From ras at e-gerbil.net Sun Mar 1 13:03:53 2009 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Sun, 1 Mar 2009 12:03:53 -0600 Subject: [c-nsp] bootvar desync between RP and SP In-Reply-To: <9149d2410902272125n189f4fc0sf678a50621538b0a@mail.gmail.com> References: <20090228025216.GC51443@gerbil.cluepon.net> <9e246b4d0902271924x133a1b9g1ca5cda9204621e4@mail.gmail.com> <20090228051314.GD51443@gerbil.cluepon.net> <9149d2410902272125n189f4fc0sf678a50621538b0a@mail.gmail.com> Message-ID: <20090301180353.GM51443@gerbil.cluepon.net> On Sat, Feb 28, 2009 at 10:25:20AM +0500, M Usman Ashraf wrote: > Hi, > > What is the "boot system" command in this box configuration. router#sh run | inc boot boot-start-marker boot system flash disk0:s72033-advipservicesk9-mz.122-33.SRC3.bin boot system flash disk0:s72033-advipservicesk9-mz.122-33.SRC2.bin boot-end-marker I tried removing and readding these in IOS, but it doesn't change the SP's bootvar at all. On Sat, Feb 28, 2009 at 02:46:04PM -0500, Tim Durack wrote: > What does "show run" look like on the sp? Mine all have: > > ! > boot-start-marker > boot-end-marker > ! > > Wonder if that ever gets out of sync. Empty on all routers, both working and non-working. Seems like this is completely ignored, and the bootvar is what is passed to the SP. -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From musmanashraf at gmail.com Sun Mar 1 13:23:55 2009 From: musmanashraf at gmail.com (M Usman Ashraf) Date: Sun, 1 Mar 2009 23:23:55 +0500 Subject: [c-nsp] bootvar desync between RP and SP In-Reply-To: <20090301180353.GM51443@gerbil.cluepon.net> References: <20090228025216.GC51443@gerbil.cluepon.net> <9e246b4d0902271924x133a1b9g1ca5cda9204621e4@mail.gmail.com> <20090228051314.GD51443@gerbil.cluepon.net> <9149d2410902272125n189f4fc0sf678a50621538b0a@mail.gmail.com> <20090301180353.GM51443@gerbil.cluepon.net> Message-ID: <9149d2410903011023u251c5a2aje52d9c210d65afb4@mail.gmail.com> Hi, In our case the difference between boot variable on SP and RP was due to "boot system" command. When it was boot system disk0:c7600s72033-advipservicesk9-mz.122-33.SRC.bin", router used to boot from sup-bootflash image, and like you, we had to break the boot sequence and then had to type new image name. When we changed "boot system" command to, boot-start-marker boot system flash disk0:c7600s72033-advipservicesk9-mz.122-33.SRC.bin boot-end-marker and then had to retype config register value to 0x2102, save and reload. Since then everything is fine. However in you case everthing seems to be ok. On Sun, Mar 1, 2009 at 11:03 PM, Richard A Steenbergen wrote: > On Sat, Feb 28, 2009 at 10:25:20AM +0500, M Usman Ashraf wrote: > > Hi, > > > > What is the "boot system" command in this box configuration. > > router#sh run | inc boot > boot-start-marker > boot system flash disk0:s72033-advipservicesk9-mz.122-33.SRC3.bin > boot system flash disk0:s72033-advipservicesk9-mz.122-33.SRC2.bin > boot-end-marker > > I tried removing and readding these in IOS, but it doesn't change the > SP's bootvar at all. > > On Sat, Feb 28, 2009 at 02:46:04PM -0500, Tim Durack wrote: > > What does "show run" look like on the sp? Mine all have: > > > > ! > > boot-start-marker > > boot-end-marker > > ! > > > > Wonder if that ever gets out of sync. > > Empty on all routers, both working and non-working. Seems like this is > completely ignored, and the bootvar is what is passed to the SP. > > -- > Richard A Steenbergen http://www.e-gerbil.net/ras > GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) > -- Regards, M Usman Ashraf From asadh at comcast.net Sun Mar 1 17:27:18 2009 From: asadh at comcast.net (asadh at comcast.net) Date: Sun, 1 Mar 2009 22:27:18 +0000 (UTC) Subject: [c-nsp] Which OID provides SP Memory stats on Sup720-3B In-Reply-To: <240914582.865311235946144653.JavaMail.root@sz0032a.westchester.pa.mail.comcast.net> Message-ID: <1668770281.866501235946438793.JavaMail.root@sz0032a.westchester.pa.mail.comcast.net> I am trying use SNMP to get MemoryUsed and MemoryFree from SUP720-3B SP. Is there a particular OID that can be used to get this information? I've OIDs which work for RP but the OIDs for SP seem to be different for each 6509-E chassis. For example, I walked three 6509-Es with Sup720-3B, installed in slot 5 and resulting OID is different on each chassis. Sup720-3B in slot 5, running 12.2(33)SXI snmpwalk -v1 -c irishspring test -dist-01 1.3.6.1.4.1.9.9.221.1.1.1.1.7 CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.5001.1 = Gauge32: 127996892 (SP Processor Mem) CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.5001.2 = Gauge32: 2082350 4 (SP IO Mem) CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.5017.1 = Gauge32: 121830752 (RP Processor Mem) CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.5017.2 = Gauge32: 21605592 (R P IO Mem) Sup720-3B in slot 5, running 12.2(18)SXF10 snmpwalk -v1 -c irishspring test -dist-02 1.3.6.1.4.1.9.9.221.1.1.1.1.7 CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.2001.1 = Gauge32: 70445456 (SP Processor Mem) CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.2001.2 = Gauge32: 15705552 (SP IO Mem) CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.2017.1 = Gauge32: 82511200 (RP Processor Mem) CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.2017.2 = Gauge32: 16487640 (RP IO Mem) Sup720-3B in slot 5, running 12.2(33)SXI snmpwalk -v1 -c irishspring test -dist-03 1.3.6.1.4.1.9.9.221.1.1.1.1.7 CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.6001.1 = Gauge32: 128474820 (SP Processor Mem) CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.6001.2 = Gauge32: 20823504 (SP IO Mem) CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.6017.1 = Gauge32: 141062428 (RP Processor Mem) CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolUsed.6017.2 = Gauge32: 21605592 (RP IO Mem) Above OIDs also change upon reboot. Is there an easier?method or different OID to get memory information on SP? Thanks in advance. -Asad From David at hughes.com.au Sun Mar 1 17:13:59 2009 From: David at hughes.com.au (David Hughes) Date: Mon, 2 Mar 2009 08:13:59 +1000 Subject: [c-nsp] Odd request to anyone who has a switch capable of EoMPLS In-Reply-To: References: Message-ID: On 28/02/2009, at 12:15 AM, Jason Lixfeld wrote: > I need to know whether or not a switch port from a 6500/7600 or > ME6500 (or any other switch series that does EoMPLS) that is > configured for EoMPLS (xconnect ) still transmits STP BPDUs > while the EoMPLS tunnel is up (or down for that matter). On Cat6k you can only configure EoMPLS xconnects on a layer 3 interface, not a switch port.. Any BPDUs you get are from the other end of the VC. Thanks David ... From sam+cisco-nsp at australiaonline.net.au Sun Mar 1 19:45:22 2009 From: sam+cisco-nsp at australiaonline.net.au (Sam Tilders) Date: Mon, 02 Mar 2009 11:45:22 +1100 Subject: [c-nsp] packet loss between adjacent ciscos In-Reply-To: <200902272248.30103.mtinka@globaltransit.net> References: <20090227162830.xbtdn6m8jyss40sg@webmail2.australiaonline.net.au> <200902272248.30103.mtinka@globaltransit.net> Message-ID: <20090302114522.h7m2au9v8kwk4c88@webmail2.australiaonline.net.au> Quoting Mark Tinka : > On Friday 27 February 2009 01:28:30 pm Sam Tilders wrote: > >> So, I was wondering if this sounds familiar to anyone or >> if there is anything someone might be able to suggest to >> further investigate or resolve this issue. > > Does this affect all other traffic running across this > switch, or just the VoIP customer? Mark, It appears to affect all traffic. For example an SSH session to a host that has to pass across the link between the router and switch will pause at the same moment that the ping misses a packet and the voip is silent. - Sam From md at bts.sk Mon Mar 2 03:29:22 2009 From: md at bts.sk (Marian =?utf-8?B?xI51cmtvdmnEjQ==?=) Date: Mon, 2 Mar 2009 09:29:22 +0100 Subject: [c-nsp] Cat3560E - insufficient buffers for microbursts? Message-ID: <20090302082922.GA35030@bts.sk> Hi all, recently we replaced some of our access switches by Cat3560E models. After the change, we noticed a significant rise of dropped packets on outgoing interfaces. Closer investigation showed, that for some reason, Cat3560E is doing significantly less output buffering than all other Cisco access switches. While Cat2960G, Cat3550, Cat3560G and Cat3750G happily buffer any microburst upto 100 full size (1500 byte) packets, Cat3560E only buffers upto 64 full size packets and starts dropping beginning with 65-th packet. This was rather bad surprise, since the Cat3560E is supposed to have 10GE uplinks - and with 10:1 or 100:1 speed downshift from uplink into access ports decent buffering is vital for proper operation. Does anyone have an idea what's the reason for this behaviour - i.e. were the ASIC buffers significantly reduced on Cat3560E models or is this just wrong IOS defaults? Are there any CLI knobs to tune output buffering in FIFO mode of operation (no mls qos)? Thanks & kind regards, M. P.S. This behaviour could be reproduced by e.g. sending 1500 byte packets at gigabit ethernet wire rate through the switch to another device, which is connected at lower speed (10 or 100 Mbps). From ian.mackinnon at lumison.net Mon Mar 2 04:01:15 2009 From: ian.mackinnon at lumison.net (Ian MacKinnon) Date: Mon, 02 Mar 2009 09:01:15 +0000 Subject: [c-nsp] mls qos vlan-based issues In-Reply-To: References: Message-ID: <49ABA05B.40703@lumison.net> Hi Leslie, I am seeing something similar, but I am not seeing policing in either direction :-) 12.2(33)SXH when I check with sh policy-map interface, I do not see the exceed counters incrementing. On 27/02/2009 20:14, Leslie Meade wrote: > I have an issue that I cannot work out. > > I had all my policing statements working, when I had my asa's plugged > into an old 6509 via a fiber port that was trunked on both ends and the > ports that the asa's were plugged into were normal switch ports. > > I have now plugged them directly into the new 6509 and now I am only > getting policing on downloads only. > > > > policy-map 8_Mb_Internet > > class class-default > > police cir 8388500 bc 265625 be 265625 conform-action transmit > exceed-action drop violate-action drop > > > > interface GigabitEthernet5/8 > > switchport > > switchport trunk encapsulation dot1q > > switchport mode trunk > > no ip address > > mls qos vlan-based > > > > interface Vlan16 > > ip address 10.1.16.2 255.255.255.0 > > ip access-group Productions in > > ip helper-address 10.1.6.10 > > no ip redirects > > no ip unreachables > > ip flow ingress > > ip route-cache flow > > no ip mroute-cache > > mls netflow sampling > > standby 15 ip 10.1.16.1 > > standby 15 priority 250 > > standby 15 preempt > > service-policy input 8_Mb_Internet > > service-policy output 8_Mb_Internet > > > > Any ideas what could be causing the qos to police only downloads and not > up loads ? > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Ian MacKinnon Lumison t: 0845 1199 900 d: 0131 514 4055 P.S. Do you love Lumison? p.s. Looking for remote access? Chat to our team about our award winning broadband and VoIP solutions for remote and home working, or visit www.lumison.net -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email. From manafo at hotmail.com Mon Mar 2 04:27:27 2009 From: manafo at hotmail.com (Manaf Al Oqlah) Date: Mon, 2 Mar 2009 11:27:27 +0200 Subject: [c-nsp] DHCP Binding Expiration In-Reply-To: References: <49906CFE.7040407@justinshore.com><200902092022.14601.lowen@pari.edu> Message-ID: Yes, I've noticed that all affected clients are BOOTP clients! -------------------------------------------------- From: "Buhrmaster, Gary" Sent: Sunday, February 15, 2009 7:51 AM To: Subject: Re: [c-nsp] DHCP Binding Expiration > > >> >> BOOTP. >> > > Have not used the IOS dhcp server in a long > time (the ISC dhcp server is far more capable), > but when I did, I vaguely recall adding these > commands which eliminated the infinite lease > times in my specific environment (which were > all traced down to bootp requests): > > no ip bootp server > ip dhcp bootp ignore > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From sthaug at nethelp.no Mon Mar 2 04:41:26 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Mon, 02 Mar 2009 10:41:26 +0100 (CET) Subject: [c-nsp] Cat3560E - insufficient buffers for microbursts? In-Reply-To: <20090302082922.GA35030@bts.sk> References: <20090302082922.GA35030@bts.sk> Message-ID: <20090302.104126.74722994.sthaug@nethelp.no> > Closer investigation showed, that for some reason, Cat3560E is doing > significantly less output buffering than all other Cisco access switches. > While Cat2960G, Cat3550, Cat3560G and Cat3750G happily buffer any > microburst upto 100 full size (1500 byte) packets, Cat3560E only buffers > upto 64 full size packets and starts dropping beginning with 65-th packet. > This was rather bad surprise, since the Cat3560E is supposed to have > 10GE uplinks - and with 10:1 or 100:1 speed downshift from uplink into > access ports decent buffering is vital for proper operation. We experienced the same problem with ME3400 switches. It has extremely small buffers by default - the queue size is in units of 256 byte, and default queue size is only 48 of these. We got around this by configuring shaping (which is possible on the ME3400) and setting queue-limit 256 in the policy-map. The problem seems to be resolved in 12.2(46), note the following point from the release notes: > CSCsm80634 > > The default queue limit for QoS has been changed from 48 to 160 > (256-byte) packets. I wouldn't be surprised if 3560E has similar behavior (but I haven't checked). Steinar Haug, Nethelp consulting, sthaug at nethelp.no From ibrahim.abozaid at gmail.com Mon Mar 2 05:01:10 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Mon, 2 Mar 2009 12:01:10 +0200 Subject: [c-nsp] CCIE Lab tools Message-ID: Hi All I have a question about CCIE Lab exam , we heard many stories about some exam trick and IOS bugs which causes technologies to fail and losing point so is there any tool available in the exam to identify if there is IOS bug cause this problem ? i know there is documentation tool but that states technologies configuration task list not technologies interworking problems ? best regards --Ibrahim From zhqasmi at cyber.net.pk Mon Mar 2 05:03:54 2009 From: zhqasmi at cyber.net.pk (Amjad Ul Hasnain Qasmi) Date: Mon, 02 Mar 2009 15:03:54 +0500 Subject: [c-nsp] No. of VRF supported Message-ID: <006c01c99b1e$32a3ce90$97eb6bb0$@net.pk> Hi All, I would like to know the max. number of VRF supported on Cisco 7206VXR (NPE-G2) and Cisco 10K. Regards, AHQ From mihai.todor at datanets.ro Mon Mar 2 05:18:34 2009 From: mihai.todor at datanets.ro (Mihai Todor) Date: Mon, 2 Mar 2009 12:18:34 +0200 Subject: [c-nsp] high cpu load not by processes In-Reply-To: <499D912E.3020301@umn.edu> References: <006001c992af$f5648ef0$e02dacd0$@todor@datanets.ro> <499D912E.3020301@umn.edu> Message-ID: <004b01c99b20$3e787430$bb695c90$@todor@datanets.ro> Thanks for the tip! In my case though there were no single processes loading the cpu: #sh proc cpu | e 0.00 CPU utilization for five seconds: 48%/35%; one minute: 32%; five minutes: 32% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 196 21322228 427846338 49 0.31% 0.16% 0.17% 0 IP Input 460 5474156 285374 19182 0.55% 0.07% 0.03% 0 BGP Scanner 466 2868 6596 434 11.59% 0.96% 0.23% 1 Virtual Exec A nice command to check how much traffic goes to the cpu: #show ibc Interface information: Interface IBC0/0(idb 0x13764774) 5 minute rx rate 285758000 bits/sec, 23046 packets/sec 5 minute tx rate 594270000 bits/sec, 91869 packets/sec 110219721075 packets input, 170099314990812 bytes 109544766443 broadcasts received 218978746093 packets output, 173382310588137 bytes 283552367 broadcasts sent 0 Bridge Packet loopback drops 109343818646 Packets CEF Switched, 8 Packets Fast Switched 0 Packets SLB Switched, 0 Packets CWAN Switched Label switched pkts dropped: 0 0 total martian ip v4 packets dropped Xconnect pkts processed: 0, dropped: 0 Total paks copied for process level 0 Total throttle drops 612719 Input queue drops 2662 IBC resets = 1; last at 09:35:51.771 UTC Mon Aug 11 2008 Dev_Instance=0x1377F774 In our case the load was caused by packet fragmentation performed by the CPU in interrupt mode I suppose. Cheers, Mihai -----Original Message----- From: Ge Moua [mailto:moua0100 at umn.edu] Sent: Thursday, February 19, 2009 7:05 PM To: Mihai Todor Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] high cpu load not by processes sh proc cpu | ex 0.00 sh proc cpu detailed [pid] | ex 0.00 Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Mihai Todor wrote: > Hello, > > Do you have any ideea on how to see what interrups are loading a router's > CPU? > > We're experiencing a high cpu load (60%) on a router, yet resources are not > consumed by processes. Some background info - the machine is a 7609-S router > with redundant SUP720-3BXL supervizors having a PE role. > > Thanks! > > Mihai > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From oboehmer at cisco.com Mon Mar 2 07:04:27 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 2 Mar 2009 13:04:27 +0100 Subject: [c-nsp] No. of VRF supported In-Reply-To: <006c01c99b1e$32a3ce90$97eb6bb0$@net.pk> References: <006c01c99b1e$32a3ce90$97eb6bb0$@net.pk> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406F46F64@xmb-ams-333.emea.cisco.com> Amjad Ul Hasnain Qasmi <> wrote on Monday, March 02, 2009 11:04: > I would like to know the max. number of VRF supported on Cisco 7206VXR > (NPE-G2) and Cisco 10K. "it depends".. Don't think there is a hard/fixed limit on the 7200, we used to recommend not more than 1000 (NPE-G2 can push more, possibly), but it depends on the control-plane features being used (i.e. routing protocols) and also the number of routes/vrf.. I think the 10k PRE2/PRE3 supports 4k VRFs, but with the same caveat.. oli From blahu77 at gmail.com Mon Mar 2 08:24:00 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Mon, 2 Mar 2009 13:24:00 +0000 (IST) Subject: [c-nsp] Cat3560E - insufficient buffers for microbursts? In-Reply-To: <20090302.104126.74722994.sthaug@nethelp.no> Message-ID: We are seeing similar problem not to be able to achieve good thorughput speeds even with 12.2(46). 2009/3/2 : > We got around this by configuring > shaping (which is possible on the ME3400) and setting queue-limit 256 in > the policy-map. The problem seems to be resolved in 12.2(46), note the > following point from the release notes: > >> CSCsm80634 >> >> The default queue limit for QoS has been changed from 48 to 160 >> (256-byte) packets. 27x 1500B packets is still low.. so I guess the shaping/policy-map is still needed. -- pgp-key 0x1C655CAB -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 270 bytes Desc: OpenPGP digital signature URL: From bennetb at gmail.com Mon Mar 2 11:23:49 2009 From: bennetb at gmail.com (Brandon Bennett) Date: Mon, 2 Mar 2009 09:23:49 -0700 Subject: [c-nsp] CCIE Lab tools In-Reply-To: References: Message-ID: On Mon, Mar 2, 2009 at 3:01 AM, Ibrahim Abo Zaid wrote: > Hi All > > I have a question about CCIE Lab exam , we heard many stories about some > exam trick and IOS bugs which causes technologies to fail and losing point > so is there any tool available in the exam to identify if there is IOS bug > cause this problem ? i know there is documentation tool but that states > technologies configuration task list not technologies interworking problems > ? > > Those people are just trying to justify why they failed and blame external issues instead of "incompetence". You will not run into a bug during the exam. If you think you have you can call over the proctor, he will let you know if it is a bug or not but 99.9% of the time it won't be. Don't get hung up on the stories of people failing and the reasons why. The reason always boils down to not enough studying. -Brandon CCIE #19406 From nrauhauser at gmail.com Mon Mar 2 12:24:38 2009 From: nrauhauser at gmail.com (neal rauhauser) Date: Mon, 2 Mar 2009 11:24:38 -0600 Subject: [c-nsp] finding bad actors on Cat 2924 ports Message-ID: <9515c62d0903020924y38c48f08i92c8420d265f8952@mail.gmail.com> I have a Cat 2924 with a port facing an old Waverider radio. I've got about 80 MACs live on the interface, it's got a steady 5% error rate, and the net effect is that it's behaving like WRED with a nearly full cue - traffic for all slows to a crawl. I've been fiddling with it a bit trying to come up with a way to sort out which remote MAC is the source of the mangled frames and I'm having no luck. Let's keep in mind that it's 18F here today with a nice, stiff breeze and the machine in question is 120' up in the top of an old grain elevator. Something in an snmpwalk that would find this would be lovely ... -- mailto:Neal at layer3arts.com // GoogleTalk: nrauhauser at gmail.com IM: nealrauhauser From isplists at duracom.net Mon Mar 2 15:04:04 2009 From: isplists at duracom.net (Rhino Lists) Date: Mon, 2 Mar 2009 14:04:04 -0600 Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: <037901c995ec$4ba3db60$e2eb9220$@net> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> <037901c995ec$4ba3db60$e2eb9220$@net> Message-ID: <01c301c99b72$09866730$1c933590$@net> We are in the process of migrating from ATM Circuits at our locations to point to point fiber. I have a Cisco 7206vxr with NPE-G2 so currently I have 3 GigE ports over Copper and have the option to add SFP's if need be to go to fiber. If I need more GigE ports in this Chassis are the only options to add a PA-GE? I read where a PA-GE will not support the copper gigabit? Joe From abalashov at evaristesys.com Mon Mar 2 15:07:29 2009 From: abalashov at evaristesys.com (Alex Balashov) Date: Mon, 02 Mar 2009 15:07:29 -0500 Subject: [c-nsp] Voice translation-rules on FXS voice-port don't work. Message-ID: <49AC3C81.4030508@evaristesys.com> Sorry for crossposting this from cisco-voip - figured maybe someone here might know. -------- Original Message -------- Subject: Re: [cisco-voip] Voice translation-rules on FXS voice-port don't work. Date: Mon, 02 Mar 2009 15:03:45 -0500 From: Alex Balashov To: cisco-voip at puck.nether.net References: <49AC3722.9040900 at evaristesys.com> Applying the translation rule straight without a profile - e.g. voice-port 5/0/0 translate called 10 Doesn't work either. Alex Balashov wrote: > Does anybody have any idea why voice translation-rules designed to > prepend a prefix to the dialed number would not work when applied to an > FXS voice-port? > > e.g. > > voice translation-rule 10 > rule 1 /^1/ /35#1/ > rule 2 /^2/ /35#2/ > rule 3 /^3/ /35#3/ > rule 4 /^4/ /35#4/ > rule 5 /^5/ /35#5/ > rule 6 /^6/ /35#6/ > rule 7 /^7/ /35#7/ > rule 8 /^8/ /35#8/ > rule 9 /^9/ /35#9/ > ! > ! > ! > voice translation-profile TRANSPROF > translate called 10 > > ... > > voice-port 5/0/0 > translation-profile incoming TRANSPROF > station-id number 4049611103 > > The goal here is to prepend a 35# prefix to any number that is dialed > from an analog phone connected to this device before the call is sent > out as VoIP. > > I've never run into this before because the only ports I've ever needed > to apply these types of translations to have been PRI. In any case, the > above does not cause a 35# prefix to be prepended. The call just passes > through as normal with no translations. > -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (678) 237-1775 _______________________________________________ cisco-voip mailing list cisco-voip at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (678) 237-1775 From billw at waveform.net Mon Mar 2 15:26:31 2009 From: billw at waveform.net (billw at waveform.net) Date: Mon, 2 Mar 2009 15:26:31 -0500 (EST) Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: <01c301c99b72$09866730$1c933590$@net> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> <037901c995ec$4ba3db60$e2eb9220$@net> <01c301c99b72$09866730$1c933590$@net> Message-ID: <6caa2aaf3999544c0ef807111b85a0c8.squirrel@webmail.waveform.net> AFAIK, the PA-GE is only available supporting a GBIC, so there is no native copper interface. I've never tried using a 1000b-T GBIC in a PA-GE before, but I wouldn't count on it working -- Cisco only lists the PA-GE as supporting optical GBICs. Depending on your application, you might be able to use a switch as a "media converter" to convert from something like gig-SX from the PA-GE to a gigabit copper port. If you don't need the router to see multiple VLANs it's easy to just put a copper port and an optical port on the same VLAN in a switch and use the two ports like a media converter. While not an elegant solution, it does work. -Bill > We are in the process of migrating from ATM Circuits at our locations to > point to point fiber. I have a Cisco 7206vxr with NPE-G2 so currently I > have 3 GigE ports over Copper and have the option to add SFP's if need be > to > go to fiber. If I need more GigE ports in this Chassis are the only > options > to add a PA-GE? I read where a PA-GE will not support the copper gigabit? > > > Joe > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From kapsi1911 at hotmail.com Mon Mar 2 15:45:12 2009 From: kapsi1911 at hotmail.com (D W) Date: Mon, 2 Mar 2009 15:45:12 -0500 Subject: [c-nsp] Verizon's PIP service Message-ID: Anyone happen to know if Verizon relies on any 3rd party service providers (using inter-AS MP-BGP, ATOM, etc.) for their PIP (MPLS based private IP) service? I'm trying to figure out which service providers have a national reach and fully contain/control their own MPLS clouds without relying on one another for transport. Thanks, Dave _________________________________________________________________ Windows Live?: Life without walls. http://windowslive.com/explore?ocid=TXT_TAGLM_WL_allup_1a_explore_032009 From Gregori.Parker at theplatform.com Mon Mar 2 15:52:53 2009 From: Gregori.Parker at theplatform.com (Gregori Parker) Date: Mon, 2 Mar 2009 12:52:53 -0800 Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: <6caa2aaf3999544c0ef807111b85a0c8.squirrel@webmail.waveform.net> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU><037901c995ec$4ba3db60$e2eb9220$@net><01c301c99b72$09866730$1c933590$@net> <6caa2aaf3999544c0ef807111b85a0c8.squirrel@webmail.waveform.net> Message-ID: <1A9866F953006D45AEE0166066114E0915D78791@TPMAIL02.corp.theplatform.com> PA-GE is the only available option for more GE ports on the 7206vxr...and it's one interface per module and 1000b-TX GBICs work just fine in the slot. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of billw at waveform.net Sent: Monday, March 02, 2009 12:27 PM To: Rhino Lists Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 7206 Gig Ethernet Options AFAIK, the PA-GE is only available supporting a GBIC, so there is no native copper interface. I've never tried using a 1000b-T GBIC in a PA-GE before, but I wouldn't count on it working -- Cisco only lists the PA-GE as supporting optical GBICs. Depending on your application, you might be able to use a switch as a "media converter" to convert from something like gig-SX from the PA-GE to a gigabit copper port. If you don't need the router to see multiple VLANs it's easy to just put a copper port and an optical port on the same VLAN in a switch and use the two ports like a media converter. While not an elegant solution, it does work. -Bill > We are in the process of migrating from ATM Circuits at our locations to > point to point fiber. I have a Cisco 7206vxr with NPE-G2 so currently I > have 3 GigE ports over Copper and have the option to add SFP's if need be > to > go to fiber. If I need more GigE ports in this Chassis are the only > options > to add a PA-GE? I read where a PA-GE will not support the copper gigabit? > > > Joe > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From lowen at pari.edu Mon Mar 2 16:13:14 2009 From: lowen at pari.edu (Lamar Owen) Date: Mon, 2 Mar 2009 16:13:14 -0500 Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: <6caa2aaf3999544c0ef807111b85a0c8.squirrel@webmail.waveform.net> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> Message-ID: <200903021613.14546.lowen@pari.edu> I have used a copper GBIC (WS-G5483) with a 7500 and a GEIP+ before. But not with a GEIP (VIP2-50+PA-GE). It may work, though. The 'official' answer is in http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html But, that document doesn't show the WS-G5483 being supported by the GEIP+ (which I know works, because I've used it). Likewise, Catalyst 5500 Gigabit EtherChannel module (WS-X5410) works with the 5483, but it's the only Catalyst 5000 series interface to do so (see below: pari-5505-colo-1> (enable) sh mod Mod Slot Ports Module-Type Model Sub Status --- ---- ----- ------------------------- ------------------- --- -------- 1 1 2 1000BaseX Supervisor IIIG WS-X5550 no ok 15 1 1 Route Switch Feature Card WS-F5541 no ok 2 2 2 1000BaseX Supervisor IIIG WS-X5550 no standby 16 2 1 Route Switch Feature Card WS-F5541 no ok 3 3 Gigabit Ethernet Ext WS-X5410 4 4 9 Gigabit Ethernet WS-X5410 no ok 5 5 24 10/100BaseTX Ethernet WS-X5225R no ok ...... ari-5505-colo-1> (enable) sh port Port Name Status Vlan Level Duplex Speed Type ----- ------------------ ---------- ---------- ------ ------ ----- ------------ 1/1 notconnect 1 normal full 1000 No Connector 1/2 connected trunk normal full 1000 1000-LX/LH [snip] 4/9 connected trunk normal full 1000 1000BaseT The X5410 ports will work with 1000base-T, but the SupIIIG's ports will not, nor will a X5403's (three-port gigabit ethernet). So, grab a surplus 5483 on ebay and try it. It may work. On Monday 02 March 2009 15:26:31 billw at waveform.net wrote: > AFAIK, the PA-GE is only available supporting a GBIC, so there is no > native copper interface. I've never tried using a 1000b-T GBIC in a PA-GE > before, but I wouldn't count on it working -- Cisco only lists the PA-GE > as supporting optical GBICs. > > Depending on your application, you might be able to use a switch as a > "media converter" to convert from something like gig-SX from the PA-GE to > a gigabit copper port. If you don't need the router to see multiple VLANs > it's easy to just put a copper port and an optical port on the same VLAN > in a switch and use the two ports like a media converter. While not an > elegant solution, it does work. > > -Bill > > > We are in the process of migrating from ATM Circuits at our locations to > > point to point fiber. I have a Cisco 7206vxr with NPE-G2 so currently I > > have 3 GigE ports over Copper and have the option to add SFP's if need be > > to > > go to fiber. If I need more GigE ports in this Chassis are the only > > options > > to add a PA-GE? I read where a PA-GE will not support the copper > > gigabit? > > > > > > Joe > > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 http://www.pari.edu From sml at lordsargon.com Mon Mar 2 16:30:36 2009 From: sml at lordsargon.com (SML) Date: Mon, 2 Mar 2009 15:30:36 -0600 Subject: [c-nsp] Verizon's PIP service In-Reply-To: References: Message-ID: <13B240E3-7052-4F46-B88D-9FCE692AAC08@lordsargon.com> On 2-Mar-09, at 14:45:12, D W wrote: > > Anyone happen to know if Verizon relies on any 3rd party service > providers (using inter-AS MP-BGP, ATOM, etc.) for their PIP (MPLS > based private IP) service? I'm trying to figure out which service > providers have a national reach and fully contain/control their own > MPLS clouds without relying on one another for transport. VZ told us that they use their network. We user them in multiple locations around the world. We do see the occasional issue in which the PE circuit (Ethernet hand-off) is up and the BGP peering is up, but we see no routes. Sometimes this lasts for a couple of hours (especially in Asia). We have never received a satisfactory explanation for what they are doing to our routes internally in their network. From chris at chrisserafin.com Mon Mar 2 16:44:43 2009 From: chris at chrisserafin.com (ChrisSerafin) Date: Mon, 02 Mar 2009 15:44:43 -0600 Subject: [c-nsp] Verizon's PIP service In-Reply-To: References: Message-ID: <49AC534B.8010809@chrisserafin.com> I know for a fact that Verizon doesn't control everything end to end. I have a decent sized client with circuits all over EMEA, and I always hear, 'ooh that's referred out to AT&T/xxxx for testing' This may be only the last mile of the circuit though. just my 2 cents --chris D W wrote: > Anyone happen to know if Verizon relies on any 3rd party service providers (using inter-AS MP-BGP, ATOM, etc.) for their PIP (MPLS based private IP) service? I'm trying to figure out which service providers have a national reach and fully contain/control their own MPLS clouds without relying on one another for transport. > > > > Thanks, > > Dave > > _________________________________________________________________ > Windows Live?: Life without walls. > http://windowslive.com/explore?ocid=TXT_TAGLM_WL_allup_1a_explore_032009 > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ------------------------------------------------------------------------ > > > No virus found in this incoming message. > Checked by AVG - www.avg.com > Version: 8.0.237 / Virus Database: 270.11.5/1979 - Release Date: 03/01/09 17:46:00 > > From brandon at sterling.net Mon Mar 2 18:27:03 2009 From: brandon at sterling.net (Brandon Price) Date: Mon, 02 Mar 2009 15:27:03 -0800 Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: <1A9866F953006D45AEE0166066114E0915D78791@TPMAIL02.corp.theplatform.com> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU><037901c995ec$4ba3db60$e2eb9220$@net><01c301c99b72$09866730$1c933590$@net> <6caa2aaf3999544c0ef807111b85a0c8.squirrel@webmail.waveform.net> <1A9866F953006D45AEE0166066114E0915D78791@TPMAIL02.corp.theplatform.com> Message-ID: <49AC6B47.9040805@sterling.net> Actually, you can install a C7200-I/O-GE+E and save yourself a PA slot and the associated bandwidth point hit. http://www.gossamer-threads.com/lists/cisco/bba/101247 Brandon Gregori Parker wrote: > PA-GE is the only available option for more GE ports on the > 7206vxr...and it's one interface per module and 1000b-TX GBICs work just > fine in the slot. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of > billw at waveform.net > Sent: Monday, March 02, 2009 12:27 PM > To: Rhino Lists > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] 7206 Gig Ethernet Options > > AFAIK, the PA-GE is only available supporting a GBIC, so there is no > native copper interface. I've never tried using a 1000b-T GBIC in a > PA-GE > before, but I wouldn't count on it working -- Cisco only lists the PA-GE > as supporting optical GBICs. > > Depending on your application, you might be able to use a switch as a > "media converter" to convert from something like gig-SX from the PA-GE > to > a gigabit copper port. If you don't need the router to see multiple > VLANs > it's easy to just put a copper port and an optical port on the same VLAN > in a switch and use the two ports like a media converter. While not an > elegant solution, it does work. > > -Bill > > >> We are in the process of migrating from ATM Circuits at our locations >> > to > >> point to point fiber. I have a Cisco 7206vxr with NPE-G2 so currently >> > I > >> have 3 GigE ports over Copper and have the option to add SFP's if need >> > be > >> to >> go to fiber. If I need more GigE ports in this Chassis are the only >> options >> to add a PA-GE? I read where a PA-GE will not support the copper >> > gigabit? > >> Joe >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From brian at bluecoat93.org Mon Mar 2 19:30:47 2009 From: brian at bluecoat93.org (Brian Landers) Date: Mon, 2 Mar 2009 19:30:47 -0500 Subject: [c-nsp] SNMP MIB for IP SLA on Pix/ASA 7.x? Message-ID: <689ea7e40903021630x12b916c7s35b16928b0519046@mail.gmail.com> Does anyone know if the Pix/ASA has support for polling IP SLA monitor status in the 7.x (or even 8.x) OS? It don't seem to support the standard RTTMON-MIB like IOS does. Thanks, Brian -- Brian C Landers http://www.packetslave.com/ CCIE #23115 From leonardo.souza at nec.com.br Mon Mar 2 20:08:57 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Mon, 2 Mar 2009 22:08:57 -0300 Subject: [c-nsp] Export routes from VRF to the global routing table Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02124E6C@spsrvmail03.nec.br> Hi list, I am almost confident this is not possible, but would like to confirm whether exporting routes from some VRF to the global routing table is possible or not. This would be a solution to overcome the constraints of using PBR+GRE setup. Thanks in advance. From gustavo at nexthop.com.br Mon Mar 2 20:30:20 2009 From: gustavo at nexthop.com.br (Gustavo Rodrigues Ramos) Date: Mon, 2 Mar 2009 22:30:20 -0300 Subject: [c-nsp] Export routes from VRF to the global routing table In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02124E6C@spsrvmail03.nec.br> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02124E6C@spsrvmail03.nec.br> Message-ID: <73d1f88a0903021730j267a1cc5q1d71df107bc2b050@mail.gmail.com> Hello Leonardo, I guess you'll use route leaking to accomplish what you want. http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml Gustavo. On Mon, Mar 2, 2009 at 10:08 PM, Leonardo Gama Souza wrote: > Hi list, > > I am almost confident this is not possible, but would like to confirm > whether exporting routes from some VRF to the global routing table is > possible or not. > This would be a solution to overcome the constraints of using PBR+GRE > setup. > > Thanks in advance. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From David at Hughes.com.au Mon Mar 2 20:33:35 2009 From: David at Hughes.com.au (David Hughes) Date: Tue, 3 Mar 2009 11:33:35 +1000 Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: <01c301c99b72$09866730$1c933590$@net> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> <037901c995ec$4ba3db60$e2eb9220$@net> <01c301c99b72$09866730$1c933590$@net> Message-ID: On 03/03/2009, at 6:04 AM, Rhino Lists wrote: > If I need more GigE ports in this Chassis are the only options > to add a PA-GE? I read where a PA-GE will not support the copper > gigabit? Hi Nope, that's not correct. We've run copper gbics in a pa-ge on 7206- VXR / NPE-G1 before. David ... From ccie6961 at yahoo.com Tue Mar 3 00:12:53 2009 From: ccie6961 at yahoo.com (Yinglam Cheung) Date: Mon, 2 Mar 2009 21:12:53 -0800 (PST) Subject: [c-nsp] ipsec support on 7600 References: Message-ID: <405404.85822.qm@web52706.mail.re2.yahoo.com> The answer is no. I just got into this recently. The software crypto feature is in SXF but no longer in SR releases. You need to get the IPSec module for hardware crypto. ----- Original Message ---- From: Marlon Duksa To: "cisco-nsp at puck.nether.net" Sent: Saturday, February 28, 2009 2:02:57 AM Subject: [c-nsp] ipsec support on 7600 Hi - does anyone know if Cisco 7600 can support IPSec only with RSPs and ES20 cards? No additional hardware service modules such as IPSec VPN modules. If so, I presume the processing of IPSec would take place in MSFC?I understand that performance would be severely impacted without the HW acceleration module, I just need to know if this is supported? And also maybe what would be the performance in this case? Thanks, Marlon _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From swmike at swm.pp.se Tue Mar 3 02:09:59 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Tue, 3 Mar 2009 08:09:59 +0100 (CET) Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> <037901c995ec$4ba3db60$e2eb9220$@net> <01c301c99b72$09866730$1c933590$@net> Message-ID: On Tue, 3 Mar 2009, David Hughes wrote: > Nope, that's not correct. We've run copper gbics in a pa-ge on 7206-VXR > / NPE-G1 before. There is a difference between "it works" and "it's supported". Cisco do not support copper GBICs in the PA-GE, but there are lots of success stories that it still works (plenty of old threads regarding this). -- Mikael Abrahamsson email: swmike at swm.pp.se From vdv at co.ru Tue Mar 3 02:08:15 2009 From: vdv at co.ru (Dmitry V. Volkov) Date: Tue, 3 Mar 2009 10:08:15 +0300 Subject: [c-nsp] TE FRR via CSC Message-ID: <1de701c99bce$d2acad70$1e3843c2@sovintel.net> Hi All, Does anyone have experience organizing TE FRR via CSC? Customer network is VOIP operator and they would like organize fast convergence via CSC connection. Dmitry From perc69 at gmail.com Tue Mar 3 03:25:46 2009 From: perc69 at gmail.com (Pelle) Date: Tue, 3 Mar 2009 09:25:46 +0100 Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: <01c301c99b72$09866730$1c933590$@net> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU> <037901c995ec$4ba3db60$e2eb9220$@net> <01c301c99b72$09866730$1c933590$@net> Message-ID: <746ca6da0903030025v5eca9fefp37234e2024763bcc@mail.gmail.com> Hi. > If I need more GigE ports in this Chassis are the only options > to add a PA-GE? ?I read where a PA-GE will not support the copper gigabit? You also have the option to use an external switch to aggregate several GE links into the 7200. Of course do that limit the bandwidth to the locations, but a 7200 will probably not do 3 x GE on full speed any way... IMHO that's a better/safer solution than fiddeling with unsupported combinations on PA-GE/GBICs. -- Pelle From md at bts.sk Tue Mar 3 04:13:28 2009 From: md at bts.sk (Marian =?utf-8?B?xI51cmtvdmnEjQ==?=) Date: Tue, 3 Mar 2009 10:13:28 +0100 Subject: [c-nsp] Cat3560E - insufficient buffers for microbursts? In-Reply-To: <20090302.104126.74722994.sthaug@nethelp.no> References: <20090302082922.GA35030@bts.sk> <20090302.104126.74722994.sthaug@nethelp.no> Message-ID: <20090303091328.GA81897@bts.sk> On Mon, Mar 02, 2009 at 10:41:26AM +0100, sthaug at nethelp.no wrote: > > Closer investigation showed, that for some reason, Cat3560E is doing > > significantly less output buffering than all other Cisco access switches. > > While Cat2960G, Cat3550, Cat3560G and Cat3750G happily buffer any > > microburst upto 100 full size (1500 byte) packets, Cat3560E only buffers > > upto 64 full size packets and starts dropping beginning with 65-th packet. > > This was rather bad surprise, since the Cat3560E is supposed to have > > 10GE uplinks - and with 10:1 or 100:1 speed downshift from uplink into > > access ports decent buffering is vital for proper operation. > > We experienced the same problem with ME3400 switches. It has extremely > small buffers by default - the queue size is in units of 256 byte, and > default queue size is only 48 of these. We got around this by configuring > shaping (which is possible on the ME3400) and setting queue-limit 256 in > the policy-map. The problem seems to be resolved in 12.2(46), note the > following point from the release notes: > > > CSCsm80634 > > > > The default queue limit for QoS has been changed from 48 to 160 > > (256-byte) packets. > > I wouldn't be surprised if 3560E has similar behavior (but I haven't > checked). Yes, looks like it's indeed wrong IOS defaults. More buffering could be achieved on 3560-E by enabling qos, and increasing the thresholds: mls qos mls qos queue-set output 1 threshold 2 1400 1400 100 1400 This restores the ability to buffer 100 full-size packets on 3560-E. Anyway, there doesn't seem to be any CLI knob to tune this when qos is disabled and the default buffer size (64 full-size packets) is too small. We do not want to enable qos, as it most probably reserves some packet memory for unused queues and lowers total available buffer space. With kind regards, M. From jcovini at free.fr Tue Mar 3 05:39:06 2009 From: jcovini at free.fr (jcovini at free.fr) Date: Tue, 03 Mar 2009 11:39:06 +0100 Subject: [c-nsp] 3560 vrf unwanted leaking when using tracked static route Message-ID: <1236076746.49ad08ca07b54@imp.free.fr> Fixed in 12.2.46 :) >>> The problem you noticed is documented under the following bug ID: >>> CSCsl31925 >>> Externally found moderate defect: Duplicate (D) >>> Static routes using VRF object tracking not working . . >>> It eventually was found to be due to bug: >>> CSCsf25288 From deric.kwok2000 at gmail.com Tue Mar 3 08:01:42 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Tue, 3 Mar 2009 08:01:42 -0500 Subject: [c-nsp] Can I post the network question here? Message-ID: <40d8a95a0903030501r5b306c53x1b2e3c127012de32@mail.gmail.com> Hi all I have network question and hope you can help main router- 3 static routes ip route 192.168.0.0/24 10.0.0.1 (routerA) ---- ip route 192.168.1.0/24 10.0.0.2 (routerB) ----same switch ---telecom company---client request ip route 192.168.2.0/24 10.0.0.3 (routerC) ---- Diagram ======= ---routerA--- main router ---switch ---routerB--- switch ---telecom company ---routerC--- dyname ip clients ip 192.168.0.0/24 and 192.168.1.0/24 static ip clients ip 192.168.2.0/24 This setting is fine when any dynamic ip clients sent from telcom company. But When telecom company sent request from static ip client (any ip in 192.168.2.0/24) but this client is sent to in routerA, how this work out? I really don't want to have 192.168.2.0 in routerC to routerB then routerA in loop as there will have big admin work if there is more than 3 routers and have increase new static ip client for the future Thank you for your help From leonardo.souza at nec.com.br Tue Mar 3 08:11:38 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Tue, 3 Mar 2009 10:11:38 -0300 Subject: [c-nsp] Export routes from VRF to the global routing table References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02124E6C@spsrvmail03.nec.br> <73d1f88a0903021730j267a1cc5q1d71df107bc2b050@mail.gmail.com> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E9C@spsrvmail03.nec.br> Hi Gustavo, Thanks for the feedback, but I would like to dynamically export the routes, not using static routing. Regards. ________________________________ From: Gustavo Rodrigues Ramos [mailto:gustavo at nexthop.com.br] Sent: Mon 3/2/2009 22:30 To: Leonardo Gama Souza Cc: cisco-nsp Subject: Re: [c-nsp] Export routes from VRF to the global routing table Hello Leonardo, I guess you'll use route leaking to accomplish what you want. http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml Gustavo. On Mon, Mar 2, 2009 at 10:08 PM, Leonardo Gama Souza wrote: > Hi list, > > I am almost confident this is not possible, but would like to confirm > whether exporting routes from some VRF to the global routing table is > possible or not. > This would be a solution to overcome the constraints of using PBR+GRE > setup. > > Thanks in advance. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From deric.kwok2000 at gmail.com Tue Mar 3 08:21:41 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Tue, 3 Mar 2009 08:21:41 -0500 Subject: [c-nsp] how can I know which process takes over CPU and memory? In-Reply-To: <002a01c999df$97fa2680$0a00000a@nil.si> References: <40d8a95a0902280959q7c5abfb4j8b5def5adfe4a097@mail.gmail.com> <002a01c999df$97fa2680$0a00000a@nil.si> Message-ID: <40d8a95a0903030521s670b04e2x8f8e139339a0dd2f@mail.gmail.com> Hi Ivan Thank you. I try to do it in my switch but it won't work What wrong I did? Thank you switch#dir Directory of flash:/ 4 drwx 704 Feb 28 1993 19:08:20 html 18 -rwx 1142 Mar 03 2009 08:14:33 top.tcl 3612672 bytes total (357888 bytes free) switch#config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)#alias exec top tclsh flash:top.tcl switch(config)#exit switch#top tclsh flash:top.tcl ^ % Invalid input detected at '^' marker. switch# On Sat, Feb 28, 2009 at 3:03 PM, Ivan Pepelnjak wrote: > To get the top CPU consumers, use the "show proc cpu sorted" command. > You're > probably experiencing increase in "interrupt CPU usage" (packet > forwarding), > which is the second number in the "CPU utilization for five seconds" field > in the top line. > > To get continuous CPU utilization display (similar to the Unix "top" > command), use this Tclsh script: > > http://wiki.nil.com/Continuous_display_of_top_CPU_processes > > Ivan > > http://www.ioshints.info/about > http://blog.ioshints.info/ > > > > -----Original Message----- > > From: Deric Kwok [mailto:deric.kwok2000 at gmail.com] > > Sent: Saturday, February 28, 2009 6:59 PM > > To: cisco-nsp at puck.nether.net > > Subject: [c-nsp] how can I know which process takes over CPU > > and memory? > > > > Hi All > > > > I am trying to add access rule to prevent outside accessing > > to one host. > > > > I realize the router CPU (R700 CPU at 240MHz) graph rising > > from 70% to 80% > > > > How can I know which process used up how many CPU and memory? > > > > I use show memory but don't understand the listing > > > > Thank you for your help > > > > > > From drew.weaver at thenap.com Tue Mar 3 08:37:21 2009 From: drew.weaver at thenap.com (Drew Weaver) Date: Tue, 3 Mar 2009 05:37:21 -0800 Subject: [c-nsp] SNMP fun Message-ID: Does anyone know if it is possible even roundaboutly to figure out what physical port a MAC address is connected to even if that port is in a VLAN? I can find the mac -> IP pair and I can find out what ports are assigned to the VLAN, but it would be super swell if I could also figure out what port => what IP/Mac address. I believe you can do this in the CAM table on the switches but I'm not really sure how to do it in SNMP Thanks, -Drew From schilling2006 at gmail.com Tue Mar 3 08:41:57 2009 From: schilling2006 at gmail.com (schilling) Date: Tue, 3 Mar 2009 08:41:57 -0500 Subject: [c-nsp] Export routes from VRF to the global routing table In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02124E6C@spsrvmail03.nec.br> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D02124E6C@spsrvmail03.nec.br> Message-ID: If you have loopback cable on the same router, or vlan between two different routers, you could potentially run a IGP routing protocol for example ospf on the same network while using different context/process on each end to exchange routes. Schilling On Mon, Mar 2, 2009 at 8:08 PM, Leonardo Gama Souza < leonardo.souza at nec.com.br> wrote: > Hi list, > > I am almost confident this is not possible, but would like to confirm > whether exporting routes from some VRF to the global routing table is > possible or not. > This would be a solution to overcome the constraints of using PBR+GRE > setup. > > Thanks in advance. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From blahu77 at gmail.com Tue Mar 3 08:43:42 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Tue, 3 Mar 2009 13:43:42 +0000 Subject: [c-nsp] SNMP fun In-Reply-To: References: Message-ID: <383357750903030543o788adc64t88579177e83fb554@mail.gmail.com> 2009/3/3 Drew Weaver : > Does anyone know if it is possible even roundaboutly to figure out what physical port a MAC address is connected to even if that port is in a VLAN? I can find the mac -> IP pair and I can find out what ports are assigned to the VLAN, but it would be super swell if I could also figure out what port => what IP/Mac address. > > I believe you can do this in the CAM table on the switches but I'm not really sure how to do it in SNMP > try that http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml -mat -- pgp-key 0x1C655CAB From jcovini at free.fr Tue Mar 3 09:30:24 2009 From: jcovini at free.fr (jcovini at free.fr) Date: Tue, 03 Mar 2009 15:30:24 +0100 Subject: [c-nsp] Can I post the network question here? In-Reply-To: <40d8a95a0903030501r5b306c53x1b2e3c127012de32@mail.gmail.com> References: <40d8a95a0903030501r5b306c53x1b2e3c127012de32@mail.gmail.com> Message-ID: <1236090624.49ad3f00c160f@imp.free.fr> Why not running a dynamic routing protocol between Main, A, B, and C. ? Static routes = manual maintenance. Selon Deric Kwok : > Hi all > > I have network question and hope you can help > > main router- 3 static routes > ip route 192.168.0.0/24 10.0.0.1 (routerA) ---- > ip route 192.168.1.0/24 10.0.0.2 (routerB) ----same switch ---telecom > company---client request > ip route 192.168.2.0/24 10.0.0.3 (routerC) ---- > > Diagram > ======= > ---routerA--- > main router ---switch ---routerB--- switch ---telecom company > ---routerC--- > dyname ip clients ip 192.168.0.0/24 and 192.168.1.0/24 > static ip clients ip 192.168.2.0/24 > This setting is fine when any dynamic ip clients sent from telcom company. > But When telecom company sent request from static ip client > (any ip in 192.168.2.0/24) but this client is sent to in routerA, > how this work out? > I really don't want to have 192.168.2.0 in routerC to routerB then routerA > in loop > as there will have big admin work if there is more than 3 routers and have > increase > new static ip client for the future > Thank you for your help > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From oboehmer at cisco.com Tue Mar 3 10:53:34 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 3 Mar 2009 16:53:34 +0100 Subject: [c-nsp] TE FRR via CSC In-Reply-To: <1de701c99bce$d2acad70$1e3843c2@sovintel.net> References: <1de701c99bce$d2acad70$1e3843c2@sovintel.net> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406FA51A3@xmb-ams-333.emea.cisco.com> Dmitry V. Volkov <> wrote on Tuesday, March 03, 2009 08:08: > Hi All, > > Does anyone have experience organizing TE FRR via CSC? Customer > network is VOIP operator and they would like organize fast > convergence via CSC connection. Don't see how this can be done at the moment. You can investigate Inter-AS MPLS-TE (and moving to PCE in the future), but this generally requires an Inter-AS setup, rather than CSC. General note: TE-FRR is generally not required for Voice, fast convergence (sub-second) is generally sufficient.. Your challenge could be L3VPN convergence (CSC is using regular L3VPN mechanisms within the carrier's AS), so your convergence will depend on what the customer is providing. A L2VPN setup (where you could run BFD-triggered FRR over the L2VPN circuit) might be better if you strive for reliable sub-500msec convergence or so.. oli From jason at pins.net Tue Mar 3 10:52:25 2009 From: jason at pins.net (Jason Berenson) Date: Tue, 03 Mar 2009 10:52:25 -0500 Subject: [c-nsp] OSPF flaps Message-ID: <49AD5239.9010906@pins.net> Greetings, I'm seeing a weird OSPF flap issue between a bunch of 7206's and a 6513. We're running fast OSPF between them all. Here's some sample config: 7206: router ospf 1 router-id 0.0.1.10 log-adjacency-changes area 0 authentication redistribute connected metric-type 1 subnets redistribute static metric-type 1 subnets redistribute bgp 65010 metric-type 1 subnets route-map global network 10.11.1.0 0.0.0.255 area 0 network 10.12.1.0 0.0.0.255 area 0 ! interface GigabitEthernet0/2 des primary net ip address 10.11.1.10 255.255.255.0 no ip redirects ip route-cache flow ip ospf authentication-key 7 ip ospf cost 1 ip ospf dead-interval minimal hello-multiplier 4 duplex auto speed auto media-type rj45 no negotiation auto 6513: router ospf 1 router-id 0.0.1.24 log-adjacency-changes no capability lls area 0 authentication passive-interface default network 10.11.1.0 0.0.0.255 area 0 network 10.12.1.0 0.0.0.255 area 0 ! interface GigabitEthernet9/1 no ip address speed 1000 duplex full switchport switchport access vlan 11 switchport mode access ! interface Vlan11 description << PRIMARY NET >> ip address 10.11.1.24 255.255.255.0 no ip redirects no ip mroute-cache ip ospf authentication-key 7 ip ospf cost 1 ip ospf dead-interval minimal hello-multiplier 4 ! There is IP connectivity between the two routers of course. We leave all ints as passive by default and turn on each int as we need them to speak OSPF. When I turn on vlan 11 as non passive, things come up then start flapping very rapidly at which point the 6513 becomes completely unresponsive. Here's some output from the 7206's logs: Mar 2 19:07:07 pri.core.router1 37224: Mar 2 19:07:04: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.1.24 on GigabitEthernet0/2 from 2WAY to DOWN, Neighbor Down: Dead timer expired Mar 2 19:07:07 pri.core.router2 2556211: Mar 2 19:07:04: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.1.24 on GigabitEthernet0/2 from 2WAY to DOWN, Neighbor Down: Dead timer expired The timers are matched up on all the routers, and there's of course no packet loss. I don't see why the dead timers are expiring causing this to keep flapping. Any input would be greatly appreciated. Thanks, Jason From asturluismi at gmail.com Tue Mar 3 12:01:32 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 03 Mar 2009 18:01:32 +0100 Subject: [c-nsp] strange message at boot "Can't insert config node for vrf=default" Message-ID: <1236099692.10233.1.camel@dsba-ipso> Hi all, I have here a 2960 switch with 12.2(46) lan base. After the switche has booted correctly I can see.. [...] % Can't insert config node for vrf=default Press RETURN to get started! What is the reason for the message "Can't insert config node for vrf=default"? Any idea? Thanks From jared at puck.nether.net Tue Mar 3 12:13:45 2009 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 3 Mar 2009 12:13:45 -0500 Subject: [c-nsp] strange message at boot "Can't insert config node for vrf=default" In-Reply-To: <1236099692.10233.1.camel@dsba-ipso> References: <1236099692.10233.1.camel@dsba-ipso> Message-ID: <20090303171345.GB11502@puck.nether.net> On Tue, Mar 03, 2009 at 06:01:32PM +0100, luismi wrote: > Hi all, > > I have here a 2960 switch with 12.2(46) lan base. > After the switche has booted correctly I can see.. > > [...] > % Can't insert config node for vrf=default > > > Press RETURN to get started! > > What is the reason for the message "Can't insert config node for > vrf=default"? cisco doesn't do effective testing of the boot-up mode of the device so does not notice these types of things, and when they are noticed they are logged as sev5 or sev6 defects since they are not seen as critical. there is also the problem that the parser operates in two modes, one for processing the config at boot-time, and another for processing the config at runtime. This is why it will translate some older-style configuration bits but you can no longer enter them. Without knowing your full config, it's hard to say what caused the above, but if everything is working fine, or you are not using VRFs it's likely cosmetic. I do encourage you to ask cisco to fix the defect, but don't expect it to be quickly resolved. -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. From asturluismi at gmail.com Tue Mar 3 12:28:55 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 03 Mar 2009 18:28:55 +0100 Subject: [c-nsp] strange message at boot "Can't insert config node for vrf=default" In-Reply-To: <20090303171345.GB11502@puck.nether.net> References: <1236099692.10233.1.camel@dsba-ipso> <20090303171345.GB11502@puck.nether.net> Message-ID: <1236101335.10233.4.camel@dsba-ipso> So if I understand everything correctly, it is a cosmetic bug during the boot. I will notify it to Cisco. It shouldn't be related with my previous config since I don't have any command related with "node", "vrf" or similar words related with the message -I think-. El mar, 03-03-2009 a las 12:13 -0500, Jared Mauch escribi?: > On Tue, Mar 03, 2009 at 06:01:32PM +0100, luismi wrote: > > Hi all, > > > > I have here a 2960 switch with 12.2(46) lan base. > > After the switche has booted correctly I can see.. > > > > [...] > > % Can't insert config node for vrf=default > > > > > > Press RETURN to get started! > > > > What is the reason for the message "Can't insert config node for > > vrf=default"? > > cisco doesn't do effective testing of the boot-up mode of the device so > does not notice these types of things, and when they are noticed they are logged > as sev5 or sev6 defects since they are not seen as critical. > > there is also the problem that the parser operates in two modes, one > for processing the config at boot-time, and another for processing the config > at runtime. This is why it will translate some older-style configuration bits > but you can no longer enter them. > > Without knowing your full config, it's hard to say what caused the above, > but if everything is working fine, or you are not using VRFs it's likely cosmetic. > I do encourage you to ask cisco to fix the defect, but don't expect it to be > quickly resolved. > From jp at saucer.midcoast.com Tue Mar 3 12:50:04 2009 From: jp at saucer.midcoast.com (jp) Date: Tue, 3 Mar 2009 12:50:04 -0500 Subject: [c-nsp] Verizon's PIP service In-Reply-To: <49AC534B.8010809@chrisserafin.com> References: <49AC534B.8010809@chrisserafin.com> Message-ID: <20090303175004.GA10877@saucer.midcoast.com> No company owns all the infrastructure to get around the world. For example the undersea cables are commonly investor owned, installed by one company, maintained by another, and used by a variety of carriers. Things like the FLAG or SEA-* cables. Surely not the case here, but AT&T either did or does a lot of the ship-based repair/construction work on undersea cables, and has a fleet of ships around the world waiting for a problem to respond to. Probably differnet companies are incharge of things on land too. On Mon, Mar 02, 2009 at 03:44:43PM -0600, ChrisSerafin wrote: > I know for a fact that Verizon doesn't control everything end to end. I > have a decent sized client with circuits all over EMEA, and I always hear, > 'ooh that's referred out to AT&T/xxxx for testing' > > This may be only the last mile of the circuit though. > > just my 2 cents > > --chris > > D W wrote: >> Anyone happen to know if Verizon relies on any 3rd party service providers (using inter-AS MP-BGP, ATOM, etc.) for their PIP (MPLS based private IP) service? I'm trying to figure out which service providers have a national reach and fully contain/control their own MPLS clouds without relying on one another for transport. >> >> >> Thanks, >> >> Dave >> >> _________________________________________________________________ >> Windows Live?: Life without walls. >> http://windowslive.com/explore?ocid=TXT_TAGLM_WL_allup_1a_explore_032009 >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> ------------------------------------------------------------------------ >> >> >> No virus found in this incoming message. >> Checked by AVG - www.avg.com Version: 8.0.237 / Virus Database: >> 270.11.5/1979 - Release Date: 03/01/09 17:46:00 >> >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- /* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL KB1IOJ | Broadband Internet Access, Dialup, and Hosting http://f64.nu/ | for Midcoast Maine http://www.midcoast.com/ */ From ip at ioshints.info Tue Mar 3 14:03:02 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Tue, 3 Mar 2009 20:03:02 +0100 Subject: [c-nsp] how can I know which process takes over CPU and memory? In-Reply-To: <40d8a95a0903030521s670b04e2x8f8e139339a0dd2f@mail.gmail.com> References: <40d8a95a0902280959q7c5abfb4j8b5def5adfe4a097@mail.gmail.com> <002a01c999df$97fa2680$0a00000a@nil.si> <40d8a95a0903030521s670b04e2x8f8e139339a0dd2f@mail.gmail.com> Message-ID: <002501c99c32$ade84cb0$0a00000a@nil.si> Your original message indicated you had a router. Based on Cisco's documentation tclsh doesn't work on most Catalyst switches. Best regards Ivan _____ From: Deric Kwok [mailto:deric.kwok2000 at gmail.com] Sent: Tuesday, March 03, 2009 2:22 PM To: Ivan Pepelnjak Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] how can I know which process takes over CPU and memory? Hi Ivan Thank you. I try to do it in my switch but it won't work What wrong I did? Thank you switch#dir Directory of flash:/ 4 drwx 704 Feb 28 1993 19:08:20 html 18 -rwx 1142 Mar 03 2009 08:14:33 top.tcl 3612672 bytes total (357888 bytes free) switch#config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)#alias exec top tclsh flash:top.tcl switch(config)#exit switch#top tclsh flash:top.tcl ^ % Invalid input detected at '^' marker. switch# From jeff-kell at utc.edu Tue Mar 3 14:09:14 2009 From: jeff-kell at utc.edu (Jeff Kell) Date: Tue, 03 Mar 2009 14:09:14 -0500 Subject: [c-nsp] how can I know which process takes over CPU and memory? In-Reply-To: <002501c99c32$ade84cb0$0a00000a@nil.si> References: <40d8a95a0902280959q7c5abfb4j8b5def5adfe4a097@mail.gmail.com> <002a01c999df$97fa2680$0a00000a@nil.si> <40d8a95a0903030521s670b04e2x8f8e139339a0dd2f@mail.gmail.com> <002501c99c32$ade84cb0$0a00000a@nil.si> Message-ID: <49AD805A.8010608@utc.edu> Ivan Pepelnjak wrote: > Your original message indicated you had a router. Based on Cisco's > documentation tclsh doesn't work on most Catalyst switches. They do have their pride, after all :-) Jeff From kevin at gannons.net Tue Mar 3 15:25:27 2009 From: kevin at gannons.net (kevin gannon) Date: Tue, 3 Mar 2009 20:25:27 +0000 Subject: [c-nsp] mpls bgp forwarding ? Message-ID: <17eef0950903031225m561003d3j302e7b6f4694ca3a@mail.gmail.com> Having a strange problem with IPv4 and send-label. The topology is the below. I originate 100.100.100.16 from AS16 and it reaches AS19. R16-------eBGP+send-label----------R17-------IGP BGP+send-label-----R18---------eBGP send-label--------R19 AS16 AS17 AS17 AS19 100.100.100.16 On R18 I see the label installed for 100.100.100.16 R18#show mpls for Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 16 Pop Label 189.189.189.9/32 0 Fa1/1 189.189.189.9 17 Pop Label 100.100.100.17/32 0 Fa1/0 178.178.178.7 18 20 100.100.100.16/32 0 Fa1/0 178.178.178.7 19 Pop Label 100.100.100.19/32 0 Fa1/1 189.189.189.9 show ip bgp 100.100.100.16 BGP routing table entry for 100.100.100.16/32, version 2 Paths: (1 available, best #1, table Default-IP-Routing-Table) Advertised to update-groups: 2 16 100.100.100.17 (metric 2) from 100.100.100.17 (100.100.100.17) Origin IGP, metric 0, localpref 100, valid, internal, best, mpls labels in/out 18/20 R18(config)# However on R19 I receive the label via eBGP. However I do not install into the MPLS forwarding table but I do not know why ?? R19#show ip bgp 100.100.100.16 BGP routing table entry for 100.100.100.16/32, version 7 Paths: (1 available, best #1, table Default-IP-Routing-Table) Not advertised to any peer 17 16 189.189.189.8 from 189.189.189.8 (100.100.100.18) Origin IGP, localpref 100, valid, external, best, mpls labels in/out nolabel/18 R19# R19#show mpls for Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 16 Pop Label 189.189.189.8/32 0 Fa1/0 189.189.189.8 From deric.kwok2000 at gmail.com Tue Mar 3 15:26:16 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Tue, 3 Mar 2009 15:26:16 -0500 Subject: [c-nsp] how can I know which process takes over CPU and memory? In-Reply-To: <002501c99c32$ade84cb0$0a00000a@nil.si> References: <40d8a95a0902280959q7c5abfb4j8b5def5adfe4a097@mail.gmail.com> <002a01c999df$97fa2680$0a00000a@nil.si> <40d8a95a0903030521s670b04e2x8f8e139339a0dd2f@mail.gmail.com> <002501c99c32$ade84cb0$0a00000a@nil.si> Message-ID: <40d8a95a0903031226o3d7a0592xdec2edfcdf1ee88a@mail.gmail.com> Hi Ivan Now I am trying on the router but it won't work also What wrong I did? Thank you router#dir Directory of flash:/ 1 -rw- 8624196 Mar 5 1993 00:05:02 +00:00 c3725-i-mz.123-6e.bin 2 -rw- 1142 Mar 3 2009 15:05:26 +00:00 top.tcl 31936512 bytes total (23306240 bytes free) router#config t Enter configuration commands, one per line. End with CNTL/Z. router(config)#alias exec top tclsh flash:top.tcl router(config)#exit router#top Translating "top"...domain server (202.64.2.36) (202.64.3.5) Translating "top"...domain server (202.64.2.36) (202.64.3.5) (202.64.2.36) (202.64.3.5)% Unknown command or computer name, or unable to find computer address On Tue, Mar 3, 2009 at 2:03 PM, Ivan Pepelnjak wrote: > Your original message indicated you had a router. Based on Cisco's > documentation tclsh doesn't work on most Catalyst switches. > > Best regards > Ivan > > ------------------------------ > *From:* Deric Kwok [mailto:deric.kwok2000 at gmail.com] > *Sent:* Tuesday, March 03, 2009 2:22 PM > *To:* Ivan Pepelnjak > *Cc:* cisco-nsp at puck.nether.net > *Subject:* Re: [c-nsp] how can I know which process takes over CPU and > memory? > > Hi Ivan > > Thank you. I try to do it in my switch but it won't work > > What wrong I did? > > Thank you > > switch#dir > Directory of flash:/ > 4 drwx 704 Feb 28 1993 19:08:20 html > 18 -rwx 1142 Mar 03 2009 08:14:33 top.tcl > 3612672 bytes total (357888 bytes free) > switch#config terminal > Enter configuration commands, one per line. End with CNTL/Z. > switch(config)#alias exec top tclsh flash:top.tcl > switch(config)#exit > switch#top > tclsh flash:top.tcl > ^ > % Invalid input detected at '^' marker. > switch# > > From ip at ioshints.info Tue Mar 3 15:32:39 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Tue, 3 Mar 2009 21:32:39 +0100 Subject: [c-nsp] how can I know which process takes over CPU and memory? In-Reply-To: <40d8a95a0903031226o3d7a0592xdec2edfcdf1ee88a@mail.gmail.com> References: <40d8a95a0902280959q7c5abfb4j8b5def5adfe4a097@mail.gmail.com> <002a01c999df$97fa2680$0a00000a@nil.si> <40d8a95a0903030521s670b04e2x8f8e139339a0dd2f@mail.gmail.com> <002501c99c32$ade84cb0$0a00000a@nil.si> <40d8a95a0903031226o3d7a0592xdec2edfcdf1ee88a@mail.gmail.com> Message-ID: <003001c99c3f$32e79400$0a00000a@nil.si> Your IOS is too old, tclsh was introduced in 12.3(2)T. Cisco recommends using at least 12.3(14)T; 12.4 might be even better. http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_tcl.html If you want to know when a particular command (for example, tclsh) was introduced in Cisco IOS, the Command Lookup Tool is a great place to start; you can even install it in your browser's toolbar. Best regards Ivan _____ From: Deric Kwok [mailto:deric.kwok2000 at gmail.com] Sent: Tuesday, March 03, 2009 9:26 PM To: Ivan Pepelnjak Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] how can I know which process takes over CPU and memory? Hi Ivan Now I am trying on the router but it won't work also What wrong I did? Thank you router#dir Directory of flash:/ 1 -rw- 8624196 Mar 5 1993 00:05:02 +00:00 c3725-i-mz.123-6e.bin 2 -rw- 1142 Mar 3 2009 15:05:26 +00:00 top.tcl 31936512 bytes total (23306240 bytes free) router#config t Enter configuration commands, one per line. End with CNTL/Z. router(config)#alias exec top tclsh flash:top.tcl router(config)#exit router#top Translating "top"...domain server (202.64.2.36) (202.64.3.5) Translating "top"...domain server (202.64.2.36) (202.64.3.5) (202.64.2.36) (202.64.3.5)% Unknown command or computer name, or unable to find computer address From justin at justinshore.com Tue Mar 3 16:38:20 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 03 Mar 2009 15:38:20 -0600 Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: <49AC6B47.9040805@sterling.net> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU><037901c995ec$4ba3db60$e2eb9220$@net><01c301c99b72$09866730$1c933590$@net> <6caa2aaf3999544c0ef807111b85a0c8.squirrel@webmail.waveform.net> <1A9866F953006D45AEE0166066114E0915D78791@TPMAIL02.corp.theplatform.com> <49AC6B47.9040805@sterling.net> Message-ID: <49ADA34C.7060309@justinshore.com> Brandon Price wrote: > Actually, you can install a C7200-I/O-GE+E and save yourself a PA slot > and the associated bandwidth point hit. > > http://www.gossamer-threads.com/lists/cisco/bba/101247 Now that's something that I did not know. Any word on if this is actually supported or not? Justin From Stig.Johansen at atea.no Tue Mar 3 17:29:22 2009 From: Stig.Johansen at atea.no (Stig Johansen) Date: Tue, 3 Mar 2009 23:29:22 +0100 Subject: [c-nsp] mpls bgp forwarding ? In-Reply-To: <17eef0950903031225m561003d3j302e7b6f4694ca3a@mail.gmail.com> References: <17eef0950903031225m561003d3j302e7b6f4694ca3a@mail.gmail.com> Message-ID: <5EB9799F396A304686962AFFF740ED0CE96C400F@NOOSLEXCH001.adno.local> Hi there, >However on R19 I receive the label via eBGP. However I do not install into >The MPLS forwarding table but I do not know why ?? You send the labels via BGP, but have you enabled LDP/TDP between R18 and R19? If not, it won't use any labels and consequently not install anything into the LFIB. Regards, Stig Meireles Johansen From ddunkin at netos.net Tue Mar 3 18:09:09 2009 From: ddunkin at netos.net (Darryl Dunkin) Date: Tue, 3 Mar 2009 15:09:09 -0800 Subject: [c-nsp] mpls bgp forwarding ? References: <17eef0950903031225m561003d3j302e7b6f4694ca3a@mail.gmail.com> Message-ID: <56F5BC5F404CF84896C447397A1AAF20D499CC@MAIL.nosi.netos.com> Do you have the VRF configured in your eBGP router? If not, add this to your BGP configuration to keep it from filtering those out: no bgp default route-target filter The prefixes will be filtered out if there is no local VRF to import to. Some more details on this setup: http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_e xample09186a0080094472.shtml -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kevin gannon Sent: Tuesday, March 03, 2009 12:25 To: cisco-nsp Subject: [c-nsp] mpls bgp forwarding ? Having a strange problem with IPv4 and send-label. The topology is the below. I originate 100.100.100.16 from AS16 and it reaches AS19. R16-------eBGP+send-label----------R17-------IGP BGP+send-label-----R18---------eBGP send-label--------R19 AS16 AS17 AS17 AS19 100.100.100.16 On R18 I see the label installed for 100.100.100.16 R18#show mpls for Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 16 Pop Label 189.189.189.9/32 0 Fa1/1 189.189.189.9 17 Pop Label 100.100.100.17/32 0 Fa1/0 178.178.178.7 18 20 100.100.100.16/32 0 Fa1/0 178.178.178.7 19 Pop Label 100.100.100.19/32 0 Fa1/1 189.189.189.9 show ip bgp 100.100.100.16 BGP routing table entry for 100.100.100.16/32, version 2 Paths: (1 available, best #1, table Default-IP-Routing-Table) Advertised to update-groups: 2 16 100.100.100.17 (metric 2) from 100.100.100.17 (100.100.100.17) Origin IGP, metric 0, localpref 100, valid, internal, best, mpls labels in/out 18/20 R18(config)# However on R19 I receive the label via eBGP. However I do not install into the MPLS forwarding table but I do not know why ?? R19#show ip bgp 100.100.100.16 BGP routing table entry for 100.100.100.16/32, version 7 Paths: (1 available, best #1, table Default-IP-Routing-Table) Not advertised to any peer 17 16 189.189.189.8 from 189.189.189.8 (100.100.100.18) Origin IGP, localpref 100, valid, external, best, mpls labels in/out nolabel/18 R19# R19#show mpls for Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 16 Pop Label 189.189.189.8/32 0 Fa1/0 189.189.189.8 _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From lsawyer at gci.com Tue Mar 3 20:19:58 2009 From: lsawyer at gci.com (Leif Sawyer) Date: Tue, 3 Mar 2009 16:19:58 -0900 Subject: [c-nsp] FWSM and mixed IPv4/IPv6 access-list In-Reply-To: <49A88BB5.8050901@bromirski.net> Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA09E90498@FNB1EX01.gci.com> Is anybody working with FWSM's and mixed-mode IPv4+IPv6 ACL's? I'm having trouble with traceroute6 not succeeding, but ping6 working fine: access-list From_Internet extended permit udp any range 32768 65535 object-group NMS-HOSTS range 33434 33523 log access-list From_Internet extended permit icmp any object-group NMS-HOSTS log ! access-list PERMIT_ANY extended permit ip any any log ! ipv6 access-list V6_From_Internet permit udp any range 32768 65535 object-group V6-NMS-HOSTS range 33434 33523 log ipv6 access-list V6_From_Internet permit icmp6 any object-group V6-NMS-HOSTS log ! ipv6 access-list V6_PERMIT_ANY permit ip any any log ! ! for testing, allow anything outbound... ! access-group PERMIT_ANY in interface inside access-group V6_PERMIT_ANY in interface inside ! ! access-group From_Internet in interface outside access-group V6_From_Internet in interface outside ! ipv6 icmp permit any inside ipv6 icmp permit any outside icmp permit any inside icmp permit any outside object-group NMS-HOSTS :== V6-NMS-HOSTS for the appropriate protocol. I'm running FWSM 4.0(4) on top of 12.2.33(SXI) on my 6509. The above is cut verbatim, but slightly re-arranged. telnet/ssh work from the inside-> outside as well. here's the output from the FWSM. First, the successful IPv4, then the failed IPv6. The source hosts and destination hosts are equivalent. Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(60219) -> outside/192.168.3.1(33434) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(38690) -> outside/192.168.3.1(33435) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(60005) -> outside/192.168.3.1(33436) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(53862) -> outside/192.168.3.1(33437) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(35579) -> outside/192.168.3.1(33438) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(57635) -> outside/192.168.3.1(33439) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(59543) -> outside/192.168.3.1(33440) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(42568) -> outside/192.168.3.1(33441) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(45739) -> outside/192.168.3.1(33442) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(38052) -> outside/192.168.3.1(33443) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list From_Internet permitted icmp outside/192.168.3.1(0) -> inside/192.168.1.127(3) hit-cnt 1 (first hit) [0x64d8ffc5, 0x5a3e207a] Mar 3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(50556) -> outside/192.168.3.1(33444) hit-cnt 1 (first hit) [0xd136324, 0x0] Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(50928) -> outside/2001:dead:beef:cafe::1(33434) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(40298) -> outside/2001:dead:beef:cafe::1(33435) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(59693) -> outside/2001:dead:beef:cafe::1(33436) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(53347) -> outside/2001:dead:beef:cafe::1(33437) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(40017) -> outside/2001:dead:beef:cafe::1(33438) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(35667) -> outside/2001:dead:beef:cafe::1(33439) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(36459) -> outside/2001:dead:beef:cafe::1(33440) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(45750) -> outside/2001:dead:beef:cafe::1(33441) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(59125) -> outside/2001:dead:beef:cafe::1(33442) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(34934) -> outside/2001:dead:beef:cafe::1(33443) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(48452) -> outside/2001:dead:beef:cafe::1(33444) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(44628) -> outside/2001:dead:beef:cafe::1(33445) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(33027) -> outside/2001:dead:beef:cafe::1(33446) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(45131) -> outside/2001:dead:beef:cafe::1(33447) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(52958) -> outside/2001:dead:beef:cafe::1(33448) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(33004) -> outside/2001:dead:beef:cafe::1(33449) hit-cnt 1 first hit Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" Mar 3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet" From streiner at cluebyfour.org Tue Mar 3 20:30:06 2009 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Tue, 3 Mar 2009 20:30:06 -0500 (EST) Subject: [c-nsp] FWSM and mixed IPv4/IPv6 access-list In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA09E90498@FNB1EX01.gci.com> References: <38D04BF3A4B7B2499D19EB1DB54285EA09E90498@FNB1EX01.gci.com> Message-ID: On Tue, 3 Mar 2009, Leif Sawyer wrote: > Is anybody working with FWSM's and mixed-mode IPv4+IPv6 ACL's? > > I'm having trouble with traceroute6 not succeeding, but ping6 working > fine: You might be getting caught by flawed behavior of the FWSM. I've run into something similar with straight v4 firewall zones where certain flavors of traceroute will be dropped by the blade. When it was first reported to us, we thought is was a broken fixup, but the behavior persisted after the fixup was disabled. No word on a fix from Cisco. On a somewhat unrelated note, how has the v6 performance been on the FWSMs for you? Everything I've heard from Cisco and other sources suggests that the v6 packets are much more expensive for the FWSM to forward, so performance would suffer greatly. jms From lsawyer at gci.com Tue Mar 3 20:56:29 2009 From: lsawyer at gci.com (Leif Sawyer) Date: Tue, 3 Mar 2009 16:56:29 -0900 Subject: [c-nsp] FWSM and mixed IPv4/IPv6 access-list In-Reply-To: Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA09E904C5@FNB1EX01.gci.com> Justin M. Streiner writes in reply to: > On Tue, 3 Mar 2009, Leif Sawyer wrote: > >> Is anybody working with FWSM's and mixed-mode IPv4+IPv6 ACL's? >> >> I'm having trouble with traceroute6 not succeeding, but >> ping6 working fine: > > You might be getting caught by flawed behavior of the FWSM. > I've run into something similar with straight v4 firewall > zones where certain flavors of traceroute will be dropped by > the blade. When it was first reported to us, we thought is > was a broken fixup, but the behavior persisted after the > fixup was disabled. No word on a fix from Cisco. Hrm. I guess it's time to open a ticket, then. Damn. I hate dealing with TAC on complex issues. And it's not like CiscoPress is up-to-date. what, 6 pages on Ipv6 in the FWSM manual? friggin joke. > On a somewhat unrelated note, how has the v6 performance been > on the FWSMs for you? Everything I've heard from Cisco and > other sources suggests that the v6 packets are much more > expensive for the FWSM to forward, so performance would > suffer greatly. Just starting to roll this out, so no load to speak of. Can't wait to see what next issue creeps up! From ajadav at gmail.com Tue Mar 3 23:28:57 2009 From: ajadav at gmail.com (Asheesh Jadav) Date: Tue, 3 Mar 2009 20:28:57 -0800 Subject: [c-nsp] VPLS on 7600 Message-ID: Hi, I'm trying to get answers to a few questions regarding VPLS configuration on a 7600. Can someone please help me out here. Below is my running config. * I'm not seeing the traffic coming in on the VC get switched towards the attachment circuit. The traffic i'm using is Unicast, IP. Is there something i'm missing in my config? * The 'Output Interface' and 'Preferred path' parameters for the VC are default, why is it so? And how can I set a preferred path if I can? Thanks. Router# Router#show run Building configuration... Current configuration : 2641 bytes ! upgrade fpd auto version 12.2 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption service counters max age 10 ! hostname Router ! boot-start-marker boot system flash sup-bootdisk:c7600s72033-advipservicesk9-mz.122-33.SRB5.bin boot-end-marker ! ! no aaa new-model ip subnet-zero ! ! ! ! ipv6 mfib hardware-switching replication-mode ingress mls ip slb purge global mls ip multicast flow-stat-timer 9 mls flow ip interface-full no mls flow ipv6 no mls acl tcam share-global mls cef error action reset mpls traffic-eng tunnels mpls ldp neighbor 7.7.7.7 targeted ldp mpls ldp discovery targeted-hello accept mpls label range 2048 524287 mpls label protocol ldp ! ! spanning-tree mode pvst spanning-tree extend system-id diagnostic cns publish cisco.cns.device.diag_results diagnostic cns subscribe cisco.cns.device.diag_commands ! ! redundancy mode sso main-cpu auto-sync running-config ! vlan internal allocation policy ascending vlan access-log ratelimit 2000 l2 vfi vpls manual vpn id 100 neighbor 7.7.7.7 encapsulation mpls ! ! ! ! ! ! ! interface Tunnel1 ip unnumbered Loopback0 mpls traffic-eng tunnels mpls ip tunnel source GigabitEthernet4/1 tunnel destination 7.7.7.7 tunnel mode mpls traffic-eng tunnel mpls traffic-eng autoroute announce tunnel mpls traffic-eng path-option 1 dynamic ! interface Loopback0 ip address 9.9.9.9 255.255.255.255 ! interface GigabitEthernet4/1 ip address 20.20.20.9 255.255.255.0 ip ospf network broadcast ip ospf priority 2 mpls traffic-eng tunnels mpls label protocol ldp ip rsvp bandwidth ! interface GigabitEthernet4/2 switchport switchport access vlan 100 switchport mode access ! interface GigabitEthernet4/3 no ip address ! interface GigabitEthernet4/4 no ip address shutdown ! interface GigabitEthernet4/5 no ip address shutdown ! interface GigabitEthernet4/6 no ip address shutdown ! interface GigabitEthernet4/7 no ip address shutdown ! interface GigabitEthernet4/8 no ip address shutdown ! interface GigabitEthernet5/1 no ip address shutdown ! interface GigabitEthernet5/2 no ip address shutdown ! interface Vlan1 no ip address shutdown ! interface Vlan100 no ip address xconnect vfi vpls ! router ospf 1 router-id 9.9.9.9 log-adjacency-changes network 9.9.9.9 0.0.0.0 area 0 network 20.20.20.0 0.0.0.255 area 0 mpls traffic-eng router-id Loopback0 mpls traffic-eng area 0 mpls traffic-eng interface GigabitEthernet4/1 area 0 ! ip classless ! ! no ip http server no ip http secure-server ! ! ! mpls ldp router-id Loopback0 force ! control-plane ! ! line con 0 line vty 0 4 login ! ! end Router#show ip cef Prefix Next Hop Interface 0.0.0.0/0 no route 0.0.0.0/32 receive 7.7.7.7/32 7.7.7.7 Tunnel1 9.9.9.9/32 receive Loopback0 20.20.20.0/24 attached GigabitEthernet4/1 20.20.20.0/32 receive GigabitEthernet4/1 20.20.20.7/32 attached GigabitEthernet4/1 20.20.20.9/32 receive GigabitEthernet4/1 20.20.20.255/32 receive GigabitEthernet4/1 127.0.0.0/8 attached EOBC0/0 127.0.0.0/32 receive EOBC0/0 127.0.0.51/32 receive EOBC0/0 127.255.255.255/32 receive EOBC0/0 224.0.0.0/4 drop 224.0.0.0/24 receive 240.0.0.0/4 drop 255.255.255.255/32 receive Router# Router#show mpls l2transport vc 100 detail Local interface: VFI vpls VFI up MPLS VC type is VFI, interworking type is Ethernet Destination address: 7.7.7.7, VC ID: 100, VC status: up Output interface: none, imposed label stack {2048} Preferred path: not configured Default path: active Next hop: Invalid ADDR Create time: 09:16:24, last status change time: 00:07:30 Signaling protocol: LDP, peer 7.7.7.7:0 up Targeted Hello: 9.9.9.9(LDP Id) -> 7.7.7.7 MPLS VC labels: local 2050, remote 2048 Group ID: local 0, remote 100 MTU: local 1500, remote 1500 Remote interface description: Sequencing: receive disabled, send disabled VC statistics: packet totals: receive 111393, send 0 byte totals: receive 6683580, send 0 packet drops: receive 0, send 0 Router# From brhedlun at cisco.com Wed Mar 4 00:26:24 2009 From: brhedlun at cisco.com (Brad Hedlund) Date: Tue, 03 Mar 2009 23:26:24 -0600 Subject: [c-nsp] VPLS on 7600 In-Reply-To: Message-ID: Hi, VPLS is not supported over GRE on 7600. Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org On 3/3/09 10:28 PM, "Asheesh Jadav" wrote: > Hi, > > I'm trying to get answers to a few questions regarding VPLS configuration > on a 7600. Can someone please help me out here. Below is my running config. > > * I'm not seeing the traffic coming in on the VC get switched towards the > attachment circuit. The traffic i'm using is Unicast, IP. Is there something > i'm missing in my config? > * The 'Output Interface' and 'Preferred path' parameters for the VC are > default, why is it so? And how can I set a preferred path if I can? > > Thanks. > > Router# > Router#show run > Building configuration... > > Current configuration : 2641 bytes > ! > upgrade fpd auto > version 12.2 > service timestamps debug datetime msec > service timestamps log datetime msec > no service password-encryption > service counters max age 10 > ! > hostname Router > ! > boot-start-marker > boot system flash > sup-bootdisk:c7600s72033-advipservicesk9-mz.122-33.SRB5.bin > boot-end-marker > ! > ! > no aaa new-model > ip subnet-zero > ! > ! > ! > ! > ipv6 mfib hardware-switching replication-mode ingress > mls ip slb purge global > mls ip multicast flow-stat-timer 9 > mls flow ip interface-full > no mls flow ipv6 > no mls acl tcam share-global > mls cef error action reset > mpls traffic-eng tunnels > mpls ldp neighbor 7.7.7.7 targeted ldp > mpls ldp discovery targeted-hello accept > mpls label range 2048 524287 > mpls label protocol ldp > ! > ! > spanning-tree mode pvst > spanning-tree extend system-id > diagnostic cns publish cisco.cns.device.diag_results > diagnostic cns subscribe cisco.cns.device.diag_commands > ! > ! > redundancy > mode sso > main-cpu > auto-sync running-config > ! > vlan internal allocation policy ascending > vlan access-log ratelimit 2000 > l2 vfi vpls manual > vpn id 100 > neighbor 7.7.7.7 encapsulation mpls > ! > ! > ! > ! > ! > ! > ! > interface Tunnel1 > ip unnumbered Loopback0 > mpls traffic-eng tunnels > mpls ip > tunnel source GigabitEthernet4/1 > tunnel destination 7.7.7.7 > tunnel mode mpls traffic-eng > tunnel mpls traffic-eng autoroute announce > tunnel mpls traffic-eng path-option 1 dynamic > ! > interface Loopback0 > ip address 9.9.9.9 255.255.255.255 > ! > interface GigabitEthernet4/1 > ip address 20.20.20.9 255.255.255.0 > ip ospf network broadcast > ip ospf priority 2 > mpls traffic-eng tunnels > mpls label protocol ldp > ip rsvp bandwidth > ! > interface GigabitEthernet4/2 > switchport > switchport access vlan 100 > switchport mode access > ! > interface GigabitEthernet4/3 > no ip address > ! > interface GigabitEthernet4/4 > no ip address > shutdown > ! > interface GigabitEthernet4/5 > no ip address > shutdown > ! > interface GigabitEthernet4/6 > no ip address > shutdown > ! > interface GigabitEthernet4/7 > no ip address > shutdown > ! > interface GigabitEthernet4/8 > no ip address > shutdown > ! > interface GigabitEthernet5/1 > no ip address > shutdown > ! > interface GigabitEthernet5/2 > no ip address > shutdown > ! > interface Vlan1 > no ip address > shutdown > ! > interface Vlan100 > no ip address > xconnect vfi vpls > ! > router ospf 1 > router-id 9.9.9.9 > log-adjacency-changes > network 9.9.9.9 0.0.0.0 area 0 > network 20.20.20.0 0.0.0.255 area 0 > mpls traffic-eng router-id Loopback0 > mpls traffic-eng area 0 > mpls traffic-eng interface GigabitEthernet4/1 area 0 > ! > ip classless > ! > ! > no ip http server > no ip http secure-server > ! > ! > ! > mpls ldp router-id Loopback0 force > ! > control-plane > ! > ! > line con 0 > line vty 0 4 > login > ! > ! > end > > Router#show ip cef > Prefix Next Hop Interface > 0.0.0.0/0 no route > 0.0.0.0/32 receive > 7.7.7.7/32 7.7.7.7 Tunnel1 > 9.9.9.9/32 receive Loopback0 > 20.20.20.0/24 attached GigabitEthernet4/1 > 20.20.20.0/32 receive GigabitEthernet4/1 > 20.20.20.7/32 attached GigabitEthernet4/1 > 20.20.20.9/32 receive GigabitEthernet4/1 > 20.20.20.255/32 receive GigabitEthernet4/1 > 127.0.0.0/8 attached EOBC0/0 > 127.0.0.0/32 receive EOBC0/0 > 127.0.0.51/32 receive EOBC0/0 > 127.255.255.255/32 receive EOBC0/0 > 224.0.0.0/4 drop > 224.0.0.0/24 receive > 240.0.0.0/4 drop > 255.255.255.255/32 receive > Router# > Router#show mpls l2transport vc 100 detail > Local interface: VFI vpls VFI up > MPLS VC type is VFI, interworking type is Ethernet > Destination address: 7.7.7.7, VC ID: 100, VC status: up > Output interface: none, imposed label stack {2048} > Preferred path: not configured > Default path: active > Next hop: Invalid ADDR > Create time: 09:16:24, last status change time: 00:07:30 > Signaling protocol: LDP, peer 7.7.7.7:0 up > Targeted Hello: 9.9.9.9(LDP Id) -> 7.7.7.7 > MPLS VC labels: local 2050, remote 2048 > Group ID: local 0, remote 100 > MTU: local 1500, remote 1500 > Remote interface description: > Sequencing: receive disabled, send disabled > VC statistics: > packet totals: receive 111393, send 0 > byte totals: receive 6683580, send 0 > packet drops: receive 0, send 0 > > Router# > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From thilak.t at gmail.com Wed Mar 4 00:37:10 2009 From: thilak.t at gmail.com (Thilak T) Date: Tue, 3 Mar 2009 21:37:10 -0800 Subject: [c-nsp] How to track SSL cert expiry on Cisco ACS Message-ID: <1d11fbf80903032137i49899c54nac5fb1513d011274@mail.gmail.com> Hello Can anyone advice what is the best method to keep track of SSL cert expiry on ACS 4.2 servers. I have 15 ACS across the globe , which I have to manually keep track on cert validity. From ajadav at gmail.com Wed Mar 4 01:19:36 2009 From: ajadav at gmail.com (Asheesh Jadav) Date: Tue, 3 Mar 2009 22:19:36 -0800 Subject: [c-nsp] VPLS on 7600 In-Reply-To: References: Message-ID: The Line card I have is a WS-X6408A-GBIC. I'm using different ports on the same line card for my attachment circuit as well as VC. Is VPLS supported on this hardware? On Tue, Mar 3, 2009 at 8:28 PM, Asheesh Jadav wrote: > Hi, > > I'm trying to get answers to a few questions regarding VPLS configuration > on a 7600. Can someone please help me out here. Below is my running config. > > * I'm not seeing the traffic coming in on the VC get switched towards the > attachment circuit. The traffic i'm using is Unicast, IP. Is there something > i'm missing in my config? > * The 'Output Interface' and 'Preferred path' parameters for the VC are > default, why is it so? And how can I set a preferred path if I can? > > Thanks. > > Router# > Router#show run > Building configuration... > > Current configuration : 2641 bytes > ! > upgrade fpd auto > version 12.2 > service timestamps debug datetime msec > service timestamps log datetime msec > no service password-encryption > service counters max age 10 > ! > hostname Router > ! > boot-start-marker > boot system flash > sup-bootdisk:c7600s72033-advipservicesk9-mz.122-33.SRB5.bin > boot-end-marker > ! > ! > no aaa new-model > ip subnet-zero > ! > ! > ! > ! > ipv6 mfib hardware-switching replication-mode ingress > mls ip slb purge global > mls ip multicast flow-stat-timer 9 > mls flow ip interface-full > no mls flow ipv6 > no mls acl tcam share-global > mls cef error action reset > mpls traffic-eng tunnels > mpls ldp neighbor 7.7.7.7 targeted ldp > mpls ldp discovery targeted-hello accept > mpls label range 2048 524287 > mpls label protocol ldp > ! > ! > spanning-tree mode pvst > spanning-tree extend system-id > diagnostic cns publish cisco.cns.device.diag_results > diagnostic cns subscribe cisco.cns.device.diag_commands > ! > ! > redundancy > mode sso > main-cpu > auto-sync running-config > ! > vlan internal allocation policy ascending > vlan access-log ratelimit 2000 > l2 vfi vpls manual > vpn id 100 > neighbor 7.7.7.7 encapsulation mpls > ! > ! > ! > ! > ! > ! > ! > interface Tunnel1 > ip unnumbered Loopback0 > mpls traffic-eng tunnels > mpls ip > tunnel source GigabitEthernet4/1 > tunnel destination 7.7.7.7 > tunnel mode mpls traffic-eng > tunnel mpls traffic-eng autoroute announce > tunnel mpls traffic-eng path-option 1 dynamic > ! > interface Loopback0 > ip address 9.9.9.9 255.255.255.255 > ! > interface GigabitEthernet4/1 > ip address 20.20.20.9 255.255.255.0 > ip ospf network broadcast > ip ospf priority 2 > mpls traffic-eng tunnels > mpls label protocol ldp > ip rsvp bandwidth > ! > interface GigabitEthernet4/2 > switchport > switchport access vlan 100 > switchport mode access > ! > interface GigabitEthernet4/3 > no ip address > ! > interface GigabitEthernet4/4 > no ip address > shutdown > ! > interface GigabitEthernet4/5 > no ip address > shutdown > ! > interface GigabitEthernet4/6 > no ip address > shutdown > ! > interface GigabitEthernet4/7 > no ip address > shutdown > ! > interface GigabitEthernet4/8 > no ip address > shutdown > ! > interface GigabitEthernet5/1 > no ip address > shutdown > ! > interface GigabitEthernet5/2 > no ip address > shutdown > ! > interface Vlan1 > no ip address > shutdown > ! > interface Vlan100 > no ip address > xconnect vfi vpls > ! > router ospf 1 > router-id 9.9.9.9 > log-adjacency-changes > network 9.9.9.9 0.0.0.0 area 0 > network 20.20.20.0 0.0.0.255 area 0 > mpls traffic-eng router-id Loopback0 > mpls traffic-eng area 0 > mpls traffic-eng interface GigabitEthernet4/1 area 0 > ! > ip classless > ! > ! > no ip http server > no ip http secure-server > ! > ! > ! > mpls ldp router-id Loopback0 force > ! > control-plane > ! > ! > line con 0 > line vty 0 4 > login > ! > ! > end > > Router#show ip cef > Prefix Next Hop Interface > 0.0.0.0/0 no route > 0.0.0.0/32 receive > 7.7.7.7/32 7.7.7.7 Tunnel1 > 9.9.9.9/32 receive Loopback0 > 20.20.20.0/24 attached GigabitEthernet4/1 > 20.20.20.0/32 receive GigabitEthernet4/1 > 20.20.20.7/32 attached GigabitEthernet4/1 > 20.20.20.9/32 receive GigabitEthernet4/1 > 20.20.20.255/32 receive GigabitEthernet4/1 > 127.0.0.0/8 attached EOBC0/0 > 127.0.0.0/32 receive EOBC0/0 > 127.0.0.51/32 receive EOBC0/0 > 127.255.255.255/32 receive EOBC0/0 > 224.0.0.0/4 drop > 224.0.0.0/24 receive > 240.0.0.0/4 drop > 255.255.255.255/32 receive > Router# > Router#show mpls l2transport vc 100 detail > Local interface: VFI vpls VFI up > MPLS VC type is VFI, interworking type is Ethernet > Destination address: 7.7.7.7, VC ID: 100, VC status: up > Output interface: none, imposed label stack {2048} > Preferred path: not configured > Default path: active > Next hop: Invalid ADDR > Create time: 09:16:24, last status change time: 00:07:30 > Signaling protocol: LDP, peer 7.7.7.7:0 up > Targeted Hello: 9.9.9.9(LDP Id) -> 7.7.7.7 > MPLS VC labels: local 2050, remote 2048 > Group ID: local 0, remote 100 > MTU: local 1500, remote 1500 > Remote interface description: > Sequencing: receive disabled, send disabled > VC statistics: > packet totals: receive 111393, send 0 > byte totals: receive 6683580, send 0 > packet drops: receive 0, send 0 > > Router# > From r.engehausen at gmail.com Wed Mar 4 01:49:12 2009 From: r.engehausen at gmail.com (Roy) Date: Tue, 03 Mar 2009 22:49:12 -0800 Subject: [c-nsp] SSH from router to linux Message-ID: <49AE2468.40001@gmail.com> I am trying to ssh from a 2811 to linux box. I telnet to the Cisco and issue ssh -l root xx.xx.xx.xx and I get the password prompt. I enter that and then logon goes through and I get the shell prompt. The problem is that nothing I type seems to get through to linux. Is there some magic I am missing? From serhat.candan at probil.com.tr Wed Mar 4 04:14:43 2009 From: serhat.candan at probil.com.tr (=?iso-8859-9?Q?Serhat_Candan_=28Probil_-_=DDstanbul=29?=) Date: Wed, 4 Mar 2009 11:14:43 +0200 Subject: [c-nsp] Cisco 7600 Router's Default IPSec Throughput Rate In-Reply-To: <3fc686ad0903040112p6760a191r9cb16eb7969d8960@mail.gmail.com> References: <3fc686ad0903040112p6760a191r9cb16eb7969d8960@mail.gmail.com> Message-ID: <2ED8C866F019B840AD21E8E29AD091CD0CB9E77410@proexc.probil.intl> Hello All, I m trying to find a reference guide which has IPSec VPN throughput rates of Cisco 7600 router. I m not sure to use VPN SPA or not because of that. For example if you have 50 IPSec Sites with low speed such as 128 Kbps, do we need to use VPN SPA or just upgrade the IOS of the router by using Security Feature enabled IOS? It would be great to have such a document to determine that need. Thanks in advance, Serhat From blahu77 at gmail.com Wed Mar 4 05:00:06 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Wed, 4 Mar 2009 10:00:06 +0000 Subject: [c-nsp] VPLS on 7600 In-Reply-To: References: Message-ID: <383357750903040200s5cb711ceg94e872948507041e@mail.gmail.com> 2009/3/4 Asheesh Jadav : > The Line card I have is a WS-X6408A-GBIC. I'm using different ports on the > same line card for my attachment circuit as well as VC. Is VPLS supported on > this hardware? VPLS is supported only on ES, SPA and OSM line cards [...] >> interface Tunnel1 >> ?ip unnumbered Loopback0 >> ?mpls traffic-eng tunnels >> ?mpls ip >> ?tunnel source GigabitEthernet4/1 I think you need to source the tunnel from Lo0 >> ?tunnel destination 7.7.7.7 >> ?tunnel mode mpls traffic-eng >> ?tunnel mpls traffic-eng autoroute announce >> ?tunnel mpls traffic-eng path-option 1 dynamic [...] >> interface Vlan100 >> ?no ip address >> ?xconnect vfi vpls This configuration is not supported on your line card. Best Regards, -mat -- pgp-key 0x1C655CAB From hegedus.gabor at euroway.hu Wed Mar 4 04:27:25 2009 From: hegedus.gabor at euroway.hu (Hegedus Gabor) Date: Wed, 04 Mar 2009 10:27:25 +0100 Subject: [c-nsp] ip helper and dhcp on the same device Message-ID: <49AE497D.20503@euroway.hu> Hi all! I have a question. Is it possible to use ip dhcp pool XY for one host( use mac address) and ip helper-address for the others (all pc is in the same subnet). the scenario is here: ________onePcWithKnownMAC | [ROUTER]_____________[SW]_______otherPCs | |__________________[DHCP SERVER for the others] - one dhcp server on the router for just one pc and - one dhcp server for the others Is it possible? another question: I set the ip helper address, and the ip on 2 interface, and my C 2611 dosen't send the request packet from in interface to the out interface. (checked by in acc list log and out acc list log) Why? What is the problem? Thank you for help me! Best regards Gabor From Steven.Glogger at swisscom.com Wed Mar 4 05:42:06 2009 From: Steven.Glogger at swisscom.com (Steven.Glogger at swisscom.com) Date: Wed, 4 Mar 2009 11:42:06 +0100 Subject: [c-nsp] ip helper and dhcp on the same device In-Reply-To: <49AE497D.20503@euroway.hu> References: <49AE497D.20503@euroway.hu> Message-ID: <1FC8A0BAFBBD9749BB1F06010D23C8A55EE6565D@sg000035.corproot.net> probably you could solve it by placing one pool for your local stuff, and doing some nasty dhcp proxying / agent stuff for your other requirement -steven -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hegedus Gabor Sent: Wednesday, March 04, 2009 10:27 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] ip helper and dhcp on the same device Hi all! I have a question. Is it possible to use ip dhcp pool XY for one host( use mac address) and ip helper-address for the others (all pc is in the same subnet). the scenario is here: ________onePcWithKnownMAC | [ROUTER]_____________[SW]_______otherPCs | |__________________[DHCP SERVER for the others] - one dhcp server on the router for just one pc and - one dhcp server for the others Is it possible? another question: I set the ip helper address, and the ip on 2 interface, and my C 2611 dosen't send the request packet from in interface to the out interface. (checked by in acc list log and out acc list log) Why? What is the problem? Thank you for help me! Best regards Gabor _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From Craig at smilernet.com Wed Mar 4 07:25:51 2009 From: Craig at smilernet.com (Craig Allen) Date: Wed, 4 Mar 2009 12:25:51 -0000 Subject: [c-nsp] Cisco 6509-E QoS Policy Confusion Message-ID: <468184E71AE00E4B803885E21B5CD81408A828@bender.smilernet.local> Hello, I have recently taken over a network and have a question about a current QoS policy and am trying to understand why it would have been configured this way. An excerpt of the questionable config is as follows: policy-map apply_1000_qos_for_att_dscp_to_nextlevel class EF_QOS_PORTS police cir 4000000000 bc 3125000 be 31250000 conform-action set-dscp-transmit ef exceed-action policed-dscp-transmit violate-action policed-dscp-transmit class af31_QOS_PORTS police cir 4000000000 bc 31250000 be 31250000 conform-action set-dscp-transmit af31 exceed-action policed-dscp-transmit violate-action policed-dscp-transmit class af21_QOS_PORTS police cir 1000000000 bc 31250000 be 31250000 conform-action set-dscp-transmit af21 exceed-action policed-dscp-transmit violate-action policed-dscp-transmit ! The above policy has been applied to all Gig interfaces on the 6509 blades. What I'm trying to understand is the CIR / BC / BE settings and exactly what they will achieve. My first initial thought is that the CIR/BC/BE settings will achieve nothing? Thanks! Craig From Michael.Robson at manchester.ac.uk Wed Mar 4 08:00:59 2009 From: Michael.Robson at manchester.ac.uk (Michael Robson) Date: Wed, 4 Mar 2009 13:00:59 +0000 Subject: [c-nsp] UDP-helper problem Message-ID: <2CE904AA-FF23-4480-8D58-1322E1521FBD@manchester.ac.uk> I have recently moved the routing of a subnet from an old sup2/msfc2 6500 (Version 12.1(26)E8, RELEASE SOFTWARE (fc1)) to a newer sup3/ msfc3 6500 (Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)). On the old router the udp-helper command worked fine, but on the new router I can see the DHCP address coming in but not the reply coming back and the DHCP server isn't seeing the request arriving. Can anyone suggest why this might have stopped working (it isn't an ACL or firewall issue as there aren't any in the way) and I haven't turned _off_ any component of udp-helper (i.e. using the ip forward-protocol command). interface Vlan937 description XXXYYYZZZ ip address w.x.y.z 255.255.255.192 ip helper-address a.b.c.d Thanks, Michael -- From avayner at cisco.com Wed Mar 4 08:16:39 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Wed, 4 Mar 2009 14:16:39 +0100 Subject: [c-nsp] Cisco 6509-E QoS Policy Confusion In-Reply-To: <468184E71AE00E4B803885E21B5CD81408A828@bender.smilernet.local> References: <468184E71AE00E4B803885E21B5CD81408A828@bender.smilernet.local> Message-ID: <78C984F8939D424697B15E4B1C1BB3D74D4B7B@xmb-ams-331.emea.cisco.com> Craig, Basically you are making sure the customer is not abusing the different classes. For example any packet that goes beyond the policer in class EF_QOS_PORTS would be remarked (this is the " exceed-action policed-dscp-transmit violate-action policed-dscp-transmit" part) to a lower value. To see the value of the remark, you should use this command: router#show mls qos maps policed-dscp Normal Burst Policed-dscp map: (dscp= d1d2) d1 : d2 0 1 2 3 4 5 6 7 8 9 ------------------------------------- 0 : 00 01 02 03 04 05 06 07 08 09 1 : 10 11 12 13 14 15 16 17 18 19 2 : 20 21 22 23 24 25 26 27 28 29 3 : 30 31 32 33 34 35 36 37 38 39 4 : 40 41 42 43 44 45 46 47 48 49 5 : 50 51 52 53 54 55 56 57 58 59 6 : 60 61 62 63 Maximum Burst Policed-dscp map: (dscp= d1d2) d1 : d2 0 1 2 3 4 5 6 7 8 9 ------------------------------------- 0 : 00 01 02 03 04 05 06 07 08 09 1 : 10 11 12 13 14 15 16 17 18 19 2 : 20 21 22 23 24 25 26 27 28 29 3 : 30 31 32 33 34 35 36 37 38 39 4 : 40 41 42 43 44 45 46 47 48 49 5 : 50 51 52 53 54 55 56 57 58 59 6 : 60 61 62 63 For reference, search for "policed-dscp-transmit" on this page: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/con figuration/guide/qos.html Usually this kind of policy is deployed on the ingress of the network (where a customer is connected) and the remark makes sure that any excess traffic from each class is marked down either to BE or a lower class (depends on policy) Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Craig Allen Sent: Wednesday, March 04, 2009 14:26 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cisco 6509-E QoS Policy Confusion Hello, I have recently taken over a network and have a question about a current QoS policy and am trying to understand why it would have been configured this way. An excerpt of the questionable config is as follows: policy-map apply_1000_qos_for_att_dscp_to_nextlevel class EF_QOS_PORTS police cir 4000000000 bc 3125000 be 31250000 conform-action set-dscp-transmit ef exceed-action policed-dscp-transmit violate-action policed-dscp-transmit class af31_QOS_PORTS police cir 4000000000 bc 31250000 be 31250000 conform-action set-dscp-transmit af31 exceed-action policed-dscp-transmit violate-action policed-dscp-transmit class af21_QOS_PORTS police cir 1000000000 bc 31250000 be 31250000 conform-action set-dscp-transmit af21 exceed-action policed-dscp-transmit violate-action policed-dscp-transmit ! The above policy has been applied to all Gig interfaces on the 6509 blades. What I'm trying to understand is the CIR / BC / BE settings and exactly what they will achieve. My first initial thought is that the CIR/BC/BE settings will achieve nothing? Thanks! Craig _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From Craig at smilernet.com Wed Mar 4 08:50:02 2009 From: Craig at smilernet.com (Craig Allen) Date: Wed, 4 Mar 2009 13:50:02 -0000 Subject: [c-nsp] Cisco 6509-E QoS Policy Confusion References: <468184E71AE00E4B803885E21B5CD81408A828@bender.smilernet.local> <78C984F8939D424697B15E4B1C1BB3D74D4B7B@xmb-ams-331.emea.cisco.com> Message-ID: <468184E71AE00E4B803885E21B5CD81408A82A@bender.smilernet.local> Arie, I understand the policed-dscp-transmit part of the policy however it's the CIR/BC/BE values that I'm questioning as based on the figures the CIR is set to 4Gbps so effectively the policed-dscp-transmit will never kick in and BC/BE are set to 32Megabytes. Basically this policy is applied to user access ports (1Gb) and also to 2 x 1Gb EtherChannel Trunk ports. What values should be applied for CIR/BC/BE on the edge if any? Craig ________________________________ From: Arie Vayner (avayner) [mailto:avayner at cisco.com] Sent: Wed 04/03/2009 13:16 To: Craig Allen; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Cisco 6509-E QoS Policy Confusion Craig, Basically you are making sure the customer is not abusing the different classes. For example any packet that goes beyond the policer in class EF_QOS_PORTS would be remarked (this is the " exceed-action policed-dscp-transmit violate-action policed-dscp-transmit" part) to a lower value. To see the value of the remark, you should use this command: router#show mls qos maps policed-dscp Normal Burst Policed-dscp map: (dscp= d1d2) d1 : d2 0 1 2 3 4 5 6 7 8 9 ------------------------------------- 0 : 00 01 02 03 04 05 06 07 08 09 1 : 10 11 12 13 14 15 16 17 18 19 2 : 20 21 22 23 24 25 26 27 28 29 3 : 30 31 32 33 34 35 36 37 38 39 4 : 40 41 42 43 44 45 46 47 48 49 5 : 50 51 52 53 54 55 56 57 58 59 6 : 60 61 62 63 Maximum Burst Policed-dscp map: (dscp= d1d2) d1 : d2 0 1 2 3 4 5 6 7 8 9 ------------------------------------- 0 : 00 01 02 03 04 05 06 07 08 09 1 : 10 11 12 13 14 15 16 17 18 19 2 : 20 21 22 23 24 25 26 27 28 29 3 : 30 31 32 33 34 35 36 37 38 39 4 : 40 41 42 43 44 45 46 47 48 49 5 : 50 51 52 53 54 55 56 57 58 59 6 : 60 61 62 63 For reference, search for "policed-dscp-transmit" on this page: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/con figuration/guide/qos.html Usually this kind of policy is deployed on the ingress of the network (where a customer is connected) and the remark makes sure that any excess traffic from each class is marked down either to BE or a lower class (depends on policy) Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Craig Allen Sent: Wednesday, March 04, 2009 14:26 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cisco 6509-E QoS Policy Confusion Hello, I have recently taken over a network and have a question about a current QoS policy and am trying to understand why it would have been configured this way. An excerpt of the questionable config is as follows: policy-map apply_1000_qos_for_att_dscp_to_nextlevel class EF_QOS_PORTS police cir 4000000000 bc 3125000 be 31250000 conform-action set-dscp-transmit ef exceed-action policed-dscp-transmit violate-action policed-dscp-transmit class af31_QOS_PORTS police cir 4000000000 bc 31250000 be 31250000 conform-action set-dscp-transmit af31 exceed-action policed-dscp-transmit violate-action policed-dscp-transmit class af21_QOS_PORTS police cir 1000000000 bc 31250000 be 31250000 conform-action set-dscp-transmit af21 exceed-action policed-dscp-transmit violate-action policed-dscp-transmit ! The above policy has been applied to all Gig interfaces on the 6509 blades. What I'm trying to understand is the CIR / BC / BE settings and exactly what they will achieve. My first initial thought is that the CIR/BC/BE settings will achieve nothing? Thanks! Craig _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rens at autempspourmoi.be Wed Mar 4 09:10:46 2009 From: rens at autempspourmoi.be (Rens) Date: Wed, 4 Mar 2009 15:10:46 +0100 Subject: [c-nsp] Deliver a L2 MTU circuit of 1530 Message-ID: <259B663485FD4F5A8F803F333F048F8D@EU.corp.clearwire.com> Hi all, I would want to know of my logic makes sense. Customer side A <=> SWITCH L2 <=> ROUTER <=> L2TPv3 cloud <=> ROUTER <=> SWITCH L2 <=> Customer side B So I would configure QinQ on my switch and this would arrive on my router via dot1q subinterface and with an xconnect to the other router and out again with dot1q subinterface and QinQ towards the customer. If my customer demands a L2 MTU of 1530 which IP should I need between my 2 routers towards the L2TPv3 cloud. I calculate like this: Customer 1530 + 8 bytes for my QinQ + 42 bytes for my L2TPv3 So my minimum MTU between my 2 routers should be minimum 1580 so they wouldn't fragment? Any feedback is welcome. Regards, Rens From justin at justinshore.com Wed Mar 4 09:14:27 2009 From: justin at justinshore.com (Justin Shore) Date: Wed, 04 Mar 2009 08:14:27 -0600 Subject: [c-nsp] SSH from router to linux In-Reply-To: <49AE2468.40001@gmail.com> References: <49AE2468.40001@gmail.com> Message-ID: <49AE8CC3.5060802@justinshore.com> My best guess is that your Linux box isn't correcting determining what term type to use or some other core shell variable along those lines. SSH in normally and issue echo $TERM to see what it is. Add "env" to one your shell's startup file (.bash_login for example if you use bash). Compare env output from the normal SSH connection to the one through the router. Try switching your default shell on the Linux box to something else. I use bash. You'll probably get better responses on a list specific to your Linux distribution's SSH daemon. I think that's where the problem most likely is. Justin Roy wrote: > I am trying to ssh from a 2811 to linux box. I telnet to the Cisco and > issue > > ssh -l root xx.xx.xx.xx > > and I get the password prompt. I enter that and then logon goes through > and I get the shell prompt. The problem is that nothing I type seems to > get through to linux. > > Is there some magic I am missing? > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From charles.regan at gmail.com Wed Mar 4 09:46:10 2009 From: charles.regan at gmail.com (Charles Regan) Date: Wed, 4 Mar 2009 10:46:10 -0400 Subject: [c-nsp] VLAN and switch and ? Message-ID: Good Morning, I'll try to explain what I want to do... We are LOCAL NETWORK in this graphic. The ISP wants to use our fiber link to connect to his wireless customer. We also want internet access from his Wireless Backhaul1. ISP also use VLAN on his customer subscriber modules. How would you configure 2924 Switch and 2960 Switch, so that everything is transparent from my side and his side ? I don't want him to call me to add a new VLAN on our switch. ISP ---Wireless BackHaul1 -- 2924 Switch ---- FIBER ---- 2960 Switch ---- Wireless Backhaul2 ---- Access Point ---- Wireless subscriber modules | | | | | | | | | | LOCAL NETWORK LOCAL NETWORK Will something like this work ? switchport access vlan 500 switchport trunk encapsulation dot1q switchport mode trunk From rodunn at cisco.com Wed Mar 4 10:11:39 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 4 Mar 2009 10:11:39 -0500 Subject: [c-nsp] packet loss between adjacent ciscos In-Reply-To: <20090227162830.xbtdn6m8jyss40sg@webmail2.australiaonline.net.au> References: <20090227162830.xbtdn6m8jyss40sg@webmail2.australiaonline.net.au> Message-ID: <20090304151139.GG4100@rtp-cse-489.cisco.com> Upgrade the 72xx's to 12.4(20)T latest on Cisco.com to get the packet capture feature and prove where the packets are getting lost via a capture: http://supportwiki.cisco.com/ViewWiki/index.php/Tech_Insights:Utilizing_the_New_Packet_Capture_Feature We could go in to the long discussion about how to make sure all the packets are being CEF switched, performance with features, etc... But it's easier to just prove via a trace where the packets are not being delivered via a trace and focus there. Rodney On Fri, Feb 27, 2009 at 04:28:30PM +1100, Sam Tilders wrote: > Hi, > > We have been experiencing some packet loss between a switch and a > router directly connected to each other and are having some difficulty > finding the problem. > > The problem showed up when a customer complained that there were > moments of silence on their voip calls. They did some pings and found > that there was packet loss at the same time as the silence on the calls. > > With some further help from the customer, I was able to narrow the > problem down to loss between two ciscos in our rack. > > The network layout is like this: > > carrier peer port > | > | > | 100% ping success. > | > | iofe > border router (7200vxr w/npe-400 12.2(18)S4) > | pa-fe-tx > | > | 99.994 - 99.999% ping success > | > | > switch (2924 xl en) > | > | > | 100% ping success > | > | iofe > l2tp termination router (7200vxr w/npe-300 12.4(4)T1) > | gige > | > | > downstream to customers > > The ping percentages are from repeated 100000 ping samples. > > The interfaces are all forced duplex full, the switch interfaces are > forced speed 100. > > When the link between the router and the switch has loss it can be > seen in the ping as a slow down then a single timeout. > > The ping output goes something like: > > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > !!!! ! ! ! ! ! ! .!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! > > where I've used spacing to indicate the time between markers. > > So it appears that the ping and reply begins to slow, then it slows > enough that a single 2 second timeout occurs and then it picks up > again at full speed. > > A 100000 ping takes a few minutes to run and during this time it may > lose one or half a dozen pings, each lost ping spaced apart, > apparently with no regular period. > > The router and switch are typically running around 30% cpu. > > When I run these ping tests the switch gets to 80% cpu, however it can > be shown with cases like a customer's voip call that the problem > occurs even when the util is lower. > > I have correlated the ping loss with the customer's voip silence, > having them on a call while running the ping and they experience a > couple of seconds of silence at the same time as the router misses a > ping. > > I've been on site and replaced the pa-fe-tx in the 7200 to no > improvement. I moved the PA to a different port on the router, no > improvement. I've replaced the switch with no improvement. > > (We had previously tried different switch ports and replacing the cabling.) > > All the while, none of the interface statistics report any errors > other than the occasional ignored packet - however, these don't occur > at the same time as > the problem and much less frequently. > > I've had various debug options turned on - both on the switch and the > router - there has been no clear correlation between any events and > the occurence of packet loss. > > So, I was wondering if this sounds familiar to anyone or if there is > anything someone might be able to suggest to further investigate or > resolve this issue. > > I'd appreciate any advice that can be given. > > Regards, > > - Sam > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jfitz at Princeton.EDU Wed Mar 4 10:14:15 2009 From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Wed, 4 Mar 2009 10:14:15 -0500 Subject: [c-nsp] VLAN and switch and ? In-Reply-To: References: Message-ID: Look at layer 2 tunneling for your switches. You would assign tunnel vlan ID and ISP would send tagged traffic into tunnel (Q in Q) and traffic would exit tunnel where ever needed. When you assign a port as a tunnel port, it becomes a tunnel-input and tunnel-output. You can have as many tunnel ports as you need. The ISP can now send what ever VLANs they want and you do not need to change anything. Read the doc and be aware of oversized packet handling within tunnel switches. Jeff Fitzwater OIT Network Systems Princeton University On Mar 4, 2009, at 9:46 AM, Charles Regan wrote: > Good Morning, > > I'll try to explain what I want to do... We are LOCAL NETWORK in > this graphic. > The ISP wants to use our fiber link to connect to his wireless > customer. > We also want internet access from his Wireless Backhaul1. > ISP also use VLAN on his customer subscriber modules. > > How would you configure 2924 Switch and 2960 Switch, so that > everything is transparent from my side and his side ? > I don't want him to call me to add a new VLAN on our switch. > > > ISP ---Wireless BackHaul1 -- 2924 Switch ---- FIBER ---- 2960 Switch > ---- Wireless Backhaul2 ---- Access Point ---- Wireless subscriber > modules > | > | > | > | > | > | > | > | > | > | > LOCAL NETWORK LOCAL NETWORK > > > Will something like this work ? > switchport access vlan 500 > switchport trunk encapsulation dot1q > switchport mode trunk > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mduksa at gmail.com Wed Mar 4 10:57:17 2009 From: mduksa at gmail.com (Marlon Duksa) Date: Wed, 4 Mar 2009 07:57:17 -0800 Subject: [c-nsp] Cisco 7600 Router's Default IPSec Throughput Rate In-Reply-To: <2ED8C866F019B840AD21E8E29AD091CD0CB9E77410@proexc.probil.intl> References: <3fc686ad0903040112p6760a191r9cb16eb7969d8960@mail.gmail.com> <2ED8C866F019B840AD21E8E29AD091CD0CB9E77410@proexc.probil.intl> Message-ID: Serhat - look for "ipsec support on 7600" posting on this list. A similar question was submitted a several days ago.. On Wed, Mar 4, 2009 at 1:14 AM, Serhat Candan (Probil - ?stanbul) < serhat.candan at probil.com.tr> wrote: > Hello All, > > I m trying to find a reference guide which has IPSec VPN throughput rates > of Cisco 7600 router. I m not sure to use VPN SPA or not because of that. > For example if you have 50 IPSec Sites with low speed such as 128 Kbps, do > we need to use VPN SPA or just upgrade the IOS of the router by using > Security Feature enabled IOS? > > It would be great to have such a document to determine that need. > > Thanks in advance, > > Serhat > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From psirt at cisco.com Wed Mar 4 11:30:00 2009 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wed, 04 Mar 2009 17:30:00 +0100 Subject: [c-nsp] Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability Message-ID: <200903041732.sbc@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability Document ID: 109483 Advisory ID: cisco-sa-20090304-sbc http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml Revision 1.0 For Public Release 2009 March 4 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= A denial of service (DoS) vulnerability exists in the Cisco Session Border Controller (SBC) for the Cisco 7600 series routers. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml Affected Products ================= Vulnerable Products +------------------ All Cisco ACE-based SBC modules running software versions prior to 3.0(2) are affected. To determine the version of the Cisco SBC software running on a system, log in to the device and issue the show version command to display the system banner. card_A/Admin# show version system image file: [LCP] disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin Cisco SBC software version 3.0.1 is running in the device used in this example. Products Confirmed Not Vulnerable +-------------------------------- The Cisco XR 12000 Series SBC is not vulnerable. Additionally, the Cisco ACE Module, Cisco ACE 4710 Application Control Engine, Cisco ACE XML Gateway, Cisco ACE Web Application Firewall, and the Cisco ACE GSS (Global Site Selector) 4400 Series are not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability. Details ======= The Session Border Controller (SBC) enables direct IP-to-IP interconnect between multiple administrative domains for session-based services providing protocol interworking, security, and admission control and management. The SBC is a multimedia device that sits on the border of a network and controls call admission to that network. A vulnerability exists in the Cisco SBC where an unauthenticated attacker may cause the Cisco SBC card to reload by sending crafted TCP packets over port 2000. Repeated exploitation could result in a sustained DoS condition. Note: Only the Cisco SBC module reloads after successful exploitation. The Cisco 7600 series router does not reload and it is not affected by this vulnerability. Note: TCP port 2000 is typically used by Skinny Call Control Protocol (SCCP) applications. However, the Cisco SBC module uses TCP port 2000 for high availability (redundancy) communication, but does not use the SCCP for this purpose. This vulnerability is documented in Cisco Bug IDs CSCsq18958 ( registered customers only) ; and has been assigned the Common Vulnerability and Exposures (CVE) IDs CVE-2009-0619. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== This vulnerability has been corrected in Cisco SBC software release 3.0(2). Cisco SBC software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/sbc-7600-crypto When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Workarounds =========== As a workaround, configure an access control list (ACL) in the signaling / media VLAN on the Route Processor (RP). The following examples show how VLAN 140 is configured as the signaling / media VLAN. A separate VLAN (VLAN 77) is configured as Fault Tolerance (FT). An ACL is added to the signaling/media VLAN on the RP filtering all TCP port 2000 packets to the alias IP address. Cisco SBC configuration interface vlan 140 ip address 10.140.1.90 255.255.255.0 alias 10.140.1.100 255.255.255.0 peer ip address 10.140.1.8 255.255.255.0 ! ft interface vlan 77 ip address 192.168.1.1 255.255.255.0 peer ip address 192.168.1. 255.255.255.0 RP Configuration !- ACL blocking all TCP port 2000 traffic to the 10.140.1.0 internal network ! access-list 100 deny tcp any host 10.140.1.100 eq 2000 access-list 100 permit ip any any ! interface Vlan140 ip address 10.140.1.1 255.255.255.0 !- ACL is applied to the VLAN interface to egress traffic ip access-group 100 out ! The alias command under VLAN 140 is configured with an IP address that floats between active and standby modules when using high availability. Only TCP port 2000 traffic destined to this IP address may trigger this vulnerability. An access control list (ACL) is configured to deny TCP port 2000 destined to the alias IP address (10.140.1.100). The ACL is applied egress in the RP. Note: TCP port 2000 is used by Skinny Call Control Protocol (SCCP) applications; however, in this case it is used by the SBC for internal communications. The previous ACL only blocks TCP port 2000 traffic to the alias IP address. TCP port 2000 is not used by the alias IP address. This ACL should not cause any collateral damage. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090304-sbc.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-March-04 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkmurgEACgkQ86n/Gc8U/uBrwwCfbQxCcSz4S4X3UpH4Mccg0Df1 KMoAn11BqKmRhw5mUuJOl3D/RrVxVrc7 =m2di -----END PGP SIGNATURE----- From ploopster at gmail.com Wed Mar 4 11:44:16 2009 From: ploopster at gmail.com (Sridhar Ayengar) Date: Wed, 04 Mar 2009 11:44:16 -0500 Subject: [c-nsp] SSH from router to linux In-Reply-To: <49AE2468.40001@gmail.com> References: <49AE2468.40001@gmail.com> Message-ID: <49AEAFE0.5030306@gmail.com> Roy wrote: > I am trying to ssh from a 2811 to linux box. I telnet to the Cisco and > issue > > ssh -l root xx.xx.xx.xx > > and I get the password prompt. I enter that and then logon goes through > and I get the shell prompt. The problem is that nothing I type seems to > get through to linux. > > Is there some magic I am missing? Does the TERM environment variable make sense? Are there any stty lines anywhere in your login configuration? Peace... Sridhar From brandon at sterling.net Wed Mar 4 12:16:29 2009 From: brandon at sterling.net (Brandon Price) Date: Wed, 04 Mar 2009 09:16:29 -0800 Subject: [c-nsp] 7206 Gig Ethernet Options In-Reply-To: <49ADA34C.7060309@justinshore.com> References: <389E7FA0-2001-4038-B225-D4B6C003B593@Princeton.EDU><037901c995ec$4ba3db60$e2eb9220$@net><01c301c99b72$09866730$1c933590$@net> <6caa2aaf3999544c0ef807111b85a0c8.squirrel@webmail.waveform.net> <1A9866F953006D45AEE0166066114E0915D78791@TPMAIL02.corp.theplatform.com> <49AC6B47.9040805@sterling.net> <49ADA34C.7060309@justinshore.com> Message-ID: <49AEB76D.6010303@sterling.net> Justin Shore wrote: > Brandon Price wrote: >> Actually, you can install a C7200-I/O-GE+E and save yourself a PA >> slot and the associated bandwidth point hit. >> >> http://www.gossamer-threads.com/lists/cisco/bba/101247 > > Now that's something that I did not know. Any word on if this is > actually supported or not? > > Justin * From the NPE G1 datasheet: http://tinyurl.com/2hlzhg* "Although a Cisco 7200VXR chassis with an NPE-G1 does not require the use of an I/O controller, an I/O controller can still be used. The NPE-G1 is supported with the following Cisco 7200 Series I/O controller part numbers: C7200-I/O, C7200-I/O-2FE/E, C7200-I/O-GE+E." Brandon From csirek at cooler.hu Wed Mar 4 11:41:05 2009 From: csirek at cooler.hu (Nemeth Laszlo) Date: Wed, 04 Mar 2009 17:41:05 +0100 Subject: [c-nsp] 6500/Sup720 3BXL and ACK/RST Message-ID: <49AEAF21.7020606@cooler.hu> Hi list, I would like to set a limit in my 6500/Sup720 3BXL RP card to how many ACK/RST packets send back to source if this RP get lot of SYN packets (flood) to random ports. I think to a magic mls rate-limit command :) The CoPP not a good idea, because if i use it the CPU make a 100% load every 4th minutes (may be it is an IOS bug, i tried it whit 12.2(18)SXF6 ). Thanks Laszlo From lmeade at signal.ca Wed Mar 4 13:21:39 2009 From: lmeade at signal.ca (Leslie Meade) Date: Wed, 4 Mar 2009 10:21:39 -0800 Subject: [c-nsp] (no subject) In-Reply-To: References:

