tool like nagios).
>
> You can write your own scripts (using tcl, bash, perl or whatever you like)
> to monitor delay, jitter and loss and can feed the output to nagios for
> historic logs.
>
> Regards,
> Masood
>
> > Hello,
> >
> > I'm looking for a way to measure Jitter for a VoIP network and I can't get
> > my hands on IXIA or any fancy tool like that so I'm asking if anyone used
> > any open source tool specifically for the matter.
> >
> > IPerf is an option but I've never used it, so can you guys point me if it
> > can be used and what are the tests that I can try with it, my skills on
> > *nix and these tools are similar to my skills with Chinese poetry ;)
> >
> > Thanks,
> > Kas

From ray at oneunified.net Mon Jun 8 07:02:52 2009
From: ray at oneunified.net (Ray Burkholder)
Date: Mon, 8 Jun 2009 08:02:52 -0300
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To:
References: <35132.196.46.241.57.1244460711.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <052801c9e828$ca440100$5ecc0300$@net>

>
> Thanks guys, the customer is looking for a third-party vendor for this
> test because we already used IP SLA and it looks good but the Media
> Gateways vendor has its own measurement tool inside and they mentioned
> that their values are bad (8 msec jitter).

Obtain nProbe from NTOP. It can be used to collect jitter statistics,
amongst other things. nProbe has a small, reasonable one-time licensing
fee. Use any version 9 NetFlow analyzer to look at the statistics.

http://www.oneunified.net/blog/OpenSource/Debian/Monitoring/ntop.article

>
>
> On Mon, Jun 8, 2009 at 2:31 PM, wrote:
>
> > MTR is a nice tool to check delay, loss and jitter stuff. If you wanna
> > keep track of historic logs, you can use nagios (or a tool like nagios).
> >
> > You can write your own scripts (using tcl, bash, perl or whatever you
> > like) to monitor delay, jitter and loss and can feed the output to nagios
> > for historic logs.
> >
> > > Hello,
> > >
> > > I'm looking for a way to measure Jitter for a VoIP network and I
> > > can't get my hands on IXIA or any fancy tool like that so I'm asking
> > > if anyone used any open source tool specifically for the matter.
> > >
> > > IPerf is an option but I've never used it, so can you guys point me
> > > if it can be used and what are the tests that I can try with it, my
> > > skills on *nix and these tools are similar to my skills with Chinese
> > > poetry ;)

From rodunn at cisco.com Mon Jun 8 07:15:28 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 8 Jun 2009 07:15:28 -0400
Subject: [c-nsp] 7500 performance (was: Re: IO 7200 GE Improve Performance and help with the CPU Load?)
In-Reply-To: <4A298F85.5060002@rainierconnect.net>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net> <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk> <4A26997F.3030107@cantv.net> <4A269AA1.2030509@rollernet.us> <4A298F85.5060002@rainierconnect.net>
Message-ID: <20090608111528.GE1288@rtp-cse-489.cisco.com>

As long as you want just basic IP with very few features and you make
sure it's all dCEF switched you will probably be ok. Watch the VIP CPU
loads though if you pack the OC3s and etherchannels. It's all software,
although distributed, switching.
Rodney

On Fri, Jun 05, 2009 at 02:35:01PM -0700, Walter Keen wrote:
> Speaking of CPU performance, does anyone have any feedback on the Cisco
> 7500 series, I'm considering using it instead of multiple 7204's to
> aggregate/terminate atm (9 oc3, 1 ds3) and T1 (channelized ds3) traffic,
> I'm looking at the RSP8, with vip4-80's and the appropriate PA's, and
> planning on doing etherchannel on (2) pa-fe's back to our core (7613)
> router.

From pekkas at netcore.fi Mon Jun 8 07:17:46 2009
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 8 Jun 2009 14:17:46 +0300 (EEST)
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To: <35132.196.46.241.57.1244460711.squirrel@nexmail1.nexlinx.net.pk>
References: <35132.196.46.241.57.1244460711.squirrel@nexmail1.nexlinx.net.pk>
Message-ID:

On Mon, 8 Jun 2009, masood at nexlinx.net.pk wrote:
> MTR is a nice tool to check delay, loss and jitter stuff. If you wanna keep
> track of historic logs, you can use nagios (or a tool like nagios).

Note that MTR is measuring almost everything it does from the ICMPs
generated by the routers. As such it doesn't necessarily give the right
idea of end-to-end network properties.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From bbc at misn.com Mon Jun 8 08:46:06 2009
From: bbc at misn.com (Bryan Campbell)
Date: Mon, 08 Jun 2009 07:46:06 -0500
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To:
References:
Message-ID: <1244465167.7701.8.camel@home-desktop>

You cannot measure VOIP (SIP) jitter using ICMP tools. You will only
isolate false positives when the ICMP is not doing well.
Route or mirror the customer's traffic through a monitoring station. Run
tcpdump or Wireshark to get a pcap file that contains traffic of interest.
Wash the pcap file through the Wireshark VOIP analysis tool to find your
jitter. It is a standard tool in Wireshark.

If you can't find jitter in this manner, it cannot be found. If it cannot
be found, it doesn't exist.

bbc at misn.com

On Mon, 2009-06-08 at 13:13 +0300, Kasper Adel wrote:
> Hello,
>
> I'm looking for a way to measure Jitter for a VoIP network and I can't get
> my hands on IXIA or any fancy tool like that so I'm asking if anyone used
> any open source tool specifically for the matter.
>
> IPerf is an option but I've never used it, so can you guys point me if it
> can be used and what are the tests that I can try with it, my skills on
> *nix and these tools are similar to my skills with Chinese poetry ;)
>
> Thanks,
> Kas

From eric at atlantech.net Mon Jun 8 10:06:21 2009
From: eric at atlantech.net (Eric Van Tol)
Date: Mon, 8 Jun 2009 10:06:21 -0400
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To: <1244465167.7701.8.camel@home-desktop>
References: <1244465167.7701.8.camel@home-desktop>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B8635399EACA9@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Bryan Campbell
> Sent: Monday, June 08, 2009 8:46 AM
> To: Kasper Adel
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Opensource tool to measure Jitter for VoIP
>
>
> You cannot measure VOIP (SIP) jitter using ICMP tools. You will only
> isolate false positives when the ICMP is not doing well.
>
> Route or mirror the customer's traffic through a monitoring station.
> Run tcpdump or Wireshark to get a pcap file that contains traffic of
> interest. Wash the pcap file through the Wireshark VOIP analysis tool
> to find your jitter. It is a standard tool in Wireshark.
>
> If you can't find jitter in this manner, it cannot be found. If it
> cannot be found, it doesn't exist.
>
> bbc at misn.com

What are the legal ramifications to this? While I like to think that
"it's my network, I'll do what I want to measure its performance", I
*think* that sniffing voice traffic without consent is considered
wiretapping. IANAL, but it would behoove you to get a consent form from
your customer prior to taking this route, just in case.

-evt

From moua0100 at umn.edu Mon Jun 8 10:11:29 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Mon, 08 Jun 2009 09:11:29 -0500
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To:
References:
Message-ID: <4A2D1C11.3010105@umn.edu>

smokeping supports latency metrics out of the box; add plugins for jitter.

Easy to install (Debian-based *nix):

apt-get install smokeping

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Kasper Adel wrote:
> Hello,
>
> I'm looking for a way to measure Jitter for a VoIP network and I can't get
> my hands on IXIA or any fancy tool like that so I'm asking if anyone used
> any open source tool specifically for the matter.
>
> IPerf is an option but I've never used it, so can you guys point me if it
> can be used and what are the tests that I can try with it, my skills on
> *nix and these tools are similar to my skills with Chinese poetry ;)
>
> Thanks,
> Kas

From mcgrath at fas.harvard.edu Mon Jun 8 09:46:38 2009
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Mon, 8 Jun 2009 08:46:38 -0500
Subject: [c-nsp] 4510 reporting dozens of config changes throughout the day...
Message-ID: <0964463E42710F45AD34A9F2D9F249DC22A62F8735@34093-MBX-C05.mex07a.mlsrvr.com>

Port autonegotiation may be a cause; you may prefer not logging port
status changes, which DO alter the running config.

-----Original Message-----
From: Steven Fischer [mailto:sfischer1967 at gmail.com]
Sent: Sunday, June 07, 2009 10:06 PM Central Standard Time
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 4510 reporting dozens of config changes throughout the day...

Indeed, we are running RANCID... good call. And they are periodic... but
none of my other devices do this, and we have another 4510 that doesn't
appear to be doing it either. Can anything be done? I'm just waiting for
management to see this and wonder what in blue-blazes is going on, and
then to panic.

On Sun, Jun 7, 2009 at 10:56 PM, Ryan West wrote:
> Are you running any type of backup utility (RANCID etc) that might be
> triggering your logs? Are the timestamps periodic or random?
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Fischer
> Sent: Sunday, June 07, 2009 10:48 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 4510 reporting dozens of config changes throughout the
> day...
>
> > I have a 4510 in our environment that is reporting literally dozens of
> > changes to the running configuration throughout the day - days on which I
> > am certain no changes have been made to it - the syslog message is given
> > with the header - AUDIT-5-RUN_CONFIG. Cisco's support site doesn't give
> > me a whole lot. Any ideas on what could be causing this?
> >
> > --
> > To him who is able to keep you from falling and to present you before his
> > glorious presence without fault and with great joy
>

--
To him who is able to keep you from falling and to present you before his
glorious presence without fault and with great joy

From paul at paulstewart.org Mon Jun 8 11:04:19 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 8 Jun 2009 11:04:19 -0400
Subject: [c-nsp] BGP Advertising - Question re more specific block
In-Reply-To: <200906081038.30501.kratzers@pa.net>
References: <004201c9e463$b72ec280$258c4780$@org> <200906081038.30501.kratzers@pa.net>
Message-ID: <001301c9e84a$66b67fb0$34237f10$@org>

Thank you.... We've already messed with a number of the options you
mentioned - this is really a last resort from our viewpoint. ;)

The upstream (AS3320) does not have good reach when going against our
other upstreams/peering and we are locked in a contract so trying to hit
our minimum commit with them as best as we can. When we do some granular
local-pref options it swings traffic around too "dramatically" - using
communities doesn't seem to resolve it either (would have thought it would
actually)...
Appreciate it,

Paul

-----Original Message-----
From: Stephen Kratzer [mailto:kratzers at pa.net]
Sent: Monday, June 08, 2009 10:39 AM
To: cisco-nsp at puck.nether.net
Cc: Paul Stewart
Subject: Re: [c-nsp] BGP Advertising - Question re more specific block

If the provider to which you are advertising a /22 is well-connected, I
would suggest determining what communities they support and try having
them bump local pref up for the /18 and removing the more specific
advertisements. If that brings too much traffic in via that provider,
consider advertising the /18 with default local pref, but advertising a
few more specifics with either no-advertise or no-export communities.
Doing so should force that provider to use the more specifics while
keeping global routing table pollution to a minimum. And if neither of
these two approaches brings enough traffic in via this provider, try
tweaking local pref (depreferencing) on other providers.

I realize that this doesn't address your specific config question, but I
think these approaches might be a bit better (more granular and nicer to
the rest of us) than plain deaggregation. And yes, do as I say, not as I
do.

Stephen

On Wednesday 03 June 2009 11:55:26 Paul Stewart wrote:
> Hi folks.
>
> I'd like to know if there's a better way to approach this.
>
> We are advertising a specific /22 that belongs to a /18 block via one
> specific upstream BGP connection. The /18 is advertised to all upstreams,
> the /22 is only advertised to one upstream as a method of influencing
> traffic via that carrier (knowing that if that particular carrier went
> down, the less specific subnet will still be reachable via the other
> providers). Prepending is very ugly for this situation FYI.
>
> We use BGP communities to identify upstream and downstream BGP connections
> along with our own netblocks.
>
> First I built a route-map that I could use inside the BGP network
> statement:
>
> route-map blahblah-routes-providerx permit 1000
>  set community 11666:6001
>
> Then created the network statement:
>
> network xx.xx.xx.0 mask 255.255.252.0 route-map blahblah-routes-providerx
>
> Created a new IP community-list that includes previous communities plus
> this one new specific community (11666:6001):
>
> ip community-list 101 permit 11666:4000
> ip community-list 101 permit 11666:5000
> ip community-list 101 permit 11666:6001
>
> And, updated the route-map towards this upstream as applicable:
>
> route-map outbound-tsystems permit 10
>  match community 101
>
> My question - is there a better way to configure this? This is working
> just fine for our needs but there's a lot of steps and we're going to have
> to add more into this in future so rather do as simple a config as possible
> ;)
>
> Thanks,
>
> Paul

From A.L.M.Buxey at lboro.ac.uk Mon Jun 8 11:18:28 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 8 Jun 2009 16:18:28 +0100
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B8635399EACA9@exchange.aoihq.local>
References: <1244465167.7701.8.camel@home-desktop> <2C05E949E19A9146AF7BDF9D44085B8635399EACA9@exchange.aoihq.local>
Message-ID: <20090608151828.GB1811@lboro.ac.uk>

Hi,

> What are the legal ramifications to this? While I like to think that
> "it's my network, I'll do what I want to measure its performance", I
> *think* that sniffing voice traffic without consent is considered
> wiretapping.
> IANAL, but it would behoove you to get a consent form from your customer
> prior to taking this route, just in case.

Depends what country you are in, why you are 'sniffing' and how you are
sniffing. If you are using an automated process to keep measurements and
are not looking at anything such as the payload you have already removed a
whole heap of issues. One would hope that the voice traffic was encrypted
by default so there was no 'wire-tapping' argument (boy, I've had fun
demonstrating why encryption should be turned on ('but I'm on a private
switched network!' they scream)). Finally, if you have no other
indications of _who_ or _where_ the IP addresses in src/dst are then
that's another lot of privacy baggage dumped.

The general consensus is that standard automated monitoring of network
performance with no tie to ownership or data within packets is fair game.

PS IANAL.

alan

From petelists at templin.org Mon Jun 8 10:44:45 2009
From: petelists at templin.org (Pete Templin)
Date: Mon, 08 Jun 2009 09:44:45 -0500
Subject: [c-nsp] 7600 router and Etherchannel across multiple line card
In-Reply-To:
References:
Message-ID: <4A2D23DD.4080503@templin.org>

Ibrahim Abo Zaid wrote:
> I am trying to establish L2 Etherchannel between 2 7609 routers,
> SUP720-MSFC3, PFC is 3BXL and Line cards WS-X6148-GE and IOS is
> *12.2(33)SRD*
>
> are there any concerns to establish this etherchannel between ports in
> different line cards?

I vaguely recall a major limitation in the 6148 cards: not only is the
card limited by only 6 1Gbps controllers, I believe EtherChannel traffic
is mirrored across all 6 1Gbps controllers and therefore 1Gbps of EC
traffic will max the card.
pt

From madunix at gmail.com Mon Jun 8 11:50:10 2009
From: madunix at gmail.com (madunix)
Date: Mon, 8 Jun 2009 17:50:10 +0200
Subject: [c-nsp] MPLS
Message-ID: <4d3f56c90906080850j5eef041cua8abd4938698d177@mail.gmail.com>

Agree with your security concern and latency; the overhead to make the
routing work in an MPLS network will slow the traffic down, and this will
create latency concerns for the customer.

> madunix wrote:
> > I have 3x sites with DS8100 SAN Storage at each side, I will be
> > replicating data from one side to another (A - B, synchronous,
> > distance 100Km) and (B-C, asynchronous, 300Km). Am thinking to use
> > MPLS based on IP-VPN since it's secure and not visible to other
> > customers or internet.
> > Out of your experience... what do you think about?
> >
>
> Well, it's not "secure", it's simply routing isolated. If you want
> security, as in encryption, you will need to do that on your own.
>
> If you need low convergence times, MPLS/VPN is probably not your best
> choice. I don't know of many (if any) providers who will guarantee the
> convergence times through their network. You should expect convergence
> times in the 10's of seconds or more for certain types of failures.
>
> You may want to consider getting an L2VPN solution such as VPWS or VPLS and
> running your own routing protocol and failure detection methods.
> madunix

From petelists at templin.org Mon Jun 8 11:27:01 2009
From: petelists at templin.org (Pete Templin)
Date: Mon, 08 Jun 2009 10:27:01 -0500
Subject: [c-nsp] 7500 performance
In-Reply-To: <4A298F85.5060002@rainierconnect.net>
References: <4A268001.8030101@cantv.net> <844ef89c0906030749v1dd9f77fy6c5d15059ab1b81e@mail.gmail.com> <4A269036.3080507@cantv.net> <25474.196.46.241.57.1244046255.squirrel@nexmail1.nexlinx.net.pk> <4A26960D.8070206@cantv.net> <46075.196.46.241.57.1244047312.squirrel@nexmail1.nexlinx.net.pk> <4A26997F.3030107@cantv.net> <4A269AA1.2030509@rollernet.us> <4A298F85.5060002@rainierconnect.net>
Message-ID: <4A2D2DC5.1020605@templin.org>

Walter Keen wrote:
> Speaking of CPU performance, does anyone have any feedback on the Cisco
> 7500 series, I'm considering using it instead of multiple 7204's to
> aggregate/terminate atm (9 oc3, 1 ds3) and T1 (channelized ds3) traffic,
> I'm looking at the RSP8, with vip4-80's and the appropriate PA's, and
> planning on doing etherchannel on (2) pa-fe's back to our core (7613)
> router.

As someone (Jon Lewis?) said a while ago, VIPs in a 7500 are like
individual 7202s with a magic backplane between them. Sizing your VIPs is
like sizing your NPEs. If I were buying 7500s (which I wouldn't be doing),
I'd be buying VIP4-80s at the bare minimum, VIP6-80s if I had the need,
and RSP4s (if I didn't need full routes) or RSP16s (if I did need full
routes).

I don't know how well those etherchannels will work for you. I think
they're software-dependent, but I suspect GEIP+ may be the better bet for
you. Complexity (of which etherchannel most likely qualifies) is not the
7500 strong suit.

pt

From zeusdadog at gmail.com Mon Jun 8 14:33:09 2009
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 8 Jun 2009 14:33:09 -0400
Subject: [c-nsp] Cisco IOS content filtering
Message-ID: <9418aca70906081133yd17948duaa1fd4153970828c@mail.gmail.com>

I am trying out for the first time the IOS content filtering feature.
Detailed documentation seems a little lacking. One thing I can't find
references to is what exactly each security category and productivity
category includes. For example, UNBLEMISHED, what web sites does that
include?

Anyone have any info on this?

Thanks!

From mylists at battleop.com Mon Jun 8 14:29:15 2009
From: mylists at battleop.com (Richey)
Date: Mon, 8 Jun 2009 14:29:15 -0400
Subject: [c-nsp] "sh run" crashes router
Message-ID: <00bb01c9e867$0727bc90$157735b0$@com>

I am setting up TACACS+ on all of our far-end routers so I can run
RANCID. I have found several 1720s and a 2621 that crash when I log in to
them and issue the "sh run" command. They reboot quickly and then I don't
have a problem with the "sh run" command after the reload. If I look at
the output from a "sh ver" I get "System returned to ROM by error - a SegV
exception, PC 0x8066A150". This seems to only be a small number of
routers. They are in different environments (one is in a server room,
another on the wall in a warehouse, etc). The 1700s are running various
versions of the same image type. The only thing that they all have in
common is that it's been months since anyone has logged into the router.
Is this some bug that comes from long uptimes without any activity at the
CLI?

Richey

From eninja at gmail.com Mon Jun 8 17:02:00 2009
From: eninja at gmail.com (e ninja)
Date: Mon, 8 Jun 2009 14:02:00 -0700
Subject: [c-nsp] "sh run" crashes router
In-Reply-To: <00bb01c9e867$0727bc90$157735b0$@com>
References: <00bb01c9e867$0727bc90$157735b0$@com>
Message-ID:

Segmentation Violation (SegV) exceptions are _always_ caused by a bug in
Cisco IOS and could be triggered by any of the following:

- Accessing an invalid memory address, e.g. attempting to access the
  lowest 16KB of memory on PowerPC platforms
- Writing to a read-only memory region
- A jump to an invalid PC (often 0x0)

Contact your network maintenance service provider/Cisco to get your bug
fix.

More info at...
- http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a0080189ddb.shtml
- http://solutions.mysolvr.com/Spurious_Memory_Accesses

eninja

On Mon, Jun 8, 2009 at 11:29 AM, Richey wrote:
> I am setting up TACACS+ on all of our far-end routers so I can run RANCID.
> I have found several 1720s and a 2621 that crash when I log in to them and
> issue the "sh run" command. They reboot quickly and then I don't have a
> problem with the "sh run" command after the reload. If I look at the
> output from a "sh ver" I get "System returned to ROM by error - a SegV
> exception, PC 0x8066A150". This seems to only be a small number of
> routers. They are in different environments (one is in a server room,
> another on the wall in a warehouse, etc). The 1700s are running various
> versions of the same image type. The only thing that they all have in
> common is that it's been months since anyone has logged into the router.
> Is this some bug that comes from long uptimes without any activity at the
> CLI?
>
> Richey

From elmi at 4ever.de Mon Jun 8 17:03:27 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Mon, 8 Jun 2009 23:03:27 +0200
Subject: [c-nsp] ASR7401 and PA-FE-TX (ISL)
Message-ID: <20090608210327.GV6911@ronin.4ever.de>

Re folks,

my private 7401 felt a bit empty, and I bought an ISL for it (this should
be the mgt interface, not much bandwidth). I wonder if it is broken, or
if I am doing something wrong, or if this just cannot work because I'm
too st00p1d and bought the wrong thing...

The "show interface" output is quite interesting.
No input packets, but hundreds of thousands of input errors _per second_:

==========================================================================
rt#sh int f1/0
FastEthernet1/0 is up, line protocol is up
  Hardware is DEC21140A, address is 000a.4230.841c (bia 000a.4230.841c)
  Internet address is *.*.*.*
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 245/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, Unknown Speed, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     2770584934 input errors, 0 CRC, 0 frame, 42604211 overrun, 2727980723 ignored
     0 watchdog
     0 input packets with dribble condition detected
     2432 packets output, 242733 bytes, 0 underruns
     0 output errors, 0 collisions, 2090 interface resets
     0 babbles, 0 late collision, 0 deferred
     2078 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
==========================================================================

Needless to say, I cannot see anything there and I cannot ping the
address with a direct connection either...

Config is straightforward:

interface FastEthernet1/0
 ip address *.*.*.* *.*.*.*
 load-interval 30
 duplex full
end

(I explicitly set the media-type, but that was obviously alright)

Of course the switch (3560) the box is connected to has full-duplex
configured on the if.

Any ideas?

Elmar.
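Counter blocks like the one Elmar posted are easier to reason about once the numbers are pulled out mechanically: zero good input packets next to billions of input errors, none of them CRC or runts, plus interface resets and lost-carrier events, is a specific pattern. The following is an added example, not code from Elmar or anyone else in this thread: a small Python parser for one interface block of IOS "show interfaces" output, with a few checks applied to the result. The sample text is the output posted above (with the address masked as the poster masked it); the function names, finding codes and the heuristics in diagnose() (the "Unknown Speed" check, the errors-with-no-input check, and the rule of thumb that a real duplex mismatch shows up as runts, CRC errors and collisions rather than overrun/ignored) are my own.

```python
import re

# Interface block as posted in the thread above (prompt line dropped, IP masked by the poster).
SAMPLE_SHOW_INT = """\
FastEthernet1/0 is up, line protocol is up
  Hardware is DEC21140A, address is 000a.4230.841c (bia 000a.4230.841c)
  Internet address is *.*.*.*
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 245/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, Unknown Speed, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     2770584934 input errors, 0 CRC, 0 frame, 42604211 overrun, 2727980723 ignored
     0 watchdog
     0 input packets with dribble condition detected
     2432 packets output, 242733 bytes, 0 underruns
     0 output errors, 0 collisions, 2090 interface resets
     0 babbles, 0 late collision, 0 deferred
     2078 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
"""

# Counters IOS prints as "<number> <name>"; stored under the name with spaces -> underscores, lower-cased.
_COUNTERS = [
    "packets input", "runts", "giants", "throttles", "input errors", "CRC", "frame",
    "overrun", "ignored", "watchdog", "packets output", "underruns", "output errors",
    "collisions", "interface resets", "babbles", "late collision", "deferred",
    "lost carrier", "no carrier",
]


def parse_show_interface(text):
    """Parse one interface block of IOS 'show interfaces' into a flat dict."""
    info = {}
    m = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    if m:
        info["name"], info["state"], info["line_protocol"] = m.groups()
    m = re.search(r"reliability (\d+)/255", text)
    if m:
        info["reliability"] = int(m.group(1))
    # e.g. "Full-duplex, 100Mb/s, 100BaseTX/FX" or, as here, "Full-duplex, Unknown Speed, ..."
    m = re.search(r"^\s*(Full|Half)-duplex, ([^,]+),", text, re.M)
    if m:
        info["duplex"] = m.group(1).lower()
        info["speed"] = m.group(2).strip()
    for name in _COUNTERS:
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        if m:
            info[name.replace(" ", "_").lower()] = int(m.group(1))
    return info


def diagnose(info):
    """Return (code, message) findings worth a NOC engineer's attention. Heuristics are assumptions."""
    findings = []
    if info.get("speed", "").lower().startswith("unknown"):
        findings.append(("SPEED_UNKNOWN", "speed neither negotiated nor forced; set it explicitly on both ends"))
    errs = info.get("input_errors", 0)
    if errs and info.get("packets_input", 0) == 0:
        findings.append(("ERRORS_NO_INPUT", "%d input errors with zero good input packets" % errs))
    classic = info.get("crc", 0) or info.get("runts", 0) or info.get("collisions", 0)
    if not classic and (info.get("overrun", 0) or info.get("ignored", 0)):
        findings.append(("NOT_DUPLEX_SIGNATURE", "only overrun/ignored, no CRC/runts/collisions: not the duplex-mismatch pattern"))
    if info.get("interface_resets", 0):
        findings.append(("RESETS", "%d interface resets" % info["interface_resets"]))
    if info.get("lost_carrier", 0):
        findings.append(("LOST_CARRIER", "%d lost-carrier events: link flapping at the PHY" % info["lost_carrier"]))
    if info.get("reliability", 255) < 255:
        findings.append(("RELIABILITY", "reliability %d/255" % info["reliability"]))
    return findings


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE_SHOW_INT)
    for code, msg in diagnose(parsed):
        print("%s: %s %s" % (parsed.get("name", "?"), code, msg))
```

Feed it the text of `show interfaces <if>` captured by RANCID or a cron job and alert on the codes; the counters are cumulative since the last `clear counters`, so compare successive snapshots if you want rates rather than totals.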
From paul at paulstewart.org Mon Jun 8 17:40:37 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 8 Jun 2009 17:40:37 -0400
Subject: Re: [c-nsp] "sh run" crashes router
In-Reply-To:
References: <00bb01c9e867$0727bc90$157735b0$@com>
Message-ID: <005901c9e881$c3c4ce50$4b4e6af0$@org>

What are some of the versions you are running? We have some 1710/1711
routers and many 2621 in the field and have never experienced that
particular issue.

Agree with eninja though - always an IOS bug 95% of the time anyways... ;)

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of e ninja
Sent: June 8, 2009 5:02 PM
To: Richey
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] "sh run" crashes router

Segmentation Violation (SegV) exceptions are _always_ caused by a bug in
Cisco IOS and could be triggered by any of the following:

- Accessing an invalid memory address, e.g. attempting to access the
  lowest 16KB of memory on PowerPC platforms
- Writing to a read-only memory region
- A jump to an invalid PC (often 0x0)

Contact your network maintenance service provider/Cisco to get your bug
fix.

More info at...

- http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a0080189ddb.shtml
- http://solutions.mysolvr.com/Spurious_Memory_Accesses

eninja

On Mon, Jun 8, 2009 at 11:29 AM, Richey wrote:
> I am setting up TACACS+ on all of our far-end routers so I can run RANCID.
> I have found several 1720s and a 2621 that crash when I log in to them and
> issue the "sh run" command. They reboot quickly and then I don't have a
> problem with the "sh run" command after the reload. If I look at the
> output from a "sh ver" I get "System returned to ROM by error - a SegV
> exception, PC 0x8066A150". This seems to only be a small number of
> routers.
> They are in different environments (one is in a server room,
> another on the wall in a warehouse, etc). The 1700s are running various
> versions of the same image type. The only thing that they all have in
> common is that it's been months since anyone has logged into the router.
> Is this some bug that comes from long uptimes without any activity at the
> CLI?
>
> Richey

From mhuff at ox.com Mon Jun 8 18:10:38 2009
From: mhuff at ox.com (Matthew Huff)
Date: Mon, 8 Jun 2009 18:10:38 -0400
Subject: Re: [c-nsp] ASR7401 and PA-FE-TX (ISL)
In-Reply-To: <20090608210327.GV6911@ronin.4ever.de>
References: <20090608210327.GV6911@ronin.4ever.de>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C3811FD239@PUR-EXCH07.ox.com>

Duplex problems typically show runts, CRC and collisions. The show
interface line with:

  Full-duplex, Unknown Speed, 100BaseTX/FX

might be the problem. How about:

interface FastEthernet1/0
 ip address *.*.*.* *.*.*.*
 load-interval 30
 speed 100
 duplex full
end

and check the config on the 3560:

int fa1/2
 speed 100
 duplex full
 switchport
 switchport mode access
 spanning-tree portfast

If you are paranoid with portfast, add "spanning-tree bpduguard enable".

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Elmar K.
Bins
Sent: Monday, June 08, 2009 5:03 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASR7401 and PA-FE-TX (ISL)

Re folks,

my private 7401 felt a bit empty, and I bought an ISL for it (this should be the mgt interface, not much bandwidth). I wonder if it is broken, or if I am doing something wrong, or if this just cannot work because I'm too st00p1d and bought the wrong thing...

The "show interface" output is quite interesting. No input packets, but hundreds of thousands of input errors _per second_:

==========================================================================
rt#sh int f1/0
FastEthernet1/0 is up, line protocol is up
  Hardware is DEC21140A, address is 000a.4230.841c (bia 000a.4230.841c)
  Internet address is *.*.*.*
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 245/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, Unknown Speed, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     2770584934 input errors, 0 CRC, 0 frame, 42604211 overrun, 2727980723 ignored
     0 watchdog
     0 input packets with dribble condition detected
     2432 packets output, 242733 bytes, 0 underruns
     0 output errors, 0 collisions, 2090 interface resets
     0 babbles, 0 late collision, 0 deferred
     2078 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
==========================================================================

Needless to say, I cannot see anything there and I cannot ping the address with a direct connection either...
Config is straightforward:

interface FastEthernet1/0
 ip address *.*.*.* *.*.*.*
 load-interval 30
 duplex full
end

(I explicitly set the media-type, but that was obviously alright)

Of course the switch (3560) the box is connected to has full-duplex configured on the if.

Any ideas?

Elmar.

From andy.saykao at staff.netspace.net.au Mon Jun 8 21:48:30 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 9 Jun 2009 11:48:30 +1000
Subject: [c-nsp] data corruption errors on the 7606 sup-720
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654E51@vic-cr-ex1.staff.netspace.net.au>

Anybody come across data corruption errors on the 7606 sup-720 before? What's causing them? Are they bad or can we live with them????

Eg:

router-1#sh data-corruption
Data inconsistency records for:
  s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Compiled Tue 03-Mar-09 23:54 by kellythw

Count   Traceback
112920  40E36158, 4045D590 40E36158 40E36EFC 40E49340 40E3B3D8 40EB04B4 40E8F3B0
        1: May 13 19:10:42.989
        2: May 13 19:10:42.989
        3: May 13 19:10:42.993
        112920: Jun 9 01:40:38.250

We're using IOS s72033-ipservicesk9_wan-mz.122-18.SXF16.bin

We're only seeing these data corruption errors on this particular hardware platform and IOS. We've got other 7606s deployed but these are sup-32's instead and do not show any data corruption errors.

Thanks.

Andy
From frnkblk at iname.com Mon Jun 8 22:39:08 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Mon, 8 Jun 2009 21:39:08 -0500
Subject: [c-nsp] hung vty on SXH3a?
In-Reply-To: <20090603071609.GY290@greenie.muc.de>
References: <20090603071609.GY290@greenie.muc.de>
Message-ID: 

Have you tried the SNMP approach?

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Wednesday, June 03, 2009 2:16 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] hung vty on SXH3a?

Hi,

so far, we have been quite happy with SXH3a, but today two of our boxes have started playing games with me... notably, the command we use to auto-upload ACLs etc

  rcp new_config.txt router:running-config

started to fail with "rcp: running-config: No such file or directory". On other boxes, it works "as usual". All the "ip rcmd" config is present and sane.

The only thing that looks different is this:

Cisco#who
    Line       User       Host(s)              Idle       Location
   1 vty 0                Virtual Exec         00:00:00
*  2 vty 1     gert       idle                 00:00:00 mgmthost

  Interface    User               Mode         Idle     Peer Address

Cisco#

- "vty 0" looks weird. I can't find a way to recover that vty, that is "clear line 1" or "clear line vty 0" don't change anything. Nor is there a TCB assigned to it ("show tcp vty 1" shows my telnet connection, but "show tcb vty 0" doesn't display anything).

So... is this a known bug in SXH3a? Is there a way to reclaim that VTY without rebooting?

(I've also tried configuring "transport input none" under "line vty 0", and to completely disable "ip rcmd ..." to get rid of the session, but no change either).
gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From frnkblk at iname.com Mon Jun 8 22:39:08 2009 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Mon, 8 Jun 2009 21:39:08 -0500 Subject: [c-nsp] Netflow analyzer suggestions In-Reply-To: <20090602150859.H38689@shell.xecu.net> References: <20090602150859.H38689@shell.xecu.net> Message-ID: It's not cheap, but Xangati may be a good match. Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Dills Sent: Tuesday, June 02, 2009 2:21 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Netflow analyzer suggestions Hi there, Apologies for the non-cisco specific post, but I couldn't think of a better list to post to off of the top of my head. A friend of mine is looking to get some better visibility into their network usage (low bandwidth, T1 type scenario). I got them setup with an IOS that supports netflow v9, and since they had a freebsd box being barely used, I built ntop to be their collector/analyzer. It works reasonably well, but it's perhaps not quite...user friendly enough for them. What they're looking for is a graphical representation at the host level. In essence, they're looking for something like cricket/mrtg but with each IP having its own graph (rather than each interface). Additional features, such as protocol breakdown and so forth are helpful, but the primary desire is to be able to see how much bandwidth a given IP address is using currently and was using in the past. They're open to commercial solutions, but would prefer to keep costs down. Host operating system requirements for the collector/analyzer aren't important. Does anybody have any suggestions they could pass along? Thanks, Andy --- Andy Dills Xecunet, Inc. 
www.xecu.net
301-682-9972
---

From ml at kenweb.org Mon Jun 8 22:44:01 2009
From: ml at kenweb.org (ML)
Date: Mon, 08 Jun 2009 22:44:01 -0400
Subject: [c-nsp] ME3400 Transmit queues and architecture
Message-ID: <4A2DCC71.6080605@kenweb.org>

This is a multi-part question, please bear with me.

Background synopsis:

A large number (on the order of millions) of output queue drops were causing noticeable breakup of multicast video streams. I learned that the default egress queue size is 160 starting in 12.2.46SE. I upgraded some lab switches; this helped my situation immensely. However output queue drops continued, albeit much less frequently.

Question 1:

From an off-list reply to my original question I was told I could increase the number of queues per interface with this policy-map:

policy-map max-queue
 class class-default
  queue-limit 544

Naturally I would want to apply this to every interface, however I am unsure if this will be detrimental. What I don't know is where queue space exists: DRAM, a small supply of onboard SRAM? If I allocate 544 queues to every interface on an ME3400-24TS-A will I starve other processes for memory (unlikely, check my math below)?

If the current default queue size is 160 and I increase it to 544 for all FastEthernet interfaces I would increase the amount of memory usage by 2.25 megabytes:

Queue size is 256 bytes; 24 interfaces.
(256 * (544 - 160) bytes) * 24 = 2.25 megabytes

Since these ME3400s are just access switches I seem to always have at least 50MB of free memory. Therefore 2.25 MB doesn't seem like a big impact.

Am I correct in my calculations about the impact of the preceding policy-map applied system wide? Do the output queues live in run of the mill DRAM?
Question 2:

When I do apply the 'max-queue' policy-map to an interface and inspect my work:

sh platform qos debug port-class
sh platform qos debug port-config X

Port Class 0: Queue #3 seems to have my new max-queue setting but every other Port Class and corresponding Queue are still set to 48 (the pre-12.2.46SE default queue size?)

Am I missing something when I use these commands? This is new territory for me.

Question 3:

Are the FastEthernet ports on the ME3400 oversubscribed in any way? Can I expect line-rate performance on every port at once or is there an ASIC handling groups of 2^n ports?

Thanks in advance for any help.

****

From ip at ioshints.info Tue Jun 9 00:58:25 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 9 Jun 2009 06:58:25 +0200
Subject: [c-nsp] Cisco IOS content filtering
In-Reply-To: <9418aca70906081133yd17948duaa1fd4153970828c@mail.gmail.com>
References: <9418aca70906081133yd17948duaa1fd4153970828c@mail.gmail.com>
Message-ID: <001101c9e8be$ecad7230$0a00000a@nil.si>

Haven't tried the server-based configuration yet (it only works on ISRs), here's what you can do locally:

http://wiki.nil.com/Local_Content_Filtering_in_Cisco_IOS

Best regards
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Jay Nakamura [mailto:zeusdadog at gmail.com]
> Sent: Monday, June 08, 2009 8:33 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco IOS content filtering
>
> I am trying out for the first time the IOS content filtering feature.
> Detailed documentation seems a little lacking. One thing I can't
> find references to is what exactly each security
> category and productivity category includes. For
> example, UNBLEMISHED, what web sites does that include?
> Anyone have any info on this?
>
> Thanks!
>

From elmi at 4ever.de Tue Jun 9 03:14:28 2009
From: elmi at 4ever.de (Elmar K.
Bins)
Date: Tue, 9 Jun 2009 09:14:28 +0200
Subject: [c-nsp] ASR7401 and PA-FE-TX (ISL)
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C3811FD239@PUR-EXCH07.ox.com>
References: <20090608210327.GV6911@ronin.4ever.de> <483E6B0272B0284BA86D7596C40D29F9C3811FD239@PUR-EXCH07.ox.com>
Message-ID: <20090609071427.GW6911@ronin.4ever.de>

Re everyone and thank you for the input.

The "speed unknown" hadn't revealed itself to me _but_ I cannot make it go away. The interface does not understand the "speed" command:

rt(config-if)#speed ?
% Unrecognized command

The duplex does of course match on both sides - I did not see any collision or late collision errors.

The router i/f doesn't seem capable of any kind of negotiation, at least there's no matching command except for, maybe, "no duplex"...

I also get this from time to time:

*Jun 9 06:44:18: %SYS-3-CPUHOG: Task is running for (2004)msecs, more than (2000)msecs (0/0),process = Exec.
-Traceback= 0x608FAE9C 0x608FACB0 0x6015BA10 0x60162FC0 0x6016001C 0x6087A44C 0x60879ABC 0x6086F7A4 0x607FDF2C 0x6081BDD8 0x608BEFCC 0x608BEFB0

I wonder whether the interface is really broken (and I should return it), or whether it's supposed to (not) work that way.

Yours,
Elmar.

PS: Although my WS worked fine on that cable and switchport, I'll go swap the cable next.
PPS: IOSes tried are 12.3(14)T3 and 12.4(12)a.

From gert at greenie.muc.de Tue Jun 9 03:20:46 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 9 Jun 2009 09:20:46 +0200
Subject: [c-nsp] hung vty on SXH3a?
In-Reply-To: 
References: <20090603071609.GY290@greenie.muc.de>
Message-ID: <20090609072046.GR290@greenie.muc.de>

Hi,

On Mon, Jun 08, 2009 at 09:39:08PM -0500, Frank Bulk - iName.com wrote:
> Have you tried the SNMP approach?

What is "the SNMP approach"?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From mark.r.zipp at gmail.com Tue Jun 9 03:26:31 2009
From: mark.r.zipp at gmail.com (Mark Zipp)
Date: Tue, 9 Jun 2009 16:56:31 +0930
Subject: [c-nsp] Non-Cisco SFPs (i.e. Finisar) in TwinGig modules on a 4900M?
Message-ID: 

Hi,

Does anybody know if the 'service unsupported-transceiver' command is supported on the 4900Ms? We're intending to use Finisar 1000BaseLX SFPs.

Thanks,
Mark.

From elmi at 4ever.de Tue Jun 9 03:28:11 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Tue, 9 Jun 2009 09:28:11 +0200
Subject: [c-nsp] ASR7401 and PA-FE-TX (ISL)
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C3811FD239@PUR-EXCH07.ox.com>
References: <20090608210327.GV6911@ronin.4ever.de> <483E6B0272B0284BA86D7596C40D29F9C3811FD239@PUR-EXCH07.ox.com>
Message-ID: <20090609072811.GY6911@ronin.4ever.de>

I have an update on this one...

I powered off the router (in order to put a Wattmeter in between), and while I was at it, I thought "hell, pull and push the card back in again" which I did.

Well, I don't know why, but this worked, the card sees a speed now and seems to work.

Thank you all for your kind responses and help!

Elmar.

From p.mayers at imperial.ac.uk Tue Jun 9 04:33:38 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 09 Jun 2009 09:33:38 +0100
Subject: [c-nsp] hung vty on SXH3a?
In-Reply-To: <20090609072046.GR290@greenie.muc.de>
References: <20090603071609.GY290@greenie.muc.de> <20090609072046.GR290@greenie.muc.de>
Message-ID: <4A2E1E62.8020301@imperial.ac.uk>

Gert Doering wrote:
> Hi,
>
> On Mon, Jun 08, 2009 at 09:39:08PM -0500, Frank Bulk - iName.com wrote:
>> Have you tried the SNMP approach?
>
> What is "the SNMP approach"?
You can use SNMP to close the TCP connection. Our local docs reckon:

snmpwalk -c READCOMM -v 2c ROUTER .1.3.6.1.2.1.6.13.1.1

...to get a list of connections, then:

snmpset -c WRITECOMM -v 2c ROUTER .1.3.6.1.2.1.6.13.1.1.locip.locport.remip.remport integer 12

From sam_mailinglists at spacething.org Tue Jun 9 07:12:32 2009
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 09 Jun 2009 12:12:32 +0100
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To: <4A23F37A.60008@spacething.org>
References: <4A23F37A.60008@spacething.org>
Message-ID: <4A2E43A0.2050306@spacething.org>

All,

I had some feedback from people that have tried it in the lab, but not in production yet.

I notice that in all the Cisco marketing material it talks repeatedly about how the guest's security profile will migrate with the VM. However, as far as I can tell NX-OS only offers non-stateful ACLs and no inspection so I'm not sure it's really that useful?

Sam

Sam Stickland wrote:
> Hi,
>
> Has anyone here deployed the Nexus V1000? I'm interested in feedback
> (good, bad or indifferent).
>
> Thanks,
>
> Sam
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From shinejoseph at dodo.com.au Tue Jun 9 07:00:52 2009
From: shinejoseph at dodo.com.au (Shine Joseph)
Date: Tue, 9 Jun 2009 19:00:52 +0800
Subject: [c-nsp] Policy Based Routing on Cisco 6500
Message-ID: 

Hi,

I am wondering if there is any performance issue with using PBR on a Cisco 6500 with Sup720? Any pointers and suggestions are most appreciated.

Thanks in advance,
Shine

From cisco-nsp at ml.karotte.org Tue Jun 9 07:11:09 2009
From: cisco-nsp at ml.karotte.org (Sebastian Wiesinger)
Date: Tue, 9 Jun 2009 13:11:09 +0200
Subject: [c-nsp] Non-Cisco SFPs (i.e. Finisar) in TwinGig modules on a 4900M?
In-Reply-To: 
References: 
Message-ID: <20090609111109.GA22755@danton.fire-world.de>

* Mark Zipp [2009-06-09 09:33]:
> Hi,
>
> Does anybody know if the 'service unsupported-transceiver' command is
> supported on the 4900Ms? We're intending to use Finisar 1000BaseLX
> SFPs.

I can confirm this:

NAME: "Converter 3/2", DESCR: "Converter Module"
PID: CVR-X2-SFP        , VID: V01  , SN: CAT111058P7

NAME: "GigabitEthernet3/11", DESCR: "1000BaseSX"
PID: Unspecified       , VID:      , SN: FNS11172H80

Don't forget to use

hw-module module X port-group Y select gigabitethernet

or you'll get some not-so-helpful errors (in older IOS versions).

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From rdobbins at arbor.net Tue Jun 9 07:54:32 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Tue, 9 Jun 2009 18:54:32 +0700
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To: <4A2E43A0.2050306@spacething.org>
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org>
Message-ID: 

On Jun 9, 2009, at 6:12 PM, Sam Stickland wrote:

> only offers non-stateful ACLs and no inspection so I'm not sure
> it's really that useful?

Stateful inspection in front of front-end servers is generally not only useless, but counterproductive, as it greatly increases susceptibility to DDoS. Especially with a software-based switch/router/what-have-you.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.
-- Kevin Lawton From rdobbins at arbor.net Tue Jun 9 08:01:15 2009 From: rdobbins at arbor.net (Roland Dobbins) Date: Tue, 9 Jun 2009 19:01:15 +0700 Subject: [c-nsp] Policy Based Routing on Cisco 6500 In-Reply-To: References: Message-ID: <4B9493F0-E907-4D93-A4C4-F4E7DCF6194A@arbor.net> On Jun 9, 2009, at 6:00 PM, Shine Joseph wrote: > I am wondering if there any performance issue with using PBR on a > Cisco 6500 with Sup720? I think (correction welcome) that it only works in hardware based upon matching an extended ACL - any attempt to do things like match on packet size, etc. results in software switching. PBR by its nature is operationally brittle and ugly; if there's another way to accomplish one's goal, it's generally best to pursue an alternate method, if at all possible. ----------------------------------------------------------------------- Roland Dobbins // Unfortunately, inefficiency scales really well. -- Kevin Lawton From avayner at cisco.com Tue Jun 9 08:07:19 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Tue, 9 Jun 2009 14:07:19 +0200 Subject: [c-nsp] Policy Based Routing on Cisco 6500 In-Reply-To: References: Message-ID: <78C984F8939D424697B15E4B1C1BB3D7BE31D4@xmb-ams-331.emea.cisco.com> Shine, PBR is done in hardware on the 6500. If you have DFC's, it would be done on the DFC. If not, the central PFC will do it. You should monitor your TCAM resources, as it may fill it up, and then traffic would be punted to the CPU - which you want to avoid at all costs. Use the "show tcam counts" command. 
Take a look here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/cef.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shine Joseph
Sent: Tuesday, June 09, 2009 14:01
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Policy Based Routing on Cisco 6500

Hi,

I am wondering if there is any performance issue with using PBR on a Cisco 6500 with Sup720? Any pointers and suggestions are most appreciated.

Thanks in advance,
Shine

From rodunn at cisco.com Tue Jun 9 09:13:11 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 9 Jun 2009 09:13:11 -0400
Subject: [c-nsp] "sh run" crashes router
In-Reply-To: <00bb01c9e867$0727bc90$157735b0$@com>
References: <00bb01c9e867$0727bc90$157735b0$@com>
Message-ID: <20090609131311.GB14941@rtp-cse-489.cisco.com>

Need:

sh ver
sh stack

and bonus points for a crashinfo file from flash:

Did you try posting the sh stack in the output interpreter on Cisco.com?

Rodney

On Mon, Jun 08, 2009 at 02:29:15PM -0400, Richey wrote:
> I am setting up Tacacs+ on all of our far end routers so I can run rancid.
> I have found several 1720s and a 2621 that crash when I log in to them and
> issue the "sh run" command. They reboot quickly and then I don't have a
> problem with the "sh run" command after the reload. If I look at the
> output from a "sh ver" I get System returned to ROM by error - a SegV
> exception, PC 0x8066A150. This seems to only be a small number of
> routers. They are in different environments (one is in a server room,
> another on the wall in a warehouse, etc) The 1700s are running various
> versions of the same image type.
> The only thing that they all have in
> common is that it's been months since anyone has logged into the router.
> Is this some bug that comes from long uptimes without any activity at the
> CLI?
>
> Richey
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From gert at greenie.muc.de Tue Jun 9 10:39:21 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 9 Jun 2009 16:39:21 +0200
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To: <4A2E43A0.2050306@spacething.org>
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org>
Message-ID: <20090609143921.GY290@greenie.muc.de>

Hi,

On Tue, Jun 09, 2009 at 12:12:32PM +0100, Sam Stickland wrote:
> I notice that in all the Cisco marketing material it talks repeatedly
> about how the guest's security profile will migrate with the VM.
> However, as far as I can tell NX-OS only offers non-stateful ACLs and no
> inspection so I'm not sure it's really that useful?

Well, you need to put this in relation to the "standard" VMware switch - which can't do ACLs, and where nothing whatsoever will migrate but everything (VLAN setup etc) needs to be properly prepared beforehand for VMotion to work...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From linux.yahoo at gmail.com Tue Jun 9 11:25:40 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Jun 2009 17:25:40 +0200
Subject: [c-nsp] VPLS & FRR (RSVP Fast Reroute)
Message-ID: <7100ed370906090825u5e4d4d9fiaa8bc568141f19f0@mail.gmail.com>

Hello,

Is it possible to deploy MPLS VPLS by using RSVP instead of LDP?

I need FRR feature ;)

Thanks & Best Regards,
Manu

From tstevens at cisco.com Tue Jun 9 11:42:36 2009
From: tstevens at cisco.com (Tim Stevenson)
Date: Tue, 09 Jun 2009 08:42:36 -0700
Subject: [c-nsp] Policy Based Routing on Cisco 6500
In-Reply-To: <4B9493F0-E907-4D93-A4C4-F4E7DCF6194A@arbor.net>
References: <4B9493F0-E907-4D93-A4C4-F4E7DCF6194A@arbor.net>
Message-ID: <200906091542.n59FgakC013593@sj-core-3.cisco.com>

Correct. See:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer3.html#wpmkr1033564

"The Policy Feature Card (PFC) and any Distributed Feature Cards (DFCs) provide hardware support for policy-based routing (PBR) for route-map sequences that use the match ip address, set ip next-hop, and ip default next-hop PBR keywords."

HTH,
Tim

At 05:01 AM 6/9/2009, Roland Dobbins proclaimed:
>On Jun 9, 2009, at 6:00 PM, Shine Joseph wrote:
>
> > I am wondering if there any performance issue with using PBR on a
> > Cisco 6500 with Sup720?
>
>I think (correction welcome) that it only works in hardware based upon
>matching an extended ACL - any attempt to do things like match on
>packet size, etc. results in software switching.
>
>PBR by its nature is operationally brittle and ugly; if there's
>another way to accomplish one's goal, it's generally best to pursue an
>alternate method, if at all possible.
>
>-----------------------------------------------------------------------
>Roland Dobbins //
><http://www.arbornetworks.com>
>
> Unfortunately, inefficiency scales really well.
> > -- Kevin Lawton > >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at >http://puck.nether.net/pipermail/cisco-nsp/ Tim Stevenson, tstevens at cisco.com Routing & Switching CCIE #5561 Technical Marketing Engineer, Cisco Nexus 7000 Cisco - http://www.cisco.com IP Phone: 408-526-6759 ******************************************************** The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only. From sthaug at nethelp.no Tue Jun 9 11:51:09 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Tue, 09 Jun 2009 17:51:09 +0200 (CEST) Subject: [c-nsp] VPLS & FRR (RSVP Fast Reroute) In-Reply-To: <7100ed370906090825u5e4d4d9fiaa8bc568141f19f0@mail.gmail.com> References: <7100ed370906090825u5e4d4d9fiaa8bc568141f19f0@mail.gmail.com> Message-ID: <20090609.175109.74673745.sthaug@nethelp.no> > Is it possible to deploy MPLS VPLS by using RSVP instead of LDP? > > I need FRR feature ;) Yes, it's called Juniper. Steinar Haug, Nethelp consulting, sthaug at nethelp.no From linux.yahoo at gmail.com Tue Jun 9 11:54:09 2009 From: linux.yahoo at gmail.com (Manu Chao) Date: Tue, 9 Jun 2009 17:54:09 +0200 Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500 In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7BE25CA@xmb-ams-331.emea.cisco.com> References: <78C984F8939D424697B15E4B1C1BB3D7B75617@xmb-ams-331.emea.cisco.com> <78C984F8939D424697B15E4B1C1BB3D7BE25CA@xmb-ams-331.emea.cisco.com> Message-ID: <7100ed370906090854y681a4828u8eb1a5b96fde6526@mail.gmail.com> SIP400/SIP600 is 7600 only too no? On Thu, Jun 4, 2009 at 5:29 PM, Arie Vayner (avayner) wrote: > Yes, this is true, ES20 is 7600 only (I missed the 6500 angle here ;-) ) > > We can do VPLS with SIP400 (lower BW) or SIP600 (higher BW). 
> > > > BTW, There is also support for MPLSoGRE > > > > Arie > > > > From: Marlon Duksa [mailto:mduksa at gmail.com] > Sent: Thursday, June 04, 2009 17:10 > To: Arie Vayner (avayner) > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500 > > > > Thanks Arie. But ES cards are not supported on Cat6500, no? And also > VPLS over MPLS on a SIP in Cat6500 - is it supported? If so do you know > which SIP? > > Thanks, > > Marlon > > On Wed, Jun 3, 2009 at 9:19 PM, Arie Vayner (avayner) > wrote: > > Marlon, > > If you have DFCs on the regular LAN cards, then EoMPLS and L3VPN will be > done in hardware and in distributed forwarding mode. > For VPLS, you need to have either an ES20/ES40 card or a SIP card facing > the core. Having this card means that again VPLS is done in hardware - > some functionality is done on the regular DFCs and some on the egress > core facing module. > > Arie > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa > Sent: Thursday, June 04, 2009 02:07 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500 > > Hi -Does anyone know which cards on Cat6500 support MPLS > and separately IP-VPN, posibly at 40Gbps throughput? I'm looking for a > distributed (DFC) forwarding solution? > > I know that Cat6500 is very limited in VPLS support, but IP-VPN and > EoMPLS > should be no problem, right? 
> > Thanks, > Marlon > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From linux.yahoo at gmail.com Tue Jun 9 11:55:16 2009 From: linux.yahoo at gmail.com (Manu Chao) Date: Tue, 9 Jun 2009 17:55:16 +0200 Subject: [c-nsp] VPLS & FRR (RSVP Fast Reroute) In-Reply-To: <20090609.175109.74673745.sthaug@nethelp.no> References: <7100ed370906090825u5e4d4d9fiaa8bc568141f19f0@mail.gmail.com> <20090609.175109.74673745.sthaug@nethelp.no> Message-ID: <7100ed370906090855sef8c88ao51a6121b4d102e71@mail.gmail.com> i know junos very well thanks ;) On Tue, Jun 9, 2009 at 5:51 PM, wrote: > > Is it possible to deploy MPLS VPLS by using RSVP instead of LDP? > > > > I need FRR feature ;) > > Yes, it's called Juniper. > > Steinar Haug, Nethelp consulting, sthaug at nethelp.no > From gert at greenie.muc.de Tue Jun 9 12:09:00 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 9 Jun 2009 18:09:00 +0200 Subject: [c-nsp] hung vty on SXH3a? In-Reply-To: <4A2E1E62.8020301@imperial.ac.uk> References: <20090603071609.GY290@greenie.muc.de> <20090609072046.GR290@greenie.muc.de> <4A2E1E62.8020301@imperial.ac.uk> Message-ID: <20090609160900.GZ290@greenie.muc.de> Hi, On Tue, Jun 09, 2009 at 09:33:38AM +0100, Phil Mayers wrote: > Gert Doering wrote: > >On Mon, Jun 08, 2009 at 09:39:08PM -0500, Frank Bulk - iName.com wrote: > >>Have you tried the SNMP approach? > > > >What is "the SNMP approach"? > > You can use SNMP to close the TCP connection. 
> Our local docs reckon:
>
> snmpwalk -c READCOMM -v 2c ROUTER .1.3.6.1.2.1.6.13.1.1
>
> ...to get a list of connections, then:
>
> snmpset -c WRITECOMM -v 2c ROUTER
> .1.3.6.1.2.1.6.13.1.1.locip.locport.remip.remport integer 12

Thanks. Indeed, there *is* a connection, stuck in CLOSEWAIT state. Knowing what to look for, I can see it with "show tcp" as well, and can clear it with "clear tcp tcb...".

I'm not sure whether it actually helped anything - now the session is in "CLOSED" state, the VTY is still stuck, and the TCP session refuses to "really" go away... :-(

But thanks for the explanation :-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From avayner at cisco.com Tue Jun 9 12:23:31 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 9 Jun 2009 18:23:31 +0200
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
In-Reply-To: <7100ed370906090854y681a4828u8eb1a5b96fde6526@mail.gmail.com>
References: <78C984F8939D424697B15E4B1C1BB3D7B75617@xmb-ams-331.emea.cisco.com> <78C984F8939D424697B15E4B1C1BB3D7BE25CA@xmb-ams-331.emea.cisco.com> <7100ed370906090854y681a4828u8eb1a5b96fde6526@mail.gmail.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7BE3340@xmb-ams-331.emea.cisco.com>

Not that I am aware of...

http://www.cisco.com/en/US/products/hw/switches/ps708/products_relevant_interfaces_and_modules.html

Arie

From: Manu Chao [mailto:linux.yahoo at gmail.com]
Sent: Tuesday, June 09, 2009 18:54
To: Arie Vayner (avayner)
Cc: Marlon Duksa; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500

SIP400/SIP600 is 7600 only too no?
On Thu, Jun 4, 2009 at 5:29 PM, Arie Vayner (avayner) wrote:

Yes, this is true, ES20 is 7600 only (I missed the 6500 angle here ;-) )

We can do VPLS with SIP400 (lower BW) or SIP600 (higher BW).

BTW, there is also support for MPLSoGRE

Arie

From: Marlon Duksa [mailto:mduksa at gmail.com]
Sent: Thursday, June 04, 2009 17:10
To: Arie Vayner (avayner)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500

Thanks Arie. But ES cards are not supported on Cat6500, no? And also VPLS over MPLS on a SIP in Cat6500 - is it supported? If so, do you know which SIP?

Thanks,
Marlon

On Wed, Jun 3, 2009 at 9:19 PM, Arie Vayner (avayner) wrote:

Marlon,

If you have DFCs on the regular LAN cards, then EoMPLS and L3VPN will be done in hardware and in distributed forwarding mode.
For VPLS, you need to have either an ES20/ES40 card or a SIP card facing the core. Having this card means that again VPLS is done in hardware - some functionality is done on the regular DFCs and some on the egress core facing module.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
Sent: Thursday, June 04, 2009 02:07
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500

Hi - Does anyone know which cards on Cat6500 support MPLS and separately IP-VPN, possibly at 40Gbps throughput? I'm looking for a distributed (DFC) forwarding solution.

I know that Cat6500 is very limited in VPLS support, but IP-VPN and EoMPLS should be no problem, right?
Thanks,
Marlon

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ibrahim.abozaid at gmail.com Tue Jun 9 12:26:18 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 9 Jun 2009 19:26:18 +0300
Subject: [c-nsp] HSRP and Standby router
Message-ID:

Hi All

I was studying an HSRP scenario which is a little bit different from what I used to work on. We have 2 routers connected with access ports to an internal box which has 2 direct physical layer-2 links to both routers, and HSRP is running between VLAN SVIs on both routers across an L2 EtherChannel between them.

If the physical link to the active router fails, the client will ARP the standby router for the MAC of the HSRP group IP. My question here is: will the standby router answer ARP requests while it still detects that the active router is still alive via HSRP over the EtherChannel between them? And if yes, what MAC address will it answer with? The active router owns the group vMAC address, so if the standby replies, will it reply with its BIA address and L2-switch the traffic to the active router?

Waiting for opinions and your experience share.

best regards
--Ibrahim

From ip at ioshints.info Tue Jun 9 12:54:09 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 9 Jun 2009 18:54:09 +0200
Subject: [c-nsp] Policy Based Routing on Cisco 6500
In-Reply-To: <4B9493F0-E907-4D93-A4C4-F4E7DCF6194A@arbor.net>
References: <4B9493F0-E907-4D93-A4C4-F4E7DCF6194A@arbor.net>
Message-ID: <003801c9e922$e98c84b0$0a00000a@nil.si>

> PBR by its nature is operationally brittle and ugly; if
> there's another way to accomplish one's goal, it's generally
> best to pursue an alternate method, if at all possible.
Absolutely, forcefully agree :)

While this is a bit off-topic, here's an example of what you can do with a distance-vector routing protocol:

http://www.nil.com/ipcorner/ScalablePolicyRouting/

MPLS + BGP or MPLS TE can also solve numerous issues for which people tend to use PBR.

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

From oliver.gorwits at oucs.ox.ac.uk Tue Jun 9 14:03:32 2009
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Tue, 09 Jun 2009 19:03:32 +0100
Subject: [c-nsp] ACL creation and editing tool suggestions?
In-Reply-To: <4A2CD950.70704@uk.clara.net>
References: <4A2CD950.70704@uk.clara.net>
Message-ID: <4A2EA3F4.60306@oucs.ox.ac.uk>

David Freedman wrote:
> A newcomer to the 12.4(T) train is "ACL Object Groups"

Some time ago I wrote a couple of Perl modules to help generate these for FWSM type devices. They might still be useful:

http://search.cpan.org/perldoc?Net::Cisco::ObjectGroup
http://search.cpan.org/perldoc?Net::Cisco::AccessList::Extended

regards,
--
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services

From tvarriale at comcast.net Tue Jun 9 13:22:22 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 9 Jun 2009 12:22:22 -0500
Subject: [c-nsp] hung vty on SXH3a?
References: <20090603071609.GY290@greenie.muc.de><20090609072046.GR290@greenie.muc.de><4A2E1E62.8020301@imperial.ac.uk> <20090609160900.GZ290@greenie.muc.de>
Message-ID:

Odd, I've been seeing similar problems lately in ASA 8.x code with IPv6 SSH connections...when IPv6 isn't enabled.

Maybe the same team writes the management code?
:)

tv

----- Original Message -----
From: "Gert Doering"
To: "Phil Mayers"
Cc: "Gert Doering" ;
Sent: Tuesday, June 09, 2009 11:09 AM
Subject: Re: [c-nsp] hung vty on SXH3a?

From vandry at TZoNE.ORG Tue Jun 9 13:31:52 2009
From: vandry at TZoNE.ORG (Phil Vandry)
Date: Tue, 9 Jun 2009 13:31:52 -0400
Subject: [c-nsp] Opensource tool to measure Jitter for VoIP
In-Reply-To: <1244465167.7701.8.camel@home-desktop>
References: <1244465167.7701.8.camel@home-desktop>
Message-ID: <20090609173152.GA14962@OZoNE.TZoNE.ORG>

On Mon, Jun 08, 2009 at 07:46:06AM -0500, Bryan Campbell wrote:
> You cannot measure VOIP (sip) jitter using ICMP tools. You will only

s/sip/RTP/

[snip using Wireshark VoIP analysis]

> If you can't find jitter in this manner, it cannot be found. If it
> cannot be found, it doesn't exist.

This will be true as long as you are monitoring close to the receiving end. Otherwise you will miss jitter that is introduced by the network beyond your monitoring point. This means you may want to have two monitoring points for bidirectional voice traffic: one close to each receiving end.

On Mon, Jun 08, 2009 at 10:06:21AM -0400, Eric Van Tol wrote:
> What are the legal ramifications to this? While I like to think
> that "it's my network, I'll do what I want to measure its performance",

You could avoid problems by capturing (Wireshark or tcpdump) using a limited snapshot length. You do not need the payload to perform jitter analysis, so "tcpdump -s 50" might be safer (14 bytes Ethernet + 20 IP + 8 UDP + 8 RTP header).
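Worked example of what those 50 bytes still let you compute, added here as an illustration and not part of Phil Vandry's post: it parses constructed frames truncated exactly as "tcpdump -s 50" would store them and runs the RFC 3550 interarrival jitter estimator per flow, keying flows by the UDP 4-tuple because the SSRC (RTP bytes 8-11) is already beyond the snaplen. The 8 kHz G.711 clock, addresses and ports are assumptions.

```python
import struct

ETH_LEN = 14
RTP_HDR_KEPT = 8      # V/P/X/CC, M/PT, sequence, timestamp: all 50 bytes keep
SNAPLEN = 50
CLOCK_HZ = 8000       # assumption: G.711 at 8 kHz; use the codec's RTP clock rate


def parse_frame(frame):
    """Return ((src, sport, dst, dport), seq, rtp_timestamp) for an
    IPv4/UDP/RTP frame, or None for anything else. The SSRC sits at RTP
    bytes 8-11, beyond the snaplen, so flows are keyed by the UDP 4-tuple."""
    if len(frame) < ETH_LEN + 20 + 8 + RTP_HDR_KEPT:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # IPv4 only
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17:                    # UDP only
        return None
    udp = ip[ihl:]
    if len(udp) < 8 + RTP_HDR_KEPT:
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    rtp = udp[8:]
    if rtp[0] >> 6 != 2:                                  # RTP version 2
        return None
    seq, ts = struct.unpack("!HI", rtp[2:8])
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return (src, sport, dst, dport), seq, ts


def analyse(packets, clock_hz=CLOCK_HZ):
    """packets: iterable of (arrival_seconds, frame_bytes) in capture order.
    Returns {flow: {"packets", "lost", "jitter_ms"}} using the RFC 3550
    running estimator J = J + (|D| - J)/16 with D = (R_j - R_i) - (S_j - S_i),
    where arrival times R are converted to RTP clock ticks first."""
    flows = {}
    for arrival, frame in packets:
        parsed = parse_frame(frame)
        if parsed is None:
            continue                        # ARP, TCP, non-RTP, truncated
        flow, seq, ts = parsed
        transit = arrival * clock_hz - ts
        st = flows.get(flow)
        if st is None:
            flows[flow] = {"packets": 1, "lost": 0, "jitter": 0.0,
                           "seq": seq, "transit": transit}
            continue
        st["packets"] += 1
        gap = (seq - st["seq"] - 1) & 0xFFFF
        if gap < 0x8000:                    # forward gap: count as loss
            st["lost"] += gap               # (reordered/duplicate: ignored)
        d = abs(transit - st["transit"])
        st["jitter"] += (d - st["jitter"]) / 16.0
        st["seq"], st["transit"] = seq, transit
    return {flow: {"packets": st["packets"], "lost": st["lost"],
                   "jitter_ms": 1000.0 * st["jitter"] / clock_hz}
            for flow, st in flows.items()}


def build_frame(src, sport, dst, dport, seq, ts, ssrc=0x1234ABCD):
    """Constructed Ethernet/IPv4/UDP/RTP frame with 160 bytes of G.711,
    truncated to SNAPLEN bytes exactly as 'tcpdump -s 50' would store it."""
    rtp = struct.pack("!BBHII", 0x80, 0, seq, ts, ssrc) + b"\xd5" * 160
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rtp), 0) + rtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return (eth + ip + udp)[:SNAPLEN]


def sample_capture():
    """Constructed capture: one 20 ms G.711 stream, sequence 0-7, with seq 4
    lost and seq 3 held 30 ms by the network, plus an ARP frame to be skipped."""
    flow = ("10.0.0.1", 40000, "10.0.0.2", 50000)
    packets = [(0.005, b"\xff" * 12 + b"\x08\x06" + b"\x00" * 40)]   # ARP
    for seq in (0, 1, 2, 3, 5, 6, 7):
        arrival_ms = 20 * seq + (30 if seq == 3 else 0)
        packets.append((arrival_ms / 1000.0,
                        build_frame(*flow, seq=seq, ts=160 * seq)))
    return packets


if __name__ == "__main__":
    for flow, result in analyse(sample_capture()).items():
        print(flow, result)   # jitter_ms 3.1929..., lost 1, packets 7
```

The same code run on frames from the other direction gives the jitter seen at the other receiving end, which is why two capture points are needed for a bidirectional call.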
-Phil

From linux.yahoo at gmail.com Tue Jun 9 14:39:22 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Tue, 9 Jun 2009 20:39:22 +0200
Subject: [c-nsp] MPLS/IP-VPN capable cards on Cat 6500
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7BE3340@xmb-ams-331.emea.cisco.com>
References: <78C984F8939D424697B15E4B1C1BB3D7B75617@xmb-ams-331.emea.cisco.com> <78C984F8939D424697B15E4B1C1BB3D7BE25CA@xmb-ams-331.emea.cisco.com> <7100ed370906090854y681a4828u8eb1a5b96fde6526@mail.gmail.com> <78C984F8939D424697B15E4B1C1BB3D7BE3340@xmb-ams-331.emea.cisco.com>
Message-ID: <7100ed370906091139n7afa958em4ff1927b9adc907d@mail.gmail.com>

Thanks Arie

On Tue, Jun 9, 2009 at 6:23 PM, Arie Vayner (avayner) wrote:
> Not that I am aware of...
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_relevant_interfaces_and_modules.html
>
> Arie

From ayourtch at cisco.com Tue Jun 9 15:16:11 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Tue, 9 Jun 2009 21:16:11 +0200 (CEST)
Subject: [c-nsp] ASA IPv6 SSH Re: hung vty on SXH3a?
In-Reply-To:
References: <20090603071609.GY290@greenie.muc.de><20090609072046.GR290@greenie.muc.de><4A2E1E62.8020301@imperial.ac.uk> <20090609160900.GZ290@greenie.muc.de>
Message-ID:

On Tue, 9 Jun 2009, Tony Varriale wrote:

> Odd, I've been seeing similar problems lately in ASA 8.x code with IPv6 SSH
> connections...when IPv6 isn't enabled.
>
> Maybe the same team writes the management code? :)

Nope, they are different. :)

If you have more details / case# for the ASA IPv6 SSH issue - please unicast the details, let's take a look.

(yes, I work in TAC and yes, I am interested in ensuring we sort out this IPv6-related issue :)

cheers,
andrew

From mb at adv.gcomm.com.au Tue Jun 9 19:05:31 2009
From: mb at adv.gcomm.com.au (mb at adv.gcomm.com.au)
Date: Wed, 10 Jun 2009 09:05:31 +1000
Subject: [c-nsp] BGP -> OSPF (Or another way?)
Message-ID: <20090610090531.uwoq6f82pgesoo8g@webmail.datafx.com.au>

Hi,

We are receiving a /24 from one of our upstreams that we need to redistribute into our IGP (OSPF), so that all of our cores are aware that they can reach this /24 primarily through this upstream (then, if this upstream is down, traffic destined to this /24 would go via our other upstreams).

I know redistributing bgp->ospf is considered a bad idea, but other than adding a static route, is there another option?

Under ospf would it be

redistribute bgp xxx route-map SUBNET_TO_INJECT_FROM_BGP

With the above route map's ACL only allowing the /24 we are interested in?

Thanks in advance.
-------------------------------------------------------------------------
This e-mail was sent via GCOMM WebMail
http://www.gcomm.com.au/

From mulitskiy at acedsl.com Tue Jun 9 18:37:06 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Tue, 9 Jun 2009 18:37:06 -0400
Subject: [c-nsp] RTL-8139 NIC in WS-X6348-RJ-45 - no link
Message-ID: <200906091837.06067.mulitskiy@acedsl.com>

Hello,

I have some very strange problem. I have 2 old servers that I still need to support that have an RTL-8139 NIC on-board. For some reason, if I connect them to a WS-X6348-RJ-45 in a 6500 the link doesn't come up whatever I do. If I connect them to another switch - I tried 3500XL and 8500 - then everything is OK and the link comes up as it should.

Is anyone aware of some kind of incompatibility between Realtek and WS-X6348-RJ-45? Is there any knob to turn?

Thanks,
Michael

From dale.shaw+cisco-nsp at gmail.com Tue Jun 9 19:34:22 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 10 Jun 2009 09:34:22 +1000
Subject: [c-nsp] BGP -> OSPF (Or another way?)
In-Reply-To: <20090610090531.uwoq6f82pgesoo8g@webmail.datafx.com.au>
References: <20090610090531.uwoq6f82pgesoo8g@webmail.datafx.com.au>
Message-ID: <3329cbb40906091634p1a7a8017rdb7e206368ca0ebc@mail.gmail.com>

Hi,

On Wed, Jun 10, 2009 at 9:05 AM, wrote:
> I know redistributing bgp->ospf is considered a bad idea, but other than
> adding a static route, is there another option?

You could use a 'reliable static' (using IP SLA and the 'track' keyword on the 'ip route' command) and redistribute that, but I'm not sure it's any 'better' in this case, as long as you're only ever redistributing a small number of routes.
You could probably get quicker convergence this way, depending on how connectivity to the upstream fails.

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

Assuming you pursue the BGP -> OSPF redistribution --

> Under ospf would it be
> redistribute bgp xxx route-map SUBNET_TO_INJECT_FROM_BGP

Don't forget the 'subnets' keyword.

> With the above route maps acl only allowing the /24 we are interested in?

Depending on your route-map config, yeah.

ip prefix-list BGP_TO_OSPF permit 192.168.55.0/24
!
route-map SUBNET_TO_INJECT_FROM_BGP
 match ip address prefix-list BGP_TO_OSPF
!
router ospf 1
 redistribute bgp 12345 subnets route-map SUBNET_TO_INJECT_FROM_BGP

This will inject anything matched in the 'BGP_TO_OSPF' prefix-list into OSPF as a type-2 external ("O E2") route. This'll turn your BGP router into an OSPF ASBR, if it's not already. Make sure it's not in a stub area.

cheers,
Dale

From max.reid at saikonetworks.com Tue Jun 9 19:41:25 2009
From: max.reid at saikonetworks.com (Maxwell Reid)
Date: Tue, 9 Jun 2009 16:41:25 -0700
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To: <20090609143921.GY290@greenie.muc.de>
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org> <20090609143921.GY290@greenie.muc.de>
Message-ID: <8E7FB9F5-4AF2-49D1-8DDF-9A95F9F913B5@saikonetworks.com>

The ACLs on the vswitch/nexus are only part of the security equation. It's using them in combination with vShield Zones at the ESX level (new feature of v4) that yields the best results.

~Max

On Jun 9, 2009, at 7:39 AM, Gert Doering wrote:

> Hi,
>
> On Tue, Jun 09, 2009 at 12:12:32PM +0100, Sam Stickland wrote:
>> I notice that in all the Cisco marketing material it talks repeatedly
>> about how the guest's security profile will migrate with the VM.
>> However, as far as I can tell NX-OS only offers non-stateful ACLs
>> and no
>> inspection so I'm not sure it's really that useful?
>
> Well, you need to put this in relation to the "standard" VMware switch
> - which can't do ACLs, and where nothing whatsoever will migrate but
> everything (VLAN setup etc) needs to be properly prepared beforehand
> for VMotion to work...
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From Kris.Amy at EIP.net.au Tue Jun 9 19:43:08 2009
From: Kris.Amy at EIP.net.au (Kris Amy)
Date: Wed, 10 Jun 2009 09:43:08 +1000
Subject: [c-nsp] BGP -> OSPF (Or another way?)
In-Reply-To: <20090610090531.uwoq6f82pgesoo8g@webmail.datafx.com.au>
Message-ID:

You could run iBGP from your borders into your core.

On 10/06/09 9:05 AM, "mb at adv.gcomm.com.au" wrote:

> I know redistributing bgp->ospf is considered a bad idea, but other than adding a static route, is there another option?
--
Kind Regards,
Kris Amy
Enterprise IP
Phone: 07 3123 5510 National: 1300 347 287 Fax: 1300 347 329 Direct: 07 3123 5511
Email: kris.amy at eip.net.au

From rdobbins at arbor.net Tue Jun 9 20:00:36 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 10 Jun 2009 07:00:36 +0700
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To: <8E7FB9F5-4AF2-49D1-8DDF-9A95F9F913B5@saikonetworks.com>
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org> <20090609143921.GY290@greenie.muc.de> <8E7FB9F5-4AF2-49D1-8DDF-9A95F9F913B5@saikonetworks.com>
Message-ID: <7B1AB359-3C4C-49C4-B566-54056F489D46@arbor.net>

On Jun 10, 2009, at 6:41 AM, Maxwell Reid wrote:

> It's using them in combination with vShield Zones at the ESX level
> (new feature of v4) that yields the best results.

It's also important to note that all of this runs in software, and is thus subject to the performance limitations thereof.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From mark.r.zipp at gmail.com Tue Jun 9 21:16:32 2009
From: mark.r.zipp at gmail.com (Mark Zipp)
Date: Wed, 10 Jun 2009 10:46:32 +0930
Subject: [c-nsp] Non-Cisco SFPs (i.e. Finisar) in TwinGig modules on a 4900M?
In-Reply-To: <20090609111109.GA22755@danton.fire-world.de>
References: <20090609111109.GA22755@danton.fire-world.de>
Message-ID:

Hi Sebastian,

2009/6/9 Sebastian Wiesinger :
> * Mark Zipp [2009-06-09 09:33]:
>> Hi,
>>
>> Does anybody know if the 'service unsupported-transceiver' command is
>> supported on the 4900Ms?
>> We're intending to use Finisar 1000BaseLX
>> SFPs.
>
> I can confirm this:
>
> NAME: "Converter 3/2", DESCR: "Converter Module"
> PID: CVR-X2-SFP        , VID: V01  , SN: CAT111058P7
>
> NAME: "GigabitEthernet3/11", DESCR: "1000BaseSX"
> PID: Unspecified       , VID:      , SN: FNS11172H80
>
> Don't forget to use
>
> hw-module module X port-group Y select gigabitethernet
>
> or you'll get some not-so-helpful errors (in older IOS versions).
>

Thanks very much for that info - it'll save us $000s!

Regards,
Mark.

> --
> GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
>            -- Terry Pratchett, The Fifth Elephant
>

From mksmith at adhost.com Tue Jun 9 21:58:15 2009
From: mksmith at adhost.com (Michael K. Smith)
Date: Tue, 09 Jun 2009 18:58:15 -0700
Subject: [c-nsp] BGP -> OSPF (Or another way?)
In-Reply-To: <20090610090531.uwoq6f82pgesoo8g@webmail.datafx.com.au>
Message-ID:

On 6/9/09 4:05 PM, "mb at adv.gcomm.com.au" wrote:

> I know redistributing bgp->ospf is considered a bad idea, but other
> than adding a static route, is there another option?
>

I think, as Kris said, you should be running iBGP to distribute external routes through your network.
This keeps the two processes and associated routes nicely separated. Setting up an iBGP mesh should be as easy as a single network statement on each of your connected devices towards every other (unless you want to use route reflectors).

Regards,

Mike

From Skeeve at eintellego.net Tue Jun 9 22:22:25 2009
From: Skeeve at eintellego.net (Skeeve Stevens)
Date: Wed, 10 Jun 2009 12:22:25 +1000
Subject: [c-nsp] PA-GE GBIC-T Support?
Message-ID: <292AF25E62B8894C921B893B53A19D97394469E479@BUSINESSEX.business.ad>

Does anyone know if the GBIC-T is officially supported in the PA-GE (for 7200's)?

We're actually running these in a dozen routers but until the other day have never noticed it saying:

GigabitEthernet2/0 is up, line protocol is up
  Hardware is WISEMAN, address is 0005.5f23.b41c (bia 0005.5f23.b438)
  ...
  Full-duplex, 1000Mb/s, link type is autonegotiation, media type is unknown media type

But... it is fully working, and has been since it was installed with no errors.

This page: http://www.cisco.com/en/US/products/hw/modules/ps2033/products_data_sheet09186a0080091ce7.html

Only mentions:

1000Base-SX
1000Base-LX/LH
1000Base-ZX

This may or may not be an old page, but the GBIC-T is not mentioned anywhere, though, maybe importantly, it does not say that it "isn't" supported.

My googling for any commentary on the PA-GE with GBIC-T has resulted in nothing.

Thoughts anyone?

--
Skeeve Stevens, CEO/Technical Director
eintellego Pty Ltd - The Networking Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
--
NOC, NOC, who's there?

Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient.
eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced.

From clinton at scripty.com Tue Jun 9 23:38:01 2009
From: clinton at scripty.com (Clinton Work)
Date: Tue, 09 Jun 2009 21:38:01 -0600
Subject: [c-nsp] PA-GE GBIC-T Support?
In-Reply-To: <292AF25E62B8894C921B893B53A19D97394469E479@BUSINESSEX.business.ad>
References: <292AF25E62B8894C921B893B53A19D97394469E479@BUSINESSEX.business.ad>
Message-ID: <4A2F2A99.8010803@scripty.com>

The topic has been discussed before. Sounds like it works, but isn't officially supported.

http://markmail.org/message/ozlmnboj6ytph4tq

Skeeve Stevens wrote:
> Does anyone know if the GBIC-T is officially supported in the PA-GE (for 7200's).
>
> We're actually running these in a dozen routers but until the other day have never noticed it saying:
>
> GigabitEthernet2/0 is up, line protocol is up
>
>

--
==================================================================
Clinton Work
Airdrie, AB

From achatz at forthnet.gr Wed Jun 10 04:10:01 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 10 Jun 2009 11:10:01 +0300
Subject: [c-nsp] Inter-AS EoMPLS/VPLS
Message-ID: <4A2F6A59.2000100@forthnet.gr>

Does anyone have any experience?
I can see it's supported only on IOS-XR, so the 7600 is out of the question (any plans?).

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.7/mpls/configuration/guide/gc37v2.html#wp1100339

--
Tassos

From ibrahim.abozaid at gmail.com Wed Jun 10 04:30:05 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Wed, 10 Jun 2009 11:30:05 +0300
Subject: [c-nsp] HSRP and Standby router
Message-ID:

Hi All

I was studying an HSRP scenario which is a little bit different from what I used to work on. We have 2 routers connected with access ports to an internal box which has 2 direct physical layer-2 links to both routers, and HSRP is running between VLAN SVIs on both routers across an L2 EtherChannel between them.

If the physical link to the active router fails, the client will ARP the standby router for the MAC of the HSRP group IP. My question here is: will the standby router answer ARP requests while it still detects that the active router is still alive via HSRP over the EtherChannel between them? And if yes, what MAC address will it answer with? The active router owns the group vMAC address, so if the standby replies, will it reply with its BIA address and L2-switch the traffic to the active router?

Waiting for opinions and your experience share.

best regards
--Ibrahim

From llc at dansketelecom.com Wed Jun 10 04:34:51 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Wed, 10 Jun 2009 10:34:51 +0200
Subject: [c-nsp] Inter-AS EoMPLS/VPLS
In-Reply-To: <4A2F6A59.2000100@forthnet.gr>
References: <4A2F6A59.2000100@forthnet.gr>
Message-ID: <44417CD2F19FEA4F885088340A71D33201F0E6FD@mail.office.dansketelecom.com>

Hi Tassos,

You could do inter-AS EoMPLS by using Pseudo Wire stitching/switching, which is supported on 12.2(33)SRC on the 7600. It's done as a kind of VPLS domain, however it can only handle one neighbour.

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292

Danske Telecom A/S
Sundkrogsgade 13, 4
2100 København Ø
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos Chatzithomaoglou
Sent: 10. juni 2009 10:10
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Inter-AS EoMPLS/VPLS

Does anyone have any experience?

From sam_mailinglists at spacething.org Wed Jun 10 05:56:46 2009
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Wed, 10 Jun 2009 10:56:46 +0100
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To:
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org>
Message-ID: <4A2F835E.1090204@spacething.org>

From rdobbins at arbor.net Wed Jun 10 06:12:48 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 10 Jun 2009 17:12:48 +0700
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To: <4A2F835E.1090204@spacething.org>
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org> <4A2F835E.1090204@spacething.org>
Message-ID: <0BABBA46-C1B8-40B2-B1A3-95F69BD458A8@arbor.net>

From rdobbins at arbor.net Wed Jun 10 06:34:04 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 10 Jun 2009 17:34:04 +0700
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To: <4A2F8AEE.4010904@spacething.org>
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org> <4A2F835E.1090204@spacething.org> <4A2F8AEE.4010904@spacething.org>
Message-ID: <1F20BA2C-C258-4ABF-A626-415B17B7A4A9@arbor.net>

From sam_mailinglists at spacething.org Wed Jun 10 06:29:02 2009
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Wed, 10 Jun 2009 11:29:02 +0100
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To: <4A2F835E.1090204@spacething.org>
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org> <4A2F835E.1090204@spacething.org>
Message-ID: <4A2F8AEE.4010904@spacething.org>

From snar at snar.spb.ru Wed Jun 10 05:11:59 2009
From: snar at snar.spb.ru (Alexandre Snarskii)
Date: Wed, 10 Jun 2009 13:11:59 +0400
Subject: [c-nsp] Inter-AS EoMPLS/VPLS
In-Reply-To: <4A2F6A59.2000100@forthnet.gr>
References: <4A2F6A59.2000100@forthnet.gr>
Message-ID: <20090610091159.GA73066@snar.spb.ru>

From j.varaillon at cosmoline.com Wed Jun 10 05:30:05 2009
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Wed, 10 Jun 2009 12:30:05 +0300
Subject: [c-nsp] BGP -> OSPF (Or another way?)
In-Reply-To: <20090610090531.uwoq6f82pgesoo8g@webmail.datafx.com.au>
References: <20090610090531.uwoq6f82pgesoo8g@webmail.datafx.com.au>
Message-ID: <011701c9e9ae$0a20c1b0$1e624510$%varaillon@cosmoline.com>

From peter at rathlev.dk Wed Jun 10 07:26:31 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 10 Jun 2009 13:26:31 +0200
Subject: [c-nsp] HSRP and Standby router
In-Reply-To:
References:
Message-ID: <1244633191.6034.13.camel@localhost.localdomain>

On Wed, 2009-06-10 at 11:30 +0300, Ibrahim Abo Zaid wrote:
> I was studying some HSRP scenario which is little bit different than
> what used to work on , we have 2 routers connected with access ports
> to internal box which has 2 direct physical layer-2 links to both
> routers and HSRP is running between VLAN SVIs on both routers across
> L2 ether-channel between them
>
> if physical link to active router fail , the client will ARP standby
> router for MAC of HSRP group IP , my question here is standby router
> will answer ARP requests while it still detect that active router is
> still alive from HSRP over etherchannel between them ? and if yes ,
> what MAC address it will answer with ? the active router owns group
> vmac address so if standby reply it will reply with bia address and
> L2-switch the traffic to active router ?

Assuming that the routers bridge the access connection and the connection between them, thus forming a triangular bridge domain, then if only one physical access link fails and the connection between the routers is still active, the HSRP role will not move between the two routers. As long as they can see each other somehow, HSRP is stable.

This is effectively a ring topology where any one link may fail without impacting the forwarding ability. The spanning tree might need to be recalculated, so it might introduce a short-ish pause.
Traffic from access towards the HSRP standby IP might be switched through the inactive HSRP member, and this might not be the most effective way of switching, maybe introducing congestion, but traffic would still end up in the right place. OTOH if the two routers lose L2 contact they will both go active. (Though if the router has no active ports in the VLAN the SVI should go "line protocol down" and not try to participate in HSRP.) You can expect loss of connectivity towards the gateway for a full HSRP hold-time interval, default 10 seconds. AFAIK the standby HSRP unit will not answer ARP queries in this period. ARP entries need not be updated since the MAC address of the standby IP address stays the same. A topology change notification, sent out when there are changes in the physical topology, will flush all MAC address tables, helping this part of the convergence. I may not have understood your question completely though. :-) -- Peter Rathlev From peter at rathlev.dk Wed Jun 10 09:52:13 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 10 Jun 2009 15:52:13 +0200 Subject: [c-nsp] 3750E and X2-10GB-ZR compatibility? Message-ID: <1244641933.7592.25.camel@localhost.localdomain> Just a quick question: The 3750E doesn't support X2-10GB-ZR tranceivers[1], only up to ER. Using "service unsupported-transceiver" I can get the switch to recognize the transceiver, but will I be able to get a link with it? It's for testing part of a fiber stretch, so it's not for production. Does anybody have any experience that can confirm or deny any of the following: - Could it damage the transceiver? - Could it damage the switch? - Would I be able to get link up with it? (The other end is a similar transceiver in a WS-X6708-10GE-3C module.) - If I got link up, could I trust this to generally work? The problem is that the last part of the stretch isn't finished yet, and it's a little much to carry around a 6506 chassis for testing purposes. 
(We have OTDR btw, just want to do a "live" test.)

Thanks in advance.

--
Peter Rathlev

[1]: http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6974.html#wp48759 (http://tinyurl.com/yooxks)

From max.reid at saikonetworks.com Wed Jun 10 10:32:31 2009
From: max.reid at saikonetworks.com (Maxwell Reid)
Date: Wed, 10 Jun 2009 07:32:31 -0700
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To: <7B1AB359-3C4C-49C4-B566-54056F489D46@arbor.net>
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org> <20090609143921.GY290@greenie.muc.de> <8E7FB9F5-4AF2-49D1-8DDF-9A95F9F913B5@saikonetworks.com> <7B1AB359-3C4C-49C4-B566-54056F489D46@arbor.net>

On Jun 9, 2009, at 5:00 PM, Roland Dobbins wrote:

>
> On Jun 10, 2009, at 6:41 AM, Maxwell Reid wrote:
>
>> It's using them in combination with vShield Zones at the ESX level
>> (new feature of v4) that yields the best results.
>
> It's also important to note that all of this runs in software, and
> is thus subject to the performance limitations thereof.

When you're talking about a box with 16-32 3 GHz cores and 128 GB of RAM with offloading NIC/CNAs that "software" is pretty speedy. A single host running 3 VMs can go as high as 350,000 IOPS/sec from a storage perspective, and handle high PPS loads w/ 10GbE at line rate. Even "hardware" appliances like the ASA bootstrap off what appears to be KVM and handle multiple contexts in software; and you really only need specialized ASICs as part of the forwarding plane of high end routers.

~Max

>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jcposeidon at cantv.net Wed Jun 10 11:33:33 2009
From: jcposeidon at cantv.net (Juan C. Crespo R.)
Date: Wed, 10 Jun 2009 11:03:33 -0430
Subject: [c-nsp] Cisco DSLAM ?
Message-ID: <4A2FD24D.2060703@cantv.net>

Guys

Does any of you know a good DSLAM for HDSL & ADSL?

Thanks

From paul at paulstewart.org Wed Jun 10 12:28:51 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 10 Jun 2009 12:28:51 -0400
Subject: [c-nsp] Cisco DSLAM ?
In-Reply-To: <4A2FD24D.2060703@cantv.net>
References: <4A2FD24D.2060703@cantv.net>
Message-ID: <000001c9e9e8$8abbfcb0$a033f610$@org>

Occam... ;)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan C. Crespo R.
Sent: Wednesday, June 10, 2009 11:34 AM
To: Cisco Post NSP
Cc: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco DSLAM ?

Guys

Does any of you know a good DSLAM for HDSL & ADSL?

Thanks

From panocisco77 at gmail.com Wed Jun 10 12:40:48 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Wed, 10 Jun 2009 12:40:48 -0400
Subject: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B
Message-ID: <16e2ac180906100940p850db43na2c1e7ea8e463184@mail.gmail.com>

I have a brand new 6509-E with WS-SUP32-GE-3B booting up in rommon> mode. I was able to type the command boot so it can look for the right code to boot up, but after I configured the switch I turned it off and turned it back on, it booted up in rommon mode again and everything was lost.

I know someone had upgraded the IOS and I am sure that's what is causing the problem, and I know there is a command I can type to fix the problem but I can't remember it or find it on the web. Can someone please help me out with this?

Renelson

From avayner at cisco.com Wed Jun 10 12:46:17 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 10 Jun 2009 18:46:17 +0200
Subject: [c-nsp] Cisco DSLAM ?
In-Reply-To: <4A2FD24D.2060703@cantv.net>
References: <4A2FD24D.2060703@cantv.net>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7C48BF7@xmb-ams-331.emea.cisco.com>

Juan,

Cisco has not made DSLAMs for a long time now...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan C. Crespo R.
Sent: Wednesday, June 10, 2009 18:34
To: Cisco Post NSP
Cc: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco DSLAM ?

Guys

Does any of you know a good DSLAM for HDSL & ADSL?

Thanks

From avayner at cisco.com Wed Jun 10 12:50:31 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 10 Jun 2009 18:50:31 +0200
Subject: [c-nsp] HSRP and Standby router
In-Reply-To: <1244633191.6034.13.camel@localhost.localdomain>
References: <1244633191.6034.13.camel@localhost.localdomain>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7C48BFA@xmb-ams-331.emea.cisco.com>

I think this document can provide more insight:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_Infra2_5/DCInfra_6.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Wednesday, June 10, 2009 14:27
To: Ibrahim Abo Zaid
Cc: cisco at groupstudy.com; cisco_nsp
Subject: Re: [c-nsp] HSRP and Standby router

On Wed, 2009-06-10 at 11:30 +0300, Ibrahim Abo Zaid wrote:
> I was studying some HSRP scenario which is little bit different than
> what used to work on, we have 2 routers connected with access ports
> to internal box which has 2 direct physical layer-2 links to both
> routers and HSRP is running between VLAN SVIs on both routers across
> L2 ether-channel between them
>
> if physical link to active router fail, the client will ARP standby
> router for MAC of HSRP group IP, my question here is standby router
> will answer ARP requests while it still detect that active router is
> still alive from HSRP over etherchannel between them? and if yes,
> what MAC address it will answer with? the active router owns group
> vmac address so if standby reply it will reply with bia address and
> L2-switch the traffic to active router?

Assuming that the routers bridge the access connection and the connection between them, thus forming a triangular bridge domain, then if only one physical access link fails and the connection between the routers is still active the HSRP role will not move between the two routers. As long as they can see each other somehow the HSRP is stable. This is effectively a ring topology where any one link may fail without impacting the forwarding ability. The spanning tree might need to be recalculated, so it might introduce a short-ish pause.

Traffic from access towards the HSRP standby IP might be switched through the inactive HSRP member, and this might not be the most effective way of switching, maybe introducing congestion, but traffic would still end up in the right place.

OTOH if the two routers lose L2 contact they will both go active. (Though if the router has no active ports in the VLAN the SVI should go "line protocol down" and not try to participate in HSRP.) You can expect loss of connectivity towards the gateway for a full HSRP hold-time interval, default 10 seconds. AFAIK the standby HSRP unit will not answer ARP queries in this period.
ARP entries need not be updated since the MAC address of the standby IP address stays the same. A topology change notification, sent out when there are changes in the physical topology, will flush all MAC address tables, helping this part of the convergence.

I may not have understood your question completely though. :-)

--
Peter Rathlev

From aaron at wsc.ma.edu Wed Jun 10 13:24:34 2009
From: aaron at wsc.ma.edu (Childs, Aaron)
Date: Wed, 10 Jun 2009 13:24:34 -0400
Subject: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B
In-Reply-To: <16e2ac180906100940p850db43na2c1e7ea8e463184@mail.gmail.com>
References: <16e2ac180906100940p850db43na2c1e7ea8e463184@mail.gmail.com>
Message-ID: <3760B7E1B344364AA0384B231FE7BA6901BBF92B31@ex-be1.ads.wsc.ma.edu>

Hi Renelson,

What's the configuration register set to? (sh boot) once you're in IOS. 0x0 will bring you to rommon every time, 0x2102 will boot the sup using the config file.

Aaron

-------------
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Renelson Panosky
Sent: Wednesday, June 10, 2009 12:41 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B

I have a brand new 6509-E with WS-SUP32-GE-3B booting up in rommon> mode. I was able to type the command boot so it can look for the right code to boot up, but after I configured the switch I turned it off and turned it back on, it booted up in rommon mode again and everything was lost.

I know someone had upgraded the IOS and I am sure that's what is causing the problem, and I know there is a command I can type to fix the problem but I can't remember it or find it on the web. Can someone please help me out with this?

Renelson

From paul at paulstewart.org Wed Jun 10 13:25:01 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 10 Jun 2009 13:25:01 -0400
Subject: [c-nsp] IPTV Switch Recommendation
Message-ID: <000801c9e9f0$638170a0$2a8451e0$@org>

Hi there. We have a customer that does lots of IPTV - they have a new deployment currently going into an MDU (condos). They have asked for a recommended switch that is "IPTV friendly" - I'm presuming they mean multicast aware etc.

Which Cisco switches would be recommended to handoff approximately 20 Cat5 drops fed by fiber coming in?

Cheers,
Paul

From masood at nexlinx.net.pk Wed Jun 10 14:29:51 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Wed, 10 Jun 2009 23:29:51 +0500 (PKT)
Subject: [c-nsp] Cisco DSLAM ?
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7C48BF7@xmb-ams-331.emea.cisco.com>
References: <4A2FD24D.2060703@cantv.net> <78C984F8939D424697B15E4B1C1BB3D7C48BF7@xmb-ams-331.emea.cisco.com>
Message-ID: <27388.196.46.241.57.1244658591.squirrel@nexmail1.nexlinx.net.pk>

Yup, Cisco does not make DSLAMs anymore. I think the Paradyne guys are doing a great job in fact. http://www.paradyne.com/

Regards,
Masood

> Juan,
>
> Cisco has not made DSLAMs for a long time now...
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan C. Crespo
> R.
> Sent: Wednesday, June 10, 2009 18:34
> To: Cisco Post NSP
> Cc: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco DSLAM ?
>
> Guys
>
> Does any of you know a good DSLAM for HDSL & ADSL?
>
> Thanks

From swmike at swm.pp.se Wed Jun 10 13:56:51 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 10 Jun 2009 19:56:51 +0200 (CEST)
Subject: [c-nsp] IPTV Switch Recommendation
In-Reply-To: <000801c9e9f0$638170a0$2a8451e0$@org>
References: <000801c9e9f0$638170a0$2a8451e0$@org>

On Wed, 10 Jun 2009, Paul Stewart wrote:

> Which Cisco switches would be recommended to handoff approximately 20
> Cat5 drops fed by fiber coming in?

3560/3750 seems to work well for this.

--
Mikael Abrahamsson email: swmike at swm.pp.se

From ed at edgeoc.net Wed Jun 10 14:00:41 2009
From: ed at edgeoc.net (Edward Salonia)
Date: Wed, 10 Jun 2009 18:00:41 +0000
Subject: [c-nsp] IPTV Switch Recommendation
Message-ID: <900802754-1244656846-cardhu_decombobulator_blackberry.rim.net-62317833-@bxe1048.bisx.prod.on.blackberry>

Take a look at the ME3400 series.

- Ed

------Original Message------
From: Paul Stewart
Sender: cisco-nsp-bounces at puck.nether.net
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPTV Switch Recommendation
Sent: Jun 10, 2009 1:25 PM

Hi there. We have a customer that does lots of IPTV - they have a new deployment currently going into an MDU (condos). They have asked for a recommended switch that is "IPTV friendly" - I'm presuming they mean multicast aware etc.

Which Cisco switches would be recommended to handoff approximately 20 Cat5 drops fed by fiber coming in?
Cheers,
Paul

From savage at savage.za.org Wed Jun 10 14:09:37 2009
From: savage at savage.za.org (Chris Knipe)
Date: Wed, 10 Jun 2009 20:09:37 +0200
Subject: [c-nsp] IPTV Switch Recommendation
In-Reply-To: <000801c9e9f0$638170a0$2a8451e0$@org>
References: <000801c9e9f0$638170a0$2a8451e0$@org>
Message-ID: <20090610180937.GA27437@fusion.opticnetworks.net>

On 10/06/09 13:25 -0400, Paul Stewart wrote:
>We have a customer that does lots of IPTV - they have a new deployment
>currently going into an MDU (condos). They have asked for a recommended
>switch that is "IPTV friendly" - I'm presuming they mean multicast aware
>etc.
>
>Which Cisco switches would be recommended to handoff approximately 20 Cat5
>drops fed by fiber coming in?

We're going through the same story at this stage. Working with a lot of vendors, testing, and trials. So far for us, a combination of entry level 2960s and 3560s are working fine. You are correct, the most important thing is Multicast and IGMP subscriptions, so pretty much any half decent switch would be capable. Ciscos naturally just work best for us though because we love them so much.

--
Chris.

From jeff-kell at utc.edu Wed Jun 10 14:27:17 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 10 Jun 2009 14:27:17 -0400
Subject: [c-nsp] IPTV Switch Recommendation
In-Reply-To: <20090610180937.GA27437@fusion.opticnetworks.net>
References: <000801c9e9f0$638170a0$2a8451e0$@org> <20090610180937.GA27437@fusion.opticnetworks.net>
Message-ID: <4A2FFB05.1050709@utc.edu>

Chris Knipe wrote:
> We're going through the same story at this stage. Working with a lot
> of vendors, testing, and trials. So far for us, a combination of entry
> level 2960s and 3560s are working fine. You are correct, the most
> important thing is Multicast and IGMP subscriptions, so pretty much
> any half decent switch would be capable.

Reminds me... do you need the "LAN Base" version to make it fly, or will "LAN Lite" work?

(or for the 3560s, IP Base or IP Services?)

Jeff

From savage at savage.za.org Wed Jun 10 14:29:43 2009
From: savage at savage.za.org (Chris Knipe)
Date: Wed, 10 Jun 2009 20:29:43 +0200
Subject: [c-nsp] IPTV Switch Recommendation
In-Reply-To: <4A2FFB05.1050709@utc.edu>
References: <000801c9e9f0$638170a0$2a8451e0$@org> <20090610180937.GA27437@fusion.opticnetworks.net> <4A2FFB05.1050709@utc.edu>
Message-ID: <20090610182943.GA29875@fusion.opticnetworks.net>

On 10/06/09 14:27 -0400, Jeff Kell wrote:
>Chris Knipe wrote:
>> We're going through the same story at this stage. Working with a lot
>> of vendors, testing, and trials. So far for us, a combination of entry
>> level 2960s and 3560s are working fine. You are correct, the most
>> important thing is Multicast and IGMP subscriptions, so pretty much
>> any half decent switch would be capable.
>
>Reminds me... do you need the "LAN Base" version to make it fly, or will
>"LAN Lite" work?

Didn't even know there is a LAN Lite :( All our switches run LAN Base

--
Chris

From rshughes at gmail.com Wed Jun 10 14:54:55 2009
From: rshughes at gmail.com (Ryan Hughes)
Date: Wed, 10 Jun 2009 14:54:55 -0400
Subject: [c-nsp] IPTV Switch Recommendation
In-Reply-To: <4A2FFB05.1050709@utc.edu>
References: <000801c9e9f0$638170a0$2a8451e0$@org> <20090610180937.GA27437@fusion.opticnetworks.net> <4A2FFB05.1050709@utc.edu>

It "depends" - largely on the type of Multicast you're rolling out.

I had mixed results with 3560's running IP Base versus IP Services for SSM/AutoRP roll out. Depending on your requirements you could maybe get IP Base to work but best results were with IP Services.

Ryan

On Wed, Jun 10, 2009 at 2:27 PM, Jeff Kell wrote:

> Chris Knipe wrote:
> > We're going through the same story at this stage. Working with a lot
> > of vendors, testing, and trials. So far for us, a combination of entry
> > level 2960s and 3560s are working fine. You are correct, the most
> > important thing is Multicast and IGMP subscriptions, so pretty much
> > any half decent switch would be capable.
>
> Reminds me... do you need the "LAN Base" version to make it fly, or will
> "LAN Lite" work?
>
> (or for the 3560s, IP Base or IP Services?)
>
> Jeff

From amgnetforums at gmail.com Wed Jun 10 15:45:45 2009
From: amgnetforums at gmail.com (amgnetforums)
Date: Wed, 10 Jun 2009 20:45:45 +0100
Subject: [c-nsp] IPTV Switch Recommendation
References: <000801c9e9f0$638170a0$2a8451e0$@org> <20090610180937.GA27437@fusion.opticnetworks.net> <4A2FFB05.1050709@utc.edu>
Message-ID: <4A300D69.9060501@gmail.com>

Ryan Hughes wrote:
> It "depends" - largely on the type of Multicast you're rolling out.
>
> I had mixed results with 3560's running IP Base versus IP Services for
> SSM/AutoRP roll out. Depending on your requirements you could maybe get IP
> Base to work but best results were with IP Services.
>
> Ryan
>
> On Wed, Jun 10, 2009 at 2:27 PM, Jeff Kell wrote:
>
>> Chris Knipe wrote:
>>
>>> We're going through the same story at this stage. Working with a lot
>>> of vendors, testing, and trials. So far for us, a combination of entry
>>> level 2960s and 3560s are working fine. You are correct, the most
>>> important thing is Multicast and IGMP subscriptions, so pretty much
>>> any half decent switch would be capable.
>>>
>> Reminds me... do you need the "LAN Base" version to make it fly, or will
>> "LAN Lite" work?
>>
>> (or for the 3560s, IP Base or IP Services?)
>>
>> Jeff

Hi

We use ME3400 with metro ip access image. ssm works perfect. Have a look at the following links for some guidelines.

http://www.cisco.com/en/US/products/ps6902/products_implementation_design_guide_book09186a00806b5b4c.html
http://www.cisco.com/en/US/partner/products/ps6902/products_implementation_design_guide_book09186a0080665c4c.html

Anthony

From tarko at lanparty.ee Wed Jun 10 15:12:57 2009
From: tarko at lanparty.ee (Tarko Tikan)
Date: Wed, 10 Jun 2009 22:12:57 +0300
Subject: [c-nsp] IPTV Switch Recommendation
In-Reply-To: <000801c9e9f0$638170a0$2a8451e0$@org>
References: <000801c9e9f0$638170a0$2a8451e0$@org>
Message-ID: <1244660866-sup-9497@valgus>

hey,

> We have a customer that does lots of IPTV - they have a new deployment
> currently going into an MDU (condos). They have asked for a recommended
> switch that is "IPTV friendly" - I'm presuming they mean multicast aware
> etc.

I have been down this road - don't waste your time with "cheaper" vendors, you will end up replacing the gear anyway.

> Which Cisco switches would be recommended to handoff approximately 20 Cat5
> drops fed by fiber coming in?

2960 does a fine job. You now get all the security features that were available on 3750 only, on 2960 too. ME2400 used to be an alternative but it always looked like a box made for one customer and it's EOS now anyway.

--
tarko

From tkacprzynski at SpencerStuart.com Wed Jun 10 15:55:59 2009
From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com)
Date: Wed, 10 Jun 2009 14:55:59 -0500
Subject: [c-nsp] WS-X6148-RJ21 Ethernet Modules
In-Reply-To: <4A300D69.9060501@gmail.com>
References: <000801c9e9f0$638170a0$2a8451e0$@org> <20090610180937.GA27437@fusion.opticnetworks.net> <4A2FFB05.1050709@utc.edu> <4A300D69.9060501@gmail.com>

Hello

I was wondering if anyone has any experience using the RJ21 modules for 6500 Catalyst? Any good things to say? Any bad things to say? Regrets deploying it? This would be for access switches.

Thank you,
Tom

From shinejoseph at dodo.com.au Wed Jun 10 16:42:26 2009
From: shinejoseph at dodo.com.au (Shine Joseph)
Date: Thu, 11 Jun 2009 04:42:26 +0800
Subject: [c-nsp] WLC discovery
Message-ID: <58C3E1A533144637A09B8082C7489B21@au.didata.local>

Hi,

A Cisco WLC4402 is configured and working alright. All of the APs currently are in the same subnet and hence the discovery does not require DHCP Option 43 or DNS. I want to add another AP that is in a different. When the AP tries to register with the WLC, it registers momentarily and unregisters. This has happened for either DHCP option and DNS discovery.

I am sure there is something I have not done to get this working. Can anyone suggest something that I should try?

Thanks in advance,

Shine

From eng_mssk at hotmail.com Wed Jun 10 17:09:37 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 11 Jun 2009 00:09:37 +0300
Subject: [c-nsp] Cisco DSLAM ?
In-Reply-To: <4A2FD24D.2060703@cantv.net>
References: <4A2FD24D.2060703@cantv.net>

you can use Paradyne DSLAMs or Alcatel ISAMs (IP DSLAMs)

> Date: Wed, 10 Jun 2009 11:03:33 -0430
> From: jcposeidon at cantv.net
> To: cisco-nsp-request at puck.nether.net
> CC: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco DSLAM ?
>
> Guys
>
> Does any of you know a good DSLAM for HDSL & ADSL?
>
> Thanks

From A.L.M.Buxey at lboro.ac.uk Wed Jun 10 17:11:31 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Wed, 10 Jun 2009 22:11:31 +0100
Subject: [c-nsp] WLC discovery
In-Reply-To: <58C3E1A533144637A09B8082C7489B21@au.didata.local>
References: <58C3E1A533144637A09B8082C7489B21@au.didata.local>
Message-ID: <20090610211131.GA9779@lboro.ac.uk>

Hi,

> Hi,
>
> A Cisco WLC4402 is configured and working alright. All of the APs currently
> are in the same subnet and hence the discovery does not require DHCP Option
> 43 or DNS. I want to add another AP that is in a different. When the AP
> tries to register with the WLC, it registers momentarily and unregisters.
> This has happened for either DHCP option and DNS discovery.
>
> I am sure there is something I have not done to get this working. Can
> anyone suggest something that I should try?

is master controller mode turned on?

alan

From shinejoseph at dodo.com.au Wed Jun 10 17:14:08 2009
From: shinejoseph at dodo.com.au (Shine Joseph)
Date: Thu, 11 Jun 2009 05:14:08 +0800
Subject: [c-nsp] WLC discovery
Message-ID: <29674A7372B443BDBC917147C67A32B7@au.didata.local>

Thanks Mike for the quick response.

That means I have to have physical access to the APs which are already mounted on the ceiling. I am in the process of moving this AP to another subnet and I have some 18 of them to be moved from a single subnet to different subnets.

I can see this AP registers momentarily and de-registers. We are running code 5.1.
When the AP registers I can go to its configuration page and I see Hardware reset and Reset to Factory defaults.

Any help is appreciated.

Thanks,
Shine

----- Original Message -----
From: "Kaegler, Mike"
To: "Shine Joseph" ;
Sent: Thursday, June 11, 2009 4:50 AM
Subject: Re: [c-nsp] WLC discovery

> Boot the AP with the Mode button down to reset its parameter memory.
> If that doesn't help, hook into console and watch the messages.
> If that doesn't help, execute some 'debug [...]' statements on the same
> console.
> -porkchop
>
>
> On 6/10/09 4:42 PM, "Shine Joseph" wrote:
>
>> Hi,
>>
>> A Cisco WLC4402 is configured and working alright. All of the APs
>> currently are in the same subnet and hence the discovery does not require
>> DHCP Option 43 or DNS. I want to add another AP that is in a different.
>> When the AP tries to register with the WLC, it registers momentarily and
>> unregisters. This has happened for either DHCP option and DNS discovery.
>>
>> I am sure there is something I have not done to get this working. Can
>> anyone suggest something that I should try?
>>
>> Thanks in advance,
>>
>> Shine
>
> --
> Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
> Your wireless success, nothing less. http://www.tessco.com/
>

From shinejoseph at dodo.com.au Wed Jun 10 17:18:37 2009
From: shinejoseph at dodo.com.au (Shine Joseph)
Date: Thu, 11 Jun 2009 05:18:37 +0800
Subject: [c-nsp] WLC discovery
References: <58C3E1A533144637A09B8082C7489B21@au.didata.local> <20090610211131.GA9779@lboro.ac.uk>
Message-ID: <523AE2E8DAAC4990BDA1EB865ECB8630@au.didata.local>

Hi,

There is only one controller and I believe this is the master controller. Do you know where I could check this?

Thanks,
Shine

----- Original Message -----
To: "Shine Joseph"
Sent: Thursday, June 11, 2009 5:11 AM
Subject: Re: [c-nsp] WLC discovery

> Hi,
>> Hi,
>>
>> A Cisco WLC4402 is configured and working alright. All of the APs
>> currently are in the same subnet and hence the discovery does not require
>> DHCP Option 43 or DNS. I want to add another AP that is in a different.
>> When the AP tries to register with the WLC, it registers momentarily and
>> unregisters. This has happened for either DHCP option and DNS discovery.
>>
>> I am sure there is something I have not done to get this working. Can
>> anyone suggest something that I should try?
>
> is master controller mode turned on?
>
> alan

From KaeglerM at tessco.com Wed Jun 10 16:50:00 2009
From: KaeglerM at tessco.com (Kaegler, Mike)
Date: Wed, 10 Jun 2009 16:50:00 -0400
Subject: [c-nsp] WLC discovery
In-Reply-To: <58C3E1A533144637A09B8082C7489B21@au.didata.local>

Boot the AP with the Mode button down to reset its parameter memory.
If that doesn't help, hook into console and watch the messages.
If that doesn't help, execute some 'debug [...]' statements on the same console.
-porkchop

On 6/10/09 4:42 PM, "Shine Joseph" wrote:

> Hi,
>
> A Cisco WLC4402 is configured and working alright. All of the APs currently
> are in the same subnet and hence the discovery does not require DHCP Option 43
> or DNS. I want to add another AP that is in a different. When the AP tries to
> register with the WLC, it registers momentarily and unregisters. This has
> happened for either DHCP option and DNS discovery.
>
> I am sure there is something I have not done to get this working. Can anyone
> suggest something that I should try?
>
> Thanks in advance,
>
> Shine
>

--
Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
Your wireless success, nothing less. http://www.tessco.com/

From rwest at zyedge.com Wed Jun 10 17:30:32 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 10 Jun 2009 17:30:32 -0400
Subject: [c-nsp] WLC discovery
In-Reply-To: <29674A7372B443BDBC917147C67A32B7@au.didata.local>
References: <29674A7372B443BDBC917147C67A32B7@au.didata.local>
Message-ID: <8ED19A65-5326-45D3-9AB4-8ED342823302@zyedge.com>

Are you in Layer 2 or Layer 3 AP mode? I forget if this is the actual name, but you may need to switch to layer 3.

Sent from handheld.

On Jun 10, 2009, at 5:26 PM, "Shine Joseph" wrote:

> Thanks Mike for the quick response.
>
> That means I have to have physical access to the APs which are already
> mounted on the ceiling.
> I am in the process of moving this AP to another subnet and I have
> some 18
> of them to be moved from a single subnet to different subnets.
>
> I can see this AP registers momentarily and de-registers. We are
> running
> code 5.1.
>
> When the AP registers I can go to its configuration page and I see
> Hardware
> reset and Reset to Factory defaults.
>
> Any help is appreciated.
>
> Thanks,
> Shine
> ----- Original Message -----
> From: "Kaegler, Mike"
> To: "Shine Joseph" ;
>
> Sent: Thursday, June 11, 2009 4:50 AM
> Subject: Re: [c-nsp] WLC discovery
>
>
>> Boot the AP with the Mode button down to reset its parameter memory.
>> If that doesn't help, hook into console and watch the messages.
>> If that doesn't help, execute some 'debug [...]' statements on the
>> same
>> console.
>> -porkchop
>>
>>
>> On 6/10/09 4:42 PM, "Shine Joseph" wrote:
>>
>>> Hi,
>>>
>>> A Cisco WLC4402 is configured and working alright.
All of the APs >>> currently >>> are in the same subnet and hence the discovery do not require DHCP >>> Option >>> 43 >>> or DNS. I want to add another AP that is in a different. When the AP >>> tries to >>> register with the WLC, it registers momentarily and un registers. >>> This >>> has >>> happened for eithe DHCP option and DNS discovery. >>> >>> I am sure, there is something I have not done to get this working. >>> Can >>> anyone >>> suggest somthing that I should try? >>> >>> Thanks in advance, >>> >>> Shine >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> -- >> Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295 >> Your wireless success, nothing less. http://www.tessco.com/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From shinejoseph at dodo.com.au Wed Jun 10 17:49:10 2009 From: shinejoseph at dodo.com.au (Shine Joseph) Date: Thu, 11 Jun 2009 05:49:10 +0800 Subject: [c-nsp] WLC discovery References: <29674A7372B443BDBC917147C67A32B7@au.didata.local> <8ED19A65-5326-45D3-9AB4-8ED342823302@zyedge.com> Message-ID: <49E6C818867140B7A647B639486C81C8@au.didata.local> Yes it is in layer 3 mode ----- Original Message ----- From: "Ryan West" To: "Shine Joseph" Cc: "Kaegler, Mike" ; Sent: Thursday, June 11, 2009 5:30 AM Subject: Re: [c-nsp] WLC discovery Are you in Layer 2 or Layer 3 AP mode. I forget if this is the actual name, but you may need to switch to layer 3. Sent from handheld. On Jun 10, 2009, at 5:26 PM, "Shine Joseph" wrote: > Thanks Mike for the the quick response. > > That means I have to have physical access to the APs which are already > mounted on the ceiling. 
> I am in the process of moving this AP to another subnet and I have > some 18 > of them to be moved from a single subnet to different subnets. > > I can see this AP regsiters momentarily and de-registers. We are > running > code 5.1. > > When the AP regsiters I can go to its configuration page and I see > Hardware > reset and Reset to Factory defaults. > > Any help is appreciated. > > Thanks, > Shine > ----- Original Message ----- > From: "Kaegler, Mike" > To: "Shine Joseph" ; > > Sent: Thursday, June 11, 2009 4:50 AM > Subject: Re: [c-nsp] WLC discovery > > >> Boot the AP with the Mode button down to reset its parameter memory. >> If that doesn't help, hook into console and watch the messages. >> If that doesn't help, execute some 'debug [...]' statements on the >> same >> console. >> -porkchop >> >> >> On 6/10/09 4:42 PM, "Shine Joseph" wrote: >> >>> Hi, >>> >>> A Cisco WLC4402 is configured and working alright. All of the APs >>> currently >>> are in the same subnet and hence the discovery do not require DHCP >>> Option >>> 43 >>> or DNS. I want to add another AP that is in a different. When the AP >>> tries to >>> register with the WLC, it registers momentarily and un registers. >>> This >>> has >>> happened for eithe DHCP option and DNS discovery. >>> >>> I am sure, there is something I have not done to get this working. >>> Can >>> anyone >>> suggest somthing that I should try? >>> >>> Thanks in advance, >>> >>> Shine >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> -- >> Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295 >> Your wireless success, nothing less. 
http://www.tessco.com/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From KaeglerM at tessco.com Wed Jun 10 17:56:36 2009 From: KaeglerM at tessco.com (Kaegler, Mike) Date: Wed, 10 Jun 2009 17:56:36 -0400 Subject: [c-nsp] WLC discovery In-Reply-To: <49E6C818867140B7A647B639486C81C8@au.didata.local> Message-ID: Good call anyway, Ryan. Master mode will have no affect in this scenario, AFAIK. Master will only cause this controller to take priority over any other controllers if several share the same group, forcing new APs to land on the Master (knowing where they'd land makes for easier configuration during initial deployment). In the era of WCS, this is less of an issue. The only other things you can do are check firewalls between subnets (make sure both IPs are allowed, etc). You can try a few 'debug [...]' commands on the controller, but what you may really need is a ladder. -porkchop On 6/10/09 5:49 PM, "Shine Joseph" wrote: > Yes it is in layer 3 mode > > ----- Original Message ----- > From: "Ryan West" > To: "Shine Joseph" > Cc: "Kaegler, Mike" ; > Sent: Thursday, June 11, 2009 5:30 AM > Subject: Re: [c-nsp] WLC discovery > > > Are you in Layer 2 or Layer 3 AP mode. I forget if this is the actual > name, but you may need to switch to layer 3. > > Sent from handheld. > > On Jun 10, 2009, at 5:26 PM, "Shine Joseph" > wrote: > >> Thanks Mike for the the quick response. >> >> That means I have to have physical access to the APs which are already >> mounted on the ceiling. >> I am in the process of moving this AP to another subnet and I have >> some 18 >> of them to be moved from a single subnet to different subnets. >> >> I can see this AP regsiters momentarily and de-registers. We are >> running >> code 5.1. 
>> >> When the AP regsiters I can go to its configuration page and I see >> Hardware >> reset and Reset to Factory defaults. >> >> Any help is appreciated. >> >> Thanks, >> Shine >> ----- Original Message ----- >> From: "Kaegler, Mike" >> To: "Shine Joseph" ; >> >> Sent: Thursday, June 11, 2009 4:50 AM >> Subject: Re: [c-nsp] WLC discovery >> >> >>> Boot the AP with the Mode button down to reset its parameter memory. >>> If that doesn't help, hook into console and watch the messages. >>> If that doesn't help, execute some 'debug [...]' statements on the >>> same >>> console. >>> -porkchop >>> >>> >>> On 6/10/09 4:42 PM, "Shine Joseph" wrote: >>> >>>> Hi, >>>> >>>> A Cisco WLC4402 is configured and working alright. All of the APs >>>> currently >>>> are in the same subnet and hence the discovery do not require DHCP >>>> Option >>>> 43 >>>> or DNS. I want to add another AP that is in a different. When the AP >>>> tries to >>>> register with the WLC, it registers momentarily and un registers. >>>> This >>>> has >>>> happened for eithe DHCP option and DNS discovery. >>>> >>>> I am sure, there is something I have not done to get this working. >>>> Can >>>> anyone >>>> suggest somthing that I should try? >>>> >>>> Thanks in advance, >>>> >>>> Shine >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> >>> -- >>> Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295 >>> Your wireless success, nothing less. http://www.tessco.com/ >>> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295 Your wireless success, nothing less. 
http://www.tessco.com/

From dale.shaw+cisco-nsp at gmail.com Wed Jun 10 18:25:41 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Thu, 11 Jun 2009 08:25:41 +1000
Subject: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B
In-Reply-To: <3760B7E1B344364AA0384B231FE7BA6901BBF92B31@ex-be1.ads.wsc.ma.edu>
References: <16e2ac180906100940p850db43na2c1e7ea8e463184@mail.gmail.com> <3760B7E1B344364AA0384B231FE7BA6901BBF92B31@ex-be1.ads.wsc.ma.edu>
Message-ID: <3329cbb40906101525g2bf543fdu9ee4a7e74a429a31@mail.gmail.com>

Check the config-register, as Aaron suggests, but also check the SP's config-register.

#remote command switch show boot

If the RP shows 0x2102 but the SP is something else, that could be the problem. To fix, go into config mode on the RP and re-enter the 0x2102 config-register, ^Z, then write mem.

Cheers,
Dale

On Thu, Jun 11, 2009 at 3:24 AM, Childs, Aaron wrote:
> What's the configuration register set to? (sh boot) once you're in IOS. 0x0 will bring you to rommon every time, 0x2102 will boot the sup using the config file.
>
> Aaron
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Renelson Panosky
> Sent: Wednesday, June 10, 2009 12:41 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B
>
> I have a brand new 6509-E with WS-SUP32-GE-3B booting up in rommon> mode. I
> was able to type the command boot so it can look for the right code to boot
> up, but after I configured the switch I turned off and turned it back on, it
> boots up in rommon mode again and everything was lost. I know someone had
> upgraded the IOS and I am sure that's what's causing the problem and I know
> there is a command I can type to fix the problem but I can't remember it or
> find it on the web. Can someone please help me out with this?
>
> Renelson

From cayers at ena.com Wed Jun 10 19:08:06 2009
From: cayers at ena.com (Cory Ayers)
Date: Wed, 10 Jun 2009 18:08:06 -0500
Subject: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B
In-Reply-To: <3329cbb40906101525g2bf543fdu9ee4a7e74a429a31@mail.gmail.com>
References: <16e2ac180906100940p850db43na2c1e7ea8e463184@mail.gmail.com> <3760B7E1B344364AA0384B231FE7BA6901BBF92B31@ex-be1.ads.wsc.ma.edu> <3329cbb40906101525g2bf543fdu9ee4a7e74a429a31@mail.gmail.com>
Message-ID:

> Check the config-register, as Aaron suggests, but also check the SP's
> config-register.
>
> #remote command switch show boot
>
> If the RP shows 0x2102 but the SP is something else, that could be the
> problem. To fix, go into config mode on the RP and re-enter the 0x2102
> config-register, ^Z, then write mem.
>
> Cheers,
> Dale

While looking at show boot, you should also verify the boot variable. It may be necessary to explicitly specify the image filename.

show boot
BOOT variable = disk0:c7600s72033-advipservicesk9-mz.122-33.SRC2.bin,1;,1;

show star | i ^boot
boot-start-marker
boot system flash disk0:c7600s72033-advipservicesk9-mz.122-33.SRC2.bin
boot system flash
boot-end-marker

From rdobbins at arbor.net Wed Jun 10 21:16:00 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Thu, 11 Jun 2009 08:16:00 +0700
Subject: [c-nsp] Nexus V1000 - Feedback?
In-Reply-To:
References: <4A23F37A.60008@spacething.org> <4A2E43A0.2050306@spacething.org> <20090609143921.GY290@greenie.muc.de> <8E7FB9F5-4AF2-49D1-8DDF-9A95F9F913B5@saikonetworks.com> <7B1AB359-3C4C-49C4-B566-54056F489D46@arbor.net>
Message-ID:

On Jun 10, 2009, at 9:32 PM, Maxwell Reid wrote:

> you really only need specialized ASIC's as part of the forwarding
> plane of high end routers.

When you're talking about DDoS, that's what's needed; general-purpose CPUs on boxes running many different VM/OS/app stacks, or things like ASAs don't cut it.
That's why you don't see stateful firewalling in front of major public-facing properties; not only is it useless by definition in such scenarios, in which every single incoming connection is unsolicited, but it's a DDoS chokepoint due to the state instantiated and the limited resources available.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From jrhett at netconsonance.com Wed Jun 10 20:58:04 2009
From: jrhett at netconsonance.com (Jo Rhett)
Date: Wed, 10 Jun 2009 17:58:04 -0700
Subject: [c-nsp] full routing table / provider-class chassis
Message-ID: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>

I've been trying to spec Cisco for an upgrade of our Force10 backbone for nearly 2 months now. I'm just trying to clarify which platform Cisco recommends for full routing table/hardware forwarding/provider-class environments. Unfortunately every time I get through to the supposed right group, I mention our requirements and Cisco never follows up. It's almost like they realize they have nothing on Juniper and they don't even bother. They are about to be eliminated from the choices for lack of having an answer.

Until they decide to care, is there anyone on here willing to propose a basic platform for a provider-class environment? By which I mean

* Full IPv4 & v6 routing table (Cisco has 760k v4/260k v6 I know with SUP720/3CXL)
* ASIC-based line-rate forwarding (SUP720-3CXL and DFC-3CXL on each line card, right?)
* 196 ports copper 10/100/1000
* 40 ports SFP 1g (on two line cards, not one)
* 96+ BGP peers, 8-10 full routing table peers

Unfortunately, Cisco's partners are useless. They propose 6509s without the DFCs, which we know will fall over. And as I understand it, the 6509 even with the 3CXL cards can't handle 5 full peers, never mind 96 total peers.

Most people suggest the 7600 platform, but at least two comments on the mailing list indicate it isn't much better.

What are people using today for this kind of environment? Does it work?

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

From rdobbins at arbor.net Wed Jun 10 21:42:49 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Thu, 11 Jun 2009 08:42:49 +0700
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>
Message-ID:

On Jun 11, 2009, at 7:58 AM, Jo Rhett wrote:

> What are people using today for this kind of environment?

GSR, ASR 1K, CRS-1 all work quite well. Avoid 6500/7600 for edge applications due to NetFlow, uRPF, & ACL caveats (they're fine in the core).

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From kgraham at industrial-marshmallow.com Wed Jun 10 21:17:49 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Wed, 10 Jun 2009 18:17:49 -0700 (PDT)
Subject: [c-nsp] Location of 67xx rommon (c2lc-rm) images?
Message-ID: <499643.28801.qm@web1215.biz.mail.gq1.yahoo.com>

With the new and not so improved software download and documentation sites, does anyone know where to find rommon images and release notes for 6500 line cards? RP/SP images are linked under the 6500 download pages, but the only DFC-related link is for c6dfc3 (65xx/68xx DFC3, I believe).

Thanks.

From arup.ab at gmail.com Wed Jun 10 22:28:16 2009
From: arup.ab at gmail.com (Arup Bhattacharya)
Date: Thu, 11 Jun 2009 07:58:16 +0530
Subject: [c-nsp] need help.....
Message-ID: <643fa0f40906101928q7bb79ec4r3c568dfc69197c71@mail.gmail.com>

Why is VLAN 0 not configured in the switch, whereas the starting range of VLAN is 0 and the default VLAN is 1?

--
Regards,
Arup Bhattacharya
GSM-9748238797
-------------------------------------
Success is not final, failure is not fatal: it is the courage to continue that counts

From achatz at forthnet.gr Thu Jun 11 00:01:58 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 11 Jun 2009 07:01:58 +0300
Subject: [c-nsp] Location of 67xx rommon (c2lc-rm) images?
In-Reply-To: <499643.28801.qm@web1215.biz.mail.gq1.yahoo.com>
References: <499643.28801.qm@web1215.biz.mail.gq1.yahoo.com>
Message-ID: <4A3081B6.3040102@forthnet.gr>

Do a search for "c2lc-rm2.srec.122-18r.S1" and you'll find many download locations, i.e.

http://tools.cisco.com/support/downloads/go/IPCheck.x?defAdv=N&sftAdv=N&filename=c2lc-rm2.srec.122-18r.S1&advUrl=null&defInd=N&mdfid=281569550&sftType=IOS%20ROMMON%20Software&optPlat=&relVer=12.2(18r)S1&md5=cabfe0b596363489047c769baf9dc161&modifmdfid=281569550&imname=null&imst=N&hybrid=Y&modelName=Cisco%20Catalyst%206500%20Series%20Virtual%20Switching%20Supervisor%20Engine%20720%20with%2010GE%20uplinks&treeMdfId=268437717&treeName=Cisco%20Interfaces%20and%20Modules&edesignator=&fsd=&hasfsd=N&nodecount=0

or use the old -classic- one:

http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/lan/catalyst/6000/rommon/c2lc-rm2.srec.122-18r.S1

--
Tassos

Kevin Graham wrote on 11/06/2009 04:17:
> With the new and not so improved software download and documentation
> sites, does anyone know where to find rommon images and release notes
> for 6500 line cards? RP/SP images are linked under the 6500 download
> pages, but the only DFC-related link is for c6dfc3 (65xx/68xx DFC3,
> I believe).
>
> Thanks.

From spinthiras.mario at gmail.com Thu Jun 11 02:31:15 2009
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Thu, 11 Jun 2009 09:31:15 +0300
Subject: [c-nsp] Cisco DSLAM ?
In-Reply-To:
References: <4A2FD24D.2060703@cantv.net>
Message-ID: <4f890e580906102331r10937ac9yfb8859586248f60b@mail.gmail.com>

Haven't had much DSLAM hands-on but the Allied Telesis iMAP range is nice.

Regards,
Mario

From baimoung at inet.co.th Thu Jun 11 02:51:35 2009
From: baimoung at inet.co.th (Charuntorn Baimoung)
Date: Thu, 11 Jun 2009 13:51:35 +0700 (ICT)
Subject: [c-nsp] Finisar SFPs on 6500 and 2960
In-Reply-To: <4A3081B6.3040102@forthnet.gr>
References: <499643.28801.qm@web1215.biz.mail.gq1.yahoo.com> <4A3081B6.3040102@forthnet.gr>
Message-ID:

Has anyone ever used Finisar SFPs on a connection between a 6500 and a 2960? Both switches are compatible with Finisar SFPs.

Thanks

From eng_mssk at hotmail.com Thu Jun 11 03:21:01 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 11 Jun 2009 10:21:01 +0300
Subject: [c-nsp] MetroEthernet Switches
Message-ID:

Hey all,
we have ME-C3750-24TE switches
and we are using a product named redline for broadband leased lines
we are using power adapters between the redline and the switch port
if I connect the redline directly to the switch port, am I going to face any failure?

Input Power
The AN-80i is powered by the PoE power injector available in 90-264 VAC (50/60 Hz) or +/- 18-60 VDC versions.

Thanks in advance,

_________________________________________________________________
Show them the way! Add maps and directions to your party invites.
http://www.microsoft.com/windows/windowslive/products/events.aspx

From A.L.M.Buxey at lboro.ac.uk Thu Jun 11 03:54:16 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 11 Jun 2009 08:54:16 +0100
Subject: [c-nsp] WLC discovery
In-Reply-To: <523AE2E8DAAC4990BDA1EB865ECB8630@au.didata.local>
References: <58C3E1A533144637A09B8082C7489B21@au.didata.local> <20090610211131.GA9779@lboro.ac.uk> <523AE2E8DAAC4990BDA1EB865ECB8630@au.didata.local>
Message-ID: <20090611075416.GA12785@lboro.ac.uk>

Hi,

> Hi,
>
> There is only one controller and I believe this is the master controller.
> Do you know where I could check this? CLI or web interface.

on web interface it should be under controller menu. CLI is buried somewhere non intuitive ;-)

alan

From elmi at 4ever.de Thu Jun 11 06:28:31 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Thu, 11 Jun 2009 12:28:31 +0200
Subject: [c-nsp] need help.....
In-Reply-To: <643fa0f40906101928q7bb79ec4r3c568dfc69197c71@mail.gmail.com>
References: <643fa0f40906101928q7bb79ec4r3c568dfc69197c71@mail.gmail.com>
Message-ID: <20090611102831.GS1071@ronin.4ever.de>

arup.ab at gmail.com (Arup Bhattacharya) wrote:

> Why is VLAN 0 not configured in the switch, whereas the starting range of VLAN is 0
> and the default VLAN is 1?

There is no VLAN 0. "0" means "untagged".

From jcovini at free.fr Thu Jun 11 04:42:26 2009
From: jcovini at free.fr (jcovini at free.fr)
Date: Thu, 11 Jun 2009 10:42:26 +0200
Subject: [c-nsp] need help.....
In-Reply-To: <643fa0f40906101928q7bb79ec4r3c568dfc69197c71@mail.gmail.com>
References: <643fa0f40906101928q7bb79ec4r3c568dfc69197c71@mail.gmail.com>
Message-ID: <1244709746.4a30c3725a782@imp.free.fr>

C2950(config)#vlan 0
Command rejected: Bad VLAN list - character #2 (EOL) delimits a VLAN number (0) out of the range 1..4094.

But go and check the following doc, you will see that VLAN 0 can be used by a Cisco switch to forward DOT1P-tagged voice frames:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2970/software/release/12.1_19_ea1/configuration/guide/swvoip.html#wp1034347

According to Arup Bhattacharya:

> Why is VLAN 0 not configured in the switch, whereas the starting range of VLAN is 0
> and the default VLAN is 1?

From A.L.M.Buxey at lboro.ac.uk Thu Jun 11 04:44:29 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 11 Jun 2009 09:44:29 +0100
Subject: [c-nsp] WLC discovery
In-Reply-To:
References: <49E6C818867140B7A647B639486C81C8@au.didata.local>
Message-ID: <20090611084429.GB13857@lboro.ac.uk>

Hi,

> The only other things you can do are check firewalls between subnets (make
> sure both IPs are allowed, etc). You can try a few 'debug [...]' commands on
> the controller, but what you may really need is a ladder.

:-)

the AP joins..and then goes. when you move to l3 mode you rely on information such as DHCP responses or DNS entries for the AP to know what controller to talk to...hmm, but the AP does talk to the controller at some point.

AP debugging seems to be the best choice here - normally the output will be screaming out the issue. I wonder if it's joining, being told about a firmware update...unable to get that firmware update (via TFTP..can't recall) across the L3 link due to ACLs and then either just sitting there pretty or going through the cycle again?
alan

From avayner at cisco.com Thu Jun 11 03:56:00 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 11 Jun 2009 09:56:00 +0200
Subject: [c-nsp] MetroEthernet Switches
In-Reply-To:
References:
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7C48CFB@xmb-ams-331.emea.cisco.com>

Mohammad,

I would assume that the power adaptor is there in order to feed the AN-80i with power, as the ME-C3750-24TE switches are not PoE enabled.
If you remove it, I guess the AN-80i will not get power, and would not work...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Thursday, June 11, 2009 10:21
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MetroEthernet Switches

Hey all,
we have ME-C3750-24TE switches
and we are using a product named redline for broadband leased lines
we are using power adapters between the redline and the switch port
if I connect the redline directly to the switch port, am I going to face any failure?

Input Power
The AN-80i is powered by the PoE power injector available in 90-264 VAC (50/60 Hz) or +/- 18-60 VDC versions.

Thanks in advance,

From vedlabs at gmail.com Thu Jun 11 06:34:30 2009
From: vedlabs at gmail.com (Ved Labs)
Date: Thu, 11 Jun 2009 16:04:30 +0530
Subject: [c-nsp] MetroEthernet Switches
In-Reply-To:
References:
Message-ID: <7db92dcc0906110334r28781be5k4805d3cd41560002@mail.gmail.com>

Will you be using the DC to DC converter and use the RPS port for the same?

On Thu, Jun 11, 2009 at 12:51 PM, Mohammad Khalil wrote:
>
> Hey all,
> we have ME-C3750-24TE switches
> and we are using a product named redline for broadband leased lines
> we are using power adapters between the redline and the switch port
> if I connect the redline directly to the switch port, am I going to face
> any failure?
> Input Power
> The AN-80i is powered by the PoE power injector available in 90-264 VAC
> (50/60 Hz) or +/- 18-60 VDC versions.
>
> Thanks in advance,

From md at bts.sk Thu Jun 11 06:54:20 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Thu, 11 Jun 2009 12:54:20 +0200
Subject: [c-nsp] 3750E and X2-10GB-ZR compatibility?
In-Reply-To: <1244641933.7592.25.camel@localhost.localdomain>
References: <1244641933.7592.25.camel@localhost.localdomain>
Message-ID: <20090611105420.GA34090@bts.sk>

On Wed, Jun 10, 2009 at 03:52:13PM +0200, Peter Rathlev wrote:
> Just a quick question: The 3750E doesn't support X2-10GB-ZR
> transceivers[1], only up to ER. Using "service unsupported-transceiver" I
> can get the switch to recognize the transceiver, but will I be able to
> get a link with it?

There is nothing special about the X2-ZR units, they are fully compliant with X2 spec, just have longer reach. Lack of "support" means there's no entry in your IOS for ZR - but it was already added into 12.2(50)SE.

So either upgrade to 12.2(50)SE2 or use service unsupported-transceiver in your present IOS and everything will work as expected. We're using them in production with 12.2(44)SE1 for several months already.

With kind regards,

M.

From Skeeve at eintellego.net Thu Jun 11 08:00:16 2009
From: Skeeve at eintellego.net (Skeeve Stevens)
Date: Thu, 11 Jun 2009 22:00:16 +1000
Subject: [c-nsp] Cisco IP Phones and IPv6
Message-ID: <292AF25E62B8894C921B893B53A19D97394469E4CE@BUSINESSEX.business.ad>

Does anyone know if any of the SCCP or SIP images for any of the models of Cisco IP Phones support IPv6?

...Skeeve

--
Skeeve Stevens, CEO/Technical Director
eintellego Pty Ltd - The Networking Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
--
NOC, NOC, who's there?

Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced.

From david.freedman at uk.clara.net Thu Jun 11 09:41:48 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 11 Jun 2009 14:41:48 +0100
Subject: [c-nsp] Inter-AS EoMPLS/VPLS
In-Reply-To: <4A2F6A59.2000100@forthnet.gr>
References: <4A2F6A59.2000100@forthnet.gr>
Message-ID:

If you send labels via BGP for your xconnect endpoints then you can do it without this feature. (Just like RFC4364 Section 10(C))

It does mean however sending each other your /32s like you would if you had mutual IGP, just without the IGP.

Dave.

Tassos Chatzithomaoglou wrote:
> Does anyone have any experience?
>
> I can see it's supported only on IOS-XR, so 7600 it's out of the
> question (any plans?).
> http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.7/mpls/configuration/guide/gc37v2.html#wp1100339
>

From jfitz at Princeton.EDU Thu Jun 11 09:44:14 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 11 Jun 2009 09:44:14 -0400
Subject: [c-nsp] 3750 running jumbo frames ?
Message-ID: <987B409C-FF47-45CD-BF4D-C350D24B7EB3@princeton.edu>

We have the need to run two 3750 switches with jumbo frames (9000), for a high performance data transfer application.
Both switches will be managed by connections to a NON-JUMBO frame environment. (That is, if this will work)

If I enable jumbo frames (which is a global change) and leave the management interface MTU at 1500 so the switch will use 1500 as packet size for all management, are there any NEGATIVE ISSUES I should be aware of because of them being connected to the non-jumbo environment?

Thanks for any help,

Jeff Fitzwater
OIT Network Systems
Princeton University

From alexmoya at bellsouth.net Thu Jun 11 09:00:04 2009
From: alexmoya at bellsouth.net (Alex Moya)
Date: Thu, 11 Jun 2009 06:00:04 -0700 (PDT)
Subject: [c-nsp] Cisco IP Phones and IPv6
Message-ID: <933154.15438.qm@web180712.mail.sp1.yahoo.com>

I believe that 8.4 on the 7961 does

Sent from my iPhone

On Jun 11, 2009, at 8:00 AM, Skeeve Stevens wrote:

Does anyone know if any of the SCCP or SIP images for any of the models of Cisco IP Phones support IPv6?

...Skeeve

From jarruda-cnsp at jarruda.com Thu Jun 11 09:29:53 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Thu, 11 Jun 2009 09:29:53 -0400
Subject: [c-nsp] Cisco DSLAM ?
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7C48BF7@xmb-ams-331.emea.cisco.com>
References: <4A2FD24D.2060703@cantv.net> <78C984F8939D424697B15E4B1C1BB3D7C48BF7@xmb-ams-331.emea.cisco.com>
Message-ID: <4A3106D1.5010506@jarruda.com>

Arie Vayner (avayner) wrote:
> Juan,
>
> Cisco does not make DSLAMs for a long time now...
>

I wonder if there is any Next-Gen DLC that Cisco has been seeing/using in customers? In a previous life in NT, I remember Calix was quite popular in ANSI/T1 customers in the Caribbean market, so, if someone is looking at end-to-end solutions, would Cisco kit 'fit' better with any specific vendor (IOT and etc?).

> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan C. Crespo
> R.
> Sent: Wednesday, June 10, 2009 18:34
> To: Cisco Post NSP
> Cc: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco DSLAM ?
>
> Guys
>
> Does any one of you know a good DSLAM for HDSL & ADSL?
>
> Thanks

From jfitz at Princeton.EDU Thu Jun 11 10:14:11 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 11 Jun 2009 10:14:11 -0400
Subject: [c-nsp] 3750 running jumbo frames ?
In-Reply-To: <987B409C-FF47-45CD-BF4D-C350D24B7EB3@princeton.edu>
References: <987B409C-FF47-45CD-BF4D-C350D24B7EB3@princeton.edu>
Message-ID: <31CE01FD-0D58-4C4D-9152-0C41D2B53673@princeton.edu>

I forgot to mention that the hosts that will be using jumbo frames will be on a separate VLAN between the two switches. The concern was, since the jumbo frame was a global change (all gig ports on 3750), how would it impact the other VLAN that only has 1500 MTU hosts on? I would assume there isn't any impact for hosts with a 1500 MTU; it's just that the switch can now pass 9k frames if present. The switch management was the other key issue.

Thanks

Jeff

On Jun 11, 2009, at 9:44 AM, Jeff Fitzwater wrote:

> We have the need to run two 3750 switches with jumbo frames (9000),
> for a high performance data transfer application. Both switches
> will be managed by connections to a NON-JUMBO frame environment.
> (That is, if this will work)
>
> If I enable jumbo frames (which is a global change) and leave the
> management interface MTU at 1500 so the switch will use 1500 as
> packet size for all management, are there any NEGATIVE ISSUES I
> should be aware of because of them being connected to the non-jumbo
> environment?
>
> Thanks for any help,
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

From jared at puck.nether.net Thu Jun 11 10:22:13 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 11 Jun 2009 10:22:13 -0400
Subject: [c-nsp] Cisco IP Phones and IPv6
In-Reply-To: <933154.15438.qm@web180712.mail.sp1.yahoo.com>
References: <933154.15438.qm@web180712.mail.sp1.yahoo.com>
Message-ID: <3203A896-2BB5-4B6A-8DDE-C00FCE8C87A6@puck.nether.net>

They do, but require DHCPv6 to be configured.

- Jared

On Jun 11, 2009, at 9:00 AM, Alex Moya wrote:

>
> I believe that 8.4 on the 7961 does
>
> Sent from my iPhone
>
> On Jun 11, 2009, at 8:00 AM, Skeeve Stevens wrote:
>
> Does anyone know if any of the SCCP or SIP images for any of the
> models of Cisco IP Phones support IPv6?
>
> ...Skeeve
>
> --
> Skeeve Stevens, CEO/Technical Director
> eintellego Pty Ltd - The Networking Specialists
> skeeve at eintellego.net / www.eintellego.net
> Phone: 1300 753 383, Fax: (+612) 8572 9954
> Cell +61 (0)414 753 383 / skype://skeeve
> --
> NOC, NOC, who's there?

From bacon at walleyesoftware.com Thu Jun 11 10:22:22 2009
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Thu, 11 Jun 2009 09:22:22 -0500
Subject: [c-nsp] full routing table / provider-class chassis (Roland Dobbins)
In-Reply-To:
References:
Message-ID: <5A69C25361FED34F83ABF05F5047524505CD8001@wally.walleyetrading.net>

> On Jun 11, 2009, at 7:58 AM, Jo Rhett wrote:
>
> > What are people using today for this kind of environment?
>
> GSR, ASR 1K, CRS-1 all work quite well.
>
> Avoid 6500/7600 for edge applications due to NetFlow, uRPF, & ACL
> caveats (they're fine in the core).

Is there a good list of these caveats somewhere I can look at?
Thanks
-bacon

From gert at greenie.muc.de Thu Jun 11 09:41:24 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 11 Jun 2009 15:41:24 +0200
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>
Message-ID: <20090611134124.GO290@greenie.muc.de>

Hi,

On Wed, Jun 10, 2009 at 05:58:04PM -0700, Jo Rhett wrote:
> Unfortunately, Cisco's partners are useless. They propose 6509s
> without the DFCs, which we know will fall over.

Whether or not you need DFCs really depends on the throughput on the box, and the features used. DFCs are good due to local switching (less load on the Sup and the fabric) and because they do local netflow - but if the aggregate throughput is lower than what the Supervisor('s hardware forwarding engine) can handle, a DFC will not be mandatory.

Some of our peering/uplink routers have DFCs, others have not, and with the load we have (peak traffic ~ 4-5 Gbit/s on those boxes) the DFCs are not yet really needed.

> And as I understand
> it, the 6509 even with the 3CXL cards can't handle 5 full peers,

"XL" or "non-XL" has nothing to do with the number of *peers*.

"XL" decides on the number of prefixes that you can have in your forwarding table (hardware FIB) - and this will be about the same for "1 peer with a full BGP Table" or "20 peers with the same set of prefixes but just different BGP paths".

A higher number of different "full table" peers is going to eat up CPU memory and CPU power - memory is easy (Sup720-3CXL comes with 1Gbyte RAM, which is sufficient for at least 10 "full table" BGP peers), but CPU might reach its limit with 5 full table peers and 91 others.

Our most loaded box has 2 full table eBGP peerings + iBGP full mesh + ~30 smaller eBGP peerings, and the CPU load is usually well below 10% - so it might work or it might not.

> nevermind 96 total peers.
> Most people suggest the 7600 platform, but
> at least two comments on the mailing list indicate it isn't much better.

For the 7600, there is the RSP720 supervisor board, which has a faster CPU, so it should scale better with the number

> What are people using today for this kind of environment? Does it work?

We use 6500s with Sup720-10G (-3CXL) and Sup720-3B, and we're quite happy with them. The platform has its limits (shared VLAN space being the most significant for many folks), but compared to a "real router" (CRS-1) the main advantage is that it's dirt cheap.

For us, questions like "does our 'router box' need to have large line card memory to do nice QoS things in case our backbone lines fill up?" (which is one of the big differences between LAN hardware and ES/CRS cards) translate to "for the price difference, we can just double or triple the raw capacity of our backbone, thus having no congestion, thus needing no QoS"...

(Yes, caveats apply. With LAN hardware, you always have issues with microbursts and buffering. But ES/CRS - or Juniper - hardware is LOTS of extra money.)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From pr at isprime.com Thu Jun 11 09:41:28 2009
From: pr at isprime.com (Phil Rosenthal)
Date: Thu, 11 Jun 2009 09:41:28 -0400
Subject: [c-nsp] BGP Default announcement disappearing
Message-ID:

Hi all,

I know we've seen this bug now for several years, and I've given up hope for cisco ever fixing it. We're now running SRD on a Sup720.
For those of you who haven't seen the bug before, it goes something like this:

1) Everything is working fine, you have your router in a full mesh in your network, seeing several full tables from various sources, including (at least) one directly connected full transit provider announcing a full table (or at least some peer with a very large number of routes). You are announcing default (0.0.0.0/0) to several customer peers via BGP.

2) Transit provider (or peer with large number of routes) flaps a couple of times in rapid succession.

3) A small number of default-only customer peers will see the default route get withdrawn, but most will continue as normal.

4) Any default-only customer peer that flaps after this point will either not learn the default route, or will see it announced and then withdrawn immediately afterwards.

Sessions that are like this (supposed to be receiving default, but not) still show up just fine in a "show ip bgp nei x.x.x routes" command, eg:

BGP table version is 20510920, local router ID is x.x.x.x
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Originating default network 0.0.0.0

   Network          Next Hop            Metric LocPrf Weight Path

Total number of prefixes 0

Does anyone know of a way to get the router to once again announce 0.0.0.0/0 without a reload? I've tried removing the null0 route for 0/0 and re-adding it, as well as completely unconfiguring the sessions that should learn default and re-adding them; neither has worked.

Thanks,
-Phil

From dcp at dcptech.com Thu Jun 11 10:53:50 2009
From: dcp at dcptech.com (David Prall)
Date: Thu, 11 Jun 2009 10:53:50 -0400
Subject: [c-nsp] 3750 running jumbo frames ?
In-Reply-To: <31CE01FD-0D58-4C4D-9152-0C41D2B53673@princeton.edu>
References: <987B409C-FF47-45CD-BF4D-C350D24B7EB3@princeton.edu> <31CE01FD-0D58-4C4D-9152-0C41D2B53673@princeton.edu>
Message-ID: <005f01c9eaa4$8145c820$83d15860$@com>

The 3750 and 3560 can only pass L2 jumbos. They are limited to a frame size of 1998 for routed packets.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#c3

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
> Sent: Thursday, June 11, 2009 10:14 AM
> To: Jeff Fitzwater
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 3750 running jumbo frames ?
>
> I forgot to mention that the hosts that will be using jumbo frames
> will be on a separate VLAN between the two switches. The concern was,
> since the jumbo frame was a global change (all gig ports on 3750), how
> would it impact the other VLAN that only has 1500 MTU hosts on? I
> would assume there isn't any impact for hosts with a 1500 MTU; it's
> just that the switch can now pass 9k frames if present. The switch
> management was the other key issue.
>
> Thanks
>
> Jeff
>
> On Jun 11, 2009, at 9:44 AM, Jeff Fitzwater wrote:
>
> > We have the need to run two 3750 switches with jumbo frames (9000),
> > for a high performance data transfer application. Both switches
> > will be managed by connections to a NON-JUMBO frame environment.
> > (That is, if this will work)
> >
> > If I enable jumbo frames (which is a global change) and leave the
> > management interface MTU at 1500 so the switch will use 1500 as
> > packet size for all management, are there any NEGATIVE ISSUES I
> > should be aware of because of them being connected to the non-jumbo
> > environment?
> >
> > Thanks for any help,
> >
> > Jeff Fitzwater
> > OIT Network Systems
> > Princeton University

From Ian.Mackinnon at lumison.net Thu Jun 11 10:57:11 2009
From: Ian.Mackinnon at lumison.net (Ian MacKinnon)
Date: Thu, 11 Jun 2009 15:57:11 +0100
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <20090611134124.GO290@greenie.muc.de>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <20090611134124.GO290@greenie.muc.de>
Message-ID:

Hi Gert,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: 11 June 2009 14:41
> To: Jo Rhett
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp
>
> "XL" or "non-XL" has nothing to do with the number of *peers*.
>
> "XL" decides on the number of prefixes that you can have in your
> forwarding table (hardware FIB) - and this will be about the same for
> "1 peer with a full BGP Table" or "20 peers with the same set of
> prefixes but just different BGP paths".
>
> A higher number of different "full table" peers is going to eat up CPU
> memory and CPU power - memory is easy (Sup720-3CXL comes with 1Gbyte
> RAM, which is sufficient for at least 10 "full table" BGP peers), but
> CPU might reach its limit with 5 full table peers and 91 others.

I was under the impression that the limit on these boxes (and ASR1002 R1) was approx 1 Million routes.
I had assumed that was the total number of routes from all your peers, eg we see about 280k routes in a full table, so that would be approx 4 full tables.

Are you saying that the limit on the number of routes is actually in the FIB, ie active routes, so currently would always be about 280k, and multiple full tables is OK?

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email.

From mhuff at ox.com Thu Jun 11 10:38:44 2009
From: mhuff at ox.com (Matthew Huff)
Date: Thu, 11 Jun 2009 10:38:44 -0400
Subject: [c-nsp] [c-nap] Location of 67xx rommon (c2lc-rm) images?
In-Reply-To: <499643.28801.qm@web1215.biz.mail.gq1.yahoo.com>
References: <499643.28801.qm@web1215.biz.mail.gq1.yahoo.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C3811FD2A8@PUR-EXCH07.ox.com>

It's hidden. We ran into the same thing. Look under the LAN Switches section, for switches, 6509, then the 6500 Virtual Switching Supervisor 720, IOS Rommon. It's only there, and it's the same for DFC with regular Sup 720. We found this out from a TAC case.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:
914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kevin Graham
> Sent: Wednesday, June 10, 2009 9:18 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Location of 67xx rommon (c2lc-rm) images?
>
>
> With the new and not so improved software download and documentation
> sites, does anyone know where to find rommon images and release notes
> for 6500 line cards? RP/SP images are linked under the 6500 download
> pages, but the only DFC-related link is for c6dfc3 (65xx/68xx DFC3,
> I believe).
>
> Thanks.

From gert at greenie.muc.de Thu Jun 11 11:17:01 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 11 Jun 2009 17:17:01 +0200
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To:
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <20090611134124.GO290@greenie.muc.de>
Message-ID: <20090611151701.GQ290@greenie.muc.de>

Hi,

On Thu, Jun 11, 2009 at 03:57:11PM +0100, Ian MacKinnon wrote:
> > "XL" or "non-XL" has nothing to do with the number of *peers*.
> >
> > "XL" decides on the number of prefixes that you can have in your
> > forwarding table (hardware FIB) - and this will be about the same for
> > "1 peer with a full BGP Table" or "20 peers with the same set of
> > prefixes but just different BGP paths".
> >
> > A higher number of different "full table" peers is going to eat up CPU
> > memory and CPU power - memory is easy (Sup720-3CXL comes with 1Gbyte
> > RAM, which is sufficient for at least 10 "full table" BGP peers), but
> > CPU might reach its limit with 5 full table peers and 91 others.
>
> I was under the impression that the limit on these boxes
> (and ASR1002 R1) was approx 1 Million routes.

True. *FIB space* routes.

> I had assumed that was the total number of routes from all your peers,
> eg we see about 280k routes in a full table,

Correct.

> so that would be approx 4 full tables.

No.

1 full table has 280k routes.

100 full tables have 280k routes as well. (But LOTS of additional BGP path information - but those are not stored in the FIB, and don't count for the "1 million" limit).

> Are you saying that the limit on the number of routes is actually in
> the FIB, ie active routes, so currently would always be about 280k, and
> multiple full tables is OK?

BGP paths that don't go to the FIB are not "routes". They are just prefixes with path info.

(In other words: yes).

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From Ian.Mackinnon at lumison.net Thu Jun 11 11:18:44 2009
From: Ian.Mackinnon at lumison.net (Ian MacKinnon)
Date: Thu, 11 Jun 2009 16:18:44 +0100
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <20090611151701.GQ290@greenie.muc.de>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <20090611134124.GO290@greenie.muc.de> <20090611151701.GQ290@greenie.muc.de>
Message-ID:

Thanks Gert, excellent answer.
> -----Original Message-----
> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: 11 June 2009 16:17
> To: Ian MacKinnon
> Cc: Gert Doering; Jo Rhett; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] full routing table / provider-class chassis
>
> Hi,
>
> On Thu, Jun 11, 2009 at 03:57:11PM +0100, Ian MacKinnon wrote:
> > > "XL" or "non-XL" has nothing to do with the number of *peers*.
> > >
> > > "XL" decides on the number of prefixes that you can have in your
> > > forwarding table (hardware FIB) - and this will be about the same
> > > for "1 peer with a full BGP Table" or "20 peers with the same set of
> > > prefixes but just different BGP paths".
> > >
> > > A higher number of different "full table" peers is going to eat up
> > > CPU memory and CPU power - memory is easy (Sup720-3CXL comes with
> > > 1Gbyte RAM, which is sufficient for at least 10 "full table" BGP
> > > peers), but CPU might reach its limit with 5 full table peers and
> > > 91 others.
> >
> > I was under the impression that the limit on these boxes (and
> > ASR1002 R1) was approx 1 Million routes.
>
> True. *FIB space* routes.
>
> > I had assumed that was the total number of routes from all your peers,
> > eg we see about 280k routes in a full table,
>
> Correct.
>
> > so that would be approx 4 full tables.
>
> No.
>
> 1 full table has 280k routes.
>
> 100 full tables have 280k routes as well. (But LOTS of additional BGP
> path information - but those are not stored in the FIB, and don't count
> for the "1 million" limit).
>
> > Are you saying that the limit on the number of routes is actually in
> > the FIB, ie active routes, so currently would always be about 280k,
> > and multiple full tables is OK?
>
> BGP paths that don't go to the FIB are not "routes". They are just
> prefixes with path info.
>
> (In other words: yes).
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Thu Jun 11 11:23:10 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 11 Jun 2009 17:23:10 +0200
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <20090611151701.GQ290@greenie.muc.de>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <20090611134124.GO290@greenie.muc.de> <20090611151701.GQ290@greenie.muc.de>
Message-ID: <20090611152310.GR290@greenie.muc.de>

Hi,

On Thu, Jun 11, 2009 at 05:17:01PM +0200, Gert Doering wrote:
> > Are you saying that the limit on the number of routes is actually in
> > the FIB, ie active routes, so currently would always be about 280k, and
> > multiple full tables is OK?
>
> BGP paths that don't go to the FIB are not "routes". They are just prefixes
> with path info.
>
> (In other words: yes).

To clarify: this is the way *Cisco* does it. Information gets collected inside routing processes, routing processes (here: BGP) select a "winner" among all candidates (= 1 route out of many BGP paths), and the result goes to the FIB (if it's the protocol with the best preference).
As far as I understand, Juniper handles this a bit differently, with no separate tables for "inside BGP" stuff, so things might look different there.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From A.L.M.Buxey at lboro.ac.uk Thu Jun 11 12:03:18 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 11 Jun 2009 17:03:18 +0100
Subject: [c-nsp] Cisco IP Phones and IPv6
In-Reply-To: <933154.15438.qm@web180712.mail.sp1.yahoo.com>
References: <933154.15438.qm@web180712.mail.sp1.yahoo.com>
Message-ID: <20090611160318.GA14721@lboro.ac.uk>

Hi,

> I believe that 8.4 on the 7961 does
>
> Sent from my iPhone
>
> On Jun 11, 2009, at 8:00 AM, Skeeve Stevens wrote:
>
> Does anyone know if any of the SCCP or SIP images for any of the models of Cisco IP Phones support IPv6?

8.4.2S shows it ghosted out on the network info page... I think we're just one version short - can't recall if it's the firmware or the CUCM we need to deal with... it's certainly coming!

alan

From rdobbins at arbor.net Thu Jun 11 12:07:47 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Thu, 11 Jun 2009 23:07:47 +0700
Subject: [c-nsp] full routing table / provider-class chassis (Roland Dobbins)
In-Reply-To: <5A69C25361FED34F83ABF05F5047524505CD8001@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524505CD8001@wally.walleyetrading.net>
Message-ID: <7813E55B-4111-4B52-A1A5-34337B7CE8DD@arbor.net>

On Jun 11, 2009, at 9:22 PM, Jeff Bacon wrote:

> Is there a good list of these caveats somewhere I can look at?

NetFlow:

256K mls tables at 93% efficiency (~233K entries).
No packet-sampled control of flow creation can lead to mls table overflow & non-deterministic skewing of stats/heuristics; small mls table size contributes to this in environments with diverse traffic patterns and/or high pps, such as SP edge.

NetFlow 'sampling' on 6500/7600 is actually NDE output telemetry sampling only, not the same as packet-sampled control of flow creation on software platforms, GSR, ASR 1K, CRS-1, N7K.

No logical OR of TCP flags observed throughout a TCP flow, only the last flag.

No dropped traffic stats/heuristics.

ACLs:

ACLs must be carefully crafted to avoid LOU exhaustion & subsequent software switching self-DoS.

uRPF:

uRPF mode must be the same for all interfaces in a chassis.

Note that these are all edge features. These boxes are fine running in the core and/or other areas in which these particular edge features aren't required; it's the edge which can be problematic.

-----------------------------------------------------------------------
Roland Dobbins  //

    Unfortunately, inefficiency scales really well.

        -- Kevin Lawton

From cmadams at hiwaay.net Thu Jun 11 12:13:05 2009
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 11 Jun 2009 11:13:05 -0500
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <20090611152310.GR290@greenie.muc.de>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <20090611134124.GO290@greenie.muc.de> <20090611151701.GQ290@greenie.muc.de> <20090611152310.GR290@greenie.muc.de>
Message-ID: <20090611161305.GC1185296@hiwaay.net>

Once upon a time, Gert Doering said:
> As far as I understand, Juniper handles this a bit differently, with no
> separate tables for "inside BGP" stuff, so things might look different
> there.

Juniper JUNOS keeps all routes (static, OSPF, BGP, etc.) in the "route table" in the routing engine (where the protocols run), and exports the best routes to the "forwarding table" in the forwarding engine (where the packets are forwarded).
The forwarding table in a router with full Internet BGP routes currently has ~282K routes, while the route table has ~282K times however many full-route peers you have (plus internal routes in both cases). The route table has all the routes (from all sources and peers) known to the router, but routing engine RAM is (relatively) cheap since the RE is basically just a PC running FreeBSD. I'm not sure off the top of my head how much additional RAM is used per full-route peer.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From Jeff.Wojciechowski at midlandpaper.com Thu Jun 11 12:37:42 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Thu, 11 Jun 2009 11:37:42 -0500
Subject: [c-nsp] ASA 5510 Configuration Replication Failure
Message-ID: <6B8401A83219DF499C34DEAEE9A599921015AED7E9@XBOX.midlandpaper.com>

Dearest List:

We are building a new active/standby ASA cluster with 5510's and the initial config synch went just fine.

However, when we changed the hostname on the primary unit and did a 'write standby' I got the following:

VaultASA(config)# wr stan
Building configuration...
[OK]
VaultASA(config)# Beginning configuration replication: Sending to mate.
Failover LAN Failed
Configuration Replication Failure
sh ver

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(5)

Another interesting point about this is that both units show the synch interface (E0/3 on both units in our case) with line protocol down.
VaultASA(config)# sh int e0/3
Interface Ethernet0/3 "failover", is down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Full-Duplex, 100 Mbps
        Description: LAN/STATE Failover Interface
        MAC address 0024.14d3.7b37, MTU 1500
        IP address x.x.x.x, subnet mask 255.255.255.0
        558 packets input, 49468 bytes, 0 no buffer
        Received 3 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        499 packets output, 71296 bytes, 0 underruns
        0 output errors, 0 collisions, 9 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/25) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "failover":
        558 packets input, 39264 bytes
        502 packets output, 59800 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
VaultASA(config)#

Ideas?

Thanks in advance.

Jeff

From mhuff at ox.com Thu Jun 11 13:04:26 2009
From: mhuff at ox.com (Matthew Huff)
Date: Thu, 11 Jun 2009 13:04:26 -0400
Subject: [c-nsp] ASA 5510 Configuration Replication Failure
In-Reply-To: <6B8401A83219DF499C34DEAEE9A599921015AED7E9@XBOX.midlandpaper.com>
References: <6B8401A83219DF499C34DEAEE9A599921015AED7E9@XBOX.midlandpaper.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C3811FD2C3@PUR-EXCH07.ox.com>

Try connecting to the serial port on both boxes and setting the name on both, and then retrying the sync.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:
914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wojciechowski
> Sent: Thursday, June 11, 2009 12:38 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA 5510 Configuration Replication Failure
>
> Dearest List:
>
> We are building a new active/standby ASA cluster with 5510's and the
> initial config synch went just fine.
>
> However, when we changed the hostname on the primary unit and did a
> 'write standby' I got the following:
>
> VaultASA(config)# wr stan
> Building configuration...
> [OK]
> VaultASA(config)# Beginning configuration replication: Sending to mate.
> Failover LAN Failed
> Configuration Replication Failure
> sh ver
>
> Cisco Adaptive Security Appliance Software Version 8.0(3)
> Device Manager Version 6.1(5)
>
> Another interesting point about this is that both units show the synch
> interface (E0/3 on both units in our case) with line protocol down.
>
> VaultASA(config)# sh int e0/3
> Interface Ethernet0/3 "failover", is down, line protocol is down
>   Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
>         Full-Duplex, 100 Mbps
>         Description: LAN/STATE Failover Interface
>         MAC address 0024.14d3.7b37, MTU 1500
>         IP address x.x.x.x, subnet mask 255.255.255.0
>         558 packets input, 49468 bytes, 0 no buffer
>         Received 3 broadcasts, 0 runts, 0 giants
>         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
>         0 L2 decode drops
>         499 packets output, 71296 bytes, 0 underruns
>         0 output errors, 0 collisions, 9 interface resets
>         0 babbles, 0 late collisions, 0 deferred
>         0 lost carrier, 0 no carrier
>         input queue (curr/max packets): hardware (0/25) software (0/0)
>         output queue (curr/max packets): hardware (0/0) software (0/0)
>   Traffic Statistics for "failover":
>         558 packets input, 39264 bytes
>         502 packets output, 59800 bytes
>         0 packets dropped
>       1 minute input rate 0 pkts/sec,  0 bytes/sec
>       1 minute output rate 0 pkts/sec,  0 bytes/sec
> 1 minute drop rate, 0 pkts/sec
> 5 minute input rate 0 pkts/sec, 0 bytes/sec
> 5 minute output rate 0 pkts/sec, 0 bytes/sec
> 5 minute drop rate, 0 pkts/sec
> VaultASA(config)#
>
> Ideas?
>
> Thanks in advance.
>
> Jeff
>

From peter at rathlev.dk Thu Jun 11 13:04:03 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 11 Jun 2009 19:04:03 +0200
Subject: [c-nsp] 3750E and X2-10GB-ZR compatibility?
In-Reply-To: <20090611105420.GA34090@bts.sk>
References: <1244641933.7592.25.camel@localhost.localdomain> <20090611105420.GA34090@bts.sk>
Message-ID: <1244739843.3383.1.camel@localhost.localdomain>

Hi Marian,

On Thu, 2009-06-11 at 12:54 +0200, Marian Ďurković wrote:
> There is nothing special about the X2-ZR units, they are fully compliant
> with X2 spec, just have longer reach. Lack of "support" means there's no
> entry in your IOS for ZR - but it was already added into 12.2(50)SE.

Thank you very much for pointing this out, after loading 12.2(50)SE2 it was recognized fine. :-)

Regards,
Peter

From peter at rathlev.dk Thu Jun 11 13:13:09 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 11 Jun 2009 19:13:09 +0200
Subject: [c-nsp] 3750 running jumbo frames ?
In-Reply-To: <987B409C-FF47-45CD-BF4D-C350D24B7EB3@princeton.edu>
References: <987B409C-FF47-45CD-BF4D-C350D24B7EB3@princeton.edu>
Message-ID: <1244740389.3383.6.camel@localhost.localdomain>

On Thu, 2009-06-11 at 09:44 -0400, Jeff Fitzwater wrote:
> We have the need to run two 3750 switches with jumbo frames (9000),
> for a high performance data transfer application.
> Both switches will
> be managed by connections to a NON-JUMBO frame environment. (That
> is, if this will work)
>
> If I enable jumbo frames (which is a global change) and leave the
> management interface MTU at 1500 so the switch will use 1500 as packet
> size for all management, are there any NEGATIVE ISSUES I should be
> aware of because of them being connected to the non-jumbo environment?

This will not present problems. As David mentions only L2 switched frames can be jumbo. Management-traffic wouldn't exceed the routing MTU, which is 1500 bytes by default. Changing the "system jumbo mtu" doesn't change the L3 MTU.

Any TCP based L3 connection would use the lowest of the two endpoint MSSs anyway, so hosts connecting from 1500 byte MTU segments would always end up using 1500 byte MTU connections. Even if you could adjust routing MTU to 9000 bytes you probably wouldn't face any problems.

IMHO there would never be any negative effects from enabling 9000 bytes MTU, unless of course you explicitly WANT to limit the MTU.

Regards,
Peter

From kloch at kl.net Thu Jun 11 12:40:50 2009
From: kloch at kl.net (Kevin Loch)
Date: Thu, 11 Jun 2009 12:40:50 -0400
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>
Message-ID: <4A313392.60604@kl.net>

Jo Rhett wrote:
> I've been trying to spec Cisco for an upgrade of our Force10 backbone
> for nearly 2 months now. I'm just trying to clarify which platform
> Cisco recommends for full routing table/hardware
> forwarding/provider-class environments.
>
> Unfortunately every time I get through to the supposed right group, I
> mention our requirements and Cisco never follows up. It's almost like
> they realize they have nothing on Juniper and they don't even bother.
> They are about to be eliminated from the choices for lack of having an
> answer.
>
> Until they decide to care, is there anyone on here willing to propose a
> basic platform for provider-class environment? By which I mean
>
> * Full IPv4 & v6 routing table (Cisco has 760k v4/260k v6 I know with
> SUP720/3CXL)
> * ASIC-based line-rate forwarding (SUP720-3CXL and DFC-3CXL on each line
> card, right?)
> * 196 ports copper 10/100/1000
> * 40 ports SFP 1g (on two line cards, not one)
> * 96+ BGP peers, 8-10 full routing table peers
>
> Unfortunately, Cisco's partners are useless. They propose 6509s without
> the DFCs, which we know will fall over.

Well that depends...

The DFCs only do next-hop (tcam) lookups and netflow. All packets are switched on the centralized PFC. Each line card has two 20Gbit/s fabric channels (2x 40Gbit/s full duplex) to the PFC. The PFC also has tcam for lookups and netflow to service any cards that do not have a DFC.

The PFC is rated at something like 30Mpps so if you are doing less than that and you don't need the extra netflow tcam you don't need any DFCs and can still theoretically do 640Gbit/s (320Gbit/s for those of us who have highly unbalanced traffic flows).

Netflow is subsampled on this platform. I have been able to get pretty good estimates of traffic flow (checked against SNMP counters) but I would not use that for any kind of accounting. The SNMP counters are fairly noisy due to the several second update intervals. SNMP counters on vlans are even worse and loop over after a few gbit/s even though the counters themselves are 64bit. You may find using smaller switches (like 3560) for most customer ports and using 10Gig uplinks is better than using copper ports on the 6500/7600.

I would avoid the sup720, the rsp720 has 2x the ram and more than 2x the cpu power. cpu on the sup720 is by far its biggest limitation.

> And as I understand it, the
> 6509 even with the 3CXL cards can't handle 5 full peers, nevermind 96
> total peers.
> Most people suggest the 7600 platform, but at least two
> comments on the mailing list indicate it isn't much better.
>
> What are people using today for this kind of environment? Does it work?
>

From lukasz at bromirski.net Thu Jun 11 13:40:32 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 11 Jun 2009 19:40:32 +0200
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <4A313392.60604@kl.net>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net>
Message-ID: <4A314190.8050907@bromirski.net>

On 2009-06-11 18:40, Kevin Loch wrote:

You've got something messed up Kevin:

> The DFC's only do next-hop (tcam) lookups and netflow.

DFCs are doing all and exactly the same work as PFC on Supervisors locally on the LC that they are installed to. They're the same in terms of hardware, just in a different form - to fit the LC, not the Sup.

> All packets are switched on the centralized PFC.

If the LC has a DFC, packet is switched by DFC toward destination - if it's on the same card, it's switched locally (until, of course, you seem to have 6748/6704/6708/6716 where the card is divided into two). If the LC doesn't have a DFC but CFC only, the traffic is switched by PFC.

> Each line card has two 20Gbit/s fabric channels
> (2x 40Gbit/s full duplex) to the PFC.

Each 67xx series LC can have one or two 20Gbit/s channel connections to switch fabric located at Supervisor. Switch Fabric ASICs and PFCs are not the same thing. 65xx LCs have one or two 8Gbit/s connections to the switch fabric and different DFCs models, but the switch fabric of Sup720/RSP720 can autonegotiate 8/20 Gbit/s upon insertion into chassis/boot.

> The PFC is rated at something like 30Mpps so if you are doing less
> than that and you don't need the extra netflow tcam you don't
> need any DFC's and can still theoretically do 640Gbit/s (320Gbit/s
> for those of us to have highly unbalanced traffic flows).
PFC is 30Mpps, DFCs for 67xx LCs can do 48Mpps.

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From bacon at walleyesoftware.com Thu Jun 11 14:00:52 2009
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Thu, 11 Jun 2009 13:00:52 -0500
Subject: [c-nsp] cisco-nsp Digest, Vol 79, Issue 37
In-Reply-To:
References:
Message-ID: <5A69C25361FED34F83ABF05F5047524505CD8011@wally.walleyetrading.net>

>
> Message: 4
> Date: Thu, 11 Jun 2009 15:41:24 +0200
> From: Gert Doering
> To: Jo Rhett
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] full routing table / provider-class chassis
> Message-ID: <20090611134124.GO290 at greenie.muc.de>
> Content-Type: text/plain; charset="us-ascii"
>
>
> (Yes, caveats apply. With LAN hardware, you always have issues with
> microbursts and buffering. But ES/CRS - or Juniper - hardware is LOTS
> of extra money.)
>
> gert
>

So is there a good way to watch/track microbursts? I don't care if it buffers, but in our environment (lot of market data) we suffer from
a) regular microbursts (micro meaning in the 1s or less timeframe)
b) no really good way to measure or capture them short of putting packet sniffers on lines and sorting through packet dumps ex-post-facto.

We're using 6500/720-3BXL hardware but could buy other hardware (though I imagine that's not the problem). Traffic comes in over gig fiber or various metro-e, NYC metro area.

Our general answer is "throw more bandwidth at the problem" - which is fine; the problem is knowing _when_ we need to, short of finding out from end-users.
-bacon

From rwest at zyedge.com Thu Jun 11 14:16:16 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 11 Jun 2009 14:16:16 -0400
Subject: [c-nsp] ASA 5510 Configuration Replication Failure
In-Reply-To: <6B8401A83219DF499C34DEAEE9A599921015AED7E9@XBOX.midlandpaper.com>
References: <6B8401A83219DF499C34DEAEE9A599921015AED7E9@XBOX.midlandpaper.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124835C52C6@zy-ex1.zyedge.local>

Jeff,

It's hard to tell exactly what happened based on your post, can you do a 'show failover'? When the ASAs are paired, you should only need to do a wr to save config on both. Try erasing the config on the backup ASA, regenerate your RSA key with your new hostname (on the primary), re-enter the failover commands (on the standby) and see if it syncs up again.

You should consider moving away from 8.0(3), there are a number of publicized security risks with it. The interim releases should have much fewer bugs as well.

As for the failover interface, are you using a crossover or does it connect to a switch?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Thursday, June 11, 2009 12:38 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA 5510 Configuration Replication Failure

Dearest List:

We are building a new active/standby ASA cluster with 5510's and the initial config synch went just fine.

However, when we changed the hostname on the primary unit and did a 'write standby' I got the following:

VaultASA(config)# wr stan
Building configuration...
[OK]
VaultASA(config)# Beginning configuration replication: Sending to mate.
Failover LAN Failed
Configuration Replication Failure

sh ver
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(5)

Another interesting point about this is that both units show the synch interface (E0/3 on both units in our case) show line protocol down.
VaultASA(config)# sh int e0/3
Interface Ethernet0/3 "failover", is down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Full-Duplex, 100 Mbps
        Description: LAN/STATE Failover Interface
        MAC address 0024.14d3.7b37, MTU 1500
        IP address x.x.x.x, subnet mask 255.255.255.0
        558 packets input, 49468 bytes, 0 no buffer
        Received 3 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        499 packets output, 71296 bytes, 0 underruns
        0 output errors, 0 collisions, 9 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/25) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "failover":
        558 packets input, 39264 bytes
        502 packets output, 59800 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
VaultASA(config)#

Ideas?

Thanks in advance.

Jeff

From randy_94108 at yahoo.com Thu Jun 11 13:39:43 2009
From: randy_94108 at yahoo.com (Randy)
Date: Thu, 11 Jun 2009 10:39:43 -0700 (PDT)
Subject: [c-nsp] ASA 5510 Configuration Replication Failure
Message-ID: <755887.26624.qm@web80506.mail.mud.yahoo.com>

was the appliance actually *the active unit* when you made the change? despite the replication failure, you should still be able to connect to both appliances and see what they think their host names are. Make sure it is the same.

make sure you have the following entries in the config:

in active:
conf t
standby lan unit primary
hostname state (this will display the state of the unit at the prompt - hostname/act and hostname/stdby)

in standby:
conf t
standby lan unit secondary
hostname state

Regards

--- On Thu, 6/11/09, Jeff Wojciechowski wrote:

From: Jeff Wojciechowski
Subject: [c-nsp] ASA 5510 Configuration Replication Failure
To: "cisco-nsp at puck.nether.net"
Date: Thursday, June 11, 2009, 9:37 AM

Dearest List:

We are building a new active/standby ASA cluster with 5510's and the initial config synch went just fine.

However, when we changed the hostname on the primary unit and did a 'write standby' I got the following:

VaultASA(config)# wr stan
Building configuration...
[OK]
VaultASA(config)# Beginning configuration replication: Sending to mate.
Failover LAN Failed
Configuration Replication Failure

sh ver
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(5)

Another interesting point about this is that both units show the synch interface (E0/3 on both units in our case) show line protocol down.

VaultASA(config)# sh int e0/3
Interface Ethernet0/3 "failover", is down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Full-Duplex, 100 Mbps
        Description: LAN/STATE Failover Interface
        MAC address 0024.14d3.7b37, MTU 1500
        IP address x.x.x.x, subnet mask 255.255.255.0
        558 packets input, 49468 bytes, 0 no buffer
        Received 3 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        499 packets output, 71296 bytes, 0 underruns
        0 output errors, 0 collisions, 9 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/25) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "failover":
        558 packets input, 39264 bytes
        502 packets output, 59800 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
VaultASA(config)#

Ideas?

Thanks in advance.

Jeff

From mhuff at ox.com Thu Jun 11 14:56:52 2009
From: mhuff at ox.com (Matthew Huff)
Date: Thu, 11 Jun 2009 14:56:52 -0400
Subject: [c-nsp] cisco-nsp Digest, Vol 79, Issue 37
In-Reply-To: <5A69C25361FED34F83ABF05F5047524505CD8011@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524505CD8011@wally.walleyetrading.net>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C3811FD2CE@PUR-EXCH07.ox.com>

input and output drops on the interface are the key (depending on direction). Microbursting is a problem when the short term sustained rate overflows the input or output hardware buffer. If the system can't dequeue the packets fast enough then you will get tail drops.

With a 6500/720-3BXL the problem with microbursting is going to be in the linecard.

With a 67xx series linecard you shouldn't receive microbursting unless you have a very congested fabric or are saturating the interface

With a 65xx series linecard it will depend on the rate. On an otherwise normal utilization microbursting shouldn't be a big problem

With a 61xx,62xx, 63xx the buffers are pretty shallow, hence their positioning as access linecards for end users

All this depends on hardware switching. If something is causing the packets to be punted to the CPU, then microbursting drops can occur on any linecard.

----
Matthew Huff
| One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Jeff Bacon
> Sent: Thursday, June 11, 2009 2:01 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] cisco-nsp Digest, Vol 79, Issue 37
>
> >
> > Message: 4
> > Date: Thu, 11 Jun 2009 15:41:24 +0200
> > From: Gert Doering
> > To: Jo Rhett
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] full routing table / provider-class chassis
> > Message-ID: <20090611134124.GO290 at greenie.muc.de>
> > Content-Type: text/plain; charset="us-ascii"
> >
> >
> > (Yes, caveats apply. With LAN hardware, you always have issues with
> > microbursts and buffering. But ES/CRS - or Juniper - hardware is
> LOTS
> > of extra money.)
> >
> > gert
> >
>
> So is there a good way to watch/track microbursts? I don't care if it
> buffers, but in our environment (lot of market data) we suffer from
> a) regular microbursts (micro meaning in the 1s or less timeframe)
> b) no really good way to measure or capture them short of putting
> packet
> sniffers on lines and sorting through packet dumps ex-post-facto.
>
> We're using 6500/720-3BXL hardware but could buy other hardware (though
> I imagine that's not the problem). Traffic comes in over gig fiber or
> various metro-e, NYC metro area.
>
> Our general answer is "throw more bandwidth at the problem" - which is
> fine; the problem is knowing _when_ we need to, short of finding out
> from end-users.
>
> -bacon
>

From p.mayers at imperial.ac.uk Thu Jun 11 15:01:34 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 11 Jun 2009 20:01:34 +0100
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <4A313392.60604@kl.net>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net>
Message-ID: <4A31548E.3080501@imperial.ac.uk>

Kevin Loch wrote:
>>
>> Unfortunately, Cisco's partners are useless. They propose 6509s without
>> the DFCs, which we know will fall over.
>
> Well that depends...
>
> The DFC's only do next-hop (tcam) lookups and netflow. All packets are
> switched on the centralized PFC. Each line card has two 20Gbit/s

Łukasz has already addressed this; suffice to say he's right, and the above is not correct. A TCAM lookup *is* the forwarding operation, and the DFC has all information required locally to switch the packet (via the fabric) to the output linecard, and does so.

>
> Netflow is subsampled on this platform. I have been able to get

I don't know what you mean by "subsampled", but my experience of netflow on this platform does not match this description. Because we are within the netflow TCAM limits, I get 100% accurate netflow. There's no sampling in hardware - the hardware is in fact not *capable* of such - and we see all packets in our flow table.

> pretty good estimates of traffic flow (checked against SNMP counters)
> but I would not use that for any kind of accounting. The

Again, this depends on your traffic pattern. We use it for accounting and it is essentially totally reliable, given our traffic patterns.

It's popular to bash netflow on the 6500s, but I personally think that's unfair. It's very effective for the (large numbers of) sites who are within the design limits of the platform. I can understand it's frustrating to be outside those limits though.
> SNMP counters are fairly noisy due to the several second update
> intervals. SNMP counters on vlans are even worse and loop
> over after a few gbit/s even though the counters themselves
> are 64bit. You may find using smaller switches (like 3560)
> for most customer ports and using 10Gig uplinks is better
> than using copper ports on the 6500/7600.

I think that would depend on the architecture one was trying to build. By terminating the link on a 6748-TX, you get:

* sensible power redundancy
* sensible control-plane redundancy
* better performance / lower contention
* fewer devices to manage

>
> I would avoid the sup720, the rsp720 has 2x the ram and more

Obviously it's worth emphasising that the RSP720 is 7600-only, and from posts on this list it's still not in general availability I think?

> than 2x the cpu power. cpu on the sup720 is by far its biggest
> limitation.

That's certainly true; 600Mhz is pretty derisory these days.

From Jeff.Wojciechowski at midlandpaper.com Thu Jun 11 15:15:30 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Thu, 11 Jun 2009 14:15:30 -0500
Subject: [c-nsp] ASA 5510 Configuration Replication Failure
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124835C52C6@zy-ex1.zyedge.local>
References: <6B8401A83219DF499C34DEAEE9A599921015AED7E9@XBOX.midlandpaper.com> <6E21B2BDEF6E714EA0B5BA8D5D0E140124835C52C6@zy-ex1.zyedge.local>
Message-ID: <6B8401A83219DF499C34DEAEE9A599921015AED7FC@XBOX.midlandpaper.com>

Ryan,

Thx for the heads up on the 8.0(3) bugs.

I blew away the configs on the secondary unit - upgraded to 8.0(4) on both units, re synched and the synch interface goes line protocol down and got this:

OUTPUT FROM SECONDARY:
______________________

Detected an Active mate
Beginning configuration replication from mate.
Failover LAN Failed
Switching to Active

VaultASA(config-if)# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 14:05:04 CDT Jun 11 2009
        This host: Secondary - Active
                Active time: 53 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (172.20.50.16): Normal (Waiting)
                  Interface inside (172.20.40.16): Normal (Waiting)
                slot 1: empty
        Other host: Primary - Failed
                Active time: 204 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Unknown/Unknown)
                  Interface outside (172.20.50.17): Unknown (Waiting)
                  Interface inside (172.20.40.17): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Sh Fail on Primary (after failure):
___________________________________

VaultASA# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 14:01:27 CDT Jun 11 2009
        This host: Primary - Active
                Active time: 387 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (172.20.50.16): Normal (Waiting)
                  Interface inside (172.20.40.16): Normal (Waiting)
                slot 1: empty
        Other host:
Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Unknown/Unknown)
                  Interface outside (172.20.50.17): Unknown (Waiting)
                  Interface inside (172.20.40.17): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

To answer your question - the failover interfaces are connected directly using a straight thru cable - the interfaces come 'up' long enough to synch and then immediately go down after a synch. And yes we tried different cable(s) on the synch interface :o)

Thanks,

-Jeff

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: Thursday, June 11, 2009 1:16 PM
To: Jeff Wojciechowski; cisco-nsp at puck.nether.net
Subject: RE: ASA 5510 Configuration Replication Failure

Jeff,

It's hard to tell exactly what happened based on your post, can you do a 'show failover'? When the ASAs are paired, you should only need to do a wr to save config on both. Try erasing the config on the backup ASA, regenerate your RSA key with your new hostname (on the primary), re-enter the failover commands (on the standby) and see if it syncs up again.

You should consider moving away from 8.0(3), there are a number of publicized security risks with it. The interim releases should have much fewer bugs as well.

As for the failover interface, are you using a crossover or does it connect to a switch?
-ryan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wojciechowski Sent: Thursday, June 11, 2009 12:38 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] ASA 5510 Configuration Replication Failure Dearest List: We are building a new active/standby ASA cluster with 5510's and the initial config synch went just fine. However, when we changed the hostname on the primary unit and did a 'write standby' I got the following: VaultASA(config)# wr stan Building configuration... [OK] VaultASA(config)# Beginning configuration replication: Sending to mate. Failover LAN Failed Configuration Replication Failure sh ver Cisco Adaptive Security Appliance Software Version 8.0(3) Device Manager Version 6.1(5) Another interesting point about this is that both units show the synch interface (E0/3 on both units in our case) show line protocol down. VaultASA(config)# sh int e0/3 Interface Ethernet0/3 "failover", is down, line protocol is down Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec Full-Duplex, 100 Mbps Description: LAN/STATE Failover Interface MAC address 0024.14d3.7b37, MTU 1500 IP address x.x.x.x, subnet mask 255.255.255.0 558 packets input, 49468 bytes, 0 no buffer Received 3 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 L2 decode drops 499 packets output, 71296 bytes, 0 underruns 0 output errors, 0 collisions, 9 interface resets 0 babbles, 0 late collisions, 0 deferred 0 lost carrier, 0 no carrier input queue (curr/max packets): hardware (0/25) software (0/0) output queue (curr/max packets): hardware (0/0) software (0/0) Traffic Statistics for "failover": 558 packets input, 39264 bytes 502 packets output, 59800 bytes 0 packets dropped 1 minute input rate 0 pkts/sec, 0 bytes/sec 1 minute output rate 0 pkts/sec, 0 bytes/sec 1 minute drop rate, 0 pkts/sec 5 minute input rate 0 pkts/sec, 0 bytes/sec 5 minute output rate 0 pkts/sec, 0 
bytes/sec
      5 minute drop rate, 0 pkts/sec
VaultASA(config)#

Ideas?

Thanks in advance.

Jeff

From chadwick.whitten at gmail.com Thu Jun 11 15:23:32 2009
From: chadwick.whitten at gmail.com (Chad Whitten)
Date: Thu, 11 Jun 2009 14:23:32 -0500
Subject: [c-nsp] Cisco DSLAM ?
In-Reply-To: <4A3106D1.5010506@jarruda.com>
References: <4A2FD24D.2060703@cantv.net> <78C984F8939D424697B15E4B1C1BB3D7C48BF7@xmb-ams-331.emea.cisco.com> <4A3106D1.5010506@jarruda.com>
Message-ID: <973236a60906111223v7d847c46x82e1674834c4ac52@mail.gmail.com>

On Thu, Jun 11, 2009 at 8:29 AM, Julio Arruda wrote:

> Arie Vayner (avayner) wrote:
>
>> Juan,
>>
>> Cisco does not make DSLAMs for a long time now...
>>
>>
> I wonder if there is any Next-Gen DLC that Cisco has been seeing/using in
> customers ?
> In a previous life in NT, I remember Calix was quite popular in ANSI/T1
> customers in Caribbean market, so, if someone is looking at end-to-end
> solutions, would cisco kit 'fit' better with any specific vendor (IOT and
> etc ?).
>
>
>
> Arie
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan C. Crespo
>> R.
>> Sent: Wednesday, June 10, 2009 18:34
>> To: Cisco Post NSP
>> Cc: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Cisco DSLAM ?
>>
>> Guys
>>
>> Does any one of you know a good DSLAM for HDSL & ADSL ?
>>
>> Thanks
>
>

--
Chad Whitten
chadwick.whitten at gmail.com
601-519-4172

From jfitz at Princeton.EDU Thu Jun 11 16:23:03 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 11 Jun 2009 16:23:03 -0400
Subject: [c-nsp] 3750 running jumbo frames ?
In-Reply-To: <1244740389.3383.6.camel@localhost.localdomain>
References: <987B409C-FF47-45CD-BF4D-C350D24B7EB3@princeton.edu> <1244740389.3383.6.camel@localhost.localdomain>
Message-ID: <5E377FEF-23E7-4782-BCB1-4A6127BCC81F@Princeton.EDU>

Thanks for all the info. That's what I thought, but I have people checking on me. Case closed.

Jeff

On Jun 11, 2009, at 1:13 PM, Peter Rathlev wrote:

> On Thu, 2009-06-11 at 09:44 -0400, Jeff Fitzwater wrote:
>> We have the need to run two 3750 switches with jumbo frames (9000),
>> for a high performance data transfer application. Both switches will
>> be managed by connections to a NON-JUMBO frame environment. (That
>> is, if this will work)
>>
>> If I enable jumbo frames (which is a global change) and leave the
>> management interface MTU at 1500 so the switch will use 1500 as
>> packet
>> size for all management, are there any NEGATIVE ISSUES I should be
>> aware of because of them being connected to the non-jumbo environment?
>
> This will not present problems. As David mentions only L2 switched
> frames can be jumbo.
Management-traffic wouldn't exceed the routing > MTU, > which is 1500 bytes by default. Changing the "system jumbo mtu" > doesn't > change the L3 MTU. > > Any TCP based L3 connection would use the lowest of the two endpoint > MSSs anyway, so hosts connecting from 1500 byte MTU segments would > always end up using 1500 byte MTU connections. Even if you could > adjust > routing MTU to 9000 bytes you probably wouldn't face any problems. > > IMHO there would never be any negative effects from enabling 9000 > bytes > MTU, unless of course you explicitely WANT to limit the MTU. > > Regards, > Peter > > From jared at puck.nether.net Thu Jun 11 16:48:50 2009 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 11 Jun 2009 16:48:50 -0400 Subject: [c-nsp] WS-X6148-RJ21 Ethernet Modules In-Reply-To: References: <000801c9e9f0$638170a0$2a8451e0$@org> <20090610180937.GA27437@fusion.opticnetworks.net> <4A2FFB05.1050709@utc.edu> <4A300D69.9060501@gmail.com> Message-ID: My biggest comments surround insuring that they're supported in recent software. Cisco pulled some hardware support in the SXI -> SXI1 rebuild. You also need to verify that the patch panels being used are the "right ones". It's easy for someone to hand you a T1 patch panel and think it's viable for ethernet until you actually trace the wiring. - Jared On Jun 10, 2009, at 3:55 PM, wrote: > Hello > I was wondering if anyone has any experience using the RJ21 modules > for > 6500 Catalyst? Any good things to say? Any bad things to say? > > Regrets deploying it? > > This would be for access switches. 
>
> Thank you,
>
> Tom
>

From cchurc05 at harris.com  Thu Jun 11 17:15:52 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 11 Jun 2009 16:15:52 -0500
Subject: [c-nsp] WS-X6148-RJ21 Ethernet Modules
In-Reply-To:
References: <000801c9e9f0$638170a0$2a8451e0$@org>
	<20090610180937.GA27437@fusion.opticnetworks.net>
	<4A2FFB05.1050709@utc.edu> <4A300D69.9060501@gmail.com>
Message-ID:

>My biggest comments surround ensuring that they're supported in recent
>software.  Cisco pulled some hardware support in the SXI -> SXI1
>rebuild.

Didn't know about that.  Thought SXH and SXI had the same HW support.  Are there release notes for SXI1 up yet?

Chuck

From rwest at zyedge.com  Thu Jun 11 17:16:48 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 11 Jun 2009 17:16:48 -0400
Subject: [c-nsp] ASA 5510 Configuration Replication Failure
In-Reply-To: <6B8401A83219DF499C34DEAEE9A599921015AED7FC@XBOX.midlandpaper.com>
References: <6B8401A83219DF499C34DEAEE9A599921015AED7E9@XBOX.midlandpaper.com>
	<6E21B2BDEF6E714EA0B5BA8D5D0E140124835C52C6@zy-ex1.zyedge.local>
	<6B8401A83219DF499C34DEAEE9A599921015AED7FC@XBOX.midlandpaper.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124835C5305@zy-ex1.zyedge.local>

Have you tried a crossover?  Can you post 'show run failover' ?  A console on the standby firewall might reveal something during the replication process too.

-ryan

-----Original Message-----
From: Jeff Wojciechowski [mailto:Jeff.Wojciechowski at midlandpaper.com]
Sent: Thursday, June 11, 2009 3:16 PM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: RE: ASA 5510 Configuration Replication Failure

Ryan,

Thx for the heads up on the 8.0(3) bugs.
I blew away the configs on the secondary unit - upgraded to 8.0(4) on both units, re-synched and the synch interface goes line protocol down and got this:

OUTPUT FROM SECONDARY:
______________________

Detected an Active mate
Beginning configuration replication from mate.
Failover LAN Failed
Switching to Active
VaultASA(config-if)# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 14:05:04 CDT Jun 11 2009
        This host: Secondary - Active
                Active time: 53 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (172.20.50.16): Normal (Waiting)
                  Interface inside (172.20.40.16): Normal (Waiting)
                slot 1: empty
        Other host: Primary - Failed
                Active time: 204 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Unknown/Unknown)
                  Interface outside (172.20.50.17): Unknown (Waiting)
                  Interface inside (172.20.40.17): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Sh Fail on Primary (after failure):
___________________________________

VaultASA# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 14:01:27 CDT Jun 11 2009
        This host: Primary - Active
                Active time: 387 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (172.20.50.16): Normal (Waiting)
                  Interface inside (172.20.40.16): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Unknown/Unknown)
                  Interface outside (172.20.50.17): Unknown (Waiting)
                  Interface inside (172.20.40.17): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

To answer your question - the failover interfaces are connected directly using a straight thru cable - the interfaces come 'up' long enough to synch and then immediately go down after a synch.

And yes we tried different cable(s) on the synch interface :o)

Thanks,

-Jeff

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: Thursday, June 11, 2009 1:16 PM
To: Jeff Wojciechowski; cisco-nsp at puck.nether.net
Subject: RE: ASA 5510 Configuration Replication Failure

Jeff,

It's hard to tell exactly what happened based on your post, can you do a 'show failover'?  When the ASA's are paired, you should only need to do a wr to save config on both.  Try erasing the config on the backup ASA, regenerate your RSA key with your new hostname (on the primary), re-enter the failover commands (on the standby) and see if it sync's up again.

You should consider moving away from 8.0(3), there are a number of publicized security risks with it.  The interim releases should have much fewer bugs as well.
As for the failover interface, are you using a crossover or does it connect to a switch?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Thursday, June 11, 2009 12:38 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA 5510 Configuration Replication Failure

Dearest List:

We are building a new active/standby ASA cluster with 5510's and the initial config synch went just fine. However, when we changed the hostname on the primary unit and did a 'write standby' I got the following:

VaultASA(config)# wr stan
Building configuration...
[OK]
VaultASA(config)#
Beginning configuration replication: Sending to mate.
Failover LAN Failed
Configuration Replication Failure

sh ver

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(5)

Another interesting point about this is that both units show the synch interface (E0/3 on both units in our case) with line protocol down.

VaultASA(config)# sh int e0/3
Interface Ethernet0/3 "failover", is down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Full-Duplex, 100 Mbps
        Description: LAN/STATE Failover Interface
        MAC address 0024.14d3.7b37, MTU 1500
        IP address x.x.x.x, subnet mask 255.255.255.0
        558 packets input, 49468 bytes, 0 no buffer
        Received 3 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        499 packets output, 71296 bytes, 0 underruns
        0 output errors, 0 collisions, 9 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/25) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "failover":
        558 packets input, 39264 bytes
        502 packets output, 59800 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
VaultASA(config)#

Ideas?

Thanks in advance.
Jeff

From Jeff.Wojciechowski at midlandpaper.com  Thu Jun 11 17:24:03 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Thu, 11 Jun 2009 16:24:03 -0500
Subject: [c-nsp] ASA 5510 Configuration Replication Failure
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E140124835C5305@zy-ex1.zyedge.local>
References: <6B8401A83219DF499C34DEAEE9A599921015AED7E9@XBOX.midlandpaper.com>
	<6E21B2BDEF6E714EA0B5BA8D5D0E140124835C52C6@zy-ex1.zyedge.local>
	<6B8401A83219DF499C34DEAEE9A599921015AED7FC@XBOX.midlandpaper.com>
	<6E21B2BDEF6E714EA0B5BA8D5D0E140124835C5305@zy-ex1.zyedge.local>
Message-ID: <6B8401A83219DF499C34DEAEE9A599921015AED808@XBOX.midlandpaper.com>

Ryan -

Solved... for now at least...

Still using straight thru cable for synch interface I upgraded to 8.21 - based on the following bug IDs:

CSCsu88174
CSCsw98373
CSCsy21727
CSCsz63217

For the record the sh run | inc fail:

failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.20.20.6 255.255.255.0 standby 172.20.20.7

and

failover lan unit secondary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.20.20.6 255.255.255.0 standby 172.20.20.7

Thanks again,

-Jeff

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: Thursday, June 11, 2009 4:17 PM
To: Jeff Wojciechowski
Cc: cisco-nsp at puck.nether.net
Subject: RE: ASA 5510 Configuration Replication Failure

Have you tried a crossover?  Can you post 'show run failover' ?  A console on the standby firewall might reveal something during the replication process too.

-ryan

From kgraham at industrial-marshmallow.com  Thu Jun 11 17:58:19 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Thu, 11 Jun 2009 14:58:19 -0700 (PDT)
Subject: [c-nsp] Location of 67xx rommon (c2lc-rm) images?
In-Reply-To: <4A3081B6.3040102@forthnet.gr>
References: <499643.28801.qm@web1215.biz.mail.gq1.yahoo.com>
	<4A3081B6.3040102@forthnet.gr>
Message-ID: <601566.41451.qm@web1206.biz.mail.gq1.yahoo.com>

> Do a search for "c2lc-rm2.srec.122-18r.S1"

Yep, thanks for the pointer. Wonderful that they made the site spider-friendly enough that:

http://www.google.com/search?q=site%3Acisco.com+c2lc-rm2

...returns 1 result. I was mostly trying to confirm that (18r)S1 was still the most current option so was hoping for a canonical location over a search result.

> and you'll find many download locations.

Indeed. 3 pages of download links for irrelevant permutations of supervisors and chassis combinations with release notes as the last result of the last page. Apparently the brilliant decisions for how to deliver support tools made c2lc is the exclusive "IOS rommon" for "6509E -> Sup720 w/ 10GbE uplinks"...

I admire the effort it must take to maintain such a friendly facade over such clear contempt for anyone actually using it.

From samantha at cairns.net.au  Thu Jun 11 20:13:24 2009
From: samantha at cairns.net.au (Samantha (Regional Connect))
Date: Fri, 12 Jun 2009 10:13:24 +1000
Subject: [c-nsp] Problem with config for 7206 acting as a lns
Message-ID: <02ee01c9eaf2$9a4a0fe0$cede2fa0$@net.au>

Hi

I have the radius issuing the following attribute (example)

lcp:interface-config#1=service-policy output 160
lcp:interface-config#1=service-policy input 2560

Now when the user authenticates it closes the connection on the user
If I remove the attributes from radius (shaping after a user has reached a download limit) they stay connected

boot system flash disk0:c7200-xxxxxxxxxxxx
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default group radius
aaa authorization network l2tp group radius
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
aaa accounting network l2tp start-stop group radius
aaa nas port extended
aaa pod server auth-type any server-key xxxxxxxxxxxxxxxxx
aaa session-id common
enable secret 5 $1$BSPX$QS0/XG/J8WmSW7attjsTC/
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
clock timezone GMT 10
ip subnet-zero
no ip source-route
!
!
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
ip cef
vpdn enable
vpdn multihop
vpdn aaa attribute nas-port vpdn-nas
vpdn logging
vpdn logging local
vpdn logging tunnel-drop
vpdn history failure table-size 50
vpdn session-limit 1000
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 lcp renegotiation always
 l2tp tunnel password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet1/0
 description LNS Link to Network
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 duplex full
 ipv6 address xxx.xxx.xxx.xxx /48
 ipv6 enable
 no cdp enable
!
interface FastEthernet2/0
 no ip address
 duplex full
 no cdp enable
 no mop enabled
!
interface FastEthernet2/0.1027
 encapsulation dot1Q 1027
 ip address 125.xxx.xxx.xxx 255.255.xxx.xxx
 no cdp enable
!
interface FastEthernet2/0.1028
 encapsulation dot1Q 1028
 ip address 125.xxx.xxx.xxx 255.255.xxx.xxx
 no cdp enable
!
interface Virtual-Template1
 description Customer DSL-Sessions via L2TP
 ip unnumbered FastEthernet1/0
 ip access-group 110 out
 peer default ip address pool default
 ppp authentication pap chap radius
 ppp authorization l2tp
 ppp accounting l2tp
 ppp multilink
!
router ospf 1
 router-id 202.xxx.xxx.xxx
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface FastEthernet2/0
 passive-interface FastEthernet2/0.1027
 passive-interface FastEthernet2/0.1028
 network 202.xxx.xxx.xxx 0.0.0.255 area 0.0.0.0
!
ip local pool default xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip route xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx FastEthernet1/0
no ip http server
!
!
access-list 110 permit ip any any
no cdp run
ipv6 route xxx.xxx.xxx.xxx 48 FastEthernet1/0
ipv6 route ::/0 xxx.xxx.xxx.xxx
!
snmp-server community public RO 99
snmp-server location Equinix Sydney
snmp-server contact xxx.xxx.xxx.xxx
snmp-server chassis-id lns1.c7206
snmp-server enable traps tty
!
!
radius-server configure-nas
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key xxxxxxxxxxx
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
ntp clock-period 17179650
ntp master 4
ntp server 192.189.54.17
ntp server 202.47.112.1
ntp server 192.189.54.65
!

Thanks

Sam

From BBlackford at nwresd.k12.or.us  Thu Jun 11 22:20:14 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Thu, 11 Jun 2009 19:20:14 -0700
Subject: [c-nsp] x6148 vs. x6548
Message-ID: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us>

I've recently learned that the ws-x6148-ge-tx has 6 gig ASICs, one for every 8 ports thusly rendering this line card to a 8:1 oversubscription ratio. I've also learned that an etherchannel is limited to 1 gig, great for redundancy, but slow as all get up.

I'm buying a ws-x6548-ge-tx in hope that it can do much better (I didn't have enough in my budget for a x6748).
How does the 6548 compare to the 6148? I have a pair of shiny new sup720-3bxl's.

Thank you for any insight from the field as Cisco's site seems best suited for the marketing of products.

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

my /home away from home

From cphillips at wbsconnect.com  Thu Jun 11 22:31:55 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Thu, 11 Jun 2009 19:31:55 -0700
Subject: [c-nsp] x6148 vs. x6548
In-Reply-To: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <4A31BE1B.4020702@wbsconnect.com>

Bill,

One caveat that jumps to mind is the max MTU of 1518 instead of the far more desirable 9216.  We ran into some MPLS VC issues with MTU mismatch that forced us to re-engineer and/or upgrade those blades.

Give this a read before you buy anything:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet0900aecd8017376e_ps4835_Products_Data_Sheet.html

Good luck with your decision.

Bill Blackford wrote:
> I've recently learned that the ws-x6148-ge-tx has 6 gig ASICs, one for every 8 ports thusly rendering this line card to a 8:1 oversubscription ratio. I've also learned that an etherchannel is limited to 1 gig, great for redundancy, but slow as all get up.
>
> I'm buying a ws-x6548-ge-tx in hope that it can do much better (I didn't have enough in my budget for a x6748). How does the 6548 compare to the 6148? I have a pair of shiny new sup720-3bxl's.
>
> Thank you for any insight from the field as Cisco's site seems best suited for the marketing of products.
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home
>

--
Chris Phillips

From ayourtch at gmail.com  Thu Jun 11 23:32:26 2009
From: ayourtch at gmail.com (Andrew Yourtchenko)
Date: Fri, 12 Jun 2009 05:32:26 +0200
Subject: [c-nsp] Cisco IP Phones and IPv6
In-Reply-To: <292AF25E62B8894C921B893B53A19D97394469E4CE@BUSINESSEX.business.ad>
References: <292AF25E62B8894C921B893B53A19D97394469E4CE@BUSINESSEX.business.ad>
Message-ID: <530c5af60906112032u29362a5ej97af9433e6f8c6a4@mail.gmail.com>

On Thu, Jun 11, 2009 at 2:00 PM, Skeeve Stevens wrote:
> Does anyone know if any of the SCCP or SIP images for any of the models of Cisco IP Phones support IPv6?

I found these two pointers, HTH:

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/firmware/8_5_2/english/release/notes/7900_852.html#wp159417

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmfeat/fsipv6.html

thanks,
andrew

>
> ...Skeeve
>
> --
> Skeeve Stevens, CEO/Technical Director
> eintellego Pty Ltd - The Networking Specialists
> skeeve at eintellego.net / www.eintellego.net
> Phone: 1300 753 383, Fax: (+612) 8572 9954
> Cell +61 (0)414 753 383 / skype://skeeve
> --
> NOC, NOC, who's there?
>
> Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced.
>

From mulitskiy at acedsl.com  Fri Jun 12 01:10:09 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Fri, 12 Jun 2009 01:10:09 -0400
Subject: [c-nsp] Problem with config for 7206 acting as a lns
In-Reply-To: <02ee01c9eaf2$9a4a0fe0$cede2fa0$@net.au>
References: <02ee01c9eaf2$9a4a0fe0$cede2fa0$@net.au>
Message-ID: <200906120110.09722.mulitskiy@acedsl.com>

There are no such policy-maps defined in your config. If you supply an undefined policy-map in radius VSA then cisco just drops the connection.

Michael

On Thursday 11 June 2009 08:13:24 pm Samantha (Regional Connect) wrote:
> Hi
>
> I have the radius issuing the following attribute (example)
>
> lcp:interface-config#1=service-policy output 160
> lcp:interface-config#1=service-policy input 2560
>
> Now when the user authenticates it closes the connection on the user
> If I remove the attributes from radius (shaping after a user has reached a
> download limit)
> they stay connected
>
>
> Thanks
>
>
> Sam
>

From tincan at gmail.com  Fri Jun 12 02:41:27 2009
From: tincan at gmail.com (Nate)
Date: Thu, 11 Jun 2009 23:41:27 -0700
Subject: [c-nsp] Nexus 5000 + Qlogic QLE8042 + VMware ESX 3.5?
Message-ID:

Has anyone gotten VMware ESX 3.5 Update 4 to recognize the Qlogic QLE8042 CNA with both the 10G Ethernet interface and FC HBA?

We're trying to get the server with the CNA installed connected to the Nexus 5000 and while the Ethernet interfaces are shown as up on the N5K, the VFC interfaces are stuck in init state. ESX does not appear to recognize the Qlogic as an HBA, even though we're using the latest driver from Qlogic.

We contacted VMware tech support and the answer we got back was that ESX will only recognize the Qlogic as an Ethernet interface, not HBA. That does not sound right, since I've recalled hearing others having success.

If anyone has successfully gotten the Qlogic CNA to work under VMware ESX as both an Ethernet and HBA, I would love to hear your experience.

TIA!

Nate

From erik at infopact.nl  Fri Jun 12 02:54:16 2009
From: erik at infopact.nl (E.
Versaevel)
Date: Fri, 12 Jun 2009 08:54:16 +0200
Subject: [c-nsp] Problem with config for 7206 acting as a lns
In-Reply-To: <02ee01c9eaf2$9a4a0fe0$cede2fa0$@net.au>
References: <02ee01c9eaf2$9a4a0fe0$cede2fa0$@net.au>
Message-ID: <4A31FB98.30008@infopact.nl>

You need to increment the sequence number:

> lcp:interface-config#1=service-policy output 160
> lcp:interface-config#2=service-policy input 2560

also make sure the service policies referred to are in your configuration :)

Samantha (Regional Connect) schreef:
> Hi
>
> I have the radius issuing the following attribute (example)
>
> lcp:interface-config#1=service-policy output 160
> lcp:interface-config#1=service-policy input 2560
>
> Now when the user authenticates it closes the connection on the user
> If I remove the attributes from radius (shaping after a user has reached a
> download limit)
> they stay connected
>
>
> Thanks
>
>
> Sam
>

Erik Versaevel

From narmaw at pertamina-ep.com  Fri Jun 12 03:35:54 2009
From: narmaw at pertamina-ep.com (Narma Wahyuadi)
Date: Fri, 12 Jun 2009 14:35:54 +0700
Subject: [c-nsp] cisco router for internet
Message-ID: <002801c9eb30$6c62c660$45285320$@com>

Could cisco router 2800 series work under BGP protocol for internet ?

thx

_____________________________________________________________________

Note: The information contained in this e-mail is intended only for the use of the individual or entity named above and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended party to receive the message and its attachment(s), you are hereby notified that any dissemination, distribution or copy of the message is strictly prohibited. Please immediately notify the sender and delete the message as soon as possible. Thank you for kind attention.
Note: The information contained in this e-mail is intended only for the use of the individual or group named above and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the party intended to receive this message and its attachment(s), you are hereby notified that any dissemination, distribution or copying of this message is strictly prohibited. Please notify the sender immediately and delete this message as soon as possible. Thank you for your attention. From Skeeve at eintellego.net Fri Jun 12 04:54:06 2009 From: Skeeve at eintellego.net (Skeeve Stevens) Date: Fri, 12 Jun 2009 18:54:06 +1000 Subject: [c-nsp] cisco router for internet In-Reply-To: <002801c9eb30$6c62c660$45285320$@com> References: <002801c9eb30$6c62c660$45285320$@com> Message-ID: <292AF25E62B8894C921B893B53A19D97394469E4E3@BUSINESSEX.business.ad> Yes... just not fast, but if you run a 2821/2852 with a gig of Ram, it can do multiple tables quite fine, it just takes a little while to fully load all the routes. A 2811 with 768 will also be fine. I wouldn't try a 2801... even with 512 it will be slow. ...Skeeve -- Skeeve Stevens, CEO/Technical Director eintellego Pty Ltd - The Networking Specialists skeeve at eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve -- NOC, NOC, who's there? > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Narma Wahyuadi > Sent: Friday, 12 June 2009 5:36 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] cisco router for internet > > Could cisco router 2800 series work under BGP protocol for internet ?
> > > > thx > >
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From lukasz at bromirski.net Fri Jun 12 05:18:35 2009 From: lukasz at bromirski.net (Łukasz Bromirski) Date: Fri, 12 Jun 2009 11:18:35 +0200 Subject: [c-nsp] full routing table / provider-class chassis In-Reply-To: <4A31548E.3080501@imperial.ac.uk> References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> Message-ID: <4A321D6B.4000300@bromirski.net> On 2009-06-11 21:01, Phil Mayers wrote: >> I would avoid the sup720, the rsp720 has 2x the ram and more > Obviously it's worth emphasising that the RSP720 is 7600-only, and from > posts on this list it's still not in general availability I think? True, the RSP is 7600-only, but only the RSP720-10GE waits for general availability until 12.2(33)SRE (due to HA issues, NSF/SSO is not yet supported). RSP720 is available. -- "Everything will be okay in the end. | Łukasz Bromirski If it's not okay, it's not the end. | http://lukasz.bromirski.net From s.ganschow at buelow-masiak.de Fri Jun 12 05:54:46 2009 From: s.ganschow at buelow-masiak.de (Sebastian Ganschow) Date: Fri, 12 Jun 2009 11:54:46 +0200 Subject: [c-nsp] clear ip pool Message-ID: Hi, we've got our ciscos configured that ip pool configuration is derived from our radius servers. In order to change the ip pool, I change the pool in the radius config. But our ciscos are still using the old ip pool. It seems like some caching issue. Is there any way to let the cisco forget the pool information and get it again from the radius server?
Thanks in advance Sebastian From rwest at zyedge.com Fri Jun 12 08:25:24 2009 From: rwest at zyedge.com (Ryan West) Date: Fri, 12 Jun 2009 08:25:24 -0400 Subject: [c-nsp] cisco router for internet In-Reply-To: <002801c9eb30$6c62c660$45285320$@com> References: <002801c9eb30$6c62c660$45285320$@com> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E140124835C531A@zy-ex1.zyedge.local> Hi. Depends on what you mean by work. A 2811 with 512 megs of RAM will handle multiple full feeds ok. It chugs when they are first sent, but will handle them fine. The question is really how many routes do you need from your provider. You may only need a default from one provider and customer routes from the other, in which case the default amount of RAM (256 on the 2811) would be just fine. Here is a 2811 with two full feeds:

mcrt01#show memory free
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   44D28460   711818144   304454336   407363808   406062736   406201608

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
x.x.x.x         4   174 2221937   39239  8509486    3    0 2w2d       282799
x.x.x.x         4   174   38978   39247  8509486    0    0 3w6d            1
x.x.x.x         4   701 1511250   78488  8509486    0    0 3w6d       281498

-ryan

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Narma Wahyuadi Sent: Friday, June 12, 2009 3:36 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] cisco router for internet Could cisco router 2800 series work under BGP protocol for internet ? thx _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From geoff at pendery.net Fri Jun 12 09:36:25 2009 From: geoff at pendery.net (Geoffrey Pendery) Date: Fri, 12 Jun 2009 08:36:25 -0500 Subject: [c-nsp] x6148 vs. x6548 In-Reply-To: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us> References: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: Well, with the 6548, you're still going to be limited to 8 Gbps, rather than 6 Gbps. It's a CEF256 card, which means it has an 8 Gbps fabric connection to the supervisor, instead of just sharing the 32 Gbps like the 6148 does. So if you're looking to drive more than a gig through an Etherchannel, it will do it, but only for a limited number of them. The 6748 would bump your bottleneck up to 40 Gbps. I have a question of my own, since this subject has come up a time or two - regarding the 6148's, the statement is made a couple times that Etherchannel will get you port redundancy but no extra bandwidth, since the ASIC is only a gig. But if I distribute my channel across two slots, say Gig 1/1 and Gig 2/1, does that get me around the gig limit?
Or even Gig 1/1 and Gig 1/48, since it's separate ASICs? Logic tells me yes, but I've heard the "1 gig limit" mentioned as if it's a hard platform limitation, not just a result of a particular bottleneck. My instinctive behavior with channels is to span them across blades anyway, to guard against blade failure.... -Geoff On Thu, Jun 11, 2009 at 9:20 PM, Bill Blackford wrote: > I've recently learned that the ws-x6148-ge-tx has 6 gig ASICs, one for every 8 ports thusly rendering this line card to an 8:1 oversubscription ratio. I've also learned that an etherchannel is limited to 1 gig, great for redundancy, but slow as all get up. > > I'm buying a ws-x6548-ge-tx in hope that it can do much better (I didn't have enough in my budget for a x6748). How does the 6548 compare to the 6148? I have a pair of shiny new sup720-3bxl's. > > Thank you for any insight from the field as Cisco's site seems best suited for the marketing of products. > > -b > > -- > Bill Blackford > Senior Network Engineer > Technology Systems Group > Northwest Regional ESD > > my /home away from home > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From will at thoughtcrime.net Fri Jun 12 09:42:11 2009 From: will at thoughtcrime.net (Byrd, William) Date: Fri, 12 Jun 2009 08:42:11 -0500 (CDT) Subject: [c-nsp] A question about TACACS+ and controlling command use Message-ID: <1244814131.v2.mailanyonewebmail-222491@fuse114> I've done a lot of thinking and searching on this problem and I haven't been able to figure out any way to solve it. The rest of the Engineers here have come to the conclusion it just can't be done. We have a pretty large deployment of Cisco 7200's with the vast majority being carded out with PA-MC-2T3 cards. Typically a customer will order a DS1 or several DS1's which will be delivered MLPPP to the customer.
As we do not currently have any automation tools in place to provision or remove old provisioning for customers we frequently end up in situations where a technician building or removing a customer has shut down a DS3 and taken down a lot of customers. The obvious answer is to restrict the use of the shutdown command. Unfortunately the technicians that often make the mistakes have to be able to use the command to shut down Serial or Ethernet interfaces in the course of their work. As TACACS is setup to basically permit or deny the use of the command I can't find a way to restrict it on say a T3 controller but permit it for everything else; example:

cmd = no {
    permit ^shutdown.$
    deny .*
}
cmd = shutdown {
    permit .*
}

Anyone ever deal with a similar problem and find a good solution to it? -Will From BBlackford at nwresd.k12.or.us Fri Jun 12 09:51:17 2009 From: BBlackford at nwresd.k12.or.us (Bill Blackford) Date: Fri, 12 Jun 2009 06:51:17 -0700 Subject: [c-nsp] x6148 vs. x6548 In-Reply-To: References: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: <6069A203FD01884885C037F81DD7508016CE1890F4@wsc-mail-01.intra.nwresd.k12.or.us> Your question is one of mine as well. I plan to form EC's across the 6548 and a 6516-GBIC (yes copper and fiber). So does this essentially mean that every 6 ports has its own gig ASIC? So, I'd have to stagger like: 1/1, 1/7, 1/13, etc.? Now, if what you're reporting is correct (I'm sure it is), then I'm not getting much more benefit going with the 6548. I know I can only get a standard MTU with this line card as well. I could consider the 6148A if I really wanted jumbo's, but that's not very high on my list of wants. The 6748 is out of budget range at this time unfortunately. Thanks for your input.
-b -----Original Message----- From: gpendery at gmail.com [mailto:gpendery at gmail.com] On Behalf Of Geoffrey Pendery Sent: Friday, June 12, 2009 6:36 AM To: Bill Blackford Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] x6148 vs. x6548 Well, with the 6548, you're still going to be limited to 8 Gbps, rather than 6 Gbps. It's a CEF256 card, which means it has an 8 Gbps fabric connection to the supervisor, instead of just sharing the 32 Gbps like the 6148 does. So if you're looking to drive more than a gig through an Etherchannel, it will do it, but only for a limited number of them. The 6748 would bump your bottleneck up to 40 Gbps. I have a question of my own, since this subject has come up a time or two - regarding the 6148's, the statement is made a couple times that Etherchannel will get you port redundancy but no extra bandwidth, since the ASIC is only a gig. But if I distribute my channel across two slots, say Gig 1/1 and Gig 2/1, does that get me around the gig limit? Or even Gig 1/1 and Gig 1/48, since it's separate ASICs? Logic tells me yes, but I've heard the "1 gig limit" mentioned as if it's a hard platform limitation, not just a result of a particular bottleneck. My instinctive behavior with channels is to span them across blades anyway, to guard against blade failure.... -Geoff On Thu, Jun 11, 2009 at 9:20 PM, Bill Blackford wrote: > I've recently learned that the ws-x6148-ge-tx has 6 gig ASICs, one for every 8 ports thusly rendering this line card to a 8:1 oversubscription ratio. I've also learned that an etherchannel is limited to 1 gig, great for redundancy, but slow as all get up. > > I'm buying a ws-x6548-ge-tx in hope that it can do much better (I didn't have enough in my budget for a x6748). How does the 6548 compare to the 6148? I have a pair of shiny new sup720-3bxl's. > > Thank you for any insight from the field as Cisco's site seems best suited for the marketing of products. 
> > -b > > -- > Bill Blackford > Senior Network Engineer > Technology Systems Group > Northwest Regional ESD > > my /home away from home > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From Ian.Mackinnon at lumison.net Fri Jun 12 09:54:01 2009 From: Ian.Mackinnon at lumison.net (Ian MacKinnon) Date: Fri, 12 Jun 2009 14:54:01 +0100 Subject: [c-nsp] A question about TACACS+ and controlling command use In-Reply-To: <1244814131.v2.mailanyonewebmail-222491@fuse114> References: <1244814131.v2.mailanyonewebmail-222491@fuse114> Message-ID: Don't know if this would work, but why not bar them from the controller command instead. I.e.

Conf t
Controller T3 1/0   -----Block this command
shut

> -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Byrd, William > Sent: 12 June 2009 14:42 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] A question about TACACS+ and controlling command use > > I've done a lot of thinking and searching on this problem and I haven't > been able to figure out any way to solve it. The rest of the Engineers > here have come to the conclusion it just can't be done. > > We have a pretty large deployment of Cisco 7200's with the vast > majority > being carded out with PA-MC-2T3 cards. Typically a customer will order > a > DS1 or several DS1's which will be delivered MLPPP to the customer. > > As we do not currently have any automation tools in place to provision > or > remove old provisioning for customers we frequently end up in > situations > where a technician building or removing a customer has shutdown a DS3 > and > taken down a lot of customers. > > The obvious answer is to restrict the use of the shutdown command.
> Unfortunately the technicians that often make the mistakes have to be > able > to use the command to shut down Serial or Ethernet interfaces in the > course of their work. > > As TACACS is setup to basically permit or deny the use of the command I > can't find a way to restrict it on say a T3 controller but permit it > for > everything else; example: > > cmd = no > { > permit ^shutdown.$ > deny .* > > cmd = shutdown > { > permit .* > } > > Anyone ever deal with a similar problem and find a good solution to it? > > -Will > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. From will at thoughtcrime.net Fri Jun 12 09:56:56 2009 From: will at thoughtcrime.net (Byrd, William) Date: Fri, 12 Jun 2009 08:56:56 -0500 (CDT) Subject: [c-nsp] A question about TACACS+ and controlling command use Message-ID: <1244815016.v2.mailanyonewebmail-222491@fuse113> Unfortunately since they need access to build channel-groups for customer DS1 transport this isn't an option. 
:-( -Will ----- Original Message ----- From: "Ian MacKinnon" Sent: Fri, June 12, 2009 9:54 Subject:RE: [c-nsp] A question about TACACS+ and controlling command use Don't know if this would work, but why not bar them from the controller command instead Ie Conf t Controller T3 1/0 -----Block this command shut > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Byrd, William > Sent: 12 June 2009 14:42 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] A question about TACACS+ and controlling command use > > I've done a lot of thinking and searching on this problem and I haven't > been able to figure out any way to solve it. The rest of the Engineers > here have come to the conclusion it just can't be done. > > We have a pretty large deployment of Cisco 7200's with the vast > majority > being carded out with PA-MC-2T3 cards. Typically a customer will order > a > DS1 or several DS1's which will be delivered MLPPP to the customer. > > As we do not currently have any automation tools in place to provision > or > remove old provisioning for customers we frequently end up in > situations > where a technician building or removing a customer has shutdown a DS3 > and > taken down a lot of customers. > > The obvious answer is to restrict the use of the shutdown command. > Unfortunately the technicians that often make the mistakes have to be > able > to use the command to shut down Serial or Ethernet interfaces in the > course of their work. > > As TACACS is setup to basically permit or deny the use of the command I > can't find a way to restrict it on say a T3 controller but permit it > for > everything else; example: > > cmd = no > { > permit ^shutdown.$ > deny .* > > cmd = shutdown > { > permit .* > } > > Anyone ever deal with a similar problem and find a good solution to it? 
> > -Will > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ ----- End of original message ----- From jared at puck.nether.net Fri Jun 12 11:33:23 2009 From: jared at puck.nether.net (Jared Mauch) Date: Fri, 12 Jun 2009 11:33:23 -0400 Subject: [c-nsp] x6148 vs. x6548 In-Reply-To: <6069A203FD01884885C037F81DD7508016CE1890F4@wsc-mail-01.intra.nwresd.k12.or.us> References: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us> <6069A203FD01884885C037F81DD7508016CE1890F4@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: On Jun 12, 2009, at 9:51 AM, Bill Blackford wrote: > Your question is one of mine as well. I plan to form EC's across the > 6548 and a 6516-GBIC (yes copper and fiber). > > So does this essentially mean that every 6 ports has its own gig > ASIC? So, I'd have to stagger like: 1/1, 1/7, 1/13, etc.? You can see the port ASIC mapping with the following command: (note the 1-12 or 1-8 grouping)

Router#show interfaces f3/1 capabilities
FastEthernet3/1
  Dot1x:                 yes
  Model:                 WS-X6348-RJ-45
  Type:                  10/100BaseTX
  Speed:                 10,100,auto
  Duplex:                half,full
  Trunk encap. type:     802.1Q,ISL
  Trunk mode:            on,off,desirable,nonegotiate
  Channel:               yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol:           rx-(off,on),tx-(none)
  Membership:            static
  Fast Start:            yes
  QOS scheduling:        rx-(1q4t), tx-(2q2t)
  CoS rewrite:           yes
  ToS rewrite:           yes
  Inline power:          no
  SPAN:                  source/destination
  UDLD                   yes
  Link Debounce:         yes
  Link Debounce Time:    no
  Ports on ASIC:         1-12
  Port-Security:         yes

Router#sh int g1/1 cap
GigabitEthernet1/1
  Model:                 WS-X6416-GBIC
  Type:                  1000BaseSX
  Speed:                 1000
  Duplex:                full
  Trunk encap. type:     802.1Q,ISL
  Trunk mode:            on,off,desirable,nonegotiate
  Channel:               yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol:           rx-(off,on,desired),tx-(off,on,desired)
  Membership:            static
  Fast Start:            yes
  QOS scheduling:        rx-(1p1q4t), tx-(1p2q2t)
  QOS queueing mode:     rx-(cos), tx-(cos)
  CoS rewrite:           yes
  ToS rewrite:           yes
  Inline power:          no
  SPAN:                  source/destination
  UDLD                   yes
  Link Debounce:         yes
  Link Debounce Time:    yes
  Ports on ASIC:         1-8
  Remote switch uplink:  yes
  Dot1x:                 yes
  Port-Security:         yes

From kloch at kl.net Fri Jun 12 11:42:45 2009 From: kloch at kl.net (Kevin Loch) Date: Fri, 12 Jun 2009 11:42:45 -0400 Subject: [c-nsp] full routing table / provider-class chassis In-Reply-To: <4A31548E.3080501@imperial.ac.uk> References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> Message-ID: <4A327775.8050800@kl.net> Phil Mayers wrote: > Kevin Loch wrote: > >>> >>> Unfortunately, Cisco's partners are useless. They propose 6509s >>> without the DFCs, which we know will fall over. >> >> Well that depends... >> >> The DFC's only do next-hop (tcam) lookups and netflow. All packets are >> switched on the centralized PFC. Each line card has two 20Gbit/s > > Łukasz has already addressed this; suffice to say he's right, and the > above is not correct. A TCAM lookup *is* the forwarding operation, and > the DFC has all information required locally to switch the packet (via > the fabric) to the output linecard, and does so.
After re-reading this: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html I shouldn't have said PFC. The fabric is on the supervisor card itself not the PFC. What I meant was the packet is always sent to the centralized switch fabric on the active supervisor card regardless of where the lookups/acl are done. The important point is that the lookup limitations (mpps) are different than the fabric bandwidth limitations (gbps) because of how these functions are separated on the cef720/dcef720 platform. A 6509 should not "fall over without DFC's" unless you are doing more than 30mpps. That is 15gbit/s of 64 byte packets or 360gbit/s of 1500 byte packets. - Kevin From petelists at templin.org Fri Jun 12 11:34:14 2009 From: petelists at templin.org (Pete Templin) Date: Fri, 12 Jun 2009 10:34:14 -0500 Subject: [c-nsp] x6148 vs. x6548 In-Reply-To: References: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: <4A327576.4040004@templin.org> Geoffrey Pendery wrote: > I have a question of my own, since this subject has come up a time or > two - regarding the 6148's, the statement is made a couple times > that Etherchannel will get you port redundancy but no extra > bandwidth, since the ASIC is only a gig. But if I distribute my > channel across two slots, say Gig 1/1 and Gig 2/1, does that get me > around the gig limit? Or even Gig 1/1 and Gig 1/48, since it's > separate ASICs? Logic tells me yes, but I've heard the "1 gig limit" > mentioned as if it's a hard platform limitation, not just a result of > a particular bottleneck. My instinctive behavior with channels is to > span them across blades anyway, to guard against blade failure.... 
My understanding (since my google-fu won't find a quickie answer at the moment) is that 6148s copy any EtherChannel frames to every ASIC on the card, so you can get to 2G by spreading over two cards, but you're still limited to 1G no matter how many controllers you cover within a 6148. :( We've updated the banners on all relevant 6148-loaded chassis to remind folks to never build EtherChannels on those cards. Oh well... pt From Jeff.Wojciechowski at midlandpaper.com Fri Jun 12 12:07:23 2009 From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski) Date: Fri, 12 Jun 2009 11:07:23 -0500 Subject: [c-nsp] ASA 5510 Configuration Replication Failure In-Reply-To: <6B8401A83219DF499C34DEAEE9A599921015AED808@XBOX.midlandpaper.com> References: <6B8401A83219DF499C34DEAEE9A599921015AED7E9@XBOX.midlandpaper.com> <6E21B2BDEF6E714EA0B5BA8D5D0E140124835C52C6@zy-ex1.zyedge.local> <6B8401A83219DF499C34DEAEE9A599921015AED7FC@XBOX.midlandpaper.com> <6E21B2BDEF6E714EA0B5BA8D5D0E140124835C5305@zy-ex1.zyedge.local> <6B8401A83219DF499C34DEAEE9A599921015AED808@XBOX.midlandpaper.com> Message-ID: <6B8401A83219DF499C34DEAEE9A599921015AED811@XBOX.midlandpaper.com> OK - found the REAL issue now. My standby unit turned into a brick on me :o) I actually SAW it happen. All the link lights went out at once. Thanks again for the help. -Jeff -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wojciechowski Sent: Thursday, June 11, 2009 4:24 PM To: Ryan West Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ASA 5510 Configuration Replication Failure Ryan - Solved... for now at least...
Still using straight thru cable for synch interface. I upgraded to 8.21 - based on the following bug IDs: CSCsu88174 CSCsw98373 CSCsy21727 CSCsz63217 For the record the sh run | inc fail:

failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.20.20.6 255.255.255.0 standby 172.20.20.7

and

failover lan unit secondary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.20.20.6 255.255.255.0 standby 172.20.20.7

Thanks again, -Jeff -----Original Message----- From: Ryan West [mailto:rwest at zyedge.com] Sent: Thursday, June 11, 2009 4:17 PM To: Jeff Wojciechowski Cc: cisco-nsp at puck.nether.net Subject: RE: ASA 5510 Configuration Replication Failure Have you tried a crossover? Can you post 'show run failover' ? A console on the standby firewall might reveal something during the replication process too. -ryan _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ip at ioshints.info Fri Jun 12 12:36:42 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Fri, 12 Jun 2009 18:36:42 +0200 Subject: [c-nsp] A question about TACACS+ and controlling command use In-Reply-To: <1244814131.v2.mailanyonewebmail-222491@fuse114> References: <1244814131.v2.mailanyonewebmail-222491@fuse114> Message-ID: <001201c9eb7b$f89db680$0a00000a@nil.si> > The obvious answer is to restrict the use of the shutdown command. > Unfortunately the technicians that often make the mistakes > have to be able to use the command to shut down Serial or > Ethernet interfaces in the course of their work.
Something along the lines of these EEM Tcl policies: http://wiki.nil.com/Display_configuration_sections_while_configuring_the_router Write one Tcl policy that recognizes the interface name and saves it with appl_setinfo. The other Tcl policy should recognize the "shutdown" command, retrieve the saved interface name and check it. Not too elegant, but working. Ivan http://www.ioshints.info/about http://blog.ioshints.info/ From mulitskiy at acedsl.com Fri Jun 12 12:46:01 2009 From: mulitskiy at acedsl.com (Michael Ulitskiy) Date: Fri, 12 Jun 2009 12:46:01 -0400 Subject: [c-nsp] x6148 vs. x6548 In-Reply-To: <4A327576.4040004@templin.org> References: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us> <4A327576.4040004@templin.org> Message-ID: <200906121246.01415.mulitskiy@acedsl.com> On Friday 12 June 2009 11:34:14 am Pete Templin wrote: > Geoffrey Pendery wrote: > > > I have a question of my own, since this subject has come up a time or > > two - regarding the 6148's, the statement is made a couple times > > that Etherchannel will get you port redundancy but no extra > > bandwidth, since the ASIC is only a gig. But if I distribute my > > channel across two slots, say Gig 1/1 and Gig 2/1, does that get me > > around the gig limit? Or even Gig 1/1 and Gig 1/48, since it's > > separate ASICs? Logic tells me yes, but I've heard the "1 gig limit" > > mentioned as if it's a hard platform limitation, not just a result of > > a particular bottleneck. My instinctive behavior with channels is to > > span them across blades anyway, to guard against blade failure.... > > My understanding (since my google-fu won't find a quickie answer at the > moment) is that 6148s copy any EtherChannel frames to every ASIC on the > card, so you can get to 2G by spreading over two cards, but you're still > limited to 1G no matter how many controllers you cover within a 6148.
:( > > We've updated the banners on all relevant 6148-loaded chassis to remind > folks to never build EtherChannels on those cards. Oh well... My understanding was that every EtherChannel frame is delivered (by Sup) to every ASIC involved (has a port) in EtherChannel regardless of which card it is on. So you can't get more than 1G even if you distribute your EtherChannel over several cards. Am I wrong? Michael From tstevens at cisco.com Fri Jun 12 14:22:00 2009 From: tstevens at cisco.com (Tim Stevenson) Date: Fri, 12 Jun 2009 11:22:00 -0700 Subject: [c-nsp] x6148 vs. x6548 In-Reply-To: <200906121246.01415.mulitskiy@acedsl.com> References: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us> <4A327576.4040004@templin.org> <200906121246.01415.mulitskiy@acedsl.com> Message-ID: <200906121822.n5CIM8vC018410@sj-core-2.cisco.com> You are correct. That only applies to the 6148. Originally it also applied to the 6548 as well, but that limitation was removed later by s/w optimizations in the LTL programming scheme. So you *can* get more than 1G thru an etherchannel with 6548s, but of course, you still can only get 1G max thru a given port group on the card. All the other restrictions of the 6148 (eg, no jumbos) still apply to 6548. HTH, Tim At 09:46 AM 6/12/2009, Michael Ulitskiy muttered: >On Friday 12 June 2009 11:34:14 am Pete Templin wrote: > > Geoffrey Pendery wrote: > > > > > I have a question of my own, since this subject has come up a time or > > > two - regarding the 6148's, the statement is made a couple times > > > that Etherchannel will get you port redundancy but no extra > > > bandwidth, since the ASIC is only a gig. But if I distribute my > > > channel across two slots, say Gig 1/1 and Gig 2/1, does that get me > > > around the gig limit? Or even Gig 1/1 and Gig 1/48, since it's > > > separate ASICs? 
Logic tells me yes, but I've heard the "1 gig limit" > > > mentioned as if it's a hard platform limitation, not just a result of > > > a particular bottleneck. My instinctive behavior with channels is to > > > span them across blades anyway, to guard against blade failure.... > > > > My understanding (since my google-fu won't find a quickie answer at the > > moment) is that 6148s copy any EtherChannel frames to every ASIC on the > > card, so you can get to 2G by spreading over two cards, but you're still > > limited to 1G no matter no many controllers you cover within a 6148. :( > > > > We've updated the banners on all relevant 6148-loaded chassis to remind > > folks to never build EtherChannels on those cards. Oh well... > >My understanding was that every EtherChannel frame is delivered (by >Sup) to every >ASIC involved (has a port) in EtherChannel regardless of which card it is on. >So you can't get more than 1G even if you distribute your >EtherChannel over several cards. >Am I wrong? > >Michael >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at >http://puck.nether.net/pipermail/cisco-nsp/ Tim Stevenson, tstevens at cisco.com Routing & Switching CCIE #5561 Technical Marketing Engineer, Cisco Nexus 7000 Cisco - http://www.cisco.com IP Phone: 408-526-6759 ******************************************************** The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only. 
From jrhett at netconsonance.com Fri Jun 12 15:58:36 2009
From: jrhett at netconsonance.com (Jo Rhett)
Date: Fri, 12 Jun 2009 12:58:36 -0700
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <4A327775.8050800@kl.net>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net>
Message-ID:

On Jun 12, 2009, at 8:42 AM, Kevin Loch wrote:
>> Łukasz has already addressed this; suffice to say he's right, and
>> the above is not correct. A TCAM lookup *is* the forwarding
>> operation, and the DFC has all information required locally to
>> switch the packet (via the fabric) to the output linecard, and does
>> so.
>
> I shouldn't have said PFC. The fabric is on the supervisor card itself
> not the PFC. What I meant was the packet is always sent to the
> centralized switch fabric on the active supervisor card regardless of
> where the lookups/acl are done.

Just for information, I know very intimately how this stuff works and
don't need you to explain it to me. I haven't objected yet because
others might find this interesting. (and FYI, your last sentence is
wrong too if DFCs exist on each card)

> The important point is that the lookup limitations (mpps) are
> different than the fabric bandwidth limitations (gbps) because of how
> these functions are separated on the cef720/dcef720 platform.
>
> A 6509 should not "fall over without DFC's" unless you are doing more
> than 30mpps. That is 15gbit/s of 64 byte packets or 360gbit/s of
> 1500 byte packets.

Sorry, let me back up and explain again. I've been dealing with Cisco
for 20 years now. And I very well know Cisco's ability to
super-inflate their packet handling ability. And specifically, I have
run 6509 systems into the ground with a mere 500mb/sec of traffic.
Their whole MPPS statistics are based on perfect-world scenarios that
don't exist. And honestly, I have on 5 different occasions had the
opportunity to push Cisco to prove those numbers, and they have failed
to do so IN A LAB THEY DESIGNED JUST TO DO SO. So ... yeah. Don't go
believing those statistics.

Now let's talk about reality: 1/10 inbound/outbound ratios, 5% of
received traffic is Internet cruft requiring (wasted) TCAM lookups,
etc and such forth than any provider peering router observes, and
you're down to a much lower ratio. Fail to install DFCs and you'll
find your 6509s falling over with just a few gigabits of traffic.
30mpps versus 48mpps gives an illusion that DFCs only give you another
50%, but that's not reality on the ground. Don't try and persuade me
otherwise, I've seen this repeatedly in real life environments.

Now, let's stop talking about non-DFC cards and start talking about
equipment which can handle uRPF on every port, full Netflow analysis
of up to 8 ports at a time, every port layer 3, every port filtered,
colo facility core/peering.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

From ross at kallisti.us Fri Jun 12 16:52:02 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Fri, 12 Jun 2009 16:52:02 -0400
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <4A327775.8050800@kl.net>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net>
Message-ID: <20090612205202.GC10390@kallisti.us>

On Fri, Jun 12, 2009 at 11:42:45AM -0400, Kevin Loch wrote:
> A 6509 should not "fall over without DFC's" unless you are doing more
> than 30mpps. That is 15gbit/s of 64 byte packets or 360gbit/s of
> 1500 byte packets.

Hah, keep drinking the Kool-Aid! I have a pair of 6500s ready to fall
over at about 150kpps. All WS-67xx LAN cards with DFCs. CPU averages
60% and often maxes. TAC says that this is within the parameters of
normal performance given the role as datacenter aggregation routers.

No netflow, no uRPF, no multicast, no IPv6, no BFD, no MPLS, no ACLs
in the forwarding plane. Very basic OSPF, BGP, and MSTP. About 2000
VLANs, 80% of which have associated layer 3 SVIs.

On the other hand, I have other 6500s with identical hardware
inventory and almost identical config where performance is a complete
non-issue. I've seen a 6500 in a near-optimal situation switch
2-3Mpps. I'll believe 30Mpps when I see a 7200 NPE-G1 hit 1Mpps :)

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

From scubacuda at gmail.com Fri Jun 12 17:09:54 2009
From: scubacuda at gmail.com (Rogelio)
Date: Fri, 12 Jun 2009 14:09:54 -0700
Subject: [c-nsp] LACP + Wi-Fi = ghettofabulous big wireless pipes?
Message-ID: <4A32C422.6030509@gmail.com>

I've got several outdoor Wi-Fi radios that I would like to configure in a
PtP configuration on multiple 802.11a channels.

My question to the list is, "Can I use LACP on each end (via a network
switch) to aggregate those PtP connections into one virtual connection?"

e.g. http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a0080094470.shtml

So, instead of using ethernet to each switch, I'm connecting an ethernet
cable from my switch into the 100 Mbps LIM of the radio node, creating a
PtP link across an area, then coming out that other radio's 100 Mbps LIM
via ethernet into another LACP-friendly switch.

So, on each port, there is something like...

switch->ethernet->radio-> 5 GHz PtP link->radio->ethernet->switch

Any feedback on this?
From peter at rathlev.dk Fri Jun 12 18:03:13 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 13 Jun 2009 00:03:13 +0200
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To:
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net>
Message-ID: <1244844193.9252.17.camel@localhost.localdomain>

On Fri, 2009-06-12 at 12:58 -0700, Jo Rhett wrote:
> Now let's talk about reality: 1/10 inbound/outbound ratios, 5% of
> received traffic is Internet cruft requiring (wasted) TCAM lookups,
> etc and such forth than any provider peering router observes, and
> you're down to a much lower ratio. Fail to install DFCs and you'll
> find your 6509s falling over with just a few gigabits of traffic.
> 30mpps versus 48mpps gives an illusion that DFCs only give you another
> 50%, but that's not reality on the ground. Don't try and persuade me
> otherwise, I've seen this repeatedly in real life environments.

I tend to agree with this (and your points generally btw), especially
when looking carefully at the subject of this thread. I'd still say "it
depends" though. Sometimes a non DFC enabled box would do the job fine.
It's (mostly) not like the box dies doing nothing. :-)

I would even suspect that many C6k/Sup720s are probably using very
little of their capacity. It's targeted at the enterprise, and I've seen
3BXL boxes in 6 node networks with ~ 50 prefixes in OSPF and nothing
else. I would therefore say that _sometimes_ someone from Cisco or a
partner might upsell a little. The people that are genuinely worried
about the performance would also know what to do about it and where to
look for alternatives.

> Now, let's stop talking about non-DFC cards and start talking about
> equipment which can handle uRPF on every port, full Netflow analysis
> of up to 8 ports at a time, every port layer 3, every port filtered,
> colo facility core/peering.

If this is the target then 6500/7600 isn't really the best tool IMHO.

Regards,
Peter

From irsk.inc at gmail.com Fri Jun 12 18:20:10 2009
From: irsk.inc at gmail.com (Rishi Kochar)
Date: Fri, 12 Jun 2009 17:20:10 -0500
Subject: [c-nsp] EEM - action syslog working but action cli command working
In-Reply-To: <744b72620906121505o673e2e3cu57dbd973941c2f58@mail.gmail.com>
References: <744b72620906121505o673e2e3cu57dbd973941c2f58@mail.gmail.com>
Message-ID: <744b72620906121520i7c74feb6g5cea15d4a7dfd409@mail.gmail.com>

Hi

I am trying to develop a small EEM applet to test shut a port when an
event on the port occurs.

The script i have written is

event manager applet EMSHUT
 event syslog occurs 1 pattern
 action 1.0 syslog priority emergencies msg "HELLO"
 action 1.1 cli command "enable"
 action 1.2 cli command "conf t"
 action 1.3 cli command "voice-port 0/1/1"
 action 1.4 cli command "shut"

This script is printing HELLO in syslogs but won't shut down the
voice-port.

Any help on this will be highly appreciated

Thanks
Inder

From tom at netspot.com.au Fri Jun 12 22:27:53 2009
From: tom at netspot.com.au (Tom Lanyon)
Date: Sat, 13 Jun 2009 11:57:53 +0930
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <1244844193.9252.17.camel@localhost.localdomain>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <1244844193.9252.17.camel@localhost.localdomain>
Message-ID:

On 13/06/2009, at 7:33 AM, Peter Rathlev wrote:
>> Now, let's stop talking about non-DFC cards and start talking about
>> equipment which can handle uRPF on every port, full Netflow analysis
>> of up to 8 ports at a time, every port layer 3, every port filtered,
>> colo facility core/peering.
>
> If this is the target then 6500/7600 isn't really the best tool IMHO.

Was the original intention of this thread not to find out exactly what
*is* the best tool for the above scenario? :)

Regards,
Tom

From rdobbins at arbor.net Fri Jun 12 23:40:11 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Sat, 13 Jun 2009 10:40:11 +0700
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <20090612205202.GC10390@kallisti.us>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <20090612205202.GC10390@kallisti.us>
Message-ID: <6C53A0D1-AD1F-4365-9125-3EDBA1EB64AC@arbor.net>

On Jun 13, 2009, at 3:52 AM, Ross Vandegrift wrote:
> I have a pair of 6500s ready to fall over at about 150kpps.

It sounds as if you've a lot of stuff being punted, which should bear
further investigation.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From rdobbins at arbor.net Fri Jun 12 23:43:51 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Sat, 13 Jun 2009 10:43:51 +0700
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To:
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <1244844193.9252.17.camel@localhost.localdomain>
Message-ID:

On Jun 13, 2009, at 9:27 AM, Tom Lanyon wrote:
> Was the original intention of this thread not to find out exactly
> what *is* the best tool for the above scenario? :)

GSR w/E3 or E5 LCs, ASR 1K, CRS-1, or N7K, depending upon the
circumstances (note initial FIB-size limitation on N7K; I don't know if
newer hardware has yet been introduced which raises this ceiling, Tim
or someone else with clue will surely clarify).

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.
-- Kevin Lawton

From ip at ioshints.info Sat Jun 13 01:21:07 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Sat, 13 Jun 2009 07:21:07 +0200
Subject: [c-nsp] EEM - action syslog working but action cli command working
In-Reply-To: <744b72620906121520i7c74feb6g5cea15d4a7dfd409@mail.gmail.com>
References: <744b72620906121505o673e2e3cu57dbd973941c2f58@mail.gmail.com> <744b72620906121520i7c74feb6g5cea15d4a7dfd409@mail.gmail.com>
Message-ID: <005901c9ebe6$c21e4960$0a00000a@nil.si>

Could be yet another prompt-related EEM bug. See

http://blog.ioshints.info/2008/02/fix-bugs-in-eem-action-cli.html
http://blog.ioshints.info/2007/12/execute-cli-commands-with-prompts-in.html

Use the EEM debugging (debug event man action cli) to verify what's going on.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Rishi Kochar [mailto:irsk.inc at gmail.com]
> Sent: Saturday, June 13, 2009 12:20 AM
> To: cisco-nsp
> Subject: [c-nsp] EEM - action syslog working but action cli
> command working
>
> Hi
>
> I am trying to develop a small EEM applet to test shut a port
> when an event on the port occurs.
>
> The script i have written is
> event manager applet EMSHUT
> event syslog occurs 1 pattern action 1.0 syslog
> priority emergencies msg "HELLO"
> action 1.1 cli command "enable"
> action 1.2 cli command "conf t"
> action 1.3 cli command "voice-port 0/1/1"
> action 1.4 cli command "shut"
>
>
> This script is printing HELLO in syslogs but won't shut down
> the voice-port.
>
> Any help on this will be highly appreciated
>
> Thanks
> Inder
>

From jrhett at netconsonance.com Sat Jun 13 01:34:11 2009
From: jrhett at netconsonance.com (Jo Rhett)
Date: Fri, 12 Jun 2009 22:34:11 -0700
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <1244844193.9252.17.camel@localhost.localdomain>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <1244844193.9252.17.camel@localhost.localdomain>
Message-ID:

>> Now, let's stop talking about non-DFC cards and start talking about
>> equipment which can handle uRPF on every port, full Netflow analysis
>> of up to 8 ports at a time, every port layer 3, every port filtered,
>> colo facility core/peering.

On Jun 12, 2009, at 3:03 PM, Peter Rathlev wrote:
> If this is the target then 6500/7600 isn't really the best tool IMHO.

I suspected as much. Honestly, I'm aiming for an MX480 ;-) But I need
to determine the comparable Cisco product(s) and get them listed on the
comparison sheet.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

From lukasz at bromirski.net Sat Jun 13 07:20:35 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 13 Jun 2009 13:20:35 +0200
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <20090612205202.GC10390@kallisti.us>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <20090612205202.GC10390@kallisti.us>
Message-ID: <4A338B83.2010405@bromirski.net>

On 2009-06-12 22:52, Ross Vandegrift wrote:
> No netflow, no uRPF, no multicast, no IPv6, no BFD, no MPLS, no ACLs
> in the forwarding plane. Very basic OSPF, BGP, and MSTP. About 2000
> VLANs, 80% of which have associated layer 3 SVIs.

Something is killing the CPU with that config though, just as Roland
remarked. You should escalate that with TAC, or use CoPP to lower the
load RP is taking and look for root cause.

> On the other hand, I have other 6500s with identical hardware
> inventory and almost identical config where performance is a complete
> non-issue. I've seen a 6500 in a near-optimal situation switch
> 2-3Mpps. I'll believe 30Mpps when I see a 7200 NPE-G1 hit 1Mpps :)

A couple of people on this list claimed they have 6500s doing a
200-300Mpps without a problem, search the archives. I'm logged via SSH
to a 6500 that is doing over 80Mpps right now and load stays at 2-5%,
with ACLs, uRPF, three full BGP feeds and some QoS.

-- 
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From lukasz at bromirski.net Sat Jun 13 07:23:13 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 13 Jun 2009 13:23:13 +0200
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <4A327775.8050800@kl.net>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net>
Message-ID: <4A338C21.1010604@bromirski.net>

On 2009-06-12 17:42, Kevin Loch wrote:
> A 6509 should not "fall over without DFC's" unless you are doing more
> than 30mpps. That is 15gbit/s of 64 byte packets or 360gbit/s of
> 1500 byte packets.

It should 'fall over' even if the traffic will rise, and there won't be
enough PFC Mpps to do the work - simply switch fabric channels will fill
up with traffic going to the PFC. Adding DFCs will increase the
performance in terms of pps in that situation - people do this all the
time when their configs top the performance envelope of the current
setup.

-- 
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end.
 | http://lukasz.bromirski.net

From lukasz at bromirski.net Sat Jun 13 07:49:46 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 13 Jun 2009 13:49:46 +0200
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <4A338C21.1010604@bromirski.net>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <4A338C21.1010604@bromirski.net>
Message-ID: <4A33925A.4030700@bromirski.net>

On 2009-06-13 13:23, Łukasz Bromirski wrote:
> It should 'fall over'

It *shouldn't* of course. My bad :)

-- 
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From arla at rn.dk Sat Jun 13 08:26:11 2009
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Sat, 13 Jun 2009 14:26:11 +0200
Subject: [c-nsp] vs tacacs+ on Nexus 5010
Message-ID: <8D68760F464FFD40A01BF2FB374E4A28016554CE82BB@SRVEXC02.aas.its.nja.dk>

Hi Folks.

Does anyone of you have a Nexus 5010 running under tacacs+ freeware.
I can't find any doc. regarding the response the Nexus needs to authorize users.
How does one setup restricted users, like a user that only has the permissions to use show commands.
The box uses either plain PAP or CHAP login, does anyone know why this is different from a "normal" Cisco box.

/Arne

From ltd at cisco.com Sat Jun 13 10:09:04 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Sun, 14 Jun 2009 00:09:04 +1000
Subject: [c-nsp] vs tacacs+ on Nexus 5010
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28016554CE82BB@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A28016554CE82BB@SRVEXC02.aas.its.nja.dk>
Message-ID: <4A33B300.9090601@cisco.com>

Arne Larsen / Region Nordjylland wrote:
> Hi Folks.
>
> Does anyone of you have a Nexus 5010 running under tacacs+ freeware.
> I can't find any doc. regarding the response the Nexus needs to authorize users.
> How does one setup restricted users, like a user that only has the permissions to use show commands.
> The box uses either plain PAP or CHAP login, does anyone know why this is different from a "normal" Cisco box.
>

NX-OS / Nexus platforms use RBAC.

Nexus 7000 documentation shows this, I'm sure N5K docs do too, but I have N7K handy.

see http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_tacacsplus.html#wp1511744

see http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_tacacsplus.html#wp1511711
for details on how to specify the role using a VSA.

cheers,

lincoln.

From bacon at walleyesoftware.com Sat Jun 13 17:41:28 2009
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Sat, 13 Jun 2009 16:41:28 -0500
Subject: [c-nsp] x6148 vs. x6548
In-Reply-To:
References:
Message-ID: <5A69C25361FED34F83ABF05F5047524505CD804E@wally.walleyetrading.net>

> Date: Fri, 12 Jun 2009 06:51:17 -0700
> From: Bill Blackford
> To: Geoffrey Pendery
> Cc: "cisco-nsp at puck.nether.net"
> Subject:
> Message-ID:
> 	<6069A203FD01884885C037F81DD7508016CE1890F4 at wsc-mail-
> 01.intra.nwresd.k12.or.us>
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Your question is one of mine as well. I plan to form EC's across the 6548
> and a 6516-GBIC (yes copper and fiber).
>
> So does this essentially mean that every 6 ports has its own gig ASIC? So,
> I'd have to stagger like: 1/1, 1/7, 1/13, etc.?
>
> Now, if what you're reporting is correct (I'm sure it is), then I'm not
> getting much more benefit going with the 6548. I know I can only get a
> standard MTU with this line card as well. I could consider the 6148A if I
> really wanted jumbo's, but that's not very high on my list of wants. The
> 6748 is out of budget range at this time unfortunately.

I had 6548s. I found out about the ASIC limitation by IOS helpfully
telling me when I created the EC "do this and your bandwidth is going to
be limited". I read the docs more closely, after a brief bout of kicking
self for attempting to save a buck without reading all of the docs. My
helpful rep at World Data gave me a decent trade on the 6548s, had 6748s
there shortly thereafter, and that was the end of that.

Yes you could on a 6548 and just stagger your ports and I believe that
will perform fine, assuming you otherwise stay within the card's
limitations (e.g. CEF256/8G fabric ports).

I would give some thought to the 6816As over the 65116s. They seem to be
quite cheap refurb, and otherwise appear to be excellent cards, for
which DFC-3Bs don't cost a ton more should you care. Only downside I've
seen so far is that switchport vlan mapping applies to all 8 ports on
the fabric port/controller, but there appears to be a theme there
anyway.

-bacon
Cisco-using dilettante

From jhigham at epri.com Sat Jun 13 20:16:20 2009
From: jhigham at epri.com (Higham, Josh)
Date: Sat, 13 Jun 2009 17:16:20 -0700
Subject: [c-nsp] 4506 - disconnected ports generating traffic?
Message-ID: <4C3B8C75B5899943AEC675BA6DD4627301DEE5C1@uspalex02.epri.com>

I have a very strange bug and am not getting much from my ticket with
Cisco. I have a switch that has physically disconnected interfaces that
show as up, are generating traffic (input, plus output drops), and logs
show MAC addresses flapping between these interfaces. Plugging a cable
in (whether or not there is a device at the other end), in some cases
stopped this from happening.

Has anyone run across this or similar behavior?
 1    6  Sup II+10GE 10GE (X2), 1000BaseX (SFP)     WS-X4013+10GE
 2   48  10/100/1000BaseT (RJ45)V, Cisco/IEEE       WS-X4548-GB-RJ45V
 3   48  10/100/1000BaseT (RJ45)V, Cisco/IEEE       WS-X4548-GB-RJ45V
 4   48  10/100/1000BaseT (RJ45)V, Cisco/IEEE       WS-X4548-GB-RJ45V
 5   48  10/100/1000BaseT (RJ45)V, Cisco/IEEE       WS-X4548-GB-RJ45V
 6   48  10/100/1000BaseT (RJ45)V, Cisco/IEEE       WS-X4548-GB-RJ45V

This interface has nothing connected to it, but note the output drops
and input traffic:

CLT-ACCESS-B2F1-1#sho int g5/27
GigabitEthernet5/27 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet Port, address is 0023.5e78.744a (bia 0023.5e78.744a)
  MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec,
     reliability 255/255, txload 229/255, rxload 229/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000-TX
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 05:03:57, output never, output hang never
  Last clearing of "show interface" counters 00:02:41
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 59099365
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 89862000 bits/sec, 45921 packets/sec
  30 second output rate 89862000 bits/sec, 45921 packets/sec
     6696953 packets input, 1638126423 bytes, 0 no buffer
     Received 6696922 broadcasts (88192 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     6696953 packets output, 1638126423 bytes, 0 underruns

These two interfaces have nothing connected:

.Jun 14 00:11:35.578 UTC: %C4K_EBM-4-HOSTFLAPPING: Host CI:SC:OX:XX:XX in vlan 4 is flapping between port Gi5/28 and port Gi5/25

(the MAC address that is flapping is from the core switch that this
access switch is linked to)

Here is the interface configuration:

interface GigabitEthernet5/27
 power inline auto max 7900
 switchport access vlan 4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 4,25
 switchport mode access
 load-interval 30
 qos trust dscp
 tx-queue 1
   bandwidth percent 25
 tx-queue 2
   bandwidth percent 25
 tx-queue 3
   bandwidth percent 30
   priority high
   shape percent 30
 tx-queue 4
   bandwidth percent 20
 no cdp enable

Thanks for any help or thoughts about what to look at or check.

Josh Higham

From avayner at cisco.com Sat Jun 13 23:48:17 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 14 Jun 2009 05:48:17 +0200
Subject: [c-nsp] x6148 vs. x6548
In-Reply-To:
References: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7C492B2@xmb-ams-331.emea.cisco.com>

Geoffrey,

A small correction. The x6548 is an 8G card, but it has 2 fabric
connections, so the limit would be 16G. As long as you do not use the
other 7 ports out of each 8 port group, each port group can give you 1G,
but take into consideration that the x6148 is a classic card, so it has
no fabric connections, and uses the shared bus.

In general the x6148 is not supposed to be a "core" card. It's for
connecting low end desktops etc.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geoffrey Pendery
Sent: Friday, June 12, 2009 16:36
To: Bill Blackford
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] x6148 vs. x6548

Well, with the 6548, you're still going to be limited to 8 Gbps, rather
than 6 Gbps. It's a CEF256 card, which means it has an 8 Gbps fabric
connection to the supervisor, instead of just sharing the 32 Gbps like
the 6148 does. So if you're looking to drive more than a gig through an
Etherchannel, it will do it, but only for a limited number of them. The
6748 would bump your bottleneck up to 40 Gbps.
I have a question of my own, since this subject has come up a time or
two - regarding the 6148's, the statement is made a couple times that
Etherchannel will get you port redundancy but no extra bandwidth, since
the ASIC is only a gig. But if I distribute my channel across two slots,
say Gig 1/1 and Gig 2/1, does that get me around the gig limit? Or even
Gig 1/1 and Gig 1/48, since it's separate ASICs? Logic tells me yes, but
I've heard the "1 gig limit" mentioned as if it's a hard platform
limitation, not just a result of a particular bottleneck. My instinctive
behavior with channels is to span them across blades anyway, to guard
against blade failure....

-Geoff

On Thu, Jun 11, 2009 at 9:20 PM, Bill Blackford wrote:
> I've recently learned that the ws-x6148-ge-tx has 6 gig ASICs, one for every 8 ports thusly rendering this line card to a 8:1 oversubscription ratio. I've also learned that an etherchannel is limited to 1 gig, great for redundancy, but slow as all get up.
>
> I'm buying a ws-x6548-ge-tx in hope that it can do much better (I didn't have enough in my budget for a x6748). How does the 6548 compare to the 6148? I have a pair of shiny new sup720-3bxl's.
>
> Thank you for any insight from the field as Cisco's site seems best suited for the marketing of products.
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From avayner at cisco.com Sat Jun 13 23:52:14 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 14 Jun 2009 05:52:14 +0200
Subject: [c-nsp] x6148 vs. x6548
References: <6069A203FD01884885C037F81DD7508016CE1890E4@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7C492B3@xmb-ams-331.emea.cisco.com>

Guys,

Sorry, I pressed the send button too quickly.

The 1Gig limit per etherchannel is still there even between slots for
the x6148.

Arie

-----Original Message-----
From: Arie Vayner (avayner)
Sent: Sunday, June 14, 2009 06:48
To: 'Geoffrey Pendery'; Bill Blackford
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] x6148 vs. x6548

Geoffrey,

A small correction. The x6548 is an 8G card, but it has 2 fabric
connections, so the limit would be 16G. As long as you do not use the
other 7 ports out of each 8 port group, each port group can give you 1G,
but take into consideration that the x6148 is a classic card, so it has
no fabric connections, and uses the shared bus.

In general the x6148 is not supposed to be a "core" card. It's for
connecting low end desktops etc.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geoffrey Pendery
Sent: Friday, June 12, 2009 16:36
To: Bill Blackford
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] x6148 vs. x6548

Well, with the 6548, you're still going to be limited to 8 Gbps, rather
than 6 Gbps. It's a CEF256 card, which means it has an 8 Gbps fabric
connection to the supervisor, instead of just sharing the 32 Gbps like
the 6148 does. So if you're looking to drive more than a gig through an
Etherchannel, it will do it, but only for a limited number of them. The
6748 would bump your bottleneck up to 40 Gbps.

I have a question of my own, since this subject has come up a time or
two - regarding the 6148's, the statement is made a couple times that
Etherchannel will get you port redundancy but no extra bandwidth, since
the ASIC is only a gig. But if I distribute my channel across two slots,
say Gig 1/1 and Gig 2/1, does that get me around the gig limit? Or even
Gig 1/1 and Gig 1/48, since it's separate ASICs? Logic tells me yes, but
I've heard the "1 gig limit" mentioned as if it's a hard platform
limitation, not just a result of a particular bottleneck. My instinctive
behavior with channels is to span them across blades anyway, to guard
against blade failure....

-Geoff

On Thu, Jun 11, 2009 at 9:20 PM, Bill Blackford wrote:
> I've recently learned that the ws-x6148-ge-tx has 6 gig ASICs, one for every 8 ports thusly rendering this line card to a 8:1 oversubscription ratio. I've also learned that an etherchannel is limited to 1 gig, great for redundancy, but slow as all get up.
>
> I'm buying a ws-x6548-ge-tx in hope that it can do much better (I didn't have enough in my budget for a x6748). How does the 6548 compare to the 6148? I have a pair of shiny new sup720-3bxl's.
>
> Thank you for any insight from the field as Cisco's site seems best suited for the marketing of products.
> > -b > > -- > Bill Blackford > Senior Network Engineer > Technology Systems Group > Northwest Regional ESD > > my /home away from home > > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From sagupta at cisco.com Sun Jun 14 00:00:24 2009 From: sagupta at cisco.com (Sachin Gupta (sagupta)) Date: Sat, 13 Jun 2009 21:00:24 -0700 Subject: [c-nsp] x6148 vs. x6548 Message-ID: <55C7D0A26108FD47BFEDF55BCBFAD93C0806E751@xmb-sjc-229.amer.cisco.com> The 6548 has a single 8G fabric connection. Sachin ----- Original Message ----- From: cisco-nsp-bounces at puck.nether.net To: Geoffrey Pendery ; Bill Blackford Cc: cisco-nsp at puck.nether.net Sent: Sat Jun 13 20:48:17 2009 Subject: Re: [c-nsp] x6148 vs. x6548 Geoffrey, A small correction. The x6548 is an 8G card, but it has 2 fabric connections, so the limit would be 16G. As long as you do not use the other 7 ports out of each 8 port group, each port group can give you 1G, but take into consideration that the x6148 is a classic card, so it has no fabric connections, and uses the shared bus. In general the x6148 is not supposed to be a "core" card. It's for connecting low end desktops etc. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geoffrey Pendery Sent: Friday, June 12, 2009 16:36 To: Bill Blackford Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] x6148 vs. x6548 Well, with the 6548, you're still going to be limited to 8 Gbps, rather than 6 Gbps. 
It's a CEF256 card, which means it has an 8 Gbps fabric connection to the supervisor, instead of just sharing the 32 Gbps like the 6148 does. So if you're looking to drive more than a gig through an Etherchannel, it will do it, but only for a limited number of them. The 6748 would bump your bottleneck up to 40 Gbps. I have a question of my own, since this subject has come up a time or two - regarding the 6148's, the statement is made a couple times that Etherchannel will get you port redundancy but no extra bandwidth, since the ASIC is only a gig. But if I distribute my channel across two slots, say Gig 1/1 and Gig 2/1, does that get me around the gig limit? Or even Gig 1/1 and Gig 1/48, since it's separate ASICs? Logic tells me yes, but I've heard the "1 gig limit" mentioned as if it's a hard platform limitation, not just a result of a particular bottleneck. My instinctive behavior with channels is to span them across blades anyway, to guard against blade failure.... -Geoff On Thu, Jun 11, 2009 at 9:20 PM, Bill Blackford wrote: > I've recently learned that the ws-x6148-ge-tx has 6 gig ASICs, one for every 8 ports thusly rendering this line card to a 8:1 oversubscription ratio. I've also learned that an etherchannel is limited to 1 gig, great for redundancy, but slow as all get up. > > I'm buying a ws-x6548-ge-tx in hope that it can do much better (I didn't have enough in my budget for a x6748). How does the 6548 compare to the 6148? I have a pair of shiny new sup720-3bxl's. > > Thank you for any insight from the field as Cisco's site seems best suited for the marketing of products. 
> > -b > > -- > Bill Blackford > Senior Network Engineer > Technology Systems Group > Northwest Regional ESD > > my /home away from home > > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From avayner at cisco.com Sun Jun 14 02:38:14 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sun, 14 Jun 2009 08:38:14 +0200 Subject: [c-nsp] x6148 vs. x6548 In-Reply-To: <55C7D0A26108FD47BFEDF55BCBFAD93C0806E751@xmb-sjc-229.amer.cisco.com> References: <55C7D0A26108FD47BFEDF55BCBFAD93C0806E751@xmb-sjc-229.amer.cisco.com> Message-ID: <78C984F8939D424697B15E4B1C1BB3D7C492D3@xmb-ams-331.emea.cisco.com> I stand corrected... I have double checked, and I remembered it all wrong (assumed it's like with the 6748...). Only 1x8G. BTW, if you want to use an etherchannel with one port on a 65XX and another on a 61XX (or another combination of qos-wise incompatible cards) you need to use the following command "no mls qos channel-consistency" Arie -----Original Message----- From: Sachin Gupta (sagupta) Sent: Sunday, June 14, 2009 07:00 To: Arie Vayner (avayner); 'geoff at pendery.net'; 'BBlackford at nwresd.k12.or.us' Cc: 'cisco-nsp at puck.nether.net' Subject: Re: [c-nsp] x6148 vs. x6548 The 6548 has a single 8G fabric connection. 
Sachin ----- Original Message ----- From: cisco-nsp-bounces at puck.nether.net To: Geoffrey Pendery ; Bill Blackford Cc: cisco-nsp at puck.nether.net Sent: Sat Jun 13 20:48:17 2009 Subject: Re: [c-nsp] x6148 vs. x6548 Geoffrey, A small correction. The x6548 is an 8G card, but it has 2 fabric connections, so the limit would be 16G. As long as you do not use the other 7 ports out of each 8 port group, each port group can give you 1G, but take into consideration that the x6148 is a classic card, so it has no fabric connections, and uses the shared bus. In general the x6148 is not supposed to be a "core" card. It's for connecting low end desktops etc. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geoffrey Pendery Sent: Friday, June 12, 2009 16:36 To: Bill Blackford Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] x6148 vs. x6548 Well, with the 6548, you're still going to be limited to 8 Gbps, rather than 6 Gbps. It's a CEF256 card, which means it has an 8 Gbps fabric connection to the supervisor, instead of just sharing the 32 Gbps like the 6148 does. So if you're looking to drive more than a gig through an Etherchannel, it will do it, but only for a limited number of them. The 6748 would bump your bottleneck up to 40 Gbps. I have a question of my own, since this subject has come up a time or two - regarding the 6148's, the statement is made a couple times that Etherchannel will get you port redundancy but no extra bandwidth, since the ASIC is only a gig. But if I distribute my channel across two slots, say Gig 1/1 and Gig 2/1, does that get me around the gig limit? Or even Gig 1/1 and Gig 1/48, since it's separate ASICs? Logic tells me yes, but I've heard the "1 gig limit" mentioned as if it's a hard platform limitation, not just a result of a particular bottleneck. My instinctive behavior with channels is to span them across blades anyway, to guard against blade failure.... 
-Geoff On Thu, Jun 11, 2009 at 9:20 PM, Bill Blackford wrote: > I've recently learned that the ws-x6148-ge-tx has 6 gig ASICs, one for every 8 ports thusly rendering this line card to a 8:1 oversubscription ratio. I've also learned that an etherchannel is limited to 1 gig, great for redundancy, but slow as all get up. > > I'm buying a ws-x6548-ge-tx in hope that it can do much better (I didn't have enough in my budget for a x6748). How does the 6548 compare to the 6148? I have a pair of shiny new sup720-3bxl's. > > Thank you for any insight from the field as Cisco's site seems best suited for the marketing of products. > > -b > > -- > Bill Blackford > Senior Network Engineer > Technology Systems Group > Northwest Regional ESD > > my /home away from home > > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From eng_mssk at hotmail.com Sun Jun 14 10:37:02 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Sun, 14 Jun 2009 17:37:02 +0300 Subject: [c-nsp] port channel overruns Message-ID: hey all i have Cisco 7606 and i configured port channel consisting of 5 links now the individual ports (Gig) , do not have overruns but the port channel has even though the ports in the mentioned port channel have 8 ports spacing to overcome the issue of ASIC can anyone help ? 
Router#sh int po20 | inc overr
  0 input errors, 0 CRC, 0 frame, 468063 overrun, 0 ignored

Thanks in advance

From sthaug at nethelp.no Sun Jun 14 11:42:10 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sun, 14 Jun 2009 17:42:10 +0200 (CEST)
Subject: [c-nsp] port channel overruns
In-Reply-To:
References:
Message-ID: <20090614.174210.74726651.sthaug@nethelp.no>

> I have a Cisco 7606 and I configured a port channel consisting of 5 links.
> Now the individual ports (Gig) do not have overruns, but the port channel has,
> even though the ports in the mentioned port channel have 8-port spacing to overcome the ASIC issue.
> Can anyone help?

What type of card are your ports on? What type of Supervisor?

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From graham at g-rock.net Sun Jun 14 18:52:56 2009
From: graham at g-rock.net (Graham Wooden)
Date: Sun, 14 Jun 2009 17:52:56 -0500
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
Message-ID:

Hi all,

I just updated the SP's ROMMON on a Sup32 to the latest, c6ksup32-rm2.srec.122-18r.SX9. However, can this same file be applied to update the RP's ROMMON as well? While logged into CCO I have only come across docs that referred to the SP upgrade. I guess no biggie if the SP and RP have different ROMMON versions, I was just curious.

Thanks,

-graham

From dale.shaw+cisco-nsp at gmail.com Sun Jun 14 19:53:57 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Mon, 15 Jun 2009 09:53:57 +1000
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
In-Reply-To:
References:
Message-ID: <3329cbb40906141653i4843b565xf8b2584dae824f9b@mail.gmail.com>

Hi,

On Mon, Jun 15, 2009 at 8:52 AM, Graham Wooden wrote:
>
> I just updated the SP's ROMMON on a Sup32 to the latest,
> c6ksup32-rm2.srec.122-18r.SX9. However, can this same file be applied to
> update the RP's ROMMON as well? While logged into CCO I have only come
> across docs that referred to the SP upgrade. I guess no biggie if the SP and
> RP have different ROMMON versions, I was just curious.

I'm curious about how many people out there manage ROMMON/bootflash images in the same way the 'main' image is managed.

In one customer network, there are tens of 7200s running 12.4T code with 12.3-based boot code. The same network has 20+ 6500s (sup32/sup720) running various 12.2(18)SXF images and I doubt anyone's ever given a second thought to 'auxiliary' code like ROMMON or any other flashable components.

So, is stuff like ROMMON a set-and-forget or never-even-thought-about-it thing for you, or do you actively track image availability and factor upgrades in to your broader platform management activities? Is it considered good practice, for example, to match 7200 series boot flash revs with the main image, or does this fall into the "if it ain't broke, .." category?

cheers,
Dale

From dcp at dcptech.com Sun Jun 14 20:07:14 2009
From: dcp at dcptech.com (David Prall)
Date: Sun, 14 Jun 2009 20:07:14 -0400
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
In-Reply-To: <3329cbb40906141653i4843b565xf8b2584dae824f9b@mail.gmail.com>
References: <3329cbb40906141653i4843b565xf8b2584dae824f9b@mail.gmail.com>
Message-ID: <006c01c9ed4d$4f0174d0$ed045e70$@com>

The key issue with the boot image is being able to access the flash device where the real image exists. A number of devices, ie Majority, no longer need this but in the past upgrading to an ATA Flash card / disk0:, from linear flash / slot0: meant that you needed a boot image that could support the flash. The 7500 is an absolute for having the two in sync.

6500 MSFC3 ROMMON
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/rommon/OL_4497.html

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dale Shaw
> Sent: Sunday, June 14, 2009 7:54 PM
> To: Graham Wooden
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
>
> Hi,
>
> On Mon, Jun 15, 2009 at 8:52 AM, Graham Wooden wrote:
> >
> > I just updated the SP's ROMMON on a Sup32 to the latest,
> > c6ksup32-rm2.srec.122-18r.SX9. However, can this same file be applied to
> > update the RP's ROMMON as well? While logged into CCO I have only come
> > across docs that referred to the SP upgrade. I guess no biggie if the SP and
> > RP have different ROMMON versions, I was just curious.
>
> I'm curious about how many people out there manage ROMMON/bootflash
> images in the same way the 'main' image is managed.
>
> In one customer network, there are tens of 7200s running 12.4T code
> with 12.3-based boot code. The same network has 20+ 6500s
> (sup32/sup720) running various 12.2(18)SXF images and I doubt anyone's
> ever given a second thought to 'auxiliary' code like ROMMON or any
> other flashable components.
>
> So, is stuff like ROMMON a set-and-forget or
> never-even-thought-about-it thing for you, or do you actively track
> image availability and factor upgrades in to your broader platform
> management activities? Is it considered good practice, for example, to
> match 7200 series boot flash revs with the main image, or does this
> fall into the "if it ain't broke, .." category?
>
> cheers,
> Dale

From jay at west.net Sun Jun 14 20:15:07 2009
From: jay at west.net (Jay Hennigan)
Date: Sun, 14 Jun 2009 17:15:07 -0700
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
In-Reply-To: <3329cbb40906141653i4843b565xf8b2584dae824f9b@mail.gmail.com>
References: <3329cbb40906141653i4843b565xf8b2584dae824f9b@mail.gmail.com>
Message-ID: <4A35928B.4090907@west.net>

Dale Shaw wrote:
> I'm curious about how many people out there manage ROMMON/bootflash
> images in the same way the 'main' image is managed.
>
> In one customer network, there are tens of 7200s running 12.4T code
> with 12.3-based boot code. The same network has 20+ 6500s
> (sup32/sup720) running various 12.2(18)SXF images and I doubt anyone's
> ever given a second thought to 'auxiliary' code like ROMMON or any
> other flashable components.
>
> So, is stuff like ROMMON a set-and-forget or
> never-even-thought-about-it thing for you, or do you actively track
> image availability and factor upgrades in to your broader platform
> management activities? Is it considered good practice, for example, to
> match 7200 series boot flash revs with the main image, or does this
> fall into the "if it ain't broke, .." category?

7200s have three places where code is stored, ROMMON, Bootflash, and the main image.

ROMMON is a physical "Yank this chip out of its socket and replace it with another chip" so not flashable. Not DIY unless you have an EPROM burner and a factory chip with newer code to dump.

I typically don't worry about bootflash unless there's a compatibility issue with that and a newer IOS, but this is indeed flashable and images are available on CCO.

On smaller platforms the ROMMON and bootflash are combined onto a single BootROM.
This is also a "Yank the physical chip and replace it" type of thing. Occasionally this needs to be upgraded when newer code becomes too large for the original design to address, but it's been a long time since I've needed to deal with it, IIRC the 2500 and maybe early 2600 series routers.

In my experience on most platforms these are "set and forget", but I don't have a lot of hands-on with the 6500.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From kgraham at industrial-marshmallow.com Sun Jun 14 20:27:11 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Sun, 14 Jun 2009 17:27:11 -0700 (PDT)
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
In-Reply-To: <4A35928B.4090907@west.net>
References: <3329cbb40906141653i4843b565xf8b2584dae824f9b@mail.gmail.com> <4A35928B.4090907@west.net>
Message-ID: <663794.93579.qm@web1215.biz.mail.gq1.yahoo.com>

> 7200s have three places where code is stored, ROMMON, Bootflash, and the main
> image.
>
> ROMMON is a physical "Yank this chip out of its socket and replace it with
> another chip" so not flashable. Not DIY unless you have an EPROM burner and a
> factory chip with newer code to dump.

Depends on the NPE. NPE-G1 rommon can be upgraded, most notably for the short-lived MPF functionality.

From graham at g-rock.net Sun Jun 14 20:30:21 2009
From: graham at g-rock.net (Graham Wooden)
Date: Sun, 14 Jun 2009 19:30:21 -0500
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
In-Reply-To: <006c01c9ed4d$4f0174d0$ed045e70$@com>
Message-ID:

Thanks David and Dale for the insights. SP Rommon was pretty far back, and upgrading it solved an issue I was having. However, after reading the caveats listed for the MSFC2A, I don't think I am going to mess with the RP - until I really need to.

Thanks again,

-graham

On 6/14/09 7:07 PM, "David Prall" wrote:

> The key issue with the boot image is being able to access the flash device
> where the real image exists. A number of devices, ie Majority, no longer
> need this but in the past upgrading to an ATA Flash card / disk0:, from
> linear flash / slot0: meant that you needed a boot image that could support
> the flash. The 7500 is an absolute for having the two in sync.
>
> 6500 MSFC3 ROMMON
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/rommon/OL_4497.html
>
> David
>
> --
> http://dcp.dcptech.com

From irsk.inc at gmail.com Mon Jun 15 00:57:23 2009
From: irsk.inc at gmail.com (Rishi Kochar)
Date: Sun, 14 Jun 2009 23:57:23 -0500
Subject: [c-nsp] Two events in EEM
Message-ID: <744b72620906142157v35fb7d8fnc2e72bc5aa634c67@mail.gmail.com>

Hi,

I work for Cisco in UC technology. I am very new to EEM. I don't deal with scripting at all, but I have to create one for one of my customers.

I have created an event manager applet with an
  event syslog pattern ...
Now after matching the pattern I want it to wait for a countdown timer and then execute certain CLI commands.

What's the easiest way to do it?

I think with EEM I can't make my first applet call another applet which has a countdown timer, because with
  action 1.0 cli command "event manager run <2nd applet>"
the 2nd applet should have "event none" if I need to call it manually from the 1st applet, but that's not the case, because the 2nd applet will have a countdown timer as its event.

Any help on this would be highly appreciated.

Thanks and regards,
Inder

From gert at greenie.muc.de Mon Jun 15 02:19:48 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 15 Jun 2009 08:19:48 +0200
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
In-Reply-To: <3329cbb40906141653i4843b565xf8b2584dae824f9b@mail.gmail.com>
References: <3329cbb40906141653i4843b565xf8b2584dae824f9b@mail.gmail.com>
Message-ID: <20090615061947.GI290@greenie.muc.de>

Hi,

On Mon, Jun 15, 2009 at 09:53:57AM +1000, Dale Shaw wrote:
> So, is stuff like ROMMON a set-and-forget or
> never-even-thought-about-it thing for you, or do you actively track
> image availability and factor upgrades in to your broader platform
> management activities?

For us it's "set-and-forget". There are certain cases where ROMMON and/or boot IOS updates are needed (like SXH IOS on 6500), but besides this, we usually never touch it, on any platform.

> Is it considered good practice, for example, to
> match 7200 series boot flash revs with the main image, or does this
> fall into the "if it ain't broke, .." category?

We always consider it "if it ain't broke..." - and so far, haven't seen any adverse effects.

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From eninja at gmail.com Mon Jun 15 03:23:33 2009
From: eninja at gmail.com (Eninja)
Date: Mon, 15 Jun 2009 08:23:33 +0100
Subject: [c-nsp] Two events in EEM
In-Reply-To: <744b72620906142157v35fb7d8fnc2e72bc5aa634c67@mail.gmail.com>
References: <744b72620906142157v35fb7d8fnc2e72bc5aa634c67@mail.gmail.com>
Message-ID: <84F4B3F8-54F4-4C0F-A8FB-8A99822075A3@gmail.com>

Inder,

Sounds like you're a Cisco software development engineer. Shouldn't this be sent to a Cisco internal list rather than a public list?

Eninja ;)

On Jun 15, 2009, at 5:57 AM, Rishi Kochar wrote:

> Hi,
> I work for Cisco in UC technology.
> I am very new to EEM. I don't deal with scripting at all, but I have to create
> one for one of my customers.
>
> I have created an event manager applet with an
>   event syslog pattern ...
> Now after matching the pattern I want it to wait for a countdown timer and then
> execute certain CLI commands.
> What's the easiest way to do it?
> I think with EEM I can't make my first applet call another applet which
> has a countdown timer, because with
>   action 1.0 cli command "event manager run <2nd applet>"
> the 2nd applet should have "event none" if I need to call it manually
> from the 1st applet, but that's not the case, because the 2nd applet will have a
> countdown timer as its event.
>
> Any help on this would be highly appreciated.
>
> Thanks and regards,
> Inder

From dale.shaw+cisco-nsp at gmail.com Mon Jun 15 03:54:03 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Mon, 15 Jun 2009 17:54:03 +1000
Subject: [c-nsp] Using 'shutdown' versus pulling the cable
Message-ID: <3329cbb40906150054u557e40b2kc102e1d89ebe919@mail.gmail.com>

Hi all,

I'm working on some failover test scenarios and I'm trying to determine if issuing a 'shutdown' command on a router's Ethernet interface is effectively identical, from the perspective of the attached switch, as removing the cable.

Here's a simplified topology:

  R1-Fa0/0 -- Fa1/0/1-SW1

Assume R1's Fa0/0 interface is directly connected to SW1's Fa1/0/1 interface, and Fa1/0/1 is configured as a routed port ("no switchport"). R1 and SW1 are EIGRP neighbours.

Is the 'shutdown' command somehow 'cleaner' or more graceful than yanking the cable? For example, does IOS do any 'nice' things like send EIGRP goodbye messages before *really* shutting down the interface? Anything similar happening at lower layers?

This requires insight into IOS behaviour that I don't have and I'm not sure how to get within any reasonable time frame (read: without cracking out the packet capture tool).

We don't have remote power-off/power-on capabilities so this is all about assessing whether we need an on-site presence to simulate loss of power. If 'shutdown' on R1 is the same as pulling the cable, and SW1's response will be the same, that's great. If it's not the same, it's not a valid simulation.

Hopefully this hasn't been covered before. The key words involved make it difficult to search on.

Cheers,
Dale

From alan.pashi at gmail.com Mon Jun 15 04:38:17 2009
From: alan.pashi at gmail.com (Tengiz Alaniya)
Date: Mon, 15 Jun 2009 12:38:17 +0400
Subject: [c-nsp] FWSM failover time
Message-ID: <29c062fe0906150138t4559beddob0205f4f0db2330b@mail.gmail.com>

Hi all, sorry for my English ;)

OK, here is my story about 2 Catalyst 6500 boxes with installed FWSM blades. The FWSMs are configured as transparent with A/A failover. Nodes are connected with 2x10Tg EC. When one of the boxes failed, initial failover began, but the time between the first node stopping forwarding and the second node beginning to forward is too big, about ~7 sec.

Any suggestions on how to decrease the failover time?
*First box failover config:*

*msk-dc-fwm-c2-1/9# sh run failover*
failover
failover lan unit primary
failover preempt 1
failover lan interface failover-lan Vlan104
failover polltime unit msec 500 holdtime 3
failover link failover-state Vlan105
failover interface ip failover-lan 192.168.255.253 255.255.255.252 standby 192.168.255.254
failover interface ip failover-state 192.168.255.249 255.255.255.252 standby 192.168.255.250
failover group 1
  replication http
  polltime interface 3
failover group 2
  secondary

*msk-dc-fwm-c2-1/9# sh failover*
Failover On
Failover unit Primary
Failover LAN Interface: failover-lan Vlan 104 (up)
Unit Poll frequency 500 milliseconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 4 of 250 maximum
Config sync: active
Version: Ours 4.0(3), Mate 4.0(3)
Group 1 last failover at: 14:41:29 UTC Jun 11 2009
Group 2 last failover at: 14:41:29 UTC Jun 11 2009

  This host:    Primary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

                1c Interface outside (0.0.0.0): Normal (Not-Monitored)
                1c Interface inside (0.0.0.0): Normal (Not-Monitored)
                backup Interface outside (0.0.0.0): Normal (Waiting)
                backup Interface inside (0.0.0.0): Normal (Waiting)
                documentum Interface outside (0.0.0.0): Normal (Not-Monitored)
                documentum Interface inside (0.0.0.0): Normal (Not-Monitored)
                engineering Interface outside (0.0.0.0): Normal (Not-Monitored)
                engineering Interface inside (0.0.0.0): Normal (Not-Monitored)
                ksupr Interface outside (0.0.0.0): Normal (Not-Monitored)
                ksupr Interface inside (0.0.0.0): Normal (Not-Monitored)
                monitoring Interface outside (0.0.0.0): Normal (Not-Monitored)
                monitoring Interface inside (0.0.0.0): Normal (Not-Monitored)
                sap Interface outside (0.0.0.0): Normal (Not-Monitored)
                sap Interface inside (0.0.0.0): Normal (Not-Monitored)
                sql Interface outside (0.0.0.0): Normal (Not-Monitored)
                sql Interface inside (0.0.0.0): Normal (Not-Monitored)
                vmware-mng Interface outside (0.0.0.0): Normal (Waiting)
                vmware-mng Interface inside (0.0.0.0): Normal (Waiting)
                vmware-vmotion Interface outside (0.0.0.0): Normal (Not-Monitored)
                vmware-vmotion Interface inside (0.0.0.0): Normal (Not-Monitored)

  Other host:   Secondary
  Group 1       State:          Active
                Active time:    326568 (sec)
  Group 2       State:          Active
                Active time:    344824 (sec)

                1c Interface outside (10.42.225.252): Normal (Not-Monitored)
                1c Interface inside (10.42.225.252): Normal (Not-Monitored)
                backup Interface outside (10.42.229.252): Normal (Waiting)
                backup Interface inside (10.42.229.252): Normal (Waiting)
                documentum Interface outside (10.42.226.252): Normal (Not-Monitored)
                documentum Interface inside (10.42.226.252): Normal (Not-Monitored)
                engineering Interface outside (10.42.231.252): Normal (Not-Monitored)
                engineering Interface inside (10.42.231.252): Normal (Not-Monitored)
                ksupr Interface outside (10.42.228.252): Normal (Not-Monitored)
                ksupr Interface inside (10.42.228.252): Normal (Not-Monitored)
                monitoring Interface outside (10.42.230.252): Normal (Not-Monitored)
                monitoring Interface inside (10.42.230.252): Normal (Not-Monitored)
                sap Interface outside (10.42.224.252): Normal (Not-Monitored)
                sap Interface inside (10.42.224.252): Normal (Not-Monitored)
                sql Interface outside (10.42.227.252): Normal (Not-Monitored)
                sql Interface inside (10.42.227.252): Normal (Not-Monitored)
                vmware-mng Interface outside (10.42.223.124): Normal (Waiting)
                vmware-mng Interface inside (10.42.223.124): Normal (Waiting)
                vmware-vmotion Interface outside (10.42.223.252): Normal (Not-Monitored)
                vmware-vmotion Interface inside (10.42.223.252): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : failover-state Vlan 105 (up)
        Stateful Obj       xmit       xerr       rcv        rerr
        General            41619      0          41940      0
        sys cmd            41619      0          41619      0
        up time            0          0          0          0
        RPC services       0          0          0          0
        TCP conn           0          0          114        0
        UDP conn           0          0          0          0
        ARP tbl            0          0          207        0
        Xlate_Timeout      0          0          0          0
        AAA tbl            0          0          0          0
        DACL               0          0          0          0
        Acl optimization   0          0          0          0
        OSPF Area SeqNo    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       681787
        Xmit Q:         0       0       41619

*Second box config:*

*msk-dc-fwm-c2-1/9# sh run fail*
failover
failover lan unit secondary
failover preempt 1
failover lan interface failover-lan Vlan104
failover polltime unit msec 500 holdtime 3
failover link failover-state Vlan105
failover interface ip failover-lan 192.168.255.253 255.255.255.252 standby 192.168.255.254
failover interface ip failover-state 192.168.255.249 255.255.255.252 standby 192.168.255.250
failover group 1
  replication http
  polltime interface 3
failover group 2
  secondary

*msk-dc-fwm-c2-1/9# sh failover*
Failover On
Failover unit Secondary
Failover LAN Interface: failover-lan Vlan 104 (up)
Unit Poll frequency 500 milliseconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 4 of 250 maximum
Config sync: active
Version: Ours 4.0(3), Mate 4.0(3)
Group 1 last failover at: 12:34:47 UTC Jun 11 2009
Group 2 last failover at: 07:30:05 UTC Jun 11 2009

  This host:    Secondary
  Group 1       State:          Active
                Active time:    326640 (sec)
  Group 2       State:          Active
                Active time:    344896 (sec)

                1c Interface outside (10.42.225.252): Normal (Not-Monitored)
                1c Interface inside (10.42.225.252): Normal (Not-Monitored)
                backup Interface outside (10.42.229.252): Normal (Waiting)
                backup Interface inside (10.42.229.252): Normal (Waiting)
                documentum Interface outside (10.42.226.252): Normal (Not-Monitored)
                documentum Interface inside (10.42.226.252): Normal (Not-Monitored)
                engineering Interface outside (10.42.231.252): Normal (Not-Monitored)
                engineering Interface inside (10.42.231.252): Normal (Not-Monitored)
                ksupr Interface outside (10.42.228.252): Normal (Not-Monitored)
                ksupr Interface inside (10.42.228.252): Normal (Not-Monitored)
                monitoring Interface outside (10.42.230.252): Normal (Not-Monitored)
                monitoring Interface inside (10.42.230.252): Normal (Not-Monitored)
                sap Interface outside (10.42.224.252): Normal (Not-Monitored)
                sap Interface inside (10.42.224.252): Normal (Not-Monitored)
                sql Interface outside (10.42.227.252): Normal (Not-Monitored)
                sql Interface inside (10.42.227.252): Normal (Not-Monitored)
                vmware-mng Interface outside (10.42.223.124): Normal (Waiting)
                vmware-mng Interface inside (10.42.223.124): Normal (Waiting)
                vmware-vmotion Interface outside (10.42.223.252): Normal (Not-Monitored)
                vmware-vmotion Interface inside (10.42.223.252): Normal (Not-Monitored)

  Other host:   Primary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

                1c Interface outside (0.0.0.0): Normal (Not-Monitored)
                1c Interface inside (0.0.0.0): Normal (Not-Monitored)
                backup Interface outside (0.0.0.0): Normal (Waiting)
                backup Interface inside (0.0.0.0): Normal (Waiting)
                documentum Interface outside (0.0.0.0): Normal (Not-Monitored)
                documentum Interface inside (0.0.0.0): Normal (Not-Monitored)
                engineering Interface outside (0.0.0.0): Normal (Not-Monitored)
                engineering Interface inside (0.0.0.0): Normal (Not-Monitored)
                ksupr Interface outside (0.0.0.0): Normal (Not-Monitored)
                ksupr Interface inside (0.0.0.0): Normal (Not-Monitored)
                monitoring Interface outside (0.0.0.0): Normal (Not-Monitored)
                monitoring Interface inside (0.0.0.0): Normal (Not-Monitored)
                sap Interface outside (0.0.0.0): Normal (Not-Monitored)
                sap Interface inside (0.0.0.0): Normal (Not-Monitored)
                sql Interface outside (0.0.0.0): Normal (Not-Monitored)
                sql Interface inside (0.0.0.0): Normal (Not-Monitored)
                vmware-mng Interface outside (0.0.0.0): Normal (Waiting)
                vmware-mng Interface inside (0.0.0.0): Normal (Waiting)
                vmware-vmotion Interface outside (0.0.0.0): Normal (Not-Monitored)
                vmware-vmotion Interface inside (0.0.0.0): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : failover-state Vlan 105 (up)
        Stateful Obj       xmit       xerr       rcv        rerr
        General            45207      0          44925      0
        sys cmd            44833      0          44830      0
        up time            0          0          0          0
        RPC services       0          0          0          0
        TCP conn           129        0          74         0
        UDP conn           0          0          0          0
        ARP tbl            245        0          21         0
        Xlate_Timeout      0          0          0
0 AAA tbl 0 0 0 0 DACL 0 0 0 0 Acl optimization 0 0 0 0 OSPF Area SeqNo 0 0 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 3 715068 Xmit Q: 0 0 66148 -- Kind regards, Tengiz Alaniya From Thomas.Sillaber at nextiraone.de Mon Jun 15 05:03:19 2009 From: Thomas.Sillaber at nextiraone.de (Thomas.Sillaber at nextiraone.de) Date: Mon, 15 Jun 2009 11:03:19 +0200 Subject: [c-nsp] Using 'shutdown' versus pulling the cable References: <3329cbb40906150054u557e40b2kc102e1d89ebe919@mail.gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Dale, using the "shutdown" command is IMHO always cleaner because of "graceful shutdown" feature. If you plan a failover test physically disconnecting the link or powering off the device shows the "real" failover time. Brgds and have a great day Thomas Sillaber -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iQEVAwUBSjYOVWZ0NRmWJ+KQAQKS0wf/YD/rJtDi7LsezfRWLdJ6o1dQZM/ngM0l 9yYI/cOX7C4JKHJ4cMgL4R1zT94W07jSJJNbqR9mjrdodJdLSyaFlG7GIVbPgNlu V3npL7N48pSoZfBKd1OxfpfjHoLLEMntUKsYY7IoSd733XXKJ6+UcwyCfd7R0qdq CGgJRyMzsJ+mXcs+u0k23i1iDA4p54PiK6y6YkwBWI8zSGvhD4nxOMy2wryaJADn VOWNgwsct5r/rgUYFPppHNw1joy9W60kvh4BLh508JTr24xGhQYkJgleKdif4wE7 n0OuNhmyqlAPFYqt4KRwomWIQMkQZGXhqX4EH4Ebe2BBLd6ihai4ow== =rgiN -----END PGP SIGNATURE----- From bep at whack.org Mon Jun 15 05:46:06 2009 From: bep at whack.org (Bruce Pinsky) Date: Mon, 15 Jun 2009 02:46:06 -0700 Subject: [c-nsp] Using 'shutdown' versus pulling the cable In-Reply-To: References: <3329cbb40906150054u557e40b2kc102e1d89ebe919@mail.gmail.com> Message-ID: <4A36185E.9030103@whack.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thomas.Sillaber at nextiraone.de wrote: > Hi Dale, > > using the "shutdown" command is IMHO always cleaner because of "graceful > shutdown" feature. If you plan a failover test physically disconnecting > the link or powering off the device shows the "real" failover time. 
>

If you want a less "well behaved failure", pull just the tx or rx side of the fiber...or introduce 10e-4 errors and see what happens.

--
=========
bep

From p.mayers at imperial.ac.uk Mon Jun 15 05:47:40 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 15 Jun 2009 10:47:40 +0100
Subject: [c-nsp] Two events in EEM
In-Reply-To: <744b72620906142157v35fb7d8fnc2e72bc5aa634c67@mail.gmail.com>
References: <744b72620906142157v35fb7d8fnc2e72bc5aa634c67@mail.gmail.com>
Message-ID: <4A3618BC.6060307@imperial.ac.uk>

Use a stub track object with a "delay" parameter?

track 499 stub-object
 ! this delay will occur
 delay down 10

event manager applet test1
 event syslog pattern ".*foo.*"
 action 1.0 track set 499 state down

event manager applet test2
 event track 499 state down
 action 1.0 cli command "your CLI here"

This requires a suitable version of EEM (2.2 I think?)

From rodunn at cisco.com Mon Jun 15 07:28:46 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 15 Jun 2009 07:28:46 -0400
Subject: [c-nsp] Two events in EEM
In-Reply-To: <744b72620906142157v35fb7d8fnc2e72bc5aa634c67@mail.gmail.com>
References: <744b72620906142157v35fb7d8fnc2e72bc5aa634c67@mail.gmail.com>
Message-ID: <20090615112846.GB8987@rtp-cse-489.cisco.com>

In your first applet that triggers on the syslog pattern have it actually configure the second EEM applet that then runs on a countdown timer:

action 4.0 cli command "event timer countdown 30"

Basically, have one applet configure the second and have the second configure a third that would remove the second after it runs the commands. Depending on if you only want it to run once, which a countdown timer does.

Rodney

On Sun, Jun 14, 2009 at 11:57:23PM -0500, Rishi Kochar wrote:
> hi
> i work for cisco in UC technology.
> i am very new to EEM. I dont deal with scripting at all but i have to create
> one for one of my customers
>
> I have created an event manager applet with an '
> #event syslog pattern .
> Now after matching the pattern i want it wait for a countdown timer and the
> execute certain cli commands.
> what's the easiest way to do it ?
> i think with EEM i cant make my first applet to call another applet which
> has a countdown timer because with
> #action 1.0 cli command "event manager run <2nd applet>"
> in this 2nd applet should have "event none" if i need to call it manually
> from 1st applet but thats not the case because 2nd applet will have a
> countdown timer as its event.
>
> any help on this would be highly appreciated
>
> thanks and regards
> inder
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From peter at rathlev.dk Mon Jun 15 11:05:53 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 15 Jun 2009 17:05:53 +0200
Subject: [c-nsp] BGP Dynamic Neighbors and VPNv4
In-Reply-To: <1240845228.7881.64.camel@localhost.localdomain>
References: <1240845228.7881.64.camel@localhost.localdomain>
Message-ID: <1245078353.6634.8.camel@localhost.localdomain>

As follow-up for the archives. Short version: It doesn't seem to work.

On Mon, 2009-04-27 at 17:13 +0200, Peter Rathlev wrote:
> Reading about BGP Dynamic Neighbors I can see that the 12.2SX
> Configuration Guide[1] states that only IPv4 peering is supported. Would
> anybody know if this actually means "no IPv6" or if it also means "no
> VPNv4"? I don't currently have a SXH/SXI box to test this from I'm
> afraid.

As Phil said it will eat the configuration, but it doesn't seem to work for VPNv4 when I test it.
The RR clients seem stuck in a "(NoNeg)" state:

000088: Jun 15 16:10:37.587 CEST: %BGP-5-ADJCHANGE: neighbor 10.85.248.7 Up
R2(config-router-af)#do sh ip bgp vpnv4 all sum
BGP router identifier 10.85.248.11, local AS number 65432
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.85.248.7     4 65432       3       3        0    0    0 00:00:12 (NoNeg)

From the RR itself:

000426: Jun 15 16:10:37.591 CEST: %BGP-5-ADJCHANGE: neighbor *10.85.248.11 Up
R1(config-router)#do sh ip bgp vpnv4 all sum
...
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.85.248.1     4 65432  252567  250975     1048    0    0 2w6d           17
BGP peergroup RM-core-RR listen range group members:
  10.85.248.0/24
R1(config-router)#

It logs an adjacency change saying a dynamic ("*") neighbor is up, but the session is not listed under the summary. (Can anybody tell me what the "(NoNeg)" is btw?)

I guess this means that VPNv4 isn't a supported AF for dynamic neighbors. :'( A regular RR setup of course works fine. That's what we'll do then.

This was tested on 12.2(33)SXI1 AIS.

Regards,
Peter

From felixnkansah at gmail.com Mon Jun 15 12:39:07 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Mon, 15 Jun 2009 16:39:07 +0000
Subject: [c-nsp] Cisco ITP and SMSC
Message-ID: <18dba4e50906150939kf3d1df4h29f87664cb5ac0ad@mail.gmail.com>

Hi Team,

I would appreciate if any on this list could direct me to useful resources that go in-depth into SS7 and SS7-over-IP protocols, focusing on using Cisco ITPs in combination with a SMSC and SS7 network.

Thanks in advance.

Felix

From rick at woofpaws.com Mon Jun 15 13:24:28 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Mon, 15 Jun 2009 10:24:28 -0700 (PDT)
Subject: [c-nsp] Policing on Catalyst 4948 - Hardware or Software?
Message-ID: <40751.69.30.17.85.1245086669.squirrel@www.woofpaws.com>

The Catalyst 4948 was brought to my attention as a potential collocation aggregation device; with a specific requirement of bidirectional policing per port. I have spent quite a bit of time on Cisco and Google trying to find out whether policing (independent of marking/classifying) is performed in hardware or software. I get some hints that it is hardware, but nothing that says so outright. With a 266MHz processor, it doesn't seem like there is a lot of capacity for bandwidth management.

In an ideal/extreme case, I'd like to be able to have hosts/networks attempt to push 1Gbs per port and have it throttled to 1Mbs each without cratering the device. More realistically, 24 ports populated, each set to 10-500Mbs per customer (port).

I'm looking at a distributed device rather than modular for several reasons including cable management (a nightmare at high port density) and incremental expansion (makes the finance people less upset than dropping a full chassis in with minimal utilization).

As part of the bigger picture; I'm looking at 7206VXR/G2 at the border for GigE upstreams and BGP endpoints funneled to a pair of 7600/Sup720 for redundant "glue", feeding multiple legacy aggregation devices and new, bandwidth managed, ethernet customers. Current utilization is ~300Mbs both in and out, but we now have customers looking for 100-300Mbs CIR.

As an aggregation device, I'm also looking for OSPF, BGP, HSRP, and potentially Layer-3 ACLs.

There are several other vendors touting ASIC-based policing but Cisco isn't as informative.

Thanks,
Rick

From ygauteron at gmail.com Mon Jun 15 14:57:43 2009
From: ygauteron at gmail.com (Yann Gauteron)
Date: Mon, 15 Jun 2009 20:57:43 +0200
Subject: [c-nsp] Cisco ITP and SMSC
In-Reply-To: <18dba4e50906150939kf3d1df4h29f87664cb5ac0ad@mail.gmail.com>
References: <18dba4e50906150939kf3d1df4h29f87664cb5ac0ad@mail.gmail.com>
Message-ID: <8097baf0906151157x4a502524v207619c8313216da@mail.gmail.com>

What kind of resources are you specifically interested in?

2009/6/15 Felix Nkansah :
> Hi Team,
>
> I would appreciate if any on this list could direct me to useful resources
> that go in-depth into SS7 and SS7-over-IP protocols, focusing on using Cisco
> ITPs in combination with a SMSC and SS7 network.
>
> Thanks in advance.
>
> Felix
>

From kgraham at industrial-marshmallow.com Mon Jun 15 13:59:03 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 15 Jun 2009 10:59:03 -0700 (PDT)
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To:
References: <44417CD2F19FEA4F885088340A71D33201F0DFCB@mail.office.dansketelecom.com> <4A1F00C8.9060109@west.net> <4A1F0B39.6040907@forthnet.gr>
Message-ID: <141296.79805.qm@web1212.biz.mail.gq1.yahoo.com>

> The first shows the "Z1" socket in the background with the fuzzy loop in the
> foreground. The second shows the heat fin & loop in the foreground with the
> socket in the background. The loop is supposed to be in the Z1 socket.

Just unpacked a WS-X6748-GE-TX and found a loose jumper in the bag. Thanks to this thread, gave a slight push to the heat fin and off it came, with jumper Z1 suspiciously absent.

> Based on the responses I've received it seems that this is a fairly common
> failure due to a design flaw.
> I got the usual "that's strange; nobody else is
> having this problem" from Cisco. I now have ample justification for telling
> them "bull".

Indeed. Given the number of instances cited here alone, I'm really surprised there hasn't been a field notice.

From vanormer at gmail.com Mon Jun 15 14:59:03 2009
From: vanormer at gmail.com (Robert VanOrmer)
Date: Mon, 15 Jun 2009 13:59:03 -0500
Subject: [c-nsp] Qos on IPSec + GRE tunnel with sup720-3bxl
Message-ID: <009101c9edeb$5ac18820$10449860$@com>

I am having an interesting challenge in getting a QoS policy that is supported / works across a IPSec + GRE tunnel running 12.2(18)SXF (Sup720-3bxl, ws-svc-ipsec-1, flexwan with DS3).

I am not trying to do anything overly complex.. really just want to make sure RTP or EF tagged frames make it, and let the rest of the traffic fend for itself with any queuing strategy.

Originally, I was just planning to use class/policy maps with the bandwidth and priority controls to guarantee a certain amount of bandwidth to dscp ef. This doesn't seem to be supported.. and my google-fu is failing me.. Most documentation references the qos pre-qualify features and auto-qos, which are also unsupported in this configuration. TAC recommends policing, but I would rather avoid that unless that is the best mechanism.

Anybody have any experience with a similar design and willing to share some pointers? Any recommendations on the best QoS strategy using GRE tunnels on the 6500 platform?

From felixnkansah at gmail.com Mon Jun 15 15:11:03 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Mon, 15 Jun 2009 19:11:03 +0000
Subject: [c-nsp] Cisco ITP and SMSC
In-Reply-To: <8097baf0906151157x4a502524v207619c8313216da@mail.gmail.com>
References: <18dba4e50906150939kf3d1df4h29f87664cb5ac0ad@mail.gmail.com> <8097baf0906151157x4a502524v207619c8313216da@mail.gmail.com>
Message-ID: <18dba4e50906151211l55f983fdld28d333a441a75f9@mail.gmail.com>

Any that you know on the subject could prove useful to me.

But to be specific, anything that teaches concepts and configurations of application servers, routing on point codes, global title configuration, multilayer routing, etc.

Thanks in advance.

On Mon, Jun 15, 2009 at 6:57 PM, Yann Gauteron wrote:
> What kind of resources are you specifically interested in?
>
> 2009/6/15 Felix Nkansah :
> > Hi Team,
> >
> > I would appreciate if any on this list could direct me to useful resources
> > that go in-depth into SS7 and SS7-over-IP protocols, focusing on using Cisco
> > ITPs in combination with a SMSC and SS7 network.
> >
> > Thanks in advance.
> >
> > Felix
> >
>

From kgraham at industrial-marshmallow.com Mon Jun 15 14:29:10 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 15 Jun 2009 11:29:10 -0700 (PDT)
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To:
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <1244844193.9252.17.camel@localhost.localdomain>
Message-ID: <919169.94149.qm@web1204.biz.mail.gq1.yahoo.com>

> > Was the original intention of this thread not to find out exactly what *is*
> > the best tool for the above scenario? :)
>
> GSR w/E3 or E5 LCs, ASR 1K, CRS-1, or N7K, depending upon the circumstances

Probably none of them -- N7K seems squarely targeted at enterprise DC, so given BU turf wars, wouldn't go near it for a SP workload (ie. consider that post-split, the 6500 and 7600 are clearly diverging). Otherwise, ASR9K or 7600 are going to be the only ones that get close to the port counts that were cited initially.
Given the 192 ports of 10/100/1000, presumably this is aggregating customers, in which case it'd be best to roll these up on 7600/RSP720 (along with their associated BGP, since most of them would probably be suitable for peer-groups). uRPF wouldn't be a problem, and hopefully ACL's would be uniform enough across customers to share most of the ACE entries.

With that compromise (namely losing customer-customer netflow detail), the remaining requirements for full netflow exports and the balance of the BGP workload are feasible for any of ASR1k, GSR, or CRS-1.

From c.spurgeon at mail.utexas.edu Mon Jun 15 14:54:18 2009
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Mon, 15 Jun 2009 13:54:18 -0500
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
In-Reply-To:
References: <006c01c9ed4d$4f0174d0$ed045e70$@com>
Message-ID: <20090615185418.GA48691@argus.gw.utexas.edu>

On Sun, Jun 14, 2009 at 07:29:58PM -0500, Graham Wooden wrote:
> Thanks David and Dale for the insights.
>
> SP Rommon was pretty far back, and upgrading it solved an issue I was
> having. However, after reading the caveats listed for the MSFC2A, I don't
> think I am going to mess with the RP - until I really need to.

Another data point along the lines of "if it ain't broke..."

When we did a SP rommon upgrade to 45 sup720s a while back (to fix some serious booting bugs) we lost one sup720 when it became bricked due to a failed rommon upgrade.

Since then the risk of bricking the sup720 has been added to the list of reasons that we don't mess with the rommon unless we have to.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

From dsavage at castleaccess.com Mon Jun 15 14:49:00 2009
From: dsavage at castleaccess.com (Denis Savage)
Date: Mon, 15 Jun 2009 11:49:00 -0700
Subject: [c-nsp] 7201 NPE-G2 vs. 7204 with NPE-G2 engine
In-Reply-To:
Message-ID:

Is there any benefit of going with the 7201 NPE-G2 over the 7204 VXR with the NPE-G2 engine? They appear to be the exact same, except the 7204 has four slots as opposed to the 7201 being a 1U appliance. Yet, the 7204 is cheaper from what I can gather. Am I missing something?

Thanks,

Denis Savage

From kgraham at industrial-marshmallow.com Mon Jun 15 14:48:26 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 15 Jun 2009 11:48:26 -0700 (PDT)
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <20090612205202.GC10390@kallisti.us>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <20090612205202.GC10390@kallisti.us>
Message-ID: <34850.38269.qm@web1209.biz.mail.gq1.yahoo.com>

> Hah, keep drinking the cool aid! I have a pair of 6500s ready to fall
> over at about 150kpps. All WS-67xx LAN cards with DFCs. CPU averages
> 60% and often maxes.
>
> No netflow, no uRPF, no multicast, no IPv6, no BFD, no MPLS, no ACLs
> in the forwarding plane. Very basic OSPF, BGP, and MSTP. About 2000
> VLANs, 80% of which have associated layer 3 SVIs.

...which of course is mostly irrelevant to the forwarding performance. If it's just a handy opportunity to bitch, go for it, but as others mentioned, something's not right. "ready to fall over at 150kpps" is only right if traffic is being entirely software switched on the MSFC3. Barring that, the main thing that SP/RP would be seeing is mac-learning and ARP (for which an above-average load would be reasonable assuming with ~default values and a correspondingly high number of hosts to go along with those ~2000 vlans).

From mhuff at ox.com Mon Jun 15 16:05:11 2009
From: mhuff at ox.com (Matthew Huff)
Date: Mon, 15 Jun 2009 16:05:11 -0400
Subject: [c-nsp] 7201 NPE-G2 vs. 7204 with NPE-G2 engine
In-Reply-To:
References:
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C381C1427C@PUR-EXCH07.ox.com>

I believe the deal with the 7201 is that you are paying for the compactness. Also the 7204 is probably the most mass produced 72xx, so it's probably an economy of scale, especially if you are looking at refurb.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Denis Savage
> Sent: Monday, June 15, 2009 2:49 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 7201 NPE-G2 vs. 7204 with NPE-G2 engine
>
> Is there any benefit of going with the 7201 NPE-G2 over the 7204 VXR with
> the NPE-G2 engine? They appear to be the exact same, except the 7204 has
> four slots as opposed to the 7201 being a 1U appliance. Yet, the 7204 is
> cheaper from what I can gather. Am I missing something?
>
> Thanks,
>
> Denis Savage
>

From gert at greenie.muc.de Mon Jun 15 16:16:56 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 15 Jun 2009 22:16:56 +0200
Subject: [c-nsp] 7201 NPE-G2 vs. 7204 with NPE-G2 engine
In-Reply-To:
References:
Message-ID: <20090615201656.GV290@greenie.muc.de>

Hi,

On Mon, Jun 15, 2009 at 11:49:00AM -0700, Denis Savage wrote:
> Is there any benefit of going with the 7201 NPE-G2 over the 7204 VXR with
> the NPE-G2 engine? They appear to be the exact same, except the 7204 has
> four slots as opposed to the 7201 being a 1U appliance. Yet, the 7204 is
> cheaper from what I can gather. Am I missing something?

The 7201 is only using 1U of rack space.
Which might seem obvious - but if all you need is "GigE ports" (and maybe a single PA), but at the same time the amount of rack space you can use is limited, 1U beats 4U :-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From achatz at forthnet.gr Mon Jun 15 16:21:41 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 15 Jun 2009 23:21:41 +0300
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
In-Reply-To: <20090615185418.GA48691@argus.gw.utexas.edu>
References: <006c01c9ed4d$4f0174d0$ed045e70$@com> <20090615185418.GA48691@argus.gw.utexas.edu>
Message-ID: <4A36AD55.6090101@forthnet.gr>

Charles Spurgeon wrote on 15/06/2009 21:54:
> On Sun, Jun 14, 2009 at 07:29:58PM -0500, Graham Wooden wrote:
>> Thanks David and Dale for the insights.
>>
>> SP Rommon was pretty far back, and upgrading it solved an issue I was
>> having. However, after reading the caveats listed for the MSFC2A, I don't
>> think I am going to mess with the RP - until I really need to.
>
> Another data point along the lines of "if it ain't broke..."
>
> When we did a SP rommon upgrade to 45 sup720s a while back (to fix
> some serious booting bugs) we lost one sup720 when it became bricked
> due to a failed rommon upgrade.
>

Since there is a resident (GOLD) rommon also, couldn't that one be used for "recovery"?

--
Tassos

> Since then the risk of bricking the sup720 has been added to the list
> of reasons that we don't mess with the rommon unless we have to.
>
> -Charles
>
> Charles E. Spurgeon / UTnet
> UT Austin ITS / Networking
> c.spurgeon at its.utexas.edu / 512.475.9265
>

From rdobbins at arbor.net Mon Jun 15 16:31:58 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Tue, 16 Jun 2009 03:31:58 +0700
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <34850.38269.qm@web1209.biz.mail.gq1.yahoo.com>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <20090612205202.GC10390@kallisti.us> <34850.38269.qm@web1209.biz.mail.gq1.yahoo.com>
Message-ID: <0F6687DF-1945-4E0D-8815-89402C3AEE19@arbor.net>

On Jun 16, 2009, at 1:48 AM, Kevin Graham wrote:

> "ready to fall over at 150kpps" is only right if traffic is being
> entirely software switched on the MSFC3.

Concur. I'd start here:

sh proc c sort | e 0.00
sh fm sum

-----------------------------------------------------------------------
Roland Dobbins //

        Unfortunately, inefficiency scales really well.

                   -- Kevin Lawton

From amsoares at netcabo.pt Mon Jun 15 19:35:37 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Tue, 16 Jun 2009 00:35:37 +0100
Subject: [c-nsp] 12k Full BGP Feed Memory Requirements
In-Reply-To: <4D58C7B4943F874BA4CB5D68A7924060B0F5F6@Epikserver2.Epik.local>
References: <6E449148FF134A9BA2815F839724F23E@int.convex.pt> <4D58C7B4943F874BA4CB5D68A7924060B0F530@Epikserver2.Epik.local> <153DAD8392C948D6B0E0864E232B909C@int.convex.pt> <4D58C7B4943F874BA4CB5D68A7924060B0F5F6@Epikserver2.Epik.local>
Message-ID: <9F415B851F1640F5884181C42F35A315@int.convex.pt>

What type of LC's do you have in that router ?

I'm trying to find what is the difference in the architecture between Eng3 vs Eng4 LC's that could justify this problem:

router#show ip cef resource
Hardware resource allocation status summary
Green (Normal), Yellow (Caution) Red (Alarm)
Slot  HW Resource Name          Util  Alert
X     E4_Lookup External SRAM   93    Y
Y     E3 Rx PLU                 26    G
Y     E3_Rx_TLU                 11    G

Both have the same Route Memory and Packet Memory (512 Mb). But all i was able to find is related with Eng0/Eng1/Eng2:

Cisco 12000 Series Internet Router Architecture: Line Card Design
http://www.cisco.com/en/US/products/hw/routers/ps167/products_tech_note09186a00801e1dbd.shtml

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: Ryan Werber [mailto:RWerber at epiknetworks.com]
Sent: sexta-feira, 5 de Junho de 2009 20:31
To: Antonio Soares; cisco-nsp
Subject: RE: [c-nsp] 12k Full BGP Feed Memory Requirements

>-----Original Message-----
>From: Antonio Soares [mailto:amsoares at netcabo.pt]
>Sent: Friday, June 05, 2009 4:14 AM

>Wow, this is unbelievable ! Can you show us your "show proc mem | inc BGP" ? Do you really have two full BGP feeds (about 284k
>prefixes each) ?

#show proc memory | i BGP
 169   0  2895956668 1123582500  310165452      0      0 BGP Router
 172   0     3975400 1008225208       6840  53464      0 BGP I/O
 173   0        4188   12111120      14028      0      0 BGP Scanner

First one is Cogent (174), the Second one is Tiscali (3257). There are 4 Ibgp Route-Servers as well. we have ~10 full transit feeds throughout our asn, as well as a ton of peering. The only thing changed below are ip addresses to protect the innocent. We currently have ~130 meg free on the GRP-B. We also have 1 directly connected eBGP IPv6 peer, and 5 throughout our ASN.
38.103.xx.xx 4 174 3895305 60405 22155189 0 0 5w6d 283503 77.67.xx.xx 4 3257 5813157 139266 22155189 0 0 6w6d 282571 PEER-RS-1 4 21513 2472535 3813308 22155189 0 0 15:25:46 100863 RS-1 4 21513 4092583 3613405 22155189 0 0 6w6d 265775 RS-2 4 21513 3244549 3613398 22155189 0 0 6w6d 267897 RS-3 4 21513 5660680 3711962 22155189 0 0 1w1d 284664 show ip cef summary IP Distributed CEF with switching (Table Version 8565971), flags=0x0 288375 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 18273 8561775 instant recursive resolutions, 0 used background process 12 load sharing elements, 12 references 1389 in-place/0 aborted modifications 57883336 bytes allocated to the FIB table data structures universal per-destination load sharing algorithm, id 6CE54348 2(0) CEF resets Resolution Timer: Exponential (currently 1s, peak 4s) Tree summary: 8-8-8-8 stride pattern short mask protection disabled 288375 leaves, 14605 nodes using 23265244 bytes Transient memory used: 149355436, max: 149395476 Table epoch: 0 (288375 entries at this epoch) Adjacency Table has 41 adjacencies 34 IPv4 adjacencies 7 IPv6 adjacencies From jkrejci at usinternet.com Mon Jun 15 19:08:03 2009 From: jkrejci at usinternet.com (Justin Krejci) Date: Mon, 15 Jun 2009 18:08:03 -0500 Subject: [c-nsp] LX vs LH Transceivers Message-ID: <3E79CE9C0B7C401490E6CD827B2A7E44@usicorp.usinternet.com> There appears to be a fair amount of threads online about using LX and LH together on a SMF link. I have a situation where there is a 7206VXR with an NPE-G1 that has a LX GBIC installed that is talking via SMF to a 12000 series router to one of our providers that is using an LX transceiver. This gigE link has been up and running happily for a while. We are running into some performance issues on the 7200 when under load so we have a 6509 sup720 3bxl. The sup720 has one sfp port and one sfp/rj45 combo port. 
We have one GLC-LH-SM SFP transceiver installed into the sfp-only port but when cutting over the above mentioned link from the 7200 to the 6509 we get no eth link at all. We verified fibers are clean, light levels are within spec and strands connected in the correct tx/rx slots on the transceiver. A simple hard loop at the FDP causes the gig interface to come right up on the 6509 so I know the transceiver and gig port are producing and receiving light at a hardware level but it seemed odd this was not working when talking to the provider's LX GBIC. Everywhere online that I could find seems to indicate LX and LH are 100% compatible with each other and that Cisco even uses these two interchangeably (to the dismay of some). http://marc.info/?l=cisco-nsp &m=120612428712150&w=2 http://en.wikipedia.org/wiki/Gigabit_Ethernet#1000BASE-LX When talking with this provider they are adamant that their Cisco LX equipment is not at all compatible with regular Cisco LH equipment and mentioned that they are not using standard IOS but are using some customized OS on their Cisco which is why there is this incompatibility. This to me seems very suspicious like they don't want to troubleshoot this problem but I can't dismiss their claims as invalid since I am not real knowledgeable in this regard. They also claim they are not able to support LH connectivity for this circuit due to this compatibility. From what I've read it seems the LH/LX compatibility is really more of a hardware difference and software driving the hardware would have no real bearing on this but again I don't have anything to back up my line of thought. Do I need to press my provider a little harder on this issue or are their claims true/possible and I am just going to have to get an actual "LX" SFP for this circuit or figure something else out. Thanks! 
Justin Krejci

From dale.shaw+cisco-nsp at gmail.com  Mon Jun 15 19:57:25 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 16 Jun 2009 09:57:25 +1000
Subject: [c-nsp] LX vs LH Transceivers
In-Reply-To: <3E79CE9C0B7C401490E6CD827B2A7E44@usicorp.usinternet.com>
References: <3E79CE9C0B7C401490E6CD827B2A7E44@usicorp.usinternet.com>
Message-ID: <3329cbb40906151657h4c0ddd38t1eb52223a0ff3656@mail.gmail.com>

Hi Justin,

On Tue, Jun 16, 2009 at 9:08 AM, Justin Krejci wrote:
> We are running into some performance issues on the 7200 when under load so
> we have a 6509 sup720 3bxl. The sup720 has one sfp port and one sfp/rj45
> combo port. We have one GLC-LH-SM SFP transceiver installed into the
> sfp-only port but when cutting over the above mentioned link from the 7200
> to the 6509 we get no eth link at all.

Sorry if this is offensively obvious, but did your interface config include "media-type sfp"?

The only other trick I've found with 1000BASE-LX recently was between a WS-X6724-SFP line card and an Alcatel 1662 -- the link wouldn't come up without "speed nonegotiate".

Good luck.

Cheers,
Dale

From jkrejci at usinternet.com  Mon Jun 15 20:10:08 2009
From: jkrejci at usinternet.com (Justin Krejci)
Date: Mon, 15 Jun 2009 19:10:08 -0500
Subject: [c-nsp] LX vs LH Transceivers
In-Reply-To: <3329cbb40906151657h4c0ddd38t1eb52223a0ff3656@mail.gmail.com>
References: <3E79CE9C0B7C401490E6CD827B2A7E44@usicorp.usinternet.com> <3329cbb40906151657h4c0ddd38t1eb52223a0ff3656@mail.gmail.com>
Message-ID: <3D3B02466EFE42EA96616FA1CBD7D798@usicorp.usinternet.com>

Dale,

Thanks for the tip, but in this particular case I was using the sfp-only interface, so there is not even an option for configuring media-type.

router(config)#int g5/1
router(config-if)#me?
% Unrecognized command
router(config-if)#int g5/2
router(config-if)#me?
media-type
router(config-if)#me

Also I did not try the "speed nonegotiate" option; I will definitely have to try that.

Thanks!
From fusionfoto at gmail.com  Mon Jun 15 21:33:05 2009
From: fusionfoto at gmail.com (FF)
Date: Mon, 15 Jun 2009 21:33:05 -0400
Subject: [c-nsp] XENPAK packet loss
Message-ID: <4522daf90906151833o464b47b4x8266170f8cc929b4@mail.gmail.com>

I've been trying to solve an odd problem and can't seem to make any headway.

I'm in the process of upgrading two DF links that were formerly served by 1GB/ZX optics to XENPAK-DWDM optics. 1 lambda only on each.

The ZX link for the first span ran fine. When the DWDM XENPAK is installed, both ends see about -15 dB receive power and ping fine until traffic is put on them. At about 200-300 Mb/s they start losing 1500 byte packets. The more traffic, the more the problem. At night, when traffic is lower, the link looks clean. No attenuators are on this link.

On a longer span (140km) link, I have the same setup, with two EDFAs. The input power comes in right around -24 dBm. It tests clean mostly, but drops 2 packets out of 10,000 when empty. More traffic, more drops.
I figured it was a strength problem (-24 dBm is right at the edge). So I went in with some fiber cleaners and rejumpered everything. Got it down to -22 dBm, which should be well within the tolerances. If anything the problem got worse, not better.

There are some input/CRC errors incrementing on one side or the other. Not as many as there are dropped packets, but clearly some do correlate to dropped packets (for example 6 input errors out of 25,000 packets).

I looked up the data sheet on the Cisco DWDM transceivers (all the optics and the EDFAs are Cisco) and they say you may get burst errors above -15 dBm, but nothing about bursts below. I have no idea how to diagnose burst errors anyway.

I don't know if this is a signal strength problem, or something else. On the long span, I could theoretically be hitting issues like dispersion, but on the short span I should be running perfectly since everything is within tolerances. Since they are both seeing the same sort of behavior, I am wondering if it's something I've overlooked.

So now I have two spans, of drastically different lengths, both dropping packets directly related to the amount of traffic moving over them. Only BGP and static routes are on these. All are 6500/SUP32 or SUP720s running 12.22-33SXH5 or SXHI1.

Any help/advice/assistance would be appreciated. I'm trying to avoid spending 8+ hrs on the phone with TAC.

Thank you very much.

-- 
My opinions aren't even my own.
FF

From swmike at swm.pp.se  Tue Jun 16 02:22:32 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 16 Jun 2009 08:22:32 +0200 (CEST)
Subject: [c-nsp] XENPAK packet loss
In-Reply-To: <4522daf90906151833o464b47b4x8266170f8cc929b4@mail.gmail.com>
References: <4522daf90906151833o464b47b4x8266170f8cc929b4@mail.gmail.com>

On Mon, 15 Jun 2009, FF wrote:

> On a longer span (140km) link, I have the same setup, with two EDFAs.
> The input power comes in right around -24dbm.
> It tests clean mostly, but
> drops 2 packets out of 10,000 when empty. More traffic, more drops. I
> figured it was a strength problem (-24dbm is right at the edge). So went
> in with a some fiber cleaners and rejumpered everything. Got it down to
> -22dbm which should be well within the tolerances. If anything the
> problem got worse, not better.

Is this link dispersion compensated? Otherwise that is most likely your problem; 1GE rarely gets chromatic dispersion (CD) problems, 10GE much more so.

> So now I have two spans, of drastically different lengths, both dropping
> packets directly related to the amount of traffic moving over them. Only
> BGP and static routes are on these. All are 6500/SUP32 or SUP720s
> running 12.22-33SXH5 or SXHI1.

Which indicates a constant BER (bit error rate), which is consistent with CD induced BER.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From andy.saykao at staff.netspace.net.au  Tue Jun 16 02:23:56 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 16 Jun 2009 16:23:56 +1000
Subject: [c-nsp] Can you apply crypto map to SVI
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654E84@vic-cr-ex1.staff.netspace.net.au>

Hi All,

Got a problem with a site-to-site IPSEC VPN implementation where one end is using an SVI.

Does anybody know if a crypto map can be applied to an SVI to bring up the IPSEC tunnel? It accepts the command but I can't pass any traffic to/from it.

interface vlan 10
 crypto map MY-MAP

Or do you need to apply the crypto map to a physical interface?

I've gotten it working on a sub-interface (eg: interface GigabitEthernet0/0.11) but can't find any documentation that talks about applying it to an SVI and whether this will work.

Thanks.

Andy
From dmitry at dmitry.net  Tue Jun 16 03:03:39 2009
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Tue, 16 Jun 2009 10:03:39 +0300
Subject: [c-nsp] SVI bandwidth
Message-ID: <20090616070339.GF81381@f17.dmitry.net>

Hello!

Is there any way to configure some sort of "bandwidth inherit" command, but regarding SVIs rather than sub-interfaces? Or some way to configure the default bandwidth for all SVIs without their own explicit definition?

Thanks!

P.S. C7600-RSP720 under latest 12.2SRC

-- 
Dmitry Kiselev

From hegedus.gabor at euroway.hu  Tue Jun 16 04:07:37 2009
From: hegedus.gabor at euroway.hu (Hegedus Gabor)
Date: Tue, 16 Jun 2009 10:07:37 +0200
Subject: [c-nsp] mars reinstall
Message-ID: <4A3752C9.2040105@euroway.hu>

Hi all!

I have a problem. Our MARS doesn't want to work well. It is not responding remotely. I need a good user guide that tells me how to reinstall the MARS. We have the 4.x version on it and I think I'm going to install 6.x. How can I do it? Please help.

Thank you.

br
Gabor

From moua0100 at umn.edu  Tue Jun 16 05:02:49 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 16 Jun 2009 04:02:49 -0500
Subject: [c-nsp] Can you apply crypto map to SVI
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654E84@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654E84@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <4A375FB9.3010305@umn.edu>

Yes, this should work, contingent on the hardware platform. If you do a "sh cry engine" do you see an active crypto engine in sw or hw?
If not, then the crypto commands will never be invoked even though they are legal.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

From zivl at gilat.net  Tue Jun 16 05:14:39 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 16 Jun 2009 12:14:39 +0300
Subject: [c-nsp] mars reinstall
In-Reply-To: <4A3752C9.2040105@euroway.hu>
References: <4A3752C9.2040105@euroway.hu>

Yeah, we had some problems with MARS too, so we've upgraded it to SATURN, much greater and more robust, and hey, you've gotta love the rings and the 61 moons!
Just kiddin'

Have you looked at this link?
http://www.cisco.com/en/US/products/ps6241/prod_installation_guides_list.html

There are a lot of guides there about installation/upgrade/migration.

Hope this helps
Ziv

From lists at memetic.org  Tue Jun 16 06:52:50 2009
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 16 Jun 2009 11:52:50 +0100
Subject: [c-nsp] RSP720-10GE & C7606
Message-ID: <4A377982.5070303@memetic.org>

Hi All,

I have a pair of RSP720-10GEs and a 7606 chassis. The RSP datasheet suggests they aren't compatible.

Does anyone have any evidence either way?

Thanks,
adam.

From eng_mssk at hotmail.com  Tue Jun 16 08:38:58 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 16 Jun 2009 15:38:58 +0300
Subject: [c-nsp] Double Natting

Hey all,
I have a WiMAX CPE which has a public IP address, and from the LAN side it has the IP address 192.168.1.1 and DHCP enabled.
Now I have a TP-Link router that is connected to the CPE and got the IP address 192.168.1.100.
I connected a laptop to the router and it got the IP address 192.168.2.100.
Can I access the laptop via remote desktop by accessing the public IP address of the CPE?

Thanks

From lowen at pari.edu  Tue Jun 16 09:13:38 2009
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 16 Jun 2009 09:13:38 -0400
Subject: [c-nsp] LX vs LH Transceivers
In-Reply-To: <3E79CE9C0B7C401490E6CD827B2A7E44@usicorp.usinternet.com>
References: <3E79CE9C0B7C401490E6CD827B2A7E44@usicorp.usinternet.com>
Message-ID: <200906160913.38353.lowen@pari.edu>

On Monday 15 June 2009 07:08:03 pm Justin Krejci wrote:
> There appears to be a fair amount of threads online about using LX and LH
> together on a SMF link. I have a situation where there is a 7206VXR with an
> NPE-G1 that has a LX GBIC installed that is talking via SMF to a 12000
> series router to one of our providers that is using an LX transceiver. This
> gigE link has been up and running happily for a while.
[snip]
> We are running into some performance issues on the 7200 when under load so
> we have a 6509 sup720 3bxl. The sup720 has one sfp port and one sfp/rj45
> combo port. We have one GLC-LH-SM SFP transceiver installed into the
> sfp-only port but when cutting over the above mentioned link from the 7200
> to the 6509 we get no eth link at all.

I've seen random issues with our 12012 with 1 port GE linecards linking up with a Catalyst 5509's GE port before; I have no idea if they are related or not, but disabling autonegotiation on the Catalyst seemed to fix it. The link would intermittently come up on the Cat 5509, and the link showed up on the 12012, but would not be stable until disabling negotiation on the 5509.

I realize that's old hardware, but even the latest 6500 stuff inherits more from the old Catalyst line than it does from the 7200 router line.

In our case, the 12012's LC links up fine with an Extreme Summit1i, with a 7401ASR's GE port, with a 7507's GEIP and GEIP+, and with a 7200 NPE-G1's port. Had issues with the Cat 5509 gig ports (both on the SupIIIG and the three port gig card) only.
Haven't tried with our 7609 yet, or with a Cat 8500, or with a Cat 5500's 9 port gig etherchannel card.

From avayner at cisco.com  Tue Jun 16 09:43:39 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 16 Jun 2009 15:43:39 +0200
Subject: [c-nsp] Double Natting
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7CCDBD8@xmb-ams-331.emea.cisco.com>

Mohammad,

Yes, you can, but you will have to configure port mapping on both NAT devices.

RDP should be using port 3389.

Arie

From eng_mssk at hotmail.com  Tue Jun 16 09:56:50 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 16 Jun 2009 16:56:50 +0300
Subject: [c-nsp] Double Natting

Thanks all for your assistance. I configured port forwarding before submitting my request, but the CPE is dumb; I figured out later that you have to assign a port range, not a specific port, on the CPE :)

From lgeyer at gmail.com  Tue Jun 16 10:04:33 2009
From: lgeyer at gmail.com (Laurent Geyer)
Date: Tue, 16 Jun 2009 10:04:33 -0400
Subject: [c-nsp] LX vs LH Transceivers
In-Reply-To: <3E79CE9C0B7C401490E6CD827B2A7E44@usicorp.usinternet.com>
References: <3E79CE9C0B7C401490E6CD827B2A7E44@usicorp.usinternet.com>
Message-ID: <39647f4d0906160704t4344824ak13f79e6721f474a7@mail.gmail.com>

On Mon, Jun 15, 2009 at 7:08 PM, Justin Krejci wrote:
> Everywhere online that I could find seems to indicate LX and LH are 100%
> compatible with each other and that Cisco even uses these two
> interchangeably (to the dismay of some).

LX and LH interoperability shouldn't be an issue; we mix and match like that all the time. Have you attempted to disable link negotiation on your 6500 yet?

- Laurent

From fusionfoto at gmail.com  Tue Jun 16 10:06:16 2009
From: fusionfoto at gmail.com (FF)
Date: Tue, 16 Jun 2009 10:06:16 -0400
Subject: [c-nsp] XENPAK packet loss
References: <4522daf90906151833o464b47b4x8266170f8cc929b4@mail.gmail.com>
Message-ID: <4522daf90906160706v479940b7v38c21374615ca741@mail.gmail.com>

I thought Chromatic Dispersion is distance related. This is supposed to be SMF-28 DSF, the optics are supposed to be 80km (XENPAK DWDM 1600 ps dispersion tolerance). Do you need a DCU even when operating within that range? One of the links is only about 40-50km.

Is there a Cisco command to pull up the BER the optic is seeing?

Thanks.

-- 
FF

From drrtuy at ya.ru  Tue Jun 16 09:27:17 2009
From: drrtuy at ya.ru (Roman A. Nozdrin)
Date: Tue, 16 Jun 2009 16:27:17 +0300
Subject: [c-nsp] Double Natting
Message-ID: <4A379DB5.8060607@ya.ru>

Mohammad Khalil wrote:
> hey all
> i have a wimax CPE which have public IP address
> and from the LAN side it has the ip add 192.168.1.1 and its DHCP enabled
> now i have tp-link router that is connected to the CPE and got the ip address 192.168.1.100
> i connected a laptop to the router and got the ip address 192.168.2.100
> can i access the laptop via remote desktop by accessing the public ip address of the CPE ?

It seems you can get to the laptop using the topology you described. For example:

CPE(RDP port) -> TP-LINK(RDP port) -> laptop

Is the TP-Link router smart enough to manipulate destination NAT? What is the actual model of the router?

WBR
Roman A. Nozdrin

From cluestore at gmail.com  Tue Jun 16 10:17:30 2009
From: cluestore at gmail.com (Clue Store)
Date: Tue, 16 Jun 2009 09:17:30 -0500
Subject: [c-nsp] Global Route Leaking on same PE
Message-ID: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com>

Hi All,

Looked through the archives but couldn't find anything about this specific issue.
I'm trying to leak a route from the global table on a PE to an interface that is on the same PE, but I get the following when I try to just point it to a loopback.....

ip route vrf test 64.193.x.x 255.255.255.248 192.168.222.1 global
%Invalid next hop address (it's this router)

Also tried to point it to just the interface and it says VPN routes have to be pointed to next-hop addresses. Anyone have some clue how to get this to work where the traffic never leaves the same PE and makes a loop around the network??

TIA

From swmike at swm.pp.se  Tue Jun 16 10:19:08 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 16 Jun 2009 16:19:08 +0200 (CEST)
Subject: [c-nsp] XENPAK packet loss
In-Reply-To: <4522daf90906160706v479940b7v38c21374615ca741@mail.gmail.com>
References: <4522daf90906151833o464b47b4x8266170f8cc929b4@mail.gmail.com> <4522daf90906160706v479940b7v38c21374615ca741@mail.gmail.com>

On Tue, 16 Jun 2009, FF wrote:

> I thought Chromatic Dispersion is distance related. This is supposed

Yes it is.

> to be SMF-28 DSF, the optics are supposed to be 80km (XENPAK DWDM 1600
> ps dispersion tolerance). Do you need a DCU even when operating within
> that range? One of the links is only about 40-50km.

Well, you didn't say whether the links were DC or not, and you didn't say how long the link was. At 40-50km, CD is most likely not the cause of your problems.

According to some info I found, SMF-28 DSF still has 17.1ps/nm/km, meaning your 1600ps dispersion tolerance only gets you 94km? I might be wrong though, I can't get the whole article, google only displays from its cache.

> Is there a Cisco command to pull up the BER the optic is seeing?

No, on GE you can only see it by sending traffic and observing the error counters.
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From fusionfoto at gmail.com  Tue Jun 16 10:41:09 2009
From: fusionfoto at gmail.com (FF)
Date: Tue, 16 Jun 2009 10:41:09 -0400
Subject: [c-nsp] XENPAK packet loss
References: <4522daf90906151833o464b47b4x8266170f8cc929b4@mail.gmail.com> <4522daf90906160706v479940b7v38c21374615ca741@mail.gmail.com>
Message-ID: <4522daf90906160741v3090895ekffc76615f5697e11@mail.gmail.com>

On Tue, Jun 16, 2009 at 10:19 AM, Mikael Abrahamsson wrote:
> On Tue, 16 Jun 2009, FF wrote:
>
>> I thought Chromatic Dispersion is distance related. This is supposed
>
> Yes it is.
>
>> to be SMF-28 DSF, the optics are supposed to be 80km (XENPAK DWDM 1600
>> ps dispersion tolerance). Do you need a DCU even when operating within
>> that range? One of the links is only about 40-50km.
>
> Well, you didn't say the links were DC or not, and you didn't say how long
> the link was. At 40-50km, CD is most likely not the cause of your problems.

On the shorter link, we are seeing the same kind of problem, but not the same problem. Any traffic-related issues at that distance that could explain it?

> According to some info I found, SMF-28 DSF still has 17.1ps/nm/km, meaning
> your 1600ps dispersion tolerance only gets you 94km? I might be wrong
> though, I can't get the whole article, google only displays from its cache.

Well, that could explain the longer link, definitely. Is dispersion something where, say, I'm +300 ps over my dispersion budget, I get a -625 ps DCU on each side and I'm good? I'm trying to avoid upsizing the amplifiers to compensate for the DCUs' insertion loss.

>> Is there a Cisco command to pull up the BER the optic is seeing?
>
> No, on GE you can only see it by sending traffic and observing the error
> counters.

Thank you very much.
-- 
FF

From md at bts.sk  Tue Jun 16 11:50:56 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Tue, 16 Jun 2009 17:50:56 +0200
Subject: [c-nsp] XENPAK packet loss
In-Reply-To: <20090616154120.M78569@bts.sk>
References: <4522daf90906151833o464b47b4x8266170f8cc929b4@mail.gmail.com> <4522daf90906160706v479940b7v38c21374615ca741@mail.gmail.com> <20090616154120.M78569@bts.sk>
Message-ID: <20090616155020.M58546@bts.sk>

On Tue, 16 Jun 2009 16:19:08 +0200 (CEST), Mikael Abrahamsson wrote
> According to some info I found, SMF-28 DSF still has 17.1ps/nm/km,
> meaning your 1600ps dispersion tolerance only gets you 94km? I might
> be wrong though, I can't get the whole article, google only displays
> from its cache.

Wait, if it's really DSF, it has zero dispersion at 1550 nm. But such fiber is unsuitable for DWDM operation. If it's NZDSF, it should have ~ 4 - 6 ps/nm/km.

M.

From jeff-kell at utc.edu  Tue Jun 16 13:04:28 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 16 Jun 2009 13:04:28 -0400
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com>
References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com>
Message-ID: <4A37D09C.7050401@utc.edu>

Clue Store wrote:
> Hi All,
>
> Looked through the archives but couldn't find anything about this specific
> issue.
> I'm trying to leak a route from the global table on a PE to an
> interface that is on the same PE but I get the following when I try to just
> point it to a loopback.....
>
> ip route vrf test 64.193.x.x 255.255.255.248 192.168.222.1 global
> %Invalid next hop address (it's this router)

Sure. You need a pair of VS 6509s with SUP720-3BXLs, a few FWSMs, and a CRS-1 backup...

Just kidding. This seems to come up every few months, and yes, I've asked myself some time ago. There is no easy and elegant way to do this, AFAIK. And believe me, I've tried.

VRF-to-VRF, piece of cake. Global-to-anything else, or anything else-to-global, it just isn't happening. The global table is sacred.

If you have redundant PEs, you can point the "next-hops" to each other and satisfy the criteria to bleed the route. You can also set an interface in each endpoint and physically cable them together, as depressing as that may sound. I resorted to a FWSM, which also works in the same manner as the naked cable loop.

What you and most everyone else that asks really wants is import/export functionality involving the global table to be as straightforward as it is for VRF route-targets, but so far, it just isn't available.

Jeff

From ip at ioshints.info  Tue Jun 16 13:23:45 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 16 Jun 2009 19:23:45 +0200
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com>
References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com>
Message-ID: <002501c9eea7$34983830$0a00000a@nil.si>

The last time I've seen discussion on this topic, you had to have an external back-to-back connection between a VRF interface and a global interface.
> -----Original Message----- > From: Clue Store [mailto:cluestore at gmail.com] > Sent: Tuesday, June 16, 2009 4:18 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Global Route Leaking on same PE > > Hi All, > > Looked through the archives but couldn't find anything about > this specific issue. I'm trying to leak a route from the > global table on a PE to an iterface that is on the same PE > but I get the folowwing when I try to just point it to a loopback..... > > ip route vrf test 64.193.x.x 255.255.255.248 192.168.222.1 > global %Invalid next hop address (it's this router) > > Also tried to point it to just the interface and it says vpn > routes have to be pointed to next-hop addresses. Anyone have > some clue how to get this to work where the traffic never > leaves the same PE and makes a look around the network?? > > TIA > > From jarruda-cnsp at jarruda.com Tue Jun 16 13:48:37 2009 From: jarruda-cnsp at jarruda.com (Julio Arruda) Date: Tue, 16 Jun 2009 13:48:37 -0400 Subject: [c-nsp] Global Route Leaking on same PE In-Reply-To: <002501c9eea7$34983830$0a00000a@nil.si> References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com> <002501c9eea7$34983830$0a00000a@nil.si> Message-ID: <4A37DAF5.1040002@jarruda.com> Ivan Pepelnjak wrote: > The last time I've seen discussion on this topic, you had to have an > external back-to-back connection between a VRF interface and a global > interface. I maybe wrong, but seems this was related to resolving the CEF adjacency to a physical interface ? I understand that you could then use the ip route vrf command, adding the interface in the ip route statement. > >> -----Original Message----- >> From: Clue Store [mailto:cluestore at gmail.com] >> Sent: Tuesday, June 16, 2009 4:18 PM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] Global Route Leaking on same PE >> >> Hi All, >> >> Looked through the archives but couldn't find anything about >> this specific issue. 
>> I'm trying to leak a route from the
>> global table on a PE to an interface that is on the same PE
>> but I get the following when I try to just point it to a loopback.....
>>
>> ip route vrf test 64.193.x.x 255.255.255.248 192.168.222.1 global
>> %Invalid next hop address (it's this router)
>>
>> Also tried to point it to just the interface and it says vpn
>> routes have to be pointed to next-hop addresses. Anyone have
>> some clue how to get this to work where the traffic never
>> leaves the same PE and makes a look around the network??
>>
>> TIA
>>
>>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From howard at leadmon.net Tue Jun 16 13:38:07 2009
From: howard at leadmon.net (Howard Leadmon)
Date: Tue, 16 Jun 2009 13:38:07 -0400
Subject: [c-nsp] 7201 NPE-G2 vs. 7204 with NPE-G2 engine
In-Reply-To:
References:
Message-ID: <007101c9eea9$391ee6e0$ab5cb4a0$@net>

Well the 7201 comes with 4x GE ports, and with the NPE-G2 you're only getting 3x GE ports to start. To get the same you would have to add a PA-GE to your router, and probably the Jacket Card and PA-GE if you didn't want to suck up all the bandwidth points of the slots.

Personally I went with a 7206VXR (why get 4 slots in the same size chassis when you can have 6), and the NPE-G2. I do have to admit to needing a couple PA slots, as I needed to support a DS3 and a couple DS1 lines as well in the router.

I think as others mentioned, the 7201 is smaller if you're space tight..

---
Howard Leadmon

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Denis Savage
> Sent: Monday, June 15, 2009 2:49 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 7201 NPE-G2 vs. 7204 with NPE-G2 engine
>
> Is there any benefit of going with the 7201 NPE-G2 over the 7204 VXR with
> the NPE-G2 engine? They appear to be the exact same, except the 7204 has
> four slots as opposed to the 7201 being a 1U appliance. Yet, the 7204 is
> cheaper from what I can gather. Am I missing something?
>
> Thanks,
>
> Denis Savage
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rbf+cisco-nsp at panix.com Tue Jun 16 14:21:35 2009
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Tue, 16 Jun 2009 13:21:35 -0500
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To: <002501c9eea7$34983830$0a00000a@nil.si>
References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com> <002501c9eea7$34983830$0a00000a@nil.si>
Message-ID: <20090616182135.GA28410@panix.com>

On Tue, Jun 16, 2009 at 07:23:45PM +0200, Ivan Pepelnjak wrote:
> The last time I've seen discussion on this topic, you had to have an
> external back-to-back connection between a VRF interface and a global
> interface.

Depending on the platform, you can do it with a GRE tunnel with both ends on the same router. (Should be fine on a software-switched platform; YMMV on a hardware switched platform.)

> > ip route vrf test 64.193.x.x 255.255.255.248 192.168.222.1 global

  int lo888
   ip address 10.0.0.1 255.255.255.255
  int lo999
   ip address 10.0.0.2 255.255.255.255
  int tun1
   ip address 10.0.0.5 255.255.255.252
   tunnel source lo888
   tunnel destination 10.0.0.2
  int tun2
   ip vrf forwarding test
   ! editorial addition, not in Brett's post: the VRF end of the /30 needs an
   ! address (or ip unnumbered) before IOS will route IP over the tunnel
   ip address 10.0.0.6 255.255.255.252
   tunnel source lo999
   tunnel destination 10.0.0.1
  ip route vrf test 64.193.x.x 255.255.255.248 tunnel2 10.0.0.5

(Might want to force a larger MTU on the tunnel -- no fragmentation issues since the tunnel-encapsulated packets never leave the router.)
-- Brett

From cluestore at gmail.com Tue Jun 16 14:28:17 2009
From: cluestore at gmail.com (Clue Store)
Date: Tue, 16 Jun 2009 13:28:17 -0500
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To: <4A37DAF5.1040002@jarruda.com>
References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com> <002501c9eea7$34983830$0a00000a@nil.si> <4A37DAF5.1040002@jarruda.com>
Message-ID: <580af3b90906161128v601c5d19oc22f6b462ecd904f@mail.gmail.com>

Thanks for the replies all.

>
>
> I may be wrong, but seems this was related to resolving the CEF adjacency
> to a physical interface ?
>
> I understand that you could then use the ip route vrf command, adding the
> interface in the ip route statement.
>
>>
>>
>

Tried this and it said vpn routes must specify a next hop :(

I have this working pointing it to an adjacent router loop interface making a nice traffic loop through a dot1q interface. Looks like I might just have to either move my global boxen to another non-PE terminating router or extend my vrf downstream to separate the voice and data out.

Thanks
Max

From luan at netcraftsmen.net Tue Jun 16 13:39:44 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Tue, 16 Jun 2009 13:39:44 -0400
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To: <002501c9eea7$34983830$0a00000a@nil.si>
References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com> <002501c9eea7$34983830$0a00000a@nil.si>
Message-ID: <02d001c9eea9$6f918020$4eb48060$@net>

You could also use a GRE tunnel for the connection as well.
Jeff is right that this topic keeps coming up every so often. I wonder why Cisco won't just make this easier for people.

----------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
----------------------------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Pepelnjak
Sent: Tuesday, June 16, 2009 1:24 PM
To: 'Clue Store'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Global Route Leaking on same PE

The last time I've seen discussion on this topic, you had to have an external back-to-back connection between a VRF interface and a global interface.

> -----Original Message-----
> From: Clue Store [mailto:cluestore at gmail.com]
> Sent: Tuesday, June 16, 2009 4:18 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Global Route Leaking on same PE
>
> Hi All,
>
> Looked through the archives but couldn't find anything about
> this specific issue. I'm trying to leak a route from the
> global table on a PE to an interface that is on the same PE
> but I get the following when I try to just point it to a loopback.....
>
> ip route vrf test 64.193.x.x 255.255.255.248 192.168.222.1 global
> %Invalid next hop address (it's this router)
>
> Also tried to point it to just the interface and it says vpn
> routes have to be pointed to next-hop addresses. Anyone have
> some clue how to get this to work where the traffic never
> leaves the same PE and makes a look around the network??
>
> TIA
>

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From c.spurgeon at mail.utexas.edu Tue Jun 16 15:08:45 2009
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Tue, 16 Jun 2009 14:08:45 -0500
Subject: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
In-Reply-To: <4A36AD55.6090101@forthnet.gr>
References: <006c01c9ed4d$4f0174d0$ed045e70$@com> <20090615185418.GA48691@argus.gw.utexas.edu> <4A36AD55.6090101@forthnet.gr>
Message-ID: <20090616190845.GA16273@argus.gw.utexas.edu>

On Mon, Jun 15, 2009 at 11:21:18PM +0300, Tassos Chatzithomaoglou wrote:
>
> >When we did a SP rommon upgrade to 45 sup720s a while back (to fix
> >some serious booting bugs) we lost one sup720 when it became bricked
> >due to a failed rommon upgrade.
> >
>
> Since there is a resident (GOLD) rommon also, couldn't that one be used for
> "recovery"?

As I recall the sup became unbootable and unrecoverable when the rommon upgrade wedged during the upgrade process, and the TAC sent a replacement. I couldn't find any further details in our email archives on the issue.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

From harbor235 at gmail.com Tue Jun 16 15:45:32 2009
From: harbor235 at gmail.com (harbor235)
Date: Tue, 16 Jun 2009 15:45:32 -0400
Subject: [c-nsp] Network Perefromance
Message-ID: <836bf1f90906161245k5d217af5h32950925f115cd89@mail.gmail.com>

I wanted to ping everyone on tools they were using to understand the performance of their network, specifically, measuring packet loss, latency, and jitter.

mike

From jkrejci at usinternet.com Tue Jun 16 15:46:22 2009
From: jkrejci at usinternet.com (Justin Krejci)
Date: Tue, 16 Jun 2009 14:46:22 -0500
Subject: [c-nsp] LX vs LH Transceivers
In-Reply-To: <3D3B02466EFE42EA96616FA1CBD7D798@usicorp.usinternet.com>
References: <3E79CE9C0B7C401490E6CD827B2A7E44@usicorp.usinternet.com> <3329cbb40906151657h4c0ddd38t1eb52223a0ff3656@mail.gmail.com> <3D3B02466EFE42EA96616FA1CBD7D798@usicorp.usinternet.com>
Message-ID:

For the sake of completeness on this thread I was able to use the LH transceiver just fine after entering the command "speed nonegotiate" on the interface.
I will be interested to hear what the provider has to say about this now, even though prior to making my config change I double checked with them again on their point about "LX to LH are not compatible" to make sure they didn't hear "LH to SX" or something like that.

Thanks for the tips everyone.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Krejci
Sent: Monday, June 15, 2009 7:10 PM
To: 'Dale Shaw'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] LX vs LH Transceivers

Dale,

Thanks for the tip but this particular case I was using the sfp-only interface so there is not even an option for configuring media-type.

router(config)#int g5/1
router(config-if)#me?
% Unrecognized command
router(config-if)#int g5/2
router(config-if)#me?
media-type
router(config-if)#me

Also I did not try the "speed nonegotiate" option, I will definitely have to try that.

Thanks!

-----Original Message-----
From: dale.shaw at gmail.com [mailto:dale.shaw at gmail.com] On Behalf Of Dale Shaw
Sent: Monday, June 15, 2009 6:57 PM
To: Justin Krejci
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] LX vs LH Transceivers

Hi Justin,

On Tue, Jun 16, 2009 at 9:08 AM, Justin Krejci wrote:
> We are running into some performance issues on the 7200 when under load so
> we have a 6509 sup720 3bxl. The sup720 has one sfp port and one sfp/rj45
> combo port. We have one GLC-LH-SM SFP transceiver installed into the
> sfp-only port but when cutting over the above mentioned link from the 7200
> to the 6509 we get no eth link at all.

Sorry if this is offensively obvious, but did your interface config include "media-type sfp"?

The only other trick I've found with 1000BASE-LX recently was between a WS-X6724-SFP line card and an Alcatel 1662 -- the link wouldn't come up without "speed nonegotiate".

Good luck.
Cheers,
Dale

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From tdurack at gmail.com Tue Jun 16 16:12:13 2009
From: tdurack at gmail.com (Tim Durack)
Date: Tue, 16 Jun 2009 16:12:13 -0400
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To: <02d001c9eea9$6f918020$4eb48060$@net>
References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com> <002501c9eea7$34983830$0a00000a@nil.si> <02d001c9eea9$6f918020$4eb48060$@net>
Message-ID: <9e246b4d0906161312o285451a3pe5186cfe1ff582c1@mail.gmail.com>

On Tue, Jun 16, 2009 at 1:39 PM, Luan Nguyen wrote:
> You could also use a GRE tunnel for the connection as well.
> Jeff is right that this topic keeps coming up every so often. I wonder why
> Cisco won't just make this easier for people.
>
> ----------------------------------------------
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> http://www.netcraftsmen.net
> ----------------------------------------------

Amen to that. I've played around with the various loopback strategies, including using a gre tunnel that originates/terminates on the same PE. It worked, but didn't seem like a scalable solution.

The conclusion I came to is that most MPLS scenarios assume you are using a separate PE/firewall to move traffic between global and vrfs (and probably even inter-vrf.)

It would be great to have a simple global-vrf route exchange feature though.
Tim:>

From mhuff at ox.com Tue Jun 16 16:35:19 2009
From: mhuff at ox.com (Matthew Huff)
Date: Tue, 16 Jun 2009 16:35:19 -0400
Subject: [c-nsp] Network Perefromance
In-Reply-To: <836bf1f90906161245k5d217af5h32950925f115cd89@mail.gmail.com>
References: <836bf1f90906161245k5d217af5h32950925f115cd89@mail.gmail.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C381C142C3@PUR-EXCH07.ox.com>

We are a Cisco shop, so we use "ip sla" feature of newer IOS releases with CiscoWorks LMS. Netflow is useful for traffic monitoring, but for latency and jitter, the cisco featureset is really nice. For example, between two of our voice gateway boxes (running sip trunking between them) in NY & SF:

rtr-nyvoip#show ip sla statistics aggregated 1
IPSLAs aggregated statistics

IPSLA operation id: 1
Start Time Index: .16:15:07.749 EDT Tue Jun 16 2009
Type of operation: udp-jitter
Voice Scores:
        MinOfICPIF: 11  MaxOfICPIF: 11  MinOfMOS: 4.6  MaxOfMOS: 4.6
RTT Values:
        Number Of RTT: 18000    RTT Min/Avg/Max: 91/91/96 milliseconds
Latency one-way time:
        Number of Latency one-way Samples: 0
        Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
        Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
Jitter Time:
        Number of SD Jitter Samples: 17982
        Number of DS Jitter Samples: 17982
        Source to Destination Jitter Min/Avg/Max: 0/1/4 milliseconds
        Destination to Source Jitter Min/Avg/Max: 0/1/4 milliseconds
Packet Loss Values:
        Loss Source to Destination: 0
        Loss Destination to Source: 0
        Out Of Sequence: 0      Tail Drop: 0
        Packet Late Arrival: 0  Packet Skipped: 0
Number of successes: 18
Number of failures: 0
Start Time Index: .15:15:07.749 EDT Tue Jun 16 2009
Type of operation: udp-jitter
Voice Scores:
        MinOfICPIF: 11  MaxOfICPIF: 11  MinOfMOS: 4.6  MaxOfMOS: 4.6
RTT Values:
        Number Of RTT: 60000    RTT Min/Avg/Max: 91/91/103 milliseconds
Latency one-way time:
        Number of Latency one-way Samples: 0
        Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
        Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
Jitter Time:
        Number of SD Jitter Samples: 59940
        Number of DS Jitter Samples: 59940
        Source to Destination Jitter Min/Avg/Max: 0/1/11 milliseconds
        Destination to Source Jitter Min/Avg/Max: 0/1/7 milliseconds
Packet Loss Values:
        Loss Source to Destination: 0
        Loss Destination to Source: 0
        Out Of Sequence: 0      Tail Drop: 0
        Packet Late Arrival: 0  Packet Skipped: 0
Number of successes: 60
Number of failures: 0

The config is:

ip sla responder
ip sla logging traps
ip sla 1
 udp-jitter x.x.x.x 12420 source-ip x.x.x.x codec g729a
ip sla schedule 1 life forever start-time now

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of harbor235
> Sent: Tuesday, June 16, 2009 3:46 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Network Perefromance
>
> I wanted to ping everyone on tools they were using to understand the
> performance of their
> network, specifically, measuring packet loss, latency, and jitter.
>
> mike
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
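Matthew's reply shows what the udp-jitter counters look like on the box. As an added example (not code from the list, from Matthew, or from Cisco), the block below turns that kind of output into per-bucket records and flags the buckets that cross assumed voice-quality thresholds, which is the step between "ip sla" and an actual alert. The sample text is constructed to follow the output quoted above: the first bucket copies the numbers from the thread, the second is an invented degraded hour; the thresholds (150 ms RTT, 30 ms jitter, 1% loss, MOS 4.0) are assumptions, not values from the thread.

```python
# Added example (not from the cisco-nsp thread, not Cisco code): parse
# 'show ip sla statistics aggregated' udp-jitter output and flag buckets that
# breach latency / jitter / loss / MOS thresholds.
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the first bucket copies the numbers quoted in the thread,
# the second is an invented degraded hour so the check has something to flag.
SAMPLE = """\
rtr-nyvoip#show ip sla statistics aggregated 1
IPSLA operation id: 1
Start Time Index: 16:15:07.749 EDT Tue Jun 16 2009
Type of operation: udp-jitter
        MinOfICPIF: 11  MaxOfICPIF: 11  MinOfMOS: 4.6  MaxOfMOS: 4.6
        Number Of RTT: 18000    RTT Min/Avg/Max: 91/91/96 milliseconds
        Source to Destination Jitter Min/Avg/Max: 0/1/4 milliseconds
        Destination to Source Jitter Min/Avg/Max: 0/1/4 milliseconds
        Loss Source to Destination: 0
        Loss Destination to Source: 0
Number of failures: 0
Start Time Index: 15:15:07.749 EDT Tue Jun 16 2009
Type of operation: udp-jitter
        MinOfICPIF: 31  MaxOfICPIF: 31  MinOfMOS: 3.7  MaxOfMOS: 3.9
        Number Of RTT: 60000    RTT Min/Avg/Max: 91/93/210 milliseconds
        Source to Destination Jitter Min/Avg/Max: 0/3/45 milliseconds
        Destination to Source Jitter Min/Avg/Max: 0/1/6 milliseconds
        Loss Source to Destination: 900
        Loss Destination to Source: 0
Number of failures: 2
"""

_FIELDS = {  # the capture group is the integer we keep
    "rtt_max_ms": re.compile(r"RTT Min/Avg/Max:\s*\d+/\d+/(\d+)"),
    "sd_jitter_max_ms": re.compile(r"Source to Destination Jitter Min/Avg/Max:\s*\d+/\d+/(\d+)"),
    "ds_jitter_max_ms": re.compile(r"Destination to Source Jitter Min/Avg/Max:\s*\d+/\d+/(\d+)"),
    "packets": re.compile(r"Number Of RTT:\s*(\d+)", re.IGNORECASE),
    "lost_sd": re.compile(r"Loss Source to Destination:\s*(\d+)"),
    "lost_ds": re.compile(r"Loss Destination to Source:\s*(\d+)"),
    "failures": re.compile(r"Number of failures:\s*(\d+)"),
}
_MOS = re.compile(r"MinOfMOS:\s*([\d.]+)")
_START = re.compile(r"Start Time Index:\s*(.+)")


@dataclass
class SlaBucket:
    start: str
    rtt_max_ms: int
    sd_jitter_max_ms: int
    ds_jitter_max_ms: int
    packets: int
    lost_sd: int
    lost_ds: int
    failures: int
    min_mos: float

    @property
    def loss_pct(self) -> float:
        """Worst-direction loss as a percentage of probes sent in the bucket."""
        if not self.packets:
            return 0.0
        return 100.0 * max(self.lost_sd, self.lost_ds) / self.packets


def parse_sla_aggregated(text: str) -> List[SlaBucket]:
    """Split the output into hourly buckets (each begins at 'Start Time Index:')
    and pull the counters; a counter absent from a bucket is read as 0."""
    buckets = []
    for chunk in re.split(r"(?=Start Time Index:)", text):
        start = _START.search(chunk)
        if not start:
            continue  # banner text before the first bucket
        ints = {}
        for name, rx in _FIELDS.items():
            m = rx.search(chunk)
            ints[name] = int(m.group(1)) if m else 0
        mos = _MOS.search(chunk)
        buckets.append(SlaBucket(start=start.group(1).strip(),
                                 min_mos=float(mos.group(1)) if mos else 0.0, **ints))
    return buckets


def evaluate(b: SlaBucket, rtt_ms=150, jitter_ms=30, loss_pct=1.0, mos=4.0) -> List[str]:
    """Return the thresholds this bucket breaches; an empty list means healthy.
    The defaults are assumed voice-quality targets, not values from the thread."""
    worst_jitter = max(b.sd_jitter_max_ms, b.ds_jitter_max_ms)
    problems = []
    if b.rtt_max_ms > rtt_ms:
        problems.append(f"rtt max {b.rtt_max_ms} ms > {rtt_ms} ms")
    if worst_jitter > jitter_ms:
        problems.append(f"jitter max {worst_jitter} ms > {jitter_ms} ms")
    if b.loss_pct > loss_pct:
        problems.append(f"loss {b.loss_pct:.2f}% > {loss_pct}%")
    if b.min_mos and b.min_mos < mos:
        problems.append(f"MOS {b.min_mos} < {mos}")
    if b.failures:
        problems.append(f"{b.failures} failed probe run(s)")
    return problems


if __name__ == "__main__":
    for bucket in parse_sla_aggregated(SAMPLE):
        print(bucket.start, "->", "; ".join(evaluate(bucket)) or "OK")
```

The parser keys on the field labels rather than column positions, so it tolerates the whitespace differences between IOS releases and a pasted copy; feed it the text of the show command collected over SSH or from a syslog/LMS export and alert on a non-empty result from evaluate().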
From fusionfoto at gmail.com Tue Jun 16 16:51:00 2009
From: fusionfoto at gmail.com (FF)
Date: Tue, 16 Jun 2009 16:51:00 -0400
Subject: [c-nsp] XENPAK packet loss
In-Reply-To: <20090616155020.M58546@bts.sk>
References: <4522daf90906151833o464b47b4x8266170f8cc929b4@mail.gmail.com> <4522daf90906160706v479940b7v38c21374615ca741@mail.gmail.com> <20090616154120.M78569@bts.sk> <20090616155020.M58546@bts.sk>
Message-ID: <4522daf90906161351y5e9053d2ic32c2ef3abde6fe7@mail.gmail.com>

Ok. On the 4-6 ps/nm/km basis we are close but not outside our budget. The lower number is what we budgeted for.

We solved the primary traffic problem (which was packet loss on two completely different links). It wasn't related to the hardware but rather the MPLS FIB being in exception. Supposedly you can't clear this without a reboot, but clear mpls ldp neigh * seems to do the trick. Exactly *why* so many routes were being tagged as MPLS isn't clear yet. Cisco TAC wasn't more lucid than saying bad things can happen in MPLS exception state, and you have to reboot to fix it.

Thanks for your assistance everyone! I will be doing some dispersion measurements on the other leg.

On Tue, Jun 16, 2009 at 11:50 AM, Marian Ďurkovič wrote:
> On Tue, 16 Jun 2009 16:19:08 +0200 (CEST), Mikael Abrahamsson wrote
>> On Tue, 16 Jun 2009, FF wrote:
>>
>> > I thought Chromatic Dispersion is distance related. This is supposed
>>
>> Yes it is.
>>
>> > to be SMF-28 DSF, the optics are supposed to be 80km (XENPAK DWDM 1600
>> > ps dispersion tolerance). Do you need a DCU even when operating within
>> > that range? One of the links is only about 40-50km.
>>
>> Well, you didn't say the links were DC or not, and you didn't say how
>> long the link was. At 40-50km, CD is most likely not the cause of your
>> problems.
>>
>> According to some info I found, SMF-28 DSF still has 17.1ps/nm/km,
>> meaning your 1600ps dispersion tolerance only gets you 94km? I might
>> be wrong though, I can't get the whole article, google only displays
>> from its cache.
>
> Wait, if it's really DSF, it has zero dispersion at 1550 nm.
> But such fiber is unsuitable for DWDM operation.
>
> If it's NZDSF, it should have ~ 4 - 6 ps/nm/km.
>
>    M.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
FF

From chris.brown at acsalaska.net Tue Jun 16 18:49:00 2009
From: chris.brown at acsalaska.net (Christopher E. Brown)
Date: Tue, 16 Jun 2009 14:49:00 -0800
Subject: [c-nsp] Cisco 2821 as an ethernet fed MPLS PE
Message-ID: <4A38215C.1020707@acsalaska.net>

Can anyone comment on the 2821 as an ethernet fed MPLS PE?

This would require a settable MTU on the GigE ports "ie: mtu 1576", and standard support for LDP, MP-BGP, standard L3 VPN support.

Spent too much time trolling Cisco site and not finding answers.

--
------------------------------------------------------------------------
Christopher E. Brown                        desk (907) 550-8393
                                            cell (907) 632-8492
IP Engineer - ACS
------------------------------------------------------------------------

From td_miles at yahoo.com Tue Jun 16 19:29:04 2009
From: td_miles at yahoo.com (Tony)
Date: Tue, 16 Jun 2009 16:29:04 -0700 (PDT)
Subject: [c-nsp] Cisco 2821 as an ethernet fed MPLS PE
Message-ID: <915014.72951.qm@web110103.mail.gq1.yahoo.com>

Hi Chris,

This link will tell you about the MPLS support (answer = yes, depending):
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6557/prod_white_paper0900aecd8051fbdc.html

And look here for jumbo frame support on 2800 (answer = yes, up to 9000 bytes):
http://www.cisco.com/en/US/prod/collateral/routers/ps5854/prod_qas0900aecd80169bd6.html

regards,
Tony.
--- On Wed, 17/6/09, Christopher E. Brown wrote:

From: Christopher E. Brown
Subject: [c-nsp] Cisco 2821 as an ethernet fed MPLS PE
To: "'Cisco-nsp'"
Date: Wednesday, 17 June, 2009, 8:49 AM

Can anyone comment on the 2821 as an ethernet fed MPLS PE?

This would require a settable MTU on the GigE ports "ie: mtu 1576", and standard support for LDP, MP-BGP, standard L3 VPN support.

Spent too much time trolling Cisco site and not finding answers.

From CFlint at mt.gov Tue Jun 16 19:56:23 2009
From: CFlint at mt.gov (Flint, Chris)
Date: Tue, 16 Jun 2009 17:56:23 -0600
Subject: [c-nsp] Cisco 2821 as an ethernet fed MPLS PE
Message-ID: <169F1B4CBA47CC4F93BF2BD0A504C0552EB157532C@doaisd05222.state.mt.ads>

2821 works as an MPLS PE, the 10/100/1000 interfaces on 2821 support higher MTU. If you downsize to a 2811/01, you have to run 12.4(x)T to get a user-settable MTU on the 10/100 interface. Even then you get an error message, but the MTU command is accepted. I'm not sure exactly where support started, but (20)T and (22)T both support it.

Flint

--------------------------------------------

Message: 6
Date: Tue, 16 Jun 2009 16:29:04 -0700 (PDT)
From: Tony
To: "'Cisco-nsp'" , "Christopher E. Brown"
Subject: Re: [c-nsp] Cisco 2821 as an ethernet fed MPLS PE
Message-ID: <915014.72951.qm at web110103.mail.gq1.yahoo.com>
Content-Type: text/plain; charset=utf-8

Hi Chris,

This link will tell you about the MPLS support (answer = yes, depending):
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6557/prod_white_paper0900aecd8051fbdc.html

And look here for jumbo frame support on 2800 (answer = yes, up to 9000 bytes):
http://www.cisco.com/en/US/prod/collateral/routers/ps5854/prod_qas0900aecd80169bd6.html

regards,
Tony.

--- On Wed, 17/6/09, Christopher E. Brown wrote:

From: Christopher E. Brown
Subject: [c-nsp] Cisco 2821 as an ethernet fed MPLS PE
To: "'Cisco-nsp'"
Date: Wednesday, 17 June, 2009, 8:49 AM

Can anyone comment on the 2821 as an ethernet fed MPLS PE?
This would require a settable MTU on the GigE ports "ie: mtu 1576", and standard support for LDP, MP-BGP, standard L3 VPN support.

Spent too much time trolling Cisco site and not finding answers.

------------------------------

From danletkeman at gmail.com Tue Jun 16 20:13:18 2009
From: danletkeman at gmail.com (Dan Letkeman)
Date: Tue, 16 Jun 2009 19:13:18 -0500
Subject: [c-nsp] Dynamic DNS updates to Local DNS Server
Message-ID:

Hello,

I cannot seem to find any information or configuration examples of using a Cisco IOS DHCP server to update A records on a local dns server. I would like to have the router that is running dhcp update the records for a few windows workstations to a bind dns server.

Any help would be appreciated.

From tseveendorj at gmail.com Tue Jun 16 20:42:32 2009
From: tseveendorj at gmail.com (Tseveendorj)
Date: Wed, 17 Jun 2009 09:42:32 +0900
Subject: [c-nsp] 3825 memory issue
Message-ID: <4A383BF8.4020705@gmail.com>

Hello,

I'm using 3825 router to provide internet for ADSL customers. Last week I configured policy-map to provide different bandwidth usage. Since this time my router's memory usage goes up.
border-r#sh processes memory sorted allocated
Processor Pool Total:  143619888 Used:  118621160 Free:   24998728
      I/O Pool Total:   36699648 Used:   10651088 Free:   26048560

 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0 4186877216 4187728860    1501456     256604          0 *Dead*
 104   0  110901912    6213036   95681064          0          0 PPP IP Route
 224   0   79114360   79153804       8752          0          0 crypto sw pk pro
   0   0   45088716   14947936   24508036          0          0 *Init*
 219   0   26739468   26964080      13060          0          0 SNMP ENGINE
 217   0   17194704   16959140      24012          0          0 IP SNMP
   1   0   16815572   15676464    1146168          0          0 Chunk Manager
 225   0   12566668   12602840     170956          0          0 VTEMPLATE Backgr
 213   0    5154176   13760992      38104          0          0 PPP Events
  18   0    4428420    4428088       7392          0          0 ARP Background
 210   0    3901896    1455596     422460          0          0 PPPoE Discovery
  88   0    3291920    3138964      82928          0          0 IP Input
 109   0    2823624          0      13060          0          0 TCP Protocols
 209   0    1489464     320004     606848          0          0 PPPoE Background
  83   0    1131888          0       7060          0          0 AAA ACCT Proc
 222   0     969124    4249452      67108          0          0 RADIUS
  82   0     953112        252      13664          0          0 AAA Server
 207   0     750732       4252     775844          0          0 L2TP mgmt daemon
  59   0     648724       1328     629396          0          0 USB Startup
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
  95   0     439864     305652     243420          0          0 SSS Manager
  77 578     413692     401112      24988          0          0 Virtual Exec
 178   0     350580    1918340       7060          0          0 AAA SEND STOP EV
  25   0     263208          0     272656     113400          0 EEM ED Syslog
 198   0     250300     250300      13060          0          0 Syslog
 167   0     247992          0     255052          0          0 QOS_MODULE_MAIN
 188   0     119396       7344     125844          0          0 EEM Server
 122   0     108244        252     115052          0          0 SCTP Main Proces
 120   0     104664        252     103352          0          0 DHCPD Receive
  93   0      98112        504      13060          0          0 PPP Hooks
 106   0      73808          0      73808          0          0 CEF process
 142   0      73236        252      72648          0          0 FLEX DSPRM MAIN
  17   0      72948      32844      47164          0          0 ARP Input
  24   0      72748          0      79808          0          0 Entity MIB API
  40   0      67568       4424       7060          0          0 TTY Background
 103   0      66736          0      76796          0          0 IP RIB Update
   4   0      65588          0      90648          0          0 EDDRI_MAIN
 152   0      59568      73276       7060          0          0 LOCAL AAA
  54   0      57904        252      64712          0          0 VNM DSPRM MAIN
 206   0      56660          0      15868          0          0 SSH Event handle
  84   0      49384          0      56444          0          0 ACCT Periodic Pr
 226   0      47236      16108      16152          0          0 BGP Router

I have several questions.

1. What is the *Dead* process? Why does it take so much memory?
2. Is there any unknown process working?
3. How do I decrease memory usage?
4. Which column shows the real memory usage?

Sincerely,
Tseveen.

From andy.saykao at staff.netspace.net.au Tue Jun 16 21:43:27 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Wed, 17 Jun 2009 11:43:27 +1000
Subject: [c-nsp] Can you apply crypto map to SVI
References: <56F211C5E3F24F47B103EA1B253822BE03654E84@vic-cr-ex1.staff.netspace.net.au> <4A375FB9.3010305@umn.edu>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654E86@vic-cr-ex1.staff.netspace.net.au>

Hi Ge,

Yes I see an active crypto engine in "software".

core1#sh cry engine configuration

crypto engine name: unknown
crypto engine type: software
serial number: 00016956
crypto engine state: installed
crypto engine in slot: N/A
platform: Cisco Software Crypto Engine

Encryption Process Info:
input queue size: 500
input queue top: 0
input queue bot: 0
input queue count: 0

Crypto Adjacency Counts:
Lock Count: 0
Unlock Count: 0
crypto lib version: 17.0.0
ipsec lib version: 2.0.0

Does this mean that if the crypto map is applied to the SVI that the IPSEC tunnel should be working (considering my IPSEC config is all good).

Thanks.

Andy

-----Original Message-----
From: Ge Moua [mailto:moua0100 at umn.edu]
Sent: Tuesday, 16 June 2009 7:03 PM
To: Andy Saykao
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Can you apply crypto map to SVI

Yes, this should work contingent on hw platform. If you do a "sh cry engine" do you see an active crypto engine in sw or hw? If not then the crypto commands will never be invoked even though legal.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Andy Saykao wrote:
> Hi All,
>
> Got a problem with a site-to-site IPSEC vpn implementation where one
> end is using SVI.
>
> Does any body know if a crypto map can be applied to a SVI to bring up
> the IPSEC tunnel? It accepts the command but I can't pass any traffic
> to/from it.
>
> interface vlan 10
> crypto map MY-MAP
>
> Or do you need to apply the crypto map to a physical interface?
>
> I've gotten it working on a sub-interface (eg: interface
> GigabitEthernet0/0.11) but can't find any documentation that talks
> about applying it to a SVI and whether this will work.
>
> Thanks.
>
> Andy
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From uugnaa_mns at yahoo.com Tue Jun 16 22:16:37 2009
From: uugnaa_mns at yahoo.com (uugnaa)
Date: Tue, 16 Jun 2009 19:16:37 -0700 (PDT)
Subject: [c-nsp] 3825 memory issue
Message-ID: <952530.34890.qm@web55102.mail.re4.yahoo.com>

Hello,

*Dead* is nothing but processes as a group that are now dead.
"Holding" is Amount of memory currently allocated to the process.
"Allocated" is Bytes of memory allocated by the process.
"Freed" is Bytes of memory freed by the process, regardless of who originally allocated it.

Please try the following commands, you may get a clue:

#show memory dead
#show memory debug unused
#show memory
#show processes

--- On Wed, 6/17/09, Tseveendorj wrote:

From: Tseveendorj
Subject: [c-nsp] 3825 memory issue
To: cisco-nsp at puck.nether.net
Date: Wednesday, June 17, 2009, 6:12 AM

Hello,

I'm using 3825 router to provide internet for ADSL customers. Last week I configured policy-map to provide different bandwidth usage. Since this time my router's memory usage goes up.

border-r#sh processes memory sorted allocated
Processor Pool Total:  143619888 Used:  118621160 Free:   24998728
      I/O Pool Total:   36699648 Used:   10651088 Free:   26048560

 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0 4186877216 4187728860    1501456     256604          0 *Dead*
 104   0  110901912    6213036   95681064          0          0 PPP IP Route
 224   0   79114360   79153804       8752          0          0 crypto sw pk pro
   0   0   45088716   14947936   24508036          0          0 *Init*
 219   0   26739468   26964080      13060          0          0 SNMP ENGINE
 217   0   17194704   16959140      24012          0          0 IP SNMP
   1   0   16815572   15676464    1146168          0          0 Chunk Manager
 225   0   12566668   12602840     170956          0          0 VTEMPLATE Backgr
 213   0    5154176   13760992      38104          0          0 PPP Events
  18   0    4428420    4428088       7392          0          0 ARP Background
 210   0    3901896    1455596     422460          0          0 PPPoE Discovery
  88   0    3291920    3138964      82928          0          0 IP Input
 109   0    2823624          0      13060          0          0 TCP Protocols
 209   0    1489464     320004     606848          0          0 PPPoE Background
  83   0    1131888          0       7060          0          0 AAA ACCT Proc
 222   0     969124    4249452      67108          0          0 RADIUS
  82   0     953112        252      13664          0          0 AAA Server
 207   0     750732       4252     775844          0          0 L2TP mgmt daemon
  59   0     648724       1328     629396          0          0 USB Startup
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
  95   0     439864     305652     243420          0          0 SSS Manager
  77 578     413692     401112      24988          0          0 Virtual Exec
 178   0     350580    1918340       7060          0          0 AAA SEND STOP EV
  25   0     263208          0     272656     113400          0 EEM ED Syslog
 198   0     250300     250300      13060          0          0 Syslog
 167   0     247992          0     255052          0          0 QOS_MODULE_MAIN
 188   0     119396       7344     125844          0          0 EEM Server
 122   0     108244        252     115052          0          0 SCTP Main Proces
 120   0     104664        252     103352          0          0 DHCPD Receive
  93   0      98112        504      13060          0          0 PPP Hooks
 106   0      73808          0      73808          0          0 CEF process
 142   0      73236        252      72648          0          0 FLEX DSPRM MAIN
  17   0      72948      32844      47164          0          0 ARP Input
  24   0      72748          0      79808          0          0 Entity MIB API
  40   0      67568       4424       7060          0          0 TTY Background
 103   0      66736          0      76796          0          0 IP RIB Update
   4   0      65588          0      90648          0          0 EDDRI_MAIN
 152   0      59568      73276       7060          0          0 LOCAL AAA
  54   0      57904        252      64712          0          0 VNM DSPRM MAIN
 206   0      56660          0      15868          0          0 SSH Event handle
  84   0      49384          0      56444          0          0 ACCT Periodic Pr
 226   0      47236      16108      16152          0          0 BGP Router

I have several questions.

1. What is the *Dead* process? Why does it take so much memory?
2. Is there any unknown process working?
3. How do I decrease memory usage?
4. Which column shows the real memory usage?

Sincerely,
Tseveen.

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From moua0100 at umn.edu Wed Jun 17 00:15:24 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 16 Jun 2009 23:15:24 -0500
Subject: [c-nsp] Can you apply crypto map to SVI
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654E86@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654E84@vic-cr-ex1.staff.netspace.net.au> <4A375FB9.3010305@umn.edu> <56F211C5E3F24F47B103EA1B253822BE03654E86@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <4A386DDC.6030302@umn.edu>

Maybe; I've seen a situation with the me-6524 with the crypto commands available but functionality disabled.

What hardware platform are you running?

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Andy Saykao wrote:
> Hi Ge,
>
> Yes I see an active crypto engine in "software".
>
> core1#sh cry engine configuration
>
> crypto engine name: unknown
> crypto engine type: software
> serial number: 00016956
> crypto engine state: installed
> crypto engine in slot: N/A
> platform: Cisco Software Crypto Engine
>
> Encryption Process Info:
> input queue size: 500
> input queue top: 0
> input queue bot: 0
> input queue count: 0
>
> Crypto Adjacency Counts:
> Lock Count: 0
> Unlock Count: 0
> crypto lib version: 17.0.0
> ipsec lib version: 2.0.0
>
> Does this mean that if the crypto map is applied to the SVI that the
> IPSEC tunnel should be working (considering my IPSEC config is all
> good).
>
> Thanks.
> > Andy > > -----Original Message----- > From: Ge Moua [mailto:moua0100 at umn.edu] > Sent: Tuesday, 16 June 2009 7:03 PM > To: Andy Saykao > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Can you apply crypto map to SVI > > Yes, this should work contigent on hw plaform. If you do a "sh cry > engine" do you see an active crypto engine in sw or hw? If not then the > crypto commands will never be invoked even though legal. > > Regards, > Ge Moua | Email: moua0100 at umn.edu > > Network Design Engineer > University of Minnesota | Networking & Telecommunications Services > > > > Andy Saykao wrote: > >> Hi All, >> >> Got a problem with a site-to-site IPSEC vpn implementation where one >> end is using SVI. >> >> Does any body know if a crypto map can be applied to a SVI to bring up >> > > >> the IPSEC tunnel? It accepts the command but I can't pass any traffic >> to/from it. >> >> interface vlan 10 >> crypto map MY-MAP >> >> Or do you need to apply the crypto map to a physical interface? >> >> I've gotten it working on a sub-interface (eg: interface >> GigabitEthernet0/0.11) but can't find any documentation that talks >> about applying it to a SVI and whether this will work. >> >> Thanks. >> >> Andy >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> > are addressed. > >> Please notify the sender immediately by email if you have received >> this email by mistake and delete this email from your system. Please >> note that any views or opinions presented in this email are solely >> those of the author and do not necessarily represent those of the >> > organisation. > >> Finally, the recipient should check this email and any attachments for >> > > >> the presence of viruses. The organisation accepts no liability for any >> > > >> damage caused by any virus transmitted by this email. 
>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > > ______________________________________________________________________ > This email has been scanned by the MessageLabs Email Security System. > For more information please visit http://www.messagelabs.com/email > ______________________________________________________________________ > From andy.saykao at staff.netspace.net.au Wed Jun 17 00:17:45 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Wed, 17 Jun 2009 14:17:45 +1000 Subject: [c-nsp] Can you apply crypto map to SVI References: <56F211C5E3F24F47B103EA1B253822BE03654E84@vic-cr-ex1.staff.netspace.net.au> <4A375FB9.3010305@umn.edu> <56F211C5E3F24F47B103EA1B253822BE03654E86@vic-cr-ex1.staff.netspace.net.au> <4A386DDC.6030302@umn.edu> Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654E87@vic-cr-ex1.staff.netspace.net.au> Hi Ge, This is being implemented on a Cisco 7606 (SUP720) running 12.2(18)SXF16. Thanks. Andy -----Original Message----- From: Ge Moua [mailto:moua0100 at umn.edu] Sent: Wednesday, 17 June 2009 2:15 PM To: Andy Saykao Cc: cisco-nsp at puck.nether.net Subject: Re: Can you apply crypto map to SVI Maybe; I've seen a situation with the me-6524 with the crypto commands available but functionality disabled. What hardware platform are you running? Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Andy Saykao wrote: > Hi Ge, > > Yes I see an active crypto engine in "software". 
> > core1#sh cry engine configuration > > crypto engine name: unknown > crypto engine type: software > serial number: 00016956 > crypto engine state: installed > crypto engine in slot: N/A > platform: Cisco Software Crypto Engine > > Encryption Process Info: > input queue size: 500 > input queue top: 0 > input queue bot: 0 > input queue count: 0 > > Crypto Adjacency Counts: > Lock Count: 0 > Unlock Count: 0 > crypto lib version: 17.0.0 > ipsec lib version: 2.0.0 > > Does this mean that if the crypto map is applied to the SVI that the > IPSEC tunnel should be working (considering my IPSEC config is all > good). > > Thanks. > > Andy > > -----Original Message----- > From: Ge Moua [mailto:moua0100 at umn.edu] > Sent: Tuesday, 16 June 2009 7:03 PM > To: Andy Saykao > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Can you apply crypto map to SVI > > Yes, this should work contigent on hw plaform. If you do a "sh cry > engine" do you see an active crypto engine in sw or hw? If not then > the crypto commands will never be invoked even though legal. > > Regards, > Ge Moua | Email: moua0100 at umn.edu > > Network Design Engineer > University of Minnesota | Networking & Telecommunications Services > > > > Andy Saykao wrote: > >> Hi All, >> >> Got a problem with a site-to-site IPSEC vpn implementation where one >> end is using SVI. >> >> Does any body know if a crypto map can be applied to a SVI to bring >> up >> > > >> the IPSEC tunnel? It accepts the command but I can't pass any traffic >> to/from it. >> >> interface vlan 10 >> crypto map MY-MAP >> >> Or do you need to apply the crypto map to a physical interface? >> >> I've gotten it working on a sub-interface (eg: interface >> GigabitEthernet0/0.11) but can't find any documentation that talks >> about applying it to a SVI and whether this will work. >> >> Thanks. 
>> >> Andy >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> > are addressed. > >> Please notify the sender immediately by email if you have received >> this email by mistake and delete this email from your system. Please >> note that any views or opinions presented in this email are solely >> those of the author and do not necessarily represent those of the >> > organisation. > >> Finally, the recipient should check this email and any attachments >> for >> > > >> the presence of viruses. The organisation accepts no liability for >> any >> > > >> damage caused by any virus transmitted by this email. >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > > ______________________________________________________________________ > This email has been scanned by the MessageLabs Email Security System. > For more information please visit http://www.messagelabs.com/email > ______________________________________________________________________ > ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. 
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

From moua0100 at umn.edu Wed Jun 17 00:43:45 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 16 Jun 2009 23:43:45 -0500
Subject: [c-nsp] Can you apply crypto map to SVI
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654E87@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654E84@vic-cr-ex1.staff.netspace.net.au> <4A375FB9.3010305@umn.edu> <56F211C5E3F24F47B103EA1B253822BE03654E86@vic-cr-ex1.staff.netspace.net.au> <4A386DDC.6030302@umn.edu> <56F211C5E3F24F47B103EA1B253822BE03654E87@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <4A387481.4080403@umn.edu>

I think on the 6500 with Sup720 you may need an IPSec VAM or SPA card for IPSec functionality to be active; I wonder if this is the same on the 7606; you should open a case with Cisco and ask the question.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Andy Saykao wrote:
> Hi Ge,
>
> This is being implemented on a Cisco 7606 (SUP720) running
> 12.2(18)SXF16.
>
> Thanks.
>
> Andy
>
> -----Original Message-----
> From: Ge Moua [mailto:moua0100 at umn.edu]
> Sent: Wednesday, 17 June 2009 2:15 PM
> To: Andy Saykao
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: Can you apply crypto map to SVI
>
> Maybe; I've seen a situation with the me-6524 with the crypto commands
> available but functionality disabled. What hardware platform are you
> running?
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
> Andy Saykao wrote:
>
>> Hi Ge,
>>
>> Yes I see an active crypto engine in "software".
>> >> core1#sh cry engine configuration >> >> crypto engine name: unknown >> crypto engine type: software >> serial number: 00016956 >> crypto engine state: installed >> crypto engine in slot: N/A >> platform: Cisco Software Crypto Engine >> >> Encryption Process Info: >> input queue size: 500 >> input queue top: 0 >> input queue bot: 0 >> input queue count: 0 >> >> Crypto Adjacency Counts: >> Lock Count: 0 >> Unlock Count: 0 >> crypto lib version: 17.0.0 >> ipsec lib version: 2.0.0 >> >> Does this mean that if the crypto map is applied to the SVI that the >> IPSEC tunnel should be working (considering my IPSEC config is all >> good). >> >> Thanks. >> >> Andy >> >> -----Original Message----- >> From: Ge Moua [mailto:moua0100 at umn.edu] >> Sent: Tuesday, 16 June 2009 7:03 PM >> To: Andy Saykao >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] Can you apply crypto map to SVI >> >> Yes, this should work contigent on hw plaform. If you do a "sh cry >> engine" do you see an active crypto engine in sw or hw? If not then >> the crypto commands will never be invoked even though legal. >> >> Regards, >> Ge Moua | Email: moua0100 at umn.edu >> >> Network Design Engineer >> University of Minnesota | Networking & Telecommunications Services >> >> >> >> Andy Saykao wrote: >> >> >>> Hi All, >>> >>> Got a problem with a site-to-site IPSEC vpn implementation where one >>> end is using SVI. >>> >>> Does any body know if a crypto map can be applied to a SVI to bring >>> up >>> >>> >> >> >>> the IPSEC tunnel? It accepts the command but I can't pass any traffic >>> > > >>> to/from it. >>> >>> interface vlan 10 >>> crypto map MY-MAP >>> >>> Or do you need to apply the crypto map to a physical interface? >>> >>> I've gotten it working on a sub-interface (eg: interface >>> GigabitEthernet0/0.11) but can't find any documentation that talks >>> about applying it to a SVI and whether this will work. >>> >>> Thanks. 
>>> >>> Andy >>> >>> This email and any files transmitted with it are confidential and >>> intended solely for the use of the individual or entity to whom they >>> >>> >> are addressed. >> >> >>> Please notify the sender immediately by email if you have received >>> this email by mistake and delete this email from your system. Please >>> note that any views or opinions presented in this email are solely >>> those of the author and do not necessarily represent those of the >>> >>> >> organisation. >> >> >>> Finally, the recipient should check this email and any attachments >>> for >>> >>> >> >> >>> the presence of viruses. The organisation accepts no liability for >>> any >>> >>> >> >> >>> damage caused by any virus transmitted by this email. >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >>> >> ______________________________________________________________________ >> This email has been scanned by the MessageLabs Email Security System. >> For more information please visit http://www.messagelabs.com/email >> ______________________________________________________________________ >> >> > > ______________________________________________________________________ > This email has been scanned by the MessageLabs Email Security System. > For more information please visit http://www.messagelabs.com/email > ______________________________________________________________________ > From tseveendorj at gmail.com Wed Jun 17 00:36:10 2009 From: tseveendorj at gmail.com (Tseveendorj) Date: Wed, 17 Jun 2009 13:36:10 +0900 Subject: [c-nsp] 3825 memory issue In-Reply-To: <952530.34890.qm@web55102.mail.re4.yahoo.com> References: <952530.34890.qm@web55102.mail.re4.yahoo.com> Message-ID: <4A3872BA.9010500@gmail.com> PPP IP Route process eating a lot of memory and It is keep eating up hour by hour. 
border-r#sh processes memory sorted holding
Processor Pool Total:  143619888 Used:  120966360 Free:   22653528
      I/O Pool Total:   36699648 Used:   10651088 Free:   26048560

 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 104   0  113301400    6272240   97988856          0          0 PPP IP Route
   0   0   45088716   14947936   24508036          0          0 *Init*
   0   0   11410388   12182232    1503712     256604          0 *Dead*
   1   0   16854608   15701280    1160388          0          0 Chunk Manager

Any clue how to get out of this memory-related thing with configuration? Otherwise I have to upgrade RAM.

Sincerely,
Tseveen.

uugnaa wrote:
> Hello,
>
> *Dead* is nothing but processes as a group that are now dead.
>
> "Holding" is Amount of memory currently allocated to the process.
>
> "Allocated" is Bytes of memory allocated by the process.
>
> "Freed" is Bytes of memory freed by the process, regardless of who originally allocated it.
>
> Please try the following commands, you may get a clue
> #show memory dead
> #show memory debug unused
> #show memory
> #show processes
>
> --- On Wed, 6/17/09, Tseveendorj wrote:
>
> From: Tseveendorj
> Subject: [c-nsp] 3825 memory issue
> To: cisco-nsp at puck.nether.net
> Date: Wednesday, June 17, 2009, 6:12 AM
>
> Hello,
>
> I'm using 3825 router to provide internet for ADSL customers. Last week I configured policy-map to provide different bandwidth usage. Since this time my routers memory usage goes up.
> > border-r#sh processes memory sorted allocated > Processor Pool Total: 143619888 Used: 118621160 Free: 24998728 > I/O Pool Total: 36699648 Used: 10651088 Free: 26048560 > > PID TTY Allocated Freed Holding Getbufs Retbufs Process > 0 0 4186877216 4187728860 1501456 256604 0 *Dead* > 104 0 110901912 6213036 95681064 0 0 PPP IP Route > 224 0 79114360 79153804 8752 0 0 crypto sw pk pro > 0 0 45088716 14947936 24508036 0 0 *Init* > 219 0 26739468 26964080 13060 0 0 SNMP ENGINE > 217 0 17194704 16959140 24012 0 0 IP SNMP > 1 0 16815572 15676464 1146168 0 0 Chunk Manager > 225 0 12566668 12602840 170956 0 0 VTEMPLATE Backgr > 213 0 5154176 13760992 38104 0 0 PPP Events > 18 0 4428420 4428088 7392 0 0 ARP Background > 210 0 3901896 1455596 422460 0 0 PPPoE Discovery > 88 0 3291920 3138964 82928 0 0 IP Input > 109 0 2823624 0 13060 0 0 TCP Protocols > 209 0 1489464 320004 606848 0 0 PPPoE Background > 83 0 1131888 0 7060 0 0 AAA ACCT Proc > 222 0 969124 4249452 67108 0 0 RADIUS > 82 0 953112 252 13664 0 0 AAA Server > 207 0 750732 4252 775844 0 0 L2TP mgmt daemon > 59 0 648724 1328 629396 0 0 USB Startup > PID TTY Allocated Freed Holding Getbufs Retbufs Process > 95 0 439864 305652 243420 0 0 SSS Manager > 77 578 413692 401112 24988 0 0 Virtual Exec > 178 0 350580 1918340 7060 0 0 AAA SEND STOP EV > 25 0 263208 0 272656 113400 0 EEM ED Syslog > 198 0 250300 250300 13060 0 0 Syslog > 167 0 247992 0 255052 0 0 QOS_MODULE_MAIN > 188 0 119396 7344 125844 0 0 EEM Server > 122 0 108244 252 115052 0 0 SCTP Main Proces > 120 0 104664 252 103352 0 0 DHCPD Receive > 93 0 98112 504 13060 0 0 PPP Hooks > 106 0 73808 0 73808 0 0 CEF process > 142 0 73236 252 72648 0 0 FLEX DSPRM MAIN > 17 0 72948 32844 47164 0 0 ARP Input > 24 0 72748 0 79808 0 0 Entity MIB API > 40 0 67568 4424 7060 0 0 TTY Background > 103 0 66736 0 76796 0 0 IP RIB Update > 4 0 65588 0 90648 0 0 EDDRI_MAIN > 152 0 59568 73276 7060 0 0 LOCAL AAA > 54 0 57904 252 64712 0 0 VNM DSPRM MAIN > 206 0 56660 0 15868 0 0 
SSH Event handle > 84 0 49384 0 56444 0 0 ACCT Periodic Pr > 226 0 47236 16108 16152 0 0 BGP Router > > I have several questions. > > 1. What is *Dead* process ? it takes many memory why ? > 2. Is there any unknown process working ? > 3. How do I decrease memory usage ? > 4. What is column of memory real usage ? > > Sincerely, > Tseveen. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From vitya at list.ru Wed Jun 17 01:49:44 2009 From: vitya at list.ru (victor) Date: Wed, 17 Jun 2009 09:49:44 +0400 Subject: [c-nsp] ME-4924-10GE & mgt port Message-ID: Hi Please, help. What is the purpose of mgt port on ME-4924-10GE. I somehow feel that it's for out-of-band management but there is no corresponding entry in the config. Though during the boot it prints "1 Virtual Ethernet Interface". Current IOS - ipbase-m 12.2(31) sga5. How can I use this port? -- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/ From oboehmer at cisco.com Wed Jun 17 02:24:01 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 17 Jun 2009 08:24:01 +0200 Subject: [c-nsp] clear ip pool In-Reply-To: References: Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840784BF34@xmb-ams-333.emea.cisco.com> Sebastian Ganschow <> wrote on Friday, June 12, 2009 11:55: > Hi, > > we've got our ciscos configured that ip pool configuration is derived > from our radius servers. > > In order to change the ip pool, I change the pool in the radius > config. But our ciscos are still using the old ip pool. It seems like > some caching issue. 
> > Is there any way to let the cisco forget the pool information and get > it again from the radius server? Hmm, it's been a while since I dealt with that sort of stuff, and there is an AVP (cisco-avpair = "ip:pool-timeout=") you can (and should) send along with the pool definition. I fear the default is "no timeout", and I'm not aware how to manually clear this. Maybe you can try "no ip local pool " to purge it.. oli From avayner at cisco.com Wed Jun 17 02:31:31 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Wed, 17 Jun 2009 08:31:31 +0200 Subject: [c-nsp] ME-4924-10GE & mgt port In-Reply-To: References: Message-ID: <78C984F8939D424697B15E4B1C1BB3D7CCDF09@xmb-ams-331.emea.cisco.com> Victor, Try taking a look here: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/52sg/conf iguration/guide/sw_int.html#wp1110617 Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of victor Sent: Wednesday, June 17, 2009 08:50 To: cisco-nsp at puck.nether.net Subject: [c-nsp] ME-4924-10GE & mgt port Hi Please, help. What is the purpose of mgt port on ME-4924-10GE. I somehow feel that it's for out-of-band management but there is no corresponding entry in the config. Though during the boot it prints "1 Virtual Ethernet Interface". Current IOS - ipbase-m 12.2(31) sga5. How can I use this port? 
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From Ronny.Faessler at srgssrideesuisse.ch Wed Jun 17 01:59:24 2009
From: Ronny.Faessler at srgssrideesuisse.ch (Fässler, Ronny)
Date: Wed, 17 Jun 2009 07:59:24 +0200
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To:
References:
Message-ID: <4D958EB6FC3CC442B053B06F57497F7E012BF7D2@seginus.GD.AD.PROD>

Just additional info. Here's what "my" Cisco Technical said last time I looked at it...

You can not point the next-hop to the local router's interface. Development does not plan on supporting this configuration. <---- !!!!

Looks bad - I did it with a "golden Cable" - Physical crossover loop...

Have a great day
Ronny

From vitya at list.ru Wed Jun 17 03:54:03 2009
From: vitya at list.ru (victor)
Date: Wed, 17 Jun 2009 11:54:03 +0400
Subject: [c-nsp] ME-4924-10GE & mgt port
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7CCDF09@xmb-ams-331.emea.cisco.com>
References: <78C984F8939D424697B15E4B1C1BB3D7CCDF09@xmb-ams-331.emea.cisco.com>
Message-ID:

Like I said there is nothing like "interface FastEthernet1" in the running-config
Maybe I need to enable it somewhere?
When I plug in a patch-cord the link ON THE OTHER SIDE goes up but the light beneath mgt port doesn't light up.
BTW, sho int doesn't list Fe1 as a possible option.
On Wed, 17 Jun 2009 10:31:31 +0400, Arie Vayner (avayner) wrote: > Victor, > > Try taking a look here: > http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/52sg/conf > iguration/guide/sw_int.html#wp1110617 > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of victor > Sent: Wednesday, June 17, 2009 08:50 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ME-4924-10GE & mgt port > > Hi > Please, help. What is the purpose of mgt port on ME-4924-10GE. I somehow > > feel that it's for out-of-band management but there is no corresponding > > entry in the config. Though during the boot it prints "1 Virtual > Ethernet > Interface". Current IOS - ipbase-m 12.2(31) sga5. > How can I use this port? -- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/ From euang+cisco-nsp at lists.eusahues.co.uk Wed Jun 17 04:33:08 2009 From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway) Date: Wed, 17 Jun 2009 09:33:08 +0100 Subject: [c-nsp] ME-4924-10GE & mgt port In-Reply-To: References: <78C984F8939D424697B15E4B1C1BB3D7CCDF09@xmb-ams-331.emea.cisco.com> Message-ID: <20090617083308.GA20135@hyperion.eusahues.co.uk> On Wed, Jun 17, 2009 at 11:54:03AM +0400, victor wrote: > Like I said there is nothing like "interface FastEthernet1" in the > running-config > Maybe I need to enable it somewhere? > When I plug in a patch-cord the link ON THE OTHER SIDE goes up but the > light beneath mgt port doesn't light up. > BTW, sho int doesn't list Fe1 as a possible option. Maybe this line (mentioned under "ISSU Model") "So, you cannot enable the management port on a redundant chassis if one of the two supervisor engines is running an IOS image older than 12.2(50)SG (where the Management port is not supported)." 
--
Euan Galloway

From steve.mcnamara at gmail.com Wed Jun 17 05:53:40 2009
From: steve.mcnamara at gmail.com (Steve McNamara)
Date: Wed, 17 Jun 2009 10:53:40 +0100
Subject: [c-nsp] ME-4924-10GE & mgt port
In-Reply-To:
References: <78C984F8939D424697B15E4B1C1BB3D7CCDF09@xmb-ams-331.emea.cisco.com>
Message-ID: <494a4f80906170253y51d77059x4bc565f16d80f1eb@mail.gmail.com>

From http://www.cisco.com/en/US/docs/switches/metro/me4924-10ge/hardware/installation/guide/HIGOVEW.html#wp1161221

Management Port

The management port is used (in ROMMON mode only) to recover a switch software image that has been corrupted or destroyed due to a network catastrophe. This port is not active while the switch is operating normally. You should designate one of the normal ports on your switch as a management port, used for configuration and monitoring traffic. Do not connect the management port to this network, it is only intended to be used from a direct console connection.

Regards
Steve

On Wed, Jun 17, 2009 at 08:54, victor wrote:
> Like I said there is nothing like "interface FastEthernet1" in the
> running-config
> Maybe I need to enable it somewhere?
> When I plug in a patch-cord the link ON THE OTHER SIDE goes up but the
> light beneath mgt port doesn't light up.
> BTW, sho int doesn't list Fe1 as a possible option.
>
>
> On Wed, 17 Jun 2009 10:31:31 +0400, Arie Vayner (avayner) <
> avayner at cisco.com> wrote:
>
> Victor,
>>
>> Try taking a look here:
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/52sg/conf
>> iguration/guide/sw_int.html#wp1110617
>>
>> Arie
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of victor
>> Sent: Wednesday, June 17, 2009 08:50
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ME-4924-10GE & mgt port
>>
>> Hi
>> Please, help. What is the purpose of mgt port on ME-4924-10GE.
I somehow
>> feel that it's for out-of-band management but there is no corresponding
>> entry in the config. Though during the boot it prints "1 Virtual
>> Ethernet
>> Interface". Current IOS - ipbase-m 12.2(31) sga5.
>> How can I use this port?
>>
>
> --
> Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From jmaimon at ttec.com Wed Jun 17 06:17:04 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Wed, 17 Jun 2009 06:17:04 -0400
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To: <9e246b4d0906161312o285451a3pe5186cfe1ff582c1@mail.gmail.com>
References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com> <002501c9eea7$34983830$0a00000a@nil.si> <02d001c9eea9$6f918020$4eb48060$@net> <9e246b4d0906161312o285451a3pe5186cfe1ff582c1@mail.gmail.com>
Message-ID: <4A38C2A0.1010500@ttec.com>

Tim Durack wrote:
>
> Amen to that.
>
> I've played around with the various loopback strategies, including
> using a gre tunnel that originates/terminates on the same PE. It
> worked, but didn't seem like a scalable solution.

A dot1q trunk between two ports (if you're not using a switch platform as your router) or even ATM scales. You just pay 2x pps. And you can scale it for however many connections you want.

Which is probably faster than tunnels, but I haven't actually benchmarked it.

>
> The conclusion I came to is that most MPLS scenarios assume you are
> using a separate PE/firewall to move traffic between global and vrfs
> (and probably even inter-vrf.)
>
> It would be great to have a simple global-vrf route exchange feature though.

And a way to treat it as an interface on both sides.
> > Tim:> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From s.ganschow at buelow-masiak.de Wed Jun 17 06:49:23 2009 From: s.ganschow at buelow-masiak.de (Sebastian Ganschow) Date: Wed, 17 Jun 2009 12:49:23 +0200 Subject: [c-nsp] clear ip pool In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840784BF34@xmb-ams-333.emea.cisco.com> Message-ID: > Hmm, it's been a while since I dealt with that sort of stuff, and there > is an AVP (cisco-avpair = "ip:pool-timeout=") you can (and > should) send along with the pool definition. I fear the default is "no > timeout", and I'm not aware how to manually clear this. Maybe you can > try "no ip local pool " to purge it.. > > oli You can purge the pool with no ip local pool , but the infos I found on CCO are saying, that the information from the radius server is only retrieved during a reload. Sebastian From oboehmer at cisco.com Wed Jun 17 06:54:00 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 17 Jun 2009 12:54:00 +0200 Subject: [c-nsp] clear ip pool In-Reply-To: References: <70B7A1CCBFA5C649BD562B6D9F7ED7840784BF34@xmb-ams-333.emea.cisco.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840784C16D@xmb-ams-333.emea.cisco.com> Sebastian Ganschow wrote on Wednesday, June 17, 2009 12:49: >> Hmm, it's been a while since I dealt with that sort of stuff, and >> there is an AVP (cisco-avpair = "ip:pool-timeout=") you can >> (and should) send along with the pool definition. I fear the default >> is "no timeout", and I'm not aware how to manually clear this. Maybe >> you can try "no ip local pool " to purge it.. >> >> oli > > You can purge the pool with no ip local pool , but the infos I > found on CCO are saying, that the information from the radius server > is only retrieved during a reload. hmm, where is this documented? 
If I recall correctly, the router tries to fetch the pool from Radius when a user logs in whose authorization information reference this pool and the pool is not yet defined (or has expired when you sent "ip:pool-timeout" along with the pool) oli From s.ganschow at buelow-masiak.de Wed Jun 17 10:17:21 2009 From: s.ganschow at buelow-masiak.de (Sebastian Ganschow) Date: Wed, 17 Jun 2009 16:17:21 +0200 Subject: [c-nsp] clear ip pool In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840784C16D@xmb-ams-333.emea.cisco.com> Message-ID: > hmm, where is this documented? If I recall correctly, the router tries > to fetch the pool from Radius when a user logs in whose authorization > information reference this pool and the pool is not yet defined (or has > expired when you sent "ip:pool-timeout" along with the pool) We had no timeout configured. I assume, the pool won't time out then. There was no pool configured on the router, but sh ip local pool, showed the pool, which was retrieved via RADIUS. When I deleted the local pool with no ip local pool dslin, the pool was removed, but hasn't been loaded via RADIUS. So for the moment, I've configured the pool locally, till I can reload the router in the next maintenance window. As I don't find the page, where this is documented, I can't send the link. Sebastian From cluestore at gmail.com Wed Jun 17 11:52:33 2009 From: cluestore at gmail.com (Clue Store) Date: Wed, 17 Jun 2009 10:52:33 -0500 Subject: [c-nsp] Global Route Leaking on same PE In-Reply-To: <9e246b4d0906161312o285451a3pe5186cfe1ff582c1@mail.gmail.com> References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com> <002501c9eea7$34983830$0a00000a@nil.si> <02d001c9eea9$6f918020$4eb48060$@net> <9e246b4d0906161312o285451a3pe5186cfe1ff582c1@mail.gmail.com> Message-ID: <580af3b90906170852vbb0f91am40e209a4cf5963c6@mail.gmail.com> > >It would be great to have a simple global-vrf route exchange feature > though. Anyone using a vrf for their global tables?? 
This solution could possibly work for me but not sure what insane issues would come up by doing this.

From harbor235 at gmail.com Wed Jun 17 09:57:35 2009
From: harbor235 at gmail.com (harbor235)
Date: Wed, 17 Jun 2009 09:57:35 -0400
Subject: [c-nsp] Network Perefromance
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C381C142C3@PUR-EXCH07.ox.com>
References: <836bf1f90906161245k5d217af5h32950925f115cd89@mail.gmail.com>
	<483E6B0272B0284BA86D7596C40D29F9C381C142C3@PUR-EXCH07.ox.com>
Message-ID: <836bf1f90906170657i74ad129fh212d22c10b3c8687@mail.gmail.com>

I am definitely aware of IP SLA and also agree that it is very useful; however, this customer's network is Juniper so I will be unable to utilize that feature. MTR looks like it is doable; however, it uses ICMP. I doubt that you can get an accurate picture of the network using ICMP. Can it be programmed to use TCP or UDP and vary the packet size?

mike

On Tue, Jun 16, 2009 at 4:35 PM, Matthew Huff wrote:

> We are a Cisco shop, so we use the "ip sla" feature of newer IOS releases with
> CiscoWorks LMS. Netflow is useful for traffic monitoring, but for latency
> and jitter, the cisco featureset is really nice.
>
> For example, between two of our voice gateway boxes (running sip trunking
> between them) in NY & SF:
>
> rtr-nyvoip#show ip sla statistics aggregated 1
> IPSLAs aggregated statistics
>
> IPSLA operation id: 1
> Start Time Index: .16:15:07.749 EDT Tue Jun 16 2009
> Type of operation: udp-jitter
> Voice Scores:
>    MinOfICPIF: 11   MaxOfICPIF: 11   MinOfMOS: 4.6   MaxOfMOS: 4.6
> RTT Values:
>    Number Of RTT: 18000   RTT Min/Avg/Max: 91/91/96 milliseconds
> Latency one-way time:
>    Number of Latency one-way Samples: 0
>    Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
>    Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
> Jitter Time:
>    Number of SD Jitter Samples: 17982
>    Number of DS Jitter Samples: 17982
>    Source to Destination Jitter Min/Avg/Max: 0/1/4 milliseconds
>    Destination to Source Jitter Min/Avg/Max: 0/1/4 milliseconds
> Packet Loss Values:
>    Loss Source to Destination: 0   Loss Destination to Source: 0
>    Out Of Sequence: 0   Tail Drop: 0
>    Packet Late Arrival: 0   Packet Skipped: 0
> Number of successes: 18
> Number of failures: 0
>
> Start Time Index: .15:15:07.749 EDT Tue Jun 16 2009
> Type of operation: udp-jitter
> Voice Scores:
>    MinOfICPIF: 11   MaxOfICPIF: 11   MinOfMOS: 4.6   MaxOfMOS: 4.6
> RTT Values:
>    Number Of RTT: 60000   RTT Min/Avg/Max: 91/91/103 milliseconds
> Latency one-way time:
>    Number of Latency one-way Samples: 0
>    Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
>    Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
> Jitter Time:
>    Number of SD Jitter Samples: 59940
>    Number of DS Jitter Samples: 59940
>    Source to Destination Jitter Min/Avg/Max: 0/1/11 milliseconds
>    Destination to Source Jitter Min/Avg/Max: 0/1/7 milliseconds
> Packet Loss Values:
>    Loss Source to Destination: 0   Loss Destination to Source: 0
>    Out Of Sequence: 0   Tail Drop: 0
>    Packet Late Arrival: 0   Packet Skipped: 0
> Number of successes: 60
> Number of failures: 0
>
> The config is:
>
> ip sla responder
> ip sla logging traps
> ip sla 1
>  udp-jitter x.x.x.x 12420 source-ip x.x.x.x codec g729a
> ip sla schedule 1 life forever start-time now
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of harbor235
> > Sent: Tuesday, June 16, 2009 3:46 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Network Perefromance
> >
> > I wanted to ping everyone on tools they were using to understand the
> > performance of their network, specifically, measuring packet loss,
> > latency, and jitter.
> >
> > mike

From jeff-kell at utc.edu Wed Jun 17 12:19:11 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 17 Jun 2009 12:19:11 -0400
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To: <580af3b90906170852vbb0f91am40e209a4cf5963c6@mail.gmail.com>
References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com>
	<002501c9eea7$34983830$0a00000a@nil.si>
	<02d001c9eea9$6f918020$4eb48060$@net>
	<9e246b4d0906161312o285451a3pe5186cfe1ff582c1@mail.gmail.com>
	<580af3b90906170852vbb0f91am40e209a4cf5963c6@mail.gmail.com>
Message-ID: <4A39177F.3070403@utc.edu>

Clue Store wrote:
> Anyone using a vrf for their global tables?? This solution could possibly
> work for me but not sure what insane issues would come up by doing this.

After trying several other approaches and failing, "if you can't beat them, join them..."

We use the "global table" only for infrastructure and network management (ironically, our "out-of-band" needs). User traffic is ALL in VRFs.
Jeff

From eric at atlantech.net Wed Jun 17 12:33:13 2009
From: eric at atlantech.net (Eric Van Tol)
Date: Wed, 17 Jun 2009 12:33:13 -0400
Subject: [c-nsp] Network Perefromance
In-Reply-To: <836bf1f90906170657i74ad129fh212d22c10b3c8687@mail.gmail.com>
References: <836bf1f90906161245k5d217af5h32950925f115cd89@mail.gmail.com>
	<483E6B0272B0284BA86D7596C40D29F9C381C142C3@PUR-EXCH07.ox.com>
	<836bf1f90906170657i74ad129fh212d22c10b3c8687@mail.gmail.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B86353E994F23@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of harbor235
> Sent: Wednesday, June 17, 2009 9:58 AM
> To: Matthew Huff
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Network Perefromance
>
> I am definitely aware of IP SLA and also agree that it is very useful,
> however, this customer's network is Juniper so I will be
> unable to utilize that feature.
>

Look into RPM, available in JUNOS:

http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/config-guide-services/id-13352983.html#id-13352983

-evt

From paul at paulstewart.org Wed Jun 17 13:05:33 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 17 Jun 2009 13:05:33 -0400
Subject: [c-nsp] 10GE blade questions
Message-ID: <000001c9ef6d$e0666350$a13329f0$@org>

We have a 6509 sup2/msfc2 switch which only does layer2 services - are there 10GE options available for this platform?

The WS-X6708-10G-3CXL blades are also of interest for the Sup720 platform - if they are only doing VLAN trunks out to remote switches and any routing would be done on SVI interfaces on the Sup720, then does it matter if you get only the 3C version?
Thanks,

Paul

From rblayzor.bulk at inoc.net Wed Jun 17 13:12:49 2009
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Wed, 17 Jun 2009 13:12:49 -0400
Subject: [c-nsp] NPE-G2 Management interface limitation
Message-ID: <0BAA3160-87C9-4353-95F6-D607FE811A43@inoc.net>

The NPE-G2 FAQ states:

Q. Are routing protocols supported on the 10/100BASE-T management interface?

A. Yes, routing protocols are supported on the management interface. However, the management interface is strictly for management purposes only, with limited packet forwarding.

We use management interfaces now on some of the G2's, but need another interface to trap some IP exported streams (10 - 20Mbps max). I cannot find anything that states what the "limited packet forwarding" is. Anyone have any more info or real world experience?

TIA

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From gert at greenie.muc.de Wed Jun 17 13:29:09 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 17 Jun 2009 19:29:09 +0200
Subject: [c-nsp] 10GE blade questions
In-Reply-To: <000001c9ef6d$e0666350$a13329f0$@org>
References: <000001c9ef6d$e0666350$a13329f0$@org>
Message-ID: <20090617172909.GL290@greenie.muc.de>

Hi,

On Wed, Jun 17, 2009 at 01:05:33PM -0400, Paul Stewart wrote:
> We have a 6509 sup2/msfc2 switch which only does layer2 services - is there
> 10GE options available for this platform?

None of the WS-X67xx boards will work with a Sup2 (they need Sup720 fabric connections).

I seem to remember that there was an earlier 10G blade (something like "1 ports, no XENPAKs"), but can't find any details about it - the board name was WS-X6502-10GE, and even that one would require a fabric board for your Sup2 (CEF256 fabric) - which hardly anybody has.

I'm not sure whether I'd go there...
> The WS-X6708-10G-3CXL blades are also of interest for Sup720 platform - if
> they are only doing VLAN trunks out to remote switches and any routing would
> be done on SVI interfaces on the Sup720 then does it matter if you get only
> the 3C version?

Yes. *If* there is a DFC on the board, and it's a non-XL DFC, all the switching in the system downgrades itself to "non-XL".

I think you could run it as a CFC card (with no DFC), but as far as I remember, it's not sold that way and most likely "not supported".

gert
--
USENET is *not* the non-clickable part of WWW!
                                                        //www.muc.de/~gert/
Gert Doering - Munich, Germany                   gert at greenie.muc.de
fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de

From tstevens at cisco.com Wed Jun 17 13:51:20 2009
From: tstevens at cisco.com (Tim Stevenson)
Date: Wed, 17 Jun 2009 10:51:20 -0700
Subject: [c-nsp] 10GE blade questions
In-Reply-To: <20090617172909.GL290@greenie.muc.de>
References: <000001c9ef6d$e0666350$a13329f0$@org>
	<20090617172909.GL290@greenie.muc.de>
Message-ID: <200906171751.n5HHpYTD015448@sj-core-2.cisco.com>

At 10:29 AM 6/17/2009, Gert Doering blurted out:
> Hi,
>
> On Wed, Jun 17, 2009 at 01:05:33PM -0400, Paul Stewart wrote:
> > We have a 6509 sup2/msfc2 switch which only does layer2 services - is there
> > 10GE options available for this platform?
>
> None of the WS-X67xx boards will work with a Sup2 (they need Sup720
> fabric connections).
>
> I seem to remember that there was an earlier 10G blade (something like
> "1 ports, no XENPAKs"), but can't find any details about it - the
> board name was WS-X6502-10GE, and even that one would require a fabric
> board for your Sup2 (CEF256 fabric) - which hardly anybody has.
>
> I'm not sure whether I'd go there...

That card is EOL & will be EOS next month.
You are better off upgrading the sup to sup720 and buying a 670x 10G card, it'll be cheaper & higher performance.

> > The WS-X6708-10G-3CXL blades are also of interest for Sup720 platform - if
> > they are only doing VLAN trunks out to remote switches and any
> > routing would
> > be done on SVI interfaces on the Sup720 then does it matter if you get only
> > the 3C version?
>
> Yes. *If* there is a DFC on the board, and it's a non-XL DFC, all the
> switching in the system downgrades itself to "non-XL".
>
> I think you could run it as a CFC card (with no DFC), but as far as
> I remember, it's not sold that way and most likely "not supported".

6708/16 do not have a CFC option, they only run with DFC.

HTH,
Tim

> gert
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany                   gert at greenie.muc.de
> fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

From paul at paulstewart.org Wed Jun 17 13:57:27 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 17 Jun 2009 13:57:27 -0400
Subject: [c-nsp] 10GE blade questions
In-Reply-To: <200906171751.n5HHpYTD015448@sj-core-2.cisco.com>
References: <000001c9ef6d$e0666350$a13329f0$@org>
	<20090617172909.GL290@greenie.muc.de>
	<200906171751.n5HHpYTD015448@sj-core-2.cisco.com>
Message-ID: <000d01c9ef75$212d7890$638869b0$@org>

Thanks folks..
I figured the 720 upgrade would come along as part of this..;)

Cheers,

Paul

From: Tim Stevenson [mailto:tstevens at cisco.com]
Sent: Wednesday, June 17, 2009 1:51 PM
To: Gert Doering; Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 10GE blade questions

At 10:29 AM 6/17/2009, Gert Doering blurted out:

Hi,

On Wed, Jun 17, 2009 at 01:05:33PM -0400, Paul Stewart wrote:
> We have a 6509 sup2/msfc2 switch which only does layer2 services - is there
> 10GE options available for this platform?

None of the WS-X67xx boards will work with a Sup2 (they need Sup720 fabric connections).

I seem to remember that there was an earlier 10G blade (something like "1 ports, no XENPAKs"), but can't find any details about it - the board name was WS-X6502-10GE, and even that one would require a fabric board for your Sup2 (CEF256 fabric) - which hardly anybody has.

I'm not sure whether I'd go there...

That card is EOL & will be EOS next month. You are better off upgrading the sup to sup720 and buying a 670x 10G card, it'll be cheaper & higher performance.

> The WS-X6708-10G-3CXL blades are also of interest for Sup720 platform - if
> they are only doing VLAN trunks out to remote switches and any routing would
> be done on SVI interfaces on the Sup720 then does it matter if you get only
> the 3C version?

Yes. *If* there is a DFC on the board, and it's a non-XL DFC, all the switching in the system downgrades itself to "non-XL".

I think you could run it as a CFC card (with no DFC), but as far as I remember, it's not sold that way and most likely "not supported".

6708/16 do not have a CFC option, they only run with DFC.

HTH,
Tim

gert
--
USENET is *not* the non-clickable part of WWW!
                                                        //www.muc.de/~gert/
Gert Doering - Munich, Germany                   gert at greenie.muc.de
fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759

From ras at e-gerbil.net Wed Jun 17 15:21:46 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 17 Jun 2009 14:21:46 -0500
Subject: [c-nsp] 10GE blade questions
In-Reply-To: <20090617172909.GL290@greenie.muc.de>
References: <000001c9ef6d$e0666350$a13329f0$@org>
	<20090617172909.GL290@greenie.muc.de>
Message-ID: <20090617192146.GG51443@gerbil.cluepon.net>

On Wed, Jun 17, 2009 at 07:29:09PM +0200, Gert Doering wrote:
> I seem to remember that there was an earlier 10G blade (something like
> "1 ports, no XENPAKs"), but can't find any details about it - the
> board name was WS-X6502-10GE, and even that one would require a fabric
> board for your Sup2 (CEF256 fabric) - which hardly anybody has.
>
> I'm not sure whether I'd go there...

WS-X6502-10GE, a 1-port CEF256 with proprietary LR optics which has been End of Sale for about 5 years now. At one point they were the poor man's alternative to a 6704, but these days they're so rare that they're far more expensive than a sup720+6704. Of course, if you know the right people, I bet you could probably still find one via dumpster diving, but unless you're trying to complete your museum collection I wouldn't recommend wasting the time.
--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From ez.c0re at gmail.com Wed Jun 17 15:55:04 2009
From: ez.c0re at gmail.com (c0re dumped)
Date: Wed, 17 Jun 2009 16:55:04 -0300
Subject: [c-nsp] NAT issue
Message-ID: <6dd8736a0906171255g688a8502keb926cd520d8b51f@mail.gmail.com>

Hello guys,

I have the following scenario:

I receive a packet on the ATM0/0 interface. The packet has the following addresses: SRC A.A.A.A and DST B.B.B.B.
I must translate the packet and send it out the *same* interface (ATM0/0), *but* with the following addresses: SRC X.X.X.X DST Y.Y.Y.Y

What NAT configuration do I have to apply so that this will work perfectly?

thanx,

Fabio

--
"To err is human, to blame it on somebody else shows management potential."

From pshem.k at gmail.com Wed Jun 17 16:39:05 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Thu, 18 Jun 2009 08:39:05 +1200
Subject: [c-nsp] Global Route Leaking on same PE
In-Reply-To: <580af3b90906170852vbb0f91am40e209a4cf5963c6@mail.gmail.com>
References: <580af3b90906160717u716a2601m63769052f09b0de@mail.gmail.com>
	<002501c9eea7$34983830$0a00000a@nil.si>
	<02d001c9eea9$6f918020$4eb48060$@net>
	<9e246b4d0906161312o285451a3pe5186cfe1ff582c1@mail.gmail.com>
	<580af3b90906170852vbb0f91am40e209a4cf5963c6@mail.gmail.com>
Message-ID: <20fe625b0906171339u7ecdd242k559728190d6ae9b3@mail.gmail.com>

Hi,

Yes, everything - including the internet table; only infrastructure runs in the global one. As many have noticed, the pain of getting anything going between the global table and the vrfs is just too much. All I miss now is the ability to do a static route from one vrf to another vrf ;-) but for now vrf import/export seems to do the trick short term ;-)

regards
pshem

2009/6/18 Clue Store :
> > > It would be great to have a simple global-vrf route exchange feature
> > > though.
>
> Anyone using a vrf for their global tables??
> This solution could possibly
> work for me but not sure what insane issues would come up by doing this.
>

From rodunn at cisco.com Wed Jun 17 16:58:14 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 17 Jun 2009 16:58:14 -0400
Subject: [c-nsp] NAT issue
In-Reply-To: <6dd8736a0906171255g688a8502keb926cd520d8b51f@mail.gmail.com>
References: <6dd8736a0906171255g688a8502keb926cd520d8b51f@mail.gmail.com>
Message-ID: <20090617205814.GB3393@rtp-cse-489.cisco.com>

What does your routing look like to get it in/out the same ATM interface?

On Wed, Jun 17, 2009 at 04:55:04PM -0300, c0re dumped wrote:
> Hello guys,
>
> I have following scenario:
>
> I receive a packet in ATM0/0 interface. The packet has the following
> addresses: SRC A.A.A.A and DST B.B.B.B.
> I must translate the packet and send it out the *same* interface
> (ATM0/0), *but* with the following addresses: SRC X.X.X.X DST Y.Y.Y.Y
>
> What NAT configuration do I have to apply so that will work perfectly ?
>
>
> thanx,
>
> Fabio
>
> --
>
> "To err is human, to blame it on somebody else shows management potential."

From jrhett at netconsonance.com Wed Jun 17 19:59:05 2009
From: jrhett at netconsonance.com (Jo Rhett)
Date: Wed, 17 Jun 2009 16:59:05 -0700
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <919169.94149.qm@web1204.biz.mail.gq1.yahoo.com>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>
	<4A313392.60604@kl.net>
	<4A31548E.3080501@imperial.ac.uk>
	<4A327775.8050800@kl.net>
	<1244844193.9252.17.camel@localhost.localdomain>
	<919169.94149.qm@web1204.biz.mail.gq1.yahoo.com>
Message-ID: <28FF196F-67B9-4D57-BCF9-D3B4EB38FC7C@netconsonance.com>

On Jun 15, 2009, at 11:29 AM, Kevin Graham wrote:
> Given the 192 ports of 10/100/1000, presumably this is aggregating
> customers, in which case it'd be best to roll these up on 7600/RSP720
> (along with their associated BGP, since most of them would probably be
> suitable for peer-groups). uRPF wouldn't be a problem, and hopefully
> ACL's would be uniform enough across customers to share most of the
> ACE entries.
>
> With that compromise (namely losing customer-customer netflow detail),
> the remaining requirements for full netflow exports and the balance of
> the BGP workload are feasible for any of ASR1k, GSR, or CRS-1.

We don't have core and edge -- our switches do both. Every port on the switch is either a BGP peer/uplink/downlink or a customer. Every port is layer3-routed, with only a few handfuls of customers with dual links.

Purchasing a switch to be the edge and then another to handle BGP seems a bit of overkill for our fairly small datacenters (the largest will have around 300 customers ~ 360 ports). I'd prefer something that can handle both edge and core duties.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

From peter at rathlev.dk Wed Jun 17 20:01:01 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 18 Jun 2009 00:01:01 +0000
Subject: [c-nsp] Redirects / hair-pinning traffic vs. performance
Message-ID: <1245283261.15106.46.camel@localhost.localdomain>

Hi,

I have the need to introduce some PBR to solve a hopefully temporary problem. Some of the traffic being routed will leave the same interface as it arrives on. My worry is whether this has any performance impact when the traffic arrives on and leaves from the same interface. I could imagine that some forwarding implementations might penalize this scenario.

The PBR will be performed by two 3560s running IP Services and with HSRP configuration on all interfaces. It should do PBR in hardware (we're not using VRF Lite here), but is this also the case for traffic hair-pinning like this?

To elaborate on the plan:

+---+                   +---+
| X |----         ----| Y |
+---+     \     /     +---+
           \   /
            \ /
       +---------+
       |   PBR   |
       +---------+
            |
            |
          +---+
          | Z |
          +---+

The Z<->PBR and PBR<->Y interfaces are members of the same VLAN. The PBR<->X interface will be in another VLAN. Traffic from Z currently uses Y as gateway. I need to route some traffic (based on a policy map) to X instead. Since I have little control over Y (upstream Internet), and since Z relies on keeping its current interface address (it's an ASA using this interface address for VPN identity), I can't split them.

The plan was to introduce the 3560 in the same subnet and then let Z's default route be PBR instead of Y. Based on the policy map, PBR will either forward to Y (on the same interface) or X. To assure correct policy routing I'd of course have to disable sending redirects.

(The "right" solution IMHO would be allocating a new subnet for PBR<->Y and coordinating this with our upstream, but lack of both time and cluefulness means that this will have to be some other time.)
Regards,
Peter

From ray at oneunified.net Wed Jun 17 20:17:08 2009
From: ray at oneunified.net (Ray Burkholder)
Date: Wed, 17 Jun 2009 21:17:08 -0300
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <28FF196F-67B9-4D57-BCF9-D3B4EB38FC7C@netconsonance.com>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>
	<4A313392.60604@kl.net>
	<4A31548E.3080501@imperial.ac.uk>
	<4A327775.8050800@kl.net>
	<1244844193.9252.17.camel@localhost.localdomain>
	<919169.94149.qm@web1204.biz.mail.gq1.yahoo.com>
	<28FF196F-67B9-4D57-BCF9-D3B4EB38FC7C@netconsonance.com>
Message-ID: 

>
> We don't have core and edge -- our switches do both. Every port on
> the switch is either a BGP peer/uplink/downlink or a
> customer. Every port layer3-routed with only a few handfuls
> of customers with dual links.
>
> Purchasing a switch to be the edge and then another to handle
> BGP seems a bit of overkill for our fairly small datacenters
> (largest will have around 300 customers ~ 360 ports). I'd prefer something
> that can handle both edge and core duties.
>

Do you put dual Sups in the switches? I.e., how do you handle the scenario of software upgrades (doesn't the whole switch have to go down to do this type of maintenance, or do you not do that sort of thing) or switch malfunctions? Is it a safe bet to put so many customers and links into one box? Or are you actually using multiple switches?

--
Scanned for viruses and dangerous content at
http://www.oneunified.net and is believed to be clean.
From rdobbins at arbor.net Wed Jun 17 20:55:13 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Thu, 18 Jun 2009 07:55:13 +0700
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <28FF196F-67B9-4D57-BCF9-D3B4EB38FC7C@netconsonance.com>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com>
	<4A313392.60604@kl.net>
	<4A31548E.3080501@imperial.ac.uk>
	<4A327775.8050800@kl.net>
	<1244844193.9252.17.camel@localhost.localdomain>
	<919169.94149.qm@web1204.biz.mail.gq1.yahoo.com>
	<28FF196F-67B9-4D57-BCF9-D3B4EB38FC7C@netconsonance.com>
Message-ID: <65E6E3AF-FBDA-45F0-A08E-8FE386DBEF86@arbor.net>

On Jun 18, 2009, at 6:59 AM, Jo Rhett wrote:

> I'd prefer something that can handle both edge and core duties.

GSR w/E3 or E5 LCs, CRS-1, or ASR 1K.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From justin at justinshore.com Wed Jun 17 23:08:48 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 17 Jun 2009 22:08:48 -0500
Subject: [c-nsp] BGP quandry
Message-ID: <4A39AFC0.8050101@justinshore.com>

I'm scratching my head on a BGP problem. I have a pair of core routers and a pair of distribution routers in our data center. The DC routers each have a single connection to the core routers (1 connection per pair). Previously the DC routers were configured as route-reflector clients with a route-map stripping out all ipv4 routes but the default. The links are MPLS-enabled and I have production MPLS/VPNs on the links currently that are working fine. It's fairly straightforward. Upstream of the core routers are a pair of border routers. The border and core routers are in a full mesh.

Now I'm trying to hang a new router off of one of the data center routers and extend our BGP environment to it. I've configured it to be part of a confederation (that router will ultimately have a direct Internet peer and will need full routes).
I'm currently hopping over the DC router and going straight to a core router for that eBGP confederation connection. However I now need to access a MPLS/VPN from the new router in our data center. So it basically looks like this:

A     B
|\   /|
| \ / |
| / \ |
|/   \|
C-----D
|     |
E     F
|
G

A Border 1
B Border 2
C Core 1
D Core 2
E DC 1
F DC 2
G New Router

A-D are currently a full mesh and I'd like to extend that to A-F. G is the beginning of a confederation and new AS. I'm taking the opportunity to go back and eliminate the RR design from the DC and make those 2 routers part of the full mesh with the core and border routers. I've removed the RR config from one of the DC routers and its directly connected core router and replaced it with my standard ibgp peer-group. The session comes up but I'm not getting any vpnv4 routes over the session. I can't figure out what I'm overlooking.

Core:

 neighbor ibgp-peer peer-group
 neighbor ibgp-peer remote-as 65001
 neighbor ibgp-peer transport path-mtu-discovery
 neighbor ibgp-peer password 7 monkey
 neighbor ibgp-peer update-source Loopback0
 neighbor ibgp-peer version 4
 neighbor ibgp-peer send-community
 neighbor ibgp-peer soft-reconfiguration inbound
 neighbor ibgp-peer maximum-prefix 350000 80 warning-only
 neighbor 10.64.0.34 peer-group ibgp-peer
 neighbor 10.64.0.34 description iBGP to 7201-1.dc (65001)
 neighbor 10.64.0.34 default-originate
 !
 address-family vpnv4
  neighbor ibgp-peer send-community extended
  neighbor 10.64.0.34 activate
 exit-address-family

I added the last activate for grins but it didn't help. peer-groups are auto-activated which is why it's not explicitly spelled out in the vpnv4 statement.

DC:

 neighbor ibgp-peer peer-group
 neighbor ibgp-peer remote-as 65001
 neighbor ibgp-peer transport path-mtu-discovery
 neighbor ibgp-peer password 7 monkey
 neighbor ibgp-peer update-source Loopback0
 neighbor ibgp-peer version 4
 neighbor 10.64.0.20 peer-group ibgp-peer
 neighbor 10.64.0.20 description iBGP to 7613-2.clr (65001)
 !
 address-family ipv4
  neighbor ibgp-peer send-community
  neighbor ibgp-peer soft-reconfiguration inbound
  neighbor ibgp-peer maximum-prefix 350000 80 warning-only
  neighbor 10.64.0.20 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor ibgp-peer send-community extended
 exit-address-family

I've removed several things of course. Does anything jump out at anyone? I'm having difficulty finding a command to see what prefixes I'm advertising inside of a vrf to the remote peer. All I get on the DC router is the connected and static prefixes. Do peer-groups and vpnv4 routes not mix?

Thanks
Justin

From justin at justinshore.com Wed Jun 17 23:54:56 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 17 Jun 2009 22:54:56 -0500
Subject: [c-nsp] BGP quandry
In-Reply-To: <4A39AFC0.8050101@justinshore.com>
References: <4A39AFC0.8050101@justinshore.com>
Message-ID: <4A39BA90.4030107@justinshore.com>

Justin Shore wrote:
> Core:
....
> !
> address-family vpnv4
>  neighbor ibgp-peer send-community extended
>  neighbor 10.64.0.34 activate
> exit-address-family
>
> I added the last activate for grins but it didn't help. peer-groups are
> auto-activated which is why it's not explicitly spelled out in the vpnv4
> statement.
>
> DC:
....
> neighbor 10.64.0.20 peer-group ibgp-peer
> neighbor 10.64.0.20 description iBGP to 7613-2.clr (65001)
> !
> address-family vpnv4
>  neighbor ibgp-peer send-community extended
> exit-address-family

So I did a little more playing around and found that if I added a vpnv4 activate on the DC #2 router for core #2's IP I got my vpnv4 routes. I only got those connected to core #2 though. I had to add another activate for core #1. I'm assuming that core #2 sent those BGP routes that it learned via iBGP from core #1 to DC #2 because of the RR config. Since I'm eliminating the iBGP RR config I have to complete the full mesh to get the full set of routes. That makes sense.
One thing that doesn't make sense at this point is why the ibgp-peer peer-group config in the vpnv4 address-family wasn't sufficient to enable the learning of vpnv4 routes. Do peer-groups and vpnv4 config not mix? Trying to add the command "neighbor aaa.bbb.ccc.ddd send-community extended" to any of the routers involved (where aaa.bbb.ccc.ddd is a configured member of a peer-group) results in the error:

% Invalid command for a peer-group member

To me that implies that some sort of interaction exists between vpnv4 config and peer-group config. Can anyone add any input to this?

Thanks
Justin

From anderson.levi at gmail.com Thu Jun 18 03:32:36 2009
From: anderson.levi at gmail.com (Anderson Levi)
Date: Thu, 18 Jun 2009 10:32:36 +0300
Subject: [c-nsp] Cisco SFP
Message-ID: 

Hi,

I want to buy Cisco's gigabit SFPs for a network rollout and I've realised, from the info I've gathered on the website, that there's a leap from the < 10km range (GLC-LH-SM) to the < 70km range (GLC-ZX-SM). The distance I have in mind falls in between 10km and 70km.

What are the implications of using a GLC-ZX-SM module to light a stretch of 20 - 30km? Would I need to add an attenuator, given that 20km is well below the 70km limit?

Any info would be helpful.

Thanks.

From gtb at slac.stanford.edu Thu Jun 18 03:49:42 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Thu, 18 Jun 2009 00:49:42 -0700
Subject: [c-nsp] Cisco SFP
In-Reply-To: 
References: 
Message-ID: 

> What are the implications of using a GLC-ZX-SM module to light a
> stretch of 20 - 30km? Would I need to add an attenuator, given that 20km is well
> below the 70km limit?

As always, the answer is "it depends", because it is the optical power, not the distance, that matters, but usually if the link is <~25km you can expect to need an attenuator. The typical transmit is ~ 0-5dBm, and the max receive power is ~ -3dBm.
If you overload the receiver, you could damage the device, or shorten is life, or cause various physical link errors to be reported as the optics is overloaded. So, in all cases, measure the received power, and add in the needed attenuation. Reference: http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html Gary From amsoares at netcabo.pt Thu Jun 18 06:48:57 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Thu, 18 Jun 2009 11:48:57 +0100 Subject: [c-nsp] full routing table / provider-class chassis In-Reply-To: <65E6E3AF-FBDA-45F0-A08E-8FE386DBEF86@arbor.net> References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com><4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk><4A327775.8050800@kl.net><1244844193.9252.17.camel@localhost.localdomain><919169.94149.qm@web1204.biz.mail.gq1.yahoo.com><28FF196F-67B9-4D57-BCF9-D3B4EB38FC7C@netconsonance.com> <65E6E3AF-FBDA-45F0-A08E-8FE386DBEF86@arbor.net> Message-ID: <36EC7DC293AA437EB939B1B1D74283DA@int.convex.pt> Why are you not including E4 or E4+ ? I'm asking this because i saw a E4 hitting the maximum when the number of CEF routes handled doubled (from 280k to 560k). To the E3, this transition was smooth... And i'm not able to find docs that could explain this... Thanks. Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roland Dobbins Sent: quinta-feira, 18 de Junho de 2009 1:55 To: Cisco-nsp Subject: Re: [c-nsp] full routing table / provider-class chassis On Jun 18, 2009, at 6:59 AM, Jo Rhett wrote: > I'd prefer something that can handle both edge and core duties. GSR w/E3 or E5 LCs, CRS-1, or ASR 1K. ----------------------------------------------------------------------- Roland Dobbins // Unfortunately, inefficiency scales really well. 
-- Kevin Lawton _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Thu Jun 18 06:50:57 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 18 Jun 2009 12:50:57 +0200 Subject: [c-nsp] BGP quandry In-Reply-To: <4A39BA90.4030107@justinshore.com> References: <4A39AFC0.8050101@justinshore.com> <4A39BA90.4030107@justinshore.com> Message-ID: <1245322257.20522.9.camel@localhost.localdomain> On Wed, 2009-06-17 at 22:54 -0500, Justin Shore wrote: > So I did a little more playing around and found that if I added an vpnv4 > activate on the DC #2 router for core #2's IP I got my vpnv4 routes. I > only got those connected to core #2 though. I had to add another > activate for core #1. I'm assuming that core #2 sent those BGP routes > that it learned via iBGP from core #1 to DC #2 because of the RR config. > Since I'm eliminating the iBGP RR config I have to complete the full > mesh to get the full set of routes. That makes sense. Core #2 doesn't have "route-reflector-client" configured towards the new router, so it only sends it's own prefixes and prefixes from any RR clients of it's own. That seems to make sense to me too. > One thing that doesn't make sense at this point is why the ibgp-peer > peer-group config in the vpnv4 address-family wasn't sufficient enough > to enable the learning of vpnv4 routes. Do peer-groups and vpnv4 config > not mix? Trying to add the command "neighbor aaa.bbb.ccc.ddd > send-community extendeded" to any of the routers involved (where > aaa.bbb.ccc.ddd is a configured member of a peer-group) results in the > error: > > % Invalid command for a peer-group member > > To me that implies that some sort of interaction exists between vpnv4 > config and peer-group config. Can anyone add any input to this? 
AFAIK you always have to activate the specific peers in the VPNv4 configuration for VPNv4 functionality. I.e.:

router bgp 64512
 neighbor PG peer-group
 neighbor PG remote-as 65412
 neighbor 10.0.0.1 peer-group PG
 neighbor 10.0.0.1 activate
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
 exit-address-family
 !
exit
!

VPNv4 and IPv4 mix fine, but the activation is separated so you can run some IPv4 only peers, some VPNv4 only peers and some mixed peers.

Regards,
Peter

From rdobbins at arbor.net Thu Jun 18 07:04:22 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Thu, 18 Jun 2009 18:04:22 +0700
Subject: [c-nsp] full routing table / provider-class chassis
In-Reply-To: <36EC7DC293AA437EB939B1B1D74283DA@int.convex.pt>
References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com> <4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk> <4A327775.8050800@kl.net> <1244844193.9252.17.camel@localhost.localdomain> <919169.94149.qm@web1204.biz.mail.gq1.yahoo.com> <28FF196F-67B9-4D57-BCF9-D3B4EB38FC7C@netconsonance.com> <65E6E3AF-FBDA-45F0-A08E-8FE386DBEF86@arbor.net> <36EC7DC293AA437EB939B1B1D74283DA@int.convex.pt>
Message-ID:

On Jun 18, 2009, at 5:48 PM, Antonio Soares wrote:

> Why are you not including E4 or E4+ ?

Because those are intended to be deployed as coreward-facing cards, they aren't optimized for edge features like NetFlow, uRPF, and ACLs.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.
-- Kevin Lawton From rdobbins at arbor.net Thu Jun 18 07:20:40 2009 From: rdobbins at arbor.net (Roland Dobbins) Date: Thu, 18 Jun 2009 18:20:40 +0700 Subject: [c-nsp] full routing table / provider-class chassis In-Reply-To: References: <04BFB690-C747-46D2-A1D6-E4B7243E804B@netconsonance.com><4A313392.60604@kl.net> <4A31548E.3080501@imperial.ac.uk><4A327775.8050800@kl.net><1244844193.9252.17.camel@localhost.localdomain><919169.94149.qm@web1204.biz.mail.gq1.yahoo.com><28FF196F-67B9-4D57-BCF9-D3B4EB38FC7C@netconsonance.com> <65E6E3AF-FBDA-45F0-A08E-8FE386DBEF86@arbor.net> <36EC7DC293AA437EB939B1B1D74283DA@int.convex.pt> Message-ID: <5074CACB-9C4A-4F04-B401-75CD02B797C7@arbor.net> On Jun 18, 2009, at 6:04 PM, Roland Dobbins wrote: > Because those are intended to be deployed as coreward-facing cards, > they aren't optimized for edge features like NetFlow, uRPF, and ACLs. To clarify, I mean these cards are for use in core routers only - edge routers need the features on the coreward as well as the peering/ transit/customer edges, so the northbound and southbound LCs on edge routers should be E3 or E5. ----------------------------------------------------------------------- Roland Dobbins // Unfortunately, inefficiency scales really well. -- Kevin Lawton From fraglet at gmail.com Thu Jun 18 07:41:53 2009 From: fraglet at gmail.com (John) Date: Thu, 18 Jun 2009 12:41:53 +0100 Subject: [c-nsp] Link state propagation / remote port shutdown with EoMPLS on 6500 Message-ID: <5c374d9a0906180441h2470630br18efea343f461a0@mail.gmail.com> Hi All Im playing around with EoMPLS on 6500`s w/SUP720-3b and 6700 line cards... No ES hardware. Everything seems fine, performance is good, scales ok for what we need, what I`m failing to do is get link state propagation or remote port shutdown to work. Anybody have any pointers on this.. Our config is very basic port mode xconnects.. 
interface GigabitEthernet1/12
 mtu 1560
 no ip address
 xconnect 192.168.1.1 2007 pw-class TEST#1

I notice that in conf mode under the xconnect config you can enter "remote link failure notification"; this seems to be enabled by default, but doesn't seem to do anything.. I imagine that I need to configure some OAM or CFM or similar, but am at a loss as to how, anyone that's already done it?

Any help gratefully accepted

From zivl at gilat.net Thu Jun 18 09:08:22 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 18 Jun 2009 16:08:22 +0300
Subject: [c-nsp] L2TPv3 and VLANs
Message-ID:

Hi,
I'm trying to make sure this following scenario can work.
3 remote sites, one is the HQ which has a switch that handles 2 vlans, let's say vlan 10 and vlan 20.
The other two branches need to be connected to the HQ and have a flat LAN between them and the HQ, but each branch to its own vlan, branch 1 to vlan 10 and branch 2 to vlan 20. They must NOT see each other's traffic.
Every site has a switch and a router (C2801 I think). Is it possible to do?
If yes, then I was thinking about L2TPv3, but in this case I'd need to make two different xconnections between HQ-->Branch 1 and HQ-->Branch 2.
How do I make this happen on the HQ router? I was thinking to bring the vlans via a trunk from the switch and then finishing them on sub-interfaces with dot1q and then xconnecting the sub-interface to each l2tp tunnel to each respective branch. Is it correct or there is a better way?

Will this work?

Thanks in advance for your help
Ziv

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************ From justin at justinshore.com Thu Jun 18 10:06:49 2009 From: justin at justinshore.com (Justin Shore) Date: Thu, 18 Jun 2009 09:06:49 -0500 Subject: [c-nsp] BGP quandry In-Reply-To: <1245322257.20522.9.camel@localhost.localdomain> References: <4A39AFC0.8050101@justinshore.com> <4A39BA90.4030107@justinshore.com> <1245322257.20522.9.camel@localhost.localdomain> Message-ID: <4A3A49F9.5090004@justinshore.com> Peter Rathlev wrote: > Core #2 doesn't have "route-reflector-client" configured towards the new > router, so it only sends it's own prefixes and prefixes from any RR > clients of it's own. That seems to make sense to me too. It does now that I've thought about it. With iBGP not forwarding on updates it learns from other iBGP speakers, the only way I was receiving the routes in the existing environment was with the RR config. That makes sense. So now I'm building a full mesh between all the speakers. I haven't done a great deal of RR work so I always have to stop and research RRs when I work with them. I was pretty sure that I couldn't pull an eBGP confederation speaker off of the RR client which is why I was pushing everything back towards the full mesh. > AFAIK you always have to activate the specific peers in the VPNv4 > configuration for VPNv4 functionality. I.e. : > > VPNv4 and IPv4 mixes fine, but the activation is seperated so you can > run some IPv4 only peers, some VPNv4 only peers and some mixed peers. That's good to know. I assumed that the I could make the change en mass by using the peer-group but adding individual activations will work too. That's probably a good thing so I can be more flexible with my peer-group use. 
Thanks for the input Justin From moua0100 at umn.edu Thu Jun 18 10:44:05 2009 From: moua0100 at umn.edu (Ge Moua) Date: Thu, 18 Jun 2009 09:44:05 -0500 Subject: [c-nsp] L2TPv3 and VLANs In-Reply-To: References: Message-ID: <4A3A52B5.4090509@umn.edu> > How do I make this happen on the HQ router? Each l2tp tunnel will have its own vc: "sh l2tun all" You obviously have thoughts this all out as your logic for how it will and should work is sound. We are doing a very similar setup over here at the UofMn and this is working well for us. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Ziv Leyes wrote: > Hi, > I'm trying to make sure this following scenario can work. > 3 remote sites, one is the HQ which has a switch that handles 2 vlans, let's say vlan 10 and vlan 20. > The other two branches needs to be connected to the HQ and have a flat LAN between them and the HQ, but each branch to it's own vlan, branch 1 to vlan 10 and branch 2 to vlan 20. They must NOT see each other's traffic. > Every site has a switch and a router (C2801 I think) Is it possible to do? > If yes, then I was thinking about L2TPv3, but in this case I'd need to make two different xconnections between HQ-->Branch 1 and HQ-->Branch 2. > How do I make this happen on the HQ router? I was thinking to bring the vlans via a trunk from the switch and then finishing them on sub-interfaces with dot1q and then xconnecting the sob-interface to each l2tp tunnel to each respective branch. Is it correct or there is a better way? > > Will this work? > > Thanks in advance for your help > Ziv > > > > > ************************************************************************************ > This footnote confirms that this email message has been scanned by > PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. 
> ************************************************************************************ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From paul at paulstewart.org Thu Jun 18 11:08:29 2009 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 18 Jun 2009 11:08:29 -0400 Subject: [c-nsp] L2TPv3 and VLANs In-Reply-To: <4A3A52B5.4090509@umn.edu> References: <4A3A52B5.4090509@umn.edu> Message-ID: <000001c9f026$b0bb05c0$12311140$@org> How did you deal with MTU issues from l2tpv3? In our testing we would see packets drop instead of fragmenting where they should... I've been meaning to followup on this as we have some great l2tpv3 deployments waiting in the wings... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua Sent: Thursday, June 18, 2009 10:44 AM To: Ziv Leyes Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] L2TPv3 and VLANs > How do I make this happen on the HQ router? Each l2tp tunnel will have its own vc: "sh l2tun all" You obviously have thoughts this all out as your logic for how it will and should work is sound. We are doing a very similar setup over here at the UofMn and this is working well for us. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Ziv Leyes wrote: > Hi, > I'm trying to make sure this following scenario can work. > 3 remote sites, one is the HQ which has a switch that handles 2 vlans, let's say vlan 10 and vlan 20. > The other two branches needs to be connected to the HQ and have a flat LAN between them and the HQ, but each branch to it's own vlan, branch 1 to vlan 10 and branch 2 to vlan 20. They must NOT see each other's traffic. 
> Every site has a switch and a router (C2801 I think). Is it possible to do?
> If yes, then I was thinking about L2TPv3, but in this case I'd need to make two different xconnections between HQ-->Branch 1 and HQ-->Branch 2.
> How do I make this happen on the HQ router? I was thinking to bring the vlans via a trunk from the switch and then finishing them on sub-interfaces with dot1q and then xconnecting the sub-interface to each l2tp tunnel to each respective branch. Is it correct or there is a better way?
>
> Will this work?
>
> Thanks in advance for your help
> Ziv
>
>
>
>
> ************************************************************************************
> This footnote confirms that this email message has been scanned by
> PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
> ************************************************************************************
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From moua0100 at umn.edu Thu Jun 18 11:33:27 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 18 Jun 2009 10:33:27 -0500
Subject: [c-nsp] L2TPv3 and VLANs
In-Reply-To: <000001c9f026$b0bb05c0$12311140$@org>
References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org>
Message-ID: <4A3A5E47.1080506@umn.edu>

Yep, ran into that too; on the upstream layer-3 hop from hosts do something like "tcp-mss adjust 1300" which will ensure tcp packets have enough head-room for l2tpv3 headers.
With UDP traffic, this get more tricky; I haven't done this yet but one can adjust max segment size on end-station hosts to something like 1300 (which of course would affect all protocol types); there are open source tools to do this, but downside is that all the end-station hosts need to touched for consistency; i suppose I'm too lazy : - ( Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Paul Stewart wrote: > How did you deal with MTU issues from l2tpv3? In our testing we would see > packets drop instead of fragmenting where they should... I've been meaning > to followup on this as we have some great l2tpv3 deployments waiting in the > wings... > > Paul > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua > Sent: Thursday, June 18, 2009 10:44 AM > To: Ziv Leyes > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] L2TPv3 and VLANs > > > > How do I make this happen on the HQ router? > > Each l2tp tunnel will have its own vc: "sh l2tun all" > > You obviously have thoughts this all out as your logic for how it will > and should work is sound. > > We are doing a very similar setup over here at the UofMn and this is > working well for us. > > > Regards, > Ge Moua | Email: moua0100 at umn.edu > > Network Design Engineer > University of Minnesota | Networking & Telecommunications Services > > > > Ziv Leyes wrote: > >> Hi, >> I'm trying to make sure this following scenario can work. >> 3 remote sites, one is the HQ which has a switch that handles 2 vlans, >> > let's say vlan 10 and vlan 20. > >> The other two branches needs to be connected to the HQ and have a flat LAN >> > between them and the HQ, but each branch to it's own vlan, branch 1 to vlan > 10 and branch 2 to vlan 20. They must NOT see each other's traffic. 
>
>> Every site has a switch and a router (C2801 I think). Is it possible to do?
>> If yes, then I was thinking about L2TPv3, but in this case I'd need to
>> make two different xconnections between HQ-->Branch 1 and HQ-->Branch 2.
>
>> How do I make this happen on the HQ router? I was thinking to bring the
>> vlans via a trunk from the switch and then finishing them on sub-interfaces
>> with dot1q and then xconnecting the sub-interface to each l2tp tunnel to
>> each respective branch. Is it correct or there is a better way?
>
>> Will this work?
>>
>> Thanks in advance for your help
>> Ziv
>>
>>
>>
>>
>>
>>
>> ************************************************************************************
>
>> This footnote confirms that this email message has been scanned by
>> PineApp Mail-SeCure for the presence of malicious code, vandals & computer
>> viruses.
>
>> ************************************************************************************
>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From moua0100 at umn.edu Thu Jun 18 11:39:52 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 18 Jun 2009 10:39:52 -0500
Subject: [c-nsp] L2TPv3 and VLANs
In-Reply-To: <4A3A5E47.1080506@umn.edu>
References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org> <4A3A5E47.1080506@umn.edu>
Message-ID: <4A3A5FC8.6070100@umn.edu>

I've also seen "out-of-order" packets get discarded (essentially dropped); if fragmentation is clean and in correct order, L2TPv3 as implemented by Cisco seems to work better; we've opened a case with Cisco about this re: VTP traffic and their response
essentially was to do nothing about it and not use VTP (so we are now using VTP transparent mode with no VTP updates) and thus no VTP being transmitted over the l2tpv3 pseudowire.

I've been meaning to do pseudowire testing using AToM/EoMPLS tunneled inside of GRE to see if this works better; Cisco TAC seems to be more receptive in supporting MPLS issues rather than L2TPv3 over native IP.

Let me know if you run into different conclusions as I've been struggling with this issue for a few years now.

Good luck.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Ge Moua wrote:
> Yep, ran into that too; on the upstream layer-3 hop from hosts do
> something like "tcp-mss adjust 1300" which will ensure tcp packets
> have enough head-room for l2tpv3 headers. With UDP traffic, this gets
> more tricky; I haven't done this yet but one can adjust max segment
> size on end-station hosts to something like 1300 (which of course
> would affect all protocol types); there are open source tools to do
> this, but downside is that all the end-station hosts need to be touched
> for consistency; i suppose I'm too lazy : - (
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
>
>
> Paul Stewart wrote:
>> How did you deal with MTU issues from l2tpv3? In our testing we
>> would see packets drop instead of fragmenting where they should...
>> I've been meaning to followup on this as we have some great l2tpv3
>> deployments waiting in the wings...
>>
>> Paul
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
>> Sent: Thursday, June 18, 2009 10:44 AM
>> To: Ziv Leyes
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] L2TPv3 and VLANs
>>
>>
>> > How do I make this happen on the HQ router?
>> >> Each l2tp tunnel will have its own vc: "sh l2tun all" >> >> You obviously have thoughts this all out as your logic for how it >> will and should work is sound. >> >> We are doing a very similar setup over here at the UofMn and this is >> working well for us. >> >> >> Regards, >> Ge Moua | Email: moua0100 at umn.edu >> >> Network Design Engineer >> University of Minnesota | Networking & Telecommunications Services >> >> >> >> Ziv Leyes wrote: >> >>> Hi, >>> I'm trying to make sure this following scenario can work. >>> 3 remote sites, one is the HQ which has a switch that handles 2 vlans, >>> >> let's say vlan 10 and vlan 20. >> >>> The other two branches needs to be connected to the HQ and have a >>> flat LAN >>> >> between them and the HQ, but each branch to it's own vlan, branch 1 >> to vlan >> 10 and branch 2 to vlan 20. They must NOT see each other's traffic. >> >>> Every site has a switch and a router (C2801 I think) Is it possible >>> to do? >>> If yes, then I was thinking about L2TPv3, but in this case I'd need to >>> >> make two different xconnections between HQ-->Branch 1 and HQ-->Branch 2. >> >>> How do I make this happen on the HQ router? I was thinking to bring the >>> >> vlans via a trunk from the switch and then finishing them on >> sub-interfaces >> with dot1q and then xconnecting the sob-interface to each l2tp tunnel to >> each respective branch. Is it correct or there is a better way? >> >>> Will this work? >>> >>> Thanks in advance for your help >>> Ziv >>> >>> >>> >>> >>> >>> >> **************************************************************************** >> >> ******** >> >>> This footnote confirms that this email message has been scanned by >>> PineApp Mail-SeCure for the presence of malicious code, vandals & >>> computer >>> >> viruses. 
>> >> **************************************************************************** >> >> ******** >> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > From linuxloader at gmail.com Thu Jun 18 12:32:39 2009 From: linuxloader at gmail.com (Georgi Genov) Date: Thu, 18 Jun 2009 19:32:39 +0300 Subject: [c-nsp] BGP Load balance for the uplink Message-ID: <4A3A6C27.1030502@gmail.com> Here is my scenario , i have 2 uplink providers , one with 2 backup sessions on two different vlans with 2x /30 ip addr and other with multihop bgp .First provider with the 2 sessions i have 2:1 speed compare against the second . I advertise at the both providers same prefix lists . ( 2x /18 and one /24 ) . dmzlink-bw is one solution , but it didn`t work at multihop bgp . Some other suggestions . PS: Ruter is RSP720-3CXL-GE with Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICES-M), Version 12.2(33)SRB5a, RELEASE SOFTWARE (fc1) From peter at rathlev.dk Thu Jun 18 13:13:02 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 18 Jun 2009 19:13:02 +0200 Subject: [c-nsp] Redirects / hair-pinning traffic vs. performance In-Reply-To: <1245283261.15106.46.camel@localhost.localdomain> References: <1245283261.15106.46.camel@localhost.localdomain> Message-ID: <1245345182.26970.13.camel@localhost.localdomain> On Thu, 2009-06-18 at 00:01 +0000, Peter Rathlev wrote: > I have the need to introduce some PBR to solve a hopefully temporary > problem. Some of the traffic being routed will leave the same interface > as it arrives on. 
>
> My worry is if this would have any performance impact the traffic
> arrives on and leaves from the same interface. I could imagine that some
> forwarding implementations might penalize this scenario.

Follow up: We've tested this and it works fine. It seems to have some CPU impact when the unit policy routes, but not much. When pushing 100 mbps traffic through, the CPU rises to ~25-30% for a few seconds (spent on interrupt switching) and then falls down to ~5% again.

This might be PBR-specific and have nothing to do with the traffic arriving on and exiting the same interface though. We will be doing some more (production) testing soon, with more flows and more bandwidth. I can't see why the number of flows should matter since the 3560 AFAIK just pushes packets, but I also can't see why the start of a TCP session should matter. The "ip route-cache" hasn't been disabled of course; I assume this would have a detrimental effect on performance.

Regards,
Peter

From rodunn at cisco.com Thu Jun 18 14:34:33 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 18 Jun 2009 14:34:33 -0400
Subject: [c-nsp] Redirects / hair-pinning traffic vs. performance
In-Reply-To: <1245345182.26970.13.camel@localhost.localdomain>
References: <1245283261.15106.46.camel@localhost.localdomain> <1245345182.26970.13.camel@localhost.localdomain>
Message-ID: <20090618183433.GB13882@rtp-cse-489.cisco.com>

Curious..I don't know that platform forwarding architecture. But what does 'sh int stat' give you?

Also, sh ip traffic a couple times once you start the traffic.

On Thu, Jun 18, 2009 at 07:13:02PM +0200, Peter Rathlev wrote:
> On Thu, 2009-06-18 at 00:01 +0000, Peter Rathlev wrote:
> > I have the need to introduce some PBR to solve a hopefully temporary
> > problem. Some of the traffic being routed will leave the same interface
> > as it arrives on.
> >
> > My worry is if this would have any performance impact the traffic
> > arrives on and leaves from the same interface.
I could imagine that some > > forwarding implementations might penalize this scenario. > > Follow up: We've tested this and it works fine. It seems to have some > CPU impact when the unit policy routes, but not much. When pushing 100 > mbps traffic through the CPU rises to ~25-30% for a few seconds (spent > on interrupt switching) and then falls down ~5% again. > > This might be PBR-specific and have nothing to do with the traffic > arriving on and exiting the same interface though. We will be doing some > more (production) testing soon, with more flows and more bandwidth. I > can't see why the number of flows should matter since the 3560 AFAIK > just pushes packets, but I also can't see why the start of a TCP session > should matter. The "ip route-cache" hasn't been disabled of course; I > assume this would have a detrimental effect on performance. > > Regards, > Peter > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From paul at paulstewart.org Thu Jun 18 20:31:42 2009 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 18 Jun 2009 20:31:42 -0400 Subject: [c-nsp] L2TPv3 and VLANs In-Reply-To: <4A3A5E47.1080506@umn.edu> References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org> <4A3A5E47.1080506@umn.edu> Message-ID: <007a01c9f075$5258a1f0$f709e5d0$@org> Thanks... we don't want to touch each workstation - would involve way too much time for our installations...;) With UDP traffic, does anything "normally" break that comes to mind on larger MTU? I can't think of anything hence why I'm asking... 
Cheers,

Paul

-----Original Message-----
From: Ge Moua [mailto:moua0100 at umn.edu]
Sent: June 18, 2009 11:33 AM
To: Paul Stewart
Cc: 'Ziv Leyes'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] L2TPv3 and VLANs

Yep, ran into that too; on the upstream layer-3 hop from hosts do something like "tcp-mss adjust 1300", which will ensure TCP packets have enough head-room for L2TPv3 headers. With UDP traffic this gets more tricky; I haven't done this yet, but one can adjust max segment size on end-station hosts to something like 1300 (which of course would affect all protocol types); there are open source tools to do this, but the downside is that all the end-station hosts need to be touched for consistency; I suppose I'm too lazy : - (

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Paul Stewart wrote:
> How did you deal with MTU issues from l2tpv3? In our testing we would see
> packets drop instead of fragmenting where they should... I've been meaning
> to follow up on this as we have some great l2tpv3 deployments waiting in the
> wings...
>
> Paul
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
> Sent: Thursday, June 18, 2009 10:44 AM
> To: Ziv Leyes
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] L2TPv3 and VLANs
>
> > How do I make this happen on the HQ router?
>
> Each l2tp tunnel will have its own vc: "sh l2tun all"
>
> You obviously have thought this all out as your logic for how it will
> and should work is sound.
>
> We are doing a very similar setup over here at the UofMn and this is
> working well for us.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
> Ziv Leyes wrote:
>> Hi,
>> I'm trying to make sure this following scenario can work.
>> 3 remote sites, one is the HQ which has a switch that handles 2 vlans,
>> let's say vlan 10 and vlan 20.
>> The other two branches need to be connected to the HQ and have a flat LAN
>> between them and the HQ, but each branch to its own vlan, branch 1 to vlan
>> 10 and branch 2 to vlan 20. They must NOT see each other's traffic.
>> Every site has a switch and a router (C2801 I think). Is it possible to do?
>> If yes, then I was thinking about L2TPv3, but in this case I'd need to
>> make two different xconnections between HQ-->Branch 1 and HQ-->Branch 2.
>> How do I make this happen on the HQ router? I was thinking to bring the
>> vlans via a trunk from the switch and then finishing them on sub-interfaces
>> with dot1q and then xconnecting the sub-interface to each l2tp tunnel to
>> each respective branch. Is it correct or is there a better way?
>> Will this work?
>>
>> Thanks in advance for your help
>> Ziv

From ml at kenweb.org Thu Jun 18 20:36:36 2009
From: ml at kenweb.org (ML)
Date: Thu, 18 Jun 2009 20:36:36 -0400
Subject: [c-nsp] Incorrect netflow data from 7600/6500?
Message-ID: <4A3ADD94.7060508@kenweb.org>

I'm trying to export flows from a 6509 to nfcapd/nfdump. When I sort by protocol and bytes I see a "protocol 0" as the majority of the traffic.

Top 20 Protocol ordered by bytes:

Proto  Protocol  Flows   Packets  Bytes
0      0         7.8 M   296.8 M  229.1 G
TCP    6         2.8 M   82.0 M   35.3 G
UDP    17        3.7 M   21.7 M   4.3 G

I've seen this result from multiple other Netflow tools: ntop, Orion NetFlow and now nfdump. The only common element is my hardware. I've exported flows from a 7606-SUP32 and a 6509SUP720-3B both running 12.2(18)SXF4. Both emit the mysterious protocol 0 flows.

I think I can make the assumption there isn't a protocol in use that trumps both UDP and TCP traffic combined. Have I run into an IOS bug or did I misconfigure?

Configuration:
-----------------------------------
mls aging fast time 1 threshold 1
mls aging long 64
mls aging normal 32
mls flow ip interface-destination-source
no mls flow ipv6
mls nde sender version 5
no mls acl tcam share-global
mls nde sender version 5

ip flow-cache timeout inactive 10
ip flow-cache timeout active 1

"Config for interfaces of interest"
ip flow ingress
ip route-cache flow

ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination x.x.x.x
------------------------------------

Any help is appreciated.
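An added example, not code from the thread or from nfdump: a small NetFlow v5 datagram parser that totals bytes per protocol straight from the export packets, independent of any collector, and flags the two odd record shapes the replies in this thread discuss, protocol-0 records (the flow-mask question) and TCP/UDP records with both ports 0 (non-initial fragments). The datagram, addresses and counters are constructed for the example; nothing here was captured from the 6509 or 7606.

```python
"""Parse NetFlow v5 export datagrams and flag odd records.

Added example for this thread; the sample datagram is constructed, not
captured from the 6509/7606 exporters discussed on the list."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then `count` fixed 48-byte
# records, all big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBxx")

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_v5(datagram):
    """Return the records of one v5 datagram as a list of dicts.

    Raises ValueError for a wrong version or a payload shorter than the
    header's record count promises, so a collector-side problem is not
    mistaken for an exporter-side one."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header promises %d records, payload is short" % count)
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # Field order: src, dst, nexthop, in_if, out_if, dPkts, dOctets,
        # first, last, srcport, dstport, pad, tcp_flags, prot, tos, ...
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return records


def classify(rec):
    """Name the anomaly a record shows, or None for an ordinary record."""
    if rec["proto"] == 0:
        # Protocol never filled in: the exporter did not key the flow on
        # protocol/ports at all (the flow-mask question in this thread).
        return "protocol_0"
    if rec["proto"] in (6, 17) and rec["sport"] == 0 and rec["dport"] == 0:
        # Ports zero on TCP/UDP: non-initial fragments carry no L4 header,
        # and a v5 record has no IP ID to tie them back to the first fragment.
        return "port_0_fragment"
    return None


def summarize(datagram):
    """Per-protocol byte totals plus anomaly counts for one datagram."""
    bytes_by_proto = defaultdict(int)
    anomalies = defaultdict(int)
    for rec in parse_v5(datagram):
        name = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
        bytes_by_proto[name] += rec["octets"]
        kind = classify(rec)
        if kind:
            anomalies[kind] += 1
    total = sum(bytes_by_proto.values()) or 1
    return {
        "bytes_by_proto": dict(bytes_by_proto),
        "top_protocol": max(bytes_by_proto, key=bytes_by_proto.get) if bytes_by_proto else None,
        "proto0_share": round(bytes_by_proto.get("0", 0) / total, 3),
        "anomalies": dict(anomalies),
    }


def is_valid_v5(datagram):
    """True when the datagram parses cleanly; False on version/length errors."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def _record(src, dst, proto, sport, dport, packets, octets):
    """Build one constructed v5 record (interfaces, times, ASNs are filler)."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                          socket.inet_aton("0.0.0.0"), 1, 2, packets, octets,
                          1000, 2000, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24)


# Constructed sample: two ordinary flows, one "protocol 0" flow of the kind
# the thread reports, and one UDP fragment flow with both ports 0.
_RECORDS = [
    _record("10.0.0.1", "192.0.2.10", 6, 443, 51000, 100, 120000),
    _record("10.0.0.2", "192.0.2.20", 17, 53, 40000, 10, 1500),
    _record("10.0.0.3", "192.0.2.30", 0, 0, 0, 2000, 2900000),
    _record("10.0.0.4", "192.0.2.40", 17, 0, 0, 50, 70000),
]
SAMPLE_DATAGRAM = V5_HEADER.pack(5, len(_RECORDS), 123456, 1245387480, 0, 1,
                                 0, 0, 0) + b"".join(_RECORDS)


if __name__ == "__main__":
    report = summarize(SAMPLE_DATAGRAM)
    for proto, octets in sorted(report["bytes_by_proto"].items(), key=lambda kv: -kv[1]):
        print("%-5s %12d bytes" % (proto, octets))
    print("protocol-0 share of bytes:", report["proto0_share"])
    print("anomalies:", report["anomalies"])
```

To run it against a live exporter, bind a UDP socket on the `ip flow-export destination` port and pass each received datagram to `summarize`; a high `proto0_share` is the signature ML describes.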
From ayourtch at cisco.com Thu Jun 18 22:32:12 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Fri, 19 Jun 2009 04:32:12 +0200 (CEST)
Subject: [c-nsp] L2TPv3 and VLANs
In-Reply-To: <4A3A5E47.1080506@umn.edu>
References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org> <4A3A5E47.1080506@umn.edu>
Message-ID:

Hi Ge,

On Thu, 18 Jun 2009, Ge Moua wrote:
[snip]
> I haven't done this yet but one can adjust max segment size on end-station
> hosts to something like 1300 (which of course would affect all protocol
> types); there are open source tools to do this, but the downside is that all the
> end-station hosts need to be touched for consistency; I suppose I'm too lazy : - (

Would not the clients honour the DHCP option 26 ?

cheers,
andrew

p.s. of course, if the fragmenting does not take place for the pass-through packets with no DF, that deserves a closer look. Fragmentation considered harmful and all, still it should work.

From paul at paulstewart.org Thu Jun 18 22:40:12 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 18 Jun 2009 22:40:12 -0400
Subject: [c-nsp] L2TPv3 and VLANs
In-Reply-To:
References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org> <4A3A5E47.1080506@umn.edu>
Message-ID: <007e01c9f087$45aebae0$d10c30a0$@org>

I must admit - I didn't know such an option existed... and that's great to know...

On a related note to the PS below... we have tested l2tpv3 on a few different boxes running various IOS images and on each of the devices we did test we saw the same behavior. This means something is either broken in the code in my opinion or that we are doing something wrong. Typically that means the second option in our case (lol) but I did get a fair amount of feedback offline from folks with similar problems....;)

Paul

From SHughes at GREnergy.com Thu Jun 18 22:14:43 2009
From: SHughes at GREnergy.com (Hughes, Scott GRE/MG)
Date: Thu, 18 Jun 2009 21:14:43 -0500
Subject: [c-nsp] Incorrect netflow data from 7600/6500?
In-Reply-To: <4A3ADD94.7060508@kenweb.org>
References: <4A3ADD94.7060508@kenweb.org>
Message-ID:

I had this problem as well, and was able to solve it with the following config:

mls flow ip interface-full

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of ML [ml at kenweb.org]
Sent: Thursday, June 18, 2009 7:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Incorrect netflow data from 7600/6500?

I'm trying to export flows from a 6509 to nfcapd/nfdump. When I sort by protocol and bytes I see a "protocol 0" as the majority of the traffic.

From ayourtch at cisco.com Thu Jun 18 23:15:17 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Fri, 19 Jun 2009 05:15:17 +0200 (CEST)
Subject: [c-nsp] L2TPv3 and VLANs
In-Reply-To: <007e01c9f087$45aebae0$d10c30a0$@org>
References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org> <4A3A5E47.1080506@umn.edu> <007e01c9f087$45aebae0$d10c30a0$@org>
Message-ID:

On Thu, 18 Jun 2009, Paul Stewart wrote:

> I must admit - I didn't know such an option existed... and that's great to
> know...

I myself discovered it by accident when I saw the MTU on my linux box to be not the 1500 :-)

> On a related note to the PS below... we have tested l2tpv3 on a few
> different boxes running various IOS images and on each of the devices we did
> test we saw the same behavior. This means something is either broken in the
> code in my opinion or that we are doing something wrong. Typically that
> means the second option in our case (lol) but I did get a fair amount of
> feedback offline from folks with similar problems....;)

It could be as well that it is the first option but that the tcp mss-adjust hack is working "good enough" for anyone to bother - there are always "more important battles" to fight. But if someone on the list is willing to spend some cycles on this in the lab and subsequently open a case to get this to a more definitive status quo - unicast me.

thanks,
andrew

p.s. about the protocols that can break with this scenario, a few things come to mind: kerberos, possibly IKE w/certs, SNMP, netflow.

From moua0100 at umn.edu Fri Jun 19 00:13:01 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 18 Jun 2009 23:13:01 -0500
Subject: [c-nsp] L2TPv3 and VLANs
In-Reply-To: <007a01c9f075$5258a1f0$f709e5d0$@org>
References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org> <4A3A5E47.1080506@umn.edu> <007a01c9f075$5258a1f0$f709e5d0$@org>
Message-ID: <4A3B104D.3060003@umn.edu>

RTP, video streaming, h.323, & the like; nothing really breaks, just "spongy" response if the pipe is saturated.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Paul Stewart wrote:
> Thanks... we don't want to touch each workstation - would involve way too
> much time for our installations...;)
>
> With UDP traffic, does anything "normally" break that comes to mind on
> larger MTU? I can't think of anything hence why I'm asking...
>
> Cheers,
>
> Paul

From ying-xiang at 163.com Fri Jun 19 00:58:00 2009
From: ying-xiang at 163.com (ying-xiang)
Date: Fri, 19 Jun 2009 12:58:00 +0800 (CST)
Subject: [c-nsp] the ospf 0*E2 route type can not be redistributed between two ospf process
Message-ID: <15453343.191691245387480644.JavaMail.coremail@bj163app61.163.com>

hi, folk

does anyone know the reason why i can not redistribute the O*E2 route, which is generated by one ospf router using the default-information originate command, to another ospf process?

From anderson.levi at gmail.com Fri Jun 19 03:12:52 2009
From: anderson.levi at gmail.com (Anderson Levi)
Date: Fri, 19 Jun 2009 10:12:52 +0300
Subject: [c-nsp] Cisco SFP
In-Reply-To:
References:
Message-ID:

Thanks.

On Thu, Jun 18, 2009 at 10:49 AM, Buhrmaster, Gary wrote:
>> What are the implications of using a GLC-ZX-SM module to light a
>> stretch of 20 - 30km? Would I need to add an attenuator, given that 20km is well
>> below the 70km limit?
>
> As always, the answer is "it depends", because
> it is the optical power, not distance, but usually
> if the link is <~25km you can expect to need an
> attenuator. The typical transmit is ~ 0-5dBm,
> and the max receive power is ~ -3dBm. If you
> overload the receiver, you could damage the
> device, or shorten its life, or cause various
> physical link errors to be reported as the
> optics is overloaded.
> So, in all cases,
> measure the received power, and add in the
> needed attenuation.
>
> Reference:
>
> http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html
>
> Gary

From zhuifeng0426 at gmail.com Fri Jun 19 03:57:34 2009
From: zhuifeng0426 at gmail.com (zhuifeng0426)
Date: Fri, 19 Jun 2009 15:57:34 +0800
Subject: [c-nsp] Hello packets sending on NBMA networks
Message-ID: <200906191557329199317@gmail.com>

Hi list:

I have a question about Hello packet sending on NBMA networks. On page 79 of RFC 2328 it says:

"If the router is eligible to become Designated Router, it must periodically send Hello Packets to all neighbors that are also eligible. In addition, if the router is itself the Designated Router or Backup Designated Router, it must also send periodic Hello Packets to all other neighbors."

and:

"If the router is not eligible to become Designated Router, it must periodically send Hello Packets to both the Designated Router and the Backup Designated Router (if they exist). It must also send an Hello Packet in reply to an Hello Packet received from any eligible neighbor (other than the current Designated Router and Backup Designated Router). This is needed to establish an initial bidirectional relationship with any potential Designated Router."

So, here is a question: since all eligible routers (other than DR and BDR) won't send Hello packets to the router that is not eligible to become DR, how can these routers reply to the eligible (other than DR and BDR) routers?

2009-06-19
zhuifeng0426

From benny+usenet at amorsen.dk Fri Jun 19 04:41:12 2009
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Fri, 19 Jun 2009 10:41:12 +0200
Subject: [c-nsp] L2TPv3 and VLANs
In-Reply-To: <007e01c9f087$45aebae0$d10c30a0$@org> (Paul Stewart's message of "Thu\, 18 Jun 2009 22\:40\:12 -0400")
References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org> <4A3A5E47.1080506@umn.edu> <007e01c9f087$45aebae0$d10c30a0$@org>
Message-ID:

"Paul Stewart" writes:

> On a related note to the PS below... we have tested l2tpv3 on a few
> different boxes running various IOS images and on each of the devices we did
> test we saw the same behavior. This means something is either broken in the
> code in my opinion or that we are doing something wrong. Typically that
> means the second option in our case (lol) but I did get a fair amount of
> feedback offline from folks with similar problems....;)

Generally problems with PMTU are caused by people blocking ICMP in their (usually PIX/ASA) firewalls. If you control the whole path, you can make sure that you're not one of the culprits. On the other hand, if you're trying to reach the Internet through tunnels with non-1500-byte MTU, you'll just have to accept that it won't work. You can MSS adjust for TCP traffic though, or you can lower your interface or route MTU as workarounds.

The only real fix is either PIX/ASA administrators getting a clue, or Cisco getting a clue. Not particularly likely.

/Benny (Yes, I'm bitter.)

From drrtuy at ya.ru Fri Jun 19 05:47:48 2009
From: drrtuy at ya.ru (Roman A. Nozdrin)
Date: Fri, 19 Jun 2009 12:47:48 +0300
Subject: [c-nsp] Hello packets sending on NBMA networks
In-Reply-To: <200906191557329199317@gmail.com>
References: <200906191557329199317@gmail.com>
Message-ID: <4A3B5EC4.6010507@ya.ru>

Hello.

> So, here is a question:
> since all eligible routers (other than DR and BDR) won't send Hello packets to the router that is not eligible to become DR, how can these routers reply to the eligible (other than DR and BDR) routers?

OSPF uses the neighbor statement to send Hello to a unicast IP address in NBMA clouds. If the eligible router knows the target non-eligible router via the neighbor command, it will send Hello to it. So don't forget to put the necessary neighbor IPs when configuring the eligible router.

WBR
Roman A. Nozdrin

From peter.haag at switch.ch Fri Jun 19 08:53:59 2009
From: peter.haag at switch.ch (Peter Haag)
Date: Fri, 19 Jun 2009 14:53:59 +0200
Subject: [c-nsp] nfdump 1.6b snapshot available
Message-ID: <4A3B8A67.10801@switch.ch>

Hi all,

I'm looking for testers for a new snapshot nfdump-1.6b-snapshot=20090619 which I just put onto Sourceforge. There shouldn't be many changes from the beta code until final 1.6 stable. However, I would like users to test the new snapshot and please send me feedback about potential bugs you found.
Feel also free to send me feature requests and other ideas, which can go into next releases.

The two existing 1.5.x branches on Sourceforge for packeteer and CISCO NSEL will get merged into 1.6.1.

If you need to read flow files from nfdump-1.5.x do not forget to run configure with --enable-compat15

What changed and what's new: ( to be read from bottom to top )

o Flow-tools converter updated - supports more common elements.
o Sflow collector updated. Supports more common elements.
o Add sampling to nfdump. Sampling is automatically recognised in undocumented v5 header fields and in v9 option templates. see nfcapd.1(1)
o Add @include option for filter to include more filter files.
o Add flexible aggregation comparable to Flexible Netflow (FNF) over all available v9 tags
o All new tags can be selected in -o fmt:... see nfdump(1)
o topN stat for all new tags is implemented
o Integrate developer code to read from pcap files into stable branch
o Update filter syntax for new tags
o Add flexible storage option for nfcapd. To save disk space, the data extensions to be stored in the data file are user selectable.
o Added more v9 tags for netflow v9. The detailed tags are listed in nfcapd(1). Besides MAC addresses and VLAN labels, also MPLS labels and many more v9 tags are now supported. AS numbers and interface numbers are now 32bit clean. Adding new tags also extended the binary file format with data block type 2, which is extension based. File format for version <= 1.5.* ( Data block format type 1 ) is read transparently. ( --enable-compat15 ) Data block type 2 are skipped by nfdump 1.5.7.
o Added option for multiple netflow streams to the same port. -n
  Example: -n router1,192.168.100.1,/var/nfdump/router1
  So multiple -n options may be given at the command line. Old style syntax still works for compatibility, ( -I .. -l ... ) but then only one source is supported.
o Move to automake for building nfdump
o Make nfdump fully 64bit compliant. ( 32/64bit data alignments and access ) Compiles and runs cleanly on 32/64bit systems
o Switch scaling factor ( k, M, G ) from 1024 to 1000.

This snapshot can be used as a drop-in replacement for nfdump-1.5.x and can be used together with NfSen. However, not all new features can be used as NfSen does not yet support them.

Feedback is appreciated

Happy playing!

- Peter

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: peter.haag at switch.ch Web: http://www.switch.ch/

From geoff at pendery.net Fri Jun 19 08:35:38 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Fri, 19 Jun 2009 07:35:38 -0500
Subject: [c-nsp] the ospf 0*E2 route type can not be redistributed between two ospf process
In-Reply-To: <15453343.191691245387480644.JavaMail.coremail@bj163app61.163.com>
References: <15453343.191691245387480644.JavaMail.coremail@bj163app61.163.com>
Message-ID:

Well if you're talking "default-information originate", then the route in question is 0.0.0.0/0, default. It's special - you can't just tell an OSPF process to redistribute 0.0.0.0/0. If you want both processes to distribute default, then they both need the "default-information originate" command.

-Geoff

On Thu, Jun 18, 2009 at 11:58 PM, ying-xiang wrote:
>
> hi, folk
>
> does anyone know the reason why i can not redistribute the O*E2 route, which is generated by one ospf router using the default-information originate command, to another ospf process?
From peter.haag at switch.ch Fri Jun 19 09:08:01 2009
From: peter.haag at switch.ch (Peter Haag)
Date: Fri, 19 Jun 2009 15:08:01 +0200
Subject: [c-nsp] Incorrect netflow data from 7600/6500?
In-Reply-To:
References:
Message-ID: <4A3B8DB1.6000009@switch.ch>

> I've seen this result from multiple other Netflow tools: ntop, Orion
> NetFlow and now nfdump. The only common element is my hardware.
> I've exported flows from a 7606-SUP32 and a 6509SUP720-3B both running
> 12.2(18)SXF4. Both emit the mysterious protocol 0 flows.
>
> I think I can make the assumption there isn't a protocol in use that
> trumps both UDP and TCP traffic combined. Have I run into an IOS bug or
> did I misconfigure?

No - port 0 results from fragmented packets, most likely UDP packets > MTU size. Since the IP ID field is not tracked in a v5 Netflow record, the router can not map a fragmented packet to the appropriate flow, and simply creates a flow with port '0'.

- Peter

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: peter.haag at switch.ch Web: http://www.switch.ch/

From nic at gblx.net Fri Jun 19 09:22:14 2009
From: nic at gblx.net (Nic McCartney)
Date: Fri, 19 Jun 2009 14:22:14 +0100
Subject: [c-nsp] Long Uptime
Message-ID: <018201c9f0e0$f65e3740$e31aa5c0$@net>

Not techy, just interesting: anyone beat this uptime?
Liverpool_St_A#sho ver
Cisco Internetwork Operating System Software
IOS (tm) 3000 Software (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1996 by cisco Systems, Inc.
Compiled Mon 09-Dec-96 19:48 by athavale
Image text-base: 0x030348D8, data-base: 0x00001000

ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)

Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes
System restarted by power-on
System image file is "flash:igs-j-l.110-13", booted via flash

cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of memory.
Processor board ID 04812778, with hardware revision 00000000
Bridging software.
SuperLAT software copyright 1990 by Meridian Technology Corp).
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
TN3270 Emulation software (copyright 1994 by TGV Inc).
1 Ethernet/IEEE 802.3 interface.
2 Serial network interfaces.
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102

Liverpool_St_A#

Thanks

Nic

From ploopster at gmail.com Fri Jun 19 10:03:17 2009
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Fri, 19 Jun 2009 10:03:17 -0400
Subject: [c-nsp] Long Uptime
In-Reply-To: <018201c9f0e0$f65e3740$e31aa5c0$@net>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net>
Message-ID: <4A3B9AA5.3080704@gmail.com>

Nic McCartney wrote:
> Not techy, just interesting: anyone beat this uptime?

I can, but not on a Cisco.

Peace... Sridhar

From peter at rathlev.dk Fri Jun 19 10:08:01 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 19 Jun 2009 16:08:01 +0200
Subject: [c-nsp] Incorrect netflow data from 7600/6500?
In-Reply-To: <4A3B8DB1.6000009@switch.ch>
References: <4A3B8DB1.6000009@switch.ch>
Message-ID: <1245420481.6873.2.camel@localhost.localdomain>

On Fri, 2009-06-19 at 15:08 +0200, Peter Haag wrote:
> > I've seen this result from multiple other Netflow tools: ntop, Orion
> > NetFlow and now nfdump. The only common element is my hardware.
> > I've exported flows from a 7606-SUP32 and a 6509SUP720-3B both
> > running 12.2(18)SXF4. Both emit the mysterious protocol 0 flows.
> >
> > I think I can make the assumption there isn't a protocol in use that
> > trumps both UDP and TCP traffic combined. Have I run into an IOS
> > bug or did I misconfigure?
>
> No - port 0 results from fragmented packets, most likely UDP packets >
> MTU size. Since the IP ID field is not tracked in a v5 Netflow record,
> the router can not map a fragmented packet to the appropriate flow,
> and simply creates a flow with port '0'

Well, that would be for _port_ 0 traffic, with either TCP or UDP in the protocol field, wouldn't it? OP's traffic is "protocol 0", so IMHO Scott's point about flow mask is the best bet.

Regards,
Peter

From mustafa.golam at gmail.com Fri Jun 19 10:19:51 2009
From: mustafa.golam at gmail.com (Mustafa Golam -)
Date: Fri, 19 Jun 2009 15:19:51 +0100
Subject: [c-nsp] Long Uptime
In-Reply-To: <018201c9f0e0$f65e3740$e31aa5c0$@net>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net>
Message-ID:

Check this: http://www.networkworld.com/community/node/18932

Some of them are more stable than yours :P

//Mustafa

On Fri, Jun 19, 2009 at 2:22 PM, Nic McCartney wrote:
> Not techy, just interesting: anyone beat this uptime?

--
Mustafa Golam, CCIE, JNCIS, RHCE, CC{D,I,N,S,V}P et al.
Email : mustafa.golam at gmail.com
GSM: ++234-(7034174940)/(7060460120)
http://journey2ccie.wordpress.com/

From gustavo at nexthop.com.br Fri Jun 19 10:25:14 2009
From: gustavo at nexthop.com.br (Gustavo Rodrigues Ramos)
Date: Fri, 19 Jun 2009 11:25:14 -0300
Subject: [c-nsp] Long Uptime
In-Reply-To: <018201c9f0e0$f65e3740$e31aa5c0$@net>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net>
Message-ID: <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com>

Is this supposed to be a good thing? (not patching your systems for almost 10 years?)...

Gustavo.
On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney wrote:
> Not techy, just interesting: anyone beat this uptime?
>
> Liverpool_St_A#sho ver
> Cisco Internetwork Operating System Software
> IOS (tm) 3000 Software (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-1996 by cisco Systems, Inc.
> Compiled Mon 09-Dec-96 19:48 by athavale
> Image text-base: 0x030348D8, data-base: 0x00001000
>
> ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
> ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
>
> Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes
> System restarted by power-on
> System image file is "flash:igs-j-l.110-13", booted via flash
>
> cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of memory.
> Processor board ID 04812778, with hardware revision 00000000
> Bridging software.
> SuperLAT software copyright 1990 by Meridian Technology Corp).
> X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
> TN3270 Emulation software (copyright 1994 by TGV Inc).
> 1 Ethernet/IEEE 802.3 interface.
> 2 Serial network interfaces.
> 32K bytes of non-volatile configuration memory.
> 8192K bytes of processor board System flash (Read ONLY)
>
> Configuration register is 0x2102
>
> Liverpool_St_A#
>
>
> Thanks
>
> Nic
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From rinse.kloek at isp.solcon.nl  Fri Jun 19 10:49:00 2009
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Fri, 19 Jun 2009 16:49:00 +0200
Subject: [c-nsp] ETSI Rack mounts for 4500
In-Reply-To: <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com>
Message-ID: <4A3BA55C.6070101@isp.solcon.nl>

All,

I am looking for some ETSI rack mount ears to place some Cisco 4506's in
special Telco cabinets. The cabinets are 1,5 inch wider than the normal
19 inch cabinets. Does Cisco have these rack ears?

regards,
Rinse

From rick at woofpaws.com  Fri Jun 19 10:54:55 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Fri, 19 Jun 2009 07:54:55 -0700 (PDT)
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
Message-ID: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>

I'm not seeing anything jump out at me as different between the
Sup720(3BXL) and RSP. What am I missing?

The potential deployment is core "glue" (route-reflector, redundancy)
between border and aggregation layers. Other than BGP and OSPF, its job
would be essentially to just move packets. uRPF and BGP blackholing would
be at the border, but I'd like to pull NetFlow data from the core.

Thanks,
Rick

From Ian.Mackinnon at lumison.net  Fri Jun 19 10:58:40 2009
From: Ian.Mackinnon at lumison.net (Ian MacKinnon)
Date: Fri, 19 Jun 2009 15:58:40 +0100
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
Message-ID:

The biggie is 7600 only, not 6500 :-(
As I am sure Gert will be along shortly to say.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Rick Ernst
> Sent: 19 June 2009 15:55
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Sup720 vs RSP720 - Difference?
>
>
> I'm not seeing anything jump out at me as different between the
> Sup720(3BXL) and RSP. What am I missing?
>
> The potential deployment is core "glue" (route-reflector, redundancy)
> between border and aggregation layers. Other than BGP and OSPF, its job
> would be essentially to just move packets. uRPF and BGP blackholing would
> be at the border, but I'd like to pull NetFlow data from the core.
>
> Thanks,
> Rick
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender. Any offers or quotation of service are subject to formal
specification. Errors and omissions excepted. Please note that any views
or opinions presented in this email are solely those of the author and do
not necessarily represent those of Lumison. Finally, the recipient should
check this email and any attachments for the presence of viruses. Lumison
accept no liability for any damage caused by any virus transmitted by
this email.
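Going back to the NetFlow thread earlier in this archive: Peter Haag's explanation (a v5 record carries no IP ID, so an exporter that sees non-initial fragments cannot tie them to a flow and emits them with port 0) and Peter's follow-up that the OP's protocol-0 records are a different symptom can both be checked against the raw export rather than inferred from a collector's summary. The Python below is an added example written for this archive, not code from either poster, from nfdump or from ntop. It parses a constructed NetFlow v5 datagram (the 24-byte header and 48-byte record layout are the documented v5 wire format; the addresses, counters and the single datagram are made up for the example) and buckets each record as normal, port-0 fragment or protocol-0, with flow and octet totals so the share of each bucket can be compared with the real TCP and UDP traffic.

```python
"""Added example: parse a NetFlow v5 export datagram and sort its records
into normal flows, port-0 (fragment) flows and protocol-0 flows."""
import struct
import socket
from collections import defaultdict

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte records,
# all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30  # a v5 datagram carries at most 30 records


def parse_v5(datagram: bytes) -> list:
    """Return the records of one v5 datagram as dicts; reject malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"v5 allows at most {V5_MAX_RECORDS} records, got {count}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than the header announces")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return records


def is_well_formed(datagram: bytes) -> bool:
    """True if parse_v5 accepts the datagram; a collector should drop the rest."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def classify(rec: dict) -> str:
    """Bucket a record the way the thread separates the two symptoms.

    proto0   : no L4 protocol recorded at all. Per the thread this points at
               the flow mask / aggregation, not at fragments.
    fragment : TCP or UDP with both ports 0. The exporter saw non-initial
               fragments (no L4 header, and v5 does not track the IP ID).
    normal   : everything else.
    """
    if rec["proto"] == 0:
        return "proto0"
    if rec["proto"] in (6, 17) and rec["sport"] == 0 and rec["dport"] == 0:
        return "fragment"
    return "normal"


def summarize(datagram: bytes) -> dict:
    """Map bucket -> (flow count, octet total) for one datagram."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse_v5(datagram):
        bucket = totals[classify(rec)]
        bucket[0] += 1
        bucket[1] += rec["octets"]
    return {name: tuple(v) for name, v in totals.items()}


# --- constructed sample datagram (made up for this example, not a capture) ---
def _record(src, dst, proto, sport, dport, pkts, octets):
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                          socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                          1000, 2000, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)


def _datagram(records):
    header = V5_HEADER.pack(5, len(records), 123456, 1245420481, 0, 0, 0, 0, 0)
    return header + b"".join(records)


SAMPLE = _datagram([
    _record("10.0.0.1", "10.0.0.2", 6, 40000, 443, 10, 6000),   # ordinary TCP flow
    _record("10.0.0.3", "10.0.0.4", 17, 53000, 53, 2, 160),     # ordinary UDP flow
    _record("10.0.0.3", "10.0.0.4", 17, 0, 0, 5, 7000),          # UDP fragments: ports 0
    _record("10.0.0.5", "10.0.0.6", 0, 0, 0, 100, 150000),       # protocol 0 record
])

if __name__ == "__main__":
    for bucket, (flows, octets) in sorted(summarize(SAMPLE).items()):
        print(f"{bucket:9s} flows={flows:3d} octets={octets}")
```

Run stand-alone it prints one line per bucket; on a collector the same summarize() call can be pointed at each datagram read from the export socket. Protocol 0 is tested first, so a record with protocol 0 and both ports 0 lands in proto0 and the fragment bucket only ever holds TCP or UDP, which keeps the two symptoms the thread distinguishes apart.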
From ivan.pepelnjak at zaplana.net  Fri Jun 19 11:00:26 2009
From: ivan.pepelnjak at zaplana.net (Ivan Pepelnjak)
Date: Fri, 19 Jun 2009 17:00:26 +0200
Subject: [c-nsp] the ospf 0*E2 route type can not be redistributed between two ospf process
In-Reply-To:
References: <15453343.191691245387480644.JavaMail.coremail@bj163app61.163.com>
Message-ID: <010501c9f0ee$ae6d2140$0a00000a@nil.si>

See also http://wiki.nil.com/OSPF_default_routes for more details.

Best regards
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Geoffrey Pendery [mailto:geoff at pendery.net]
> Sent: Friday, June 19, 2009 2:36 PM
> To: ying-xiang
> Cc: cisco-nsp
> Subject: Re: [c-nsp] the ospf 0*E2 route type can not be redistributed between two ospf process
>
> Well if you're talking "default-information originate", then
> the route in question is 0.0.0.0/0, default. It's special -
> you can't just tell an OSPF process to redistribute
> 0.0.0.0/0. If you want both processes to distribute default,
> then they both need the "default-information originate" command.
>
>
> -Geoff
>
>
> On Thu, Jun 18, 2009 at 11:58 PM, ying-xiang wrote:
> >
> > hi, folks
> >
> > does anyone know the reason why i can not redistribute the O*E2
> > route generated by one ospf router using the
> > default-information originate command into another ospf process?
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>

From p.mayers at imperial.ac.uk  Fri Jun 19 11:06:10 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 19 Jun 2009 16:06:10 +0100
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
Message-ID: <4A3BA962.2030105@imperial.ac.uk>

Rick Ernst wrote:
> I'm not seeing anything jump out at me as different between the
> Sup720(3BXL) and RSP. What am I missing?

The CPU is faster. It's 7600-only. I think it's got resilient EOBC (does
the EOBC fail in the real world!?!) and there are probably some other
things.

From p.mayers at imperial.ac.uk  Fri Jun 19 11:22:19 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 19 Jun 2009 16:22:19 +0100
Subject: [c-nsp] ACE & load-balancing of DNS / ALG / inspection
Message-ID: <4A3BAD2B.1060602@imperial.ac.uk>

All,

We've recently deployed config on our ACE (blades in 6500s) to provide
resilient DNS. However, the ACE seems to be doing some kind of DNS
inspection, and is (incorrectly I think) closing the SLB session the
instant a DNS answer comes back.

This causes problems with clients that make 2 lookups very quickly, from
the same source port. i.e. I am seeing:

client sport=5000 dport=53 query id=2346 hostname A
client sport=5000 dport=53 query id=4646 hostname AAAA
server dport=5000 sport=53 reply id=2346 A=192.168.x.y

...and that's it. The 2nd reply is dropped. If the client makes the
queries "slowly" they work fine:

client sport=5000 dport=53 query id=2346 hostname A
server dport=5000 sport=53 reply id=2346 A=192.168.x.y
client sport=5000 dport=53 query id=4646 hostname AAAA
server dport=5000 sport=53 reply id=4646 AAAA=...

Our old DNS servers (via static anycast routes) and a different service
(via eBGP multipath anycast) don't exhibit the problem, so I'm certain
it's the ACE.

FYI, this causes problems with the glibc changes present in 2.10 & Fedora
11 - the glibc always tries two queries in quick succession for A and
AAAA records, and the timeouts can destroy kerberos/ldap logins...

I'm aware of the "inspect" commands, but they're off by default and I
can't "no inspect"; it tells me it's already turned off.

Does anyone know if and how I can persuade the ACE to stop being so
"clever" and just treat the DNS as "plain old UDP"?

version info is:

Software
  loader:    Version 12.2[120]
  system:    Version A2(1.1) [build 3.0(0)A2(1.1) adbuild_00:25:02-2008/06/05_/auto/adbu-rel3/rel_a2_1_1_throttle/REL_3_0_0_A2_1_1]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_1.bin
  installed license: ACE-08G-LIC ACE-SEC-LIC-K9

...and the config we're using is:

serverfarm host RECURSIVE-DNS
  transparent
  predictor leastconns
  probe TCP_53
  rserver xxx 53
    inservice
  rserver yyy 53
    inservice
  rserver www 53
    inservice
  rserver zzz 53
    inservice

class-map match-any VIP_SPONCON-DNS
  2 match virtual-address 192.168.a.b udp eq domain
  3 match virtual-address 192.168.a.b tcp eq domain

policy-map type loadbalance first-match SLB_RECURSIVE-DNS
  class class-default
    serverfarm RECURSIVE-DNS

policy-map multi-match VIPS_VLANxx
  !.. various config, then
  class VIP_SPONCON-DNS
    loadbalance vip inservice
    loadbalance policy SLB_RECURSIVE-DNS
    loadbalance vip icmp-reply
    loadbalance vip advertise

From Thomas.Sillaber at nextiraone.de  Fri Jun 19 11:32:12 2009
From: Thomas.Sillaber at nextiraone.de (Thomas.Sillaber at nextiraone.de)
Date: Fri, 19 Jun 2009 17:32:12 +0200
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rick,

here's a short overview about the diff:

- --------------------------------------------------------------------------
                                 Sup720          RSP720
MSFC                             MSFC3           MSFC4!
DRAM                             1G              up to 4G (DDR2)!
NVRAM                            2M              4M!
Bootflash                        64M             512M!
PFC                              PFC3B/BXL       PFC3C/CXL!
FIB/LFIB Entries                 1M              1M
CAM Table Size                   32k/64k         80k/96k!
IP Subscriber termination        not available   +32k
IP Forwarding                    30Mpps          30Mpps
MPLS Forwarding                  20Mpps          20Mpps
- --------------------------------------------------------------------------
PFC3CXL!
ACL Masks (IPv4/IPv6)            4k/2k    (PFC3BXL = 4k/1k)
ACL Entries (IPv4/IPv6)          32k/16k  (PFC3BXL = 32k/8k)
Hash of VLAN ID in EtherChannel  yes      (PFC3BXL = no)
- --------------------------------------------------------------------------

==> it's 76 Hw
==> Redundant EOBC is available with S Chassis

Brgds
Thomas

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iQEVAwUBSjuveWZ0NRmWJ+KQAQJzdAgAnXO1uCowH8BxPCC8MPVDjfqOnIWjl2cS
d1rU2ORhBsct6ZSSIqWC9y4xnjELhhHfXaaMEyJPrTRUX383akhlzuJbyLnolzrw
U+iym8yDyLjlPwnlyGNzM2sGm5TDohlRRh/vtyljyootqLeIHNnb87cYbNUyyX0v
wg552oTLv/BBOv7LHyMYA8SMqs/IkwvveaEzxXSXuQ1JU3B3PG5VgJ8S8+kfatoM
Gd24Mz+8TdNiyieJ6Uy22CT/o2E+yDSj+qBDEnuIkbWG0C5RvHe1iDtFuKyb2mDZ
NU3ImFbyxJzS/0o+94KueTfPkLfDKvE7Z9Ao/i2oy5bcakC2O4QoeQ==
=kmct
-----END PGP SIGNATURE-----

From paul at paulstewart.org  Fri Jun 19 11:31:50 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 19 Jun 2009 11:31:50 -0400
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
Message-ID: <000001c9f0f3$1defbe20$59cf3a60$@org>

I'm not sure about performance numbers but the biggest thing I can see is
support for 4GB RAM - for us, this is becoming an issue with BGP tables
chewing up 60% of our memory today in 3BXL's. I miss the PRP2 platform for
BGP now... thinking of moving back to GSR's in the near future on PRP3's

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Ernst
Sent: Friday, June 19, 2009 10:55 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Sup720 vs RSP720 - Difference?


I'm not seeing anything jump out at me as different between the
Sup720(3BXL) and RSP.
What am I missing?

The potential deployment is core "glue" (route-reflector, redundancy)
between border and aggregation layers. Other than BGP and OSPF, its job
would be essentially to just move packets. uRPF and BGP blackholing would
be at the border, but I'd like to pull NetFlow data from the core.

Thanks,
Rick

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From Thomas.Sillaber at nextiraone.de  Fri Jun 19 11:35:57 2009
From: Thomas.Sillaber at nextiraone.de (Thomas.Sillaber at nextiraone.de)
Date: Fri, 19 Jun 2009 17:35:57 +0200
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rick,

i forgot the cpu--

          SUP-720    RSP-720
CPU       600Mhz     1.3GHz

Brgds and have a great day

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iQEVAwUBSjuwXWZ0NRmWJ+KQAQI/2Qf/Vv9BANQJM7FF2O3If8m3T/trWrx7nSmR
A4uwexKG9QDHCO9uHkoSdz0w8ko261sdJKLDM5O7GbW7bqqdwuGmhN/nI/CiT8pE
DYt2L53L+DDBIXPdEmiKvL5HvrftAHKYxhqEraTy1hU896WOzvXdj41ZqtMbJH+l
5s9+iRJJdg3CCknkWHRFCIwARjLa2+bwwF+dz7SANsEH17+x1zcp9xAHM+HOYSXo
OayU07LPySo4+lVVgkicx/vIKGc/ucNy76RZhWlme8oTXqC/cY0SOP06QgqBnJk3
NLmtTALim2/QO9897PLyeJvM94TMMj6s1Mq8bXoYgrZ98Abv6MdLuA==
=AYCZ
-----END PGP SIGNATURE-----

From apiasecki at gmail.com  Fri Jun 19 11:42:31 2009
From: apiasecki at gmail.com (Adam Piasecki)
Date: Fri, 19 Jun 2009 11:42:31 -0400
Subject: [c-nsp] Long Uptime
In-Reply-To: <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com>
Message-ID: <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com>

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 28-Aug-02 10:25 by antonino
Image text-base: 0x80010000, data-base: 0x80528000

ROM: Bootstrap program is CALHOUN boot loader

switch02.kst.dc uptime is 6 years, 4 weeks, 4 days, 48 minutes
System returned to ROM by power-on
System restarted at 11:00:50 EST Tue May 20 2003
System image file is "flash:/c2950-i6q4l2-mz.121-11.EA1.bin"

My longest running switch.

On Fri, Jun 19, 2009 at 10:25 AM, Gustavo Rodrigues Ramos <gustavo at nexthop.com.br> wrote:
> Is this supposed to be a good thing? (not patching your systems for
> almost 10 years?)...
>
> Gustavo.
>
>
> On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney wrote:
> > Not techy, just interesting: anyone beat this uptime?
> >
> > Liverpool_St_A#sho ver
> > Cisco Internetwork Operating System Software
> > IOS (tm) 3000 Software (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1)
> > Copyright (c) 1986-1996 by cisco Systems, Inc.
> > Compiled Mon 09-Dec-96 19:48 by athavale
> > Image text-base: 0x030348D8, data-base: 0x00001000
> >
> > ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
> > ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
> >
> > Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes
> > System restarted by power-on
> > System image file is "flash:igs-j-l.110-13", booted via flash
> >
> > cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of memory.
> > Processor board ID 04812778, with hardware revision 00000000
> > Bridging software.
> > SuperLAT software copyright 1990 by Meridian Technology Corp).
> > X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
> > TN3270 Emulation software (copyright 1994 by TGV Inc).
> > 1 Ethernet/IEEE 802.3 interface.
> > 2 Serial network interfaces.
> > 32K bytes of non-volatile configuration memory.
> > 8192K bytes of processor board System flash (Read ONLY)
> >
> > Configuration register is 0x2102
> >
> > Liverpool_St_A#
> >
> >
> > Thanks
> >
> > Nic
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From nic at gblx.net  Fri Jun 19 11:52:54 2009
From: nic at gblx.net (Nic McCartney)
Date: Fri, 19 Jun 2009 16:52:54 +0100
Subject: [c-nsp] Long Uptime
In-Reply-To: <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com>
Message-ID: <024301c9f0f6$02db7e50$08927af0$@net>

Come on guys, 529 weeks = 10 yrs, nobody beat that? :)

Nic

From: Adam Piasecki [mailto:apiasecki at gmail.com]
Sent: 19 June 2009 16:43
To: Gustavo Rodrigues Ramos
Cc: Nic McCartney; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Long Uptime

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 28-Aug-02 10:25 by antonino
Image text-base: 0x80010000, data-base: 0x80528000

ROM: Bootstrap program is CALHOUN boot loader

switch02.kst.dc uptime is 6 years, 4 weeks, 4 days, 48 minutes
System returned to ROM by power-on
System restarted at 11:00:50 EST Tue May 20 2003
System image file is "flash:/c2950-i6q4l2-mz.121-11.EA1.bin"

My longest running switch.

On Fri, Jun 19, 2009 at 10:25 AM, Gustavo Rodrigues Ramos wrote:

Is this supposed to be a good thing? (not patching your systems for
almost 10 years?)...

Gustavo.

On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney wrote:
> Not techy, just interesting: anyone beat this uptime?
>
> Liverpool_St_A#sho ver
> Cisco Internetwork Operating System Software
> IOS (tm) 3000 Software (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-1996 by cisco Systems, Inc.
> Compiled Mon 09-Dec-96 19:48 by athavale
> Image text-base: 0x030348D8, data-base: 0x00001000
>
> ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
> ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
>
> Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes
> System restarted by power-on
> System image file is "flash:igs-j-l.110-13", booted via flash
>
> cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of memory.
> Processor board ID 04812778, with hardware revision 00000000
> Bridging software.
> SuperLAT software copyright 1990 by Meridian Technology Corp).
> X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
> TN3270 Emulation software (copyright 1994 by TGV Inc).
> 1 Ethernet/IEEE 802.3 interface.
> 2 Serial network interfaces.
> 32K bytes of non-volatile configuration memory.
> 8192K bytes of processor board System flash (Read ONLY)
>
> Configuration register is 0x2102
>
> Liverpool_St_A#
>
>
> Thanks
>
> Nic
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ip at ioshints.info  Fri Jun 19 12:14:31 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Fri, 19 Jun 2009 18:14:31 +0200
Subject: [c-nsp] Redirects / hair-pinning traffic vs. performance
In-Reply-To: <20090618183433.GB13882@rtp-cse-489.cisco.com>
References: <1245283261.15106.46.camel@localhost.localdomain> <1245345182.26970.13.camel@localhost.localdomain> <20090618183433.GB13882@rtp-cse-489.cisco.com>
Message-ID: <012401c9f0f9$081226a0$0a00000a@nil.si>

Just guessing: for PBR you need netflow-like TCAM entries, so the first
packet in the flow is always processor-switched and then the subsequent
packets can be hardware-switched.

Does this make sense to the switching gurus?

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Thursday, June 18, 2009 8:35 PM
> To: Peter Rathlev
> Cc: cisco-nsp
> Subject: Re: [c-nsp] Redirects / hair-pinning traffic vs. performance
>
> Curious..I don't know that platform forwarding architecture.
>
> But what does 'sh int stat' give you?
>
> Also, sh ip traffic a couple times once you start the traffic.
>
>
> On Thu, Jun 18, 2009 at 07:13:02PM +0200, Peter Rathlev wrote:
> > On Thu, 2009-06-18 at 00:01 +0000, Peter Rathlev wrote:
> > > I have the need to introduce some PBR to solve a hopefully temporary
> > > problem. Some of the traffic being routed will leave the same
> > > interface as it arrives on.
> > >
> > > My worry is if this would have any performance impact when the traffic
> > > arrives on and leaves from the same interface. I could imagine that
> > > some forwarding implementations might penalize this scenario.
> >
> > Follow up: We've tested this and it works fine. It seems to have some
> > CPU impact when the unit policy routes, but not much. When pushing 100
> > mbps traffic through the CPU rises to ~25-30% for a few seconds (spent
> > on interrupt switching) and then falls down ~5% again.
> >
> > This might be PBR-specific and have nothing to do with the traffic
> > arriving on and exiting the same interface though. We will be doing
> > some more (production) testing soon, with more flows and more
> > bandwidth. I can't see why the number of flows should matter since the
> > 3560 AFAIK just pushes packets, but I also can't see why the start of
> > a TCP session should matter. The "ip route-cache" hasn't been disabled
> > of course; I assume this would have a detrimental effect on
> > performance.
> >
> > Regards,
> > Peter
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

From rick at woofpaws.com  Fri Jun 19 12:32:25 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Fri, 19 Jun 2009 09:32:25 -0700 (PDT)
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: <000001c9f0f3$1defbe20$59cf3a60$@org>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com> <000001c9f0f3$1defbe20$59cf3a60$@org>
Message-ID: <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com>

Thanks to everyone for the feedback so far.

For my situation, the two biggest items that stand out are:
- 4GB vs 1GB RAM
- 7600 chassis only, not 6500 (planning on a 7600 chassis, though)

I'm a bit surprised that you are seeing ~60% memory used by BGP. My
border routers (4 routers, 1 full feed each) and core (route-reflectors)
are both only showing about 25% memory used, total.

Since the Sup720 (spec-wise, at least) capacity is roughly 2 orders of
magnitude higher than I'm currently pushing through the core, it looks
like it should serve for several years. The RSP720 becomes an upgrade
option if 1GB is no longer big enough for full tables (plus IPv6
roll-out?).

On the subject of memory and DFCs... do the DFCs also support 4GB for the
FIB, or is this an apples vs oranges comparison?
Thanks, On Fri, June 19, 2009 08:31, Paul Stewart wrote: > I'm not sure about performance numbers but biggest thing I can see is > support for 4GB RAM - for us, this is becoming an issue with BGP tables > chewing up 60% of our memory today in 3BXL's. I miss the PRP2 platform > for > BGP now... thinking of moving back to GSR's in the near future on PRP3's > > Paul > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Ernst > Sent: Friday, June 19, 2009 10:55 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Sup720 vs RSP720 - Difference? > > > I'm not seeing anything jump out at me as different between the > Sup720(3BXL) and RSP. What am I missing? > > The potential deployment is core "glue" (router-reflector, redundancy) > between border and aggregation layers. Other than BGP and OSPF, it's job > would be essentially to just move packets. uRPF and BGP blackholing would > be at the border, but I'd like to pull NetFlow data from the core. > > Thanks, > Rick > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From p.mayers at imperial.ac.uk Fri Jun 19 12:43:57 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 19 Jun 2009 17:43:57 +0100 Subject: [c-nsp] Sup720 vs RSP720 - Difference? In-Reply-To: <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com> References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com> <000001c9f0f3$1defbe20$59cf3a60$@org> <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com> Message-ID: <4A3BC04D.3090008@imperial.ac.uk> Rick Ernst wrote: > Thanks to everyone for the feedback so far. 
> > For my situation, the two biggest items that stand out are: > - 4GB vs 1GB RAM > - 7600 chassis only, not 6500 (planning on a 7600 chassis, though) > > I'm a bit surprised that you are seeing ~60% memory used by BGP. My > border routers (4 routers, 1 full feed each) and core (route-reflectors) > are both only showing about 25% memory used, total. I guess the poster is taking more than one full feed (see below) which consumes more ram. > > Since the Sup720 (spec-wise, at least) capacity is roughly 2 orders of > magnitude higher than I'm currently pushing through the core, it looks By "spec-wise" I assume you mean forwarding rates? The 6500/7600 platforms are indeed very fast. > like it should serve for several years. The RSP720 becomes an upgrade > option if 1GB is no longer big enough for full tables (plus IPv6 > roll-out?). > > On the subject of memory and DFCs... do the DFCs also support 4GB for the > FIB, or is this an apples vs oranges comparison? It doesn't work that way. FIB is held in TCAM, not RAM. PFC/DFCs some in two forms - XL and non-XL. XL can hold ~1M FIB entries, with some commands to divide this up between v4, v6 and so on. Notably, this is more than sufficient to hold a full table. non-XL can hold 256k entries, which is not sufficient for a full table. So, for full-table applications, ensure you get a sup with XL PFC and that *all* your linecards have XL DFCs. Also be aware, as discussed recently - holding >1 full feed on a 6500/7600 does not consume more FIB entries - it just uses sup RAM, since only one FIB entry is installed per prefix. I see in your original post you mentioned netflow - you will probably want to have a look through the archives for the (many, long) threads where people document their problems with netflow on this platform. Specifically, like the FIB, the DFCs have limited TCAM slots for netflow entries (256k/1M on non-XL/XL) and you can over-run this TCAM if you have a lot of traffic. 
If the netflow is important to you, and you're likely to have >1M flows at any given time, you might want to consider alternatives. From ayourtch at cisco.com Fri Jun 19 12:52:09 2009 From: ayourtch at cisco.com (Andrew Yourtchenko) Date: Fri, 19 Jun 2009 18:52:09 +0200 (CEST) Subject: [c-nsp] L2TPv3 and VLANs In-Reply-To: References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org> <4A3A5E47.1080506@umn.edu> <007e01c9f087$45aebae0$d10c30a0$@org> Message-ID: On Fri, 19 Jun 2009, Benny Amorsen wrote: > "Paul Stewart" writes: > >> On a related note to the PS below... we have tested lt2tpv3 on a few >> different boxes running various IOS images and on each of the devices we did >> test we seen the same behavior. This means something is either broke in the >> code in my opinion or that we are doing something wrong. Typically that >> means the second option in our case (lol) but I did get a fair amount of >> feedback offline from folks with similar problems....;) > > Generally problems with PMTU are caused by people blocking ICMP in their Somehow yesterday I correlated the original "UDP not working" comment to the "replies off list" and was thinking that we don't fragment the UDP correctly - since I assumed the PMTUD blackholing problem to be reasonably well known. Sorry, my bad. > (usually PIX/ASA) firewalls. If you control the whole path, you can make > sure that you're not one of the culprits. > > On the other hand, if you're trying to reach the Internet through > tunnels with non-1500-byte MTU, you'll just have to accept that it won't > work. You can MSS adjust for TCP traffic though or you can lower your > interface or route MTU as workarounds. The only real fix is either > PIX/ASA administrators getting a clue, or Cisco getting a clue. Not > particularly likely. Given the existence of http://www.kb.cert.org/vuls/id/222750, it's impossible to claim a simple and single answer for all, IMHO. 
I wish I could just say "fix your systems and don't bother to block the type 3 code 4", and the things would magically work. But there're always "more urgent things that need to be done yesterday" - so we are where we are. OTOH, to create a blackhole, you don't need a firewall or a firewall administrator, for that reason - "no ip unreachables" does this job pretty well too. > > > /Benny > > (Yes, I'm bitter.) > Have a good weekend. cheers, andrew From paul at paulstewart.org Fri Jun 19 12:55:17 2009 From: paul at paulstewart.org (Paul Stewart) Date: Fri, 19 Jun 2009 12:55:17 -0400 Subject: [c-nsp] Sup720 vs RSP720 - Difference? In-Reply-To: <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com> References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com> <000001c9f0f3$1defbe20$59cf3a60$@org> <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com> Message-ID: <000a01c9f0fe$c5fad7c0$51f08740$@org> Hey there... Between the two 7206's in question, we have about 280 BGP peers configured split about 60/40 between them.... ;) Paul -----Original Message----- From: Rick Ernst [mailto:rick at woofpaws.com] Sent: Friday, June 19, 2009 12:32 PM To: Paul Stewart Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Sup720 vs RSP720 - Difference? Thanks to everyone for the feedback so far. For my situation, the two biggest items that stand out are: - 4GB vs 1GB RAM - 7600 chassis only, not 6500 (planning on a 7600 chassis, though) I'm a bit surprised that you are seeing ~60% memory used by BGP. My border routers (4 routers, 1 full feed each) and core (route-reflectors) are both only showing about 25% memory used, total. Since the Sup720 (spec-wise, at least) capacity is roughly 2 orders of magnitude higher than I'm currently pushing through the core, it looks like it should serve for several years. The RSP720 becomes an upgrade option if 1GB is no longer big enough for full tables (plus IPv6 roll-out?). On the subject of memory and DFCs... 
do the DFCs also support 4GB for the FIB, or is this an apples vs oranges comparison?

Thanks,

On Fri, June 19, 2009 08:31, Paul Stewart wrote:
> I'm not sure about performance numbers but biggest thing I can see is
> support for 4GB RAM - for us, this is becoming an issue with BGP tables
> chewing up 60% of our memory today in 3BXL's. I miss the PRP2 platform
> for BGP now... thinking of moving back to GSR's in the near future on PRP3's
>
> Paul
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Ernst
> Sent: Friday, June 19, 2009 10:55 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Sup720 vs RSP720 - Difference?
>
>
> I'm not seeing anything jump out at me as different between the
> Sup720(3BXL) and RSP. What am I missing?
>
> The potential deployment is core "glue" (router-reflector, redundancy)
> between border and aggregation layers. Other than BGP and OSPF, its job
> would be essentially to just move packets. uRPF and BGP blackholing would
> be at the border, but I'd like to pull NetFlow data from the core.
>
> Thanks,
> Rick
>

From gert at greenie.muc.de Fri Jun 19 13:27:47 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 19 Jun 2009 19:27:47 +0200
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
Message-ID: <20090619172747.GX290@greenie.muc.de>

Hi,

On Fri, Jun 19, 2009 at 07:54:55AM -0700, Rick Ernst wrote:
> I'm not seeing anything jump out at me as different between the
> Sup720(3BXL) and RSP. What am I missing?

RSP has faster CPU and you are stuck to the bad guys BU.
gert
--
USENET is *not* the non-clickable part of WWW!                       //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From gert at greenie.muc.de Fri Jun 19 13:29:30 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 19 Jun 2009 19:29:30 +0200
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To:
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com>
Message-ID: <20090619172930.GY290@greenie.muc.de>

Hi,

On Fri, Jun 19, 2009 at 05:32:12PM +0200, Thomas.Sillaber at nextiraone.de wrote:
> here's a short overview about the diff:
> ----------------------------------------------------------------------------
>               Sup720        RSP720
> MSFC          MSFC3         MSFC4
> DRAM          1G            up to 4G (DDR2)
> NVRAM         2M            4M
> Bootflash     64M           512M
> PFC           PFCB/BXL      PFC3C/CXL

One should point out that there is also the Sup720-10G/3CXL (or however it's called correctly in Cisco lingua). PFC3C/3C-XL with the bigger MAC table, and 2x 10G + 3x 1G onboard.

gert
--
USENET is *not* the non-clickable part of WWW!                       //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Jun 19 13:30:40 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 19 Jun 2009 19:30:40 +0200
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com> <000001c9f0f3$1defbe20$59cf3a60$@org> <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com>
Message-ID: <20090619173040.GZ290@greenie.muc.de>

Hi,

On Fri, Jun 19, 2009 at 09:32:25AM -0700, Rick Ernst wrote:
> On the subject of memory and DFCs... do the DFCs also support 4GB for the
> FIB, or is this an apples vs oranges comparison?

The DFC is the same, and its FIB memory is limited by TCAM (1 million entries on the -XL) not by DRAM.

gert
--
USENET is *not* the non-clickable part of WWW!                       //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Jun 19 13:35:03 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 19 Jun 2009 19:35:03 +0200
Subject: [c-nsp] Long Uptime
In-Reply-To: <024301c9f0f6$02db7e50$08927af0$@net>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <024301c9f0f6$02db7e50$08927af0$@net>
Message-ID: <20090619173503.GA290@greenie.muc.de>

Hi,

On Fri, Jun 19, 2009 at 04:52:54PM +0100, Nic McCartney wrote:
> Come on guys, 529weeks = 10yrs nobody beat that ? J

Best I have is

  win-gw uptime is 9 years, 37 weeks, 4 days, 5 hours, 26 minutes
  System restarted by power-on at 11:32:23 UTC Sat Oct 2 1999
  System image file is "flash:c2500-is-l.112-15a.bin.Z", booted via flash

... but that's, well, "not 10 years yet".

OTOH this box was doing production traffic until about two weeks ago (and is now retired due to "only 10 Mbit/s ethernet and no IPv6").

11.0, wow :-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From rick at woofpaws.com Fri Jun 19 13:55:11 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Fri, 19 Jun 2009 10:55:11 -0700 (PDT)
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: <20090619173040.GZ290@greenie.muc.de>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com> <000001c9f0f3$1defbe20$59cf3a60$@org> <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com> <20090619173040.GZ290@greenie.muc.de>
Message-ID: <51675.69.30.17.85.1245434111.squirrel@www.woofpaws.com>

Thanks for all the great feedback and information, folks!

So, the Sup720/RSP720 uses DRAM to store RIB + other stuff, and the FIB is in TCAM either on the Sup (if no DFC), or on the DFC?

It looks like the extra memory on the RSP720 vs Sup720 would be good for multiple feeds, but the TCAM (potentially divided between IPv4 and IPv6) is limited to 1 million entries (2 entries per IPv6) regardless of platform?

IIRC TCAM is also used for ACLs and, as somebody else mentioned, also for Netflow? Is there a different set of TCAM between FIB, ACLs, and NetFlow, or does everything combined have to fit into the same 1M entries?

On Fri, June 19, 2009 10:30, Gert Doering wrote:
> Hi,
>
> On Fri, Jun 19, 2009 at 09:32:25AM -0700, Rick Ernst wrote:
>> On the subject of memory and DFCs... do the DFCs also support 4GB for
>> the FIB, or is this an apples vs oranges comparison?
>
> The DFC is the same, and its FIB memory is limited by TCAM (1 million
> entries on the -XL) not by DRAM.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                                    //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
>

From gert at greenie.muc.de Fri Jun 19 14:00:19 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 19 Jun 2009 20:00:19 +0200
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: <51675.69.30.17.85.1245434111.squirrel@www.woofpaws.com>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com> <000001c9f0f3$1defbe20$59cf3a60$@org> <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com> <20090619173040.GZ290@greenie.muc.de> <51675.69.30.17.85.1245434111.squirrel@www.woofpaws.com>
Message-ID: <20090619180019.GB290@greenie.muc.de>

Hi,

On Fri, Jun 19, 2009 at 10:55:11AM -0700, Rick Ernst wrote:
> So, the Sup720/RSP720 uses DRAM to store RIB + other stuff, and the FIB is
> in TCAM either on the Sup (if no DFC), or on the DFC?

Correct.

> It looks like the extra memory on the RSP720 vs Sup720 would be good for
> multiple feeds, but the TCAM (potentially divided between IPv4 and IPv6)
> is limited to 1 million entries (2 entries per IPv6) regardless of
> platform?

Correct. (256k entries if non-XL TCAM is used).

> IIRC TCAM is also used for ACLs and, as somebody else mentioned, also for
> Netflow? Is there a different set of TCAM between FIB, ACLs, and NetFlow,
> or does everything combined have to fit into the same 1M entries?

ACL and Netflow stuff goes "somewhere else" in the TCAM. The 1M entries are "just FIB" (IPv4, IPv6, MPLS, multicast).

gert
--
USENET is *not* the non-clickable part of WWW!                       //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Fri Jun 19 14:23:14 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 19 Jun 2009 20:23:14 +0200
Subject: [c-nsp] Thanks (Re: Sup720 vs RSP720 - Difference?)
In-Reply-To: <51268.69.30.17.85.1245435043.squirrel@www.woofpaws.com>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com> <000001c9f0f3$1defbe20$59cf3a60$@org> <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com> <20090619173040.GZ290@greenie.muc.de> <51675.69.30.17.85.1245434111.squirrel@www.woofpaws.com> <20090619180019.GB290@greenie.muc.de> <51268.69.30.17.85.1245435043.squirrel@www.woofpaws.com>
Message-ID: <20090619182314.GC290@greenie.muc.de>

Hi,

(I'm copying back my response to c-nsp, because it ended up longer than intended, and it might be useful to have in the archives)

On Fri, Jun 19, 2009 at 11:10:43AM -0700, Rick Ernst wrote:
> Thanks for the tremendous help you've given on the Sup/RSP question.
> I've been wading through white-papers, spec-sheets, Google, CCO, etc.
> trying to get my brain wrapped around what's going on, and none of it has
> been as useful as the information you've provided.
>
> As a note, I'm going from all software routing (7206VXR/G1, 7507/RSP16) to
> 7600 series, so my brain is not yet calibrated for proper understanding
> and knowing which questions to ask. :)

There's a tremendous wealth of information in the archives of cisco-nsp, as "us others" have had the same startup confusion as well.

There are a few important things to keep in mind:

- if a "software router" is unhappy with something, it will get "somewhat slower" because it's going to be executed in a slower software forwarding path - but in the end, it's all "software".
- if a (Cisco) "hardware router" is unhappy with a combination of features you enable, the performance will go down *drastically*, because the hardware is extremely fast and the CPU on these boxes is fairly weak (the Sup720 is slower than a NPE-G1). So check the set of desired features first - some are just not very suitable for fast-but-dumb devices. NAT is one of the border cases, reflexive ACLs are tricky, and one of the worst things is "tunnels with fragmentation". Most of this is documented, though.

- the 6500/7600 series is "a big switch with extra brains". This means that it will be less flexible in some cases than a "real router" - the most notable thing is the global VLAN space. This means that if you have "dot1q vlan 2" on one interface, and "dot1q vlan 2" on another interface, it will be the *same* vlan 2. On a "router", it's two different dot1q subinterfaces, while on the switch, it's "two trunk ports that carry the same VLAN (2)". The positive side of this is that you can play much nicer tricks with ether-channel aggregation than with "routers" - like the GSR that still can't do all possible features on an ether-channel (for the longest time, no IPv6 support at all on ether-channels...). This is really the most important thing to keep in mind: the architecture is much closer to a switch than to a "classic" router, and this has upsides and downsides.

- there are the SIP and ES cards that plug into the 6500/7600, and effectively bring their own brains - read: different bugs, different features, and different behaviour regarding VLAN space and such.

- if something you want is not shipping today, don't believe any of the promises they are going to make. Especially regarding combinations of line cards, chassis types, and supervisor boards - customers have been badly burnt by Cisco internal fights here. Make them sign that this is going to work or else they will be taking back the boxes.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From vijay.ramcharan at verizonbusiness.com Fri Jun 19 13:52:57 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 19 Jun 2009 17:52:57 +0000
Subject: [c-nsp] ACE & load-balancing of DNS / ALG / inspection
In-Reply-To: <4A3BAD2B.1060602@imperial.ac.uk>
References: <4A3BAD2B.1060602@imperial.ac.uk>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB3DD35A6@ASHEVS006.mcilink.com>

Not sure if these are applicable but may be worth looking into. Just a shot in the dark as I don't have ACEs to test with and I have not run into this particular problem myself. I think each feature is mutually exclusive.

UDP booster (high connection rates for UDP) and UDP fast-age (UDP per-packet load balancing)

http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1157547
http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1281598

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: June 19, 2009 11:22
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACE & load-balancing of DNS / ALG / inspection

All,

We've recently deployed config on our ACE (blades in 6500s) to provide resilient DNS. However, the ACE seems to be doing some kind of DNS inspection, and is (incorrectly I think) closing the SLB session the instant a DNS answer comes back.

This causes problems with clients that make 2 lookups very quickly, from the same source port. i.e.
I am seeing:

  client sport=5000 dport=53 query id=2346 hostname A
  client sport=5000 dport=53 query id=4646 hostname AAAA
  server dport=5000 sport=53 reply id=2346 A=192.168.x.y

...and that's it. The 2nd reply is dropped. If the client makes the queries "slowly" they work fine:

  client sport=5000 dport=53 query id=2346 hostname A
  server dport=5000 sport=53 reply id=2346 A=192.168.x.y
  client sport=5000 dport=53 query id=4646 hostname AAAA
  server dport=5000 sport=53 reply id=4646 AAAA=...

Our old DNS servers (via static anycast routes) and a different service (via eBGP multipath anycast) don't exhibit the problem, so I'm certain it's the ACE.

FYI, this causes problems with the glibc changes present in 2.10 & Fedora 11 - the glibc always tries two queries in quick succession for A and AAAA records, and the timeouts can destroy kerberos/ldap logins...

I'm aware of the "inspect" commands, but they're off by default and I can't "no inspect"; it tells me it's already turned off.

Does anyone know if and how I can persuade the ACE to stop being so "clever" and just treat the DNS as "plain old UDP"?

version info is:

  Software
    loader:    Version 12.2[120]
    system:    Version A2(1.1) [build 3.0(0)A2(1.1) adbuild_00:25:02-2008/06/05_/auto/adbu-rel3/rel_a2_1_1_throttle/REL_3_0_0_A2_1_1]
    system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_1.bin
    installed license: ACE-08G-LIC ACE-SEC-LIC-K9

...and the config we're using is:

serverfarm host RECURSIVE-DNS
  transparent
  predictor leastconns
  probe TCP_53
  rserver xxx 53
    inservice
  rserver yyy 53
    inservice
  rserver www 53
    inservice
  rserver zzz 53
    inservice

class-map match-any VIP_SPONCON-DNS
  2 match virtual-address 192.168.a.b udp eq domain
  3 match virtual-address 192.168.a.b tcp eq domain

policy-map type loadbalance first-match SLB_RECURSIVE-DNS
  class class-default
    serverfarm RECURSIVE-DNS

policy-map multi-match VIPS_VLANxx
!..
various config, then
  class VIP_SPONCON-DNS
    loadbalance vip inservice
    loadbalance policy SLB_RECURSIVE-DNS
    loadbalance vip icmp-reply
    loadbalance vip advertise

From sthaug at nethelp.no Fri Jun 19 14:28:36 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 19 Jun 2009 20:28:36 +0200 (CEST)
Subject: [c-nsp] Long Uptime
In-Reply-To: <20090619173503.GA290@greenie.muc.de>
References: <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <024301c9f0f6$02db7e50$08927af0$@net> <20090619173503.GA290@greenie.muc.de>
Message-ID: <20090619.202836.41666142.sthaug@nethelp.no>

> OTOH this box was doing production traffic until about two weeks ago
> (and is now retired due to "only 10 Mbit/s ethernet and no IPv6").
>
> 11.0, wow :-)

Some of us have not-so-fond memories of 8.2 - before it was called IOS :-) (Also, before CIDR, before command completion and lots of other good stuff...)

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From gtb at slac.stanford.edu Fri Jun 19 15:26:38 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Fri, 19 Jun 2009 12:26:38 -0700
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To:
References:
Message-ID:

>             SUP-720       RSP-720
> CPU         600Mhz        1.3GHz
  CPU Arch    MIPS based    PPC based
              SR71000       8548

(comparing cpu "effectiveness" between the two architecture implementations is a more complex evaluation than the frequency differences alone.)
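The ACE/DNS thread above (Phil Mayers' two back-to-back queries from one client source port) comes down to how a load balancer keys and retires UDP flows. The Python model below is an added example, not code from the thread or from Cisco: it replays the "fast" and "slow" exchanges Phil posted through two flow trackers, one that closes the 5-tuple flow on the first DNS answer (the behaviour he reports) and one that tracks outstanding transaction IDs per flow. The addresses, hostname and answer data are constructed; the DNS messages carry a minimal RFC 1035 header so the trackers read a real QR bit and transaction ID rather than a label.

```python
import struct
from dataclasses import dataclass

# Constructed addresses standing in for the thread's client and 192.168.a.b VIP.
CLIENT = "10.0.0.5"
VIP = "192.168.1.1"
A, AAAA = 1, 28


def build_dns(txid, qname, qtype, rdata=None):
    """Build a minimal DNS message (RFC 1035 header + one question).

    With rdata given, the message is a response: QR bit set and one
    answer record whose name is a compression pointer to the question.
    """
    response = rdata is not None
    flags = 0x8100 if response else 0x0100          # QR|RD, or RD only
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode()
                    for label in qname.split(".")) + b"\x00"
    msg = hdr + name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if response:
        msg += struct.pack("!HHHIH", 0xC00C, qtype, 1, 60, len(rdata)) + rdata
    return msg


def parse_dns(msg):
    """Return (transaction id, is_response) from the 12-byte header."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & 0x8000)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def query(txid, qname, qtype, sport=5000):
    return Packet(CLIENT, sport, VIP, 53, build_dns(txid, qname, qtype))


def reply(txid, qname, qtype, rdata, sport=5000):
    return Packet(VIP, 53, CLIENT, sport, build_dns(txid, qname, qtype, rdata))


class ReplyClosesFlow:
    """UDP flow keyed on the 5-tuple; the first DNS answer closes it.

    The behaviour reported in the thread: a second answer for the same
    client port finds no open flow and is dropped.
    """

    def __init__(self):
        self.flows = set()

    def forward(self, pkt):
        txid, is_reply = parse_dns(pkt.payload)
        if not is_reply:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # the forward flow
        if key not in self.flows:
            return False                                 # no session: dropped
        self.flows.discard(key)                          # answer ends the session
        return True


class ReplyClosesTransaction:
    """Flow keyed on the 5-tuple; outstanding transaction IDs tracked per flow.

    Each answer retires only its own ID, so back-to-back A and AAAA lookups
    from one source port both pass, and an answer nobody asked for is dropped.
    """

    def __init__(self):
        self.pending = {}

    def forward(self, pkt):
        txid, is_reply = parse_dns(pkt.payload)
        if not is_reply:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.pending.setdefault(key, set()).add(txid)
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        ids = self.pending.get(key)
        if not ids or txid not in ids:
            return False
        ids.discard(txid)
        if not ids:
            del self.pending[key]
        return True


def run(tracker, packets):
    """Push packets through a tracker; True = forwarded, False = dropped."""
    return [tracker.forward(p) for p in packets]


# The two exchanges from the thread, as constructed packets.
FAST = [query(2346, "host.example", A),
        query(4646, "host.example", AAAA),
        reply(2346, "host.example", A, bytes([192, 168, 1, 10])),
        reply(4646, "host.example", AAAA, bytes(16))]
SLOW = [FAST[0], FAST[2], FAST[1], FAST[3]]

if __name__ == "__main__":
    for name, pkts in (("fast", FAST), ("slow", SLOW)):
        print(name, "reply closes flow:       ", run(ReplyClosesFlow(), pkts))
        print(name, "reply closes transaction:", run(ReplyClosesTransaction(), pkts))
```

Run it directly to see the per-packet verdicts. The second tracker also drops an answer whose ID was never queried on that flow, the same check a resolver applies against forged answers, so keying on the transaction ID does not loosen the flow table compared with closing the whole flow on the first reply.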
From george at mang.gr Fri Jun 19 15:27:36 2009
From: george at mang.gr (Giorgos Manousakis)
Date: Fri, 19 Jun 2009 22:27:36 +0300
Subject: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2
Message-ID: <20090619192738.50C492FF06@geomanous.awmn>

Dear All,

I am trying to apply QoS on my aDsl interface (2048/256) and I need to give strict priority to voice traffic, including skype and g711.

I suppose that I can match the g711 by using nbar rtp audio protocol or by using source ports that are known on my asterisk server.

Because of the randomness of the skype protocol that kind of handling does not apply. I found that skype is included in nbar but only after the 12.4 version. Unfortunately I cannot upgrade the ios of my 837 because of lack of DRAM, which is not upgradable. So I tried to find a pdlm addon for skype, but it is not available for stand alone download (http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm).

Can I find anywhere a skype.pdlm file? Is there any other way that I can match this traffic? Could I try rtp audio for that one too?

Thanks

From mhuff at ox.com Fri Jun 19 15:57:36 2009
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 19 Jun 2009 15:57:36 -0400
Subject: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2
In-Reply-To: <20090619192738.50C492FF06@geomanous.awmn>
References: <20090619192738.50C492FF06@geomanous.awmn>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C381C1434E@PUR-EXCH07.ox.com>

Even with the newest Skype nbar pdlm or built-in nbar in 12.4T(x), it is pretty useless. The majority of Skype traffic is sent now encrypted over port 443. The only way I know to monitor/block it is with something like bluecoat/websense, and then only at the point of origin (since you have to proxy the ssl traffic at the source). I'd be happy to be proved wrong, but I believe, at least for now, that Skype has won the war.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff
                   | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Giorgos Manousakis
> Sent: Friday, June 19, 2009 3:28 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2
>
> Dear All,
>
> I am trying to apply QoS on my aDsl interface (2048/256) and I need to
> give strict priority to voice traffic, including skype and g711.
>
> I suppose that I can match the g711 by using nbar rtp audio protocol or
> by using source ports that are known on my asterisk server.
>
> Because of the randomness of the skype protocol that kind of handling does not
> apply. I found that skype is included in nbar but only after the 12.4 version.
> Unfortunately I cannot upgrade the ios of my 837 because of lack of DRAM,
> which is not upgradable.
> So I tried to find a pdlm addon for skype, but it is not available for
> stand alone download (http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm).
>
> Can I find anywhere a skype.pdlm file? Is there any other way that I
> can match this traffic? Could I try rtp audio for that one too?
>
> Thanks
From dudepron at gmail.com Fri Jun 19 19:46:41 2009
From: dudepron at gmail.com (Aaron)
Date: Fri, 19 Jun 2009 19:46:41 -0400
Subject: [c-nsp] Long Uptime
In-Reply-To: <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com>
Message-ID: <480dad640906191646v32ba8f92uaa5a9b63747823d9@mail.gmail.com>

If it is an OOB system and it works why not?

Aaron

On Fri, Jun 19, 2009 at 10:25, Gustavo Rodrigues Ramos <gustavo at nexthop.com.br> wrote:

> Is this supposed to be a good thing? (not patching your systems for
> almost 10 years?)...
>
> Gustavo.
>
>
> On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney wrote:
> > Not techy, just interesting anyone beat this uptime?
> >
> > Liverpool_St_A#sho ver
> > Cisco Internetwork Operating System Software
> > IOS (tm) 3000 Software (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1)
> > Copyright (c) 1986-1996 by cisco Systems, Inc.
> > Compiled Mon 09-Dec-96 19:48 by athavale
> > Image text-base: 0x030348D8, data-base: 0x00001000
> >
> > ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
> > ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
> >
> > Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes
> > System restarted by power-on
> > System image file is "flash:igs-j-l.110-13", booted via flash
> >
> > cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of memory.
> > Processor board ID 04812778, with hardware revision 00000000
> > Bridging software.
> > SuperLAT software copyright 1990 by Meridian Technology Corp).
> > X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
> > TN3270 Emulation software (copyright 1994 by TGV Inc).
> > 1 Ethernet/IEEE 802.3 interface.
> > 2 Serial network interfaces.
> > 32K bytes of non-volatile configuration memory.
> > 8192K bytes of processor board System flash (Read ONLY)
> >
> > Configuration register is 0x2102
> >
> > Liverpool_St_A#
> >
> >
> > Thanks
> >
> > Nic
> >
>

From ml at kenweb.org Fri Jun 19 20:18:39 2009
From: ml at kenweb.org (ML)
Date: Fri, 19 Jun 2009 20:18:39 -0400
Subject: [c-nsp] Incorrect netflow data from 7600/6500?
In-Reply-To: <1245420481.6873.2.camel@localhost.localdomain>
References: <4A3B8DB1.6000009@switch.ch> <1245420481.6873.2.camel@localhost.localdomain>
Message-ID: <4A3C2ADF.10304@kenweb.org>

Peter Rathlev wrote:
> On Fri, 2009-06-19 at 15:08 +0200, Peter Haag wrote:
>>> I've seen this result from multiple other Netflow tools: ntop, Orion
>>> NetFlow and now nfdump. The only common element is my hardware.
>>> I've exported flows from a 7606-SUP32 and a 6509SUP720-3B both
>>> running 12.2(18)SXF4. Both emit the mysterious protocol 0 flows.
>>>
>>> I think I can make the assumption there isn't a protocol in use that
>>> trumps both UDP and TCP traffic combined. Have I run into an IOS
>>> bug or did I misconfigure?
>> No - port 0 result from fragmented packets Most likely UDP packets >
>> MTU size. Since the IP ID field is not tracked in a v5 Netflow record,
>> the router can not map a fragmented packet to the appropriate flow,
>> and simply creates a flow with port '0'
>
> Well, that would be for _port_ 0 traffic, with either TCP or UDP in the
> protocol field, wouldn't it? OPs traffic is "protocol 0", so IMHO Scotts
> point about flow mask is the best bet.
>
> Regards,
> Peter

To provide closure to the question Scott's suggestion does work but not when the router is doing NAT.

From ayourtch at gmail.com Fri Jun 19 21:09:11 2009
From: ayourtch at gmail.com (Andrew Yourtchenko)
Date: Sat, 20 Jun 2009 03:09:11 +0200
Subject: [c-nsp] L2TPv3 and VLANs
In-Reply-To:
References: <4A3A52B5.4090509@umn.edu> <000001c9f026$b0bb05c0$12311140$@org> <4A3A5E47.1080506@umn.edu> <007e01c9f087$45aebae0$d10c30a0$@org>
Message-ID: <530c5af60906191809l3306da98ja6bb3f37b308fc3c@mail.gmail.com>

On Fri, Jun 19, 2009 at 10:41 AM, Benny Amorsen wrote:
> "Paul Stewart" writes:

> Generally problems with PMTU are caused by people blocking ICMP in their
> (usually PIX/ASA) firewalls. If you control the whole path, you can make
> sure that you're not one of the culprits.

For the topic of PMTUD blackhole, today evening I wrote up a little bit here:

http://supportwiki.cisco.com/wiki/index.php/PMTUD_blackhole

The aim was to get something that would not only be a collection of links to the multipage documents, but would also give a quick summary for the PMTUD. - and also try to view it from both the "network guy" and "security guy" point of view - and to hopefully get the two to talk as opposed to fight on who is "right". Whether I achieved that - you judge.

so, any comments, constructive flames, etc. are very welcome. As it's wiki, it's obviously editable as well.

cheers,
andrew

From cchurc05 at harris.com Fri Jun 19 21:22:15 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 19 Jun 2009 20:22:15 -0500
Subject: [c-nsp] Shaping and dialer ints 12.4(24)T vs. 15T8
Message-ID:

Can anyone confirm for me if some shaping and/or NBAR bugs were fixed between 24T and older 15T7 or T8? Platform is 870, interface is Ethernet doing PPPoE to upstream DSL modem. Under 15T, a policy applied to the physical Ethernet int that looked like this:

class-map match-any Hi-Priority
 match protocol rtp
 match protocol sip
 match protocol ssh
!
policy-map Shape-Out
 class Hi-Priority
  priority 200
 class class-default
  shape average 2048000

Didn't seem to have any effect on locally-originated traffic (no matches on SSH), nor did the shaping on class default seem to work. End result was traffic was sent without shaping, SSH wasn't prioritized, and remote access to router sucked! I figured it was just the way it worked, figured you had to apply something to the dialer int. But can't do GTS on that int. Figured I'd try a later IOS, tried 24T, and it seems to work fine. Matching SSH, and the class default counters seem fine now. Nothing appears to be needed on the dialer int after all. Just wondering if that's indeed the cause.

Thanks,

Chuck

From dale.shaw+cisco-nsp at gmail.com Fri Jun 19 21:52:37 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 20 Jun 2009 11:52:37 +1000
Subject: [c-nsp] Shaping and dialer ints 12.4(24)T vs. 15T8
In-Reply-To:
References:
Message-ID: <3329cbb40906191852n6056bdd3wa012c2a6a9bf4b9e@mail.gmail.com>

Hi Charles,

On Sat, Jun 20, 2009 at 11:22 AM, Church, Charles wrote:
> Can anyone confirm for me if some shaping and/or NBAR bugs were fixed
> between 24T and older 15T7 or T8?

Hmm, it doesn't directly match your scenario, but there were some new QoS features introduced in 12.4(20)T -- most notably "Hierarchical Queuing Framework (HQF)" -- that may have had an effect on your configuration.

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_frhqf_support.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/white_paper_c11-481499.html

I have a similar configuration to yours on my home router, but I use a top-level shaper to introduce backpressure. Partial config follows:

policy-map aardvark-queue
 class voice-sip
  bandwidth 20
 class voice-packet
  priority 96
 class class-default
  fair-queue
  random-detect
!
policy-map aardvark-shape
 class class-default
  shape average 1177000 11770 0
  service-policy aardvark-queue
!
interface FastEthernet0/1
 pppoe enable group global
 pppoe-client dial-pool-number 1
 service-policy output aardvark-shape
!
interface Dialer1
 bandwidth 1000
 bandwidth receive 12000
 ip address negotiated
 ip mtu 1492
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1

NB: I am running 12.4(15)T9.

cheers,
Dale

From alex at digriz.org.uk Sat Jun 20 08:50:43 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Sat, 20 Jun 2009 13:50:43 +0100
Subject: [c-nsp] ipv4 link-local for eigrp
Message-ID: <3i2vg6-1j.ln1@woodchuck.wormnet.eu>

Hi,

After an organisational switch refresh last year we have been fortunate enough to end up surrounded by nothing but 3750 stacks (c3750-ipbasek9-mz.122-50.SE1.bin) at the edge of the network; the core is made up by a pair of 6509's (s72033-ipservicesk9-mz.122-33.SXI.bin). As we were overhauling the network we decided to have some fun and roll out L3 to the edge to obliterate spanning-tree wherever we can. As Cisco boxen are a pain and don't let you have true 'hybrid' L2+L3 links (we still have some L2 action at the edge) and assign IP addresses to trunk links, we use 'native' VLANs to route the L3 stuff through the link.

This all works great and we are happy with it, however now things are working, I'm hoping to have a 'lessons learned' fixup of the bits that niggle at me. This ties in with the IPv6 rollout we are doing over the next few months and I thought it's worth fixing up the IPv4 stuff at the same time.

The biggest issue is all the rfc1918 usage used in the /30 used to force the L3 routes out to the edge of the network which make traceroutes ugly. I really do not want to put aside publicly routable addresses that are just used to pass EIGRP data around, as that would involve soaking up over 50 /30's, a bit of a waste.
So what to use? I am pretty keen to use link-local IPv4 addresses (169.254.0.0/16), much like I plan to for IPv6, to build up the L3 point-to-point links, and they are perfect for this situation. The downside is that I run into the following issues:

1. 169.254.0.0/16 can start to appear in the distributed EIGRP listings
2. traceroutes have 169.254.0.0/16 addresses in them
3. 169.254.0.0/16 is pingable by edge hosts as the switch they are plugged into knows of at least one 169.254.0.0/16 address. These addresses should never escape the local subnet

Now apparently I can solve the first issue by properly fixing up the way we use EIGRP, possibly involving liberal use of 'ip prefix-list' filtering or something similar?

There is *very* little online about if the second issue can even be solved on Cisco kit, but I did stumble on a suggestion to use NAT/route-maps (that would work perfectly for us as the Loopback0 interface on our kit is a non-rfc1918 address):

https://cisco.hosted.jivesoftware.com/message/4910

I could not get this to work, but I was only tinkering with it for a couple of hours. If only IOS had an 'ip icmp source interface...' command :)

I have no idea how I could fix the third issue or if it is even possible. I would have hoped the kit would have a way to say "don't route where the source, or dest, IP address is in this ACL list". I guess I could build ACL lists and place them on all the edge switches and just throw these packets into oblivion, however that would not be a global setting, instead messy per-VLAN settings surely?

So, I'm hoping someone can make some suggestions on how I could go about doing this. Suggestions on how to tackle all three issues would be great as I'm not 100% sure that I know how to solve the first two issues. Has anyone else done or heard of anyone using link-local addresses for routing between...erm...routers and then fixed the ICMP issue? Even if the advice is "well if you had xy software you could do z".
Thanks in advance for any clue you can impart onto me.

Cheers

--
Alexander Clouter
.sigmonster says: The life of a repo man is always intense.

From gert at greenie.muc.de Sat Jun 20 11:49:53 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 20 Jun 2009 17:49:53 +0200
Subject: [c-nsp] ipv4 link-local for eigrp
In-Reply-To: <3i2vg6-1j.ln1@woodchuck.wormnet.eu>
References: <3i2vg6-1j.ln1@woodchuck.wormnet.eu>
Message-ID: <20090620154953.GM290@greenie.muc.de>

Hi,

On Sat, Jun 20, 2009 at 01:50:43PM +0100, Alexander Clouter wrote:
> The biggest issue is all the rfc1918 usage used in the /30 used to force
> the L3 routes out to the edge of the network which make traceroutes
> ugly. I really do not want to put aside publicly routable addresses
> that are just used to pass EIGRP data around, as that would involve
> soaking up over 50 /30's, a bit of a waste.
>
> So what to use, I am pretty keen to use link-local IPv4 addresses
> (169.254.0.0/16) much like I plan to for IPv6 to build up the L3
> point-to-point links and they are perfect for this situation.

Using 169.254.x addresses is no better or worse than RFC1918 addresses. Just don't go there. If your routers are going to source packets from those addresses (traceroute responses or - much worse! - ICMP packet too big messages), use public addresses. That's what they are there for.

On non-ethernet point-to-point links, you could use "ip unnumbered"...

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
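Added example, not code from anyone in this thread: a small Python audit that puts numbers on the two points made above. Alexander's issues 1 and 2 are that 169.254/16 shows up in the EIGRP tables and in traceroutes; Gert's point is that a router which answers TTL-exceeded or ICMP "packet too big" from an RFC 1918 or 169.254 source has those answers dropped by most bogon filters and uRPF checks, so traceroute and path-MTU discovery break even though EIGRP itself is happy. The script flags traceroute hops that answered from such space, shows how many public /31 links (RFC 3021, two usable addresses each) a small block holds compared with /30s, and emits an IOS prefix-list plus an EIGRP outbound distribute-list that keeps the link prefixes out of what gets advertised. The traceroute text, the block 198.51.100.0/25, the prefix-list name LINKNETS and the EIGRP AS number 1 are constructed for the example. Filtering the advertisement addresses issue 1 only; it does not change which address the router sources ICMP from, which is why the links still want public addresses.

```python
"""Audit traceroute hops for non-routable router addresses and plan public
/31 point-to-point links as the replacement.

Added example for the cisco-nsp thread; it is not code from any poster.
The sample traceroute, the block 198.51.100.0/25, the prefix-list name
LINKNETS and EIGRP AS 1 are constructed for illustration.
"""
import ipaddress
import re

# Space that must never be a router's source address on a path that
# Internet traffic traverses: RFC 1918 private space and IPv4 link-local
# (RFC 3927). A TTL-exceeded or "packet too big" sourced from here is
# dropped by bogon filters and uRPF, which breaks traceroute and PMTUD.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")              # "<hop>  <rest of line>"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # dotted quads in <rest>


def is_non_routable(addr):
    """True if addr falls in RFC 1918 or 169.254/16 space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def audit_traceroute(text):
    """Return [(hop, ip)] for every hop that answered from non-routable space.

    Accepts Unix-style ("2  name (10.0.0.1)  1 ms") and IOS-style
    ("2 10.0.0.1 4 msec") hop lines; hops that did not answer ("* * *")
    carry no address and are skipped.
    """
    flagged = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ips = IPV4_RE.findall(m.group(2))
        if ips and is_non_routable(ips[0]):
            flagged.append((int(m.group(1)), ips[0]))
    return flagged


def capacity(block, prefixlen=31):
    """Number of point-to-point subnets of the given length the block holds."""
    net = ipaddress.ip_network(block)
    if prefixlen < net.prefixlen:
        return 0
    return 2 ** (prefixlen - net.prefixlen)


def plan_p2p_links(block, n_links, prefixlen=31):
    """Carve n_links point-to-point subnets out of a public block.

    /31 (RFC 3021) gives two usable addresses per link, so a /25 carries
    64 links; the same block carries only 32 links as /30s.
    """
    have = capacity(block, prefixlen)
    if have < n_links:
        raise ValueError(f"{block} holds only {have} /{prefixlen}s, need {n_links}")
    net = ipaddress.ip_network(block)
    return list(net.subnets(new_prefix=prefixlen))[:n_links]


def eigrp_link_filter(name, block, prefixlen=31):
    """IOS lines that keep the link prefixes out of what EIGRP advertises.

    Assumes loopbacks are not carved from the same block, since the
    "ge" clause also catches /32s inside it. This only stops advertisement;
    the router still sources ICMP from whatever address the link carries.
    """
    return [
        f"ip prefix-list {name} seq 5 deny {block} ge {prefixlen}",
        f"ip prefix-list {name} seq 10 permit 0.0.0.0/0 le 32",
        "!",
        "router eigrp 1",
        f" distribute-list prefix {name} out",
    ]


# Constructed traceroute output, not captured from a real network.
SAMPLE_TRACEROUTE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  edge-sw (169.254.1.1)  0.4 ms  0.3 ms  0.3 ms
 2  core-a (10.255.0.1)  0.9 ms  0.8 ms  0.8 ms
 3  border (198.51.100.1)  1.5 ms  1.4 ms  1.4 ms
 4  * * *
 5  target (192.0.2.10)  12.1 ms  12.0 ms  11.9 ms
"""

if __name__ == "__main__":
    for hop, ip in audit_traceroute(SAMPLE_TRACEROUTE):
        print(f"hop {hop} answered from non-routable {ip}")
    print(f"/31 links in 198.51.100.0/25: {capacity('198.51.100.0/25', 31)}, "
          f"/30 links: {capacity('198.51.100.0/25', 30)}")
    for link in plan_p2p_links("198.51.100.0/25", 50):
        print(link)
    print("\n".join(eigrp_link_filter("LINKNETS", "198.51.100.0/25")))
```

Run against the constructed trace it flags hops 1 and 2; the 50 links Alexander mentions fit in a public /25 as /31s (64 available) but not as /30s (32 available), which is the whole cost of taking Gert's advice.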
From alex at digriz.org.uk Sat Jun 20 11:19:24 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Sat, 20 Jun 2009 16:19:24 +0100
Subject: [c-nsp] ipv4 link-local for eigrp
References: <3i2vg6-1j.ln1@woodchuck.wormnet.eu>
Message-ID:

Alexander Clouter wrote:
>
> [snipped]
>
> So what to use, I am pretty keen to use link-local IPv4 addresses
> (169.254.0.0/16) much like I plan to for IPv6 to build up the L3
> point-to-point links and they are perfect for this situation. The
> downside is that I run into the following issues:
> 1. 169.254.0.0/16 can start to appear in the distributed EIGRP listings
> 2. traceroutes have 169.254.0.0/16 addresses in them
> 3. 169.254.0.0/16 is pingable by edge hosts as the switch they are
> plugged into knows of at least one 169.254.0.0/16 address.
> These addresses should never escape the local subnet
>
I see in the archives the first two points have been lightly touched upon before, with prefix-list filtering and some NAT. Of course I'm interested in other possible solutions or sound advice.

Cheers

--
Alexander Clouter
.sigmonster says: I *like* the chicken

From dcp at dcptech.com Sat Jun 20 12:32:59 2009
From: dcp at dcptech.com (David Prall)
Date: Sat, 20 Jun 2009 12:32:59 -0400
Subject: [c-nsp] ipv4 link-local for eigrp
In-Reply-To: References: <3i2vg6-1j.ln1@woodchuck.wormnet.eu>
Message-ID: <000901c9f1c4$de71be10$9b553a30$@com>

Use public addresses on the links and use outbound distribute-lists to stop the propagation of point-to-point links. Traceroute will continue to work, unless you use uRPF.
David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Alexander Clouter > Sent: Saturday, June 20, 2009 11:19 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ipv4 link-local for eigrp > > Alexander Clouter wrote: > > > > [snipped] > > > > So what to use, I am pretty keen to use link-local IPv4 addresses > > (169.254.0.0/16) much like I plan to for IPv6 to build up the L3 > > point-to-point links and they are perfect for this situation. The > > downside is that I run into the following issues: > > 1. 169.254.0.0/16 can start to appear in the distributed EIGRP > listings > > 2. traceroutes have 169.254.0.0/16 addresses in them > > 3. 169.254.0.0/16 is pingable by edge hosts as the switch they are > > plugged into knows of at least one 169.254.0.0/16 address. > > These addresses should never escape the local subnet > > > I see in the archives the first two points have been lightly touched > upon before, with prefix-list filterings and some NAT. Of course I'm > interested in other possible solutions or sound advice. > > Cheers > > -- > Alexander Clouter > .sigmonster says: I *like* the chicken > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From ip at ioshints.info Sat Jun 20 13:00:57 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Sat, 20 Jun 2009 19:00:57 +0200 Subject: [c-nsp] ipv4 link-local for eigrp In-Reply-To: <3i2vg6-1j.ln1@woodchuck.wormnet.eu> References: <3i2vg6-1j.ln1@woodchuck.wormnet.eu> Message-ID: <004a01c9f1c8$aef42980$0a00000a@nil.si> You could use unnumbered Ethernet VLAN subinterfaces assuming your IOS release supports them (or you could get your gear upgraded to a release that does ... 
I am utterly confused when faced with Catalyst IOS releases):

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtunvlan.html

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Alexander Clouter [mailto:alex at digriz.org.uk]
> Sent: Saturday, June 20, 2009 2:51 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ipv4 link-local for eigrp
>
> Hi,
>
> After an organisational switch refresh last year we have been
> fortunate enough to end up surrounded by nothing but
> 3750 stacks
> (c3750-ipbasek9-mz.122-50.SE1.bin) at the edge of the
> network; the core is made up by a pair of 6509's
> (s72033-ipservicesk9-mz.122-33.SXI.bin). [...]
> The biggest issue is all the rfc1918 usage used in the /30
> used to force the L3 routes out to the edge of the network
> which make traceroutes ugly. I really do not want to put
> aside publicly routable addresses that are just used to pass
> EIGRP data around, as that would involve soaking up over 50
> /30's, a bit of a waste.
>
> So what to use, I am pretty keen to use link-local IPv4 addresses
> (169.254.0.0/16) much like I plan to for IPv6 to build up the
> L3 point-to-point links and they are perfect for this
> situation. The downside is that I run into the following issues:
> 1. 169.254.0.0/16 can start to appear in the distributed
> EIGRP listings
> 2. traceroutes have 169.254.0.0/16 addresses
> in them
> 3. 169.254.0.0/16 is pingable by edge hosts as the
> switch they are
> plugged into knows of at least one 169.254.0.0/16 address.
> These addresses should never escape the local subnet
>
> Now apparently I can solve the first issue by properly fixing
> up the way we use EIGRP, possibly involving liberal use of
> 'ip prefix-list'
> filtering or something similar?
>
> There is *very* little online about if the second issue can
> even be solved on Cisco kit, but I did stumble on a
> suggestion to use NAT/route-maps (that would work perfectly
> for us as the Loopback0 interface on our kit is a non-rfc1918
> address):
>
> https://cisco.hosted.jivesoftware.com/message/4910
>
> I could not get this to work, but I was only tinkering with
> it for a couple of hours. If only IOS had an 'ip icmp source
> interface...'
> command :)

From alex at digriz.org.uk Sat Jun 20 12:32:13 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Sat, 20 Jun 2009 17:32:13 +0100
Subject: [c-nsp] ipv4 link-local for eigrp
References: <3i2vg6-1j.ln1@woodchuck.wormnet.eu> <20090620154953.GM290@greenie.muc.de>
Message-ID:

Gert Doering wrote:
>
> Hi,
>
> On Sat, Jun 20, 2009 at 01:50:43PM +0100, Alexander Clouter wrote:
>> The biggest issue is all the rfc1918 usage used in the /30 used to force
>> the L3 routes out to the edge of the network which make traceroutes
>> ugly. I really do not want to put aside publicly routable addresses
>> that are just used to pass EIGRP data around, as that would involve
>> soaking up over 50 /30's, a bit of a waste.
>>
>> So what to use, I am pretty keen to use link-local IPv4 addresses
>> (169.254.0.0/16) much like I plan to for IPv6 to build up the L3
>> point-to-point links and they are perfect for this situation.
>
> Using 169.254.x addresses is no better or worse than RFC1918 addresses.
>
Well yes, I agree but...

> Just don't go there. If your routers are going to source packets from
> those addresses (traceroute responses or - much worse! - ICMP packet too
> big messages), use public addresses. That's what they are there for.
>
I just don't want to burn publicly routable addresses on point-to-point links needlessly when there is a perfectly good routable address on Loopback0.
These links are there just to steer traffic down and distribute routing tables; the kit should not be responding with these addresses for anything...I don't want them to. I was hoping someone knew of some cunningness and/or magic trick I could call upon?

> On non-ethernet point-to-point links, you could use "ip unnumbered"...
>
Alas, it's all Ethernet here.

Cheers

--
Alexander Clouter
.sigmonster says: To err is human, but I can REALLY foul things up.

From lukasz at bromirski.net Sat Jun 20 14:19:29 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 20 Jun 2009 20:19:29 +0200
Subject: [c-nsp] ipv4 link-local for eigrp
In-Reply-To: References: <3i2vg6-1j.ln1@woodchuck.wormnet.eu> <20090620154953.GM290@greenie.muc.de>
Message-ID: <4A3D2831.2030801@bromirski.net>

On 2009-06-20 18:32, Alexander Clouter wrote:
> I just don't want to burn public routable addresses on point-to-point
> links needlessly when there is a perfectly good routable address on
> Loopback0.

You can easily run /31 on p2p links instead of /30.

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end. | http://lukasz.bromirski.net

From roger.wiklund at gmail.com Sat Jun 20 16:42:54 2009
From: roger.wiklund at gmail.com (Roger Wiklund)
Date: Sat, 20 Jun 2009 22:42:54 +0200
Subject: [c-nsp] BGP Load balance for the uplink
In-Reply-To: <4A3A6C27.1030502@gmail.com>
References: <4A3A6C27.1030502@gmail.com>
Message-ID:

How about just using maximum-path x, and then do some route maps forcing only some traffic to only use the faster link unless it's down. Then you can load balance everything else but the specific traffic. Then you might get a more even utilization of the links.
Or perhaps, if you can, try the disable-connected-check, but it probably won't work with dmzlink-bw

Regards
Roger

On Thu, Jun 18, 2009 at 6:32 PM, Georgi Genov wrote:
>
>
> Here is my scenario, I have 2 uplink providers, one with 2 backup
> sessions on two different vlans with 2x /30 ip addr and other with multihop
> bgp. First provider with the 2 sessions I have 2:1 speed compared against the
> second. I advertise at both providers the same prefix lists (2x /18 and
> one /24). dmzlink-bw is one solution, but it didn't work at multihop bgp.
> Some other suggestions?
>
> PS: Router is RSP720-3CXL-GE with Cisco IOS Software, c7600rsp72043_rp
> Software (c7600rsp72043_rp-ADVIPSERVICES-M), Version 12.2(33)SRB5a, RELEASE
> SOFTWARE (fc1)
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From copse at xy.org Sat Jun 20 16:43:58 2009
From: copse at xy.org (Roger Wiklund)
Date: Sat, 20 Jun 2009 22:43:58 +0200
Subject: [c-nsp] BGP Load balance for the uplink
In-Reply-To: References: <4A3A6C27.1030502@gmail.com>
Message-ID:

How about just using maximum-path x, and then do some route maps forcing only some traffic to only use the faster link unless it's down. Then you can load balance everything else but the specific traffic. Then you might get a more even utilization of the links.
>
> Or perhaps, if you can, try the disable-connected-check, but it probably won't
> work with dmzlink-bw
>
> Regards
> Roger
>
> On Thu, Jun 18, 2009 at 6:32 PM, Georgi Genov wrote:
>
>>
>>
>> Here is my scenario, I have 2 uplink providers, one with 2 backup
>> sessions on two different vlans with 2x /30 ip addr and other with multihop
>> bgp. First provider with the 2 sessions I have 2:1 speed compared against the
>> second. I advertise at both providers the same prefix lists (2x /18 and
>> one /24). dmzlink-bw is one solution, but it didn't work at multihop bgp.
>> Some other suggestions?
>>
>> PS: Router is RSP720-3CXL-GE with Cisco IOS Software, c7600rsp72043_rp
>> Software (c7600rsp72043_rp-ADVIPSERVICES-M), Version 12.2(33)SRB5a, RELEASE
>> SOFTWARE (fc1)
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>

From rekordmeister at gmail.com Sat Jun 20 17:44:22 2009
From: rekordmeister at gmail.com (MKS)
Date: Sat, 20 Jun 2009 21:44:22 +0000
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
Message-ID:

>I see in your original post you mentioned netflow - you will probably
>want to have a look through the archives for the (many, long) threads
>where people document their problems with netflow on this platform.
>Specifically, like the FIB, the DFCs have limited TCAM slots for netflow
>entries (256k/1M on non-XL/XL) and you can over-run this TCAM if you
>have a lot of traffic.
>
>If the netflow is important to you, and you're likely to have >1M flows
>at any given time, you might want to consider alternatives.

What alternatives are out there for a similar amount of money?
Regards
MKS

From lists at memetic.org Sat Jun 20 17:54:03 2009
From: lists at memetic.org (Adam Armstrong)
Date: Sat, 20 Jun 2009 22:54:03 +0100
Subject: [c-nsp] ipv4 link-local for eigrp
In-Reply-To: <3i2vg6-1j.ln1@woodchuck.wormnet.eu>
References: <3i2vg6-1j.ln1@woodchuck.wormnet.eu>
Message-ID: <4A3D5A7B.6050506@memetic.org>

Alexander Clouter wrote:
> Hi,
>
>
> The biggest issue is all the rfc1918 usage used in the /30 used to force
> the L3 routes out to the edge of the network which make traceroutes
> ugly. I really do not want to put aside publicly routable addresses
> that are just used to pass EIGRP data around, as that would involve
> soaking up over 50 /30's, a bit of a waste.
>
> So what to use, I am pretty keen to use link-local IPv4 addresses
> (169.254.0.0/16) much like I plan to for IPv6 to build up the L3
> point-to-point links and they are perfect for this situation. The
> downside is that I run into the following issues:
> 1. 169.254.0.0/16 can start to appear in the distributed EIGRP listings
> 2. traceroutes have 169.254.0.0/16 addresses in them
> 3. 169.254.0.0/16 is pingable by edge hosts as the switch they are
> plugged into knows of at least one 169.254.0.0/16 address.
> These addresses should never escape the local subnet
>
Using RFC address space for links that internet traffic traverses is a little bit filthy, imo. It makes a mess of traceroute and potentially sources traffic onto the internet from those addresses (which, hopefully, is subsequently dropped by filters/urpf). If you're really worried about wasting a couple of addresses, switch all of your links to /31s and bask in the knowledge that you've done more than most. We've just migrated all of our linknets from 10/8 space to publicly addressable space, partly because I believe "it's the right thing to do" and partly because it irritated customers.
IMO, using RFC space gives you no benefits, other than having saved a few addresses (it does not give *you* more addresses, it saves the world some addresses). It does, however, have a number of drawbacks.

adam.

From amolsapkal at gmail.com Sat Jun 20 18:46:48 2009
From: amolsapkal at gmail.com (Amol Sapkal)
Date: Sun, 21 Jun 2009 02:46:48 +0400
Subject: [c-nsp] PoE switches and biometric devices (strange behaviour)
Message-ID:

Hi all,

Here is the setup:
I have a PoE switch, which is connected to 2 other PoE switches. All switches are cat 3560 switches (WS-C3560G-48PS)
Biometric devices (Finger-printers) connect on to one port of each downlink switch (there are 2 downlink switches)
I have disabled inline power on all the ports of these 3 switches, as there are no PoE devices connected
The uplink cables for the downlink switches are CAT6 and under 20m.
All access ports are marked as portfast (including the biometric device's port)
IOS: 12.2(35)SE5 (IP Services)

Before the inline power was disabled, one of the switches displayed an inline power error for the biometric device's port, which on further checks with cisco.com pointed to the bug CSCeb24148 (related to Electro-static Discharge). Since then, I have upgraded the IOS, as per the recommendations.

The problem:
Before inline power was disabled, the biometric device port went down, without any logs (apart from the inline power error, which was generated only once in multiple port checks). Also, the reliability of the port goes down to 254/255. After the IOS upgrade, the switch no longer throws up the inline power issue. As a precaution, I disabled inline power on all ports using the 'power inline never' command. Still, the biometric device disconnected.
Post that, the following was done:
Cabling was changed/verified
Trunking was disabled (as this was a cascade environment with no vlans, it did not make any difference - all 3 switches belong to a single broadcast domain)
Various duplex/speed combinations were tested
Non-PoE switches were tested in standalone modes, and they did not disconnect the biometric device.
Non-PoE switches were tested in standalone modes, and in the same cabling closet, and they did not disconnect the biometric device (to verify static charge issues)
When cascaded with PoE switches, the non-PoE switches disconnected the biometric device!
The switches were configured to NOT errdisable a port on detecting a loopback

None of the above helped.

Now, I get the following logs on the non-PoE switch (3560), before the biometric device's port disconnects:

04:19:26: ILP Start PHY Cisco IP phone detection ( Fa0/48 ) Okay
04:19:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/48, changed state to down
04:19:28: %LINK-3-UPDOWN: Interface FastEthernet0/48, changed state to down

I fail to understand why the non-PoE switch is trying to detect a Cisco IP phone on a port to which the biometric device connects (port fa0/48). This is in spite of the fact that the uplink switch has been configured to disable inline power on all ports, including the downlink port. Even the other downlink switch is configured to disable inline power.

Question: Can anyone kindly help me to understand the above behaviour?
Question 2: How can I disable the detection of the Cisco IP phone on any PoE/non-PoE switch?

Another thing that I am unable to figure out is the possibility of static charge generation in the cabling closet.
--
Warm regards,
Amol Sapkal
-------------------------------------------------------------------
"When I'm not in my right mind, my left mind gets pretty crowded"
-------------------------------------------------------------------

From lukasz at bromirski.net Sun Jun 21 02:50:32 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sun, 21 Jun 2009 08:50:32 +0200
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: References: Message-ID: <4A3DD838.5000405@bromirski.net>

On 2009-06-20 23:44, MKS wrote:
> What alternatives are out there for a similar amount of money?

For example ASR 1k with RP1 or RP2 and a properly sized ESP. Look on the cisco.com site for details.

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end. | http://lukasz.bromirski.net

From lukasz at bromirski.net Sun Jun 21 02:58:45 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sun, 21 Jun 2009 08:58:45 +0200
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
In-Reply-To: <4A3BC04D.3090008@imperial.ac.uk>
References: <43692.69.30.17.85.1245423295.squirrel@www.woofpaws.com> <000001c9f0f3$1defbe20$59cf3a60$@org> <44498.69.30.17.85.1245429145.squirrel@www.woofpaws.com> <4A3BC04D.3090008@imperial.ac.uk>
Message-ID: <4A3DDA25.5050407@bromirski.net>

On 2009-06-19 18:43, Phil Mayers wrote:
> I see in your original post you mentioned netflow - you will probably
> want to have a look through the archives for the (many, long) threads
> where people document their problems with netflow on this platform.
> Specifically, like the FIB, the DFCs have limited TCAM slots for netflow
> entries (256k/1M on non-XL/XL) and you can over-run this TCAM if you
> have a lot of traffic.

Correction: NetFlow entries are 128k on non-XL and 256k on XL PFCs/DFCs.
However, it's worth noting that if the chassis is equipped with DFCs, the collection of NetFlow entries happens independently - so, theoretically, each of the DFC-equipped LCs could go up to 128k if that would be DFC3B/C, or up to 256k for DFC3BXL/3CXL.

http://cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a0080159856.html

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end. | http://lukasz.bromirski.net

From zivl at gilat.net Sun Jun 21 03:37:05 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 21 Jun 2009 10:37:05 +0300
Subject: [c-nsp] Long Uptime
In-Reply-To: <480dad640906191646v32ba8f92uaa5a9b63747823d9@mail.gmail.com>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <480dad640906191646v32ba8f92uaa5a9b63747823d9@mail.gmail.com>
Message-ID:

I second that. Besides, back then there were not so many bugs as today, as with every new feature and more complex technology also come a lot of bugs. When systems were simpler, there were fewer problems; how many times do you remember having to hard reset your PC when using DOS 6.2 because it "hung" and nothing else could be done??

Also, the exploits that might be there on such an old device are SO old that nobody will think to try; it is like trying to find a computer with the "Netbus" Trojan open for you to just hack in... heheh

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron
Sent: Saturday, June 20, 2009 2:47 AM
To: Gustavo Rodrigues Ramos
Cc: Nic McCartney; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Long Uptime

If it is an OOB system and it works why not?

Aaron

On Fri, Jun 19, 2009 at 10:25, Gustavo Rodrigues Ramos < gustavo at nexthop.com.br> wrote:
> Is this supposed to be a good thing? (not patching your systems for
> almost 10 years?)...
>
> Gustavo.
> > > On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney wrote: > > Not techy, just interesting anyone beat this uptime? > > > > Liverpool_St_A#sho ver > > Cisco Internetwork Operating System Software IOS (tm) 3000 Software > > (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1) Copyright (c) > 1986-1996 > > by cisco Systems, Inc. > > Compiled Mon 09-Dec-96 19:48 by athavale Image text-base: 0x030348D8, > > data-base: 0x00001000 > > > > ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE > > ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE > > SOFTWARE (fc1) > > > > Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes System > > restarted by power-on System image file is "flash:igs-j-l.110-13", booted > > via flash > > > > cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of > memory. > > Processor board ID 04812778, with hardware revision 00000000 Bridging > > software. > > SuperLAT software copyright 1990 by Meridian Technology Corp). > > X.25 software, Version 2.0, NET2, BFE and GOSIP compliant. > > TN3270 Emulation software (copyright 1994 by TGV Inc). > > 1 Ethernet/IEEE 802.3 interface. > > 2 Serial network interfaces. > > 32K bytes of non-volatile configuration memory. 
> > 8192K bytes of processor board System flash (Read ONLY)
> >
> > Configuration register is 0x2102
> >
> > Liverpool_St_A#
> >
> >
> > Thanks
> >
> > Nic
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From p.mayers at imperial.ac.uk Sun Jun 21 04:13:59 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 21 Jun 2009 09:13:59 +0100
Subject: [c-nsp] Sup720 vs RSP720 - Difference?
Message-ID:

Oops. Yes of course, thanks for that!

The point about distributed netflow is a good one - we'd certainly exceed the tcam limits without it

-original message-
Subject: Re: [c-nsp] Sup720 vs RSP720 - Difference?
From: Łukasz Bromirski
Date: 21/06/2009 07:58

On 2009-06-19 18:43, Phil Mayers wrote:
> I see in your original post you mentioned netflow - you will probably
> want to have a look through the archives for the (many, long) threads
> where people document their problems with netflow on this platform.
> Specifically, like the FIB, the DFCs have limited TCAM slots for netflow
> entries (256k/1M on non-XL/XL) and you can over-run this TCAM if you
> have a lot of traffic.

Correction: NetFlow entries are 128k on non-XL and 256k on XL PFCs/DFCs.

However, it's worth noting that if the chassis is equipped with DFCs, the collection of NetFlow entries happens independently - so, theoretically, each of the DFC-equipped LCs could go up to 128k if that would be DFC3B/C, or up to 256k for DFC3BXL/3CXL.

http://cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a0080159856.html

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end. | http://lukasz.bromirski.net

From eng_mssk at hotmail.com Sun Jun 21 04:14:27 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 21 Jun 2009 11:14:27 +0300
Subject: [c-nsp] OSPF
Message-ID:

hey all

I have a ring of 11 routers and I have access routers connected to these core routers. If I have, for example, a device (name it x) connected directly to core 2, and access number 1 is connected directly to core 2, and the link between device x and core 2 fails, how much time will access 1 need to reach device x across the ring? The network is based on OSPF.

Thanks
From george at mang.gr Sun Jun 21 06:51:34 2009
From: george at mang.gr (Giorgos Manousakis)
Date: Sun, 21 Jun 2009 13:51:34 +0300
Subject: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C381C1434E@PUR-EXCH07.ox.com>
Message-ID: <20090621105141.437A82FF06@geomanous.awmn>

Thanks for the reply,

Still there must be a way to prioritize (or block) skype traffic. In my scenario, just because of the small uplink bandwidth, I need to give it priority. I tried a packet capture on my pc and random ports were used. But maybe I can give priority to traffic destined to Level 3 communications... if I can define any prefixes on that...

Can I download (from anywhere) the skype nbar pdlm to give it a shot? I cannot find it.

BR

-----Original Message-----
From: Matthew Huff [mailto:mhuff at ox.com]
Sent: Friday, June 19, 2009 10:58 PM
To: 'Giorgos Manousakis'; 'cisco-nsp at puck.nether.net'
Subject: RE: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2

Even with the newest Skype nbar pdlm or built-in nbar in 12.4T(x), it is pretty useless. The majority of Skype traffic is sent now encrypted over port 443. The only way I know to monitor/block it is with something like bluecoat/websense, and then only at the point of origin (since you have to proxy the ssl traffic at the source). I'd be happy to be proved wrong, but I believe, at least for now, that Skype has won the war.

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax:
914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Giorgos Manousakis
> Sent: Friday, June 19, 2009 3:28 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2
>
> Dear All,
>
> I am trying to apply QoS on my ADSL interface (2048/256) and I need to
> give strict priority to voice traffic, including skype and g711.
>
> I suppose that I can match the g711 by using the nbar rtp audio protocol or
> by using source ports that are known on my asterisk server.
>
> Because of the randomness of the skype protocol that kind of handling does not
> apply. I found that skype is included in nbar but only after the 12.4 version.
> Unfortunately I cannot upgrade the ios of my 837 because of lack of DRAM,
> which is not upgradable.
> So I tried to find a pdlm addon for skype, but it is not available for
> stand-alone download (http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm).
>
> Can I find anywhere a skype.pdlm file? Is there any other way that I
> can match this traffic? Could I try rtp audio for that one too?
>
> Thanks
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From drrtuy at ya.ru Sun Jun 21 07:59:26 2009
From: drrtuy at ya.ru (Roman A. Nozdrin)
Date: Sun, 21 Jun 2009 14:59:26 +0300
Subject: [c-nsp] OSPF
In-Reply-To: References: Message-ID: <4A3E209E.2060502@ya.ru>

Hello.

> i have ring of 11 routers and i have access routers connected to these core routers
> if i have for example a device (name it x) connected directly to core 2 and the access number 1 is connected directly to core 2
> if the link is failed between the device x and core 2
> how much time will need access 1 to reach the device x across the ring ??
> the network is based on OSPF Are you talking about OSPF reconverge time it the situation? If you are, the answer is 4 x OSPF hello timer configured on interfaces.( by default: 40 secs for broadcast-multiaccess and point-to-point and 120 secs for NBMA links). WBR Roman A. Nozdrin From rinse.kloek at isp.solcon.nl Sun Jun 21 08:19:16 2009 From: rinse.kloek at isp.solcon.nl (Rinse Kloek) Date: Sun, 21 Jun 2009 14:19:16 +0200 Subject: [c-nsp] ETSI Rack mounts for 4500 In-Reply-To: <91dee5fc0906200524l22d6c5d2gdf358306e67e7eec@mail.gmail.com> References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <4A3BA55C.6070101@isp.solcon.nl> <91dee5fc0906200524l22d6c5d2gdf358306e67e7eec@mail.gmail.com> Message-ID: <4A3E2544.3020305@isp.solcon.nl> Those ETSI racks are about 20.5 inch width (From mounting hole to mounting hole). So the 23 inch convertors won't fit. Rinse Jeremy Parr schreef: > You can purchase generic rack extenders for 23" racks at racksolutions.com > > On 6/19/09, Rinse Kloek wrote: > >> All, >> >> I am looking for some ERSI Rack mount ears to place some Cisco 4506's in >> special Telco cabinets. The cabinets are 1,5 inch wider than the normal >> 19 inch cabinets. >> Does Cisco have these rack ears ? >> >> regards, >> Rinse >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > > From ip at ioshints.info Sun Jun 21 08:19:23 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Sun, 21 Jun 2009 14:19:23 +0200 Subject: [c-nsp] OSPF In-Reply-To: <4A3E209E.2060502@ya.ru> References: <4A3E209E.2060502@ya.ru> Message-ID: <000e01c9f26a$8421e9c0$0a00000a@nil.si> > Are you talking about OSPF reconverge time it the situation? 
> If you are, > the answer is 4 x OSPF hello timer configured on interfaces.( by > default: 40 secs for broadcast-multiaccess and > point-to-point and 120 secs for NBMA links). Plus (worst case) the LSA origination timer (default: 5 seconds) + LSA flooding timer + SPF interval (which could be exponential, default maximum value is 10 seconds). In most cases, unless you've tuned your network, you can add a few seconds to the hello timers calculation due to initial SPF delay (default: 5 seconds) Ivan http://www.ioshints.info/about http://blog.ioshints.info/ From oboehmer at cisco.com Sun Jun 21 09:47:27 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Sun, 21 Jun 2009 15:47:27 +0200 Subject: [c-nsp] OSPF LSA timers In-Reply-To: References: Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840789F869@xmb-ams-333.emea.cisco.com> Raymond Lucas <> wrote on Tuesday, June 02, 2009 08:10: > Hi, > > I have been gradually rolling out OSPF across a network including the > following bit of config: > > router ospf 172 > ispf > timers throttle lsa all 10 100 5000 > timers lsa arrival 80 > > Which was fine until I arrived at a couple of 6506s with SUP2/MSFC2 > running 12.2(17d)SXB9 which don't support those commands. Seems they were > only introduced in 12.2(18)SXF according to Software Advisor. > > We can't upgrade to 12.2(18)SXF due to a lack of memory on the switch > processors. I'm not too worried by the "ispf" business, but I have a > bad feeling about having a couple of devices different from their > neighbours with the LSA stuff. To really up the nerves, these 6506s > are are part of the core. I can imagine it working well most of the > time but then failing badly when the pressure is on. > > So I guess my questions are: > > - Am I right to be worried, or will things work fine if I miss these > commands from these devices? 
It'll work most of the time, until you run into situation where you need to issue more than one LSA update per second (for the very same LSA id). As the other devices will ignore the 2nd LSA update, you'll have to retransmit and convergence will be delayed. > - Since these timers can only be set on a per device basis, as > opposed to per interface, is there an elegant way to deal with this > scenario? Obviously I would not be keen to remove the modified timers > from the rest of the network! Well, if you really need these timers to meet your convergence targets, you're out of luck and need to upgrade the devices. I would argue, however, that you'll be able to get away with less aggressive LSA update timers (i.e. timers throttle lsa update 10 1000 5000) in most scenarios. Tuning SPF timers is usually more important.. oli From ploopster at gmail.com Sun Jun 21 13:19:58 2009 From: ploopster at gmail.com (Sridhar Ayengar) Date: Sun, 21 Jun 2009 13:19:58 -0400 Subject: [c-nsp] Long Uptime In-Reply-To: References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <480dad640906191646v32ba8f92uaa5a9b63747823d9@mail.gmail.com> Message-ID: <4A3E6BBE.4090401@gmail.com> Ziv Leyes wrote: > I second that, besides, back then, there were not so many bugs as today, as with every new feature and more complex technology comes also a lot of bugs. > When systems were simpler, there were less problems, how many times do you remember having to hard reset your PC when using DOS 6.2 because it "hanged" and nothing else could be done?? > Also, the exploits that might be there on such an old device are SO old that nobody will think to try, is like to try to find a computer with "Netbus" Trojan open for you to just hack in... heheh Besides that, there are operating systems that can be updated without a reboot. Peace... 
Sridhar From mhuff at ox.com Sun Jun 21 16:47:11 2009 From: mhuff at ox.com (Matthew Huff) Date: Sun, 21 Jun 2009 16:47:11 -0400 Subject: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2 In-Reply-To: <20090621105141.437A82FF06@geomanous.awmn> References: <483E6B0272B0284BA86D7596C40D29F9C381C1434E@PUR-EXCH07.ox.com> <20090621105141.437A82FF06@geomanous.awmn> Message-ID: <483E6B0272B0284BA86D7596C40D29F9C381C14352@PUR-EXCH07.ox.com> I'm afraid you are out of look. In order to get skype 3.0 into IOS, Cisco had to leave behind PDLM and hard code it. Even then it's pretty useless. Only solution is to get to 12.4(22)T+ ---- Matthew Huff?????? | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com? | Phone: 914-460-4039 aim: matthewbhuff? | Fax:?? 914-460-4139 -----Original Message----- From: Giorgos Manousakis [mailto:george at mang.gr] Sent: Sunday, June 21, 2009 6:52 AM To: Matthew Huff; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2 Thanks for the reply, Still there must be a way to prioritize (or block) skype traffic. In my scenario just because of the small uplink bandwidth I need to give it priority. I tried a packet capture on my pc and random ports were used. But maybe I can give priority to traffic destined to Level 3 communications... if I can define any prefixes on that... Can I download (from anywhere) skype nbar pdlm to give a shot? I cannot find it. BR -----Original Message----- From: Matthew Huff [mailto:mhuff at ox.com] Sent: Friday, June 19, 2009 10:58 PM To: 'Giorgos Manousakis'; 'cisco-nsp at puck.nether.net' Subject: RE: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2 Even with the newest Skype nbar pdlm or built-in nbar in 12.4T(x), it is pretty useless. The majority of Skype traffic is sent now encrypted over port 443. 
The only way I know to monitor/block it is with something like bluecoat/websense, and then only at the point of origin (since you have to proxy the ssl traffic at the source). I'd be happy to be proved wrong, but I believe, at least for now, that Skype has won the war. ---- Matthew Huff?????? | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff? | Fax:?? 914-460-4139 > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Giorgos Manousakis > Sent: Friday, June 19, 2009 3:28 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] QoS for skype with nbar on 837 with 12.3(11)YZ2 > > Dear All, > > i am trying to apply QoS on my aDsl interface (2048/256) and i need to > give > strict priority to voice traffic, including skype and g711. > > I suppose that i can match the g711 by using nbar rtp audio protocol or > by > using source ports that are know on my asterisk server. > > Because of randomness of skype protocol that kind of handling does not > apply. > I found that skype is included in nbar but only after 12.4 version. > Unfortunately i cannot upgrade the ios of my 837 cause of lack of DRAM, > which is not upgradable. > So i tried to find a pdlm addon for skype, but it is not available for > stand > alone download (http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm). > > Can i found anywhere a skype.pdlm file? Is there any other way that i > can > match this traffic? Could i try rtp audio for that one too? > > Thanks > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Sun Jun 21 17:05:55 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Sun, 21 Jun 2009 23:05:55 +0200 Subject: [c-nsp] Redirects / hair-pinning traffic vs. 
performance In-Reply-To: <20090618183433.GB13882@rtp-cse-489.cisco.com> References: <1245283261.15106.46.camel@localhost.localdomain> <1245345182.26970.13.camel@localhost.localdomain> <20090618183433.GB13882@rtp-cse-489.cisco.com> Message-ID: <1245618355.2946.63.camel@localhost.localdomain> On Thu, 2009-06-18 at 14:34 -0400, Rodney Dunn wrote: > Curious..I don't know that platform forwarding architecture. > > But what does 'sh int stat' give you? We've begun running some production traffic through the box now and it doesn't seem to be overly loaded by more flows, but maybe it really has to process switch "first packets". I thought the TCAM thingy was able to do a hashed lookup based on source and destination IP and thus no need to "install" flows. Interface stats for the two relevant interfaces (policy map attached to Vlan2176, policy routed traffic exits via Vlan507, non policy routed exist via next hop on same interface as it arrived): Vlan507 Switching path Pkts In Chars In Pkts Out Chars Out Processor 73750 4426830 314407 20751714 Route cache 1 90 0 0 Total 73751 4426920 314407 20751714 Vlan2176 Switching path Pkts In Chars In Pkts Out Chars Out Processor 210884 13340863 323420 21776624 Route cache 23 5081 24 5267 Total 210907 13345944 323444 21781891 And "show interfaces accounting": Vlan507 XXX Internet Protocol Pkts In Chars In Pkts Out Chars Out IP 41 3546 315061 19534782 ARP 73840 4431144 74 4440 Vlan2176 YYY Internet Protocol Pkts In Chars In Pkts Out Chars Out IP 211382 13383337 324400 20584065 ARP 571 34260 131 7860 The processor switched "Pkts In" from Vlan507 are mostly ARP. The unit has been live for a couple of days with light production traffic. 
And the route-map: route-map Inet_PBR, permit, sequence 10 Match clauses: ip address (access-lists): RMIT_XXX_sources Set clauses: ip next-hop A.B.C.D Policy routing matches: 0 packets, 0 bytes route-map Inet_PBR, permit, sequence 20 Match clauses: ip address (access-lists): RMIT_YYY_sources Set clauses: ip next-hop A.B.C.E Policy routing matches: 3 packets, 216 bytes > Also, sh ip traffic a couple times once you start the traffic. The "show ip traffic" seems only to show traffic received. Should it also show policy routed traffic? IP statistics: Rcvd: 211589 total, 211565 local destination 0 format errors, 0 checksum errors, 24 bad hop count 0 unknown protocol, 0 not a gateway 0 security failures, 0 bad options, 0 with options Opts: 0 end, 0 nop, 0 basic security, 0 loose source route 0 timestamp, 0 extended security, 0 record route 0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump 0 other Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble 0 fragmented, 0 couldn't fragment Bcast: 0 received, 0 sent Mcast: 201383 received, 630608 sent Sent: 639832 generated, 255251197 forwarded Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency 0 no route, 0 unicast RPF, 0 forced drop 0 options denied, 0 source IP address zero ICMP statistics: Rcvd: 0 format errors, 0 checksum errors, 1 redirects, 0 unreachable 144 echo, 24 echo reply, 0 mask requests, 0 mask replies, 0 quench 0 parameter, 0 timestamp, 0 info request, 0 other 0 irdp solicitations, 0 irdp advertisements Sent: 0 redirects, 108 unreachable, 25 echo, 144 echo reply 0 mask requests, 0 mask replies, 0 quench, 0 timestamp 0 info reply, 386 time exceeded, 0 parameter problem 0 irdp solicitations, 0 irdp advertisements TCP statistics: Rcvd: 6307 total, 26 checksum errors, 30 no port Sent: 4655 total UDP statistics: Rcvd: 205062 total, 0 checksum errors, 117 no port Sent: 634518 total, 0 forwarded broadcasts (... snipped irrelevant protocol counte