Message-ID: I am trying to bridge my 2821 to one ip to give me redundancy. I am using this config to bridge the two ints and I see gig0/1 up and the bvi up but I am not able to ping it The original config gig0/1 had the ip of 10.1.1.6 and I could ping everything and get to everything Ios C2800NM-IPVOICEK9-M Any ideas ? bridge irb ! interface gig0/0.100 encapsulation dot1Q 100 bridge-group 100 ! interface gig0/1.100 encapsulation dot1Q 100 bridge-group 100 ! interface BVI100 ip address 10.1.1.6 255.255.255.0 no shutdown ! bridge 100 protocol ieee bridge 100 route ip From chris at lavin-llc.com Wed Mar 4 13:28:07 2009 From: chris at lavin-llc.com (chris at lavin-llc.com) Date: Wed, 04 Mar 2009 13:28:07 -0500 Subject: [c-nsp] (no subject) Message-ID: <53311.1236191287@lavin-llc.com> On Wed Mar 4 13:21 , "Leslie Meade" sent: >I am trying to bridge my 2821 to one ip to give me redundancy. >I am using this config to bridge the two ints and I see gig0/1 up and the bvi up but I am not able to ping it > >The original config gig0/1 had the ip of 10.1.1.6 and I could ping everything and get to everything >Ios C2800NM-IPVOICEK9-M > >Any ideas ? > > >bridge irb >! >interface gig0/0.100 >encapsulation dot1Q 100 >bridge-group 100 >! >interface gig0/1.100 >encapsulation dot1Q 100 >bridge-group 100 >! >interface BVI100 >ip address 10.1.1.6 255.255.255.0 >no shutdown >! >bridge 100 protocol ieee >bridge 100 route ip Do you have a default route configured? If you are pinging from a remote subnet you'll need a default route. -chris From lmeade at signal.ca Wed Mar 4 13:33:10 2009 From: lmeade at signal.ca (Leslie Meade) Date: Wed, 4 Mar 2009 10:33:10 -0800 Subject: [c-nsp] (no subject) In-Reply-To: <53311.1236191287@lavin-llc.com> References: <53311.1236191287@lavin-llc.com> Message-ID: Yep ip route 0.0.0.0 0.0.0.0 10.1.1.220 -----Original Message----- From: chris at lavin-llc.com [mailto:chris at lavin-llc.com] Sent: Wednesday, March 04, 2009 10:28 AM To: cisco-nsp at puck.nether.net; Leslie Meade Subject: Re: [c-nsp] (no subject) On Wed Mar 4 13:21 , "Leslie Meade" sent: >I am trying to bridge my 2821 to one ip to give me redundancy. >I am using this config to bridge the two ints and I see gig0/1 up and the bvi up but I am not able to ping it > >The original config gig0/1 had the ip of 10.1.1.6 and I could ping everything and get to everything >Ios C2800NM-IPVOICEK9-M > >Any ideas ? > > >bridge irb >! >interface gig0/0.100 >encapsulation dot1Q 100 >bridge-group 100 >! >interface gig0/1.100 >encapsulation dot1Q 100 >bridge-group 100 >! >interface BVI100 >ip address 10.1.1.6 255.255.255.0 >no shutdown >! >bridge 100 protocol ieee >bridge 100 route ip Do you have a default route configured? If you are pinging from a remote subnet you'll need a default route. -chris From MatlockK at exempla.org Wed Mar 4 13:41:22 2009 From: MatlockK at exempla.org (Matlock, Kenneth L) Date: Wed, 4 Mar 2009 11:41:22 -0700 Subject: [c-nsp] (no subject) In-Reply-To: <53311.1236191287@lavin-llc.com> References: <53311.1236191287@lavin-llc.com> Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D32AC@LMC-MAIL2.exempla.org> A couple of other things to look for. 1) Where are you trying to ping the 10.1.1.6 IP from? I assume something on Gi0/1? 2) Make sure the devices plugged into Gi0/0 and Gi0/1 are either set up as trunk ports allowing VLAN100, or access ports in VLAN100. (since you're giving it a dot1q encapsulation on the subints) 3) Make sure that you have a route in the route table for 10.1.1.0/24 going towards this chassis. 4) Make sure you have a valid route back to the destination from this chassis. Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlockk at exempla.org -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chris at lavin-llc.com Sent: Wednesday, March 04, 2009 11:28 AM To: cisco-nsp at puck.nether.net; Leslie Meade Subject: Re: [c-nsp] (no subject) On Wed Mar 4 13:21 , "Leslie Meade" sent: >I am trying to bridge my 2821 to one ip to give me redundancy. >I am using this config to bridge the two ints and I see gig0/1 up and the bvi up but I am not able to ping it > >The original config gig0/1 had the ip of 10.1.1.6 and I could ping everything and get to everything >Ios C2800NM-IPVOICEK9-M > >Any ideas ? > > >bridge irb >! >interface gig0/0.100 >encapsulation dot1Q 100 >bridge-group 100 >! >interface gig0/1.100 >encapsulation dot1Q 100 >bridge-group 100 >! >interface BVI100 >ip address 10.1.1.6 255.255.255.0 >no shutdown >! >bridge 100 protocol ieee >bridge 100 route ip Do you have a default route configured? If you are pinging from a remote subnet you'll need a default route. -chris _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From chris at lavin-llc.com Wed Mar 4 13:54:17 2009 From: chris at lavin-llc.com (chris at lavin-llc.com) Date: Wed, 04 Mar 2009 13:54:17 -0500 Subject: [c-nsp] UDP-helper problem Message-ID: <35870.1236192857@lavin-llc.com> On Wed Mar 4 8:00 , Michael Robson sent: >I have recently moved the routing of a subnet from an old sup2/msfc2 >6500 (Version 12.1(26)E8, RELEASE SOFTWARE (fc1)) to a newer sup3/ >msfc3 6500 (Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)). On the old >router the udp-helper command worked fine, but on the new router I can >see the DHCP address coming in but not the reply coming back and the >DHCP server isn't seeing the request arriving. Can anyone suggest why >this might have stopped working (it isn't an ACL or firewall issue as >there aren't any in the way) and I haven't turned _off_ any component >of udp-helper (i.e. using the ip forward-protocol command). > >interface Vlan937 > description XXXYYYZZZ > ip address w.x.y.z 255.255.255.192 > ip helper-address a.b.c.d > >From this new sup, do you have a route to a.b.c.d? Can you ping the DHCP server from this new sup? -chris From kevin at gannons.net Wed Mar 4 14:08:02 2009 From: kevin at gannons.net (kevin gannon) Date: Wed, 4 Mar 2009 19:08:02 +0000 Subject: [c-nsp] mpls bgp forwarding ? In-Reply-To: <5EB9799F396A304686962AFFF740ED0CE96C400F@NOOSLEXCH001.adno.local> References: <17eef0950903031225m561003d3j302e7b6f4694ca3a@mail.gmail.com> <5EB9799F396A304686962AFFF740ED0CE96C400F@NOOSLEXCH001.adno.local> Message-ID: <17eef0950903041108g4c743fccva00546f37f1c9afa@mail.gmail.com> I have and it still doesnt show up in a "show mpls forw" however when I dug deeper "show ip cef" and "show ip bgp labels" was showing them. No idea why. It does for eBGP learned routes with a label but not iBGP learned labels. Its ipv4 only routes no vpnv4. Regards Kevin On Tue, Mar 3, 2009 at 10:29 PM, Stig Johansen wrote: > > Hi there, > >>However on R19 I receive the label via eBGP. However I do not install into >>The MPLS forwarding table but I do not know why ?? > > You send the labels via BGP, but have you enabled LDP/TDP between R18 and R19? If not, it won't use any labels and consequently not install anything into the LFIB. > > Regards, > Stig Meireles Johansen From Michael.Robson at manchester.ac.uk Wed Mar 4 16:27:44 2009 From: Michael.Robson at manchester.ac.uk (Michael Robson) Date: Wed, 4 Mar 2009 21:27:44 +0000 Subject: [c-nsp] UDP-helper problem In-Reply-To: <35870.1236192857@lavin-llc.com> References: <35870.1236192857@lavin-llc.com> Message-ID: <2B8F519A-BE98-44BA-841D-4C304E19CD11@manchester.ac.uk> Yes there is a route to a.b.c.d and yes we can ping the DHCP server from everywhere, including the new sup. On 4 Mar 2009, at 18:54, wrote: > On Wed Mar 4 8:00 , Michael Robson sent: > >> I have recently moved the routing of a subnet from an old sup2/msfc2 >> 6500 (Version 12.1(26)E8, RELEASE SOFTWARE (fc1)) to a newer sup3/ >> msfc3 6500 (Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)). On the >> old >> router the udp-helper command worked fine, but on the new router I >> can >> see the DHCP address coming in but not the reply coming back and the >> DHCP server isn't seeing the request arriving. Can anyone suggest why >> this might have stopped working (it isn't an ACL or firewall issue as >> there aren't any in the way) and I haven't turned _off_ any component >> of udp-helper (i.e. using the ip forward-protocol command). >> >> interface Vlan937 >> description XXXYYYZZZ >> ip address w.x.y.z 255.255.255.192 >> ip helper-address a.b.c.d >> > > From this new sup, do you have a route to a.b.c.d? Can you ping the > DHCP server from this new sup? > > > -chris > Michael -- Michael Robson | Tel: +44 (0) 161 275 6113 Senior Network Engineer | Fax: +44 (0) 161 275 6120 Net North West | Email: Michael.Robson at manchester.ac.uk From MatlockK at exempla.org Wed Mar 4 16:30:08 2009 From: MatlockK at exempla.org (Matlock, Kenneth L) Date: Wed, 4 Mar 2009 14:30:08 -0700 Subject: [c-nsp] UDP-helper problem In-Reply-To: <2B8F519A-BE98-44BA-841D-4C304E19CD11@manchester.ac.uk> References: <35870.1236192857@lavin-llc.com> <2B8F519A-BE98-44BA-841D-4C304E19CD11@manchester.ac.uk> Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D32B2@LMC-MAIL2.exempla.org> Extended ping using the source interface of Vlan937 as well works? Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlockk at exempla.org -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Robson Sent: Wednesday, March 04, 2009 2:28 PM To: chris at lavin-llc.com Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] UDP-helper problem Yes there is a route to a.b.c.d and yes we can ping the DHCP server from everywhere, including the new sup. On 4 Mar 2009, at 18:54, wrote: > On Wed Mar 4 8:00 , Michael Robson sent: > >> I have recently moved the routing of a subnet from an old sup2/msfc2 >> 6500 (Version 12.1(26)E8, RELEASE SOFTWARE (fc1)) to a newer sup3/ >> msfc3 6500 (Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)). On the >> old >> router the udp-helper command worked fine, but on the new router I >> can >> see the DHCP address coming in but not the reply coming back and the >> DHCP server isn't seeing the request arriving. Can anyone suggest why >> this might have stopped working (it isn't an ACL or firewall issue as >> there aren't any in the way) and I haven't turned _off_ any component >> of udp-helper (i.e. using the ip forward-protocol command). >> >> interface Vlan937 >> description XXXYYYZZZ >> ip address w.x.y.z 255.255.255.192 >> ip helper-address a.b.c.d >> > > From this new sup, do you have a route to a.b.c.d? Can you ping the > DHCP server from this new sup? > > > -chris > Michael -- Michael Robson | Tel: +44 (0) 161 275 6113 Senior Network Engineer | Fax: +44 (0) 161 275 6120 Net North West | Email: Michael.Robson at manchester.ac.uk _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From deric.kwok2000 at gmail.com Wed Mar 4 16:44:09 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Wed, 4 Mar 2009 16:44:09 -0500 Subject: [c-nsp] VLAN and switch and ? In-Reply-To: References:

Message-ID: <40d8a95a0903041344v5ebf64ffk1288300312ed7371@mail.gmail.com> look like L2TP. Can I know why use it intead of typically vlan? Thank you On Wed, Mar 4, 2009 at 10:14 AM, Jeff Fitzwater wrote: > Look at layer 2 tunneling for your switches. You would assign tunnel vlan > ID and ISP would send tagged traffic into tunnel (Q in Q) and traffic would > exit tunnel where ever needed. When you assign a port as a tunnel port, it > becomes a tunnel-input and tunnel-output. You can have as many tunnel > ports as you need. The ISP can now send what ever VLANs they want and you > do not need to change anything. > Read the doc and be aware of oversized packet handling within tunnel > switches. > > > Jeff Fitzwater > OIT Network Systems > Princeton University > > > On Mar 4, 2009, at 9:46 AM, Charles Regan wrote: > > Good Morning, >> >> I'll try to explain what I want to do... We are LOCAL NETWORK in this >> graphic. >> The ISP wants to use our fiber link to connect to his wireless customer. >> We also want internet access from his Wireless Backhaul1. >> ISP also use VLAN on his customer subscriber modules. >> >> How would you configure 2924 Switch and 2960 Switch, so that >> everything is transparent from my side and his side ? >> I don't want him to call me to add a new VLAN on our switch. >> >> >> ISP ---Wireless BackHaul1 -- 2924 Switch ---- FIBER ---- 2960 Switch >> ---- Wireless Backhaul2 ---- Access Point ---- Wireless subscriber >> modules >> | >> | >> | >> | >> | >> | >> | >> | >> | >> | >> LOCAL NETWORK LOCAL NETWORK >> >> >> Will something like this work ? >> switchport access vlan 500 >> switchport trunk encapsulation dot1q >> switchport mode trunk >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From charles.regan at gmail.com Wed Mar 4 16:48:02 2009 From: charles.regan at gmail.com (Charles Regan) Date: Wed, 4 Mar 2009 17:48:02 -0400 Subject: [c-nsp] VLAN and switch and ? In-Reply-To: References:

<40d8a95a0903041344v5ebf64ffk1288300312ed7371@mail.gmail.com> Message-ID: On Wed, Mar 4, 2009 at 5:47 PM, Charles Regan wrote: > There's now way my switch will support L2TP. > > How would you setup VLAN in this setup. > > ISP needs to pass all his vlan (switchport mode trunk) > I don't want ISP to have access to my network ... (swictchport access > vlan 500, on both end ?) > I want Internet acces from this ISP from his BackHaul1. ?(switchport > access vlan 500, on my gateway router ?) > > > > On Wed, Mar 4, 2009 at 5:44 PM, Deric Kwok wrote: >> look like L2TP. >> >> Can I know why use it intead of typically vlan? >> >> Thank you >> >> On Wed, Mar 4, 2009 at 10:14 AM, Jeff Fitzwater wrote: >>> >>> Look at layer 2 tunneling for your switches. ?You would assign tunnel vlan >>> ID and ISP would send tagged traffic into tunnel (Q in Q) and traffic would >>> exit tunnel where ever needed. ? When you assign a port as a tunnel port, it >>> becomes a tunnel-input and tunnel-output. ? You can have as many tunnel >>> ports as you need. ?The ISP can now send what ever VLANs they want and you >>> do not need to change anything. >>> Read the doc and be aware of oversized packet handling within tunnel >>> switches. >>> >>> >>> Jeff Fitzwater >>> OIT Network Systems >>> Princeton University >>> >>> On Mar 4, 2009, at 9:46 AM, Charles Regan wrote: >>> >>>> Good Morning, >>>> >>>> I'll try to explain what I want to do... We are LOCAL NETWORK in this >>>> graphic. >>>> The ISP wants to use our fiber link to connect to his wireless customer. >>>> We also want internet access from his Wireless Backhaul1. >>>> ISP also use VLAN on his customer subscriber modules. >>>> >>>> How would you configure 2924 Switch and 2960 Switch, so that >>>> everything is transparent from my side and his side ? >>>> I don't want him to call me to add a new VLAN on our switch. >>>> >>>> >>>> ISP ---Wireless BackHaul1 -- 2924 Switch ---- FIBER ---- 2960 Switch >>>> ---- Wireless Backhaul2 ---- Access Point ---- Wireless subscriber >>>> modules >>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>> ? ? ? ? ? ?| >>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>> ? ? ? ? ? ?| >>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>> ? ? ? ? ? ?| >>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>> ? ? ? ? ? ?| >>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>> ? ? ? ? ? ?| >>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ?LOCAL NETWORK ? ? ? ? ? ?LOCAL NETWORK >>>> >>>> >>>> Will something like this work ? >>>> switchport access vlan 500 >>>> switchport trunk encapsulation dot1q >>>> switchport mode trunk >>>> _______________________________________________ >>>> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> _______________________________________________ >>> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > From charles.regan at gmail.com Wed Mar 4 16:48:25 2009 From: charles.regan at gmail.com (Charles Regan) Date: Wed, 4 Mar 2009 17:48:25 -0400 Subject: [c-nsp] VLAN and switch and ? In-Reply-To: References:

<40d8a95a0903041344v5ebf64ffk1288300312ed7371@mail.gmail.com> Message-ID: There's now way my switch will support L2TP. How would you setup VLAN in this setup. ISP needs to pass all his vlan (switchport mode trunk) I don't want ISP to have access to my network ... (swictchport access vlan 500, on both end ?) I want Internet acces from this ISP from his BackHaul1. (switchport access vlan 500, on my gateway router ?) On Wed, Mar 4, 2009 at 5:48 PM, Charles Regan wrote: > On Wed, Mar 4, 2009 at 5:47 PM, Charles Regan wrote: >> There's now way my switch will support L2TP. >> >> How would you setup VLAN in this setup. >> >> ISP needs to pass all his vlan (switchport mode trunk) >> I don't want ISP to have access to my network ... (swictchport access >> vlan 500, on both end ?) >> I want Internet acces from this ISP from his BackHaul1. ?(switchport >> access vlan 500, on my gateway router ?) >> >> >> >> On Wed, Mar 4, 2009 at 5:44 PM, Deric Kwok wrote: >>> look like L2TP. >>> >>> Can I know why use it intead of typically vlan? >>> >>> Thank you >>> >>> On Wed, Mar 4, 2009 at 10:14 AM, Jeff Fitzwater wrote: >>>> >>>> Look at layer 2 tunneling for your switches. ?You would assign tunnel vlan >>>> ID and ISP would send tagged traffic into tunnel (Q in Q) and traffic would >>>> exit tunnel where ever needed. ? When you assign a port as a tunnel port, it >>>> becomes a tunnel-input and tunnel-output. ? You can have as many tunnel >>>> ports as you need. ?The ISP can now send what ever VLANs they want and you >>>> do not need to change anything. >>>> Read the doc and be aware of oversized packet handling within tunnel >>>> switches. >>>> >>>> >>>> Jeff Fitzwater >>>> OIT Network Systems >>>> Princeton University >>>> >>>> On Mar 4, 2009, at 9:46 AM, Charles Regan wrote: >>>> >>>>> Good Morning, >>>>> >>>>> I'll try to explain what I want to do... We are LOCAL NETWORK in this >>>>> graphic. >>>>> The ISP wants to use our fiber link to connect to his wireless customer. >>>>> We also want internet access from his Wireless Backhaul1. >>>>> ISP also use VLAN on his customer subscriber modules. >>>>> >>>>> How would you configure 2924 Switch and 2960 Switch, so that >>>>> everything is transparent from my side and his side ? >>>>> I don't want him to call me to add a new VLAN on our switch. >>>>> >>>>> >>>>> ISP ---Wireless BackHaul1 -- 2924 Switch ---- FIBER ---- 2960 Switch >>>>> ---- Wireless Backhaul2 ---- Access Point ---- Wireless subscriber >>>>> modules >>>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>>> ? ? ? ? ? ?| >>>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>>> ? ? ? ? ? ?| >>>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>>> ? ? ? ? ? ?| >>>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>>> ? ? ? ? ? ?| >>>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | >>>>> ? ? ? ? ? ?| >>>>> ? ? ? ? ? ? ? ? ? ? ? ? ? ?LOCAL NETWORK ? ? ? ? ? ?LOCAL NETWORK >>>>> >>>>> >>>>> Will something like this work ? >>>>> switchport access vlan 500 >>>>> switchport trunk encapsulation dot1q >>>>> switchport mode trunk >>>>> _______________________________________________ >>>>> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >> > From Jonathan.Brashear at hq.speakeasy.net Wed Mar 4 16:55:29 2009 From: Jonathan.Brashear at hq.speakeasy.net (Jonathan Brashear) Date: Wed, 4 Mar 2009 13:55:29 -0800 Subject: [c-nsp] ASA 5505 multiple netblock functionality Message-ID: <725755F5E728EE4086DAAF1A54DACF4F0B53DB2B@sea5exbe1.speakeasy.hq> Apologies if this has been addressed previously, I looked through the last 12 months of c-nsp threads and didn't see this mentioned. There is some debate going on in my department over a particular implementation and the 5505's capability to handle multiple netblocks. A quick primer on the situation: Firewall IP: 1.2.3.4(publicly routable, but changing for cust privacy) Customer netblock: 5.6.7.0/26(it's publicly routable as well, I'm changing for sake of cust privacy) Customer NAT: 192.168.0.0/24 The /26 is statically routed to 1.2.3.4 from the router level, and the customer wants to run NAT for their internal devices(db servers, etc.). Our implementations guy states that the 5505 can't handle assigning 3+ netblocks because they can't run multiple contexts. My experience with the ASA firewalls is limited so I very well may be wrong, but I believe the 5505s should be able to handle multiple netblocks on the internal side of the firewall using something such as sub-interfaces or similar. Can anyone help explain why this is or isn't feasible? They don't need to be on the same physical interface necessarily, we can run them to separate physical interfaces because this customer is hairpinned behind a switch(and the servers are connected to said switch instead of the firewall directly) so port density isn't a big issue(to a point). We can assign a netblock to each internal port on the firewall if need be - which seems to be the best solution from what I'm uncovering - and that works as a reasonable alternative. It doesn't scale very well obviously, but I don't think this customer is going to chew through netblocks at a rate where this will be an issue. Network Engineer, JNCIS-M > 214-981-1954 (office) > 214-642-4075 (cell) > jbrashear at hq.speakeasy.net http://www.speakeasy.net From samuel-petreski at uiowa.edu Wed Mar 4 17:35:14 2009 From: samuel-petreski at uiowa.edu (Petreski, Samuel) Date: Wed, 4 Mar 2009 16:35:14 -0600 Subject: [c-nsp] FWSM and mixed IPv4/IPv6 access-list In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA09E904C5@FNB1EX01.gci.com> References: <38D04BF3A4B7B2499D19EB1DB54285EA09E904C5@FNB1EX01.gci.com> Message-ID: <0AF2BA9F8063B34AA9A2201D34DFC7B45FF8B1F25D@IOWAEVS07.iowa.uiowa.edu> One thing that I have had problems with is sourcing a high number of IPv6 pings (~10K) from the FWSM in routed mode; it makes the FWSM freeze. Don't do this if you don't have console access. I was running FWSM 4.0.3. Good luck IPv6ing! --Samuel -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leif Sawyer Sent: Tuesday, March 03, 2009 7:56 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] FWSM and mixed IPv4/IPv6 access-list Justin M. Streiner writes in reply to: > On Tue, 3 Mar 2009, Leif Sawyer wrote: > >> Is anybody working with FWSM's and mixed-mode IPv4+IPv6 ACL's? >> >> I'm having trouble with traceroute6 not succeeding, but >> ping6 working fine: > > You might be getting caught by flawed behavior of the FWSM. > I've run into something similar with straight v4 firewall > zones where certain flavors of traceroute will be dropped by > the blade. When it was first reported to us, we thought is > was a broken fixup, but the behavior persisted after the > fixup was disabled. No word on a fix from Cisco. Hrm. I guess it's time to open a ticket, then. Damn. I hate dealing with TAC on complex issues. And it's not like CiscoPress is up-to-date. what, 6 pages on Ipv6 in the FWSM manual? friggin joke. > On a somewhat unrelated note, how has the v6 performance been > on the FWSMs for you? Everything I've heard from Cisco and > other sources suggests that the v6 packets are much more > expensive for the FWSM to forward, so performance would > suffer greatly. Just starting to roll this out, so no load to speak of. Can't wait to see what next issue creeps up! _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3175 bytes Desc: not available URL: From deric.kwok2000 at gmail.com Wed Mar 4 17:35:33 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Wed, 4 Mar 2009 17:35:33 -0500 Subject: [c-nsp] VLAN and switch and ? In-Reply-To: References:

<40d8a95a0903041344v5ebf64ffk1288300312ed7371@mail.gmail.com> Message-ID: <40d8a95a0903041435n51afa718qe90074f2f957ca1c@mail.gmail.com> Hi I only have l2tp configuration in linux router. Here is below. Pls note that i don't know Jeff suggestion how L2tp works out in your network it looks like his suggestion is same as L2tp so that I post to ask him I only know this l2tp worked in my setting before when doing in DSL HTH ! interface Ethernet0 no ip address speed 1000 duplex full ! interface Ethernet0.120 description vlan120 ip address 10.0.0.6 255.255.255.252 ! interface Ethernet0.130 description vlan130 ip address 10.0.0.74 255.255.255.252 ! interface Ethernet0.140 description vlan140 ip address 10.0.0.54 255.255.255.252 ! ! interface Tunnel1 description vlan120 tunnel mode l2tp tunnel peer name xxxx tunnel local name deric tunnel key kwok tunnel virtual-template 1 ! interface Tunnel2 description vlan130 tunnel mode l2tp tunnel peer name xxxx tunnel local name deric tunnel key kwok tunnel virtual-template 1 ! interface Tunnel3 description vlan140 tunnel mode l2tp tunnel peer name xxxx tunnel local name deric tunnel key kwok tunnel virtual-template 1 ! On Wed, Mar 4, 2009 at 4:48 PM, Charles Regan wrote: > There's now way my switch will support L2TP. > > How would you setup VLAN in this setup. > > ISP needs to pass all his vlan (switchport mode trunk) > I don't want ISP to have access to my network ... (swictchport access > vlan 500, on both end ?) > I want Internet acces from this ISP from his BackHaul1. (switchport > access vlan 500, on my gateway router ?) > > > > On Wed, Mar 4, 2009 at 5:48 PM, Charles Regan > wrote: > > On Wed, Mar 4, 2009 at 5:47 PM, Charles Regan > wrote: > >> There's now way my switch will support L2TP. > >> > >> How would you setup VLAN in this setup. > >> > >> ISP needs to pass all his vlan (switchport mode trunk) > >> I don't want ISP to have access to my network ... (swictchport access > >> vlan 500, on both end ?) > >> I want Internet acces from this ISP from his BackHaul1. (switchport > >> access vlan 500, on my gateway router ?) > >> > >> > >> > >> On Wed, Mar 4, 2009 at 5:44 PM, Deric Kwok > wrote: > >>> look like L2TP. > >>> > >>> Can I know why use it intead of typically vlan? > >>> > >>> Thank you > >>> > >>> On Wed, Mar 4, 2009 at 10:14 AM, Jeff Fitzwater > wrote: > >>>> > >>>> Look at layer 2 tunneling for your switches. You would assign tunnel > vlan > >>>> ID and ISP would send tagged traffic into tunnel (Q in Q) and traffic > would > >>>> exit tunnel where ever needed. When you assign a port as a tunnel > port, it > >>>> becomes a tunnel-input and tunnel-output. You can have as many > tunnel > >>>> ports as you need. The ISP can now send what ever VLANs they want and > you > >>>> do not need to change anything. > >>>> Read the doc and be aware of oversized packet handling within tunnel > >>>> switches. > >>>> > >>>> > >>>> Jeff Fitzwater > >>>> OIT Network Systems > >>>> Princeton University > >>>> > >>>> On Mar 4, 2009, at 9:46 AM, Charles Regan wrote: > >>>> > >>>>> Good Morning, > >>>>> > >>>>> I'll try to explain what I want to do... We are LOCAL NETWORK in this > >>>>> graphic. > >>>>> The ISP wants to use our fiber link to connect to his wireless > customer. > >>>>> We also want internet access from his Wireless Backhaul1. > >>>>> ISP also use VLAN on his customer subscriber modules. > >>>>> > >>>>> How would you configure 2924 Switch and 2960 Switch, so that > >>>>> everything is transparent from my side and his side ? > >>>>> I don't want him to call me to add a new VLAN on our switch. > >>>>> > >>>>> > >>>>> ISP ---Wireless BackHaul1 -- 2924 Switch ---- FIBER ---- 2960 Switch > >>>>> ---- Wireless Backhaul2 ---- Access Point ---- Wireless subscriber > >>>>> modules > >>>>> | > >>>>> | > >>>>> | > >>>>> | > >>>>> | > >>>>> | > >>>>> | > >>>>> | > >>>>> | > >>>>> | > >>>>> LOCAL NETWORK LOCAL NETWORK > >>>>> > >>>>> > >>>>> Will something like this work ? > >>>>> switchport access vlan 500 > >>>>> switchport trunk encapsulation dot1q > >>>>> switchport mode trunk > >>>>> _______________________________________________ > >>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net > >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp > >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >>>> > >>>> _______________________________________________ > >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net > >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp > >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >>> > >>> > >> > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From lmeade at signal.ca Wed Mar 4 17:49:57 2009 From: lmeade at signal.ca (Leslie Meade) Date: Wed, 4 Mar 2009 14:49:57 -0800 Subject: [c-nsp] BVI issues In-Reply-To: <3e4b8fe10903041407i4e984498lf0dbbc2e7d819d16@mail.gmail.com> References:

<3e4b8fe10903041407i4e984498lf0dbbc2e7d819d16@mail.gmail.com> Message-ID: Thanks guys I have worked it out. I left this command out... bridge 100 route ip Thanks for your help From: Rich Davies [mailto:rich.davies at gmail.com] Sent: Wednesday, March 04, 2009 2:08 PM To: Leslie Meade Subject: Re: [c-nsp] (no subject) Leslie, A handy command I used to use when troubleshooting BVI's was: show bridge verbose This was able to show me the L2 info (MAC) of members of the BVI. Hopefully you can do a "show arp" and see the MAC addy of 10.1.1.6 and then also check the "show bridge verbose" to also see the MAC within the BVI. Hope this helps. Your config does look good. -Rich On Wed, Mar 4, 2009 at 1:21 PM, Leslie Meade wrote: I am trying to bridge my 2821 to one ip to give me redundancy. I am using this config to bridge the two ints and I see gig0/1 up and the bvi up but I am not able to ping it The original config gig0/1 had the ip of 10.1.1.6 and I could ping everything and get to everything Ios C2800NM-IPVOICEK9-M Any ideas ? bridge irb ! interface gig0/0.100 encapsulation dot1Q 100 bridge-group 100 ! interface gig0/1.100 encapsulation dot1Q 100 bridge-group 100 ! interface BVI100 ip address 10.1.1.6 255.255.255.0 no shutdown ! bridge 100 protocol ieee bridge 100 route ip _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From vincent.aniello at pipelinefinancial.com Wed Mar 4 18:23:49 2009 From: vincent.aniello at pipelinefinancial.com (Vincent Aniello) Date: Wed, 4 Mar 2009 18:23:49 -0500 Subject: [c-nsp] CPU utilization on a Cisco 3560E switch Message-ID: <9DF561416307E245950A6E212A55367A04BFCB61@EMAILSRV1.exad.net> We have two Cisco 3560E switches that during the day when the network traffic load is high run at about 40% CPU utilization. This is much higher than on our other 3650E switches that sit at about 10% CPU utilization even when the network traffic load is high. What I have noticed is that when I log into the switch with the 40% CPU utilization, either via SSH or through the console, the CPU utilization drops to 10% and stays there as long as I remain logged into the switch. Once I log out the CPU utilization goes back up to 40%. Unfortunately, it is difficult to see what process is causing the high CPU utilization since it drops down when we are logged into the switch. Has anyone else experienced this behavior? The switch is running IOS version 12.2(46)SE. We are tracking the CPU utilization through MRTG. Thanks. --Vincent Disclaimer: Any references to Pipeline performance contained herein are based on internal testing and / or historic performance levels which Pipeline expects to maintain or exceed but nevertheless does not guarantee. Congested networks, price volatility, or other extraordinary events may impede future trading activities and degrade performance statistics. Pipeline is a member of FINRA and SIPC. From mksmith at adhost.com Wed Mar 4 18:49:38 2009 From: mksmith at adhost.com (Michael K. Smith - Adhost) Date: Wed, 4 Mar 2009 15:49:38 -0800 Subject: [c-nsp] ASA 5505 multiple netblock functionality In-Reply-To: <725755F5E728EE4086DAAF1A54DACF4F0B53DB2B@sea5exbe1.speakeasy.hq> References: <725755F5E728EE4086DAAF1A54DACF4F0B53DB2B@sea5exbe1.speakeasy.hq> Message-ID: <17838240D9A5544AAA5FF95F8D520316059759E4@ad-exh01.adhost.lan> Hello Jonathan: You can have multiple subnets defined on the statics from the outside with no problem, routed as you described. Such as: static (inside,outside) 5.1.1.1 192.168.0.1 static (inside,outside) 6.2.2.2 192.168.0.2 If you have multiple inside subnets they would have to be on their own VLAN's, provided you have a license that allows that configuration. I think you need Security Plus for more than two VLAN's (i.e. inside and outside). With that configuration you would have something like: interface vlan 1 ip address 192.168.0.1 255.255.255.0 nameif inside interface vlan 2 ip address 1.2.3.4 255.255.255.0 nameif outside interface vlan 3 ip address 192.168.1.1 255.255.255.0 nameif dmz Then you can add statics for the 192.168.1.0/24 subnet as well. You *can't* have two different attached subnets on the same VLAN interface, such as: interface vlan 1 ip address 192.168.0.1 255.255.255.0 ip address 192.168.1.1 255.255.255.0 secondary nameif inside Regards, Mike > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jonathan Brashear > Sent: Wednesday, March 04, 2009 1:55 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ASA 5505 multiple netblock functionality > > Apologies if this has been addressed previously, I looked through the last 12 > months of c-nsp threads and didn't see this mentioned. > > There is some debate going on in my department over a particular > implementation and the 5505's capability to handle multiple netblocks. A quick > primer on the situation: > > Firewall IP: 1.2.3.4(publicly routable, but changing for cust privacy) > Customer netblock: 5.6.7.0/26(it's publicly routable as well, I'm changing for > sake of cust privacy) > Customer NAT: 192.168.0.0/24 > > > The /26 is statically routed to 1.2.3.4 from the router level, and the > customer wants to run NAT for their internal devices(db servers, etc.). Our > implementations guy states that the 5505 can't handle assigning 3+ netblocks > because they can't run multiple contexts. My experience with the ASA firewalls > is limited so I very well may be wrong, but I believe the 5505s should be able > to handle multiple netblocks on the internal side of the firewall using > something such as sub-interfaces or similar. Can anyone help explain why this > is or isn't feasible? > > They don't need to be on the same physical interface necessarily, we can run > them to separate physical interfaces because this customer is hairpinned > behind a switch(and the servers are connected to said switch instead of the > firewall directly) so port density isn't a big issue(to a point). > > We can assign a netblock to each internal port on the firewall if need be - > which seems to be the best solution from what I'm uncovering - and that works > as a reasonable alternative. It doesn't scale very well obviously, but I don't > think this customer is going to chew through netblocks at a rate where this > will be an issue. > > Network Engineer, JNCIS-M > > 214-981-1954 (office) > > 214-642-4075 (cell) > > jbrashear at hq.speakeasy.net > http://www.speakeasy.net > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 474 bytes Desc: not available URL: From Carlos.Bulleri at matsci.com Wed Mar 4 20:57:09 2009 From: Carlos.Bulleri at matsci.com (Bulleri, Carlos) Date: Wed, 4 Mar 2009 19:57:09 -0600 Subject: [c-nsp] 6500 not exporting layer 2 netflow data Message-ID: Have you found a solution to this problem? I have the exact same problem except that our 6500 router has a Sup2 with a MSCFC2 and we are running 12.2(18) SFX11, I can see the Bridge captured data but nothing is being exported to the Netflow server, only the routed information. I'm considering upgrading to the SFX15 version but I would like your input first. Thanks Carlos Bulleri Network Engineer (847) 439-2210 ext. 8225 Carlos.Bulleri at matsci.com From jeff-kell at utc.edu Wed Mar 4 21:49:22 2009 From: jeff-kell at utc.edu (Jeff Kell) Date: Wed, 04 Mar 2009 21:49:22 -0500 Subject: [c-nsp] 100Mb fiber aggregation/conversion/etc Message-ID: <49AF3DB2.9080207@utc.edu> We have a couple of areas with a need to aggregate some legacy 100FX/MM fiber runs. There are three different housing clusters that are currently all 100FX uplinks, and 100FX back to campus. In two areas we have small IDFs with 100FX back to a common plant back to campus over 100FX, one of them aggregates on some old 2912MF-XLs, another has a set of 2924XLs with the fiber "daisy-chained" with loops at the MDF to create one long (way too many hops) chain through the IDFs. It's old, but sparsely populated, and we're not looking at upgrading the IDFs just yet. I'd like to use some new SM runs to the complexes to get a gigabit back to campus, and aggregate the 100FX "somehow". Having the option to later upgrade to gig from the IDFs is a plus, but not a requirement. I see the Cisco-ish options as: * pick up some used 2912MF-XLs for spares, and try to locate a couple of the gigabit uplink modules for the uplinks, but that freezes the 100FX, * pick up some used 4912s, 3508XLs, or 3550-12s and try to locate some cheap 100FX GBIC modules for the IDFs, * forklift the IDFs too and just do gig (really out of our budget) Otherwise, we could just pick up some media converters (100FX to TX) and aggregate the buildings with any 100Mb switch with a 1G fiber uplink. We have one of these rack-mounts (12 or 16 slots for converter modules) in the data center from another consolidation project, but it was "provided" for us and I don't have the original bids / specs. Anyone have any suggestions, particularly for the media converter modules? Don't need high-density, the worst-case would be 22 lines (if we consolidated both 2912MFs in the modular apartments), but need "more than 6" each place. Jeff From justin at justinshore.com Thu Mar 5 01:27:22 2009 From: justin at justinshore.com (Justin Shore) Date: Thu, 05 Mar 2009 00:27:22 -0600 Subject: [c-nsp] Conflicting OSPF router-ids in separate VRFs Message-ID: <49AF70CA.6070007@justinshore.com> I'm trying to get multiple OSPF instances to work in separate VRFs with all OSPF instances using the same router-id. We're offering a VPN tunnel service to access offsite bit-for-bit data copy services in our Data Center. The tunnel of choice is a GRE tunnel with IPSec protection. The GRE tunnel interface is inside a unique VRF per customer. The IP subnet used in each VRF for this product offering is identical, as is the interface IPs on the tunnel interfaces. This makes the config templates as simple as possible since all sites are essentially identical from our perspective. I have OSPF configured inside the VRF in question. This is the first of the production GRE tunnels we've turned up for this product offering. Tunnel2999 is my beta tunnel and Tunnel3013 is the production tunnel: Neighbor ID Pri State Dead Time Address Interface %OSPF: Router process 3013 is not running, please configure a router-id 192.168.100.1 0 FULL/ - 00:00:38 10.125.124.2 Tunnel2999 The problem I'm running into is that OSPF will not run on the production tunnel because it's IP conflicts with the IP in my beta tunnel in a separate VRF. When I try to configure OSPF in the production VRF with the interface IP of the tunnel I get an error: 7613-1(config-router)#router-id 10.125.124.1 OSPF: router-id 10.125.124.1 in use by ospf process 2999 router ospf 2999 vrf dc-gre-test ignore lsa mospf ispf log-adjacency-changes redistribute bgp 65001 subnets passive-interface default no passive-interface Tunnel2999 network 10.125.124.0 0.0.0.3 area 0 network 10.125.125.0 0.0.0.255 area 0 router ospf 3013 vrf dc-customer-vrf ignore lsa mospf ispf log-adjacency-changes redistribute bgp 65001 subnets passive-interface default no passive-interface Tunnel3013 network 10.125.124.0 0.0.0.3 area 0 network 10.125.125.0 0.0.0.255 area 0 Is there some magic trick to making OSPF on a 7600 running SRB1 be truly VRF-aware? OSPF instances in separate VRFs shouldn't IP conflict with router-ids in other VRFs. If they did then what's the point of VRF separation? Any thoughts before I call TAC? Thanks Justin From justin at justinshore.com Thu Mar 5 01:34:25 2009 From: justin at justinshore.com (Justin Shore) Date: Thu, 05 Mar 2009 00:34:25 -0600 Subject: [c-nsp] MPLS LDP and BGP Neighbor flapping constantly Message-ID: <49AF7271.40507@justinshore.com> This afternoon I stumbled across a problem with a LDP session between a 7613 and a 7201. Actually both LDP and iBGP were flapping every 10 seconds or so. I had both interfaces configured for MPLS, LDP, IS-IS (with AUTH and BFD though BFD isn't enabled on the interface itself yet) with an interface MTU of 9000 and CLNS MTU of 1496. Nothing too fancy. The systems as a whole are configured with MPLS graceful-restart, LDP, no mpls ip propagate-ttl, and LDP router-ID on a loopback: # 7201 mpls label protocol ldp no mpls ip propagate-ttl mpls ldp graceful-restart mpls ldp router-id Loopback0 force # 7613 mls mpls tunnel-recir mpls traffic-eng tunnels mpls ldp graceful-restart no mpls ip propagate-ttl mpls label protocol ldp mpls ldp router-id Loopback0 force This morning at 7:05 the router stopped responding to SNMP queries for about 15m. The load was about 13 before. Cacti shows the load doubling in the 10m prior to the 15m of nothing. When it came back the load was just shy of 50 and stayed there for about 30m. After that it stayed at around 30-35 for the next 7.5hrs before I noticed the BGP flapping issue and shutdown the peer for troubleshooting. The load dropped back to around 16, higher than it was before the hiccup this morning. I'm at a loss to adequately explain why the load has been so jacked. I think the 30-35 load was because BGP flapping and the slightly higher load now is due to the LDP flapping issue. That's my best guess. Anyone know how to troubleshoot a LDP neighbor flapping issue? The 7613 is logging this: 730278: Mar 4 20:43:48.696 CST: LDP GR: Received FT Sess TLV from 10.64.0.34:0 (fl 0x1, rs 0x0, rconn 0, rcov 120000) 730279: Mar 4 20:43:48.696 CST: LDP GR: MFI cutover wait delay = 600000, Forwarding State Hold Timer = 600000 730280: Mar 4 20:43:48.696 CST: LDP GR: searching for down nbr record (10.64.0.34:0, 10.64.0.178) 730281: Mar 4 20:43:48.696 CST: LDP GR: Added FT Sess TLV (Rconn 120000, Rcov 0) to INIT msg to 10.64.0.34:0 The 7201 is logging this: 054705: Mar 5 00:28:19.599 CST: LDP GR: GR session 10.64.0.20:0:: lost 054706: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: created [1 total] 054707: Mar 5 00:28:19 CST: %LDP-5-GR: GR session 10.64.0.20:0 (inst. 3): interrupted--recovery pending 054708: Mar 5 00:28:19.599 CST: LDP GR: GR session 10.64.0.20:0:: bindings retained 054709: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: state change (None -> Reconnect-Wait) 054710: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: reconnect timer started [120000 msecs] 054711: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: added to bindings task queue [1 entries] 054712: Mar 5 00:28:19 CST: %LDP-5-NBRCHG: LDP Neighbor 10.64.0.20:0 (0) is DOWN (Received error notification from peer: Shut down) 054713: Mar 5 00:28:25.923 CST: LDP GR: searching for down nbr record (10.64.0.20:0, 10.64.0.179) 054714: Mar 5 00:28:25.923 CST: LDP GR: search for down nbr record (10.64.0.20:0, 10.64.0.179) returned 10.64.0.20:0 054715: Mar 5 00:28:25.923 CST: LDP GR: Added FT Sess TLV (Rconn 0, Rcov 120000) to INIT msg to 10.64.0.20:0 054716: Mar 5 00:28:25.947 CST: LDP GR: Received FT Sess TLV from 10.64.0.20:0 (fl 0x1, rs 0x0, rconn 120000, rcov 0) 054717: Mar 5 00:28:25.947 CST: LDP GR: GR session 10.64.0.20:0:: established 054718: Mar 5 00:28:25.947 CST: LDP GR: GR session 10.64.0.20:0:: found down nbr 10.64.0.20:0 054719: Mar 5 00:28:25.947 CST: LDP GR: down nbr 10.64.0.20:0:: reconnect timer stopped 054720: Mar 5 00:28:25.947 CST: LDP GR: down nbr 10.64.0.20:0:: state change (Reconnect-Wait -> Recovering) 054721: Mar 5 00:28:25.947 CST: LDP GR: down nbr 10.64.0.20:0:: recovery timer started [1 msecs] 054722: Mar 5 00:28:25 CST: %LDP-5-GR: GR session 10.64.0.20:0 (inst. 4): starting graceful recovery 054723: Mar 5 00:28:25 CST: %LDP-5-NBRCHG: LDP Neighbor 10.64.0.20:0 (4) is UP 054724: Mar 5 00:28:25.951 CST: LDP GR: down nbr 10.64.0.20:0:: recovery timer expired 054725: Mar 5 00:28:25 CST: %LDP-5-GR: GR session 10.64.0.20:0 (inst. 4): completed graceful recovery 054726: Mar 5 00:28:25.951 CST: LDP GR: down nbr 10.64.0.20:0:: destroying record [0 left] 054727: Mar 5 00:28:25.951 CST: LDP GR: down nbr 10.64.0.20:0:: state change (Recovering -> Delete-Wait) 054728: Mar 5 00:28:28.091 CST: LDP GR: Tagcon querying for up to 12 bindings update tasks [table 0] 054729: Mar 5 00:28:28.091 CST: LDP GR: down nbr 10.64.0.20:0:: requesting bindings DEL for {10.64.0.20:0, 3} 054730: Mar 5 00:28:28.091 CST: LDP GR: down nbr 10.64.0.20:0:: removed from bindings task queue [0 entries] 054731: Mar 5 00:28:28.091 CST: LDP GR: Requesting 1 bindings update tasks [0 left in queue] 10.64.0.20 is a loopback on the 7613 and 10.64.0.34 is a loopback on the 7201. I do have some interface errors which I also can't explain. They do not appear to be incrementing though. 7613: GigabitEthernet9/1 is up, line protocol is up (connected) Hardware is C6k 1000Mb 802.3, address is 001a.3063.0a80 (bia 001a.3063.0a80) Description: TO 2821-2.dc Gi0/0 Internet address is 10.64.0.179/31 MTU 9000 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 1000Mb/s input flow-control is off, output flow-control is off Clock mode is auto ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:02, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/1936665/7581 (size/max/drops/flushes); Total output drops: 4 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 49000 bits/sec, 17 packets/sec 5 minute output rate 56000 bits/sec, 24 packets/sec L2 Switched: ucast: 52903876 pkt, 3771470311 bytes - mcast: 15056043 pkt, 1653756471 bytes L3 in Switched: ucast: 80170438 pkt, 12709078926 bytes - mcast: 0 pkt, 0 bytes mcast L3 out Switched: ucast: 185161821 pkt, 36022953056 bytes mcast: 0 pkt, 0 bytes 150040994 packets input, 30087625055 bytes, 0 no buffer Received 15660647 broadcasts (0 IP multicasts) 30 runts, 4247159 giants, 0 throttles 1929071 input errors, 68 CRC, 0 frame, 13 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 257650143 packets output, 64726258058 bytes, 0 underruns 2 output errors, 0 collisions, 2 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out 7201: GigabitEthernet0/0 is up, line protocol is up Hardware is MV64460 Internal MAC, address is 0023.5ee9.ac1b (bia 0023.5ee9.ac1b) Description: TO 7613-2.clr Gi9/1 Internet address is 10.64.0.178/31 MTU 9000 bytes, BW 1000000 Kbit/sec, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 1000Mb/s, media type is RJ45 output flow-control is XON, input flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:00, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/3951/0 (size/max/drops/flushes); Total output drops: 6 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 45000 bits/sec, 19 packets/sec 5 minute output rate 64000 bits/sec, 13 packets/sec 51466122 packets input, 1916487584 bytes, 0 no buffer Received 1891956 broadcasts, 0 runts, 0 giants, 0 throttles 5 input errors, 0 CRC, 0 frame, 0 overrun, 5 ignored 0 watchdog, 2247902 multicast, 0 pause input 0 input packets with dribble condition detected 32927369 packets output, 1549013167 bytes, 0 underruns 8 output errors, 0 collisions, 1 interface resets 23 unknown protocol drops 23 unknown protocol drops 0 babbles, 0 late collision, 0 deferred 8 lost carrier, 0 no carrier, 0 pause output 0 output buffer failures, 0 output buffers swapped out Any thoughts as to what's going on here? I can't tell for certain which of the 2 routers is causing LDP and BGP to drop. Knowing that would help me narrow my troubleshooting focus. The 7600 is running SRB1 and the 7201 is running 12.4(15)T7. Thanks Justin From blahu77 at gmail.com Thu Mar 5 03:23:48 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Thu, 5 Mar 2009 08:23:48 +0000 Subject: [c-nsp] Conflicting OSPF router-ids in separate VRFs In-Reply-To: <49AF70CA.6070007@justinshore.com> References: <49AF70CA.6070007@justinshore.com> Message-ID: <383357750903050023o665dc660uc037b8811d4fc448@mail.gmail.com> 2009/3/5 Justin Shore : > I'm trying to get multiple OSPF instances to work in separate VRFs with all > OSPF instances using the same router-id. As you noticed it won't work [...] > I have OSPF configured inside the VRF in question. ?This is the first of the > production GRE tunnels we've turned up for this product offering. Tunnel2999 > is my beta tunnel and Tunnel3013 is the production tunnel: > > Neighbor ID ? ? Pri ? State ? ? ? ? ? Dead Time ? Address ? ? ? ? Interface > %OSPF: Router process 3013 is not running, please configure a router-id > 192.168.100.1 ? ? 0 ? FULL/ ?- ? ? ? ?00:00:38 ? ?10.125.124.2 ? ?Tunnel2999 [...] > 7613-1(config-router)#router-id 10.125.124.1 > OSPF: router-id 10.125.124.1 in use by ospf process 2999 Since router-id doesn't have to be any configured IP on the box you could do something like below and still have a "good" template. router ospf 2999 vrf bla1 router-id 2.9.9.9 router ospf 3013 vrf bla2 router-id 3.0.1.3 and everything should be just fine. You can "encode" these 32bits whatever you like. Best Regards, -mat -- pgp-key 0x1C655CAB From serhat.candan at probil.com.tr Thu Mar 5 03:25:31 2009 From: serhat.candan at probil.com.tr (=?iso-8859-9?Q?Serhat_Candan_=28Probil_-_=DDstanbul=29?=) Date: Thu, 5 Mar 2009 10:25:31 +0200 Subject: [c-nsp] Cisco 7600 Router's Default IPSec Throughput Rate In-Reply-To: References: <3fc686ad0903040112p6760a191r9cb16eb7969d8960@mail.gmail.com> <2ED8C866F019B840AD21E8E29AD091CD0CB9E77410@proexc.probil.intl> Message-ID: <2ED8C866F019B840AD21E8E29AD091CD0CB9E7755B@proexc.probil.intl> Hello Marlon, Thanks for reply. I checked the topic it is about IOS support, i need some charts about IPSec throughput, pps etc. Regards, Serhat From: Marlon Duksa [mailto:mduksa at gmail.com] Sent: 04 Mart 2009 ?ar?amba 17:57 To: Serhat Candan (Probil - ?stanbul) Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco 7600 Router's Default IPSec Throughput Rate Serhat - look for "ipsec support on 7600" posting on this list. A similar question was submitted a several days ago.. On Wed, Mar 4, 2009 at 1:14 AM, Serhat Candan (Probil - ?stanbul) > wrote: Hello All, I m trying to find a reference guide which has IPSec VPN throughput rates of Cisco 7600 router. I m not sure to use VPN SPA or not because of that. For example if you have 50 IPSec Sites with low speed such as 128 Kbps, do we need to use VPN SPA or just upgrade the IOS of the router by using Security Feature enabled IOS? It would be great to have such a document to determine that need. Thanks in advance, Serhat _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From sbr at infonet.ee Thu Mar 5 04:33:26 2009 From: sbr at infonet.ee (Konstantin Barinov) Date: Thu, 5 Mar 2009 11:33:26 +0200 Subject: [c-nsp] Redundant SUP32-10G Message-ID: <139174052.20090305113326@infonet.ee> Hello All! Please help me to understand, if there are redundant SUP32-10GE's in chassis, is it possible to use all 4 10G ports at wire speed simultaneously? What type of interconnection do supervisors use between them? Thank you! br -- Konstantin Barinov INFONET AS, Tallinn, Estonia From perc69 at gmail.com Thu Mar 5 04:56:55 2009 From: perc69 at gmail.com (Pelle) Date: Thu, 5 Mar 2009 10:56:55 +0100 Subject: [c-nsp] ip helper and dhcp on the same device In-Reply-To: <49AE497D.20503@euroway.hu> References: <49AE497D.20503@euroway.hu> Message-ID: <746ca6da0903050156u159d187fyc224b8fa61c96f70@mail.gmail.com> Hi. > Is it possible to use ip dhcp pool XY for one host( use mac address) and ip > helper-address ?for the others (all pc is in the same subnet). If the propose is to give the PC with the known MAC-address a fixed IP-address, this is easier[1] to do on the DHCP-server. [1] At least a no-brainer on the ISC dhcp-server -- Pelle From peter at rathlev.dk Thu Mar 5 05:24:40 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 05 Mar 2009 11:24:40 +0100 Subject: [c-nsp] UDP-helper problem In-Reply-To: <2CE904AA-FF23-4480-8D58-1322E1521FBD@manchester.ac.uk> References: <2CE904AA-FF23-4480-8D58-1322E1521FBD@manchester.ac.uk> Message-ID: <1236248680.5801.134.camel@localhost.localdomain> On Wed, 2009-03-04 at 13:00 +0000, Michael Robson wrote: > I have recently moved the routing of a subnet from an old sup2/msfc2 > 6500 (Version 12.1(26)E8, RELEASE SOFTWARE (fc1)) to a newer sup3/ > msfc3 6500 (Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)). On the old > router the udp-helper command worked fine, but on the new router I can > see the DHCP address coming in but not the reply coming back and the > DHCP server isn't seeing the request arriving. Can anyone suggest why > this might have stopped working (it isn't an ACL or firewall issue as > there aren't any in the way) and I haven't turned _off_ any component > of udp-helper (i.e. using the ip forward-protocol command). > > interface Vlan937 > description XXXYYYZZZ > ip address w.x.y.z 255.255.255.192 > ip helper-address a.b.c.d AFAIK this forwarding requires the device to have "service dhcp", which is default. Do you have "no service dhcp" defined maybe? (I might have misunderstood this requirement though.) We use this in many places for Sup720 SXF13 boxes, so it should work. Another thing could be the DHCP server. If you know "by sniff" that the packet doesn't arrive at the DHCP this is not relevant, but the DHCP server would of course only reply if e.g. netmasks are the same. Regards, Peter From peter at rathlev.dk Thu Mar 5 05:57:10 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 05 Mar 2009 11:57:10 +0100 Subject: [c-nsp] Cisco 7600 Router's Default IPSec Throughput Rate In-Reply-To: <2ED8C866F019B840AD21E8E29AD091CD0CB9E7755B@proexc.probil.intl> References: <3fc686ad0903040112p6760a191r9cb16eb7969d8960@mail.gmail.com> <2ED8C866F019B840AD21E8E29AD091CD0CB9E77410@proexc.probil.intl> <2ED8C866F019B840AD21E8E29AD091CD0CB9E7755B@proexc.probil.intl> Message-ID: <1236250630.5801.138.camel@localhost.localdomain> On Thu, 2009-03-05 at 10:25 +0200, Serhat Candan wrote: > Thanks for reply. I checked the topic it is about IOS support, i need > some charts about IPSec throughput, pps etc. Then read the thread once more. :-) If it is not supported the throughput you can rely on is exactly 0. If you need IPSec for other than management purposes (or on SR) you need an IPSec SPA. Regards, Peter From peter at rathlev.dk Thu Mar 5 06:02:52 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 05 Mar 2009 12:02:52 +0100 Subject: [c-nsp] Redundant SUP32-10G In-Reply-To: <139174052.20090305113326@infonet.ee> References: <139174052.20090305113326@infonet.ee> Message-ID: <1236250972.5801.144.camel@localhost.localdomain> On Thu, 2009-03-05 at 11:33 +0200, Konstantin Barinov wrote: > Please help me to understand, if there are redundant SUP32-10GE's > in chassis, is it possible to use all 4 10G ports at wire speed > simultaneously? Assuming the Sup32 can do wire speed on these ports at all, then yes, each port should be able to deliver 10G connectivity, and both supervisor's ports are at your disposal in a redundant setup. This doesn't mean that you can have the box take 10G in one port and send all 10G out another port though, not even on the same supervisor. > What type of interconnection do supervisors use between them? Regular bus, so inter-sup capacity is limited by this "32 Gbps" bottleneck shared with all other traffic in the box. Regards, Peter From serhat.candan at probil.com.tr Thu Mar 5 06:34:49 2009 From: serhat.candan at probil.com.tr (=?iso-8859-9?Q?Serhat_Candan_=28Probil_-_=DDstanbul=29?=) Date: Thu, 5 Mar 2009 13:34:49 +0200 Subject: [c-nsp] Cisco 7600 Router's Default IPSec Throughput Rate In-Reply-To: <1236250630.5801.138.camel@localhost.localdomain> References: <3fc686ad0903040112p6760a191r9cb16eb7969d8960@mail.gmail.com> <2ED8C866F019B840AD21E8E29AD091CD0CB9E77410@proexc.probil.intl> <2ED8C866F019B840AD21E8E29AD091CD0CB9E7755B@proexc.probil.intl> <1236250630.5801.138.camel@localhost.localdomain> Message-ID: <2ED8C866F019B840AD21E8E29AD091CD0CB9E775EA@proexc.probil.intl> Thank you so much :) Regards, Serhat -----Original Message----- From: Peter Rathlev [mailto:peter at rathlev.dk] Sent: 05 Mart 2009 Per?embe 12:57 To: Serhat Candan (Probil - ?stanbul) Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco 7600 Router's Default IPSec Throughput Rate On Thu, 2009-03-05 at 10:25 +0200, Serhat Candan wrote: > Thanks for reply. I checked the topic it is about IOS support, i need > some charts about IPSec throughput, pps etc. Then read the thread once more. :-) If it is not supported the throughput you can rely on is exactly 0. If you need IPSec for other than management purposes (or on SR) you need an IPSec SPA. Regards, Peter From saku+cisco-nsp at ytti.fi Thu Mar 5 07:13:03 2009 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Thu, 5 Mar 2009 14:13:03 +0200 Subject: [c-nsp] ftp.cisco.com unusable? In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D746DEBF@xmb-ams-331.emea.cisco.com> References: <20090228170533.GJ27070@ronin.4ever.de> <78C984F8939D424697B15E4B1C1BB3D746DEBF@xmb-ams-331.emea.cisco.com> Message-ID: <20090305121303.GA10395@mx.ytti.net> On (2009-02-28 18:26 +0100), Arie Vayner (avayner) wrote: > Guys, > > I can recreate it from my PC as well. > It seems that: > - download-sj-1 and download-sj-2 work > - download-sj-3 and download-sj-4 are broken > > I will file a case for this with Cisco IT. Any news? > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Elmar K. Bins > Sent: Saturday, February 28, 2009 19:06 > To: Saku Ytti > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ftp.cisco.com unusable? > > saku+cisco-nsp at ytti.fi (Saku Ytti) wrote: > > > > ftp> ls > > > 500 EPSV: Command not recognized > > > 227 Entering Passive Mode (198,133,219,241,46,108) > > > > > > Well, doing FTP with an Apache... > > > (that's like teaching a cowboy to shoot arrows, right? > > > > Right :). Thank you for the update. Hopefully someone > > from @cisco.com picks up gets it fixed. > > I guess they will have to kick their sysadmins. > This happening or not depends on which Server DNS > gives you for "ftp.cisco.com". > > Broken: download-sj-4.cisco.com > Working: download-sj-2.cisco.com > > (Examples) > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- ++ytti From kajtzu at basen.net Thu Mar 5 06:46:58 2009 From: kajtzu at basen.net (Kaj Niemi) Date: Thu, 5 Mar 2009 14:46:58 +0300 Subject: [c-nsp] ASA 5505 multiple netblock functionality In-Reply-To: <725755F5E728EE4086DAAF1A54DACF4F0B53DB2B@sea5exbe1.speakeasy.hq> References: <725755F5E728EE4086DAAF1A54DACF4F0B53DB2B@sea5exbe1.speakeasy.hq> Message-ID: <2ED4B530-2094-4548-9384-AC357B8BFF9E@basen.net> Hi, The default license allows for 2 unrestricted vlans + 1 restricted ('dmz'). The restricted one cannot initiate traffic towards one of the other vlans. # sh ver Cisco Adaptive Security Appliance Software Version 8.0(4)16 ... Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz ... Licensed features for this platform: Maximum Physical Interfaces : 8 VLANs : 3, DMZ Restricted Inside Hosts : 10 To get around this restriction you would need to buy another license (Security Plus). As for 'multiple contexts' - the 5505 does not support any. Refer to http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html for more info. Kaj On Mar 5, 2009, at 00:55, Jonathan Brashear wrote: > Apologies if this has been addressed previously, I looked through > the last 12 months of c-nsp threads and didn't see this mentioned. > > There is some debate going on in my department over a particular > implementation and the 5505's capability to handle multiple > netblocks. A quick primer on the situation: > > Firewall IP: 1.2.3.4(publicly routable, but changing for cust privacy) > Customer netblock: 5.6.7.0/26(it's publicly routable as well, I'm > changing for sake of cust privacy) > Customer NAT: 192.168.0.0/24 > > > The /26 is statically routed to 1.2.3.4 from the router level, and > the customer wants to run NAT for their internal devices(db servers, > etc.). Our implementations guy states that the 5505 can't handle > assigning 3+ netblocks because they can't run multiple contexts. My > experience with the ASA firewalls is limited so I very well may be > wrong, but I believe the 5505s should be able to handle multiple > netblocks on the internal side of the firewall using something such > as sub-interfaces or similar. Can anyone help explain why this is or > isn't feasible? > > They don't need to be on the same physical interface necessarily, we > can run them to separate physical interfaces because this customer > is hairpinned behind a switch(and the servers are connected to said > switch instead of the firewall directly) so port density isn't a big > issue(to a point). > > We can assign a netblock to each internal port on the firewall if > need be - which seems to be the best solution from what I'm > uncovering - and that works as a reasonable alternative. It doesn't > scale very well obviously, but I don't think this customer is going > to chew through netblocks at a rate where this will be an issue. > > Network Engineer, JNCIS-M >> 214-981-1954 (office) >> 214-642-4075 (cell) >> jbrashear at hq.speakeasy.net > http://www.speakeasy.net > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ Kaj -- Kaj J. Niemi FI +358 45 63 12000 KSA +966 54 52 43277 From ibrahim.abozaid at gmail.com Thu Mar 5 07:52:50 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Thu, 5 Mar 2009 14:52:50 +0200 Subject: [c-nsp] rotary-like dynamic NAT pool Message-ID: Dear All i was searching for dynamic NAT technology that utilize the NAT pool in rotary fashion for inside source addresses like rotary NAT technology does for destination addresses best regards --Ibrahim From hnyhus at gmail.com Thu Mar 5 09:00:25 2009 From: hnyhus at gmail.com (=?UTF-8?Q?H=C3=A5vard_Nyhus?=) Date: Thu, 5 Mar 2009 15:00:25 +0100 Subject: [c-nsp] Redundant SUP32-10G In-Reply-To: <139174052.20090305113326@infonet.ee> References: <139174052.20090305113326@infonet.ee> Message-ID: <6bc4a240903050600q2740fd0er8fbc303ad2478277@mail.gmail.com> > Please help me to understand, if there are redundant SUP32-10GE's > in chassis, is it possible to use all 4 10G ports at wire speed > simultaneously? What type of interconnection do supervisors use > between them? All four ports can be used at the same time - however, they will be oversubscribed 2:1 on each supervisor. There is also a limit at 15mpps ipv4 traffic (64-byte packets). The SUP32 connects to the classic bus - that is the shared 32gbps bus, which is also used between the two supervisors. This means that a SUP32-system cannot forward more than 32gbps in total, no matter which linecards you use. -- H?vard Staub Nyhus From sbr at infonet.ee Thu Mar 5 09:17:16 2009 From: sbr at infonet.ee (Konstantin Barinov) Date: Thu, 05 Mar 2009 16:17:16 +0200 Subject: [c-nsp] Redundant SUP32-10G In-Reply-To: <6bc4a240903050600q2740fd0er8fbc303ad2478277@mail.gmail.com> References: <139174052.20090305113326@infonet.ee> <6bc4a240903050600q2740fd0er8fbc303ad2478277@mail.gmail.com> Message-ID: <49AFDEEC.4050109@infonet.ee> Thank you for answers! Subject is now clear. -- Konstantin Barinov On 05-Mar-09 16:00, H?vard Nyhus wrote: >> Please help me to understand, if there are redundant SUP32-10GE's >> in chassis, is it possible to use all 4 10G ports at wire speed >> simultaneously? What type of interconnection do supervisors use >> between them? > > > All four ports can be used at the same time - however, they will be > oversubscribed 2:1 on each supervisor. There is also a limit at 15mpps > ipv4 traffic (64-byte packets). > > The SUP32 connects to the classic bus - that is the shared 32gbps bus, > which is also used between the two supervisors. This means that a > SUP32-system cannot forward more than 32gbps in total, no matter which > linecards you use. > > From ayourtch at cisco.com Thu Mar 5 11:22:44 2009 From: ayourtch at cisco.com (Andrew Yourtchenko) Date: Thu, 5 Mar 2009 17:22:44 +0100 (CET) Subject: [c-nsp] FWSM and mixed IPv4/IPv6 access-list In-Reply-To: References: <38D04BF3A4B7B2499D19EB1DB54285EA09E90498@FNB1EX01.gci.com> Message-ID: On Tue, 3 Mar 2009, Justin M. Streiner wrote: > On Tue, 3 Mar 2009, Leif Sawyer wrote: > >> Is anybody working with FWSM's and mixed-mode IPv4+IPv6 ACL's? >> >> I'm having trouble with traceroute6 not succeeding, but ping6 working >> fine: > > You might be getting caught by flawed behavior of the FWSM. I've run into > something similar with straight v4 firewall zones where certain flavors of > traceroute will be dropped by the blade. When it was first reported to us, > we thought is was a broken fixup, but the behavior persisted after the fixup > was disabled. No word on a fix from Cisco. traceroute relies on the party that is doing the traceroute being able to receive the ICMP TTL expired from all the nodes along the path back to the originator. In the presence of nat(ipv4)/ACLs you would need the icmp inspection to have it working. "Classic" traceroute uses UDP as probe packets, but windows boxes use ICMP for that purpose. If you had issues with the latter but not with the former, CSCsj53485 might be what you were encountering. If it does not match what you were experiencing and you have a case#, unicast it to me please. > > On a somewhat unrelated note, how has the v6 performance been on the FWSMs > for you? Everything I've heard from Cisco and other sources suggests that > the v6 packets are much more expensive for the FWSM to forward, so > performance would suffer greatly. Correct. thanks, andrew From hritter at cisco.com Thu Mar 5 12:06:31 2009 From: hritter at cisco.com (Harold Ritter (hritter)) Date: Thu, 5 Mar 2009 12:06:31 -0500 Subject: [c-nsp] Conflicting OSPF router-ids in separate VRFs In-Reply-To: <49AF70CA.6070007@justinshore.com> References: <49AF70CA.6070007@justinshore.com> Message-ID: Justin, The OSPF RID needs to be globally unique on the box. There is no way around it. Regards -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore Sent: Thursday, March 05, 2009 1:27 AM To: 'Cisco-nsp' Subject: [c-nsp] Conflicting OSPF router-ids in separate VRFs I'm trying to get multiple OSPF instances to work in separate VRFs with all OSPF instances using the same router-id. We're offering a VPN tunnel service to access offsite bit-for-bit data copy services in our Data Center. The tunnel of choice is a GRE tunnel with IPSec protection. The GRE tunnel interface is inside a unique VRF per customer. The IP subnet used in each VRF for this product offering is identical, as is the interface IPs on the tunnel interfaces. This makes the config templates as simple as possible since all sites are essentially identical from our perspective. I have OSPF configured inside the VRF in question. This is the first of the production GRE tunnels we've turned up for this product offering. Tunnel2999 is my beta tunnel and Tunnel3013 is the production tunnel: Neighbor ID Pri State Dead Time Address Interface %OSPF: Router process 3013 is not running, please configure a router-id 192.168.100.1 0 FULL/ - 00:00:38 10.125.124.2 Tunnel2999 The problem I'm running into is that OSPF will not run on the production tunnel because it's IP conflicts with the IP in my beta tunnel in a separate VRF. When I try to configure OSPF in the production VRF with the interface IP of the tunnel I get an error: 7613-1(config-router)#router-id 10.125.124.1 OSPF: router-id 10.125.124.1 in use by ospf process 2999 router ospf 2999 vrf dc-gre-test ignore lsa mospf ispf log-adjacency-changes redistribute bgp 65001 subnets passive-interface default no passive-interface Tunnel2999 network 10.125.124.0 0.0.0.3 area 0 network 10.125.125.0 0.0.0.255 area 0 router ospf 3013 vrf dc-customer-vrf ignore lsa mospf ispf log-adjacency-changes redistribute bgp 65001 subnets passive-interface default no passive-interface Tunnel3013 network 10.125.124.0 0.0.0.3 area 0 network 10.125.125.0 0.0.0.255 area 0 Is there some magic trick to making OSPF on a 7600 running SRB1 be truly VRF-aware? OSPF instances in separate VRFs shouldn't IP conflict with router-ids in other VRFs. If they did then what's the point of VRF separation? Any thoughts before I call TAC? Thanks Justin _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From justin at justinshore.com Thu Mar 5 12:16:18 2009 From: justin at justinshore.com (Justin Shore) Date: Thu, 05 Mar 2009 11:16:18 -0600 Subject: [c-nsp] Conflicting OSPF router-ids in separate VRFs In-Reply-To: References: <49AF70CA.6070007@justinshore.com> Message-ID: <49B008E2.7070703@justinshore.com> Harold, Thanks for the reply. This sounds odd to me. Why wouldn't IOS be able to handle conflicting OSPF router-ids for OSPF processes in different VRFs? I could certainly see the problem if these were separate OSPF processes that were in the global VRF but I would think that VRF separation would take care of any conflicts in OSPF processes. Odd. Is this something that may be addressed in a future release? Thanks again for the reply Justin Harold Ritter (hritter) wrote: > Justin, > > The OSPF RID needs to be globally unique on the box. There is no way > around it. > > Regards > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore > Sent: Thursday, March 05, 2009 1:27 AM > To: 'Cisco-nsp' > Subject: [c-nsp] Conflicting OSPF router-ids in separate VRFs > > Is there some magic trick to making OSPF on a 7600 running SRB1 be truly > VRF-aware? OSPF instances in separate VRFs shouldn't IP conflict with > router-ids in other VRFs. If they did then what's the point of VRF > separation? Any thoughts before I call TAC? From lmeade at signal.ca Thu Mar 5 12:50:41 2009 From: lmeade at signal.ca (Leslie Meade) Date: Thu, 5 Mar 2009 09:50:41 -0800 Subject: [c-nsp] eigrp questions Message-ID: I have two 6509's with sup 32 running HRSP and ether channel links between them. On Vlan2 I have two routers, one that handles T1 and the other DMVPN. All devices have eigrp running. Vlan 2 is my routed network to these devices. The HRSP ip on the 6509 is 10.1.2.1 On my both of my routers that are only connected to one 6509, when I do a sh ip route eigrp 100 I get the following. D 10.1.32.0/24 [90/3072] via 10.1.2.3, 1w5d, GigabitEthernet0/0 [90/3072] via 10.1.2.2, 1w5d, GigabitEthernet0/0 D EX 10.1.204.0/24 [170/3072] via 10.1.2.3, 1w5d, GigabitEthernet0/0 [170/3072] via 10.1.2.2, 1w5d, GigabitEthernet0/0 D EX 192.168.0.0/16 [170/3072] via 10.1.2.3, 1w5d, GigabitEthernet0/0 [170/3072] via 10.1.2.2, 1w5d, GigabitEthernet0/0 vfs-core-r1#sh ip route 10.1.1.6 Routing entry for 10.1.1.0/24 Known via "eigrp 100", distance 90, metric 3072, type internal Redistributing via eigrp 100 Last update from 10.1.2.2 on GigabitEthernet0/0, 1w5d ago Routing Descriptor Blocks: * 10.1.2.3, from 10.1.2.3, 1w5d ago, via GigabitEthernet0/0 Route metric is 3072, traffic share count is 1 Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit Reliability 255/255, minimum MTU 1500 bytes Loading 1/255, Hops 1 10.1.2.2, from 10.1.2.2, 1w5d ago, via GigabitEthernet0/0 Route metric is 3072, traffic share count is 1 Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit Reliability 255/255, minimum MTU 1500 bytes Loading 11/255, Hops 1 My question is how do I change the weighting on the eigrp so that 10.1.2.1 is the preferred, then .2 then .3. The easy answer is to remove the eigrp from the 2nd 6509, but there is a move to plug them into the other 6509 for redundancy. Leslie From david.freedman at uk.clara.net Thu Mar 5 13:05:52 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Thu, 05 Mar 2009 18:05:52 +0000 Subject: [c-nsp] MPLS LDP and BGP Neighbor flapping constantly In-Reply-To: <49AF7271.40507@justinshore.com> References: <49AF7271.40507@justinshore.com> Message-ID: <49B01480.5020003@uk.clara.net> You appear to have a high number of input queue drops and input errors, granted the counters have never been cleared, do you haver any PPS graphs of the link between these two boxes? I would suspect a traffic spike or link fault causing control messages to be dropped being the cause here. Dave. Justin Shore wrote: > This afternoon I stumbled across a problem with a LDP session between a > 7613 and a 7201. Actually both LDP and iBGP were flapping every 10 > seconds or so. I had both interfaces configured for MPLS, LDP, IS-IS > (with AUTH and BFD though BFD isn't enabled on the interface itself yet) > with an interface MTU of 9000 and CLNS MTU of 1496. Nothing too fancy. > The systems as a whole are configured with MPLS graceful-restart, LDP, > no mpls ip propagate-ttl, and LDP router-ID on a loopback: > > # 7201 > mpls label protocol ldp > no mpls ip propagate-ttl > mpls ldp graceful-restart > mpls ldp router-id Loopback0 force > > # 7613 > mls mpls tunnel-recir > mpls traffic-eng tunnels > mpls ldp graceful-restart > no mpls ip propagate-ttl > mpls label protocol ldp > mpls ldp router-id Loopback0 force > > This morning at 7:05 the router stopped responding to SNMP queries for > about 15m. The load was about 13 before. Cacti shows the load doubling > in the 10m prior to the 15m of nothing. When it came back the load was > just shy of 50 and stayed there for about 30m. After that it stayed at > around 30-35 for the next 7.5hrs before I noticed the BGP flapping issue > and shutdown the peer for troubleshooting. The load dropped back to > around 16, higher than it was before the hiccup this morning. I'm at a > loss to adequately explain why the load has been so jacked. I think the > 30-35 load was because BGP flapping and the slightly higher load now is > due to the LDP flapping issue. That's my best guess. > > Anyone know how to troubleshoot a LDP neighbor flapping issue? The 7613 > is logging this: > > 730278: Mar 4 20:43:48.696 CST: LDP GR: Received FT Sess TLV from > 10.64.0.34:0 (fl 0x1, rs 0x0, rconn 0, rcov 120000) > 730279: Mar 4 20:43:48.696 CST: LDP GR: MFI cutover wait delay = > 600000, Forwarding State Hold Timer = 600000 > 730280: Mar 4 20:43:48.696 CST: LDP GR: searching for down nbr record > (10.64.0.34:0, 10.64.0.178) > 730281: Mar 4 20:43:48.696 CST: LDP GR: Added FT Sess TLV (Rconn > 120000, Rcov 0) to INIT msg to 10.64.0.34:0 > > The 7201 is logging this: > > 054705: Mar 5 00:28:19.599 CST: LDP GR: GR session 10.64.0.20:0:: lost > 054706: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: created > [1 total] > 054707: Mar 5 00:28:19 CST: %LDP-5-GR: GR session 10.64.0.20:0 (inst. > 3): interrupted--recovery pending > 054708: Mar 5 00:28:19.599 CST: LDP GR: GR session 10.64.0.20:0:: > bindings retained > 054709: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: state > change (None -> Reconnect-Wait) > 054710: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: > reconnect timer started [120000 msecs] > 054711: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: added > to bindings task queue [1 entries] > 054712: Mar 5 00:28:19 CST: %LDP-5-NBRCHG: LDP Neighbor 10.64.0.20:0 > (0) is DOWN (Received error notification from peer: Shut down) > > 054713: Mar 5 00:28:25.923 CST: LDP GR: searching for down nbr record > (10.64.0.20:0, 10.64.0.179) > 054714: Mar 5 00:28:25.923 CST: LDP GR: search for down nbr record > (10.64.0.20:0, 10.64.0.179) returned 10.64.0.20:0 > 054715: Mar 5 00:28:25.923 CST: LDP GR: Added FT Sess TLV (Rconn 0, > Rcov 120000) to INIT msg to 10.64.0.20:0 > 054716: Mar 5 00:28:25.947 CST: LDP GR: Received FT Sess TLV from > 10.64.0.20:0 (fl 0x1, rs 0x0, rconn 120000, rcov 0) > 054717: Mar 5 00:28:25.947 CST: LDP GR: GR session 10.64.0.20:0:: > established > 054718: Mar 5 00:28:25.947 CST: LDP GR: GR session 10.64.0.20:0:: found > down nbr 10.64.0.20:0 > 054719: Mar 5 00:28:25.947 CST: LDP GR: down nbr 10.64.0.20:0:: > reconnect timer stopped > 054720: Mar 5 00:28:25.947 CST: LDP GR: down nbr 10.64.0.20:0:: state > change (Reconnect-Wait -> Recovering) > 054721: Mar 5 00:28:25.947 CST: LDP GR: down nbr 10.64.0.20:0:: > recovery timer started [1 msecs] > 054722: Mar 5 00:28:25 CST: %LDP-5-GR: GR session 10.64.0.20:0 (inst. > 4): starting graceful recovery > 054723: Mar 5 00:28:25 CST: %LDP-5-NBRCHG: LDP Neighbor 10.64.0.20:0 > (4) is UP > 054724: Mar 5 00:28:25.951 CST: LDP GR: down nbr 10.64.0.20:0:: > recovery timer expired > 054725: Mar 5 00:28:25 CST: %LDP-5-GR: GR session 10.64.0.20:0 (inst. > 4): completed graceful recovery > 054726: Mar 5 00:28:25.951 CST: LDP GR: down nbr 10.64.0.20:0:: > destroying record [0 left] > 054727: Mar 5 00:28:25.951 CST: LDP GR: down nbr 10.64.0.20:0:: state > change (Recovering -> Delete-Wait) > > 054728: Mar 5 00:28:28.091 CST: LDP GR: Tagcon querying for up to 12 > bindings update tasks [table 0] > 054729: Mar 5 00:28:28.091 CST: LDP GR: down nbr 10.64.0.20:0:: > requesting bindings DEL for {10.64.0.20:0, 3} > 054730: Mar 5 00:28:28.091 CST: LDP GR: down nbr 10.64.0.20:0:: removed > from bindings task queue [0 entries] > 054731: Mar 5 00:28:28.091 CST: LDP GR: Requesting 1 bindings update > tasks [0 left in queue] > > 10.64.0.20 is a loopback on the 7613 and 10.64.0.34 is a loopback on the > 7201. > > I do have some interface errors which I also can't explain. They do not > appear to be incrementing though. 7613: > > GigabitEthernet9/1 is up, line protocol is up (connected) > Hardware is C6k 1000Mb 802.3, address is 001a.3063.0a80 (bia > 001a.3063.0a80) > Description: TO 2821-2.dc Gi0/0 > Internet address is 10.64.0.179/31 > MTU 9000 bytes, BW 1000000 Kbit, DLY 10 usec, > reliability 255/255, txload 1/255, rxload 1/255 > Encapsulation ARPA, loopback not set > Keepalive set (10 sec) > Full-duplex, 1000Mb/s > input flow-control is off, output flow-control is off > Clock mode is auto > ARP type: ARPA, ARP Timeout 04:00:00 > Last input 00:00:02, output 00:00:00, output hang never > Last clearing of "show interface" counters never > Input queue: 0/75/1936665/7581 (size/max/drops/flushes); Total output > drops: 4 > Queueing strategy: fifo > Output queue: 0/40 (size/max) > 5 minute input rate 49000 bits/sec, 17 packets/sec > 5 minute output rate 56000 bits/sec, 24 packets/sec > L2 Switched: ucast: 52903876 pkt, 3771470311 bytes - mcast: 15056043 > pkt, 1653756471 bytes > L3 in Switched: ucast: 80170438 pkt, 12709078926 bytes - mcast: 0 pkt, > 0 bytes mcast > L3 out Switched: ucast: 185161821 pkt, 36022953056 bytes mcast: 0 pkt, > 0 bytes > 150040994 packets input, 30087625055 bytes, 0 no buffer > Received 15660647 broadcasts (0 IP multicasts) > 30 runts, 4247159 giants, 0 throttles > 1929071 input errors, 68 CRC, 0 frame, 13 overrun, 0 ignored > 0 watchdog, 0 multicast, 0 pause input > 0 input packets with dribble condition detected > 257650143 packets output, 64726258058 bytes, 0 underruns > 2 output errors, 0 collisions, 2 interface resets > 0 babbles, 0 late collision, 0 deferred > 0 lost carrier, 0 no carrier, 0 PAUSE output > 0 output buffer failures, 0 output buffers swapped out > > 7201: > GigabitEthernet0/0 is up, line protocol is up > Hardware is MV64460 Internal MAC, address is 0023.5ee9.ac1b (bia > 0023.5ee9.ac1b) > Description: TO 7613-2.clr Gi9/1 > Internet address is 10.64.0.178/31 > MTU 9000 bytes, BW 1000000 Kbit/sec, DLY 10 usec, > reliability 255/255, txload 1/255, rxload 1/255 > Encapsulation ARPA, loopback not set > Keepalive set (10 sec) > Full-duplex, 1000Mb/s, media type is RJ45 > output flow-control is XON, input flow-control is unsupported > ARP type: ARPA, ARP Timeout 04:00:00 > Last input 00:00:00, output 00:00:00, output hang never > Last clearing of "show interface" counters never > Input queue: 0/75/3951/0 (size/max/drops/flushes); Total output drops: 6 > Queueing strategy: fifo > Output queue: 0/40 (size/max) > 5 minute input rate 45000 bits/sec, 19 packets/sec > 5 minute output rate 64000 bits/sec, 13 packets/sec > 51466122 packets input, 1916487584 bytes, 0 no buffer > Received 1891956 broadcasts, 0 runts, 0 giants, 0 throttles > 5 input errors, 0 CRC, 0 frame, 0 overrun, 5 ignored > 0 watchdog, 2247902 multicast, 0 pause input > 0 input packets with dribble condition detected > 32927369 packets output, 1549013167 bytes, 0 underruns > 8 output errors, 0 collisions, 1 interface resets > 23 unknown protocol drops > 23 unknown protocol drops > 0 babbles, 0 late collision, 0 deferred > 8 lost carrier, 0 no carrier, 0 pause output > 0 output buffer failures, 0 output buffers swapped out > > > Any thoughts as to what's going on here? I can't tell for certain which > of the 2 routers is causing LDP and BGP to drop. Knowing that would > help me narrow my troubleshooting focus. The 7600 is running SRB1 and > the 7201 is running 12.4(15)T7. > > Thanks > Justin > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From david.freedman at uk.clara.net Thu Mar 5 13:05:52 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Thu, 05 Mar 2009 18:05:52 +0000 Subject: [c-nsp] MPLS LDP and BGP Neighbor flapping constantly In-Reply-To: <49AF7271.40507@justinshore.com> References: <49AF7271.40507@justinshore.com> Message-ID: <49B01480.5020003@uk.clara.net> You appear to have a high number of input queue drops and input errors, granted the counters have never been cleared, do you haver any PPS graphs of the link between these two boxes? I would suspect a traffic spike or link fault causing control messages to be dropped being the cause here. Dave. Justin Shore wrote: > This afternoon I stumbled across a problem with a LDP session between a > 7613 and a 7201. Actually both LDP and iBGP were flapping every 10 > seconds or so. I had both interfaces configured for MPLS, LDP, IS-IS > (with AUTH and BFD though BFD isn't enabled on the interface itself yet) > with an interface MTU of 9000 and CLNS MTU of 1496. Nothing too fancy. > The systems as a whole are configured with MPLS graceful-restart, LDP, > no mpls ip propagate-ttl, and LDP router-ID on a loopback: > > # 7201 > mpls label protocol ldp > no mpls ip propagate-ttl > mpls ldp graceful-restart > mpls ldp router-id Loopback0 force > > # 7613 > mls mpls tunnel-recir > mpls traffic-eng tunnels > mpls ldp graceful-restart > no mpls ip propagate-ttl > mpls label protocol ldp > mpls ldp router-id Loopback0 force > > This morning at 7:05 the router stopped responding to SNMP queries for > about 15m. The load was about 13 before. Cacti shows the load doubling > in the 10m prior to the 15m of nothing. When it came back the load was > just shy of 50 and stayed there for about 30m. After that it stayed at > around 30-35 for the next 7.5hrs before I noticed the BGP flapping issue > and shutdown the peer for troubleshooting. The load dropped back to > around 16, higher than it was before the hiccup this morning. I'm at a > loss to adequately explain why the load has been so jacked. I think the > 30-35 load was because BGP flapping and the slightly higher load now is > due to the LDP flapping issue. That's my best guess. > > Anyone know how to troubleshoot a LDP neighbor flapping issue? The 7613 > is logging this: > > 730278: Mar 4 20:43:48.696 CST: LDP GR: Received FT Sess TLV from > 10.64.0.34:0 (fl 0x1, rs 0x0, rconn 0, rcov 120000) > 730279: Mar 4 20:43:48.696 CST: LDP GR: MFI cutover wait delay = > 600000, Forwarding State Hold Timer = 600000 > 730280: Mar 4 20:43:48.696 CST: LDP GR: searching for down nbr record > (10.64.0.34:0, 10.64.0.178) > 730281: Mar 4 20:43:48.696 CST: LDP GR: Added FT Sess TLV (Rconn > 120000, Rcov 0) to INIT msg to 10.64.0.34:0 > > The 7201 is logging this: > > 054705: Mar 5 00:28:19.599 CST: LDP GR: GR session 10.64.0.20:0:: lost > 054706: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: created > [1 total] > 054707: Mar 5 00:28:19 CST: %LDP-5-GR: GR session 10.64.0.20:0 (inst. > 3): interrupted--recovery pending > 054708: Mar 5 00:28:19.599 CST: LDP GR: GR session 10.64.0.20:0:: > bindings retained > 054709: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: state > change (None -> Reconnect-Wait) > 054710: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: > reconnect timer started [120000 msecs] > 054711: Mar 5 00:28:19.599 CST: LDP GR: down nbr 10.64.0.20:0:: added > to bindings task queue [1 entries] > 054712: Mar 5 00:28:19 CST: %LDP-5-NBRCHG: LDP Neighbor 10.64.0.20:0 > (0) is DOWN (Received error notification from peer: Shut down) > > 054713: Mar 5 00:28:25.923 CST: LDP GR: searching for down nbr record > (10.64.0.20:0, 10.64.0.179) > 054714: Mar 5 00:28:25.923 CST: LDP GR: search for down nbr record > (10.64.0.20:0, 10.64.0.179) returned 10.64.0.20:0 > 054715: Mar 5 00:28:25.923 CST: LDP GR: Added FT Sess TLV (Rconn 0, > Rcov 120000) to INIT msg to 10.64.0.20:0 > 054716: Mar 5 00:28:25.947 CST: LDP GR: Received FT Sess TLV from > 10.64.0.20:0 (fl 0x1, rs 0x0, rconn 120000, rcov 0) > 054717: Mar 5 00:28:25.947 CST: LDP GR: GR session 10.64.0.20:0:: > established > 054718: Mar 5 00:28:25.947 CST: LDP GR: GR session 10.64.0.20:0:: found > down nbr 10.64.0.20:0 > 054719: Mar 5 00:28:25.947 CST: LDP GR: down nbr 10.64.0.20:0:: > reconnect timer stopped > 054720: Mar 5 00:28:25.947 CST: LDP GR: down nbr 10.64.0.20:0:: state > change (Reconnect-Wait -> Recovering) > 054721: Mar 5 00:28:25.947 CST: LDP GR: down nbr 10.64.0.20:0:: > recovery timer started [1 msecs] > 054722: Mar 5 00:28:25 CST: %LDP-5-GR: GR session 10.64.0.20:0 (inst. > 4): starting graceful recovery > 054723: Mar 5 00:28:25 CST: %LDP-5-NBRCHG: LDP Neighbor 10.64.0.20:0 > (4) is UP > 054724: Mar 5 00:28:25.951 CST: LDP GR: down nbr 10.64.0.20:0:: > recovery timer expired > 054725: Mar 5 00:28:25 CST: %LDP-5-GR: GR session 10.64.0.20:0 (inst. > 4): completed graceful recovery > 054726: Mar 5 00:28:25.951 CST: LDP GR: down nbr 10.64.0.20:0:: > destroying record [0 left] > 054727: Mar 5 00:28:25.951 CST: LDP GR: down nbr 10.64.0.20:0:: state > change (Recovering -> Delete-Wait) > > 054728: Mar 5 00:28:28.091 CST: LDP GR: Tagcon querying for up to 12 > bindings update tasks [table 0] > 054729: Mar 5 00:28:28.091 CST: LDP GR: down nbr 10.64.0.20:0:: > requesting bindings DEL for {10.64.0.20:0, 3} > 054730: Mar 5 00:28:28.091 CST: LDP GR: down nbr 10.64.0.20:0:: removed > from bindings task queue [0 entries] > 054731: Mar 5 00:28:28.091 CST: LDP GR: Requesting 1 bindings update > tasks [0 left in queue] > > 10.64.0.20 is a loopback on the 7613 and 10.64.0.34 is a loopback on the > 7201. > > I do have some interface errors which I also can't explain. They do not > appear to be incrementing though. 7613: > > GigabitEthernet9/1 is up, line protocol is up (connected) > Hardware is C6k 1000Mb 802.3, address is 001a.3063.0a80 (bia > 001a.3063.0a80) > Description: TO 2821-2.dc Gi0/0 > Internet address is 10.64.0.179/31 > MTU 9000 bytes, BW 1000000 Kbit, DLY 10 usec, > reliability 255/255, txload 1/255, rxload 1/255 > Encapsulation ARPA, loopback not set > Keepalive set (10 sec) > Full-duplex, 1000Mb/s > input flow-control is off, output flow-control is off > Clock mode is auto > ARP type: ARPA, ARP Timeout 04:00:00 > Last input 00:00:02, output 00:00:00, output hang never > Last clearing of "show interface" counters never > Input queue: 0/75/1936665/7581 (size/max/drops/flushes); Total output > drops: 4 > Queueing strategy: fifo > Output queue: 0/40 (size/max) > 5 minute input rate 49000 bits/sec, 17 packets/sec > 5 minute output rate 56000 bits/sec, 24 packets/sec > L2 Switched: ucast: 52903876 pkt, 3771470311 bytes - mcast: 15056043 > pkt, 1653756471 bytes > L3 in Switched: ucast: 80170438 pkt, 12709078926 bytes - mcast: 0 pkt, > 0 bytes mcast > L3 out Switched: ucast: 185161821 pkt, 36022953056 bytes mcast: 0 pkt, > 0 bytes > 150040994 packets input, 30087625055 bytes, 0 no buffer > Received 15660647 broadcasts (0 IP multicasts) > 30 runts, 4247159 giants, 0 throttles > 1929071 input errors, 68 CRC, 0 frame, 13 overrun, 0 ignored > 0 watchdog, 0 multicast, 0 pause input > 0 input packets with dribble condition detected > 257650143 packets output, 64726258058 bytes, 0 underruns > 2 output errors, 0 collisions, 2 interface resets > 0 babbles, 0 late collision, 0 deferred > 0 lost carrier, 0 no carrier, 0 PAUSE output > 0 output buffer failures, 0 output buffers swapped out > > 7201: > GigabitEthernet0/0 is up, line protocol is up > Hardware is MV64460 Internal MAC, address is 0023.5ee9.ac1b (bia > 0023.5ee9.ac1b) > Description: TO 7613-2.clr Gi9/1 > Internet address is 10.64.0.178/31 > MTU 9000 bytes, BW 1000000 Kbit/sec, DLY 10 usec, > reliability 255/255, txload 1/255, rxload 1/255 > Encapsulation ARPA, loopback not set > Keepalive set (10 sec) > Full-duplex, 1000Mb/s, media type is RJ45 > output flow-control is XON, input flow-control is unsupported > ARP type: ARPA, ARP Timeout 04:00:00 > Last input 00:00:00, output 00:00:00, output hang never > Last clearing of "show interface" counters never > Input queue: 0/75/3951/0 (size/max/drops/flushes); Total output drops: 6 > Queueing strategy: fifo > Output queue: 0/40 (size/max) > 5 minute input rate 45000 bits/sec, 19 packets/sec > 5 minute output rate 64000 bits/sec, 13 packets/sec > 51466122 packets input, 1916487584 bytes, 0 no buffer > Received 1891956 broadcasts, 0 runts, 0 giants, 0 throttles > 5 input errors, 0 CRC, 0 frame, 0 overrun, 5 ignored > 0 watchdog, 2247902 multicast, 0 pause input > 0 input packets with dribble condition detected > 32927369 packets output, 1549013167 bytes, 0 underruns > 8 output errors, 0 collisions, 1 interface resets > 23 unknown protocol drops > 23 unknown protocol drops > 0 babbles, 0 late collision, 0 deferred > 8 lost carrier, 0 no carrier, 0 pause output > 0 output buffer failures, 0 output buffers swapped out > > > Any thoughts as to what's going on here? I can't tell for certain which > of the 2 routers is causing LDP and BGP to drop. Knowing that would > help me narrow my troubleshooting focus. The 7600 is running SRB1 and > the 7201 is running 12.4(15)T7. > > Thanks > Justin > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From geoff at pendery.net Thu Mar 5 13:11:26 2009 From: geoff at pendery.net (Geoffrey Pendery) Date: Thu, 5 Mar 2009 12:11:26 -0600 Subject: [c-nsp] eigrp questions In-Reply-To: References: Message-ID: The HSRP address is only virtual, but the 6509 should also have an actual address on VLAN 2, different from the HSRP address. It is probably the .2 or .3 you're seeing in the routing tables. Issue a "show int VLAN2" on the 6500 to see its actual address. HSRP is generally used to provide redundant gateway for host machines which can't peer with the routing protocol - that .1 address is for static routes or default gateway settings on servers and workstations, not for EIGRP. If you connect the router to both 6509s and run EIGRP, the default behavior will probably be what you see now - two equal cost routes, both 6509s. If you want to force it to use only the first one, then switch to the second in the event of a failure, you can modify the delay value on the interfaces, causing EIGRP to prefer one over the other. This could have implications in the rest of your EIGRP domain though, as this delay information will be advertised to others. If you want to establish the preference only for this router, or only for particular routes, you could use floating statics, or even a single static route to the HSRP address. Which approach is better depends on more details in your network. -Geoff On Thu, Mar 5, 2009 at 11:50 AM, Leslie Meade wrote: > I have two 6509's with sup 32 running HRSP and ether channel links > between them. > > On Vlan2 I have two routers, one that handles T1 and the other DMVPN. > > All devices have eigrp running. Vlan 2 is my routed network to these > devices. The HRSP ip on the 6509 is 10.1.2.1 > > > > On my both of my routers that are only connected to one 6509, when I do > a sh ip route eigrp 100 I get the following. > > > > ?D ? ? ? 10.1.32.0/24 [90/3072] via 10.1.2.3, 1w5d, GigabitEthernet0/0 > > ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? [90/3072] via 10.1.2.2, 1w5d, > GigabitEthernet0/0 > > D EX ? ?10.1.204.0/24 [170/3072] via 10.1.2.3, 1w5d, GigabitEthernet0/0 > > ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? [170/3072] via 10.1.2.2, 1w5d, > GigabitEthernet0/0 > > D EX 192.168.0.0/16 [170/3072] via 10.1.2.3, 1w5d, GigabitEthernet0/0 > > ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?[170/3072] via 10.1.2.2, 1w5d, > GigabitEthernet0/0 > > > > vfs-core-r1#sh ip route 10.1.1.6 > > Routing entry for 10.1.1.0/24 > > ?Known via "eigrp 100", distance 90, metric 3072, type internal > > ?Redistributing via eigrp 100 > > ?Last update from 10.1.2.2 on GigabitEthernet0/0, 1w5d ago > > ?Routing Descriptor Blocks: > > ?* 10.1.2.3, from 10.1.2.3, 1w5d ago, via GigabitEthernet0/0 > > ? ? ?Route metric is 3072, traffic share count is 1 > > ? ? ?Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit > > ? ? ?Reliability 255/255, minimum MTU 1500 bytes > > ? ? ?Loading 1/255, Hops 1 > > ? ?10.1.2.2, from 10.1.2.2, 1w5d ago, via GigabitEthernet0/0 > > ? ? ?Route metric is 3072, traffic share count is 1 > > ? ? ?Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit > > ? ? ?Reliability 255/255, minimum MTU 1500 bytes > > ? ? ?Loading 11/255, Hops 1 > > > > My question is how do I change the weighting on the eigrp so that > 10.1.2.1 is the preferred, then .2 then .3. > > The easy answer is to remove the eigrp from the 2nd 6509, but there is a > move to plug them into the other 6509 for redundancy. > > > > > > Leslie > > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From damin at nacs.net Thu Mar 5 16:53:07 2009 From: damin at nacs.net (Gregory Boehnlein) Date: Thu, 5 Mar 2009 16:53:07 -0500 Subject: [c-nsp] Cisco Dial-Plan Assistance Message-ID: <141f01c99ddc$c4d96fc0$4e8c4f40$@net> Hello, I have a few Cisco 2600s configured as PRI gateways. Most of them have very simple dial-plans, but I'm struggling w/ a more complex plan for a Dual-PRI configuration and I think I'm missing something simple. Here is a run-down of the configuration Carrier PRI <-> Serial 1/0:23 Customer PBX <-> Serial 1/1:23 The routing challenge that I am having is fairly simple, but I'm not finding a solution in the documentation that I'm looking at. Here is run-down of the configuration (Stripped of extra crap) interface Serial1/0:23 description Two-Way PRI to Carrier for 800 Origination/Termination ! interface Serial1/1:23 description Two-Way PRI to Customer dial-peer voice 2000 voip preference 1 destination-pattern 8885551212 session protocol sipv2 session target sip-server dial-peer voice 2001 voip preference 2 huntstop destination-pattern .T session protocol sipv2 session target sip-server dial-peer voice 1000 pots preference 1 destination-pattern 8885551212 direct-inward-dial port 1/1:23 dial-peer voice 1002 pots preference 2 huntstop destination-pattern .T direct-inward-dial port 1/0:23 Currently, this works, but not in the way that I need it to. As it is configured, calls coming in from the Carrier that match the dest "8885551212" are sent directly to the customer's PBX. I need those calls to be sent to the VoIP server first, where we need to record the RTP streams. The Asterisk server, will then deliver the call back to the gateway and hopefully over S1/1:23 to the customer's PBX. So the call flow that I'm looking for is: Carrier PRI -> Cisco -> Asterisk Server -> Cisco -> Customer PBX I feel like I'm missing something really simple.. I don't do a lot of Dial-Plan work on IOS... From kwoody at citytel.net Thu Mar 5 18:22:05 2009 From: kwoody at citytel.net (Keith) Date: Thu, 5 Mar 2009 15:22:05 -0800 (PST) Subject: [c-nsp] 7206vxr cpu usage. Message-ID: <20090305150921.P69720@pop.citytel.net> Have a 7206vxr w/NPE-G1 and a couple of PA gig adapters, one with an SFP one with a GBIC. We have a fiber connection that was 100Meg, plugged into GE0/1. We added another fiber connection that is GigE and connected to the GBIC. This morning I cut over from the old 100meg fiber to the fiber in the GBIC. It was just a matter of moving the IP address of GE0/1 to GE1/0 and we were away and running. Since then, the router CPU has gone up by about 10%. Normally at this time of day its about 22-23%, it is now about 32%. Normally at peak times the CPU barely broke 25%. I'm guessing but it looks like it might break 40% at peak times now. Is the router working harder because of the GBIC and using gig ethernet rather than faste? We were using a gig port on the NPE at 100 meg. sh proc cpu shows that IP input is the top process and ip cef is enabled. Thanks for any input. Keith From stevend at uidaho.edu Thu Mar 5 19:50:12 2009 From: stevend at uidaho.edu (Dodd, Steven) Date: Thu, 5 Mar 2009 16:50:12 -0800 Subject: [c-nsp] 7206vxr cpu usage. In-Reply-To: <20090305150921.P69720@pop.citytel.net> References: <20090305150921.P69720@pop.citytel.net> Message-ID: <4C0A1E4AB1B97642AFB097A8CDA0B223CD8E77@EXVS1.its.uidaho.edu> Are you pushing more traffic through using the new GigE interface? The 7200 uses CPU for everything. -Steve -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Keith Sent: Thursday, March 05, 2009 3:22 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] 7206vxr cpu usage. Have a 7206vxr w/NPE-G1 and a couple of PA gig adapters, one with an SFP one with a GBIC. We have a fiber connection that was 100Meg, plugged into GE0/1. We added another fiber connection that is GigE and connected to the GBIC. This morning I cut over from the old 100meg fiber to the fiber in the GBIC. It was just a matter of moving the IP address of GE0/1 to GE1/0 and we were away and running. Since then, the router CPU has gone up by about 10%. Normally at this time of day its about 22-23%, it is now about 32%. Normally at peak times the CPU barely broke 25%. I'm guessing but it looks like it might break 40% at peak times now. Is the router working harder because of the GBIC and using gig ethernet rather than faste? We were using a gig port on the NPE at 100 meg. sh proc cpu shows that IP input is the top process and ip cef is enabled. Thanks for any input. Keith _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From kwoody at citytel.net Thu Mar 5 19:57:15 2009 From: kwoody at citytel.net (Keith) Date: Thu, 5 Mar 2009 16:57:15 -0800 (PST) Subject: [c-nsp] 7206vxr cpu usage. In-Reply-To: <4C0A1E4AB1B97642AFB097A8CDA0B223CD8E77@EXVS1.its.uidaho.edu> References: <20090305150921.P69720@pop.citytel.net> <4C0A1E4AB1B97642AFB097A8CDA0B223CD8E77@EXVS1.its.uidaho.edu> Message-ID: <20090305165559.R69720@pop.citytel.net> On Thu, 5 Mar 2009, Dodd, Steven wrote: |->Are you pushing more traffic through using the new GigE interface? The |->7200 uses CPU for everything. No, traffic levels are the same right now. We were maxing out the 100 meg link sometimes at peak times. During the day the link does avg about 70-80 megs. From brad.henshaw at qcn.com.au Thu Mar 5 20:04:23 2009 From: brad.henshaw at qcn.com.au (Brad Henshaw) Date: Fri, 6 Mar 2009 11:04:23 +1000 Subject: [c-nsp] Cisco Dial-Plan Assistance Message-ID: <8B25B862BC09784B9B74FB950D4F64D40F81B1@qcnapp01.corp.qcn> Gregory Boehnlein wrote: > I have a few Cisco 2600s configured as PRI gateways... > So the call flow that I'm looking for is: > Carrier PRI -> Cisco -> Asterisk Server -> Cisco -> Customer PBX You need to give the VOIP dial-peer a lower preference: dial-peer voice 2000 voip preference 1 dial-peer voice 1000 pots preference 2 Alternatively you might be able to use trunkgroups and the associated preference parameter but I'm not sure that will work with VoIP/SIP peers. Regards, Brad From justin at justinshore.com Thu Mar 5 20:07:27 2009 From: justin at justinshore.com (Justin Shore) Date: Thu, 05 Mar 2009 19:07:27 -0600 Subject: [c-nsp] 7206vxr cpu usage. In-Reply-To: <20090305150921.P69720@pop.citytel.net> References: <20090305150921.P69720@pop.citytel.net> Message-ID: <49B0774F.2030803@justinshore.com> Keith wrote: > Have a 7206vxr w/NPE-G1 and a couple of PA gig adapters, one with > an SFP one with a GBIC. > > We have a fiber connection that was 100Meg, plugged into GE0/1. > > We added another fiber connection that is GigE and connected to the GBIC. > This morning I cut over from the old 100meg fiber to the fiber in the > GBIC. It was just a matter of moving the IP address of GE0/1 to GE1/0 and > we were away and running. > > Since then, the router CPU has gone up by about 10%. Normally at this time > of day its about 22-23%, it is now about 32%. Normally at peak times the > CPU barely broke 25%. I'm guessing but it looks like it might break 40% at > peak times now. > > Is the router working harder because of the GBIC and using gig ethernet > rather than faste? We were using a gig port on the NPE at 100 meg. > > sh proc cpu shows that IP input is the top process and ip cef is enabled. So before you had data coming in Gi0/1. Where was it going to? My thought here is that the data is now coming in Gi1/0 on a PA which has to cross one of the PCI buses. Were you to say that track used to come in Gi0/1 and exit Gi0/2 then I wouldn't expect the load to go up because of the PCI bus. Of course if it's now coming in Gi1/0 on a PA, dropping onto the PCI bus and then exiting on onboard GigE int (or for that matter another PA) then I would expect the PCI bus to be loaded more and the load on the router to increase accordingly. Maybe someone from Cisco.com could give us more insight. I'm curious about this too because one day I may find myself in a similar situation. Justin From sf at lists.esoteric.ca Thu Mar 5 20:54:57 2009 From: sf at lists.esoteric.ca (Stephen Fulton) Date: Thu, 05 Mar 2009 20:54:57 -0500 Subject: [c-nsp] 12.2 SXI, 12.2 SRC route-map question. Message-ID: <49B08271.7030509@lists.esoteric.ca> Hi all, I am banging my head against the wall with a particular route-map, and I'm seriously wondering if I drank the stupidity kool-aid today. I'm testing a route-map between two BGP speakers, a 7600 running 12.2(33)SRC1 and an ME6524 running 12.2(33)SXI, and for the life of me I cannot get either to match based on a defined community. The matching is done for inbound prefixes. Outbound prefixes from the peer are not filtered, and are visible as (received) when soft-reconfiguration is configured. The specific community below is one of several that may accompany a route. Here is a sample, stripping out the identifying details: (two sample routes, 1.1.1.0/24 and 2.2.2.0/24) - snip - ip community-list TEST-COMMUNITY 65000:1234 ip prefix-list TEST-PREFIX-LIST permit 1.1.1.1/24 route-map TEST-IN permit 100 match ip address prefix-list TEST-PREFIX-LIST route-map TEST-IN permit 200 match community TEST-COMMUNITY set local-pref 90 route-map TEST-IN deny 999 desc The End. - snip - The first route, 1.1.1.1/24 is received and entered into the RIB successfully. The second, which should be matched based on community, is not. It is listed as received, but that's all. What the heck am I missing? -- Stephen From sf at lists.esoteric.ca Thu Mar 5 21:02:17 2009 From: sf at lists.esoteric.ca (Stephen Fulton) Date: Thu, 05 Mar 2009 21:02:17 -0500 Subject: [c-nsp] 12.2 SXI, 12.2 SRC route-map question. In-Reply-To: <49B08271.7030509@lists.esoteric.ca> References: <49B08271.7030509@lists.esoteric.ca> Message-ID: <49B08429.2080304@lists.esoteric.ca> Scratch that, I fell off the stupid tree today. -- Stephen Stephen Fulton wrote: > Hi all, > > I am banging my head against the wall with a particular route-map, and > I'm seriously wondering if I drank the stupidity kool-aid today. I'm > testing a route-map between two BGP speakers, a 7600 running > 12.2(33)SRC1 and an ME6524 running 12.2(33)SXI, and for the life of me I > cannot get either to match based on a defined community. The matching > is done for inbound prefixes. Outbound prefixes from the peer are not > filtered, and are visible as (received) when soft-reconfiguration is > configured. The specific community below is one of several that may > accompany a route. > > Here is a sample, stripping out the identifying details: > > (two sample routes, 1.1.1.0/24 and 2.2.2.0/24) > > - snip - > > ip community-list TEST-COMMUNITY 65000:1234 > > ip prefix-list TEST-PREFIX-LIST permit 1.1.1.1/24 > > route-map TEST-IN permit 100 > match ip address prefix-list TEST-PREFIX-LIST > > route-map TEST-IN permit 200 > match community TEST-COMMUNITY > set local-pref 90 > > route-map TEST-IN deny 999 > desc The End. > > - snip - > > The first route, 1.1.1.1/24 is received and entered into the RIB > successfully. The second, which should be matched based on community, is > not. It is listed as received, but that's all. > > What the heck am I missing? > > -- Stephen > From gert at greenie.muc.de Fri Mar 6 01:41:40 2009 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 6 Mar 2009 07:41:40 +0100 Subject: [c-nsp] ftp.cisco.com unusable? In-Reply-To: References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> Message-ID: <20090306064140.GY290@greenie.muc.de> Hi, On Sat, Feb 28, 2009 at 06:19:47PM +0000, Bernhard Schmidt wrote: > I've sent an email to my SE and all DNS contacts at cisco.com I could > find a week ago, but no answer so far. I'll kick my SE on Monday if it > hasn't improved until then. Any news? (The ftp.cisco.com brokenness has plagued me as well, but I've completely given up complaining about issues with www or ftp.cisco.com) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From Stig.Johansen at atea.no Fri Mar 6 02:01:02 2009 From: Stig.Johansen at atea.no (Stig Johansen) Date: Fri, 6 Mar 2009 08:01:02 +0100 Subject: [c-nsp] ftp.cisco.com unusable? In-Reply-To: <20090306064140.GY290@greenie.muc.de> References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090306064140.GY290@greenie.muc.de> Message-ID: <5EB9799F396A304686962AFFF740ED0CE96C436F@NOOSLEXCH001.adno.local> >(The ftp.cisco.com brokenness has plagued me as well, but I've completely given up complaining about issues with www or ftp.cisco.com) Because of the borked ftp.cisco.com, I have generally used ftp-sj.cisco.com instead, and it works just fine "all the time". /Stig From euang+cisco-nsp at lists.eusahues.co.uk Fri Mar 6 05:31:41 2009 From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway) Date: Fri, 6 Mar 2009 10:31:41 +0000 Subject: [c-nsp] 7206vxr cpu usage. In-Reply-To: <20090305150921.P69720@pop.citytel.net> References: <20090305150921.P69720@pop.citytel.net> Message-ID: <20090306103141.GA5094@hyperion.eusahues.co.uk> On Thu, Mar 05, 2009 at 03:22:05PM -0800, Keith wrote: > Since then, the router CPU has gone up by about 10%. Normally at this time > of day its about 22-23%, it is now about 32%. Normally at peak times the > CPU barely broke 25%. I'm guessing but it looks like it might break 40% at > peak times now. > > Is the router working harder because of the GBIC and using gig ethernet > rather than faste? We were using a gig port on the NPE at 100 meg. The main BCM1250 processor on the NPE-G1 is what provides the gig ports on the NPE. It shouldn't be too surprising to find that it's easier to just pass bits around inside the CPU rather than out through the processor's seperate PCI I/O capability to reach the PCI backplanes in the VXR chassis in order to chat with the PA-GEs. The performance figures for an NPE-G1 are always onboard to onboard. Using a PA really takes the edge off of the NPE-G1. I've not yet had a play with the 7201 which is similar but different, in that none of the onboard are on the main CPU, but 3 are "directly" on one supporting chip, and the fourth is hung of that chip's PCI-X bus. I wonder what interesting brokenness awaits there. -- Euan Galloway From Michael.Robson at manchester.ac.uk Fri Mar 6 06:30:00 2009 From: Michael.Robson at manchester.ac.uk (Michael Robson) Date: Fri, 6 Mar 2009 11:30:00 +0000 Subject: [c-nsp] UDP-helper problem In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D32B2@LMC-MAIL2.exempla.org> References: <35870.1236192857@lavin-llc.com> <2B8F519A-BE98-44BA-841D-4C304E19CD11@manchester.ac.uk> <4288131ED5E3024C9CD4782CECCAD2C7065D32B2@LMC-MAIL2.exempla.org> Message-ID: <134CA3C2-4B00-4D44-835A-2FA2EF2BF285@manchester.ac.uk> Yup. On 4 Mar 2009, at 21:30, Matlock, Kenneth L wrote: > Extended ping using the source interface of Vlan937 as well works? > > Ken Matlock > Network Analyst > Exempla Healthcare > (303) 467-4671 > matlockk at exempla.org > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Robson > Sent: Wednesday, March 04, 2009 2:28 PM > To: chris at lavin-llc.com > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] UDP-helper problem > > Yes there is a route to a.b.c.d and yes we can ping the DHCP server > from everywhere, including the new sup. > > On 4 Mar 2009, at 18:54, wrote: > >> On Wed Mar 4 8:00 , Michael Robson sent: >> >>> I have recently moved the routing of a subnet from an old sup2/msfc2 >>> 6500 (Version 12.1(26)E8, RELEASE SOFTWARE (fc1)) to a newer sup3/ >>> msfc3 6500 (Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)). On the >>> old >>> router the udp-helper command worked fine, but on the new router I >>> can >>> see the DHCP address coming in but not the reply coming back and the >>> DHCP server isn't seeing the request arriving. Can anyone suggest >>> why >>> this might have stopped working (it isn't an ACL or firewall issue >>> as >>> there aren't any in the way) and I haven't turned _off_ any >>> component >>> of udp-helper (i.e. using the ip forward-protocol command). >>> >>> interface Vlan937 >>> description XXXYYYZZZ >>> ip address w.x.y.z 255.255.255.192 >>> ip helper-address a.b.c.d >>> >> >> From this new sup, do you have a route to a.b.c.d? Can you ping the >> DHCP server from this new sup? >> >> >> -chris >> > > > Michael > -- > > Michael Robson | Tel: +44 (0) 161 275 6113 > Senior Network Engineer | Fax: +44 (0) 161 275 6120 > Net North West | Email: Michael.Robson at manchester.ac.uk > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ Michael -- Michael Robson | Tel: +44 (0) 161 275 6113 Senior Network Engineer | Fax: +44 (0) 161 275 6120 Net North West | Email: Michael.Robson at manchester.ac.uk From networkstuff.training at gmail.com Fri Mar 6 09:23:11 2009 From: networkstuff.training at gmail.com (Swati Sharma) Date: Fri, 6 Mar 2009 19:53:11 +0530 Subject: [c-nsp] sup redundancy - hot vs warm Message-ID: <8a93d4b30903060623m5ce48252kc6259b5424fe2241@mail.gmail.com> Hi, On 6500 i can see below information... once it says hot standby and anotherside it says warm... any idea !!!! Peer Processor Information : ---------------------------- Standby Location = slot 6 Current Software state = STANDBY HOT Uptime in current state = 3 minutes Image Version = Cisco Internetwork Operating System Software IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF12a, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by cisco Systems, Inc. Compiled Thu 10-Jan-08 23:52 by kellythw BOOT = disk0:s72033-adventerprisek9_wan-mz.122-18.SXF12a.bin,12 CONFIG_FILE = BOOTLDR = Configuration register = 0x2102 Router#sh mod Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 1 24 CEF720 24 port 1000mb SFP WS-X6724-SFP SAL26K 5 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL SAL112 6 2 Supervisor Engine 720 (Warm) WS-SUP720-3BXL SAL122 Mod MAC addresses Hw Fw Regards, From James.Pender at PAETEC.com Fri Mar 6 09:34:01 2009 From: James.Pender at PAETEC.com (Pender, James) Date: Fri, 6 Mar 2009 09:34:01 -0500 Subject: [c-nsp] sup redundancy - hot vs warm In-Reply-To: <8a93d4b30903060623m5ce48252kc6259b5424fe2241@mail.gmail.com> References: <8a93d4b30903060623m5ce48252kc6259b5424fe2241@mail.gmail.com> Message-ID: Are you running SSO? Have you given the processors a change to sync after what looks like a reboot? -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Swati Sharma Sent: Friday, March 06, 2009 9:23 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] sup redundancy - hot vs warm Hi, On 6500 i can see below information... once it says hot standby and anotherside it says warm... any idea !!!! Peer Processor Information : ---------------------------- Standby Location = slot 6 Current Software state = STANDBY HOT Uptime in current state = 3 minutes Image Version = Cisco Internetwork Operating System Software IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF12a, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by cisco Systems, Inc. Compiled Thu 10-Jan-08 23:52 by kellythw BOOT = disk0:s72033-adventerprisek9_wan-mz.122-18.SXF12a.bin,12 CONFIG_FILE = BOOTLDR = Configuration register = 0x2102 Router#sh mod Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 1 24 CEF720 24 port 1000mb SFP WS-X6724-SFP SAL26K 5 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL SAL112 6 2 Supervisor Engine 720 (Warm) WS-SUP720-3BXL SAL122 Mod MAC addresses Hw Fw Regards, _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From saku+cisco-nsp at ytti.fi Fri Mar 6 10:13:25 2009 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Fri, 6 Mar 2009 17:13:25 +0200 Subject: [c-nsp] ftp.cisco.com unusable? In-Reply-To: <5EB9799F396A304686962AFFF740ED0CE96C436F@NOOSLEXCH001.adno.local> References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090306064140.GY290@greenie.muc.de> <5EB9799F396A304686962AFFF740ED0CE96C436F@NOOSLEXCH001.adno.local> Message-ID: <20090306151325.GA17796@mx.ytti.net> On (2009-03-06 08:01 +0100), Stig Johansen wrote: > >(The ftp.cisco.com brokenness has plagued me as well, but I've completely given up complaining about issues with www or ftp.cisco.com) > > Because of the borked ftp.cisco.com, I have generally used ftp-sj.cisco.com instead, and it works just fine "all the time". I noticed this same years ago, this is why I use ftp-sj. However somewhere between beginning of time and now it seems to have lost relevance: [ytti at ytti.fi ~]% dig ftp.cisco.com +short 198.133.219.241 [ytti at ytti.fi ~]% dig ftp-sj.cisco.com +short download-sj.cisco.com. 198.133.219.241 -- ++ytti From justin at justinshore.com Fri Mar 6 10:29:13 2009 From: justin at justinshore.com (Justin Shore) Date: Fri, 06 Mar 2009 09:29:13 -0600 Subject: [c-nsp] OT: TCL Book recommendation for Cisco EEM Message-ID: <49B14149.7050702@justinshore.com> Does anyone have any suggestions on a good book on TCL scripting for Cisco's EEM? As a complete TCL novice, a good TCL intro would be good. I can probably use existing EEM examples to learn the intricacies of using TCL for Cisco I think, unless someone knows of a book that covers that too. http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview.html Thanks Justin From blahu77 at gmail.com Fri Mar 6 10:31:26 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Fri, 6 Mar 2009 15:31:26 +0000 Subject: [c-nsp] ftp.cisco.com unusable? In-Reply-To: <20090306151325.GA17796@mx.ytti.net> References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090306064140.GY290@greenie.muc.de> <5EB9799F396A304686962AFFF740ED0CE96C436F@NOOSLEXCH001.adno.local> <20090306151325.GA17796@mx.ytti.net> Message-ID: <383357750903060731q1e43cdccxd9d28d2df921d259@mail.gmail.com> > I noticed this same years ago, this is why I use ftp-sj. However somewhere > between beginning of time and now it seems to have lost relevance: > > [ytti at ytti.fi ~]% dig ftp.cisco.com +short > 198.133.219.241 > [ytti at ytti.fi ~]% dig ftp-sj.cisco.com +short > download-sj.cisco.com. > 198.133.219.241 1 IP does not mean same machine these days -- pgp-key 0x1C655CAB From Michael.Robson at manchester.ac.uk Fri Mar 6 10:59:46 2009 From: Michael.Robson at manchester.ac.uk (Michael Robson) Date: Fri, 6 Mar 2009 15:59:46 +0000 Subject: [c-nsp] UDP-helper problem In-Reply-To: <1236248680.5801.134.camel@localhost.localdomain> References: <2CE904AA-FF23-4480-8D58-1322E1521FBD@manchester.ac.uk> <1236248680.5801.134.camel@localhost.localdomain> Message-ID: On 5 Mar 2009, at 10:24, Peter Rathlev wrote: > On Wed, 2009-03-04 at 13:00 +0000, Michael Robson wrote: >> I have recently moved the routing of a subnet from an old sup2/msfc2 >> 6500 (Version 12.1(26)E8, RELEASE SOFTWARE (fc1)) to a newer sup3/ >> msfc3 6500 (Version 12.2(18)SXF13, RELEASE SOFTWARE (fc1)). On the >> old >> router the udp-helper command worked fine, but on the new router I >> can >> see the DHCP address coming in but not the reply coming back and the >> DHCP server isn't seeing the request arriving. Can anyone suggest why >> this might have stopped working (it isn't an ACL or firewall issue as >> there aren't any in the way) and I haven't turned _off_ any component >> of udp-helper (i.e. using the ip forward-protocol command). >> >> interface Vlan937 >> description XXXYYYZZZ >> ip address w.x.y.z 255.255.255.192 >> ip helper-address a.b.c.d > > AFAIK this forwarding requires the device to have "service dhcp", > which > is default. Do you have "no service dhcp" defined maybe? > > (I might have misunderstood this requirement though.) > The DHCP is no on a router, but a linux server several hops away. > We use this in many places for Sup720 SXF13 boxes, so it should work. > > Another thing could be the DHCP server. If you know "by sniff" that > the > packet doesn't arrive at the DHCP this is not relevant, but the DHCP > server would of course only reply if e.g. netmasks are the same. The traffic doesn't arrive at the DHCP server. Thanks, Michael -- From moua0100 at umn.edu Fri Mar 6 11:02:42 2009 From: moua0100 at umn.edu (Ge Moua) Date: Fri, 06 Mar 2009 10:02:42 -0600 Subject: [c-nsp] OT: TCL Book recommendation for Cisco EEM In-Reply-To: <49B14149.7050702@justinshore.com> References: <49B14149.7050702@justinshore.com> Message-ID: <49B14922.2030803@umn.edu> The "monkey book" was what I started with. Very detailed with pretty good intro. http://oreilly.com/catalog/expect/chapter/ch03.html Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Justin Shore wrote: > Does anyone have any suggestions on a good book on TCL scripting for > Cisco's EEM? As a complete TCL novice, a good TCL intro would be > good. I can probably use existing EEM examples to learn the > intricacies of using TCL for Cisco I think, unless someone knows of a > book that covers that too. > > http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview.html > > > Thanks > Justin > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From elparis at cisco.com Fri Mar 6 11:36:22 2009 From: elparis at cisco.com (Eloy Paris) Date: Fri, 6 Mar 2009 11:36:22 -0500 Subject: [c-nsp] OT: TCL Book recommendation for Cisco EEM In-Reply-To: <49B14922.2030803@umn.edu> References: <49B14149.7050702@justinshore.com> <49B14922.2030803@umn.edu> Message-ID: <20090306163622.GG7620@cisco.com> On Fri, Mar 06, 2009 at 10:02:42AM -0600, Ge Moua wrote: > The "monkey book" was what I started with. Very detailed with pretty > good intro. > > http://oreilly.com/catalog/expect/chapter/ch03.html Agreed - the Expect book has a great Tcl introduction. Just one chapter but it goes over the most important Tcl aspects. I also reference this short tutorial a lot: http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html Keep in mind that none of these have any information about Cisco EEM - it's basic Tcl, and for Cisco EEM you'll need to read the Cisco EEM documentation. Cheers, -- Eloy Paris Cisco PSIRT Ph: +1 919 392-9118 From saku+cisco-nsp at ytti.fi Fri Mar 6 11:37:16 2009 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Fri, 6 Mar 2009 18:37:16 +0200 Subject: [c-nsp] ftp.cisco.com unusable? In-Reply-To: <383357750903060731q1e43cdccxd9d28d2df921d259@mail.gmail.com> References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090306064140.GY290@greenie.muc.de> <5EB9799F396A304686962AFFF740ED0CE96C436F@NOOSLEXCH001.adno.local> <20090306151325.GA17796@mx.ytti.net> <383357750903060731q1e43cdccxd9d28d2df921d259@mail.gmail.com> Message-ID: <20090306163716.GB18235@mx.ytti.net> On (2009-03-06 15:31 +0000), Mateusz Blaszczyk wrote: > > I noticed this same years ago, this is why I use ftp-sj. However somewhere > > between beginning of time and now it seems to have lost relevance: > > > > [ytti at ytti.fi ~]% dig ftp.cisco.com +short > > 198.133.219.241 > > [ytti at ytti.fi ~]% dig ftp-sj.cisco.com +short > > download-sj.cisco.com. > > 198.133.219.241 > > 1 IP does not mean same machine these days Unlike HTTP/1.1 FTP does not tell which was the DNS name attempted, as that information is lost SLB can not use that information to steer traffic. Connecting with ftp to ftp.cisco.com, ftp-sj.cisco.com or 198.133.219.241 in above case would be equal. Of course we can't determine where 198.133.219.241 will end up, but where ever it will be, ftp-sj or ftp does not make difference. Thanks, -- ++ytti From Michael.Robson at manchester.ac.uk Fri Mar 6 12:09:11 2009 From: Michael.Robson at manchester.ac.uk (Michael Robson) Date: Fri, 6 Mar 2009 17:09:11 +0000 Subject: [c-nsp] UDP-helper problem In-Reply-To: <200903061010200.SM05152@Inbox> References: <200903061010200.SM05152@Inbox> Message-ID: <27EE268A-8634-497B-97E1-E34C807995DB@manchester.ac.uk> > Make sure u dont have no service dhcp in your config. > >>> ... >> >> AFAIK this forwarding requires the device to have "service dhcp", >> which >> is default. Do you have "no service dhcp" defined maybe? >> >> ... Ahh the penny finally drops, thanks. Yes the router had "no service DHCP" set. I had wrongly thought that this command was for the DHCP server feature on the router, I didn't realise it was for the relaying side too. Thanks all, Michael -- From justin at justinshore.com Fri Mar 6 12:12:00 2009 From: justin at justinshore.com (Justin Shore) Date: Fri, 06 Mar 2009 11:12:00 -0600 Subject: [c-nsp] OT: TCL Book recommendation for Cisco EEM In-Reply-To: <20090306163622.GG7620@cisco.com> References: <49B14149.7050702@justinshore.com> <49B14922.2030803@umn.edu> <20090306163622.GG7620@cisco.com> Message-ID: <49B15960.8040507@justinshore.com> Eloy Paris wrote: > On Fri, Mar 06, 2009 at 10:02:42AM -0600, Ge Moua wrote: > >> The "monkey book" was what I started with. Very detailed with pretty >> good intro. >> >> http://oreilly.com/catalog/expect/chapter/ch03.html > > Agreed - the Expect book has a great Tcl introduction. Just one chapter > but it goes over the most important Tcl aspects. > > I also reference this short tutorial a lot: > > http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html > > Keep in mind that none of these have any information about Cisco EEM - > it's basic Tcl, and for Cisco EEM you'll need to read the Cisco EEM > documentation. Thanks for the replies, guys. I believe I may already have that book. I'll have to look when I get home. The tutorial looks very useful too. Thanks for the info! Justin From blahu77 at gmail.com Fri Mar 6 12:18:56 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Fri, 6 Mar 2009 17:18:56 +0000 Subject: [c-nsp] ftp.cisco.com unusable? In-Reply-To: <20090306163716.GB18235@mx.ytti.net> References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090306064140.GY290@greenie.muc.de> <5EB9799F396A304686962AFFF740ED0CE96C436F@NOOSLEXCH001.adno.local> <20090306151325.GA17796@mx.ytti.net> <383357750903060731q1e43cdccxd9d28d2df921d259@mail.gmail.com> <20090306163716.GB18235@mx.ytti.net> Message-ID: <383357750903060918k5b0b7b1er7022bedaf9fee9de@mail.gmail.com> 2009/3/6 Saku Ytti : > On (2009-03-06 15:31 +0000), Mateusz Blaszczyk wrote: >> 1 IP does not mean same machine these days > > Unlike HTTP/1.1 FTP does not tell which was the DNS name attempted, as > that information is lost SLB can not use that information to steer > traffic. Another day, another thing I learnt, I thank You. > Connecting with ftp to ftp.cisco.com, ftp-sj.cisco.com or > 198.133.219.241 in above case would be equal. > Of course we can't determine where 198.133.219.241 will end up, > but where ever it will be, ftp-sj or ftp does not make difference. I agree -- pgp-key 0x1C655CAB From mailinglists at unix-scripts.com Fri Mar 6 13:12:09 2009 From: mailinglists at unix-scripts.com (Shaun R.) Date: Fri, 6 Mar 2009 10:12:09 -0800 Subject: [c-nsp] Input Errors Message-ID: I seam to be having a few customer complain about latency and I'm not sure what's going on. There traceroutes always show the latency on my layer2 side of the connect from my upstream. It always seams to be the same upstream but my other two don't really move too much traffic. One thing I did notice is that I'm seeing input errors on some interested. I'm seeing input errors on the interface that connects to the upstream, as well as input errors on interfaces that are connecting my borders to my core/access switch. I try to trace from my gear out to the customers ip and the trace goes out the same upstream but latency looks normal and is half what they see when coming in. I'm been trying to figure out what might be going on but it's proving difficult. So what's causing these input errors? I have them on every interface on both my borders. Whats weird is that on my core/access switches that connect to the borders i dont see any errors on those interfaces. My network design is simple. * two border routers, 7206VXR-NPE-G2 * 3750 stack as core/access * gigE connection between borders and core/access * gigE connection between borders * gigE connection to all 3 upstreams. * full BGP between borders * OSPF between borders and core/access * full BGP to upstreams * Primary upstream pushes about 200mbit * secondary upstream pushes around 40mbit * third upstream pushes around 10mbit. Any help would be appreciated, thanks in advance! border1#sh int | inc input errors 16 input errors, 0 CRC, 0 frame, 0 overrun, 16 ignored [ GigE 0/1 ] 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored [ FE/02 Shutdown] 6 input errors, 0 CRC, 0 frame, 0 overrun, 6 ignored [GigE 0/2] 6464 input errors, 0 CRC, 0 frame, 0 overrun, 6464 ignored [ GigE 0/3 ] 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored [FE1/0 Shutdown] 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort [Loopback0] border2#sh int | inc input errors 6712 input errors, 0 CRC, 0 frame, 0 overrun, 6712 ignored [ GigE 0/1 ] 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored [ FE 0/2 Shutdown ] 23 input errors, 0 CRC, 0 frame, 0 overrun, 23 ignored [ GigE 0/2 ] 14805 input errors, 0 CRC, 0 frame, 0 overrun, 14805 ignored [ GigE 0/3 ] 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored [ FE 1/0 Shutdown ] 257 input errors, 0 CRC, 0 frame, 66 overrun, 191 ignored [ GigE 2/0 ] 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort [Loopback0] ~Shaun From rodunn at cisco.com Fri Mar 6 13:31:28 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Fri, 6 Mar 2009 13:31:28 -0500 Subject: [c-nsp] Input Errors In-Reply-To: References: Message-ID: <20090306183128.GV23482@rtp-cse-489.cisco.com> Very unlikely the ignores are causing latency that would be noticed for transit packets going through a 72xx due to it's architecture. It will introduce a very small amount because it signals the rx ring filled up with packets coming in. But given the transit packet forwarding speed to drain that rx ring it would be very very minimal. These ignores ususally come from microburst on the wire where the upstream sent a gige linerate type burst that the 72xx couldn't pull off the wire fast enough. It's the most common issue seen on 72xx's (or any sw forwarding gige box) that connects to a device that can do linerate gige on transmit. There have been some other improvements to prevent things like 'sh ver' from blocking interrupts for a very small amount of time so make sure you are on something pretty recents such ast 12.4(20) or later mainline or 12.4(20)T or later. Rodney On Fri, Mar 06, 2009 at 10:12:09AM -0800, Shaun R. wrote: > I seam to be having a few customer complain about latency and I'm not sure > what's going on. There traceroutes always show the latency on my layer2 > side of the connect from my upstream. It always seams to be the same > upstream but my other two don't really move too much traffic. One thing I > did notice is that I'm seeing input errors on some interested. I'm seeing > input errors on the interface that connects to the upstream, as well as > input errors on interfaces that are connecting my borders to my core/access > switch. I try to trace from my gear out to the customers ip and the trace > goes out the same upstream but latency looks normal and is half what they > see when coming in. I'm been trying to figure out what might be going on > but it's proving difficult. > > So what's causing these input errors? I have them on every interface on > both my borders. Whats weird is that on my core/access switches that > connect to the borders i dont see any errors on those interfaces. > > My network design is simple. > > * two border routers, 7206VXR-NPE-G2 > * 3750 stack as core/access > * gigE connection between borders and core/access > * gigE connection between borders > * gigE connection to all 3 upstreams. > * full BGP between borders > * OSPF between borders and core/access > * full BGP to upstreams > * Primary upstream pushes about 200mbit > * secondary upstream pushes around 40mbit > * third upstream pushes around 10mbit. > > Any help would be appreciated, thanks in advance! > > border1#sh int | inc input errors > 16 input errors, 0 CRC, 0 frame, 0 overrun, 16 ignored [ GigE 0/1 ] > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored [ FE/02 Shutdown] > 6 input errors, 0 CRC, 0 frame, 0 overrun, 6 ignored [GigE 0/2] > 6464 input errors, 0 CRC, 0 frame, 0 overrun, 6464 ignored [ GigE 0/3 ] > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored [FE1/0 Shutdown] > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort > [Loopback0] > > border2#sh int | inc input errors > 6712 input errors, 0 CRC, 0 frame, 0 overrun, 6712 ignored [ GigE 0/1 ] > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored [ FE 0/2 > Shutdown ] > 23 input errors, 0 CRC, 0 frame, 0 overrun, 23 ignored [ GigE 0/2 ] > 14805 input errors, 0 CRC, 0 frame, 0 overrun, 14805 ignored [ GigE > 0/3 ] > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored [ FE 1/0 > Shutdown ] > 257 input errors, 0 CRC, 0 frame, 66 overrun, 191 ignored [ GigE 2/0 ] > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort > [Loopback0] > > > ~Shaun > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From behrnetworks at gmail.com Fri Mar 6 13:42:28 2009 From: behrnetworks at gmail.com (Chris) Date: Fri, 6 Mar 2009 13:42:28 -0500 Subject: [c-nsp] Forward protocol 41 on PIX 501? Message-ID: <64aa03030903061042p6d5782te95edc9f16738202@mail.gmail.com> Is it possible to forward protocol 41 (or any protocol # for that matter) on a PIX 501 running 6.3(5) or is that a 7.x thing only? I'm poking at ACL syntax but maybe I'm just missing something. Thanks! From mailinglists at unix-scripts.com Fri Mar 6 13:43:55 2009 From: mailinglists at unix-scripts.com (Shaun R.) Date: Fri, 6 Mar 2009 10:43:55 -0800 Subject: [c-nsp] Input Errors In-Reply-To: <20090306183128.GV23482@rtp-cse-489.cisco.com> References: <20090306183128.GV23482@rtp-cse-489.cisco.com> Message-ID: I'm running 12.4(15)T7 right now. Looks like cisco changed there site a bit and the latest release of mainline is 12.4.23(MD), anybody see any problems upgrading to this? ~Shaun From zeusdadog at gmail.com Fri Mar 6 14:25:57 2009 From: zeusdadog at gmail.com (Jay Nakamura) Date: Fri, 6 Mar 2009 14:25:57 -0500 Subject: [c-nsp] IOS content filtering with Trend Micro Message-ID: <9418aca70903061125p5fda1f3cw3d76681437624ddc@mail.gmail.com> I was looking into doing web content filtering on ISRs with the trend micro/IOS content filtering for some rudimentary blocking of bad sites. Wanted to see if anyone has used it, and any thought/opinions on it. Does it tax the router much? How effective is it? Thanks! From gert at greenie.muc.de Fri Mar 6 17:45:16 2009 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 6 Mar 2009 23:45:16 +0100 Subject: [c-nsp] ftp.cisco.com unusable? In-Reply-To: <5EB9799F396A304686962AFFF740ED0CE96C436F@NOOSLEXCH001.adno.local> References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090306064140.GY290@greenie.muc.de> <5EB9799F396A304686962AFFF740ED0CE96C436F@NOOSLEXCH001.adno.local> Message-ID: <20090306224516.GV290@greenie.muc.de> Hi, On Fri, Mar 06, 2009 at 08:01:02AM +0100, Stig Johansen wrote: > Because of the borked ftp.cisco.com, I have generally used > ftp-sj.cisco.com instead, and it works just fine "all the time". Unfortunately, it doesn't. ftp-sj is also balanced to 4 different servers, half of them choking on EPSV commands. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From lukasz at bromirski.net Fri Mar 6 17:48:16 2009 From: lukasz at bromirski.net (=?ISO-8859-2?Q?=A3ukasz_Bromirski?=) Date: Fri, 06 Mar 2009 23:48:16 +0100 Subject: [c-nsp] Input Errors In-Reply-To: References: <20090306183128.GV23482@rtp-cse-489.cisco.com> Message-ID: <49B1A830.1090207@bromirski.net> On 2009-03-06 19:43, Shaun R. wrote: > I'm running 12.4(15)T7 right now. Looks like cisco changed there > site a bit and the latest release of mainline is 12.4.23(MD), anybody > see any problems upgrading to this? That won't be an 'upgrade' - 12.4(15)T7 you're running is a technical (read: more features, possibly some new bugs) train for 12.4. 12.4(23) you're choosing is actually 'older' version of IOS, the one 12.4T was branched some time ago. But 12.4 "mainline" got only bug fixes in meantime, and Rodney pointed You to some new fixes in the IOS code focused around CEF to better service traffic under load. I believe they were commited only to "T" code, so You better bet would be something like newest rebuild of 12.4(20)T or 12.4(22)T. -- "Don't expect me to cry for all the | ?ukasz Bromirski reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net From asturluismi at gmail.com Fri Mar 6 18:42:53 2009 From: asturluismi at gmail.com (luismi) Date: Sat, 07 Mar 2009 00:42:53 +0100 Subject: [c-nsp] Disabling "enable" command for users at privilege 0 Message-ID: <1236382973.7344.0.camel@dsba-ipso> Is possible to disable "enable" command for users at privilege 0? From amsoares at netcabo.pt Fri Mar 6 21:27:20 2009 From: amsoares at netcabo.pt (Antonio Soares) Date: Sat, 7 Mar 2009 02:27:20 -0000 Subject: [c-nsp] Disabling "enable" command for users at privilege 0 In-Reply-To: <1236382973.7344.0.camel@dsba-ipso> References: <1236382973.7344.0.camel@dsba-ipso> Message-ID: <0640DEEAA56B4A428B55F6FAAB1326AF@int.convex.pt> privilege exec level 1 enable Regards, Antonio Soares, CCIE #18473 (R&S) amsoares at netcabo.pt -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi Sent: sexta-feira, 6 de Mar?o de 2009 23:43 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Disabling "enable" command for users at privilege 0 Is possible to disable "enable" command for users at privilege 0? _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From bitkraft at gmail.com Fri Mar 6 21:35:40 2009 From: bitkraft at gmail.com (Brian Spade) Date: Fri, 6 Mar 2009 18:35:40 -0800 Subject: [c-nsp] Issue with 16MB flash card in ls1010 Message-ID: <505b616c0903061835v46a1ebd3yf22f3dff85c1ff6e@mail.gmail.com> Hey all, I'm trying to install a 16mb flash card into an LS1010 running 12.0(10). The LS1010 recognizes the card from a 'sh ver' but pauses and spits out a traceback when viewing: Cisco Internetwork Operating System Software IOS (tm) LS1010 WA4-5 Software (LS1010-WP-M), Version 12.0(10), RELEASE SOFTWARE (fc1) Copyright (c) 1986-2000 by cisco Systems, Inc. Compiled Wed 22-Mar-00 08:39 by phanguye Image text-base: 0x60010930, data-base: 0x60696000 ROM: System Bootstrap, Version 11.2(1.4.WA3.0) [integ 1.4.WA3.0], RELEASE SOFTWARE RegIV_1010 uptime is 14 minutes System restarted by reload Running default software cisco LS1010 (R4600) processor with 65536K bytes of memory. R4700 processor, Implementation 33, Revision 1.0 Last reset from power-on 1 Ethernet/IEEE 802.3 interface(s) 10 ATM network interface(s) 123K bytes of non-volatile configuration memory. 16384K bytes of Flash PCMCIA card at slot 0 (Sector size 128K). 8192K bytes of Flash internal SIMM (Sector size 256K). --More-- *Mar 6 18:49:26.159: %SYS-3-CPUHOG: Task ran for 4804 msec (50/0), process = Exec, PC = 600A8E90. -Traceback= 600A8E98 60038260 6003895C 60038374 60038118 6003895C 60038374 60057794 6004BAFC 600569F4 6009701Configuration register is 0x2102 I try to format the card and get the same error: IV_1010#format slot0: Format operation may take a while. Continue? [confirm] Format operation will destroy all data in "slot0:". Continue? [confirm] %Error formatting slot0: (Error reading for erase check) RegIV_1010# *Mar 6 18:52:31.111: %SYS-3-CPUHOG: Task ran for 4844 msec (43/0), process = Exec, PC = 600A8E90. -Traceback= 600A8E98 60038260 6003895C 60038374 600CAEF4 6004BAFC 600569F4 6009701C 60097008 Any ideas on what's going on? Thanks, /bs From kgraham at industrial-marshmallow.com Fri Mar 6 20:50:10 2009 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Fri, 6 Mar 2009 17:50:10 -0800 (PST) Subject: [c-nsp] Disabling "enable" command for users at privilege 0 References: <1236382973.7344.0.camel@dsba-ipso> Message-ID: <171978.68228.qm@web902.biz.mail.mud.yahoo.com> > Is possible to disable "enable" command for users at privilege 0? With a "parser view" you can exclude-command enable; then just assign those users that view (ie. "username noc view LIMITED passsword 0 test"). This works under 12.4T, there is a (still undetermined) bug that prevents it from working properly in earlier releases. From bitkraft at gmail.com Fri Mar 6 22:16:50 2009 From: bitkraft at gmail.com (Brian Spade) Date: Fri, 6 Mar 2009 19:16:50 -0800 Subject: [c-nsp] Issue with 16mb flash card on an LS1010 Message-ID: <505b616c0903061916v59a55553sf3add4dca50674e7@mail.gmail.com> Hi all, I have installed a 16 mb flash card into an LS1010. From the 'sh ver', the card is shown/recognized, but I get a trackback error: Cisco Internetwork Operating System Software IOS (tm) LS1010 WA4-5 Software (LS1010-WP-M), Version 12.0(10), RELEASE SOFTWARE (fc1) Copyright (c) 1986-2000 by cisco Systems, Inc. Compiled Wed 22-Mar-00 08:39 by phanguye Image text-base: 0x60010930, data-base: 0x60696000 ROM: System Bootstrap, Version 11.2(1.4.WA3.0) [integ 1.4.WA3.0], RELEASE SOFTWARE RegIV_1010 uptime is 14 minutes System restarted by reload Running default software cisco LS1010 (R4600) processor with 65536K bytes of memory. R4700 processor, Implementation 33, Revision 1.0 Last reset from power-on 1 Ethernet/IEEE 802.3 interface(s) 10 ATM network interface(s) 123K bytes of non-volatile configuration memory. 16384K bytes of Flash PCMCIA card at slot 0 (Sector size 128K). 8192K bytes of Flash internal SIMM (Sector size 256K). --More-- *Mar 6 18:49:26.159: %SYS-3-CPUHOG: Task ran for 4804 msec (50/0), process = Exec, PC = 600A8E90. -Traceback= 600A8E98 60038260 6003895C 60038374 60038118 6003895C 60038374 60057794 6004BAFC 600569F4 6009701Configuration register is 0x2102 I can't format the card either: IV_1010#format slot0: Format operation may take a while. Continue? [confirm] Format operation will destroy all data in "slot0:". Continue? [confirm] %Error formatting slot0: (Error reading for erase check) RegIV_1010# *Mar 6 18:52:31.111: %SYS-3-CPUHOG: Task ran for 4844 msec (43/0), process = Exec, PC = 600A8E90. -Traceback= 600A8E98 60038260 6003895C 60038374 600CAEF4 6004BAFC 600569F4 6009701C 60097008 Any idea on what's going on? Thanks.... /bs From charles at thewybles.com Fri Mar 6 22:23:17 2009 From: charles at thewybles.com (Charles Wyble) Date: Fri, 06 Mar 2009 19:23:17 -0800 Subject: [c-nsp] Resetting an RSM password/config Message-ID: <49B1E8A5.8070807@thewybles.com> All, I recently purchased some cisco gear for my lab. One of the things I am doing is configuring a Catalyst 5505 with a Route Switch Module (RSM). Any idea how to reset the config to factory defaults? I bought it second hand and need to clear the configs as I don't know the password. I googled a bit and didn't find anything. Thanks. -- Charles N Wyble charles at thewybles.com (818)280-7059 http://charlesnw.blogspot.com CTO SocalWiFI.net From mksmith at adhost.com Fri Mar 6 22:48:25 2009 From: mksmith at adhost.com (Michael K. Smith) Date: Fri, 06 Mar 2009 19:48:25 -0800 Subject: [c-nsp] Horrible MPPP Performance Message-ID: Hello Everyone: I have two 2800 series routers with 4, clear-channel T-1's between. I'm running MPPP with the 4 T1's in the bundle. Performance is *awful*. 100 byte packets, 40 ms with 98% delivered. 1500 byte packets, 900 ms latency with 25% packet loss. Here are my config snippets from the two routers. I've done everything I can think of and nothing seems to change the performance. Any help would be greatly appreciated. I've tried moving clock from one side to another, tried running with network-clock-participate on the line-clocked side, set both sides to line, set both sides to internal. The configuration below is the only one that shows no slips, but the performance is still terrible. I've also tried changing the load-balancing from per-packet to per-destination to FIFO to Fair queue. Nothing changes. Note, I only included one of each of the T-1 controllers and Serial interfaces because the others are exactly the same. ----- Side A ---------- WIC Slot 0 and 1: T1 (2 port) Multi-Flex Trunk WAN daughter card Hardware revision 1.0 Board revision B0 Serial number 34720142 Part number 800-04477-04 FRU Part Number VWIC-2MFT-T1= no network-clock-participate wic 0 no network-clock-participate wic 1 ip cef ! controller T1 0/0/0 framing esf clock source internal linecode b8zs channel-group 0 timeslots 24 ! ! interface Multilink1 description Uplink to Market Range via 4 Bonded T-1's ip address 172.16.1.5 255.255.255.252 no cdp enable ppp multilink ppp multilink links maximum 4 ppp multilink group 1 ! interface Serial0/0/0:0 no ip address ip load-sharing per-packet encapsulation ppp no keepalive no fair-queue ppp multilink ppp multilink group 1 ! ip route 10.2.0.0 255.255.0.0 Multilink1 ! -------- Side B -------- WIC Slot 0 and 1: T1 (2 port) Multi-Flex Trunk WAN daughter card Hardware revision 1.0 Board revision B0 Serial number 34720142 Part number 800-04477-04 FRU Part Number VWIC-2MFT-T1= no network-clock-participate wic 0 no network-clock-participate wic 1 ! ip cef ! controller T1 0/0/0 framing esf linecode b8zs channel-group 0 timeslots 24 ! interface Multilink1 description Uplink to Adhost via 4 Bonded T-1's ip address 172.16.1.6 255.255.255.252 no cdp enable ppp multilink ppp multilink links maximum 4 ppp multilink group 1 ! interface Serial0/0/0:0 no ip address ip load-sharing per-packet encapsulation ppp no keepalive no fair-queue ppp multilink ppp multilink group 1 ! ip route 0.0.0.0 0.0.0.0 Multilink1 Regards, Mike From sethm at rollernet.us Fri Mar 6 23:12:54 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Fri, 06 Mar 2009 20:12:54 -0800 Subject: [c-nsp] Horrible MPPP Performance In-Reply-To: References: Message-ID: <49B1F446.2050704@rollernet.us> Michael K. Smith wrote: > Hello Everyone: > > I have two 2800 series routers with 4, clear-channel T-1's between. I'm > running MPPP with the 4 T1's in the bundle. Performance is *awful*. 100 > byte packets, 40 ms with 98% delivered. 1500 byte packets, 900 ms latency > with 25% packet loss. > > Here are my config snippets from the two routers. I've done everything I > can think of and nothing seems to change the performance. Any help would be > greatly appreciated. > > I've tried moving clock from one side to another, tried running with > network-clock-participate on the line-clocked side, set both sides to line, > set both sides to internal. The configuration below is the only one that > shows no slips, but the performance is still terrible. > > I've also tried changing the load-balancing from per-packet to > per-destination to FIFO to Fair queue. Nothing changes. > Why do you have load-sharing with MLPPP? ~Seth From mksmith at adhost.com Sat Mar 7 00:29:41 2009 From: mksmith at adhost.com (Michael K. Smith) Date: Fri, 06 Mar 2009 21:29:41 -0800 Subject: [c-nsp] Horrible MPPP Performance In-Reply-To: <49B1F446.2050704@rollernet.us> Message-ID: Hello Seth: On 3/6/09 8:12 PM, "Seth Mattinen" wrote: > Michael K. Smith wrote: >> Hello Everyone: >> >> I have two 2800 series routers with 4, clear-channel T-1's between. I'm >> running MPPP with the 4 T1's in the bundle. Performance is *awful*. 100 >> byte packets, 40 ms with 98% delivered. 1500 byte packets, 900 ms latency >> with 25% packet loss. >> >> Here are my config snippets from the two routers. I've done everything I >> can think of and nothing seems to change the performance. Any help would be >> greatly appreciated. >> >> I've tried moving clock from one side to another, tried running with >> network-clock-participate on the line-clocked side, set both sides to line, >> set both sides to internal. The configuration below is the only one that >> shows no slips, but the performance is still terrible. >> >> I've also tried changing the load-balancing from per-packet to >> per-destination to FIFO to Fair queue. Nothing changes. >> > > > Why do you have load-sharing with MLPPP? > As far as I can tell, with CEF enabled, it's either per-packet or per-destination, with per-destination being the default (not printed to the config). I tried doing the "no" on the per-packet with no change. Regards, Mike From mksmith at adhost.com Sat Mar 7 00:36:12 2009 From: mksmith at adhost.com (Michael K. Smith) Date: Fri, 06 Mar 2009 21:36:12 -0800 Subject: [c-nsp] Horrible MPPP Performance SOLVED In-Reply-To: Message-ID: Hello Everyone: Sorry for the post-to-my-own-post. Jeremy Gaddis was kind enough not to out me on the list, but what the hey. I only had one 64k channel enabled on each T-1. > channel-group 0 timeslots 24 I used to know T-1's, I swear. Thanks Jeremy! Regards, Mike On 3/6/09 7:48 PM, "Michael Smith" wrote: > Hello Everyone: > > I have two 2800 series routers with 4, clear-channel T-1's between. I'm > running MPPP with the 4 T1's in the bundle. Performance is *awful*. 100 > byte packets, 40 ms with 98% delivered. 1500 byte packets, 900 ms latency > with 25% packet loss. > > Here are my config snippets from the two routers. I've done everything I > can think of and nothing seems to change the performance. Any help would be > greatly appreciated. > > I've tried moving clock from one side to another, tried running with > network-clock-participate on the line-clocked side, set both sides to line, > set both sides to internal. The configuration below is the only one that > shows no slips, but the performance is still terrible. > > I've also tried changing the load-balancing from per-packet to > per-destination to FIFO to Fair queue. Nothing changes. > > Note, I only included one of each of the T-1 controllers and Serial > interfaces because the others are exactly the same. > > ----- Side A ---------- > WIC Slot 0 and 1: > T1 (2 port) Multi-Flex Trunk WAN daughter card > Hardware revision 1.0 Board revision B0 > Serial number 34720142 Part number 800-04477-04 > FRU Part Number VWIC-2MFT-T1= > > > no network-clock-participate wic 0 > no network-clock-participate wic 1 > ip cef > ! > controller T1 0/0/0 > framing esf > clock source internal > linecode b8zs > channel-group 0 timeslots 24 > ! > ! > interface Multilink1 > description Uplink to Market Range via 4 Bonded T-1's > ip address 172.16.1.5 255.255.255.252 > no cdp enable > ppp multilink > ppp multilink links maximum 4 > ppp multilink group 1 > ! > interface Serial0/0/0:0 > no ip address > ip load-sharing per-packet > encapsulation ppp > no keepalive > no fair-queue > ppp multilink > ppp multilink group 1 > ! > ip route 10.2.0.0 255.255.0.0 Multilink1 > ! > -------- Side B -------- > > WIC Slot 0 and 1: > T1 (2 port) Multi-Flex Trunk WAN daughter card > Hardware revision 1.0 Board revision B0 > Serial number 34720142 Part number 800-04477-04 > FRU Part Number VWIC-2MFT-T1= > > no network-clock-participate wic 0 > no network-clock-participate wic 1 > ! > ip cef > ! > controller T1 0/0/0 > framing esf > linecode b8zs > channel-group 0 timeslots 24 > ! > interface Multilink1 > description Uplink to Adhost via 4 Bonded T-1's > ip address 172.16.1.6 255.255.255.252 > no cdp enable > ppp multilink > ppp multilink links maximum 4 > ppp multilink group 1 > ! > interface Serial0/0/0:0 > no ip address > ip load-sharing per-packet > encapsulation ppp > no keepalive > no fair-queue > ppp multilink > ppp multilink group 1 > ! > ip route 0.0.0.0 0.0.0.0 Multilink1 > > Regards, > > Mike > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From ip at ioshints.info Sat Mar 7 03:17:35 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Sat, 7 Mar 2009 09:17:35 +0100 Subject: [c-nsp] OT: TCL Book recommendation for Cisco EEM In-Reply-To: <49B14149.7050702@justinshore.com> References: <49B14149.7050702@justinshore.com> Message-ID: <004501c99efd$2d1e8860$0a00000a@nil.si> Tcl/TK: A developer's guide http://www.msen.com/~clif/DevGuide.html A bit more advanced book when you want to go slightly beyond the basics. I wasn't too happy with it, but it did the job. Ivan > -----Original Message----- > From: Justin Shore [mailto:justin at justinshore.com] > Sent: Friday, March 06, 2009 4:29 PM > To: 'Cisco-nsp' > Subject: [c-nsp] OT: TCL Book recommendation for Cisco EEM > > Does anyone have any suggestions on a good book on TCL > scripting for Cisco's EEM? As a complete TCL novice, a good > TCL intro would be good. > I can probably use existing EEM examples to learn the > intricacies of using TCL for Cisco I think, unless someone > knows of a book that covers that too. > > http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guid > e/nm_eem_overview.html > > Thanks > Justin From gert at greenie.muc.de Sat Mar 7 04:39:22 2009 From: gert at greenie.muc.de (Gert Doering) Date: Sat, 7 Mar 2009 10:39:22 +0100 Subject: [c-nsp] Resetting an RSM password/config In-Reply-To: <49B1E8A5.8070807@thewybles.com> References: <49B1E8A5.8070807@thewybles.com> Message-ID: <20090307093922.GX290@greenie.muc.de> Hi, On Fri, Mar 06, 2009 at 07:23:17PM -0800, Charles Wyble wrote: > I recently purchased some cisco gear for my lab. One of the things I am > doing is configuring a Catalyst 5505 with a Route Switch Module (RSM). > > Any idea how to reset the config to factory defaults? I bought it second > hand and need to clear the configs as I don't know the password. > > I googled a bit and didn't find anything. The RSM has a console port - and from there, you should be able to follow the standard password recovery procedure documented on CCO. Search www.cisco.com for "password recovery". If the RSM is not documented anymore (being end-of-life), follow the procedure for a router from that time - a RSP* or 3640 should be similar. Don't follow the procedures for *switches*, though - the RSM is a bog-standard IOS router in a switch blade, not a switch in itself. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From manafo at hotmail.com Sat Mar 7 09:49:47 2009 From: manafo at hotmail.com (Manaf Al Oqlah) Date: Sat, 7 Mar 2009 16:49:47 +0200 Subject: [c-nsp] 3750ME CPU Utilization Message-ID: Hi all, what does the "HULC DAI Process" stands for when executing the command "show process cpu" in 3750ME switch. I found an abnormal behavior on this process ID and it is frequently goes high. Regards, Manaf From ibrahim.abozaid at gmail.com Sat Mar 7 10:10:27 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Sat, 7 Mar 2009 17:10:27 +0200 Subject: [c-nsp] Multicast RPF check and unicast default route Message-ID: Hi All i have a question about multicast RPF check that checks routing table for source address and ensure traffic incoming interface is the same as route next hop does this check supports default routes ? is there a feature like allow-default used in uRPF ? best regards --Ibrahim From tdurack at gmail.com Sat Mar 7 10:41:51 2009 From: tdurack at gmail.com (Tim Durack) Date: Sat, 7 Mar 2009 10:41:51 -0500 Subject: [c-nsp] BGP community and MP-BGP route-target Message-ID: <9e246b4d0903070741w45312990o6bf36ea5a9a07569@mail.gmail.com> If I use AS:100 as a BGP community, is this the same as vrf route-target AS:100? I guess what I'm asking is: Do AS:nn BGP communities and AS:nn MP-BGP route-targets share the same "community-space"? Tim:> From peter at rathlev.dk Sat Mar 7 10:57:08 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Sat, 07 Mar 2009 16:57:08 +0100 Subject: [c-nsp] BGP community and MP-BGP route-target In-Reply-To: <9e246b4d0903070741w45312990o6bf36ea5a9a07569@mail.gmail.com> References: <9e246b4d0903070741w45312990o6bf36ea5a9a07569@mail.gmail.com> Message-ID: <1236441428.2073.2.camel@localhost.localdomain> On Sat, 2009-03-07 at 10:41 -0500, Tim Durack wrote: > If I use AS:100 as a BGP community, is this the same as vrf route-target AS:100? > > I guess what I'm asking is: Do AS:nn BGP communities and AS:nn MP-BGP > route-targets share the same "community-space"? They don't, the RT is an extended community. There is no overlapping and no conflicts. You can set it with "set extcommunity rt ...". Regards, Peter From berni at birkenwald.de Sat Mar 7 10:24:41 2009 From: berni at birkenwald.de (Bernhard Schmidt) Date: Sat, 07 Mar 2009 16:24:41 +0100 Subject: [c-nsp] ftp.cisco.com unusable? In-Reply-To: <20090306224516.GV290@greenie.muc.de> References: <49A88BB5.8050901@bromirski.net> <20090228085447.GA4503@mx.ytti.net> <20090306064140.GY290@greenie.muc.de> <5EB9799F396A304686962AFFF740ED0CE96C436F@NOOSLEXCH001.adno.local> <20090306224516.GV290@greenie.muc.de> Message-ID: <49B291B9.2040000@birkenwald.de> On 06.03.2009 23:45, Gert Doering wrote: > On Fri, Mar 06, 2009 at 08:01:02AM +0100, Stig Johansen wrote: >> Because of the borked ftp.cisco.com, I have generally used >> ftp-sj.cisco.com instead, and it works just fine "all the time". > Unfortunately, it doesn't. ftp-sj is also balanced to 4 different > servers, half of them choking on EPSV commands. But it isn't affected by broken DNS for AAAA records, so it works better than ftp.cisco.com :-\ *sigh* Bernhard From ibrahim.abozaid at gmail.com Sat Mar 7 12:08:22 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Sat, 7 Mar 2009 19:08:22 +0200 Subject: [c-nsp] Multicast RPF check and unicast default route [7:134602] In-Reply-To: <7F338D54E95EF14BAE0631DBEF9A2C8201D421@INK.backbone.dpsciences.com> References: <200903071510.n27FAxwo029911@groupstudy.com> <7F338D54E95EF14BAE0631DBEF9A2C8201D421@INK.backbone.dpsciences.com> Message-ID: yes Rohynas that what i mean but my question is that work with multicast RPF check or works for unicast only ? best regards --Ibrahim On Sat, Mar 7, 2009 at 6:30 PM, Rohyans, Aaron wrote: > I believe you're referring to: > > interface fastEthernet 0/0 > ip verify unicast source reachable-via any > > ...this allows the router to use the default route for Reverse Path check. > > Hope this helps, > > Aaron T. Rohyans > Senior Network Engineer > CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP, > JNCIA-ER > DPSciences Corporation > 7400 N. Shadeland Ave., Suite 245 > Indianapolis, IN 46250 > Office: (317) 348-0099 > Fax: (317) 849-7134 > arohyans at dpsciences.com > http://www.dpsciences.com/ > > > -----Original Message----- > From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of > Ibrahim Abo Zaid > Sent: Saturday, March 07, 2009 10:11 AM > To: cisco at groupstudy.com > Subject: Multicast RPF check and unicast default route [7:134602] > > Hi All > > i have a question about multicast RPF check that checks routing table for > source address and ensure traffic incoming interface is the same as route > next hop > > does this check supports default routes ? is there a feature like > allow-default used in uRPF ? > > > best regards > --Ibrahim > > > > > Message Posted at: > http://www.groupstudy.com/form/read.php?f=7&i=134602&t=134602 > -------------------------------------------------- > FAQ, list archives, and subscription info: > http://www.groupstudy.com/list/cisco.html > > From mtinka at globaltransit.net Sat Mar 7 11:39:34 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Sun, 8 Mar 2009 00:39:34 +0800 Subject: [c-nsp] BGP community and MP-BGP route-target In-Reply-To: <9e246b4d0903070741w45312990o6bf36ea5a9a07569@mail.gmail.com> References: <9e246b4d0903070741w45312990o6bf36ea5a9a07569@mail.gmail.com> Message-ID: <200903080039.44983.mtinka@globaltransit.net> On Saturday 07 March 2009 11:41:51 pm Tim Durack wrote: > I guess what I'm asking is: Do AS:nn BGP communities and > AS:nn MP-BGP route-targets share the same > "community-space"? No they don't. VRF RT's are part of the extended communities definition which support a 64-bit value, and would appear only on the routes associated with that particular VRF or per your configuration. Assuming your garden-variety IP network, standard communities support 32-bit values and would generally apply to routes in your global routing table. Having said that, it is possible to attach both standard and extended communities to a route. In such a case, the router would handle each type of community per their individual RFC specifications. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From blahu77 at gmail.com Sat Mar 7 12:44:07 2009 From: blahu77 at gmail.com (Mateusz Błaszczyk) Date: Sat, 7 Mar 2009 17:44:07 +0000 (IST) Subject: [c-nsp] 3750ME CPU Utilization In-Reply-To: Message-ID: Dynamic Arp Inspection is what comes to my mind? 2009/3/7 Manaf Al Oqlah : > Hi all, > > what does the "HULC DAI Process" stands for when executing the command "show process cpu" in 3750ME switch. I found an abnormal behavior on this process ID and it is frequently goes high. > > Regards, > Manaf > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- pgp-key 0x1C655CAB -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: OpenPGP digital signature URL: From asturluismi at gmail.com Sat Mar 7 12:54:59 2009 From: asturluismi at gmail.com (luismi) Date: Sat, 07 Mar 2009 18:54:59 +0100 Subject: [c-nsp] Disabling "enable" command for users at privilege 0 In-Reply-To: <0640DEEAA56B4A428B55F6FAAB1326AF@int.convex.pt> References: <1236382973.7344.0.camel@dsba-ipso> <0640DEEAA56B4A428B55F6FAAB1326AF@int.convex.pt> Message-ID: <1236448499.8327.4.camel@dsba-ipso> Thanks it works perfectly for me :D El s?b, 07-03-2009 a las 02:27 +0000, Antonio Soares escribi?: > privilege exec level 1 enable From tdurack at gmail.com Sat Mar 7 13:02:43 2009 From: tdurack at gmail.com (Tim Durack) Date: Sat, 7 Mar 2009 13:02:43 -0500 Subject: [c-nsp] BGP community and MP-BGP route-target In-Reply-To: <200903080039.44983.mtinka@globaltransit.net> References: <9e246b4d0903070741w45312990o6bf36ea5a9a07569@mail.gmail.com> <200903080039.44983.mtinka@globaltransit.net> Message-ID: <9e246b4d0903071002m7c458a8t38558f54a1173499@mail.gmail.com> On Sat, Mar 7, 2009 at 11:39 AM, Mark Tinka wrote: > On Saturday 07 March 2009 11:41:51 pm Tim Durack wrote: > >> I guess what I'm asking is: Do AS:nn BGP communities and >> AS:nn MP-BGP route-targets share the same >> "community-space"? > > No they don't. > That's what I needed to know - thanks! Tim:> From asturluismi at gmail.com Sat Mar 7 13:04:52 2009 From: asturluismi at gmail.com (luismi) Date: Sat, 07 Mar 2009 19:04:52 +0100 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? Message-ID: <1236449092.8327.12.camel@dsba-ipso> Hi all, I am looking for an open source solution to deploy some radius in our network. The primary goal is to connect to those radius to provide auth services: - The VPN Concentrators and vpn accounts (we would move all the vpn accounts info to the radius) - Validate ip http auth-proxy users Radius service should be able to be managed using a web interface. I don't really mind if there is a proper web interface of if we need to install webadmin. It also must support accounting. And it would be great if it is possible to have the back-end into MySQL. I was checking FreeRadius and Radiator. Any other options? All comments are welcome. Thanks From lowen at pari.edu Sat Mar 7 13:06:01 2009 From: lowen at pari.edu (Lamar Owen) Date: Sat, 7 Mar 2009 13:06:01 -0500 Subject: [c-nsp] Resetting an RSM password/config In-Reply-To: <49B1E8A5.8070807@thewybles.com> References: <49B1E8A5.8070807@thewybles.com> Message-ID: <200903071306.01589.lowen@pari.edu> On Friday 06 March 2009 22:23:17 Charles Wyble wrote: > I recently purchased some cisco gear for my lab. One of the things I am > doing is configuring a Catalyst 5505 with a Route Switch Module (RSM). > > Any idea how to reset the config to factory defaults? I bought it second > hand and need to clear the configs as I don't know the password. http://www.cisco.com/en/US/products/hw/switches/ps686/products_password_recovery09186a00801d1248.shtml Connect to the female DB-25 on the RSM itself and send the BREAK sequence (with Minicom under Linux, for instance, this is CTRL-A F or ALT-F, depending on version and console) right after you see the ROMMON banner. -- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 http://www.pari.edu From p.mayers at imperial.ac.uk Sat Mar 7 13:15:15 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Sat, 7 Mar 2009 18:15:15 +0000 Subject: [c-nsp] Multicast RPF check and unicast default route In-Reply-To: References: Message-ID: <20090307181514.GB19698@wildfire.net.ic.ac.uk> On Sat, Mar 07, 2009 at 03:10:27PM +0000, Ibrahim Abo Zaid wrote: >Hi All > >i have a question about multicast RPF check that checks routing table for >source address and ensure traffic incoming interface is the same as route >next hop > >does this check supports default routes ? is there a feature like Yes >allow-default used in uRPF ? What does that mean? Can you describe what you are trying to achieve? From p.mayers at imperial.ac.uk Sat Mar 7 13:17:49 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Sat, 7 Mar 2009 18:17:49 +0000 Subject: [c-nsp] Multicast RPF check and unicast default route [7:134602] In-Reply-To: References: <200903071510.n27FAxwo029911@groupstudy.com> <7F338D54E95EF14BAE0631DBEF9A2C8201D421@INK.backbone.dpsciences.com> Message-ID: <20090307181749.GC19698@wildfire.net.ic.ac.uk> On Sat, Mar 07, 2009 at 05:08:22PM +0000, Ibrahim Abo Zaid wrote: >yes Rohynas that what i mean but my question is that work with multicast RPF >check or works for unicast only ? I don't believe this works for multicast, and find it hard to conceive of a circumstance where it would be useful. What are you trying to achieve? You can use a separate set of routes to do the multicast RPF check - for example, a set of network statements under the "ipv4 multicast" BGP family, or static "ip mroute" commands, but whether that's useful will depend. From Charles at thewybles.com Sat Mar 7 13:52:50 2009 From: Charles at thewybles.com (Charles at thewybles.com) Date: Sat, 7 Mar 2009 18:52:50 +0000 Subject: [c-nsp] Open Source solution to deploy a radius server againstCisco devices? Message-ID: <2044551257-1236451993-cardhu_decombobulator_blackberry.rim.net-2132750851-@bxe1216.bisx.prod.on.blackberry> Those seem to be the category killers. ------Original Message------ From: luismi Sender: cisco-nsp-bounces at puck.nether.net To: Cisco Network Service Providers Subject: [c-nsp] Open Source solution to deploy a radius server againstCisco devices? Sent: Mar 7, 2009 10:04 AM Hi all, I am looking for an open source solution to deploy some radius in our network. The primary goal is to connect to those radius to provide auth services: - The VPN Concentrators and vpn accounts (we would move all the vpn accounts info to the radius) - Validate ip http auth-proxy users Radius service should be able to be managed using a web interface. I don't really mind if there is a proper web interface of if we need to install webadmin. It also must support accounting. And it would be great if it is possible to have the back-end into MySQL. I was checking FreeRadius and Radiator. Any other options? All comments are welcome. Thanks _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ Sent via BlackBerry from T-Mobile From Charles at thewybles.com Sat Mar 7 14:01:16 2009 From: Charles at thewybles.com (Charles at thewybles.com) Date: Sat, 7 Mar 2009 19:01:16 +0000 Subject: [c-nsp] Resetting an RSM password/config Message-ID: <2137577677-1236452498-cardhu_decombobulator_blackberry.rim.net-598636238-@bxe1216.bisx.prod.on.blackberry> Thanks to all. Standard ios reset procedure it is. :) ------Original Message------ From: Lamar Owen Sender: To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Resetting an RSM password/config Sent: Mar 7, 2009 10:06 AM On Friday 06 March 2009 22:23:17 Charles Wyble wrote: > I recently purchased some cisco gear for my lab. One of the things I am > doing is configuring a Catalyst 5505 with a Route Switch Module (RSM). > > Any idea how to reset the config to factory defaults? I bought it second > hand and need to clear the configs as I don't know the password. http://www.cisco.com/en/US/products/hw/switches/ps686/products_password_recovery09186a00801d1248.shtml Connect to the female DB-25 on the RSM itself and send the BREAK sequence (with Minicom under Linux, for instance, this is CTRL-A F or ALT-F, depending on version and console) right after you see the ROMMON banner. -- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 http://www.pari.edu _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ Sent via BlackBerry from T-Mobile From lists at quux.de Sat Mar 7 13:49:09 2009 From: lists at quux.de (Jens Link) Date: Sat, 07 Mar 2009 19:49:09 +0100 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <1236449092.8327.12.camel@dsba-ipso> (luismi's message of "Sat\, 07 Mar 2009 19\:04\:52 +0100") References: <1236449092.8327.12.camel@dsba-ipso> Message-ID: <87tz655ftm.fsf@laphroiag.quux.de> luismi writes: > Radius service should be able to be managed using a web interface. I > don't really mind if there is a proper web interface of if we need to > install webadmin. It also must support accounting. And it would be > great if it is possible to have the back-end into MySQL. > > I was checking FreeRadius and Radiator. Any other options? All > comments are welcome. FreeRADIUS is used in several big installations. It can use MySQL as database backend. It ships withs DialUp-Admin, a web based interface for the *user* administration which also can use MySQL. cheers Jens -- ------------------------------------------------------------------------- | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jenslink at guug.de | ------------------------------------------------------------------------- From mustafa.golam at gmail.com Sat Mar 7 15:02:25 2009 From: mustafa.golam at gmail.com (Mustafa Golam -) Date: Sat, 7 Mar 2009 23:02:25 +0300 Subject: [c-nsp] 3750ME CPU Utilization In-Reply-To: References:

Message-ID: Ref to: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swdynarp.html *no ip arp inspection vlan vlan-range *should solve the problem than. //Mustafa ** On Sat, Mar 7, 2009 at 10:40 PM, Manaf Al Oqlah wrote: > Yes it is Dynamic ARP Inspection. it is frequently goes 100%. > > *From:* Mustafa Golam - > *Sent:* Saturday, March 07, 2009 7:48 PM > *To:* Mateusz B??aszczyk > *Cc:* Manaf Al Oqlah > *Subject:* Re: [c-nsp] 3750ME CPU Utilization > > > > On Sat, Mar 7, 2009 at 8:44 PM, Mateusz B??aszczyk wrote: > >> Dynamic Arp Inspection is what comes to my mind? >> > True!!! > > >> >> 2009/3/7 Manaf Al Oqlah : > > > -- > -- > *??) > ?.???.?*??) ?.?*?) > (?.?? (?.?` *Mustafa Golam,CCIE(..)'.'`,. > -.*.-JNCIS,RHCE,CC{D,I,N,S,V}P`et. al.'.'`,. > GPRS/MPBN Soultion Integrator, Madagascar. > LM Ericsson SA Ltd. www.ericsson.com. > Email : mustafa.golam at gmail.com > Mobile : +(261)034-111-77-28 > http://journey2ccie.wordpress.com/ > -- -- *??) ?.???.?*??) ?.?*?) (?.?? (?.?` *Mustafa Golam,CCIE(..)'.'`,. -.*.-JNCIS,RHCE,CC{D,I,N,S,V}P`et. al.'.'`,. GPRS/MPBN Soultion Integrator, Madagascar. LM Ericsson SA Ltd. www.ericsson.com. Email : mustafa.golam at gmail.com Mobile : +(261)034-111-77-28 http://journey2ccie.wordpress.com/ From manafo at hotmail.com Sat Mar 7 18:25:30 2009 From: manafo at hotmail.com (Manaf Al Oqlah) Date: Sun, 8 Mar 2009 01:25:30 +0200 Subject: [c-nsp] 3750ME CPU Utilization In-Reply-To: References:

Message-ID: but I can't live without this option! it is mandatory to prevent users ARP and DHCP spoofing From: Mustafa Golam - Sent: Saturday, March 07, 2009 10:02 PM To: Manaf Al Oqlah Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 3750ME CPU Utilization Ref to: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swdynarp.html no ip arp inspection vlan vlan-range should solve the problem than. //Mustafa On Sat, Mar 7, 2009 at 10:40 PM, Manaf Al Oqlah wrote: Yes it is Dynamic ARP Inspection. it is frequently goes 100%. From: Mustafa Golam - Sent: Saturday, March 07, 2009 7:48 PM To: Mateusz B??aszczyk Cc: Manaf Al Oqlah Subject: Re: [c-nsp] 3750ME CPU Utilization On Sat, Mar 7, 2009 at 8:44 PM, Mateusz B??aszczyk wrote: Dynamic Arp Inspection is what comes to my mind? True!!! 2009/3/7 Manaf Al Oqlah : -- -- *??) ?.???.?*??) ?.?*?) (?.?? (?.?` *Mustafa Golam,CCIE(..)'.'`,. -.*.-JNCIS,RHCE,CC{D,I,N,S,V}P`et. al.'.'`,. GPRS/MPBN Soultion Integrator, Madagascar. LM Ericsson SA Ltd. www.ericsson.com. Email : mustafa.golam at gmail.com Mobile : +(261)034-111-77-28 http://journey2ccie.wordpress.com/ -- -- *??) ?.???.?*??) ?.?*?) (?.?? (?.?` *Mustafa Golam,CCIE(..)'.'`,. -.*.-JNCIS,RHCE,CC{D,I,N,S,V}P`et. al.'.'`,. GPRS/MPBN Soultion Integrator, Madagascar. LM Ericsson SA Ltd. www.ericsson.com. Email : mustafa.golam at gmail.com Mobile : +(261)034-111-77-28 http://journey2ccie.wordpress.com/ From moua0100 at umn.edu Sat Mar 7 22:09:02 2009 From: moua0100 at umn.edu (Ge Moua) Date: Sat, 07 Mar 2009 21:09:02 -0600 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <1236449092.8327.12.camel@dsba-ipso> References: <1236449092.8327.12.camel@dsba-ipso> Message-ID: <49B336CE.3090608@umn.edu> We use Radiator over here to manage over 6,000 cisco devices; works pretty good on server class hardware. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services luismi wrote: > Hi all, > > I am looking for an open source solution to deploy some radius in our > network. > The primary goal is to connect to those radius to provide auth services: > - The VPN Concentrators and vpn accounts (we would move all the vpn > accounts info to the radius) > - Validate ip http auth-proxy users > > Radius service should be able to be managed using a web interface. > I don't really mind if there is a proper web interface of if we need to > install webadmin. > It also must support accounting. > And it would be great if it is possible to have the back-end into MySQL. > > I was checking FreeRadius and Radiator. > Any other options? > All comments are welcome. > > Thanks > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From abalashov at evaristesys.com Sat Mar 7 23:26:46 2009 From: abalashov at evaristesys.com (Alex Balashov) Date: Sat, 7 Mar 2009 23:26:46 -0500 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <49B336CE.3090608@umn.edu> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> Message-ID: FreeRADIUS has not been a problem for us. -- Sent from mobile device On Mar 7, 2009, at 10:09 PM, Ge Moua wrote: > We use Radiator over here to manage over 6,000 cisco devices; works > pretty good on server class hardware. > > Regards, > Ge Moua | Email: moua0100 at umn.edu > > Network Design Engineer > University of Minnesota | Networking & Telecommunications Services > > > > luismi wrote: >> Hi all, >> >> I am looking for an open source solution to deploy some radius in our >> network. >> The primary goal is to connect to those radius to provide auth >> services: >> - The VPN Concentrators and vpn accounts (we would move all the vpn >> accounts info to the radius) >> - Validate ip http auth-proxy users >> >> Radius service should be able to be managed using a web interface. >> I don't really mind if there is a proper web interface of if we >> need to >> install webadmin. >> It also must support accounting. >> And it would be great if it is possible to have the back-end into >> MySQL. >> >> I was checking FreeRadius and Radiator. >> Any other options? >> All comments are welcome. >> >> Thanks >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mustafa.golam at gmail.com Sun Mar 8 01:53:29 2009 From: mustafa.golam at gmail.com (Mustafa Golam -) Date: Sun, 8 Mar 2009 09:53:29 +0300 Subject: [c-nsp] 3750ME CPU Utilization In-Reply-To: References:

Message-ID: Issue a TAC ticket than. You must be missing something else. Please show us your running config. WR, Mustafa On Sun, Mar 8, 2009 at 2:25 AM, Manaf Al Oqlah wrote: > but I can't live without this option! it is mandatory to prevent users > ARP and DHCP spoofing > From deric.kwok2000 at gmail.com Sun Mar 8 18:34:12 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Sun, 8 Mar 2009 18:34:12 -0400 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> Message-ID: <40d8a95a0903081534u2da8e6b7qa7ed69ae3d07c5e@mail.gmail.com> freeradius is good. I used it in debian (woody and ethic) before. At that time, it can support 12,000 DSL users The database was around 2G. 2G memory and Pentium 4 CPU On Sun, Mar 8, 2009 at 12:26 AM, Alex Balashov wrote: > FreeRADIUS has not been a problem for us. > > -- > Sent from mobile device > > > On Mar 7, 2009, at 10:09 PM, Ge Moua wrote: > > We use Radiator over here to manage over 6,000 cisco devices; works pretty >> good on server class hardware. >> >> Regards, >> Ge Moua | Email: moua0100 at umn.edu >> >> Network Design Engineer >> University of Minnesota | Networking & Telecommunications Services >> >> >> >> luismi wrote: >> >>> Hi all, >>> >>> I am looking for an open source solution to deploy some radius in our >>> network. >>> The primary goal is to connect to those radius to provide auth services: >>> - The VPN Concentrators and vpn accounts (we would move all the vpn >>> accounts info to the radius) >>> - Validate ip http auth-proxy users >>> >>> Radius service should be able to be managed using a web interface. >>> I don't really mind if there is a proper web interface of if we need to >>> install webadmin. >>> It also must support accounting. >>> And it would be great if it is possible to have the back-end into MySQL. >>> >>> I was checking FreeRadius and Radiator. >>> Any other options? >>> All comments are welcome. >>> >>> Thanks >>> >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From David at hughes.com.au Sun Mar 8 18:07:53 2009 From: David at hughes.com.au (David Hughes) Date: Mon, 9 Mar 2009 08:07:53 +1000 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <49B336CE.3090608@umn.edu> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> Message-ID: <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> On 08/03/2009, at 1:09 PM, Ge Moua wrote: > We use Radiator over here to manage over 6,000 cisco devices; works > pretty good on server class hardware. +1 for Radiator. It's not opensource as the original poster requested, but it's certainly a solid and flexible radius server. David ... From Kris.Amy at EIP.net.au Sun Mar 8 20:32:20 2009 From: Kris.Amy at EIP.net.au (Kris Amy) Date: Mon, 9 Mar 2009 10:32:20 +1000 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> Message-ID: Another +1 for radiator On 9/03/09 8:07 AM, "David Hughes" wrote: On 08/03/2009, at 1:09 PM, Ge Moua wrote: > We use Radiator over here to manage over 6,000 cisco devices; works > pretty good on server class hardware. +1 for Radiator. It's not opensource as the original poster requested, but it's certainly a solid and flexible radius server. David ... _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From chaz at chaz6.com Sun Mar 8 23:29:54 2009 From: chaz at chaz6.com (Chris Hills) Date: Mon, 09 Mar 2009 04:29:54 +0100 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> Message-ID: David Hughes wrote: > +1 for Radiator. It's not opensource as the original poster requested, > but it's certainly a solid and flexible radius server. Radiator /is/ open-source, but it is not free. From musmanashraf at gmail.com Mon Mar 9 04:47:29 2009 From: musmanashraf at gmail.com (M Usman Ashraf) Date: Mon, 9 Mar 2009 13:47:29 +0500 Subject: [c-nsp] How to assign same virtual interface to a PPPoE customer Message-ID: <9149d2410903090147n39b96601t836e01ea7132be89@mail.gmail.com> Hi list, Is there any way by which we can assign same virtual access interface to a PPPoE customer? We are terminating PPPoE customers on 7301 with 12.2(31)SB14 using BBA groups with virtual-templates and want that a customer X should always get virtual-interface A. Any idea? -- Regards, M Usman Ashraf From benny+usenet at amorsen.dk Mon Mar 9 04:56:04 2009 From: benny+usenet at amorsen.dk (Benny Amorsen) Date: Mon, 09 Mar 2009 09:56:04 +0100 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: (Chris Hills's message of "Mon\, 09 Mar 2009 04\:29\:54 +0100") References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> Message-ID: Chris Hills writes: > Radiator /is/ open-source, but it is not free. The fact that you get the source code doesn't by itself make the software open-source. The license may be this one: http://www.open.com.au/license.html but it says that any click-through license overrides what is written there, so don't put too much faith in that. /Benny From oboehmer at cisco.com Mon Mar 9 05:01:46 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 9 Mar 2009 10:01:46 +0100 Subject: [c-nsp] How to assign same virtual interface to a PPPoE customer In-Reply-To: <9149d2410903090147n39b96601t836e01ea7132be89@mail.gmail.com> References: <9149d2410903090147n39b96601t836e01ea7132be89@mail.gmail.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406FF3150@xmb-ams-333.emea.cisco.com> M Usman Ashraf <> wrote on Monday, March 09, 2009 09:47: > Hi list, > > Is there any way by which we can assign same virtual access interface > to a PPPoE customer? We are terminating PPPoE customers on 7301 with > 12.2(31)SB14 using BBA groups with virtual-templates and want that a > customer X should always get virtual-interface A. Any idea? no idea, don't think this is possible. What are you trying to achieve? If you want to apply user-specific attributes, take a look at AAA per-user config.. oli From A.L.M.Buxey at lboro.ac.uk Mon Mar 9 05:09:32 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 9 Mar 2009 09:09:32 +0000 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> Message-ID: <20090309090932.GB14149@lboro.ac.uk> Hi, > +1 for Radiator. It's not opensource as the original poster requested, > but it's certainly a solid and flexible radius server. it is Open Source, its just not free. you, as a user are free to look at the source code... please dont confuse 'open source' with 'free software', GPL , BSD, etc that said, their licence is onorous and feels like its a verbatim shrink-wrap EULA rather than dealing with what you get. does reading their PERL mean I am disassembling it? for this last reaosn alone, I'm +1 for FreeRADIUS alan From musmanashraf at gmail.com Mon Mar 9 06:16:02 2009 From: musmanashraf at gmail.com (M Usman Ashraf) Date: Mon, 9 Mar 2009 15:16:02 +0500 Subject: [c-nsp] How to assign same virtual interface to a PPPoE customer In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406FF3150@xmb-ams-333.emea.cisco.com> References: <9149d2410903090147n39b96601t836e01ea7132be89@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406FF3150@xmb-ams-333.emea.cisco.com> Message-ID: <9149d2410903090316g446afbefo1f0a6762532e5a98@mail.gmail.com> Hi Oliver, Just wanted to plot MRTG for customers whose CPE has no SNMP support or who does not want to enable SNMP. Is there any MIB that lists PPPoE username against the assigned virtual-interface. On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > M Usman Ashraf <> wrote on Monday, March 09, 2009 09:47: > > > Hi list, > > > > Is there any way by which we can assign same virtual access interface > > to a PPPoE customer? We are terminating PPPoE customers on 7301 with > > 12.2(31)SB14 using BBA groups with virtual-templates and want that a > > customer X should always get virtual-interface A. Any idea? > > no idea, don't think this is possible. What are you trying to achieve? > If you want to apply user-specific attributes, take a look at AAA > per-user config.. > > oli > -- Regards, M Usman Ashraf From asturluismi at gmail.com Mon Mar 9 06:34:08 2009 From: asturluismi at gmail.com (luismi) Date: Mon, 09 Mar 2009 11:34:08 +0100 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <20090309090932.GB14149@lboro.ac.uk> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> Message-ID: <1236594848.10690.1.camel@dsba-ipso> Hi all, As I can see there is just two options over the table: Freeradius and Radiator. Is there anyone here with any of them working against VPN Concentrators? I ask that because it would be the primary goal of the radius. El lun, 09-03-2009 a las 09:09 +0000, A.L.M.Buxey at lboro.ac.uk escribi?: > Hi, > > > +1 for Radiator. It's not opensource as the original poster requested, > > but it's certainly a solid and flexible radius server. > > it is Open Source, its just not free. you, as a user are free to > look at the source code... > > please dont confuse 'open source' with 'free software', GPL , BSD, etc > > that said, their licence is onorous and feels like its a verbatim > shrink-wrap EULA rather than dealing with what you get. does reading > their PERL mean I am disassembling it? > > for this last reaosn alone, I'm +1 for FreeRADIUS > > alan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From musmanashraf at gmail.com Mon Mar 9 07:02:39 2009 From: musmanashraf at gmail.com (M Usman Ashraf) Date: Mon, 9 Mar 2009 16:02:39 +0500 Subject: [c-nsp] How to assign same virtual interface to a PPPoE customer In-Reply-To: <9149d2410903090401p30239bd2j61c7638819f52103@mail.gmail.com> References: <9149d2410903090147n39b96601t836e01ea7132be89@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406FF3150@xmb-ams-333.emea.cisco.com> <9149d2410903090316g446afbefo1f0a6762532e5a98@mail.gmail.com> <9149d2410903090401p30239bd2j61c7638819f52103@mail.gmail.com> Message-ID: <9149d2410903090402x7249162fi250ec71e2b951101@mail.gmail.com> > > Hi Junaid, > > Customers have Ethernet based connectivity on Alcatel ONTs that does not > have SNMP support. Their PPPoE session are terminated on 7301. So we can > only look for customers stats from this 7301. > > > On Mon, Mar 9, 2009 at 3:32 PM, Junaid wrote: > >> Hi, >> >> Why don't you try poll (via SNMP) the customer's port on the access >> device (DSLAM). In this case, you will not have to deal with the >> dynamic allocation of the interface as the port will be fixed for a >> customer. >> >> Regards, >> Junaid >> >> >> On Mon, Mar 9, 2009 at 3:16 PM, M Usman Ashraf >> wrote: >> > Hi Oliver, >> > >> > Just wanted to plot MRTG for customers whose CPE has no SNMP support or >> who >> > does not want to enable SNMP. Is there any MIB that lists PPPoE username >> > against the assigned virtual-interface. >> > >> > On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) < >> > oboehmer at cisco.com> wrote: >> > >> >> M Usman Ashraf <> wrote on Monday, March 09, 2009 09:47: >> >> >> >> > Hi list, >> >> > >> >> > Is there any way by which we can assign same virtual access interface >> >> > to a PPPoE customer? We are terminating PPPoE customers on 7301 with >> >> > 12.2(31)SB14 using BBA groups with virtual-templates and want that a >> >> > customer X should always get virtual-interface A. Any idea? >> >> >> >> no idea, don't think this is possible. What are you trying to achieve? >> >> If you want to apply user-specific attributes, take a look at AAA >> >> per-user config.. >> >> >> >> oli >> >> >> > >> > >> > >> > -- >> > Regards, >> > >> > M Usman Ashraf >> > _______________________________________________ >> > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > >> > > > > -- Regards, M Usman Ashraf From rmikisa at gmail.com Mon Mar 9 07:09:12 2009 From: rmikisa at gmail.com (Mikisa Richard) Date: Mon, 9 Mar 2009 14:09:12 +0300 Subject: [c-nsp] Static mapping behind 2 ASA firewall In-Reply-To: <20090309090932.GB14149@lboro.ac.uk> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> Message-ID: <49B4F8D8.1070201@gmail.com> Hi all, Scenario below. I have two ASA5520 in my network. Static mapping for nodes in LAN A work fine however mappings in LAN B don't. I am making the mapping on ASA1. Any ideas as to get mappings for LAN B accessible. Internet | | | ASA1---- LAN A - (192.168.0.0/16) | | | ASA2---- LAN B - (10.101.0.0/16) Richard From david.freedman at uk.clara.net Mon Mar 9 08:27:27 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Mon, 09 Mar 2009 12:27:27 +0000 Subject: [c-nsp] How to assign same virtual interface to a PPPoE customer In-Reply-To: <9149d2410903090316g446afbefo1f0a6762532e5a98@mail.gmail.com> References: <9149d2410903090147n39b96601t836e01ea7132be89@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406FF3150@xmb-ams-333.emea.cisco.com> <9149d2410903090316g446afbefo1f0a6762532e5a98@mail.gmail.com> Message-ID: I would strongly advise against this, take a look at RADIUS interim accounting and then storing that in RRD databases. Dave. M Usman Ashraf wrote: > Hi Oliver, > > Just wanted to plot MRTG for customers whose CPE has no SNMP support or who > does not want to enable SNMP. Is there any MIB that lists PPPoE username > against the assigned virtual-interface. > > On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) < > oboehmer at cisco.com> wrote: > >> M Usman Ashraf <> wrote on Monday, March 09, 2009 09:47: >> >>> Hi list, >>> >>> Is there any way by which we can assign same virtual access interface >>> to a PPPoE customer? We are terminating PPPoE customers on 7301 with >>> 12.2(31)SB14 using BBA groups with virtual-templates and want that a >>> customer X should always get virtual-interface A. Any idea? >> no idea, don't think this is possible. What are you trying to achieve? >> If you want to apply user-specific attributes, take a look at AAA >> per-user config.. >> >> oli >> > > > From tim at muppetz.com Mon Mar 9 08:01:47 2009 From: tim at muppetz.com (TiM) Date: Mon, 9 Mar 2009 12:01:47 -0000 (GMT) Subject: [c-nsp] GLBP Groups Question Message-ID: Hi, Short version of question: Does putting multiple SVI's in the same GLBP group save resources? i.e. is it more efficent to have 10 SVI's in 5 GLBP groups, or is there no difference in resource usage? Long version of question: I'm looking to have ~10 3750 stacks connected to a couple of Cisco 7609s. To avoid any spanning tree hassles, a vlan on one stack will not appear on any other stack. A decision has been made to keep the management of the 3750's in a seperate VLAN, therefore I'll need ~10 extra vlans to manage all 3750 stacks. Therefore, assume that each stack has a Data, Voice and Management VLAN. I'm going to be running GLBP on the 7609's, so that traffic is spread over the 7609s and there is redundancy in th event of 7609 failure. In order to ensure that I can always manage a 3750 Stack, I'm going to be adding the Management VLAN into GLBP as well. Will the extra 10 GLBP sessions add extra CPU overhead/load to the 7609s? Using the group feature, if I have a group 10 for Stack 1, group 20 for stack 2 etc, does adding the Management VLAN to that group save on CPU/keepalive traffic? Really my question boils down to: Is this configuration: interface Vlan10 description Data Stack 1 ip address x.x.x.x 255.255.255.0 glbp 10 ip x.x.x.x ! interface Vlan11 description Management Stack 1 ip address y.y.y.y 255.255.255.0 glbp 10 ip y.y.y.y anymore efficent than this configuration: interface Vlan10 description Data Stack 1 ip address x.x.x.x 255.255.255.0 glbp 10 ip x.x.x.x ! interface Vlan11 description Management Stack 1 ip address y.y.y.y 255.255.255.0 glbp 11 ip y.y.y.y Many Thanks, Tim From cmadams at hiwaay.net Mon Mar 9 09:02:21 2009 From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 9 Mar 2009 08:02:21 -0500 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <20090309090932.GB14149@lboro.ac.uk> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> Message-ID: <20090309130221.GA1282392@hiwaay.net> Once upon a time, A.L.M.Buxey at lboro.ac.uk said: > it is Open Source, its just not free. you, as a user are free to > look at the source code... > > please dont confuse 'open source' with 'free software', GPL , BSD, etc "Open Source" is a trademarked term that has specific requirements. Freedom to modify and redistribute the source code is a major part of that (e.g. GPL, BSD license, etc.). Don't confuse "you can look but not touch" with "Open Source". -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From oboehmer at cisco.com Mon Mar 9 09:04:00 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 9 Mar 2009 14:04:00 +0100 Subject: [c-nsp] How to assign same virtual interface to a PPPoE customer In-Reply-To: References: <9149d2410903090147n39b96601t836e01ea7132be89@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406FF3150@xmb-ams-333.emea.cisco.com><9149d2410903090316g446afbefo1f0a6762532e5a98@mail.gmail.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406FF33B7@xmb-ams-333.emea.cisco.com> Agreed, this is much better as you don't have to periodically poll and watch for session re-connects.. If you still want to go down the SNMP path: You can poll the AAA-SESSION-MIB, and use casnVaiIfIndex OID which references the ifIndex for this particular user.. oli David Freedman <> wrote on Monday, March 09, 2009 13:27: > I would strongly advise against this, take a look at RADIUS interim > accounting and then storing that in RRD databases. > > Dave. > > M Usman Ashraf wrote: >> Hi Oliver, >> >> Just wanted to plot MRTG for customers whose CPE has no SNMP support >> or who does not want to enable SNMP. Is there any MIB that lists >> PPPoE username against the assigned virtual-interface. >> >> On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) < >> oboehmer at cisco.com> wrote: >> >>> M Usman Ashraf <> wrote on Monday, March 09, 2009 09:47: >>> >>>> Hi list, >>>> >>>> Is there any way by which we can assign same virtual access >>>> interface to a PPPoE customer? We are terminating PPPoE customers >>>> on 7301 with >>>> 12.2(31)SB14 using BBA groups with virtual-templates and want that >>>> a customer X should always get virtual-interface A. Any idea? >>> no idea, don't think this is possible. What are you trying to >>> achieve? If you want to apply user-specific attributes, take a look >>> at AAA per-user config.. >>> >>> oli >>> >> >> >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From p.mayers at imperial.ac.uk Mon Mar 9 09:48:26 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 09 Mar 2009 13:48:26 +0000 Subject: [c-nsp] GLBP Groups Question In-Reply-To: References: Message-ID: <49B51E2A.7010305@imperial.ac.uk> > > Really my question boils down to: > > Is this configuration: > > interface Vlan10 > description Data Stack 1 > ip address x.x.x.x 255.255.255.0 > glbp 10 ip x.x.x.x > ! > interface Vlan11 > description Management Stack 1 > ip address y.y.y.y 255.255.255.0 > glbp 10 ip y.y.y.y > > anymore efficent than this configuration: > > interface Vlan10 > description Data Stack 1 > ip address x.x.x.x 255.255.255.0 > glbp 10 ip x.x.x.x > ! > interface Vlan11 > description Management Stack 1 > ip address y.y.y.y 255.255.255.0 > glbp 11 ip y.y.y.y I don't think so. The GLBP groups are local to an SVI. HOWEVER - each GLBP group uses a different GLBP virtual MAC address, and the sup has a limit as to the size of it's MAC receive filter - 64 on older hardware, and 1024 on newer hardware - so using the same group is still valuable HSRP has a feature called "hsrp multiple group optimisation" that will do what you want, but it doesn't work on SVIs - only subints (bah). From jmaimon at ttec.com Mon Mar 9 11:33:08 2009 From: jmaimon at ttec.com (Joe Maimon) Date: Mon, 09 Mar 2009 11:33:08 -0400 Subject: [c-nsp] How to assign same virtual interface to a PPPoE customer In-Reply-To: <9149d2410903090316g446afbefo1f0a6762532e5a98@mail.gmail.com> References: <9149d2410903090147n39b96601t836e01ea7132be89@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406FF3150@xmb-ams-333.emea.cisco.com> <9149d2410903090316g446afbefo1f0a6762532e5a98@mail.gmail.com> Message-ID: <49B536B4.6020105@ttec.com> Assuming you use a radius server that can place its accounting data in a sql server, this should work fairly well for you http://www.jmaimon.com/freeradius/mrtg-radsql/mrtg-radsql.tar.gz M Usman Ashraf wrote: > Hi Oliver, > > Just wanted to plot MRTG for customers whose CPE has no SNMP support or who > does not want to enable SNMP. Is there any MIB that lists PPPoE username > against the assigned virtual-interface. > > On Mon, Mar 9, 2009 at 2:01 PM, Oliver Boehmer (oboehmer) < > oboehmer at cisco.com> wrote: > >> M Usman Ashraf <> wrote on Monday, March 09, 2009 09:47: >> >>> Hi list, >>> >>> Is there any way by which we can assign same virtual access interface >>> to a PPPoE customer? We are terminating PPPoE customers on 7301 with >>> 12.2(31)SB14 using BBA groups with virtual-templates and want that a >>> customer X should always get virtual-interface A. Any idea? >> no idea, don't think this is possible. What are you trying to achieve? >> If you want to apply user-specific attributes, take a look at AAA >> per-user config.. >> >> oli >> > > > From deric.kwok2000 at gmail.com Mon Mar 9 11:59:56 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Mon, 9 Mar 2009 11:59:56 -0400 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <1236594848.10690.1.camel@dsba-ipso> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> <1236594848.10690.1.camel@dsba-ipso> Message-ID: <40d8a95a0903090859u31b633d3u2eb5db04d5160581@mail.gmail.com> To me, I haven't used freeradius for VPN Concentrator. and haven't used Radiator But I think you can try it Just use computer to install any distribution of linux (debian is better) + freeradius. (if you have installation quesiton, i try to help) or Post this in freeradius newsgroup http://freeradius.org/list/index.html "Anyone to use freeradius in VPN Concentrator" I think you can get immediately response HTH On Mon, Mar 9, 2009 at 6:34 AM, luismi wrote: > Hi all, > > As I can see there is just two options over the table: Freeradius and > Radiator. > > Is there anyone here with any of them working against VPN Concentrators? > I ask that because it would be the primary goal of the radius. > > El lun, 09-03-2009 a las 09:09 +0000, A.L.M.Buxey at lboro.ac.uk escribi?: > > Hi, > > > > > +1 for Radiator. It's not opensource as the original poster requested, > > > but it's certainly a solid and flexible radius server. > > > > it is Open Source, its just not free. you, as a user are free to > > look at the source code... > > > > please dont confuse 'open source' with 'free software', GPL , BSD, etc > > > > that said, their licence is onorous and feels like its a verbatim > > shrink-wrap EULA rather than dealing with what you get. does reading > > their PERL mean I am disassembling it? > > > > for this last reaosn alone, I'm +1 for FreeRADIUS > > > > alan > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From A.L.M.Buxey at lboro.ac.uk Mon Mar 9 12:21:23 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 9 Mar 2009 16:21:23 +0000 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <40d8a95a0903090859u31b633d3u2eb5db04d5160581@mail.gmail.com> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> <1236594848.10690.1.camel@dsba-ipso> <40d8a95a0903090859u31b633d3u2eb5db04d5160581@mail.gmail.com> Message-ID: <20090309162123.GB15892@lboro.ac.uk> Hi, > Post this in freeradius newsgroup http://freeradius.org/list/index.html > "Anyone to use freeradius in VPN Concentrator" alternatively use google. do most sites now ban access to google? :-) "freeradius cisco vpn concentrator" eg http://1000milesnetwork.blogspot.com/2005/12/freeradius-iii.html alan From mradulovic at comutel.co.rs Mon Mar 9 11:01:19 2009 From: mradulovic at comutel.co.rs (Miodrag Radulovic) Date: Mon, 9 Mar 2009 16:01:19 +0100 Subject: [c-nsp] AUTO: Miodrag Radulovic is out of the office (returning 16-03-2009) Message-ID: I am out of the office until 16-03-2009. Privremeno nedostupan - Out-of-Office Message. Poruka koju ste poslali je prispela i bice sacuvana, napominjem da je za vreme mog puta pristup elektronskoj posti veoma ogranicen. The message that you have sent will be saved in my inbox, but please note that I will be out of the country and my access to my email will be very limited. Miodrag Radulovic General Manager COMUTEL Note: This is an automated response to your message "cisco-nsp Digest, Vol 76, Issue 26" sent on 9.3.2009 11:34:21. This is the only notification you will receive while this person is away. From justin at justinshore.com Mon Mar 9 12:30:33 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 09 Mar 2009 11:30:33 -0500 Subject: [c-nsp] MPLS LDP and BGP Neighbor flapping constantly In-Reply-To: <49B01480.5020003@uk.clara.net> References: <49AF7271.40507@justinshore.com> <49B01480.5020003@uk.clara.net> Message-ID: <49B54429.2080505@justinshore.com> This message slipped through the cracks. It leads me to giving an update on the problem though. I worked with TAC to troubleshoot the issue last week. The TAC engineer also noticed the giants on the 7600's side. He tried sending large ICMPs through to the 7600 from the 7201. Nothing over 1508 would pass even though the interface MTU was 9000 on both sides (and the IP MTU followed). Even sending ICMPs WITHOUT df set still resulted in a failure. We dropped the MTU to 1500 and suddenly we could send large ICMPs that needed to be fragged. Very weird. It gets weirder though. Prior to calling TAC I upgraded the code on another 7201 that's dual-homed to both 7613s in the core. As soon as I reloaded that 7201 LDP on it also started flapping to BOTH 7600s (the original 7201 was only single-homed to one 7600). BGP appears to be unaffected on this 7201. So now I have 2 7201s with constantly flapping LDP neighbors. The 2nd 7201 also can't ping either 7600 with large ICMPs. However, and this is weird, BOTH 7600s can ping the loopback on the 7201 with 9000 byte ICMPs. When I wrote that last sentence it got me thinking. I was pinging from the 7201s to Lo0 on the 7600s. Large ICMPs weren't getting there and giants were logged on the incoming L3 interface on the 7600s. I can ping from the 2nd 7201 to the directly-connected interface on either 7600 with large ICMPs and they are not dropped and no giants are logged. Even though it can send large frames to the directly-connected interface it can't to the loopback. I don't believe that's normal. From the 7600 I can turn around and ping the loopback on the 2nd 7201 with jumbo frames without any problems. It's like MTU is only being honored in one direction. This is a confusing one to me that smells like a bug. I'm running SRB1 on both 7600s and was running different 12.4(15)Tn releases on the 7201s. They are both now running 12.2(24)T. I'll drop one of them back to an early 12.4(15)Tn tonight to troubleshoot if I have to. The problem occured on the 1st 7201 without a code change and didn't occur on the 2nd until after the code change and reboot. Any thoughts? Justin David Freedman wrote: > You appear to have a high number of input queue drops and input errors, > granted the counters have never been cleared, do you haver any PPS > graphs of the link between these two boxes? I would suspect a traffic > spike or link fault causing control messages to be dropped being the > cause here. From jmaimon at ttec.com Mon Mar 9 12:52:38 2009 From: jmaimon at ttec.com (Joe Maimon) Date: Mon, 09 Mar 2009 12:52:38 -0400 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <20090309090932.GB14149@lboro.ac.uk> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> Message-ID: <49B54956.6080107@ttec.com> A.L.M.Buxey at lboro.ac.uk wrote: > Hi, > >> +1 for Radiator. It's not opensource as the original poster requested, >> but it's certainly a solid and flexible radius server. > > it is Open Source, its just not free. you, as a user are free to > look at the source code... > > please dont confuse 'open source' with 'free software', GPL , BSD, etc This really isnt the time and place, but to prevent any confusion: Open Source has an official meaning and definition, which I believe the thread is referring to, as opposed to any other informal or incorrect meaning of the phrase. http://www.opensource.org/docs/osd Source Available does not mean Open Source. > that said, their licence is onorous and feels like its a verbatim > shrink-wrap EULA rather than dealing with what you get. does reading > their PERL mean I am disassembling it? Doesnt sound like it is Open Source by any definition. > > for this last reaosn alone, I'm +1 for FreeRADIUS > > alan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From frnkblk at iname.com Mon Mar 9 14:32:33 2009 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Mon, 9 Mar 2009 13:32:33 -0500 Subject: [c-nsp] Egress shaping/policing for bandwidth control on a 3750-ME Message-ID: I have two Cisco 3750-ME (Metro) where we are trying to apply an 8 Mbps bandwidth limit to it. We tried HQM shaping but got a lovely message that "Hierarchical service-policies are only supported on ES interfaces". When we tried policing, we can't seem to apply the "mls qos bridged" command to it: router(config)#interface vlan 260 router(config-if)#mls ? % Unrecognized command router(config-if)#mls This is the relevant configuration to our policing attempt: ip access-list extended customer-policer_inbound permit ip any any ip access-list extended customer-policer_outbound permit ip any any class-map match-any customer-networks match access-group name customer-policer_inbound match access-group name customer-policer_outbound ! policy-map customer-policer class customer-networks police 8000000 1000000 exceed-action drop ! interface Vlan260 mls qos bridged service-policy input customer-policer service-policy output customer-policer ! interface Gi1/0/1 mls qos vlan-based ! To get shaping work we should have had the uplink interface use non-ES ports and the interface facing our core use the ES ports. Any other ideas in terms or policing/shaping? Regards, Frank From peter at rathlev.dk Mon Mar 9 17:15:44 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 09 Mar 2009 22:15:44 +0100 Subject: [c-nsp] FWSM HA secondary reload & long downtime Message-ID: <1236633344.3572.13.camel@localhost.localdomain> Hi, We've had some problems with an old pair of FWSMs lately running 2.3(4). We're testing and collecting information to maybe open a ticket, but during this I found something I hadn't expected. Currently we have experienced ~10 secs failover from active to standby in a HA pair when using 3 sec hello and 10 sec downtime. This is fine for us. On a running system we can switch around with "no failover active" / "failover active" with no problems either. BUT: When we reload the standby unit, we experience very long downtime. It seems to happen when the standby unit resurfaces and seems to be for as long as they're replicating configurations. This time around it was the configured secondary that was active. When the primary was brought up the secondary's logs said: Mar 09 2009 16:39:56: %FWSM-1-709003: (Secondary) Beginning configuration replication: Send to mate. Mar 09 2009 16:41:26: %FWSM-1-709004: (Secondary) End Configuration Replication (ACT) Are we supposed to have this much downtime for an _up_ convergence? This pair is configured with 19 contexts, so replication of course must take some time. I just don't see why the running active has to stop forwarding traffic. I can't seem to find any information on this on cisco.com, still looking though. I can't test it very much because we only have one spare FWSM. :-( Failover configuration from sys context: failover failover lan unit secondary failover lan interface failover vlan 553 failover polltime unit 3 holdtime 10 failover polltime interface 3 failover interface-policy 1 failover replication http failover link statefullfailover vlan 554 failover interface ip failover 10.220.254.1 255.255.255.0 standby 10.220.254.2 failover interface ip statefullfailover 10.220.253.1 255.255.255.0 standby 10.220.253.2 The primary (standby) is of course configured similarly. Any comments/pointers very much appreciated. :-) Regards, Peter From david at hughes.com.au Mon Mar 9 19:02:42 2009 From: david at hughes.com.au (David Hughes) Date: Tue, 10 Mar 2009 09:02:42 +1000 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> Message-ID: On 09/03/2009, at 1:29 PM, Chris Hills wrote: > David Hughes wrote: >> +1 for Radiator. It's not opensource as the original poster >> requested, >> but it's certainly a solid and flexible radius server. > > Radiator /is/ open-source, but it is not free. Nope. Commercial licensed product. Which isn't a bad thing - it helps the guys writing the code feed themselves. David ... From jay at west.net Mon Mar 9 19:14:33 2009 From: jay at west.net (Jay Hennigan) Date: Mon, 09 Mar 2009 16:14:33 -0700 Subject: [c-nsp] snmp-server ifindex persist - store data on flash/disk? Message-ID: <49B5A2D9.5000106@west.net> We have a number of 7206VXR boxes terminating ATM ADSL aggregation circuits. With a large number of interfaces, the persistent index table is too large for NVRAM and the interface IDs change on reboot just as if the command weren't specified. Is there a workaround or command to store the persistent data on the flash disk which has plenty of room? -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From jlewis at lewis.org Mon Mar 9 19:16:49 2009 From: jlewis at lewis.org (Jon Lewis) Date: Mon, 9 Mar 2009 19:16:49 -0400 (EDT) Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: <1236594848.10690.1.camel@dsba-ipso> References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> <1236594848.10690.1.camel@dsba-ipso> Message-ID: On Mon, 9 Mar 2009, luismi wrote: > Hi all, > > As I can see there is just two options over the table: Freeradius and > Radiator. Another option is Cistron Radius http://www.radius.cistron.nl/ which is probably going to be pretty similar to Freeradius, since the latter is apparently a fork of the former. Radiator is perl, so you get the 'source code', but it's not open source and you do need to buy a license to use it. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From deric.kwok2000 at gmail.com Mon Mar 9 19:20:12 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Mon, 9 Mar 2009 19:20:12 -0400 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au>

Message-ID: <40d8a95a0903091620j1c707e14k4e6a65f1f1564b9d@mail.gmail.com> Yes. isn't bad It depends on the budget You can spend hundred thousand dollars to buy 10G router or buy $1,500 a (4 cores) computer running quagga to have $6,000 a 10G card on it. On Mon, Mar 9, 2009 at 7:02 PM, David Hughes wrote: > > On 09/03/2009, at 1:29 PM, Chris Hills wrote: > > David Hughes wrote: >> >>> +1 for Radiator. It's not opensource as the original poster requested, >>> but it's certainly a solid and flexible radius server. >>> >> >> Radiator /is/ open-source, but it is not free. >> > > Nope. Commercial licensed product. Which isn't a bad thing - it helps the > guys writing the code feed themselves. > > > > David > ... > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From cmadams at hiwaay.net Mon Mar 9 19:50:53 2009 From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 9 Mar 2009 18:50:53 -0500 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> <1236594848.10690.1.camel@dsba-ipso> Message-ID: <20090309235053.GA604180@hiwaay.net> Once upon a time, Jon Lewis said: > Another option is Cistron Radius http://www.radius.cistron.nl/ which is > probably going to be pretty similar to Freeradius, since the latter is > apparently a fork of the former. Cistron RADIUS (which was based on the original Livingston RADIUS server) development has pretty much stopped in favor of FreeRADIUS. There is also a fork of FreeRADIUS called OpenRADIUS; I don't remember the reasons for the fork. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From brad.henshaw at qcn.com.au Mon Mar 9 19:59:19 2009 From: brad.henshaw at qcn.com.au (Brad Henshaw) Date: Tue, 10 Mar 2009 09:59:19 +1000 Subject: [c-nsp] Egress shaping/policing for bandwidth control on a 3750-ME Message-ID: <8B25B862BC09784B9B74FB950D4F64D40F81CF@qcnapp01.corp.qcn> Frank Bulk - iName.com wrote: > I have two Cisco 3750-ME (Metro) where we are trying to apply > an 8 Mbps bandwidth limit to it. > We tried HQM shaping but got a lovely message that "Hierarchical > service-policies are only supported on ES interfaces". Frank, The 3750ME can only do per-VLAN shaping on the ES ports. You can shape standard ports (but not per-VLAN) in increments of 10% of the port speed using the 'srr-queue bandwidth limit' command. To achieve 8Mbps with this you'd need to lock the [FastEthernet] port to 10Mbps and set the limit to 80%. Buffering of packets is less than ideal. The 3750ME supports hierarchical dual-level *ingress* policies on SVIs. To use these you need to set 'mls qos vlan-based' on the port and may or may not need to use a 'match input-interface' statement in the class of a subpolicy. (I've never used these so can't comment with authority) I'd provide an example but I'd just be ripping it from page 35-71 of the 3750 Metro 12.2(46)SE Software Configuration Guide ;-) I'm pretty sure neither SVIs nor standard ports support output policies so you'd best do as much as you can on the ES ports on ingress from your core. Note that ingress service policies on 12.2(44)SE1 seem to be broken - This may also affect other versions. We never logged a bug because it's fixed in 12.2(46)SE. Overall I think the quality control on IOS releases for the 3750ME leaves a BLOODY LOT to be desired. Regards, Brad From andy.saykao at staff.netspace.net.au Mon Mar 9 21:19:27 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Tue, 10 Mar 2009 12:19:27 +1100 Subject: [c-nsp] L3 MPLS VPN Question - Redundant Internet Access Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654C4E@vic-cr-ex1.staff.netspace.net.au> Hi All, I'm trying to build some redundancy for our L3 MPLS VPN customers for Internet access. At the moment, customers gain Internet access via their Central Site. We configure a default route on the PE connecting the Central Site and use BGP to redistribute the default route to all other PE's with the "default-information originate" command like so: ip route vrf NSTEST 0.0.0.0 0.0.0.0 GigabitEthernet0/1.902 10.15.99.2 ! interface GigabitEthernet0/1.902 description NSTEST VPN Link encapsulation dot1Q 902 ip vrf forwarding NSTEST ip address 10.15.99.1 255.255.255.252 ! address-family ipv4 vrf NSTEST redistribute connected redistribute static default-information originate no auto-summary no synchronization exit-address-family In the event that the VPN link to the Central Site goes down and branch sites can no longer gain Internet access via the Central Site, I've set up a NAT-PE for Internet traffic as a form of redundancy. [WWW] <-- [NAT-PE] <-- [Branch Site] --> [Central Site] --> [WWW] To accomplish this, I configured a default route on the NAT-PE and can "manuallly" trigger the default route to be redistributed to the PE's when the Central Site is down - just wondering if there a way to do this automatically so that when the Central Site is down, Internet traffic goes via the NAT-PE and when the Central Site is back up, Internet traffic once again goes via the Central Site??? The NAT-PE is a dedicated router and has no CE's attached to it. I've tried a few different things, but couldn't get it to work. I'm not sure if you can alter the way iBGP behaves and maybe give the default route learnt from the NAT-PE via iBGP a higher admistrative distance of say 250 (rather than the default 200) so that when the Central Site is down, the default route from the NAT-PE gets installed. Thanks. Andy This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From oboehmer at cisco.com Tue Mar 10 03:01:28 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 10 Mar 2009 08:01:28 +0100 Subject: [c-nsp] L3 MPLS VPN Question - Redundant Internet Access In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654C4E@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE03654C4E@vic-cr-ex1.staff.netspace.net.au> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840704CE8C@xmb-ams-333.emea.cisco.com> Andy Saykao <> wrote on Tuesday, March 10, 2009 02:19: [...] > In the event that the VPN link to the Central Site goes down and > branch sites can no longer gain Internet access via the Central Site, > I've set > up a NAT-PE for Internet traffic as a form of redundancy. > > [WWW] <-- [NAT-PE] <-- [Branch Site] --> [Central Site] --> [WWW] > > To accomplish this, I configured a default route on the NAT-PE and can > "manuallly" trigger the default route to be redistributed to the PE's > when the Central Site is down - just wondering if there a way to do > this automatically so that when the Central Site is down, Internet > traffic goes via the NAT-PE and when the Central Site is back up, Internet > traffic once again goes via the Central Site??? The NAT-PE is a > dedicated router and has no CE's attached to it. sure: on the NAT-PE, you can have the default-route up all the time (as there is no CE attached to it), so just advertise it with a lower local-pref: address-family ipv4 vrf .. default-information originate redistribute static route-map foo ! ip route vrf 0.0.0.0 0.0.0.0 oif next-hop ! route-map foo set local-preference 80 if you don't want the NAT-PE to always have the static default up, you need to use a floating static and manipulate the weight so the central site's default route will overwrite it: ip route vrf 0.0.0.0 0.0.0.0 oif next-hop 210 route-map foo set local-preference 80 set weight 0 HTH, oli From manafo at hotmail.com Tue Mar 10 03:41:59 2009 From: manafo at hotmail.com (Manaf Al Oqlah) Date: Tue, 10 Mar 2009 09:41:59 +0200 Subject: [c-nsp] OSPF Default Route Message-ID: Hi, Is there any way to advertise default route in OSPF with a specific metric to an interface and another metric to another interface. For example, I want to advertise default route (default-information originate) for neighbor connected to gigabit 1/0 with metric 10 and for neighbor connected to gigabit 1/1 with metric 20. Thank you From b.turnbow at twt.it Tue Mar 10 04:22:41 2009 From: b.turnbow at twt.it (Brian Turnbow) Date: Tue, 10 Mar 2009 09:22:41 +0100 Subject: [c-nsp] snmp-server ifindex persist - store data on flash/disk? In-Reply-To: <49B5A2D9.5000106@west.net> References: <49B5A2D9.5000106@west.net> Message-ID: I'm guessing you want the fixed ifindex for snmp polling purposes. If that is the case try the aal5 cisco mib where you can poll based on vc data. Note that it seems to not work well if you have persistent indexes in use , at least on 12.2SB. Brian -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan Sent: marted? 10 marzo 2009 0.15 To: cisco-nsp at puck.nether.net Subject: [c-nsp] snmp-server ifindex persist - store data on flash/disk? We have a number of 7206VXR boxes terminating ATM ADSL aggregation circuits. With a large number of interfaces, the persistent index table is too large for NVRAM and the interface IDs change on reboot just as if the command weren't specified. Is there a workaround or command to store the persistent data on the flash disk which has plenty of room? -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From oboehmer at cisco.com Tue Mar 10 05:40:42 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 10 Mar 2009 10:40:42 +0100 Subject: [c-nsp] OSPF Default Route In-Reply-To: References: Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840704CFBA@xmb-ams-333.emea.cisco.com> Manaf Al Oqlah <> wrote on Tuesday, March 10, 2009 08:42: > Hi, > > Is there any way to advertise default route in OSPF with a specific > metric to an interface and another metric to another interface. For > example, I want to advertise default route (default-information > originate) for neighbor connected to gigabit 1/0 with metric 10 and > for neighbor connected to gigabit 1/1 with metric 20. generally no, OSPF is a link-state protocol, so all routers in the area have the same visibility.. I guess you need to play with interface costs on the neighbors to achieve what you want.. oli From manafo at hotmail.com Tue Mar 10 03:41:59 2009 From: manafo at hotmail.com (Manaf Al Oqlah) Date: Tue, 10 Mar 2009 09:41:59 +0200 Subject: [c-nsp] OSPF Default Route Message-ID: Hi, Is there any way to advertise default route in OSPF with a specific metric to an interface and another metric to another interface. For example, I want to advertise default route (default-information originate) for neighbor connected to gigabit 1/0 with metric 10 and for neighbor connected to gigabit 1/1 with metric 20. Thank you From howie at thingy.com Tue Mar 10 06:00:53 2009 From: howie at thingy.com (Howard Jones) Date: Tue, 10 Mar 2009 10:00:53 +0000 Subject: [c-nsp] L2TPv3 sizing? Message-ID: <49B63A55.4020401@thingy.com> Can anyone point me to any documentation/whitepaper regarding router sizing for L2TPv3 throughput? We're trying to understand what the startup cost would be for a couple of ~100Mbit/sec L2TPv3 ethernet-to-ethernet tunnels as an alternative to a full MPLS solution. Is there any Cisco (or 3rd party) information on what size routers would be needed for given link sizes? My google-fu is weak on this. Thanks in advance for any pointers, Howie From sam_mailinglists at spacething.org Tue Mar 10 06:23:10 2009 From: sam_mailinglists at spacething.org (Sam Stickland) Date: Tue, 10 Mar 2009 10:23:10 +0000 Subject: [c-nsp] Buggy interface counters in12.2(33)SB2 ? Message-ID: <49B63F8E.8070008@spacething.org> Hey guys, It looks like we are seeing bogus interface counters (SNMP and CLI) in 12.2(33)SB2 on a 7304 NSE150. I'm just trying good ol' bog standard MRTG to rule out our monitoring systems, but I'm curious if anyone else has seen this? Sam From A.L.M.Buxey at lboro.ac.uk Tue Mar 10 07:23:06 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Tue, 10 Mar 2009 11:23:06 +0000 Subject: [c-nsp] OSPF Default Route In-Reply-To: References: Message-ID: <20090310112306.GF18951@lboro.ac.uk> Hi, > Hi, > > Is there any way to advertise default route in OSPF with a specific metric to an interface and another metric to another interface. For example, I want to advertise default route (default-information originate) for neighbor connected to gigabit 1/0 with metric 10 and for neighbor connected to gigabit 1/1 with metric 20. yes. I'll dig through my bookmarks to see if i can.....ah yes, here: http://www.nil.si/ipcorner/OSPFDefaultMysteries/ (PS thanks Ivan!) alan From hiromasa.sekiguchi at ctc-g.co.jp Tue Mar 10 07:25:31 2009 From: hiromasa.sekiguchi at ctc-g.co.jp (Hiromasa Sekiguchi) Date: Tue, 10 Mar 2009 20:25:31 +0900 Subject: [c-nsp] 802.3z document Message-ID: <49B64E2B.7090004@ctc-g.co.jp> Hi all, I would like to know signaling procedure on gigamit ethernet(802.3z). Does anyonw have 802.3z standard document? Regards, Hiromasa From hiromasa.sekiguchi at ctc-g.co.jp Tue Mar 10 07:34:00 2009 From: hiromasa.sekiguchi at ctc-g.co.jp (Hiromasa Sekiguchi) Date: Tue, 10 Mar 2009 20:34:00 +0900 Subject: [c-nsp] 802.3z document In-Reply-To: <49B64E2B.7090004@ctc-g.co.jp> References: <49B64E2B.7090004@ctc-g.co.jp> Message-ID: <49B65028.3040407@ctc-g.co.jp> Hi all, I have an additional questions. We have two line cards. - WS-X4506-GB-T - WS-X4448-GB-SFP Do they work fine 802.3z? We have some interoperability issue... So, we would like to know two line cards support 802.3z or not. Is there any document? Regards, Hiromasa On 2009/03/10 20:25, Hiromasa Sekiguchi wrote: > Hi all, > > I would like to know signaling procedure on gigamit ethernet(802.3z). > > Does anyonw have 802.3z standard document? > > Regards, > Hiromasa From sam_mailinglists at spacething.org Tue Mar 10 07:35:37 2009 From: sam_mailinglists at spacething.org (Sam Stickland) Date: Tue, 10 Mar 2009 11:35:37 +0000 Subject: [c-nsp] Buggy interface counters in12.2(33)SB2 ? In-Reply-To: <49B63F8E.8070008@spacething.org> References: <49B63F8E.8070008@spacething.org> Message-ID: <49B65089.1010602@spacething.org> Sam Stickland wrote: > Hey guys, > > It looks like we are seeing bogus interface counters (SNMP and CLI) in > 12.2(33)SB2 on a 7304 NSE150. > > I'm just trying good ol' bog standard MRTG to rule out our monitoring > systems, but I'm curious if anyone else has seen this? MRTG just started graphing the same nonsense values (and yes I am using SNMP v2c ;) ), so it definately looks like a bug. Time for a TAC case. Sam From topperm9 at gmail.com Tue Mar 10 07:41:59 2009 From: topperm9 at gmail.com (Matthew Topper) Date: Tue, 10 Mar 2009 07:41:59 -0400 Subject: [c-nsp] Buggy interface counters in12.2(33)SB2 ? In-Reply-To: <49B63F8E.8070008@spacething.org> References: <49B63F8E.8070008@spacething.org> Message-ID: <20090310074159.595d21bd@gmail.com> We had the exact same problem here. Specifically, while we were polling ifInBroadcastPkts, the value appeared to be going down! After some investigation, it turned out that the 32 bit counter was wrapping so we tried the ifHCInBroadcastPkts counter. Well, it wasn't wrapping but it was going up by almost exactly 2^32 whenever it went up at all. Upgrading to SB3 fixed the issue for us. -Matt On Tue, 10 Mar 2009 10:23:10 +0000 Sam Stickland wrote: > Hey guys, > > It looks like we are seeing bogus interface counters (SNMP and CLI) > in 12.2(33)SB2 on a 7304 NSE150. > > I'm just trying good ol' bog standard MRTG to rule out our monitoring > systems, but I'm curious if anyone else has seen this? > > Sam > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From alexmoya at bellsouth.net Tue Mar 10 07:45:53 2009 From: alexmoya at bellsouth.net (Alex Moya) Date: Tue, 10 Mar 2009 07:45:53 -0400 Subject: [c-nsp] Egress shaping/policing for bandwidth control on a 3750-ME In-Reply-To: <8B25B862BC09784B9B74FB950D4F64D40F81CF@qcnapp01.corp.qcn> References: <8B25B862BC09784B9B74FB950D4F64D40F81CF@qcnapp01.corp.qcn> Message-ID: <8110A8DE-9DDE-4463-ADBE-39A00541603D@bellsouth.net> Try policing the port Sent from my iPhone On Mar 9, 2009, at 7:59 PM, "Brad Henshaw" wrote: > Frank Bulk - iName.com wrote: > >> I have two Cisco 3750-ME (Metro) where we are trying to apply >> an 8 Mbps bandwidth limit to it. >> We tried HQM shaping but got a lovely message that "Hierarchical >> service-policies are only supported on ES interfaces". > > Frank, > > The 3750ME can only do per-VLAN shaping on the ES ports. > > You can shape standard ports (but not per-VLAN) in increments of 10% > of > the port speed using the 'srr-queue bandwidth limit' command. To > achieve > 8Mbps with this you'd need to lock the [FastEthernet] port to 10Mbps > and > set the limit to 80%. Buffering of packets is less than ideal. > > The 3750ME supports hierarchical dual-level *ingress* policies on > SVIs. > To use these you need to set 'mls qos vlan-based' on the port and may > or may not need to use a 'match input-interface' statement in the > class > of a subpolicy. (I've never used these so can't comment with > authority) > > I'd provide an example but I'd just be ripping it from page 35-71 of > the 3750 Metro 12.2(46)SE Software Configuration Guide ;-) > > I'm pretty sure neither SVIs nor standard ports support output > policies > so you'd best do as much as you can on the ES ports on ingress from > your > core. > > Note that ingress service policies on 12.2(44)SE1 seem to be broken - > This may also affect other versions. We never logged a bug because > it's > fixed in 12.2(46)SE. > > Overall I think the quality control on IOS releases for the 3750ME > leaves a BLOODY LOT to be desired. > > Regards, > Brad > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From howie at thingy.com Tue Mar 10 08:23:27 2009 From: howie at thingy.com (Howard Jones) Date: Tue, 10 Mar 2009 12:23:27 +0000 Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices? In-Reply-To: References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> <1236594848.10690.1.camel@dsba-ipso> Message-ID: <49B65BBF.5000204@thingy.com> Jon Lewis wrote: > Another option is Cistron Radius http://www.radius.cistron.nl/ which > is probably going to be pretty similar to Freeradius, since the latter > is apparently a fork of the former. > > Radiator is perl, so you get the 'source code', but it's not open > source and you do need to buy a license to use it. The perl aspect also makes it pretty easy to add new functionality or backends too (assuming you have some perl experience!) - we added some stuff to restrict what IP addresses could appear in a Framed-IP-Address entry in about an hour or so, for example. The Radiator guys also have excellent support, the few times we've needed to use it. Definitely would recommend it. Howie From skeeve at skeeve.org Tue Mar 10 08:26:42 2009 From: skeeve at skeeve.org (Skeeve Stevens) Date: Tue, 10 Mar 2009 23:26:42 +1100 Subject: [c-nsp] Supress STP on a port? Message-ID: Is it possible to suppress STP on a specific port? .Skeeve -- Skeeve Stevens, RHCE skeeve at skeeve.org / www.skeeve.org Cell +61 (0)414 753 383 / skype://skeeve eintellego - skeeve at eintellego.net - www.eintellego.net -- I'm a groove licked love child king of the verse Si vis pacem, para bellum From brad.henshaw at qcn.com.au Tue Mar 10 08:31:55 2009 From: brad.henshaw at qcn.com.au (Brad Henshaw) Date: Tue, 10 Mar 2009 22:31:55 +1000 Subject: [c-nsp] Supress STP on a port? References: Message-ID: <8B25B862BC09784B9B74FB950D4F64D401F8FA@qcnapp01.corp.qcn> Skeeve Stevens wrote: > Is it possible to suppress STP on a specific port? spanning-tree bpdufilter enable Regards, Brad From csirek at cooler.hu Tue Mar 10 08:39:45 2009 From: csirek at cooler.hu (Nemeth Laszlo) Date: Tue, 10 Mar 2009 13:39:45 +0100 Subject: [c-nsp] Etherchannel guard vs. mstp Message-ID: <49B65F91.8000807@cooler.hu> Dear List, I have 6500/SUP720-3BXL with ipservicesk9-mz.122-18.SXF13.bin (this is Router A) , a 7600/RSP720-3CXL with advipservicesk9-mz.122-33.SRC3.bin (this is Router B), and a Router C 6500/3BXL with ipservicesk9-mz.122-18.SXF6.bin. The topology is: Router A == 4x10G (lacp) == Router B == 2x10G (pagp) == Router C All routers run Rapid-PVSTP. I needed to change the STP from RSTP to MSTP on all devices. The first router was the Router A. It changed without problem. But when i sent the "spanning-tree mode mstp" to Router B it put down the 4x10G Etherchannel link with Router A and logged it: Mar 9 16:04:57.669 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig error detected on Te1/3, putting Te1/3 in err-disable state Mar 9 16:04:57.677 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig error detected on Te1/4, putting Te1/4 in err-disable state Mar 9 16:04:57.685 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig error detected on Te2/3, putting Te2/3 in err-disable state Mar 9 16:04:57.701 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig error detected on Te2/4, putting Te2/4 in err-disable state Mar 9 16:04:57.641 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Te1/3 in err-disable state Mar 9 16:04:57.653 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Te1/4 in err-disable state Mar 9 16:04:57.665 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Te2/3 in err-disable state Mar 9 16:04:57.673 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Te2/4 in err-disable state Mar 9 16:04:57.685 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Po3 in err-disable state The Etherchannel with Router C stilled UP only the Router A went down. If i deleted and recreated the port channel with LACP or PAGP or other etherchannel number, the result always it: put down the links. If i changed back to RSTP on the Router B, all links went UP with router A and it's working without problem. So the topology now is: Router A runs MSTP, router B runs RSTP and router C runs RSTP too. I think the STP's etherchannel guard put down the link, but i don't found any bug that made this problem in the BugTool at Cisco.com. Any idea? Thanks Laszlo From ibrahim.abozaid at gmail.com Tue Mar 10 08:45:37 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Tue, 10 Mar 2009 14:45:37 +0200 Subject: [c-nsp] default route and PBR set ip next-hop Message-ID: Hi All I was checking when routers PBR traffic to certain NH , it checks if NH route exit in routing table or not , if exist , traffic is PBR and if not traffic is normally routed so my question is , if there is a default route , will it considered a valid route to reach the specified NH or this check depends on specific routes ? best regards --Ibrahim From csirek at cooler.hu Tue Mar 10 08:51:26 2009 From: csirek at cooler.hu (Nemeth Laszlo) Date: Tue, 10 Mar 2009 13:51:26 +0100 Subject: [c-nsp] Etherchannel guard vs. mstp] Message-ID: <49B6624E.90108@cooler.hu> Hi I make a mistake in the Routers name. This is the good version: I have a 7600/RSP720-3CXL with advipservicesk9-mz.122-33.SRC3.bin (this is Router A), 6500/SUP720-3BXL with ipservicesk9-mz.122-18.SXF13.bin (this is Router B) and a C 6500/3BXL with ipservicesk9-mz.122-18.SXF6.bin (Router C) The topology is: Router A == 4x10G (lacp) == Router B == 2x10G (pagp) == Router C All routers run Rapid-PVSTP. I needed to change the STP from RSTP to MSTP on all devices. The first router was the Router A. It changed without problem. But when i sent the "spanning-tree mode mstp" to Router B it put down the 4x10G Etherchannel link with Router A and logged it: Mar 9 16:04:57.669 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig error detected on Te1/3, putting Te1/3 in err-disable state Mar 9 16:04:57.677 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig error detected on Te1/4, putting Te1/4 in err-disable state Mar 9 16:04:57.685 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig error detected on Te2/3, putting Te2/3 in err-disable state Mar 9 16:04:57.701 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig error detected on Te2/4, putting Te2/4 in err-disable state Mar 9 16:04:57.641 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Te1/3 in err-disable state Mar 9 16:04:57.653 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Te1/4 in err-disable state Mar 9 16:04:57.665 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Te2/3 in err-disable state Mar 9 16:04:57.673 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Te2/4 in err-disable state Mar 9 16:04:57.685 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po3, putting Po3 in err-disable state The Etherchannel with Router C stilled UP only the Router A went down. If i deleted and recreated the port channel with LACP or PAGP or other etherchannel number, the result always it: put down the links. If i changed back to RSTP on the Router B, all links went UP with router A and it's working without problem. So the topology now is: Router A runs MSTP, router B runs RSTP and router C runs RSTP too. I think the STP's etherchannel guard put down the link, but i don't found any bug that made this problem in the BugTool at Cisco.com. Any idea? Thanks Laszlo _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From skeeve at skeeve.org Tue Mar 10 08:53:57 2009 From: skeeve at skeeve.org (Skeeve Stevens) Date: Tue, 10 Mar 2009 23:53:57 +1100 Subject: [c-nsp] Supress STP on a port? In-Reply-To: <8B25B862BC09784B9B74FB950D4F64D401F8FA@qcnapp01.corp.qcn> References: <8B25B862BC09784B9B74FB950D4F64D401F8FA@qcnapp01.corp.qcn> Message-ID: Thanks Brad and Glovanni -----Original Message----- From: Brad Henshaw [mailto:brad.henshaw at qcn.com.au] Sent: Tuesday, 10 March 2009 11:32 PM To: skeeve at skeeve.org; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Supress STP on a port? Skeeve Stevens wrote: > Is it possible to suppress STP on a specific port? spanning-tree bpdufilter enable Regards, Brad From blahu77 at gmail.com Tue Mar 10 09:07:27 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Tue, 10 Mar 2009 13:07:27 +0000 Subject: [c-nsp] Etherchannel guard vs. mstp] In-Reply-To: <49B6624E.90108@cooler.hu> References: <49B6624E.90108@cooler.hu> Message-ID: <383357750903100607n255c4dadw8b7a8549977175d1@mail.gmail.com> I would suggest a reload after changing the spanning tree mode 2009/3/10 Nemeth Laszlo : > Hi > > I make a mistake in the Routers name. > > This is the good version: > > I have a 7600/RSP720-3CXL with advipservicesk9-mz.122-33.SRC3.bin > (this is Router A), 6500/SUP720-3BXL with ipservicesk9-mz.122-18.SXF13.bin > (this is Router B) and a C 6500/3BXL with ipservicesk9-mz.122-18.SXF6.bin > (Router C) > > The topology is: > > Router A ?== 4x10G (lacp) == ?Router B ?== 2x10G (pagp) == ?Router C > > > All routers run Rapid-PVSTP. > > I needed to change the STP from RSTP to MSTP on all devices. > > The first router was the Router A. It changed without problem. > But when i sent the "spanning-tree mode mstp" to Router B it put down > the 4x10G Etherchannel link with Router A and logged it: > > Mar ?9 16:04:57.669 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig > error detected on Te1/3, putting Te1/3 in err-disable state > Mar ?9 16:04:57.677 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig > error detected on Te1/4, putting Te1/4 in err-disable state > Mar ?9 16:04:57.685 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig > error detected on Te2/3, putting Te2/3 in err-disable state > Mar ?9 16:04:57.701 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig > error detected on Te2/4, putting Te2/4 in err-disable state > > Mar ?9 16:04:57.641 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error > detected on Po3, putting Te1/3 in err-disable state > Mar ?9 16:04:57.653 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error > detected on Po3, putting Te1/4 in err-disable state > Mar ?9 16:04:57.665 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error > detected on Po3, putting Te2/3 in err-disable state > Mar ?9 16:04:57.673 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error > detected on Po3, putting Te2/4 in err-disable state > Mar ?9 16:04:57.685 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig error > detected on Po3, putting Po3 in err-disable state > > > The Etherchannel with Router C stilled UP only the Router A went down. > > If i deleted and recreated the port channel with LACP or PAGP or other > etherchannel number, the result always it: put down the links. > > If i changed back to RSTP on the Router B, all links went UP with router > A and it's working without problem. > > So the topology now is: Router A runs MSTP, router B runs RSTP and > router C runs ?RSTP too. > > I think the STP's etherchannel guard put down the link, but i don't > found any bug that made this problem in the BugTool at Cisco.com. > > Any idea? > > Thanks > > Laszlo > > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- pgp-key 0x1C655CAB From rens at autempspourmoi.be Tue Mar 10 09:11:56 2009 From: rens at autempspourmoi.be (Rens) Date: Tue, 10 Mar 2009 14:11:56 +0100 Subject: [c-nsp] L2TPv3 sizing? In-Reply-To: <49B63A55.4020401@thingy.com> References: <49B63A55.4020401@thingy.com> Message-ID: Have a look at Cisco Routing Performance sheet. This already gives you an indication of the speed with 64 byte packet sizes without L2TPv3. The second think you need to make sure is that the router does not fragment any of the big packets. I have only been able to test this with 7206VXR platform, not sure how well other routers handle fragmentation. I have already seen speeds of 300Mbps+ with L2TPv3 tunnel with 2x 7206VXR NPE-400 (with 1024-1522 frame sizes) I guess if you want also that speed with 64 byte you will have to need NPE-G1. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Jones Sent: mardi 10 mars 2009 11:01 To: cisco-nsp at puck.nether.net Subject: [c-nsp] L2TPv3 sizing? Can anyone point me to any documentation/whitepaper regarding router sizing for L2TPv3 throughput? We're trying to understand what the startup cost would be for a couple of ~100Mbit/sec L2TPv3 ethernet-to-ethernet tunnels as an alternative to a full MPLS solution. Is there any Cisco (or 3rd party) information on what size routers would be needed for given link sizes? My google-fu is weak on this. Thanks in advance for any pointers, Howie _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cchurc05 at harris.com Tue Mar 10 09:44:51 2009 From: cchurc05 at harris.com (Church, Charles) Date: Tue, 10 Mar 2009 08:44:51 -0500 Subject: [c-nsp] 100FX duplex Message-ID: Hey all, Sorry about the really basic question. Can't find a definitive answer anywhere else. Does 100FX do auto-negotiation of duplex? If not, do they default to half or full? We're seeing odd things on our stuff, some are Cisco to Cisco links, some are Cisco to various brands of media converters on into a 10/100 port. Odd things such as collisions on ports set to full, huge amounts of FCS errors at places, etc. The semi-dumb media converters have dip switches that mention duplex, but the directions seem to indication that it affects the copper side of it only. Any good advice? Thanks, Chuck From ross at kallisti.us Tue Mar 10 10:07:56 2009 From: ross at kallisti.us (Ross Vandegrift) Date: Tue, 10 Mar 2009 10:07:56 -0400 Subject: [c-nsp] 802.3z document In-Reply-To: <49B64E2B.7090004@ctc-g.co.jp> References: <49B64E2B.7090004@ctc-g.co.jp> Message-ID: <20090310140756.GA22881@kallisti.us> On Tue, Mar 10, 2009 at 08:25:31PM +0900, Hiromasa Sekiguchi wrote: > Hi all, > > I would like to know signaling procedure on gigamit ethernet(802.3z). > > Does anyonw have 802.3z standard document? You can get all of IEEE 802 for free directly from IEEE. Check out: http://standards.ieee.org/getieee802/ for PDF downlods. -- Ross Vandegrift ross at kallisti.us "If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie From ross at kallisti.us Tue Mar 10 10:16:55 2009 From: ross at kallisti.us (Ross Vandegrift) Date: Tue, 10 Mar 2009 10:16:55 -0400 Subject: [c-nsp] Etherchannel guard vs. mstp In-Reply-To: <49B65F91.8000807@cooler.hu> References: <49B65F91.8000807@cooler.hu> Message-ID: <20090310141655.GB22881@kallisti.us> On Tue, Mar 10, 2009 at 01:39:45PM +0100, Nemeth Laszlo wrote: > The first router was the Router A. It changed without problem. > But when i sent the "spanning-tree mode mstp" to Router B it put down > the 4x10G Etherchannel link with Router A and logged it: > > Mar 9 16:04:57.669 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig > error detected on Te1/3, putting Te1/3 in err-disable state > Mar 9 16:04:57.677 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig > error detected on Te1/4, putting Te1/4 in err-disable state > Mar 9 16:04:57.685 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig > error detected on Te2/3, putting Te2/3 in err-disable state > Mar 9 16:04:57.701 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel-misconfig > error detected on Te2/4, putting Te2/4 in err-disable state I'm running ethernetchannel with MSTP and don't have any problems. Do you have STP config on the associated member interfaces? If changing the STP mode causes problems, I'm guessing you have config left on the individual interfaces and this causes the STP state machine to change the state of the member interfaces. On some platforms (6500, for example), the port bundler freaks out if you change anything on the member interfaces. On other platforms (2960, for example), IOS will simply refuse to apply any changes. Ross -- Ross Vandegrift ross at kallisti.us "If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie From hiromasa.sekiguchi at ctc-g.co.jp Tue Mar 10 10:26:01 2009 From: hiromasa.sekiguchi at ctc-g.co.jp (Hiromasa Sekiguchi) Date: Tue, 10 Mar 2009 23:26:01 +0900 Subject: [c-nsp] 802.3z document In-Reply-To: <49B65028.3040407@ctc-g.co.jp> References: <49B64E2B.7090004@ctc-g.co.jp> <49B65028.3040407@ctc-g.co.jp> Message-ID: <49B67879.90003@ctc-g.co.jp> Hi all, Do they support clause 36, 37 on 802.3z? Regards, Hiromasa On 2009/03/10 20:34, Hiromasa Sekiguchi wrote: > Hi all, > > I have an additional questions. > > We have two line cards. > - WS-X4506-GB-T > - WS-X4448-GB-SFP > > Do they work fine 802.3z? > > We have some interoperability issue... > > So, we would like to know two line cards support 802.3z or not. > Is there any document? > > Regards, > Hiromasa > > > On 2009/03/10 20:25, Hiromasa Sekiguchi wrote: >> Hi all, >> >> I would like to know signaling procedure on gigamit ethernet(802.3z). >> >> Does anyonw have 802.3z standard document? >> >> Regards, >> Hiromasa >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ From will at harg.net Tue Mar 10 13:39:38 2009 From: will at harg.net (Will Hargrave) Date: Tue, 10 Mar 2009 17:39:38 +0000 Subject: [c-nsp] 100FX duplex In-Reply-To: References: Message-ID: <49B6A5DA.2070607@harg.net> Church, Charles wrote: > Sorry about the really basic question. Can't find a > definitive answer anywhere else. Does 100FX do auto-negotiation of > duplex? If not, do they default to half or full? We're seeing odd > things on our stuff, some are Cisco to Cisco links, some are Cisco to > various brands of media converters on into a 10/100 port. Odd things > such as collisions on ports set to full, huge amounts of FCS errors at > places, etc. The semi-dumb media converters have dip switches that > mention duplex, but the directions seem to indication that it affects > the copper side of it only. Any good advice? 100FX doesn't support any form of autoneg so you need to configure all of the devices involved. I imagine the media converters (if they are just media converters rather than bridges) will have DIP switches which set duplex on both sides. Will From achatz at forthnet.gr Tue Mar 10 14:52:02 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Tue, 10 Mar 2009 20:52:02 +0200 Subject: [c-nsp] power down of standby sup is not possible Message-ID: <49B6B6D2.4000308@forthnet.gr> Anyone care to explain why such a limitation? 7609(config)#no power enable module 5 %Error: no power control on supervisor cards 7609#sh mod Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 5 2 Supervisor Engine 720 (Hot) WS-SUP720-3BXL 6 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL I'm trying to power down the standby sup and i though cisco's green agenda would have though of that. -- Tassos From frnkblk at iname.com Tue Mar 10 14:52:08 2009 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Tue, 10 Mar 2009 13:52:08 -0500 Subject: [c-nsp] Egress shaping/policing for bandwidth control on a 3750-ME In-Reply-To: <8110A8DE-9DDE-4463-ADBE-39A00541603D@bellsouth.net> References: <8B25B862BC09784B9B74FB950D4F64D40F81CF@qcnapp01.corp.qcn> <8110A8DE-9DDE-4463-ADBE-39A00541603D@bellsouth.net> Message-ID: Thanks for the idea, but the port carries multiple VLANs. Only one of them needs to be rate-limited. Frank -----Original Message----- From: Alex Moya [mailto:alexmoya at bellsouth.net] Sent: Tuesday, March 10, 2009 6:46 AM To: Brad Henshaw Cc: ; Subject: Re: [c-nsp] Egress shaping/policing for bandwidth control on a 3750-ME Try policing the port Sent from my iPhone On Mar 9, 2009, at 7:59 PM, "Brad Henshaw" wrote: > Frank Bulk - iName.com wrote: > >> I have two Cisco 3750-ME (Metro) where we are trying to apply >> an 8 Mbps bandwidth limit to it. >> We tried HQM shaping but got a lovely message that "Hierarchical >> service-policies are only supported on ES interfaces". > > Frank, > > The 3750ME can only do per-VLAN shaping on the ES ports. > > You can shape standard ports (but not per-VLAN) in increments of 10% > of > the port speed using the 'srr-queue bandwidth limit' command. To > achieve > 8Mbps with this you'd need to lock the [FastEthernet] port to 10Mbps > and > set the limit to 80%. Buffering of packets is less than ideal. > > The 3750ME supports hierarchical dual-level *ingress* policies on > SVIs. > To use these you need to set 'mls qos vlan-based' on the port and may > or may not need to use a 'match input-interface' statement in the > class > of a subpolicy. (I've never used these so can't comment with > authority) > > I'd provide an example but I'd just be ripping it from page 35-71 of > the 3750 Metro 12.2(46)SE Software Configuration Guide ;-) > > I'm pretty sure neither SVIs nor standard ports support output > policies > so you'd best do as much as you can on the ES ports on ingress from > your > core. > > Note that ingress service policies on 12.2(44)SE1 seem to be broken - > This may also affect other versions. We never logged a bug because > it's > fixed in 12.2(46)SE. > > Overall I think the quality control on IOS releases for the 3750ME > leaves a BLOODY LOT to be desired. > > Regards, > Brad > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From justin at justinshore.com Tue Mar 10 15:53:16 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 10 Mar 2009 14:53:16 -0500 Subject: [c-nsp] L3VPN Voice VRF Message-ID: <49B6C52C.10305@justinshore.com> I'm trying to figure out the best, safest, most secure and of course least expensive (in my time, hair, sleep at night, etc) way to implement a voice MPLS/VPN across our network. I'm sure people on c-nsp have done it before so I'm hoping for a few pointers. What we have today are a pair of MetaSwitches, one in each main POP. In front of them at each POP are a pair of HA PIXs. Customer RTP and signaling from our CATV MTAs, IP DSLAMs, FTTH, etc enter through the PIXs. Communication between the 2 MetaSwitches and MS management servers is across an IPSec tunnel on the PIXs. That works well enough but I need to do a few things to make it better. First off the IPSec tunnel needs to go. It's a real PITA because it randomly fails, forcing me to literally power cycle one of the sets of PIXs (taking down the remote POP's voice service entirely). I can't clear anything crypto on these PIXs so I can't bring up the tunnel remotely. I also can't see into the IPSec tunnel to identify traffic needing QoS preference or not. My plan was to put the protected MS equipment along with the backside of the PIXs in a VRF which can span both POPs. Traffic from the unprotected side to the protected side would hair-pin from the core routers through the PIXs back into the core router(s) at that site and into the VRF. That's not too hard to do, it's just getting the time to plan and do it. The second problem is that this does not allow for roving remote users with IP phones. My ACLs on the MS PIXs are tight and I want to keep it that way. We bought a pair of Ditech SBCs to address the roving user problem (horrible pieces of junk; I only recommend them to competitors). They will straddle the unprotected and protected network boundary, just like the PIXs more or less. That's not too hard either. I only plan on pointing remote roving users at the SBCs; not VoIP users that are using fixed phones on our own SP network. My current problem is that we're entering into the realm of managed voice service. We're CLECing a remote city and offering managed VoIP with SIP for businesses over DS1s and LRE (G.SHDSL). The CE for voice customers is managed by us to ensure QoS is properly configured. The VoIP phones are Linksys currently and will be connected either directly to the router (ISR) or a managed PoE switch (Cisco again). Voice will be on a voice VLAN configured as such on the switchports (so it's only reachable by devices that speak CDP and look like a phone). One problem with this offering is with remote access to the phones in the voice VLAN on the managed-CE. We could configure IPSec client VPNs on each of the managed CEs but that gets exponentially ugly as the number of users grows. My favorite thought is to extend MPLS all the way down to the managed-CE (which dictates a minimum of a 2800 ISR, 2811 or bigger for our needs, running Adv IP). Then we could extend a common voice VRF to that managed-CE. The voice VLAN would be put into that voice VRF. This would give us the ability to access the GUI config of the customer's phone to configure it, command it to resync, reboot it, etc. Otherwise we're forced to either have the user power cycle the phone by unplugging it from the network or figure out which switchport it is and cut the power to it. We could also generate a truck roll to do something as trivial as adding a speed dial; not a cost-effective idea. I favor the voice VRF idea but I struggle to figure out how to fully implement it. On the managed-CE side it's not very hard. MPLS, LDP, mBGP, IGP (IS-IS), address the phones uniquely for each site in the common VRF, etc. Back in the main POPs is where I'm having the most difficulties with this concept. Do I consider a phone hung off of a managed switchport trustworthy enough to bring it in BEHIND my firewalls and SBCs and allow it direct access to the secured MetaSwitch network? If so then this really isn't that hard. I'll use the same VRF at all VoIP sites that I'm going to use behind the MS PIXs. If I don't consider it trustworthy then I have to run the voice traffic through the PIXs or SBCs to get the filtered traffic to the MSs, either through the outside int of the PIXs or through a DMZ int. The DMZ interface thought opens up some possibilities at least; I can somewhat envision that int being tied to a VLAN that's part of the voice customer VRF. That gives me a device to bridge the gap between the a customer voice VRF and the MS VRF. If I didn't use the DMZ then I wouldn't know how to pop customers out of the voice VRF to gain access to the public side of the PIXs which are in our default VRF. BTW, all public traffic on our network is in the default VRF. This is a rather complicated problem, or at least I'm mentally making it complicated. I think I could continue using the PIXs and SBCs to bridge the gap between the protected MetaSwitch VRF and the unprotected public Internet. It's what to do with the Voice VRF that perplexes me the most. The Voice VRF concept is a popular example in Cisco Press books like the MPLS Architectures books. Unfortunately those books don't really tell you how to implement it end to end which is what I need. It also doesn't help you decide when the traffic is secure and when it's not. Does anyone have any suggestions, pointers to example scenarios, guides, howtos, etc? I'm sure this can be done but I'm missing some critical pieces at this point. Thanks Justin From rskjels at pogostick.net Tue Mar 10 16:11:55 2009 From: rskjels at pogostick.net (Rikard Stemland Skjelsvik) Date: Tue, 10 Mar 2009 21:11:55 +0100 (MET) Subject: [c-nsp] Error upgrading CSS: error in script playbackA Message-ID: Dear all, We are having trouble upgrading Cisco CSS that runs sg0750004 to sg0810503 We have tried upgrading according to both the manual procedyre and the automatic. Both of them fails when we try to do the "set primary boot-file sg0810503" command. We also tried upgrading from sg0750004 to sg0750103 with the same error The error we get is: Error in script playback line:949 >>> primary boot-file ${new_version} We would be grateful if anyone could provide us with some help. Regards, Rikard From A.L.M.Buxey at lboro.ac.uk Tue Mar 10 16:48:05 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Tue, 10 Mar 2009 20:48:05 +0000 Subject: [c-nsp] power down of standby sup is not possible In-Reply-To: <49B6B6D2.4000308@forthnet.gr> References: <49B6B6D2.4000308@forthnet.gr> Message-ID: <20090310204805.GC20682@lboro.ac.uk> Hi, > Anyone care to explain why such a limitation? > > 7609(config)#no power enable module 5 > %Error: no power control on supervisor cards > > 7609#sh mod > Mod Ports Card Type Model Serial No. > --- ----- -------------------------------------- ------------------ ----------- > 5 2 Supervisor Engine 720 (Hot) WS-SUP720-3BXL > 6 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL > > > I'm trying to power down the standby sup and i though cisco's green agenda would have though of that. supervisors are the 'brain' of the box, as it were - and therefore when people buy 2 of them, they'd rather have them both running..eg in SSO mode. i found this 'situation' out as you possibly did - attempting to do a remote reload by just doing a 'power enable'-cycle? :-) alan From achatz at forthnet.gr Tue Mar 10 17:08:26 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Tue, 10 Mar 2009 23:08:26 +0200 Subject: [c-nsp] power down of standby sup is not possible In-Reply-To: <20090310204805.GC20682@lboro.ac.uk> References: <49B6B6D2.4000308@forthnet.gr> <20090310204805.GC20682@lboro.ac.uk> Message-ID: <49B6D6CA.4090100@forthnet.gr> A.L.M.Buxey at lboro.ac.uk wrote on 10/03/2009 22:48: > Hi, >> Anyone care to explain why such a limitation? >> >> 7609(config)#no power enable module 5 >> %Error: no power control on supervisor cards >> >> 7609#sh mod >> Mod Ports Card Type Model Serial No. >> --- ----- -------------------------------------- ------------------ ----------- >> 5 2 Supervisor Engine 720 (Hot) WS-SUP720-3BXL >> 6 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL >> >> >> I'm trying to power down the standby sup and i though cisco's green agenda would have though of that. > > supervisors are the 'brain' of the box, as it were - and therefore > when people buy 2 of them, they'd rather have them both running..eg > in SSO mode. i found this 'situation' out as you possibly did - > attempting to do a remote reload by just doing a 'power enable'-cycle? :-) > > alan > Well, i don't like the idea of strictly following Cisco's concept of redundancy. In my case, i don't want to enable redundancy on this box, but i want to have 2 sups inside (with the 2nd one being powered-off). I guess that's not possible :( Alan, you can do "hw-module module x reset" in order to reset a module (sup included). I was just trying to have a 2nd sup disabled. I don't need any syncing between the sups and power saving would be a welcome addition. Talking about power-saving, i haven't found any way to disable power reservation of a sup slot, when that one is not being used. You can always put another module there, but i can't consider this as a solution. -- Tassos From peter at rathlev.dk Tue Mar 10 17:10:08 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 10 Mar 2009 22:10:08 +0100 Subject: [c-nsp] FWSM HA secondary reload & long downtime In-Reply-To: References: <1236633344.3572.13.camel@localhost.localdomain> Message-ID: <1236719408.4513.51.camel@localhost.localdomain> On Tue, 2009-03-10 at 11:32 +0100, Andrew Yourtchenko wrote: > if it is merely a new standby that is coming up, the active should not > stop forwarding the traffic. That's what I would've assumed too. :-) I do seem to remember that we've seen this before though, when we had random reboots (CSCse15099 if I remember correctly) of secondary units resulting in downtime. > I'd watch out for "logging standby" - I vaguely remember there were > some issues where the newly coming up box would try to send the > traffic with the wrong IP/MAC and/or send the gratuitous arp with the > wrong info in there. > > Especially may be true if you are bringing up primary as standby - at > this moment the secondary/active is forwarding the traffic using the > primary's mac addresses. Standby logging is disabled on all contexts, so this shouldn't be the issue. Of course if the module coming up sends out gratuitous ARPs this could break things with the way PIX/FWSM/ASA does HA, using the same MAC-address. I had thought that the unit coming up would start by looking at the failover interface(s) to see if there is already an active unit, and then start acting as active/standby depending of what it hears. Otherwise a crashing/rebooting primary unit would always introduce downtime when coming up again. > Of course, interesting would be to check if indeed this is on all the > contexts or only some of them, etc. The log buffer (logging errors) on the contexts on the standby unit (which is the configured primary) didn't say "' >From the sys context on the standby: Mar 09 2009 16:41:04: %FWSM-4-411003: Interface statefullfailover, changed state to administratively up Mar 09 2009 16:41:05: %FWSM-5-504001: Security context admin was added to the system ... Mar 09 2009 16:41:07: %FWSM-5-504001: Security context sample was added to the system Mar 09 2009 16:41:26: %FWSM-1-709006: (Primary) End Configuration Replication (STB) Mar 09 2009 16:42:02: %FWSM-6-210022: LU missed 4837568 updates >From one of the contexts, still the standby unit: Mar 09 2009 16:41:35: %FWSM-1-105006: (Primary) Link status 'Up' on interface internet Mar 09 2009 16:41:35: %FWSM-1-105003: (Primary) Monitoring on interface internet waiting Mar 09 2009 16:41:35: %FWSM-1-105006: (Primary) Link status 'Up' on interface aars_pro Mar 09 2009 16:41:35: %FWSM-1-105003: (Primary) Monitoring on interface aars_pro waiting Mar 09 2009 16:41:35: %FWSM-1-105006: (Primary) Link status 'Up' on interface inside Mar 09 2009 16:41:35: %FWSM-1-105003: (Primary) Monitoring on interface inside waiting Mar 09 2009 16:41:35: %FWSM-1-105006: (Primary) Link status 'Up' on interface aars_interfw Mar 09 2009 16:41:35: %FWSM-1-105003: (Primary) Monitoring on interface aars_interfw waiting Mar 09 2009 16:41:44: %FWSM-1-105004: (Primary) Monitoring on interface internet normal Mar 09 2009 16:41:44: %FWSM-1-105004: (Primary) Monitoring on interface aars_pro normal Mar 09 2009 16:41:44: %FWSM-1-105004: (Primary) Monitoring on interface inside normal Mar 09 2009 16:41:44: %FWSM-1-105004: (Primary) Monitoring on interface aars_interfw normal So the contexts weren't really activated (with "Up" interfaces) during all the downtime, just at the end. To me that seems to suggest that it's not just simply that it "steals" the traffic for the interfaces. It seems we have to try and replicate it in the lab to find out what actually happened. :-) Thank you for the input. Regards, Peter From sethm at rollernet.us Tue Mar 10 18:50:50 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 10 Mar 2009 15:50:50 -0700 Subject: [c-nsp] power down of standby sup is not possible In-Reply-To: <49B6B6D2.4000308@forthnet.gr> References: <49B6B6D2.4000308@forthnet.gr> Message-ID: <49B6EECA.4090602@rollernet.us> Tassos Chatzithomaoglou wrote: > Anyone care to explain why such a limitation? > > 7609(config)#no power enable module 5 > %Error: no power control on supervisor cards > > 7609#sh mod > Mod Ports Card Type Model > Serial No. > --- ----- -------------------------------------- ------------------ > ----------- > 5 2 Supervisor Engine 720 (Hot) WS-SUP720-3BXL > 6 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL > > > I'm trying to power down the standby sup and i though cisco's green > agenda would have though of that. > > It's not a "green" thing, but a "redundant" thing. A second supervisor is for redundancy, and if it's off and unconfigured, you might as well just store it on a shelf and swap it in when needed because you won't be able to power it up anyway if the active sup fails. They're doing more than just synchronizing config changes when in standby mode. ~Seth From todd at newfrontierssolutions.com Tue Mar 10 19:49:44 2009 From: todd at newfrontierssolutions.com (Todd Shipway) Date: Tue, 10 Mar 2009 19:49:44 -0400 Subject: [c-nsp] 7500 Channelized DS3 Issues Message-ID: <1236728984.8428.8.camel@booger> We are experiencing weird issues on a channelized DS3 card with interfaces dying at random. DS3 card is divided into multiple T1 interfaces. All interfaces have been running without problems for weeks. Last week 1 interface went down, and when it came back up, no traffic will go across the interface. The int shows as up/up, manually setting a route doesn't help anything. Copying the int config to a different channel on the same card fixes the issue and traffic is back to normal. Today, we had 2 interfaces that were part of a multilink ppp interface go down and right back up. All interfaces were up/up including the MLPPP interface. Moving them to different channels resulted in the same issue. Moving 1 T1 to a Multi-channel T1 card and keeping the other T1 on the channelized DS3 allowed the multilink interface to come up and traffic went back to normal. No errors or alarms on any cards. Cards aren't over provisioned, and I can't pinpoint why this issue is occurring. It seems like it's slowly spreading from interface to interface. Has anyone experienced something similar or have any clues as to what I could possibly look for? Thanks, Todd -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From achatz at forthnet.gr Tue Mar 10 20:12:37 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 11 Mar 2009 02:12:37 +0200 Subject: [c-nsp] power down of standby sup is not possible In-Reply-To: <49B6EECA.4090602@rollernet.us> References: <49B6B6D2.4000308@forthnet.gr> <49B6EECA.4090602@rollernet.us> Message-ID: <49B701F5.1000206@forthnet.gr> Seth Mattinen wrote on 11/03/2009 00:50: > Tassos Chatzithomaoglou wrote: >> Anyone care to explain why such a limitation? >> >> 7609(config)#no power enable module 5 >> %Error: no power control on supervisor cards >> >> 7609#sh mod >> Mod Ports Card Type Model >> Serial No. >> --- ----- -------------------------------------- ------------------ >> ----------- >> 5 2 Supervisor Engine 720 (Hot) WS-SUP720-3BXL >> 6 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL >> >> >> I'm trying to power down the standby sup and i though cisco's green >> agenda would have though of that. >> >> > > It's not a "green" thing, but a "redundant" thing. A second supervisor > is for redundancy, and if it's off and unconfigured, you might as well > just store it on a shelf and swap it in when needed because you won't be > able to power it up anyway if the active sup fails. They're doing more > than just synchronizing config changes when in standby mode. > > ~Seth Seth, There are remote locations (with more than one box installed) that i don't have a shelf and i prefer to have one sup "online" (but not as standby) serving all boxes. That way i can watch it through my inventory management system. In case of an emergency, someone staying nearby can go there and just plug it in, replacing the active sup in any box. -- Tassos From sethm at rollernet.us Tue Mar 10 20:25:03 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 10 Mar 2009 17:25:03 -0700 Subject: [c-nsp] power down of standby sup is not possible In-Reply-To: <49B701F5.1000206@forthnet.gr> References: <49B6B6D2.4000308@forthnet.gr> <49B6EECA.4090602@rollernet.us> <49B701F5.1000206@forthnet.gr> Message-ID: <49B704DF.4050206@rollernet.us> Tassos Chatzithomaoglou wrote: > > > Seth Mattinen wrote on 11/03/2009 00:50: >> Tassos Chatzithomaoglou wrote: >>> Anyone care to explain why such a limitation? >>> >>> 7609(config)#no power enable module 5 >>> %Error: no power control on supervisor cards >>> >>> 7609#sh mod >>> Mod Ports Card Type Model >>> Serial No. >>> --- ----- -------------------------------------- ------------------ >>> ----------- >>> 5 2 Supervisor Engine 720 (Hot) WS-SUP720-3BXL >>> 6 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL >>> >>> >>> I'm trying to power down the standby sup and i though cisco's green >>> agenda would have though of that. >>> >>> >> >> It's not a "green" thing, but a "redundant" thing. A second supervisor >> is for redundancy, and if it's off and unconfigured, you might as well >> just store it on a shelf and swap it in when needed because you won't be >> able to power it up anyway if the active sup fails. They're doing more >> than just synchronizing config changes when in standby mode. >> >> ~Seth > > Seth, > > There are remote locations (with more than one box installed) that i > don't have a shelf and i prefer to have one sup "online" (but not as > standby) serving all boxes. That way i can watch it through my inventory > management system. In case of an emergency, someone staying nearby can > go there and just plug it in, replacing the active sup in any box. > Basically your storage space is a supervisor slot. Someone from Cisco should know if this is just a config thing or actually in the hardware design. ~Seth From andy.saykao at staff.netspace.net.au Tue Mar 10 23:30:17 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Wed, 11 Mar 2009 14:30:17 +1100 Subject: [c-nsp] BGP Route Selection Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654C54@vic-cr-ex1.staff.netspace.net.au> Hi All, Just trying to get my head around why BGP prefers a certain route over others in my example below. I've read up on how BGP makes it's path selection decision but I can't follow why it hasn't chosen a route with a higher local preferences. Here's my example... Edge-Router#sh ip bgp 202.134.39.34 BGP routing table entry for 202.134.39.0/24, version 1469850 Paths: (6 available, best #2, table Default-IP-Routing-Table) Advertised to update-groups: 7 8 9 7606 9837 9837 9837 18250, (Received from a RR-client), (received & used) 198.32.212.61 (metric 20) from 203.17.96.105 (203.17.101.40) Origin IGP, metric 0, localpref 90, valid, internal Community: 4854:6002 Originator: 203.17.101.24, Cluster list: 203.17.101.40, 203.17.101.22 7606 9837 9837 9837 18250, (Received from a RR-client), (received & used) 198.32.212.61 (metric 20) from 203.17.96.101 (203.17.101.40) Origin IGP, metric 0, localpref 90, valid, internal, best Community: 4854:6002 Originator: 203.17.101.24, Cluster list: 203.17.101.40, 203.17.101.22 1221 2764 9837 18250, (received-only) 203.62.252.39 from 203.62.252.39 (203.62.252.39) Origin IGP, localpref 100, valid, external 1221 2764 9837 18250 203.62.252.241 from 203.62.252.241 (203.62.252.241) Origin IGP, metric 120, localpref 50, valid, external Community: 4854:2001 1221 2764 9837 18250, (received-only) 203.62.252.241 from 203.62.252.241 (203.62.252.241) Origin IGP, localpref 100, valid, external 1221 2764 9837 18250, (received-only) 203.62.252.240 from 203.62.252.240 (203.62.252.240) Origin IGP, localpref 100, valid, external Edge-Router#sh ip route 202.134.39.34 Routing entry for 202.134.39.0/24 Known via "bgp 4854", distance 200, metric 0 Tag 7606, type internal Redistributing via ospf 200 Last update from 198.32.212.61 6d11h ago Routing Descriptor Blocks: * 198.32.212.61, from 203.17.96.101, 6d11h ago Route metric is 0, traffic share count is 1 AS Hops 5 Route tag 7606 I can only imagine it has something to do with the output below which gives me a better indication of which prefixes have been received by this router and their local preference. After looking at that, it would make sense why it chose #2 from above. Edge-Router#sh ip bgp 202.134.39.0 255.255.255.0 longer-prefixes BGP table version is 1511449, local router ID is 203.17.101.35 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path * i202.134.39.0 198.32.212.61 0 90 0 7606 9837 9837 9837 18250 i *>i 198.32.212.61 0 90 0 7606 9837 9837 9837 18250 i * 203.62.252.241 120 50 0 1221 2764 9837 18250 i What's the relationship between the "sh ip bgp A.B.C.D" and "sh ip bgp longer-prefixes" command? Why are there "(received-only)" routes and what does that mean? The "(received-only)" routes have a higher local preferences but why aren't they shown with the "sh ip bgp longer-prefixes" command? Thanks for everyone's help... Andy This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From oboehmer at cisco.com Tue Mar 10 23:46:25 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 11 Mar 2009 04:46:25 +0100 Subject: [c-nsp] BGP Route Selection In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654C54@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE03654C54@vic-cr-ex1.staff.netspace.net.au> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840704D4DC@xmb-ams-333.emea.cisco.com> Andy Saykao <> wrote on Wednesday, March 11, 2009 04:30: > Hi All, > > Just trying to get my head around why BGP prefers a certain route over > others in my example below. I've read up on how BGP makes it's path > selection decision but I can't follow why it hasn't chosen a route > with a higher local preferences. because all the paths with a higher local-pref are ignored as they are "received-only", i.e. stored in the table due to "soft-recoconfiguration inbound" config on your neighbors.. [..] > > What's the relationship between the "sh ip bgp A.B.C.D" and "sh ip bgp > longer-prefixes" command? the latter only shows the non-received-only paths.. > Why are there "(received-only)" routes and > what does that mean? The "(received-only)" routes have a higher local > preferences but why aren't they shown with the "sh ip bgp > longer-prefixes" command? see above: because they are ignored.. this is also described in http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009 4431.shtml.. oli From samantha at cairns.net.au Wed Mar 11 03:15:58 2009 From: samantha at cairns.net.au (Regional Connect (Samantha)) Date: Wed, 11 Mar 2009 17:15:58 +1000 Subject: [c-nsp] Access Servers (LNS) Message-ID: Hi List I am doing some enquiries so I can remove our l2tpns machines. I have bought some cheap npe-225 ciscos off ebay, orginally as source of spares for our 7206G1 (Power Supplies) After reading I found out I may be better off deplying the current l2tpns servers elsewhere If I do this I am trying to get some questions answerwed but been unable to find the answers (as they differ so much) What is the max number of sessions I could expect from 2 of these machines? And if I choose to use npe-400 what would it be How much ram would I need in both scenerios to be "workable" Thanks in advance Samantha Regional Internet Connect samantha at regionalconnect.com.au --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 090310-0, 10/03/2009 Tested on: 11/03/2009 5:15:59 PM avast! - copyright (c) 1988-2009 ALWIL Software. http://www.avast.com From asad747 at cyber.net.pk Wed Mar 11 04:12:30 2009 From: asad747 at cyber.net.pk (Asad Ul-Islam) Date: Wed, 11 Mar 2009 13:12:30 +0500 Subject: [c-nsp] CPU Usage for standby SUP720? Message-ID: <003c01c9a221$1f6bf8c0$5e43ea40$@net.pk> Dear friends I am trying to poll for CPU usage of Standby SUP7203b in 6500 Chassis. I have tried polling PROCESS MIB but its returning only two Values for cpmCPUTotalPhysicalIndex , which are of ACTIVE SUP. (SUP in Slot 8 is in Standby state) SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 4017 SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 4001 However walking on ENTITY MIB for entPhysicalIndex shows the CPU index for both SUPs SNMPv2-SMI::mib-2.47.1.1.1.1.2.4001 = STRING: "CPU of Switching Processor 7" SNMPv2-SMI::mib-2.47.1.1.1.1.2.4017 = STRING: "CPU of Routing Processor 7" SNMPv2-SMI::mib-2.47.1.1.1.1.2.5001 = STRING: "CPU of Switching Processor 8" SNMPv2-SMI::mib-2.47.1.1.1.1.2.5017 = STRING: "CPU of Routing Processor 8" I wonder why PROCESS MIB is not returning values for Standby SUP.. Is it some limitation that Standby SUP cannot be polled? Or I am making some mistake here?? Regards, Asad From soonkian.wong at gmail.com Wed Mar 11 04:38:43 2009 From: soonkian.wong at gmail.com (Soon Kian) Date: Wed, 11 Mar 2009 16:38:43 +0800 Subject: [c-nsp] PVDM resources required for VIC3-2FXS WIC ? Message-ID: <371cac6a0903110138k78d78841nafb4191157c57c0d@mail.gmail.com> Hi all, Wondering if PVDM is required for VIC3-2FXS WIC ? I'm using the following - Cisco2811 - IP Voice feature set - Version: 124-24.T Thanks in advance From skoal at skoal.name Wed Mar 11 04:49:34 2009 From: skoal at skoal.name (Gergely Antal) Date: Wed, 11 Mar 2009 09:49:34 +0100 Subject: [c-nsp] CPU Usage for standby SUP720? In-Reply-To: <003c01c9a221$1f6bf8c0$5e43ea40$@net.pk> References: <003c01c9a221$1f6bf8c0$5e43ea40$@net.pk> Message-ID: <49B77B1E.1010707@skoal.name> If i'm not mistaken you can only poll the active sup ,and if a switchover occures then you can poll the new active sup based on the indexes by the entity-mib Asad Ul-Islam wrote: > Dear friends > > > > I am trying to poll for CPU usage of Standby SUP7203b in 6500 Chassis. > > > > I have tried polling PROCESS MIB but its returning only two Values for > cpmCPUTotalPhysicalIndex , which are of ACTIVE SUP. (SUP in Slot 8 is in > Standby state) > > > > SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 4017 > > SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 4001 > > > > However walking on ENTITY MIB for entPhysicalIndex shows the CPU index for > both SUPs > > > > SNMPv2-SMI::mib-2.47.1.1.1.1.2.4001 = STRING: "CPU of Switching Processor 7" > > SNMPv2-SMI::mib-2.47.1.1.1.1.2.4017 = STRING: "CPU of Routing Processor 7" > > SNMPv2-SMI::mib-2.47.1.1.1.1.2.5001 = STRING: "CPU of Switching Processor 8" > > SNMPv2-SMI::mib-2.47.1.1.1.1.2.5017 = STRING: "CPU of Routing Processor 8" > > > > I wonder why PROCESS MIB is not returning values for Standby SUP.. Is it > some limitation that Standby SUP cannot be polled? Or I am making some > mistake here?? > > > > Regards, > > > Asad > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From skoal at skoal.name Wed Mar 11 05:01:55 2009 From: skoal at skoal.name (Gergely Antal) Date: Wed, 11 Mar 2009 10:01:55 +0100 Subject: [c-nsp] CPU Usage for standby SUP720? In-Reply-To: <49B77B1E.1010707@skoal.name> References: <003c01c9a221$1f6bf8c0$5e43ea40$@net.pk> <49B77B1E.1010707@skoal.name> Message-ID: <49B77E03.8050008@skoal.name> If you use cacti then here is a good template for your problem http://forums.cacti.net/about27623.html Gergely Antal wrote: > If i'm not mistaken you can only poll the active sup > ,and if a switchover occures then you can poll the new active sup based > on the indexes by the entity-mib > > Asad Ul-Islam wrote: >> Dear friends >> >> >> >> I am trying to poll for CPU usage of Standby SUP7203b in 6500 Chassis. >> >> >> >> I have tried polling PROCESS MIB but its returning only two Values for >> cpmCPUTotalPhysicalIndex , which are of ACTIVE SUP. (SUP in Slot 8 is in >> Standby state) >> >> >> >> SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 4017 >> >> SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 4001 >> >> >> >> However walking on ENTITY MIB for entPhysicalIndex shows the CPU index for >> both SUPs >> >> >> >> SNMPv2-SMI::mib-2.47.1.1.1.1.2.4001 = STRING: "CPU of Switching Processor 7" >> >> SNMPv2-SMI::mib-2.47.1.1.1.1.2.4017 = STRING: "CPU of Routing Processor 7" >> >> SNMPv2-SMI::mib-2.47.1.1.1.1.2.5001 = STRING: "CPU of Switching Processor 8" >> >> SNMPv2-SMI::mib-2.47.1.1.1.1.2.5017 = STRING: "CPU of Routing Processor 8" >> >> >> >> I wonder why PROCESS MIB is not returning values for Standby SUP.. Is it >> some limitation that Standby SUP cannot be polled? Or I am making some >> mistake here?? >> >> >> >> Regards, >> >> >> Asad >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > ------------------------------------------------------------------------ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From gert at greenie.muc.de Wed Mar 11 05:10:59 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 11 Mar 2009 10:10:59 +0100 Subject: [c-nsp] CPU Usage for standby SUP720? In-Reply-To: <003c01c9a221$1f6bf8c0$5e43ea40$@net.pk> References: <003c01c9a221$1f6bf8c0$5e43ea40$@net.pk> Message-ID: <20090311091059.GZ290@greenie.muc.de> Hi, On Wed, Mar 11, 2009 at 01:12:30PM +0500, Asad Ul-Islam wrote: > I am trying to poll for CPU usage of Standby SUP7203b in 6500 Chassis. Should the standby SUP show more than neglible CPU usage? If yes, why? (I'm genuinely curious what it might do that causes CPU load) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From A.L.M.Buxey at lboro.ac.uk Wed Mar 11 05:23:59 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Wed, 11 Mar 2009 09:23:59 +0000 Subject: [c-nsp] CPU Usage for standby SUP720? In-Reply-To: <20090311091059.GZ290@greenie.muc.de> References: <003c01c9a221$1f6bf8c0$5e43ea40$@net.pk> <20090311091059.GZ290@greenie.muc.de> Message-ID: <20090311092359.GA22892@lboro.ac.uk> Hi, > Should the standby SUP show more than neglible CPU usage? If yes, why? > > (I'm genuinely curious what it might do that causes CPU load) in an active standby mode, the primary and standby are constantly sharing stuff and storing details...that said, you cant do much with the one that isnt active... 'Standby console disabled' etc alan From anderson.levi at gmail.com Wed Mar 11 05:29:09 2009 From: anderson.levi at gmail.com (Anderson Levi) Date: Wed, 11 Mar 2009 12:29:09 +0300 Subject: [c-nsp] ME3400 Message-ID: Hi, I need to find out how many routes a Cisco ME3400 can hold. Anyone with an idea or pointer as to where I can find out? Any help would be appreciated. Thanks. From A.L.M.Buxey at lboro.ac.uk Wed Mar 11 05:33:36 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Wed, 11 Mar 2009 09:33:36 +0000 Subject: [c-nsp] power down of standby sup is not possible In-Reply-To: <49B6D6CA.4090100@forthnet.gr> References: <49B6B6D2.4000308@forthnet.gr> <20090310204805.GC20682@lboro.ac.uk> <49B6D6CA.4090100@forthnet.gr> Message-ID: <20090311093336.GB22892@lboro.ac.uk> Hi, > Alan, you can do "hw-module module x reset" in order to reset a module (sup included). i know - in fact, i think it was this particular issue that made me find the hw-module command :-) > I was just trying to have a 2nd sup disabled. I don't need any syncing > between the sups and power saving would be a welcome addition. no sync'ing? so how do you ensure your spare sup has the right config when it is needed? what process or procedure is followed? > Talking about power-saving, i haven't found any way to disable power > reservation of a sup slot, when that one is not being used. You can > always put another module there, but i can't consider this as a solution. power reserved != power used. the system just ensures that the right amount is reserved so it can be used, rather than not being able to provide the juice. alan From achatz at forthnet.gr Wed Mar 11 05:39:52 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 11 Mar 2009 11:39:52 +0200 Subject: [c-nsp] CPU Usage for standby SUP720? In-Reply-To: <20090311092359.GA22892@lboro.ac.uk> References: <003c01c9a221$1f6bf8c0$5e43ea40$@net.pk> <20090311091059.GZ290@greenie.muc.de> <20090311092359.GA22892@lboro.ac.uk> Message-ID: <49B786E8.6060001@forthnet.gr> A.L.M.Buxey at lboro.ac.uk wrote on 11/03/2009 11:23: > Hi, > >> Should the standby SUP show more than neglible CPU usage? If yes, why? >> >> (I'm genuinely curious what it might do that causes CPU load) > > in an active standby mode, the primary and standby are constantly > sharing stuff and storing details...that said, you cant do much > with the one that isnt active... 'Standby console disabled' etc > > alan 7609(config)#redundancy 7609(config-red)#main-cpu 7609(config-r-mc)#standby console ? enable Enable At least in SRD1 (quite strangely it's not the default, but it's also not shown in the config when configured). -- Tassos From ayourtch at cisco.com Wed Mar 11 06:16:36 2009 From: ayourtch at cisco.com (Andrew Yourtchenko) Date: Wed, 11 Mar 2009 11:16:36 +0100 (CET) Subject: [c-nsp] FWSM HA secondary reload & long downtime In-Reply-To: <1236719408.4513.51.camel@localhost.localdomain> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> Message-ID: On Tue, 10 Mar 2009, Peter Rathlev wrote: > On Tue, 2009-03-10 at 11:32 +0100, Andrew Yourtchenko wrote: >> if it is merely a new standby that is coming up, the active should not >> stop forwarding the traffic. > > That's what I would've assumed too. :-) I do seem to remember that we've > seen this before though, when we had random reboots (CSCse15099 if I > remember correctly) of secondary units resulting in downtime. ahha. interesting - so there's probably also something specific to the setup that might be contributing to seeing this. > >> I'd watch out for "logging standby" - I vaguely remember there were >> some issues where the newly coming up box would try to send the >> traffic with the wrong IP/MAC and/or send the gratuitous arp with the >> wrong info in there. >> >> Especially may be true if you are bringing up primary as standby - at >> this moment the secondary/active is forwarding the traffic using the >> primary's mac addresses. > > Standby logging is disabled on all contexts, so this shouldn't be the > issue. Of course if the module coming up sends out gratuitous ARPs this > could break things with the way PIX/FWSM/ASA does HA, using the same > MAC-address. > > I had thought that the unit coming up would start by looking at the > failover interface(s) to see if there is already an active unit, and > then start acting as active/standby depending of what it hears. > That's precisely how it is supposed to work :-) > Otherwise a crashing/rebooting primary unit would always introduce > downtime when coming up again. > >> Of course, interesting would be to check if indeed this is on all the >> contexts or only some of them, etc. > > The log buffer (logging errors) on the contexts on the standby unit > (which is the configured primary) didn't say "' > >> From the sys context on the standby: > > Mar 09 2009 16:41:04: %FWSM-4-411003: Interface statefullfailover, changed state to administratively up > Mar 09 2009 16:41:05: %FWSM-5-504001: Security context admin was added to the system > ... > Mar 09 2009 16:41:07: %FWSM-5-504001: Security context sample was added to the system > Mar 09 2009 16:41:26: %FWSM-1-709006: (Primary) End Configuration Replication (STB) > Mar 09 2009 16:42:02: %FWSM-6-210022: LU missed 4837568 updates > >> From one of the contexts, still the standby unit: > > Mar 09 2009 16:41:35: %FWSM-1-105006: (Primary) Link status 'Up' on interface internet > Mar 09 2009 16:41:35: %FWSM-1-105003: (Primary) Monitoring on interface internet waiting > Mar 09 2009 16:41:35: %FWSM-1-105006: (Primary) Link status 'Up' on interface aars_pro > Mar 09 2009 16:41:35: %FWSM-1-105003: (Primary) Monitoring on interface aars_pro waiting > Mar 09 2009 16:41:35: %FWSM-1-105006: (Primary) Link status 'Up' on interface inside > Mar 09 2009 16:41:35: %FWSM-1-105003: (Primary) Monitoring on interface inside waiting > Mar 09 2009 16:41:35: %FWSM-1-105006: (Primary) Link status 'Up' on interface aars_interfw > Mar 09 2009 16:41:35: %FWSM-1-105003: (Primary) Monitoring on interface aars_interfw waiting > Mar 09 2009 16:41:44: %FWSM-1-105004: (Primary) Monitoring on interface internet normal > Mar 09 2009 16:41:44: %FWSM-1-105004: (Primary) Monitoring on interface aars_pro normal > Mar 09 2009 16:41:44: %FWSM-1-105004: (Primary) Monitoring on interface inside normal > Mar 09 2009 16:41:44: %FWSM-1-105004: (Primary) Monitoring on interface aars_interfw normal > > So the contexts weren't really activated (with "Up" interfaces) during > all the downtime, just at the end. To me that seems to suggest that it's > not just simply that it "steals" the traffic for the interfaces. Right. That was why I was wondering whether indeed "all" (as in "absolutely all, i swear" :) the traffic was affected, or only some part of it, and with what timing. Also interesting thing to check if the existing TCP connections continue to run ok (so then the problem area could be isolated to session path and up). Of course, in the real-world scenario there's frequently simply not enough time to look at those details, but they might be definitely helpful. > > It seems we have to try and replicate it in the lab to find out what > actually happened. :-) Yes, that would be most ideal - if this issue is reproducible in the lab, then a case to further nail it down would be the way to go. cheers, andrew From marco at linuxgoeroe.dhs.org Wed Mar 11 05:34:30 2009 From: marco at linuxgoeroe.dhs.org (marco at linuxgoeroe.dhs.org) Date: Wed, 11 Mar 2009 10:34:30 +0100 (CET) Subject: [c-nsp] ME3400 In-Reply-To: References: Message-ID: <31371.212.142.33.197.1236764070.squirrel@www.vive-id.nl> > I need to find out how many routes a Cisco ME3400 can hold. Anyone with an > idea or pointer as to where I can find out? Any help would be appreciated. Datasheet says 5000: http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/product_data_sheet0900aecd8034fef3.html Regards, Marco. From asad747 at cyber.net.pk Wed Mar 11 06:41:51 2009 From: asad747 at cyber.net.pk (Asad Ul-Islam) Date: Wed, 11 Mar 2009 15:41:51 +0500 Subject: [c-nsp] CPU Usage for standby SUP720? In-Reply-To: <20090311092359.GA22892@lboro.ac.uk> References: <003c01c9a221$1f6bf8c0$5e43ea40$@net.pk> <20090311091059.GZ290@greenie.muc.de> <20090311092359.GA22892@lboro.ac.uk> Message-ID: <005f01c9a235$fd13f600$f73be200$@net.pk> Hello! My initial question was to poll CPU of Standby SUP via SNMP I don't think enabling or disabling Console of Standby will have anything to do with SNMP?? I just want to confirm if it's possible to Poll CPU of Standby SUP. Or it's not possible Logically, or is it some bug? Bcos we are doing same for Junipers with redundant REs. Regards, Asad. -----Original Message----- From: A.L.M.Buxey at lboro.ac.uk [mailto:A.L.M.Buxey at lboro.ac.uk] Sent: Wednesday, March 11, 2009 2:24 PM To: Gert Doering Cc: Asad Ul-Islam; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] CPU Usage for standby SUP720? Hi, > Should the standby SUP show more than neglible CPU usage? If yes, why? > > (I'm genuinely curious what it might do that causes CPU load) in an active standby mode, the primary and standby are constantly sharing stuff and storing details...that said, you cant do much with the one that isnt active... 'Standby console disabled' etc alan From dv at dv.ru Wed Mar 11 06:44:21 2009 From: dv at dv.ru (Dmitry Valdov) Date: Wed, 11 Mar 2009 13:44:21 +0300 (MSK) Subject: [c-nsp] ME3400 In-Reply-To: <31371.212.142.33.197.1236764070.squirrel@www.vive-id.nl> References: <31371.212.142.33.197.1236764070.squirrel@www.vive-id.nl> Message-ID: <20090311134228.T56136@xkis.kis.ru> Hi! The device says 9K total (5K directly connected and 4K indirect).. === #sh sdm pref The current template is "default" template. The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs. number of unicast mac addresses: 5K number of IPv4 IGMP groups + multicast routes: 1K number of IPv4 unicast routes: 9K number of directly-connected IPv4 hosts: 5K number of indirect IPv4 routes: 4K number of IPv4 policy based routing aces: 0.5K number of IPv4/MAC qos aces: 0.5K number of IPv4/MAC security aces: 1K On Wed, 11 Mar 2009, marco at linuxgoeroe.dhs.org wrote: > >> I need to find out how many routes a Cisco ME3400 can hold. Anyone with an >> idea or pointer as to where I can find out? Any help would be appreciated. > > Datasheet says 5000: > http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/product_data_sheet0900aecd8034fef3.html > > Regards, > > Marco. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Dmitry Valdov CCIE #15379 (R&S and SP) From Marcus.Gerdon at versatel.de Wed Mar 11 06:45:40 2009 From: Marcus.Gerdon at versatel.de (Marcus.Gerdon) Date: Wed, 11 Mar 2009 11:45:40 +0100 Subject: [c-nsp] Sup720 crashing at RP boot - HW revision dependent ? Message-ID: <227142482560EF458FF1F7E784E26AB84727E8@FLBVEXCH01.versatel.local> Hi @all, yesterday I've been hit by a somewhat strange - and possibly worrying - effect with Sup720 in 6500. I've got 3 Sup720-3BXL, one with an older HW revision (Sup: 4.4 / PFC: 1.6 / MSFC: 2.5) and 2 with newer (Sup: 5.2 / PFC: 1.8 / MSFC: 2.5). All three have been tested in a 6509 successfully by the supplier. According the test sheets they've used a Rev. 3.0 chassis. For offline testing and preparation I've an 6509 and 6506 spare chassis at hands, both of them being Rev. 2.0. When trying to boot those Sup in my 6509 the older one boots fine and everything is ok. The newer ones both start to boot and after switching to boot the RP it stalls (download doesn't even start, hangs after memory is displayed). After a minute or two a 'software forced crash' occurs and I'm thrown do SP rommon. Up to this point no updates, config changes or anything other than plugging them in the chassis and turning the power on has been done. It doesn't matter if they're put in slot 5 or 6, if the working one is already active in slot 5 or if I'm manually booting from rommon instead of autoboot. Also the IOS used doesn't change anything (18SXF, 18SXI, 17SXd) Interestingly in the Rev. 2.0 6506 all three are booting fine. I've done both rom updates in the 6506 and tried again in the 6509 - without any change. To me this looks like there's some dependancy between HW revisions of the Sup or PFC (MSFC rev. is the same on all threee) and the 6509 chassis (6506 wasn't effected). I've searched cisco.com for quite some time but without any hint to this issue. The only thing I found was that there're a few 6509-NEB eeprom updates to be applied to the chassis itself. So in fact there is some active rom part with the chassis that supposedly will differ between revisions. Does someone stumbled upon this, had similar issues or maybe even know or did see any document (comp. matrix, workaround or alike) about this ? regards, Marcus From p.mayers at imperial.ac.uk Wed Mar 11 07:14:30 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 11 Mar 2009 11:14:30 +0000 Subject: [c-nsp] Sup720 crashing at RP boot - HW revision dependent ? In-Reply-To: <227142482560EF458FF1F7E784E26AB84727E8@FLBVEXCH01.versatel.local> References: <227142482560EF458FF1F7E784E26AB84727E8@FLBVEXCH01.versatel.local> Message-ID: <49B79D16.3040809@imperial.ac.uk> Marcus.Gerdon wrote: > Hi @all, > > yesterday I've been hit by a somewhat strange - and possibly worrying - > effect with Sup720 in 6500. > > I've got 3 Sup720-3BXL, one with an older HW revision (Sup: 4.4 / PFC: > 1.6 / MSFC: 2.5) and 2 with newer (Sup: 5.2 / PFC: 1.8 / MSFC: 2.5). All > three have been tested in a 6509 successfully by the supplier. According > the test sheets they've used a Rev. 3.0 chassis. > > For offline testing and preparation I've an 6509 and 6506 spare chassis > at hands, both of them being Rev. 2.0. > > When trying to boot those Sup in my 6509 the older one boots fine and > everything is ok. The newer ones both start to boot and after switching > to boot the RP it stalls (download doesn't even start, hangs after > memory is displayed). After a minute or two a 'software forced crash' > occurs and I'm thrown do SP rommon. I've seen this exact symptom a couple of times with new supervisors. It generally "goes away" after a bit of ill-specified fiddling (I know, that's not very helpful) The last time it happened, I ended up booting from a really old IOS off the bootflash, re-formatting the CF card, loading a new IOS on then re-loading again. If you pin this down definitively I'd love to know the cause; there was another post on the list recently with similar symptoms, so you're not alone. From achatz at forthnet.gr Wed Mar 11 07:25:25 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 11 Mar 2009 13:25:25 +0200 Subject: [c-nsp] Sup720 crashing at RP boot - HW revision dependent ? In-Reply-To: <227142482560EF458FF1F7E784E26AB84727E8@FLBVEXCH01.versatel.local> References: <227142482560EF458FF1F7E784E26AB84727E8@FLBVEXCH01.versatel.local> Message-ID: <49B79FA5.6010800@forthnet.gr> Marcus, are you using the latest rommon in the SP (8.5(3)) and RP (12.2(17r)SX5)? 6500#remote command switch sh ver | i ROM: ROM: System Bootstrap, Version 8.5(3) 6500#sh ver | i ROM: ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1) -- Tassos Marcus.Gerdon wrote on 11/03/2009 12:45: > Hi @all, > > yesterday I've been hit by a somewhat strange - and possibly worrying - > effect with Sup720 in 6500. > > I've got 3 Sup720-3BXL, one with an older HW revision (Sup: 4.4 / PFC: > 1.6 / MSFC: 2.5) and 2 with newer (Sup: 5.2 / PFC: 1.8 / MSFC: 2.5). All > three have been tested in a 6509 successfully by the supplier. According > the test sheets they've used a Rev. 3.0 chassis. > > For offline testing and preparation I've an 6509 and 6506 spare chassis > at hands, both of them being Rev. 2.0. > > When trying to boot those Sup in my 6509 the older one boots fine and > everything is ok. The newer ones both start to boot and after switching > to boot the RP it stalls (download doesn't even start, hangs after > memory is displayed). After a minute or two a 'software forced crash' > occurs and I'm thrown do SP rommon. > > Up to this point no updates, config changes or anything other than > plugging them in the chassis and turning the power on has been done. > > It doesn't matter if they're put in slot 5 or 6, if the working one is > already active in slot 5 or if I'm manually booting from rommon instead > of autoboot. Also the IOS used doesn't change anything (18SXF, 18SXI, > 17SXd) > > Interestingly in the Rev. 2.0 6506 all three are booting fine. I've done > both rom updates in the 6506 and tried again in the 6509 - without any > change. > > To me this looks like there's some dependancy between HW revisions of > the Sup or PFC (MSFC rev. is the same on all threee) and the 6509 > chassis (6506 wasn't effected). > > I've searched cisco.com for quite some time but without any hint to this > issue. The only thing I found was that there're a few 6509-NEB eeprom > updates to be applied to the chassis itself. So in fact there is some > active rom part with the chassis that supposedly will differ between > revisions. > > > Does someone stumbled upon this, had similar issues or maybe even know > or did see any document (comp. matrix, workaround or alike) about this ? > > > > regards, > > Marcus > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From hegedus.gabor at euroway.hu Wed Mar 11 07:59:59 2009 From: hegedus.gabor at euroway.hu (Hegedus Gabor) Date: Wed, 11 Mar 2009 12:59:59 +0100 Subject: [c-nsp] vlan trunking problem Message-ID: <49B7A7BF.3000700@euroway.hu> Hi all! I have a problem: I have c2960 with vlan 200, 300, and 1 for management, and it connected to 861w router, but the 861w has just 2 vlan allowed(vlan 1 -management, vlan 300 for second vlan). how can I "switch" the vlan200(c2960) traffic to the vlan1(861w). I tried the native vlan but didn't work: c2960: interface FastEthernet0/30 switchport trunk native vlan 200 switchport trunk allowed vlan 200,300 switchport mode trunk spanning-tree portfast 861: vlan 300 interface FastEthernet0 switchport mode trunk interface Vlan1 ip address 192.168.1.1 255.255.255.0 ip tcp adjust-mss 1452 interface Vlan300 ip address 192.168.2.1 255.255.255.0 Any idea how can i resolve this problem? thank you! Gabor From Marcus.Gerdon at versatel.de Wed Mar 11 08:05:20 2009 From: Marcus.Gerdon at versatel.de (Marcus.Gerdon) Date: Wed, 11 Mar 2009 13:05:20 +0100 Subject: [c-nsp] Sup720 crashing at RP boot - HW revision dependent ? Message-ID: <227142482560EF458FF1F7E784E26AB84728AE@FLBVEXCH01.versatel.local> Tassos, they've been delivered and supplier-tested with 8.4(2) and 12.2(17r)S4 and bootet with those smoothly in the 6506. I'm running 8.5(1) and 12.2(17r)SX5 everywhere and updated those Sup's accordingly. But it didn't make difference. regards, Marcus > -----Urspr?ngliche Nachricht----- > Von: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] Im Auftrag von > Tassos Chatzithomaoglou > Gesendet: Mittwoch, 11. M?rz 2009 12:25 > An: cisco-nsp at puck.nether.net > Betreff: Re: [c-nsp] Sup720 crashing at RP boot - HW revision > dependent ? > > Marcus, are you using the latest rommon in the SP (8.5(3)) > and RP (12.2(17r)SX5)? > > 6500#remote command switch sh ver | i ROM: > ROM: System Bootstrap, Version 8.5(3) > > 6500#sh ver | i ROM: > ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1) > > > -- > Tassos > > > Marcus.Gerdon wrote on 11/03/2009 12:45: > > Hi @all, > > > > yesterday I've been hit by a somewhat strange - and > possibly worrying - > > effect with Sup720 in 6500. > > > > I've got 3 Sup720-3BXL, one with an older HW revision (Sup: > 4.4 / PFC: > > 1.6 / MSFC: 2.5) and 2 with newer (Sup: 5.2 / PFC: 1.8 / > MSFC: 2.5). All > > three have been tested in a 6509 successfully by the > supplier. According > > the test sheets they've used a Rev. 3.0 chassis. > > > > For offline testing and preparation I've an 6509 and 6506 > spare chassis > > at hands, both of them being Rev. 2.0. > > > > When trying to boot those Sup in my 6509 the older one > boots fine and > > everything is ok. The newer ones both start to boot and > after switching > > to boot the RP it stalls (download doesn't even start, hangs after > > memory is displayed). After a minute or two a 'software > forced crash' > > occurs and I'm thrown do SP rommon. > > > > Up to this point no updates, config changes or anything other than > > plugging them in the chassis and turning the power on has been done. > > > > It doesn't matter if they're put in slot 5 or 6, if the > working one is > > already active in slot 5 or if I'm manually booting from > rommon instead > > of autoboot. Also the IOS used doesn't change anything > (18SXF, 18SXI, > > 17SXd) > > > > Interestingly in the Rev. 2.0 6506 all three are booting > fine. I've done > > both rom updates in the 6506 and tried again in the 6509 - > without any > > change. > > > > To me this looks like there's some dependancy between HW > revisions of > > the Sup or PFC (MSFC rev. is the same on all threee) and the 6509 > > chassis (6506 wasn't effected). > > > > I've searched cisco.com for quite some time but without any > hint to this > > issue. The only thing I found was that there're a few > 6509-NEB eeprom > > updates to be applied to the chassis itself. So in fact > there is some > > active rom part with the chassis that supposedly will differ between > > revisions. > > > > > > Does someone stumbled upon this, had similar issues or > maybe even know > > or did see any document (comp. matrix, workaround or alike) > about this ? > > > > > > > > regards, > > > > Marcus > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From achatz at forthnet.gr Wed Mar 11 09:17:13 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 11 Mar 2009 15:17:13 +0200 Subject: [c-nsp] Sup720 crashing at RP boot - HW revision dependent ? In-Reply-To: <227142482560EF458FF1F7E784E26AB84728AE@FLBVEXCH01.versatel.local> References: <227142482560EF458FF1F7E784E26AB84728AE@FLBVEXCH01.versatel.local> Message-ID: <49B7B9D9.9060707@forthnet.gr> Marcus, since you're experiencing a software force crash, maybe you should open a tac case. In a similar case of mine (booting seemed stuck for mins, but there wasn't any crash), i upgraded the flash monlib ("upgrade filesystem monlib") and it worked fine afterwards. -- Tassos Marcus.Gerdon wrote on 11/03/2009 14:05: > Tassos, > > they've been delivered and supplier-tested with 8.4(2) and 12.2(17r)S4 and bootet with those smoothly in the 6506. > > I'm running 8.5(1) and 12.2(17r)SX5 everywhere and updated those Sup's accordingly. But it didn't make difference. > > > > regards, > > Marcus > > >> -----Urspru"ngliche Nachricht----- >> Von: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] Im Auftrag von >> Tassos Chatzithomaoglou >> Gesendet: Mittwoch, 11. Ma"rz 2009 12:25 >> An: cisco-nsp at puck.nether.net >> Betreff: Re: [c-nsp] Sup720 crashing at RP boot - HW revision >> dependent ? >> >> Marcus, are you using the latest rommon in the SP (8.5(3)) >> and RP (12.2(17r)SX5)? >> >> 6500#remote command switch sh ver | i ROM: >> ROM: System Bootstrap, Version 8.5(3) >> >> 6500#sh ver | i ROM: >> ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1) >> >> >> -- >> Tassos >> >> >> Marcus.Gerdon wrote on 11/03/2009 12:45: >>> Hi @all, >>> >>> yesterday I've been hit by a somewhat strange - and >> possibly worrying - >>> effect with Sup720 in 6500. >>> >>> I've got 3 Sup720-3BXL, one with an older HW revision (Sup: >> 4.4 / PFC: >>> 1.6 / MSFC: 2.5) and 2 with newer (Sup: 5.2 / PFC: 1.8 / >> MSFC: 2.5). All >>> three have been tested in a 6509 successfully by the >> supplier. According >>> the test sheets they've used a Rev. 3.0 chassis. >>> >>> For offline testing and preparation I've an 6509 and 6506 >> spare chassis >>> at hands, both of them being Rev. 2.0. >>> >>> When trying to boot those Sup in my 6509 the older one >> boots fine and >>> everything is ok. The newer ones both start to boot and >> after switching >>> to boot the RP it stalls (download doesn't even start, hangs after >>> memory is displayed). After a minute or two a 'software >> forced crash' >>> occurs and I'm thrown do SP rommon. >>> >>> Up to this point no updates, config changes or anything other than >>> plugging them in the chassis and turning the power on has been done. >>> >>> It doesn't matter if they're put in slot 5 or 6, if the >> working one is >>> already active in slot 5 or if I'm manually booting from >> rommon instead >>> of autoboot. Also the IOS used doesn't change anything >> (18SXF, 18SXI, >>> 17SXd) >>> >>> Interestingly in the Rev. 2.0 6506 all three are booting >> fine. I've done >>> both rom updates in the 6506 and tried again in the 6509 - >> without any >>> change. >>> >>> To me this looks like there's some dependancy between HW >> revisions of >>> the Sup or PFC (MSFC rev. is the same on all threee) and the 6509 >>> chassis (6506 wasn't effected). >>> >>> I've searched cisco.com for quite some time but without any >> hint to this >>> issue. The only thing I found was that there're a few >> 6509-NEB eeprom >>> updates to be applied to the chassis itself. So in fact >> there is some >>> active rom part with the chassis that supposedly will differ between >>> revisions. >>> >>> >>> Does someone stumbled upon this, had similar issues or >> maybe even know >>> or did see any document (comp. matrix, workaround or alike) >> about this ? >>> >>> >>> regards, >>> >>> Marcus >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From link at pobox.com Wed Mar 11 09:26:34 2009 From: link at pobox.com (Terje Bless) Date: Wed, 11 Mar 2009 14:26:34 +0100 Subject: [c-nsp] Sup720 crashing at RP boot - HW revision dependent ? In-Reply-To: <227142482560EF458FF1F7E784E26AB84727E8@FLBVEXCH01.versatel.local> References: <227142482560EF458FF1F7E784E26AB84727E8@FLBVEXCH01.versatel.local> Message-ID: <47ac005a0903110626r7fc65ea3h8e92c4e3b86869e@mail.gmail.com> On Wed, Mar 11, 2009 at 11:45 AM, Marcus.Gerdon wrote: > When trying to boot those Sup in my 6509 the older one boots fine and > everything is ok. The newer ones both start to boot and after switching > to boot the RP it stalls (download doesn't even start, hangs after > memory is displayed). After a minute or two a 'software forced crash' > occurs and I'm thrown do SP rommon. We saw symptoms like these in a 6509 with SupII's when we'd upgraded the DRAM on the RP but forgotten to upgrade the DRAM on the SP (D'oh!). The box booted the SP fine and then stalled at the point where it would usually download the image, and then crashed. Once both SP and RP had enough DRAM to run the IOS image the box suddenly booted fine. Not an identical scenario, but it might be worth checking. -link From jfitz at Princeton.EDU Wed Mar 11 09:32:30 2009 From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Wed, 11 Mar 2009 09:32:30 -0400 Subject: [c-nsp] vlan trunking problem In-Reply-To: <49B7A7BF.3000700@euroway.hu> References: <49B7A7BF.3000700@euroway.hu> Message-ID: The mismatch in natives should work as long as you have CDP disabled on those ports and maybe even STP disabled for vlan 1 and 200 on both boxes. What error message do you get when you have mismatched natives? Jeff Fitzwater OIT Network Systems Princeton University On Mar 11, 2009, at 7:59 AM, Hegedus Gabor wrote: > Hi all! > > I have a problem: > > I have c2960 with vlan 200, 300, and 1 for management, > and it connected to 861w router, but the 861w has just 2 vlan > allowed(vlan 1 -management, vlan 300 for second vlan). > > how can I "switch" the vlan200(c2960) traffic to the vlan1(861w). > > I tried the native vlan but didn't work: > > c2960: > interface FastEthernet0/30 > switchport trunk native vlan 200 > switchport trunk allowed vlan 200,300 > switchport mode trunk > spanning-tree portfast > > 861: > vlan 300 > interface FastEthernet0 > switchport mode trunk > > interface Vlan1 > ip address 192.168.1.1 255.255.255.0 > ip tcp adjust-mss 1452 > > interface Vlan300 > ip address 192.168.2.1 255.255.255.0 > > > Any idea how can i resolve this problem? > > thank you! > Gabor > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From anderson.levi at gmail.com Wed Mar 11 09:40:44 2009 From: anderson.levi at gmail.com (Anderson Levi) Date: Wed, 11 Mar 2009 16:40:44 +0300 Subject: [c-nsp] ME3400 In-Reply-To: <458B3EC21E4A3044998E917199AACB2F01A6459A@GNBEX02.gnb.ca> References: <458B3EC21E4A3044998E917199AACB2F01A6459A@GNBEX02.gnb.ca> Message-ID: Thanks, for the info everyone! On Wed, Mar 11, 2009 at 4:17 PM, Munroe, James (DSS/MAS) < James.Munroe at gnb.ca> wrote: > An output from the "show sdm pref" command. > > The current template is "default" template. > The selected template optimizes the resources in > the switch to support this level of features for > 8 routed interfaces and 1024 VLANs. > > number of unicast mac addresses: 5K > number of IPv4 IGMP groups + multicast routes: 1K > number of IPv4 unicast routes: 9K > number of directly-connected IPv4 hosts: 5K > number of indirect IPv4 routes: 4K > number of IPv4 policy based routing aces: 0.5K > number of IPv4/MAC qos aces: 0.5K > number of IPv4/MAC security aces: 1K > > Hope this helps... > > Jim > > -----Original Message----- > From: Anderson Levi [mailto:anderson.levi at gmail.com] > Sent: Wednesday, March 11, 2009 6:29 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ME3400 > > Hi, > > I need to find out how many routes a Cisco ME3400 can hold. Anyone with > an idea or pointer as to where I can find out? Any help would be > appreciated. > Thanks. > > From skeeve at skeeve.org Wed Mar 11 09:48:00 2009 From: skeeve at skeeve.org (Skeeve Stevens) Date: Thu, 12 Mar 2009 00:48:00 +1100 Subject: [c-nsp] Stopping VTP on a specific port Message-ID: Hey all, I might have asked this ages ago... but you never know, might be worth asking again. We manage multiple networks which are all Ethernet connected to each other in a Datacenter. We don't manage some of the end networks though... and while on the middle transiting networks I can set vtp transparent and put a password... I would actually like to be using it. But MetroE customers are becoming a problem. I can't stop two end networks using our middle network as a middleman for VTP issues... I would like to block any VTP traffic on a specific port. If this doesn't make sense... let me know. -- Skeeve Stevens, RHCE skeeve at skeeve.org / www.skeeve.org Cell +61 (0)414 753 383 / skype://skeeve eintellego - skeeve at eintellego.net - www.eintellego.net -- I'm a groove licked love child king of the verse Si vis pacem, para bellum From nicotine at warningg.com Wed Mar 11 09:49:21 2009 From: nicotine at warningg.com (Brandon Ewing) Date: Wed, 11 Mar 2009 08:49:21 -0500 Subject: [c-nsp] ME3400 In-Reply-To: <20090311134228.T56136@xkis.kis.ru> References: <31371.212.142.33.197.1236764070.squirrel@www.vive-id.nl> <20090311134228.T56136@xkis.kis.ru> Message-ID: <20090311134921.GL24628@biological.warningg.com> On Wed, Mar 11, 2009 at 01:44:21PM +0300, Dmitry Valdov wrote: > Hi! > > The device says 9K total (5K directly connected and 4K indirect).. > === > > #sh sdm pref > The current template is "default" template. > The selected template optimizes the resources in > the switch to support this level of features for > 8 routed interfaces and 1024 VLANs. > > number of unicast mac addresses: 5K > number of IPv4 IGMP groups + multicast routes: 1K > number of IPv4 unicast routes: 9K > number of directly-connected IPv4 hosts: 5K > number of indirect IPv4 routes: 4K > number of IPv4 policy based routing aces: 0.5K > number of IPv4/MAC qos aces: 0.5K > number of IPv4/MAC security aces: 1K If it's like a 3560's SDM, be careful: A connected subnet is 4 "indirect IPv4 routes" -- it stores a CEF receive entry for the network address, broadcast address, assigned IP, and then the CEF attach for the actual netblock. And even though "directly-connected IPv4 hosts" is listed under the "unicast routes" prefix, it isn't counting connected networks. Each connected subnet is a glean in the "directly-attached" section, and each IP -> ARP address is an adjacency in the "directly-attached" section, so it's really more a limitation on the amount of ARP entries the switch can store. -- Brandon Ewing (nicotine at warningg.com) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From jlewis at lewis.org Wed Mar 11 10:16:49 2009 From: jlewis at lewis.org (Jon Lewis) Date: Wed, 11 Mar 2009 10:16:49 -0400 (EDT) Subject: [c-nsp] Stopping VTP on a specific port In-Reply-To: References: Message-ID: On Thu, 12 Mar 2009, Skeeve Stevens wrote: > Hey all, > > I might have asked this ages ago... but you never know, might be worth > asking again. You asked about a year ago. Did you try any of the suggestions? http://www.gossamer-threads.com/lists/cisco/nsp/85833 ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From A.L.M.Buxey at lboro.ac.uk Wed Mar 11 10:33:14 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Wed, 11 Mar 2009 14:33:14 +0000 Subject: [c-nsp] Stopping VTP on a specific port In-Reply-To: References: Message-ID: <20090311143314.GA23978@lboro.ac.uk> Hi, > I might have asked this ages ago... but you never know, might be worth > asking again. not sure why you'd think that - the asnwers given back then are all valid many options, though these 2 are trivial: 1) block the MAC address used for such packets - multicast MAC 01-00-0c-cc-cc-cc 2) set the links to switchport mode access (vtp only works over trunks) alan From petelists at templin.org Wed Mar 11 10:38:12 2009 From: petelists at templin.org (Pete Templin) Date: Wed, 11 Mar 2009 09:38:12 -0500 Subject: [c-nsp] BGP Route Selection In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654C54@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE03654C54@vic-cr-ex1.staff.netspace.net.au> Message-ID: <49B7CCD4.1000702@templin.org> Andy Saykao wrote: > Hi All, > > Just trying to get my head around why BGP prefers a certain route over > others in my example below. I've read up on how BGP makes it's path > selection decision but I can't follow why it hasn't chosen a route with > a higher local preferences. To rehash what Oliver said, you and the router ignore the (received-only) routes when choosing a best path. The (received-only) shows you the routes received from (soft-reconfig-enabled) neighbors in the exact form received, in other words before your inbound route-map is applied to those routes. pt From dan at beanfield.com Wed Mar 11 09:41:39 2009 From: dan at beanfield.com (Dan Armstrong) Date: Wed, 11 Mar 2009 09:41:39 -0400 Subject: [c-nsp] ME3400 In-Reply-To: References: Message-ID: <6C016A4A-CA92-40A1-84C0-CCC9D2BFE4F8@beanfield.com> Nowhere near a full table. :-) Our busiest ME3400 has about 10,000 OSPF routes in it, and doesn't break a sweat. Without doing any math, I wouldn't put any more than that in there though. On 11-Mar-09, at 5:29 AM, Anderson Levi wrote: > Hi, > > I need to find out how many routes a Cisco ME3400 can hold. Anyone > with an > idea or pointer as to where I can find out? Any help would be > appreciated. > Thanks. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From petelists at templin.org Wed Mar 11 10:43:58 2009 From: petelists at templin.org (Pete Templin) Date: Wed, 11 Mar 2009 09:43:58 -0500 Subject: [c-nsp] 7500 Channelized DS3 Issues In-Reply-To: <1236728984.8428.8.camel@booger> References: <1236728984.8428.8.camel@booger> Message-ID: <49B7CE2E.7060005@templin.org> Todd Shipway wrote: > DS3 card is divided into multiple T1 interfaces. All interfaces have > been running without problems for weeks. Last week 1 interface went > down, and when it came back up, no traffic will go across the interface. > The int shows as up/up, manually setting a route doesn't help anything. > Copying the int config to a different channel on the same card fixes the > issue and traffic is back to normal. > > Today, we had 2 interfaces that were part of a multilink ppp interface > go down and right back up. All interfaces were up/up including the > MLPPP interface. Moving them to different channels resulted in the same > issue. Moving 1 T1 to a Multi-channel T1 card and keeping the other T1 > on the channelized DS3 allowed the multilink interface to come up and > traffic went back to normal. Usual questions first: what chassis, what RSP, what IPs/VIPs/PAs, particularly for the DS3 work, what IOS, and why have you selected that IOS? I had odd problems with 7507/RSP4+RSP4/VIP2-50+PA-FE-TX/VIP2-50+PA-FE-TX VIP2-50+PA-MC-2T3+ boxes on IOS 12.0(27)S1 back in the day. "Something" would happen, and one T3 port would stop passing traffic. RMA on the PA-MC-2T3 helped, but 12.0(27)S3 made all the difference (and 12.0(27)S5 has been even better). We chose 12.0(27)S back then as it was perhaps the newest 12.0S at the time and seemed to have the general following for CT3 work. We've tried 12.0(31)S (for various rebuilds of that S) with very poor success on Ethernet work, and have left 12.0(27)S5 in place for CT3s ever since. It's as close to "set and let" as we've ever seen with 7507s. Pete From skeeve at skeeve.org Wed Mar 11 11:07:28 2009 From: skeeve at skeeve.org (Skeeve Stevens) Date: Thu, 12 Mar 2009 02:07:28 +1100 Subject: [c-nsp] Stopping VTP on a specific port In-Reply-To: References: Message-ID: Hey Jon, 1) They are trunk ports and must be trunk ports 2) I actually like CDP... very useful in diagnosing issues with customers 3) Doesn't stop being used as an bridge between two networks 4) hmmmm does just changing the native vlan on a trunk stop VTP by any chance? ...Skeeve -----Original Message----- From: Jon Lewis [mailto:jlewis at lewis.org] Sent: Thursday, 12 March 2009 1:17 AM To: Skeeve Stevens Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Stopping VTP on a specific port On Thu, 12 Mar 2009, Skeeve Stevens wrote: > Hey all, > > I might have asked this ages ago... but you never know, might be worth > asking again. You asked about a year ago. Did you try any of the suggestions? http://www.gossamer-threads.com/lists/cisco/nsp/85833 ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From skeeve at skeeve.org Wed Mar 11 11:08:38 2009 From: skeeve at skeeve.org (Skeeve Stevens) Date: Thu, 12 Mar 2009 02:08:38 +1100 Subject: [c-nsp] Stopping VTP on a specific port In-Reply-To: <20090311143314.GA23978@lboro.ac.uk> References: <20090311143314.GA23978@lboro.ac.uk> Message-ID: Needs to be trunk... How do I block the MAC on a trunk? Is that possible? -----Original Message----- From: A.L.M.Buxey at lboro.ac.uk [mailto:A.L.M.Buxey at lboro.ac.uk] Sent: Thursday, 12 March 2009 1:33 AM To: Skeeve Stevens Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Stopping VTP on a specific port Hi, > I might have asked this ages ago... but you never know, might be worth > asking again. not sure why you'd think that - the asnwers given back then are all valid many options, though these 2 are trivial: 1) block the MAC address used for such packets - multicast MAC 01-00-0c-cc-cc-cc 2) set the links to switchport mode access (vtp only works over trunks) alan From psirt at cisco.com Wed Mar 11 11:40:00 2009 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wednesday, 11 March 2009 10:40:00 -0500 Subject: [c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability Message-ID: <200903111040.cucmpab@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability Advisory ID: cisco-sa-20090311-cucmpab Revision 1.0 For Public Release 2009 March 11 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco Unified Communications Manager, formerly CallManager, contains a privilege escalation vulnerability in the IP Phone Personal Address Book (PAB) Synchronizer feature that may allow an attacker to gain complete administrative access to a vulnerable Cisco Unified Communications Manager system. If Cisco Unified Communications Manager is integrated with an external directory service, it may be possible for an attacker to leverage the privilege escalation vulnerability to gain access to additional systems configured to use the directory service for authentication. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090311-cucmpab.shtml Affected Products ================= Vulnerable Products +------------------ The following products are vulnerable: * Cisco Unified CallManager 4.1 versions * Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4b * Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1b * Cisco Unified Communications Manager 5.x versions prior to 5.1(3e) * Cisco Unified Communications Manager 6.x versions prior to 6.1(3) * Cisco Unified Communications Manager 7.0 versions prior to 7.0(2) Administrators of systems that are running Cisco Unified Communications Manager software version 4.x can determine the software version by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the Cisco Unified Communications Manager administration interface. Administrators of systems that are running Cisco Unified Communications Manager software versions 5.x, 6.x, and 7.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI). Products Confirmed Not Vulnerable +-------------------------------- Cisco Unified Communications Manager Express is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability. Details ======= The Cisco IP Phone Personal Address Book (PAB) Synchronizer feature of Cisco Unified Communications Manager allows users to keep their Cisco Unified Communications Manager address book synchronized with their Microsoft Windows address book. The IP Phone PAB Synchronizer feature contains a privilege escalation vulnerability that may allow an attacker to obtain complete administrative access to a vulnerable Cisco Unified Communications Manager system. After an IP Phone PAB Synchronizer client successfully authenticates to a Cisco Unified Communications Manager device over a HTTPS connection, the Cisco Unified Communications Manager returns credentials for a user account that is used to manage the Cisco Unified Communications Manager directory service. If an attacker is able to intercept the credentials, they can perform unauthorized modifications to the Cisco Unified Communications Manager configuration and extend their privileges. The IP Phone PAB Synchronizer client has been redesigned to allow address book synchronization without requiring the directory service credentials. This vulnerability does not allow an attacker to gain access to the underlying platform operating system of any Cisco Unified Communications Manager system. Cisco Unified Communications Manager 4.x +--------------------------------------- Cisco Unified Communications Manager software version 4.x by default stores user information using an internal Lightweight Directory Access Protocol (LDAP) server called DC Directory. After an IP Phone PAB Synchronizer client successfully authenticates, the Cisco Unified Communications Manager returns credentials for the DC Directory user that will be used by the client to synchronize a user's address book. Depending on how a Cisco Unified Communications Manager is configured, an attacker may obtain different privilege levels using the intercepted credentials. By default, Cisco Unified Communications Manager software version 4.x administrator accounts are created as part of an underlying Microsoft Windows operating system. Cisco Unified Communications Manager is commonly deployed using the Multi-Level Administration (MLA) feature to ease the integration of Cisco Unified Communications Manager into enterprise environments. If MLA is enabled, Cisco Unified Communications Manager stores administrator accounts in the Cisco Unified Communications Manager DC Directory service. If an attacker obtains the DC Directory credentials and MLA is enabled, the attacker can add an existing account to the Cisco Unified Communications Manager super-user group. The attacker can then access the Cisco Unified Communications Manager management interface with complete administrative access. If MLA is not enabled, the attacker cannot escalate their privileges; however, they can modify any user settings in the directory. The Cisco Unified Communications Manager 4.x IP Phone PAB Synchronizer client uses an unencrypted LDAP connection to perform address book synchronization. The DC Directory credentials are passed in the clear over the network and are vulnerable to being sniffed by an attacker. If using the DC Directory internal LDAP server, the IP Phone PAB Synchronizer client communicates to Cisco Unified Communications Manager on TCP ports 8404 and 8405. Cisco Unified Communications Manager 5.x, 6.x, 7.x +------------------------------------------------- Cisco Unified Communications Manager software versions 5.x, 6.x, and 7.x store user information as a part of the internal Cisco Unified Communications Manager configuration database. The IP Phone PAB Synchronizer client uses the AXL application programming interface (API) to perform address book synchronization. After a client successfully authenticates, the Cisco Unified Communications Manager returns credentials for a database user account named TabSyncSysUser that will be used by the client to synchronize an user's address book. The TabSyncSysUser account has full read and write privileges to the Cisco Unified Communications Manager configuration database. Using the TabSyncSysUser credentials via the AXL API, an attacker can modify any parameter in the database including creating new administrator accounts. Directory Service Integration +---------------------------- Cisco Unified Communications Manager software versions 4.x, 5.x, 6.x, and 7.x can be integrated with Microsoft Active Directory and several non-Microsoft LDAP servers to perform user authentication. In order to function properly, the integration process requires that appropriate user credentials for the directory service are provided to Cisco Unified Communications Manager. If an attacker intercepts or sniffs the directory service credentials returned by a Cisco Unified Communications Manager responding to an IP Phone PAB Synchronizer client, the attacker may be able to leverage the credentials to gain access to additional systems configured to use the directory service for authentication. Administrators should ensure that any directory service credentials used for the Cisco Unified Communications Manager integration process are configured to follow the principle of least privilege. The credentials should be configured with only the privileges necessary to access the directory service data needed for the integration process to function properly. The use of overly privileged administrator accounts is discouraged. Please see the Workarounds section for more information on performing the integration of Cisco Unified Communications Manager with AD using the least privilege concept. This vulnerability is documented in Cisco Bug IDs CSCso76587 and CSCso78528 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0632. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCso76587 - Directory Manager password sent in clear from client CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCso78528 - TabSyncSysUser (axl user) password sent in clear from client CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may allow an attacker to intercept user credentials that allow the attacker to escalate their privilege level and obtain complete administrative access to a vulnerable Cisco Unified Communications Manager system. If integrated with an external directory service, the intercepted user credentials may allow an attacker to gain access to additional systems configured to use the directory service for authentication. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco Unified Communications Manager software version 4.2(3)SR4b contains the fix for this vulnerability. Administrators of Cisco Unified CallManager software version 4.1 systems are encouraged to upgrade to Cisco Unified Communications Manager software version 4.2 (3)SR4b in order to obtain fixed software. Version 4.2(3)SR4b can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280264388&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20CallManager%20Version%204.2&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Cisco Unified Communications Manager software version 4.3(2)SR1b contains the fix for this vulnerability. Version 4.3(2)SR1b can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280771554&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%204.3&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Cisco Unified Communications Manager software version 5.1(3e) contains the fix for this vulnerability. Version 5.1(3e) can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Cisco Unified Communications Manager software version 6.1(3) contains the fix for this vulnerability. Version 6.1(3) can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Cisco Unified Communications Manager software version 7.0(2) contains the fix for this vulnerability. Version 7.0(2) can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=&isPlatform=Y&mdfid=281941895&sftType=Unified+Communications+Manager+Updates&treeName=Voice+and+Unified+Communications&modelName=Cisco+Unified+Communications+Manager+Version+7.0&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=&hybrid=Y&imst=N Workarounds =========== It is possible to mitigate against this vulnerability using the following workarounds. Cisco Unified Communications Manager 4.x +--------------------------------------- It is possible to mitigate this vulnerability by moving the ASP script that IP Phone Personal Address Book (PAB) Scynchronizer clients interact with to a directory location that is not accessible to the Cisco Unified Communications Manager web server. The system drive where the ASP script resides depends on how Cisco Unified Communications Manager was installed. Employing this workaround will prevent address book synchronization; however, the PAB application will continue to function. The ASP script can be moved using the following command: C:\> move c:\CiscoWebs\User\LDAPDetails.asp c:\temp It is also possible to mitigate this vulnerability by implementing filtering on screening devices or using the Windows firewall. Administrators are advised to permit access to TCP ports 8404 and 8405 only from trusted networks. Cisco Unified Communications Manager 5.x, 6.x, 7.x +------------------------------------------------- It is possible to mitigate this vulnerability by restricting the permissions of the TabSyncSysUser database user account. In the Cisco Unified Communications Manager Administration interface, navigate to User Management > Application User and search for the TabSyncSysUser account. Remove all groups from the account and change the password. Employing this workaround will prevent address book synchronization; however, the PAB application will continue to function. Active Directory Integration +--------------------------- To improve the security of Cisco Unified Communications Manager integration with Active Directory (AD), Cisco has produced a whitepaper that provides a detailed explanation of how to perform Cisco Unified Communications Manager integration with AD using the least-privileged principle. The whitepaper can be downloaded here: http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080a83435.shtml Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090311-cucmpab.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center sw-usingswc.shtml. Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. The vulnerability in Cisco Unified Communications Manager 4.x software versions was reported to Cisco by Olivier Grosjeanne of Dimension Data France. The vulnerability in Cisco Unified Communications Manager 5.x, 6.x and 7.x software versions was reported by Oliver Dewdney of LBI. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090311-cucmpab.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-March-11 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iD8DBQFJt9DF86n/Gc8U/uARAtjqAJ9eE9ETbc4lyUJV8GrCEmiaJeS1NACdExbB dLmiSiaPCdGHpVKTKvZj78k= =C3h7 -----END PGP SIGNATURE----- From A.L.M.Buxey at lboro.ac.uk Wed Mar 11 12:25:31 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Wed, 11 Mar 2009 16:25:31 +0000 Subject: [c-nsp] Stopping VTP on a specific port In-Reply-To: References: <20090311143314.GA23978@lboro.ac.uk> Message-ID: <20090311162531.GB24260@lboro.ac.uk> Hi, > Needs to be trunk... How do I block the MAC on a trunk? Is that possible? regarding port ACLs (of which MAC ACLs are one of: to quote cisco press "When applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When applied to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs" http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4 alan From justin at justinshore.com Wed Mar 11 12:25:48 2009 From: justin at justinshore.com (Justin Shore) Date: Wed, 11 Mar 2009 11:25:48 -0500 Subject: [c-nsp] Stopping VTP on a specific port In-Reply-To: References: Message-ID: <49B7E60C.2090409@justinshore.com> Skeeve Stevens wrote: > We don't manage some of the end networks though... and while on the middle > transiting networks I can set vtp transparent and put a password... > > I would actually like to be using it. But MetroE customers are becoming a > problem. > > I can't stop two end networks using our middle network as a middleman for > VTP issues... > > I would like to block any VTP traffic on a specific port. Would a L2TP tunnel be appropriate here? If the customers want to use VTP and you want to use VTP (why is anyone's guess!) but not mix them then the only way I know of doing this would be a L2TP tunnel so that you ignore their VTP messages and tunnel them to the far side. http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/65met_wp.htm#wp40056 Justin From ardabalkanay at gmail.com Wed Mar 11 12:33:19 2009 From: ardabalkanay at gmail.com (Arda Balkanay) Date: Wed, 11 Mar 2009 18:33:19 +0200 Subject: [c-nsp] Stopping VTP on a specific port In-Reply-To: <20090311162531.GB24260@lboro.ac.uk> References: <20090311143314.GA23978@lboro.ac.uk> <20090311162531.GB24260@lboro.ac.uk> Message-ID: <9af987420903110933y74e22e7bs746308861a084028@mail.gmail.com> hi , does QinQ make sense ? make switchport mode dot1q tunnel and assign a vlan (access vlan X as outer vlan) and disable l2protocol tunnelling (to not carry cdp, stp like information at customer vlans, you may also partially block l2 protocols) if you are at the middle of a L2 point to point service QinQ can make sense this way. If you are terminating vlans which comes via trunk of customer you will need special hardware (like 7600 and ES20 or SIP400) to terminate QinQ at ip interface. On Wed, Mar 11, 2009 at 6:25 PM, wrote: > Hi, > > Needs to be trunk... How do I block the MAC on a trunk? Is that possible? > > regarding port ACLs (of which MAC ACLs are one of: > > to quote cisco press "When applied to a trunk port, the ACL filters traffic > on all VLANs present on the trunk port. When applied to a port with voice > VLAN, the ACL filters traffic on both data and voice VLANs" > > http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4 > > alan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From peter at rathlev.dk Wed Mar 11 13:47:06 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 11 Mar 2009 18:47:06 +0100 Subject: [c-nsp] FWSM HA secondary reload & long downtime In-Reply-To: References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> Message-ID: <1236793626.3563.339.camel@localhost.localdomain> On Wed, 2009-03-11 at 11:16 +0100, Andrew Yourtchenko wrote: > > So the contexts weren't really activated (with "Up" interfaces) > > during all the downtime, just at the end. To me that seems to > > suggest that it's not just simply that it "steals" the traffic for > > the interfaces. > > Right. That was why I was wondering whether indeed "all" (as in > "absolutely all, i swear" :) the traffic was affected, or only some part > of it, and with what timing. Also interesting thing to check if the > existing TCP connections continue to run ok (so then the problem area > could be isolated to session path and up). Of course, in the real-world > scenario there's frequently simply not enough time to look at those > details, but they might be definitely helpful. Hmm... I have discovered that my original analysis was flawed. I knew TCP sessions without activity survived this, among others a couple of SSH sessions I had going through two of the contexts to test exactly this. I had setup a ping job (200 ms interval) between two hosts for traffic crossing two contexts. This job lost 509 packets during the downtime, and I assumed this meant that the total time-to-recover for the system was ~100 seconds. This conclusion was not right though; assumption bit me again. :-D I have looked at the log-files in a more thorough and systematic fashion, and actually it was only traffic through one context that was impacted. All the contexts, including the impacted one, have logged continuously with no problems. When I saw SYN Timeouts on the others contexts too it was always for connections coming from the one with problems. This of course points to something else being the problem, not the FWSM. Or at least that it is something concerning the context, not the hardware or system configuration. The switch housing the FWSM logged some things during the bootup, but only the usual stuff and only before the break: Mar 9 16:37:00.303: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (Reset) Mar 9 16:39:01.552: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 2, opcode 0x330 Mar 9 16:39:02.572: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimum Online Diagnostics... Mar 9 16:39:04.624: %DIAG-SP-6-DIAG_OK: Module 2: Passed Online Diagnostics Mar 9 16:39:05.076: %OIR-SP-6-INSCARD: Card inserted in slot 2, interfaces are now online Mar 9 16:39:12.079: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 2, opcode 0x330 Mar 9 16:39:22.579: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 2, opcode 0x330 The break was just around 16:40:10. Nothing in those messages make me concerned. I think we'll let it rest here. It was a much lower impact than we thought, so no biggie. And Andrew: Thank you very much for your input. :-) Regards, Peter From ayourtch at cisco.com Wed Mar 11 14:14:10 2009 From: ayourtch at cisco.com (Andrew Yourtchenko) Date: Wed, 11 Mar 2009 19:14:10 +0100 (CET) Subject: [c-nsp] FWSM HA secondary reload & long downtime In-Reply-To: <1236793626.3563.339.camel@localhost.localdomain> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> Message-ID: On Wed, 11 Mar 2009, Peter Rathlev wrote: > Hmm... I have discovered that my original analysis was flawed. I knew > TCP sessions without activity survived this, among others a couple of hmm, so "no traffic during the problem" = "survival"... for those sessions that died in the process, would be interesting to see the reason in the syslog. If it's "reset-I" or "reset-O" at the time of sync, then the next step would be to look in more detail where and how the reset comes from. Iterative PCAP. > SSH sessions I had going through two of the contexts to test exactly > this. I had setup a ping job (200 ms interval) between two hosts for > traffic crossing two contexts. This job lost 509 packets during the > downtime, and I assumed this meant that the total time-to-recover for > the system was ~100 seconds. > > This conclusion was not right though; assumption bit me again. :-D > > I have looked at the log-files in a more thorough and systematic > fashion, and actually it was only traffic through one context that was > impacted. All the contexts, including the impacted one, have logged > continuously with no problems. When I saw SYN Timeouts on the others > contexts too it was always for connections coming from the one with > problems. ahha. "Never assume anything unless you have hard proof" is a good rule of thumb that helps a lot. Though of course the reality dictates the probabilistic shortcuts at times. > > This of course points to something else being the problem, not the FWSM. *bling* too strong of an assumption :). I'd not discard it right away, but from the practical standpoint the fact that some contexts survive the replication just fine and it is only one that has an issue, gives a very good jumpstart to look for differences between the problematic context and the others - configuration, topology, traffic volumes, anything. The good point is that this is a non-intrusive (although a bit time-consuming) exercise. > Or at least that it is something concerning the context, not the > hardware or system configuration. yup, with this I totally agree. > > The switch housing the FWSM logged some things during the bootup, but > only the usual stuff and only before the break: > > Mar 9 16:37:00.303: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (Reset) > Mar 9 16:39:01.552: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 2, opcode 0x330 > Mar 9 16:39:02.572: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimum Online Diagnostics... > Mar 9 16:39:04.624: %DIAG-SP-6-DIAG_OK: Module 2: Passed Online Diagnostics > Mar 9 16:39:05.076: %OIR-SP-6-INSCARD: Card inserted in slot 2, interfaces are now online > Mar 9 16:39:12.079: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 2, opcode 0x330 > Mar 9 16:39:22.579: %PM_SCP-SP-4-UNK_OPCODE: Received unknown unsolicited message from module 2, opcode 0x330 > > The break was just around 16:40:10. Nothing in those messages make me > concerned. +1 > > I think we'll let it rest here. It was a much lower impact than we > thought, so no biggie. > Indeed - though still would be good to nail it down. The latent problems are worse in a sense that they usually pop up at the worst possible times in combination with something else, and complicate the life a lot. It's like walking on the rails is practically not a huge issue, and a high-speed train passing by is not of an issue, but combined the two events are highly undesirable :) > And Andrew: Thank you very much for your input. :-) My pleasure :) cheers, andrew From lowen at pari.edu Wed Mar 11 17:20:47 2009 From: lowen at pari.edu (Lamar Owen) Date: Wed, 11 Mar 2009 17:20:47 -0400 Subject: [c-nsp] Tracking connection resets on a 7500 trunking GEIP+ Message-ID: <200903111720.47935.lowen@pari.edu> Ok, I'm having an odd difficulty, and am trying to determine how to go about troubleshooting it. I have two routers at my border, a 7401ASR and a 7507/RSP8, both running 12.4 mainline. The two routers are both running iBGP to each other and eBGP to my provider. The two routers are providing HSRP to a server subnet, an APS- protected OC3 POS WAN link, and Stateful NAT with several static entries and a dynamic pool. CBAC is in use, and the ACL isn't terribly long. The two routers connect to both the server farm and the ISP through two Gige trunks to a Catalyst 5505 switch, using two SupIIIG's for the GigE-LX trunks and a WS-X5225R 24 port 10/100 blade to connect to the ISP through a pair of ports on two VLANs, and to the server farm through other VLANs. While the 7401 (the APS protect) is active on the OC3 and set as active for HSRP, everything works as it should. When the 7507 is doing this duty, some websites become deathly slow, to the point of showing 'connection reset by peer' errors. I'm looking for just a pointer or two as to how to trace this issue and narrow down to the port on the Cat5505 SupIIIG, the two GBIC's, the fiber path, the GEIP+ on the 7507, or maybe even the RSP8 on the 7507. I do see a very few framing errors on the GigE between the GEIP+ and the SupIIIG, but they are very few and far between. So any pointer (except 'upgrade your hardware') is desired. I would love to upgrade, but, in this economy? The best idea I've had yet is to remove the 7401, replace with another known good 7507 that I have, drop to 12.0S, and do my NAT and firewalling on this end of the OC3 with a single or dual 7401ASR setup (using hardware I have at my disposal). Then I'll use GRE tunnels to the RSFC's on the two SupIIIG's to get to the server farm at that end. From david at hughes.com.au Wed Mar 11 18:59:17 2009 From: david at hughes.com.au (David Hughes) Date: Thu, 12 Mar 2009 08:59:17 +1000 Subject: [c-nsp] Etherchannel guard vs. mstp In-Reply-To: <49B65F91.8000807@cooler.hu> References: <49B65F91.8000807@cooler.hu> Message-ID: <624DA659-C8A9-4503-A1B2-E7497037ECF0@hughes.com.au> We are running etherchannel on 6500s with MST all over the place. Shouldn't be a problem. Also swapping from RPVST+ to MST without a reload should not be a problem (did it many times when we migrated to MST). Please post your physical interface and portchannel interface configs from both ends of the bundle that isn't working. Thanks David ... On 10/03/2009, at 10:39 PM, Nemeth Laszlo wrote: > \The first router was the Router A. It changed without problem. > But when i sent the "spanning-tree mode mstp" to Router B it put > down the 4x10G Etherchannel link with Router A and logged it: > > Mar 9 16:04:57.669 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel- > misconfig error detected on Te1/3, putting Te1/3 in err-disable state > Mar 9 16:04:57.677 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel- > misconfig error detected on Te1/4, putting Te1/4 in err-disable state > Mar 9 16:04:57.685 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel- > misconfig error detected on Te2/3, putting Te2/3 in err-disable state > Mar 9 16:04:57.701 MET: %PM-SP-STDBY-4-ERR_DISABLE: channel- > misconfig error detected on Te2/4, putting Te2/4 in err-disable state > > Mar 9 16:04:57.641 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig > error detected on Po3, putting Te1/3 in err-disable state > Mar 9 16:04:57.653 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig > error detected on Po3, putting Te1/4 in err-disable state > Mar 9 16:04:57.665 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig > error detected on Po3, putting Te2/3 in err-disable state > Mar 9 16:04:57.673 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig > error detected on Po3, putting Te2/4 in err-disable state > Mar 9 16:04:57.685 MET: %PM-SP-4-ERR_DISABLE: channel-misconfig > error detected on Po3, putting Po3 in err-disable state From andy.saykao at staff.netspace.net.au Wed Mar 11 20:51:27 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Thu, 12 Mar 2009 11:51:27 +1100 Subject: [c-nsp] NBAR support for 7600-SIP-400 ? Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654C57@vic-cr-ex1.staff.netspace.net.au> Does anyone know if NBAR is supported on the 7600-SIP-400 (4-subslot SPA Interface Processor-400)? I've applied "ip nbar protocol-discovery" on Gig4/0/2 but do not see any matches. This is a 7606 SUP32 running 12.2(33)SRB3. interface GigabitEthernet4/0/2 bandwidth 200000 ip address 203.x.x.x 255.255.255.252 ip nbar protocol-discovery load-interval 30 negotiation auto mpls ip #sh ip nbar protocol-discovery interface g4/0/2 top-n 1 GigabitEthernet4/0/2 Input Output ----- ------ Protocol Packet Count Packet Count Byte Count Byte Count 30sec Bit Rate (bps) 30sec Bit Rate (bps) 30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps) ------------------------ ------------------------ ------------------------ bgp 0 0 0 0 0 0 0 0 unknown 0 0 0 0 0 0 0 0 Total 0 0 0 0 0 0 0 0 Googling around, I found a previous nsp post that said NBAR was only available on the 7600-SIP-200 but this post is 3 years old. "NBAR with Sup720 is only supported on FlexWAN, Enhanced FlexWAN, and the 7600-SIP-200 modules" Also read the data sheet on the 7600-SIP-400 and no mention of NBAR support on there? http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sh eet0900aecd8027c9e6.html Thanks. Andy This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From justin at justinshore.com Wed Mar 11 20:59:15 2009 From: justin at justinshore.com (Justin Shore) Date: Wed, 11 Mar 2009 19:59:15 -0500 Subject: [c-nsp] MTU nightmare Message-ID: <49B85E63.3080000@justinshore.com> My recent post about LDP and BGP flapping turns out to be caused by MTU errors. The problem just happened early one morning. No config changes were made; it just broke. RANCID confirms that no changes were made for 12hrs before and almost as many after the problem first happened. I've been working with TAC on the issue but I they seem to be stuck on the fiber media converters I'm using (I'm forced to use due to a lack of single-strand optics from Cisco that go farther than 10k). I have several dozen of these same MCs spread out across my network and almost all of them carry links with MTUs of 9000 or 9216. The link in question worked find for several weeks, nearly 2 months, before it suddenly broke last week. We've gone through more debugging than I can recall. We've looked for frames with elam on my 7600s and dove into the DFC to look at the registers on the rohini. We haven't found anything at this point. My layout is fairly simple. I have a pair of 7613s in the core with 6748s (and DFCs). One of the 6748s connects to a Versitron MC, crosses several miles of our fiber, out another MC and into a 7201 (Gi0/0, non-PCI bus interface). Interface MTUs are set to 9000 on both sides. IP and MPLS MTUs were default originally when it was working (both follow interface MTUs). CLNS MTU was 1496 to keep IS-IS from getting pissy with me. Up until tonight neither the 7201 or 7613 can ping the remote IP on the directly-connected subnet with packets larger than 1500 bytes. 1501 fails. This is without df set so it should frag it. Dropping the MTU back down to 1500 fixed pings including fragging packets but of course that hurts other MPLS things. Neither box can hit the other's loopback either. This evening I came out to this CO to disconnect from the MC and connect directly to the 7201. I'm using a 2821 so I can up the MTU on the onboard ports. I did that and ICMPs passed fine all the way up to 9000. I reconnected to the MC and I can again ping the 7613 but not constantly. If I start pinging at 9000 it works about half the time. If I use 1600 it works maybe 95% of the time. That holds true all the way down to 1501. The first packet or 2 are usually dropped for some reason. Currently IP MTU on the 7613 is set to 1500 with interface set to 9000 and MPLS MTU set to 1524. This was part of the testing left-over from several hours hours on the phone today with TAC. At this point I would say that I think the problem is the media converters BUT when I remove the IP MTU from the 7613 all ICMPs greater than 1500 fail. Clearly this MTU problem is not just the MCs but has to also be the 7613. Doesn't it? This has been a huge mind-bender for me. I can't for the life of me figure out what's going on here. The worst part is that it's not 100% consistent. Yesterday with a slightly more intelligent pair of MCs I could send 1508 but not 1509. I swapped them last night with a known good pair of completely dumb MCs (no settings, switches, etc at all). These MCs are purely FIFO compared to the ones that are 2-port switches. I have several of these dumb ones in my network. I have 8 of them back to back spanning about 120mi carrying frames of 9000 bytes without any problems. They just work. Does anyone have any ideas? WAGs would even be welcomed at this point. I don't know if the problem is the 7201 or 7613 or the 7613's code (SRB1). I'm ready to bump the case to P1 but I'm afraid the finger will still be pointed at the MCs and I can't prove it's not them. Confused, Justin From ltd at cisco.com Wed Mar 11 22:42:22 2009 From: ltd at cisco.com (Lincoln Dale) Date: Thu, 12 Mar 2009 13:42:22 +1100 Subject: [c-nsp] MTU nightmare In-Reply-To: <49B85E63.3080000@justinshore.com> References: <49B85E63.3080000@justinshore.com> Message-ID: <49B8768E.4020207@cisco.com> Justin Shore wrote: > (I'm forced to use due to a lack of single-strand optics from Cisco > that go farther than 10k) you can most certainly use CWDM SFPs to achieve what you want. you can use CWDM SFPs "back to back" without a MUX in the middle, transmit on one wavelength, receive on a different one. single strand. it "works" because of wideband receivers. cheers, lincoln. From mylists at battleop.com Wed Mar 11 23:23:43 2009 From: mylists at battleop.com (Richey) Date: Wed, 11 Mar 2009 23:23:43 -0400 Subject: [c-nsp] T3 fixed when cables are reseated.. Message-ID: <005e01c9a2c1$f2d62c80$d8828580$@com> I had this happen a year or two ago on another router on a different card. I have a 7206 with a PA-MC-T3 with about 25 T1s go down tonight. I couldn't fix it remotely so I drove to the office to see what was going on. I unplugged the TX cable and plugged it in and then the same with the RX cable. I went back checked the T3 and all of the T1s were backup. Has anyone had this happen before? I can't find any clues as to what happened. My only guess is that the far end is looped when I unplug the cables and it may reset the far end. Richey From jay at west.net Thu Mar 12 01:19:39 2009 From: jay at west.net (Jay Hennigan) Date: Wed, 11 Mar 2009 22:19:39 -0700 Subject: [c-nsp] T3 fixed when cables are reseated.. In-Reply-To: <005e01c9a2c1$f2d62c80$d8828580$@com> References: <005e01c9a2c1$f2d62c80$d8828580$@com> Message-ID: <49B89B6B.6070709@west.net> Richey wrote: > I had this happen a year or two ago on another router on a different card. > I have a 7206 with a PA-MC-T3 with about 25 T1s go down tonight. I > couldn't fix it remotely so I drove to the office to see what was going on. > I unplugged the TX cable and plugged it in and then the same with the RX > cable. I went back checked the T3 and all of the T1s were backup. Has > anyone had this happen before? I can't find any clues as to what happened. > My only guess is that the far end is looped when I unplug the cables and it > may reset the far end. If the T3 cable run is fairly short I've seen issues with Cisco PAs getting screwy because the signal level in to the PA is too high, regardless of the cable length setting (which just affects the transmitted level). Usually this just manifests itself as a constant low-level stream of errors. The fix is an attenuator inline with the receive jack on the port adapter. 10dB seems to do the trick. http://www.pasternack.com/product-75-OHM-BNC-ATTENUATOR-DC-TO-1-GHz-1-WATT-PE7009-10-71538.html Where size matters: http://tinyurl.com/csb7rt If the far end were looped, you would see the loop on "show interface" and unplug-replug wouldn't fix it. Also verify clocking is provisioned correctly, that there is exactly one clock source on the T3. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From bbc at misn.com Thu Mar 12 01:20:45 2009 From: bbc at misn.com (Bryan Campbell) Date: Thu, 12 Mar 2009 00:20:45 -0500 Subject: [c-nsp] MTU nightmare In-Reply-To: <49B85E63.3080000@justinshore.com> References: <49B85E63.3080000@justinshore.com> Message-ID: <1236835245.5856.26.camel@home-desktop> O.K. WAG-ing away . . . If you are willing to defend the MC hardware, so be it. But, the first thing you should do is look for a microbend in a fiber jumper. Replace all the jumpers with known good and clean jumpers. Second, replace all the copper cables with known good cables. Make sure that you have certification data for all the cables/jumpers. You have to be able to trust your cabling and jumpers. Second, throw a switch in that can handle the traffic from the MC to the router. Mirror out the data to a workstation running wireshark or something of the like. Capture your BGP data. Do the same on the other end of the link. You should be able to isolate the problem this way. If Cisco can't find anything wrong with the configs, it has to be a physical part. Interfaces, media converters, cables/jumpers are the first place to look. It is not very common for Cisco parts to just up and fail with no warning. If Cisco stuff fails, it usually goes down in a blaze of glory with a pile of data left behind to inspect. FWIW, every time we have had a failure of this nature it has been a media converter failure, or a microbend in a fiber jumper. bbc at misn.com On Wed, 2009-03-11 at 19:59 -0500, Justin Shore wrote: > My recent post about LDP and BGP flapping turns out to be caused by MTU > errors. The problem just happened early one morning. No config changes > were made; it just broke. RANCID confirms that no changes were made for > 12hrs before and almost as many after the problem first happened. > > I've been working with TAC on the issue but I they seem to be stuck on > the fiber media converters I'm using (I'm forced to use due to a lack of > single-strand optics from Cisco that go farther than 10k). I have > several dozen of these same MCs spread out across my network and almost > all of them carry links with MTUs of 9000 or 9216. The link in question > worked find for several weeks, nearly 2 months, before it suddenly broke > last week. We've gone through more debugging than I can recall. We've > looked for frames with elam on my 7600s and dove into the DFC to look at > the registers on the rohini. We haven't found anything at this point. > > My layout is fairly simple. I have a pair of 7613s in the core with > 6748s (and DFCs). One of the 6748s connects to a Versitron MC, crosses > several miles of our fiber, out another MC and into a 7201 (Gi0/0, > non-PCI bus interface). Interface MTUs are set to 9000 on both sides. > IP and MPLS MTUs were default originally when it was working (both > follow interface MTUs). CLNS MTU was 1496 to keep IS-IS from getting > pissy with me. > > Up until tonight neither the 7201 or 7613 can ping the remote IP on the > directly-connected subnet with packets larger than 1500 bytes. 1501 > fails. This is without df set so it should frag it. Dropping the MTU > back down to 1500 fixed pings including fragging packets but of course > that hurts other MPLS things. Neither box can hit the other's loopback > either. This evening I came out to this CO to disconnect from the MC > and connect directly to the 7201. I'm using a 2821 so I can up the MTU > on the onboard ports. I did that and ICMPs passed fine all the way up > to 9000. I reconnected to the MC and I can again ping the 7613 but not > constantly. If I start pinging at 9000 it works about half the time. > If I use 1600 it works maybe 95% of the time. That holds true all the > way down to 1501. The first packet or 2 are usually dropped for some > reason. Currently IP MTU on the 7613 is set to 1500 with interface set > to 9000 and MPLS MTU set to 1524. This was part of the testing > left-over from several hours hours on the phone today with TAC. At this > point I would say that I think the problem is the media converters BUT > when I remove the IP MTU from the 7613 all ICMPs greater than 1500 fail. > Clearly this MTU problem is not just the MCs but has to also be the > 7613. Doesn't it? > > This has been a huge mind-bender for me. I can't for the life of me > figure out what's going on here. The worst part is that it's not 100% > consistent. Yesterday with a slightly more intelligent pair of MCs I > could send 1508 but not 1509. I swapped them last night with a known > good pair of completely dumb MCs (no settings, switches, etc at all). > These MCs are purely FIFO compared to the ones that are 2-port switches. > I have several of these dumb ones in my network. I have 8 of them > back to back spanning about 120mi carrying frames of 9000 bytes without > any problems. They just work. > > Does anyone have any ideas? WAGs would even be welcomed at this point. > I don't know if the problem is the 7201 or 7613 or the 7613's code > (SRB1). I'm ready to bump the case to P1 but I'm afraid the finger will > still be pointed at the MCs and I can't prove it's not them. > > Confused, > Justin > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From skeeve at skeeve.org Thu Mar 12 02:37:37 2009 From: skeeve at skeeve.org (Skeeve Stevens) Date: Thu, 12 Mar 2009 17:37:37 +1100 Subject: [c-nsp] Supress STP on a port? In-Reply-To: <49B65E75.4010702@ninds.nih.gov> References: <49B65E75.4010702@ninds.nih.gov> Message-ID: What about if it is a trunk port... which isn't portfasted.... and you can only do that command on a portfast port yes? ...Skeeve -----Original Message----- From: Giovanni Torres [mailto:torresgi at ninds.nih.gov] Sent: Tuesday, 10 March 2009 11:35 PM To: skeeve at skeeve.org Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Supress STP on a port? Switch(config-if)# spanning-tree bpdufilter enable Skeeve Stevens wrote: > Is it possible to suppress STP on a specific port? > > .Skeeve > > -- > Skeeve Stevens, RHCE > skeeve at skeeve.org / www.skeeve.org > Cell +61 (0)414 753 383 / skype://skeeve > > eintellego - skeeve at eintellego.net - www.eintellego.net > -- > I'm a groove licked love child king of the verse > Si vis pacem, para bellum > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ltd at cisco.com Thu Mar 12 02:42:32 2009 From: ltd at cisco.com (Lincoln Dale) Date: Thu, 12 Mar 2009 17:42:32 +1100 Subject: [c-nsp] Supress STP on a port? In-Reply-To: References: <49B65E75.4010702@ninds.nih.gov> Message-ID: <49B8AED8.8070900@cisco.com> its a matter of SHOULD you. enabling eating BPDUs is never a wise thing IMHO. not sure what you're looking for exactly - are you looking to have multiple VLANs on a port, but not have that port as a 'network' port? if so, why not enable it as 'edge trunk' port? best of both worlds & keep your STP protective measures in place (loop guard et al) ? cheers, lincoln. Skeeve Stevens wrote: > What about if it is a trunk port... which isn't portfasted.... and you can > only do that command on a portfast port yes? > > ...Skeeve > > -----Original Message----- > From: Giovanni Torres [mailto:torresgi at ninds.nih.gov] > Sent: Tuesday, 10 March 2009 11:35 PM > To: skeeve at skeeve.org > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Supress STP on a port? > > Switch(config-if)# spanning-tree bpdufilter enable > > Skeeve Stevens wrote: > >> Is it possible to suppress STP on a specific port? >> >> .Skeeve >> >> -- >> Skeeve Stevens, RHCE >> skeeve at skeeve.org / www.skeeve.org >> Cell +61 (0)414 753 383 / skype://skeeve >> >> eintellego - skeeve at eintellego.net - www.eintellego.net >> -- >> I'm a groove licked love child king of the verse >> Si vis pacem, para bellum >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From brad.henshaw at qcn.com.au Thu Mar 12 02:48:22 2009 From: brad.henshaw at qcn.com.au (Brad Henshaw) Date: Thu, 12 Mar 2009 16:48:22 +1000 Subject: [c-nsp] Supress STP on a port? Message-ID: <8B25B862BC09784B9B74FB950D4F64D40F81F7@qcnapp01.corp.qcn> Skeeve Stevens wrote: >What about if it is a trunk port... which isn't portfasted.... >and you can only do that command on a portfast port yes? To the best of my knowledge 'spanning-tree bpdufilter enable' will filter all STP BPDUs on a port regardless of whether it's a trunk port or whether portfast is enabled. Regards, Brad From mksmith at adhost.com Thu Mar 12 02:57:02 2009 From: mksmith at adhost.com (Michael K. Smith - Adhost) Date: Wed, 11 Mar 2009 23:57:02 -0700 Subject: [c-nsp] Supress STP on a port? In-Reply-To: <49B8AED8.8070900@cisco.com> References: <49B65E75.4010702@ninds.nih.gov> <49B8AED8.8070900@cisco.com> Message-ID: <17838240D9A5544AAA5FF95F8D52031605B41D84@ad-exh01.adhost.lan> I echo what Lincoln said as loudly as I can without typing in all caps. If you enable filtering and you get a second path somehow or somewhere (customers can be very helpful by doing "stuff" when you're not looking), you will loop up your entire network. This will happen at 3 am 2 years from now on a Sunday when you're out of town and your front line tech is asleep in a hut somewhere. Trust me. BPDU-filter bad. Really. Mike > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Lincoln Dale > Sent: Wednesday, March 11, 2009 11:43 PM > To: skeeve at skeeve.org > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Supress STP on a port? > > its a matter of SHOULD you. enabling eating BPDUs is never a wise thing > IMHO. > > not sure what you're looking for exactly - are you looking to have > multiple VLANs on a port, but not have that port as a 'network' port? > > if so, why not enable it as 'edge trunk' port? best of both worlds & > keep your STP protective measures in place (loop guard et al) ? > > > > cheers, > > lincoln. > > Skeeve Stevens wrote: > > What about if it is a trunk port... which isn't portfasted.... and you can > > only do that command on a portfast port yes? > > > > ...Skeeve > > > > -----Original Message----- > > From: Giovanni Torres [mailto:torresgi at ninds.nih.gov] > > Sent: Tuesday, 10 March 2009 11:35 PM > > To: skeeve at skeeve.org > > Cc: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] Supress STP on a port? > > > > Switch(config-if)# spanning-tree bpdufilter enable > > > > Skeeve Stevens wrote: > > > >> Is it possible to suppress STP on a specific port? > >> > >> .Skeeve > >> > >> -- > >> Skeeve Stevens, RHCE > >> skeeve at skeeve.org / www.skeeve.org > >> Cell +61 (0)414 753 383 / skype://skeeve > >> > >> eintellego - skeeve at eintellego.net - www.eintellego.net > >> -- > >> I'm a groove licked love child king of the verse > >> Si vis pacem, para bellum > >> > >> > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > >> > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 474 bytes Desc: not available URL: From gert at greenie.muc.de Thu Mar 12 04:19:28 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 12 Mar 2009 09:19:28 +0100 Subject: [c-nsp] T3 fixed when cables are reseated.. In-Reply-To: <005e01c9a2c1$f2d62c80$d8828580$@com> References: <005e01c9a2c1$f2d62c80$d8828580$@com> Message-ID: <20090312081928.GP290@greenie.muc.de> Hi, On Wed, Mar 11, 2009 at 11:23:43PM -0400, Richey wrote: > I unplugged the TX cable and plugged it in and then the same with the RX > cable. I went back checked the T3 and all of the T1s were backup. Has We've seen this on E3s and T3s every now and then. No idea why, though. My theory is that "a good old loss-of-signal" will reset all framers etc involved, and enable re-synchronization. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From Marcus.Gerdon at versatel.de Thu Mar 12 05:23:19 2009 From: Marcus.Gerdon at versatel.de (Marcus.Gerdon) Date: Thu, 12 Mar 2009 10:23:19 +0100 Subject: [c-nsp] Sup720 crashing at RP boot - HW revision dependent ? Message-ID: <227142482560EF458FF1F7E784E26AB84AD1EB@FLBVEXCH01.versatel.local> Hello, I got another pair of Sup720, Rev 5.2 and 5.7 and we've done a bunch of additional tests yesterday and there're some new results on this. As before the 5.2 crashes in the 6509, but the 5.7 boots fine. This 5.2 gave me 'EOBC Jam's in addtion. So at least there seems to be no >=5.2 or somewhat general issue. Our supplier did some additional tests based on the revisions and came out with Sup720 Rev 5.2 booting fine in a 6509 Rev 2.0. Although now all 3 Rev 5.2 engines aren't booting in my 6509 whilst 4.4 and 5.7 are working fine I begin to think whether my chassis might simply be defect. It's been productive for years and up to now everything worked smoothly as expected except those 3 Sup720's. But the only other cause in case the chassis is ok I can think of would mean a revision-based issue Sup 5.2/chassis 2.0 only occuring randomly (3 out of 3 is still random?) or with a subset of Sup's manufactured in Rev 5.2. This sounds too unlikely to me. It can't be this one http://www.cisco.com/en/US/ts/fn/620/fn62606.html, but the note especially on Rev 5.2 makes me somewhat suspicious. regards, Marcus > -----Urspr?ngliche Nachricht----- > Von: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] Im Auftrag von > Marcus.Gerdon > Gesendet: Mittwoch, 11. M?rz 2009 11:46 > An: cisco-nsp at puck.nether.net > Betreff: [c-nsp] Sup720 crashing at RP boot - HW revision dependent ? > > Hi @all, > > yesterday I've been hit by a somewhat strange - and possibly > worrying - > effect with Sup720 in 6500. > > I've got 3 Sup720-3BXL, one with an older HW revision (Sup: 4.4 / PFC: > 1.6 / MSFC: 2.5) and 2 with newer (Sup: 5.2 / PFC: 1.8 / > MSFC: 2.5). All > three have been tested in a 6509 successfully by the > supplier. According > the test sheets they've used a Rev. 3.0 chassis. > > For offline testing and preparation I've an 6509 and 6506 > spare chassis > at hands, both of them being Rev. 2.0. > > When trying to boot those Sup in my 6509 the older one boots fine and > everything is ok. The newer ones both start to boot and after > switching > to boot the RP it stalls (download doesn't even start, hangs after > memory is displayed). After a minute or two a 'software forced crash' > occurs and I'm thrown do SP rommon. > > Up to this point no updates, config changes or anything other than > plugging them in the chassis and turning the power on has been done. > > It doesn't matter if they're put in slot 5 or 6, if the working one is > already active in slot 5 or if I'm manually booting from > rommon instead > of autoboot. Also the IOS used doesn't change anything (18SXF, 18SXI, > 17SXd) > > Interestingly in the Rev. 2.0 6506 all three are booting > fine. I've done > both rom updates in the 6506 and tried again in the 6509 - without any > change. > > To me this looks like there's some dependancy between HW revisions of > the Sup or PFC (MSFC rev. is the same on all threee) and the 6509 > chassis (6506 wasn't effected). > > I've searched cisco.com for quite some time but without any > hint to this > issue. The only thing I found was that there're a few 6509-NEB eeprom > updates to be applied to the chassis itself. So in fact there is some > active rom part with the chassis that supposedly will differ between > revisions. > > > Does someone stumbled upon this, had similar issues or maybe even know > or did see any document (comp. matrix, workaround or alike) > about this ? > > > > regards, > > Marcus > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From pl+list at pmacct.net Thu Mar 12 05:38:43 2009 From: pl+list at pmacct.net (Paolo Lucente) Date: Thu, 12 Mar 2009 09:38:43 +0000 Subject: [c-nsp] NBAR support for 7600-SIP-400 ? In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654C57@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE03654C57@vic-cr-ex1.staff.netspace.net.au> Message-ID: <20090312093842.GA18487@london.pmacct.net> Hi Andy, Generally you would need a SUP32-PISA supervisor in order to get NBAR on a 6500 platform. Don't know about the SIP-400, but i see too there is no mention around about it supporting the feature. http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8027c9e6.html Cheers, Paolo On Thu, Mar 12, 2009 at 11:51:27AM +1100, Andy Saykao wrote: > Does anyone know if NBAR is supported on the 7600-SIP-400 (4-subslot SPA > Interface Processor-400)? I've applied "ip nbar protocol-discovery" on > Gig4/0/2 but do not see any matches. This is a 7606 SUP32 running > 12.2(33)SRB3. > > interface GigabitEthernet4/0/2 > bandwidth 200000 > ip address 203.x.x.x 255.255.255.252 > ip nbar protocol-discovery > load-interval 30 > negotiation auto > mpls ip > > #sh ip nbar protocol-discovery interface g4/0/2 top-n 1 > > GigabitEthernet4/0/2 > Input Output > ----- ------ > Protocol Packet Count Packet Count > Byte Count Byte Count > 30sec Bit Rate (bps) 30sec Bit Rate > (bps) > 30sec Max Bit Rate (bps) 30sec Max Bit Rate > (bps) > ------------------------ ------------------------ > ------------------------ > bgp 0 0 > 0 0 > 0 0 > 0 0 > unknown 0 0 > 0 0 > 0 0 > 0 0 > Total 0 0 > 0 0 > 0 0 > 0 0 > > > Googling around, I found a previous nsp post that said NBAR was only > available on the 7600-SIP-200 but this post is 3 years old. > > "NBAR with Sup720 is only supported on FlexWAN, Enhanced FlexWAN, and > the 7600-SIP-200 modules" > > Also read the data sheet on the 7600-SIP-400 and no mention of NBAR > support on there? > > http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sh > eet0900aecd8027c9e6.html > > Thanks. > > Andy From rodunn at cisco.com Thu Mar 12 10:14:55 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 12 Mar 2009 10:14:55 -0400 Subject: [c-nsp] NBAR support for 7600-SIP-400 ? In-Reply-To: <20090312093842.GA18487@london.pmacct.net> References: <56F211C5E3F24F47B103EA1B253822BE03654C57@vic-cr-ex1.staff.netspace.net.au> <20090312093842.GA18487@london.pmacct.net> Message-ID: <20090312141455.GE15487@rtp-cse-489.cisco.com> I don't think it is on any other card other than SIP200, Flexwan and then sup32 PISA. . The Flexwan and SIP-200 had some limited support since they were software forwarding based on some of the VIP code that had NBAR support. The PISA was the other option for NBAR as you mentioned. Rodney On Thu, Mar 12, 2009 at 09:38:43AM +0000, Paolo Lucente wrote: > Hi Andy, > > Generally you would need a SUP32-PISA supervisor in order to get NBAR > on a 6500 platform. Don't know about the SIP-400, but i see too there > is no mention around about it supporting the feature. > > http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8027c9e6.html > > Cheers, > Paolo > > > On Thu, Mar 12, 2009 at 11:51:27AM +1100, Andy Saykao wrote: > > Does anyone know if NBAR is supported on the 7600-SIP-400 (4-subslot SPA > > Interface Processor-400)? I've applied "ip nbar protocol-discovery" on > > Gig4/0/2 but do not see any matches. This is a 7606 SUP32 running > > 12.2(33)SRB3. > > > > interface GigabitEthernet4/0/2 > > bandwidth 200000 > > ip address 203.x.x.x 255.255.255.252 > > ip nbar protocol-discovery > > load-interval 30 > > negotiation auto > > mpls ip > > > > #sh ip nbar protocol-discovery interface g4/0/2 top-n 1 > > > > GigabitEthernet4/0/2 > > Input Output > > ----- ------ > > Protocol Packet Count Packet Count > > Byte Count Byte Count > > 30sec Bit Rate (bps) 30sec Bit Rate > > (bps) > > 30sec Max Bit Rate (bps) 30sec Max Bit Rate > > (bps) > > ------------------------ ------------------------ > > ------------------------ > > bgp 0 0 > > 0 0 > > 0 0 > > 0 0 > > unknown 0 0 > > 0 0 > > 0 0 > > 0 0 > > Total 0 0 > > 0 0 > > 0 0 > > 0 0 > > > > > > Googling around, I found a previous nsp post that said NBAR was only > > available on the 7600-SIP-200 but this post is 3 years old. > > > > "NBAR with Sup720 is only supported on FlexWAN, Enhanced FlexWAN, and > > the 7600-SIP-200 modules" > > > > Also read the data sheet on the 7600-SIP-400 and no mention of NBAR > > support on there? > > > > http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sh > > eet0900aecd8027c9e6.html > > > > Thanks. > > > > Andy > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From billw at waveform.net Thu Mar 12 11:38:52 2009 From: billw at waveform.net (billw at waveform.net) Date: Thu, 12 Mar 2009 11:38:52 -0400 (EDT) Subject: [c-nsp] T3 fixed when cables are reseated.. In-Reply-To: <005e01c9a2c1$f2d62c80$d8828580$@com> References: <005e01c9a2c1$f2d62c80$d8828580$@com> Message-ID: <10eafa5eb339095b72fa03def0f1fb2d.squirrel@webmail.waveform.net> I've seen this a few times in the past with loose connectors. The cause has generally been either a loose connection on the center pin (usually in the connector on the card, but sometimes the crimp on the center pin of the connector isn't tight enough onto the center conductor of the cable). Occasionally it's a loose ferrule on the connector but that's rare. I have seen connectors that have a strand or two of the shield that make intermittent contact to the center pin to cause a short. Many of these loose connector problems magically disappear when the connector is either unplugged/replugged or is just "wiggled a little". The problem is that over time the loose connector will fail again so the real solution has been to either replace the problem cable or cut off the bad connector and put on a new one. -Bill > I had this happen a year or two ago on another router on a different card. > I have a 7206 with a PA-MC-T3 with about 25 T1s go down tonight. I > couldn't fix it remotely so I drove to the office to see what was going > on. > I unplugged the TX cable and plugged it in and then the same with the RX > cable. I went back checked the T3 and all of the T1s were backup. Has > anyone had this happen before? I can't find any clues as to what > happened. > My only guess is that the far end is looped when I unplug the cables and > it > may reset the far end. > > > > Richey From clinton at scripty.com Thu Mar 12 12:07:16 2009 From: clinton at scripty.com (Clinton Work) Date: Thu, 12 Mar 2009 10:07:16 -0600 Subject: [c-nsp] VRF aware syslog - feature enhancement CSCsu22476 Message-ID: <49B93334.9060100@scripty.com> I created a feature enhancement for VRF-aware syslog support in IOS 12.4T so you can actually set the source interface. If you interested in the feature, please go ahead and let your account team know or open a case against the enhancement ID. The feature probably won't be implemented until 12.5T or later. Support for managing a CE router via a separate management VRF is almost complete. CSCsu22476 - Set source interface for VRF-aware syslog messages Clinton. From ATolstykh at integrysgroup.com Thu Mar 12 11:37:07 2009 From: ATolstykh at integrysgroup.com (Tolstykh, Andrew) Date: Thu, 12 Mar 2009 10:37:07 -0500 Subject: [c-nsp] NBAR support for 7600-SIP-400 ? In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654C57@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE03654C57@vic-cr-ex1.staff.netspace.net.au> Message-ID: Do you have "ip flow ingress/egress" or "ip route-cache flow" enabled on this interface? Also is this a P/PE MPLS router? SUP-32 supports NetFlow just fine. Thanks, Andrew -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao Sent: Wednesday, March 11, 2009 7:51 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] NBAR support for 7600-SIP-400 ? Does anyone know if NBAR is supported on the 7600-SIP-400 (4-subslot SPA Interface Processor-400)? I've applied "ip nbar protocol-discovery" on Gig4/0/2 but do not see any matches. This is a 7606 SUP32 running 12.2(33)SRB3. interface GigabitEthernet4/0/2 bandwidth 200000 ip address 203.x.x.x 255.255.255.252 ip nbar protocol-discovery load-interval 30 negotiation auto mpls ip #sh ip nbar protocol-discovery interface g4/0/2 top-n 1 GigabitEthernet4/0/2 Input Output ----- ------ Protocol Packet Count Packet Count Byte Count Byte Count 30sec Bit Rate (bps) 30sec Bit Rate (bps) 30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps) ------------------------ ------------------------ ------------------------ bgp 0 0 0 0 0 0 0 0 unknown 0 0 0 0 0 0 0 0 Total 0 0 0 0 0 0 0 0 Googling around, I found a previous nsp post that said NBAR was only available on the 7600-SIP-200 but this post is 3 years old. "NBAR with Sup720 is only supported on FlexWAN, Enhanced FlexWAN, and the 7600-SIP-200 modules" Also read the data sheet on the 7600-SIP-400 and no mention of NBAR support on there? http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sh eet0900aecd8027c9e6.html Thanks. Andy This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ASikkema at office.unet.nl Thu Mar 12 12:20:47 2009 From: ASikkema at office.unet.nl (Andreas Sikkema) Date: Thu, 12 Mar 2009 17:20:47 +0100 Subject: [c-nsp] Sending connected number from AS5350 Message-ID: Hi, I've got a Cisco AS5350XM connected to a couple of ISDN30s from one of the local telcos. The 5350 converts ISDN to SIP and vice versa. Some of our customers on the SIP side have complained that every now and then when they are called from the PSTN side the calling party sees the "main number" of our ISDN lines appear instead of the called number when the call has been answered. The telco apparently has the policy that they will send out the line number when we don't provide the connected number or overwrite it when we send an "illegal" number. The only thing the telco so far has offered us is to set presentation to not allowed for all outgoing connected numbers which will solve the presentation of the line number but might give some calling parties the wrong impression. The problem is that I haven't been able to find a way make our 5350 send a "connected number" IE on the ISDN side. (isdn outgoing ie connected-number hasn't yet solved the problem as far as I can see). Is there a way to force the 5350 to send a connected number IE for instance when receiving an UPDATE message or on receipt of a 200 OK message? The only logging a debug isdn q931 will give on a CONNECT message being sent is this: Mar 12 16:28:10.935: ISDN Se3/5:15 Q931: TX -> CONNECT pd = 8 callref = 0xF001 Or am I way off track and should be looking at something else? -- Andreas Sikkema From techconfig at yahoo.com Thu Mar 12 13:06:36 2009 From: techconfig at yahoo.com (Mark Tech) Date: Thu, 12 Mar 2009 10:06:36 -0700 (PDT) Subject: [c-nsp] 95th percentile billing software Message-ID: <677003.85629.qm@web44807.mail.sp1.yahoo.com> Hi I am the lookout for 95th billing software and I'm not sure where to start.?I am open to either commercial or open souce software; just wondering what other people are using/have thoughts on? Currently we use Cisco 7600s and GSRs for our ISP platform Your input is appreciated Regards Mark From chris at nmedia.net Thu Mar 12 13:45:08 2009 From: chris at nmedia.net (Chris Cappuccio) Date: Thu, 12 Mar 2009 10:45:08 -0700 Subject: [c-nsp] 95th percentile billing software In-Reply-To: <677003.85629.qm@web44807.mail.sp1.yahoo.com> References: <677003.85629.qm@web44807.mail.sp1.yahoo.com> Message-ID: <20090312174508.GN10872@ref.nmedia.net> RTG http://rtg.sourceforge.net/ is popular because it stores real 95th data, without averaging it, into a database for accurate billing. Unfortunately the software itself is poorly written so if it doesn't work properly on your platform or your number of targets, then it sucks. The latest release is from 2003 but the mailing list is active. The CVS code is newer. People in the mailing list seem to have work arounds for the poller bugs, by using other pollers. http://lists.grdata.com/pipermail/rtg/ RTG-Report http://search.cpan.org/~msimerson/RTG-Report-1.16/ can be used to pull RTG data out of your RTG database into Perl scripts. JRTG http://jrtg.sourceforge.net/ is less popular, but maintained. Oddly, it is migrating to JRRD, which is exactly what RTG was trying to avoid (a database that would average data into larger timeslots as it ages.) CACTI http://www.cacti.net/ has a 95th percentile mode for its graphs, but is considered less accurate as it averages samples together (because it uses RRD) thus lowering the overall 95th percentile rating for customers with less constant usage. The monthly graph uses a 30 minute average, and the yearly graph uses a 1 day average. Many customers will have a significantly lower 1 day average, due to low night time usage, for instance... Plenty of other network monitoring tools have a 95th percentile mode too, but most of them use an averaging data store, which doesn't provide you with any sort of long term way to maintain the data! The data you use to bill one month gets averaged into larger chunks the next month with RRD stores. Mark Tech [techconfig at yahoo.com] wrote: > > Hi > I am the lookout for 95th billing software and I'm not sure where to start.?I am open to either commercial or open souce software; just wondering what other people are using/have thoughts on? > > Currently we use Cisco 7600s and GSRs for our ISP platform > > Your input is appreciated > > Regards > > Mark > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Only failure makes us experts From cmadams at hiwaay.net Thu Mar 12 13:59:54 2009 From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 12 Mar 2009 12:59:54 -0500 Subject: [c-nsp] 95th percentile billing software In-Reply-To: <20090312174508.GN10872@ref.nmedia.net> References: <677003.85629.qm@web44807.mail.sp1.yahoo.com> <20090312174508.GN10872@ref.nmedia.net> Message-ID: <20090312175954.GD536710@hiwaay.net> Once upon a time, Chris Cappuccio said: > CACTI http://www.cacti.net/ has a 95th percentile mode for its graphs, but is considered less accurate as it averages samples together (because it uses RRD) thus lowering the overall 95th percentile rating for customers with less constant usage. The monthly graph uses a 30 minute average, and the yearly graph uses a 1 day average. Many customers will have a significantly lower 1 day average, due to low night time usage, for instance... That's not a function of RRD, that's a function of how RRD is configured. For example, Cricket uses default RRDs that only keep 5 minute snapshots for a couple of days, but it is easy to configure it to keep them longer (which of course makes them larger). This can be done on a per-targetType basis (so you could build a 95th percentile target type and set it to keep 5 minute data for 30 or 60 days). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From dwcarder at wisc.edu Thu Mar 12 14:23:14 2009 From: dwcarder at wisc.edu (Dale W. Carder) Date: Thu, 12 Mar 2009 13:23:14 -0500 Subject: [c-nsp] 95th percentile billing software In-Reply-To: <20090312175954.GD536710@hiwaay.net> References: <677003.85629.qm@web44807.mail.sp1.yahoo.com> <20090312174508.GN10872@ref.nmedia.net> <20090312175954.GD536710@hiwaay.net> Message-ID: <0FA7CF79-9E52-49EB-B340-E2FBDC64B018@wisc.edu> On Mar 12, 2009, at 12:59 PM, Chris Adams wrote: > That's not a function of RRD, that's a function of how RRD is > configured. For example, Cricket uses default RRDs that only keep 5 > minute snapshots for a couple of days, but it is easy to configure > it to > keep them longer (which of course makes them larger). This can be > done > on a per-targetType basis (so you could build a 95th percentile target > type and set it to keep 5 minute data for 30 or 60 days). MRTG can too. Here's a cfg example for keeping approx a year's worth of data: RRDRowCount[$target]: 105408 Cheers, Dale From chris at nmedia.net Thu Mar 12 15:44:52 2009 From: chris at nmedia.net (Chris Cappuccio) Date: Thu, 12 Mar 2009 12:44:52 -0700 Subject: [c-nsp] 95th percentile billing software In-Reply-To: <20090312175954.GD536710@hiwaay.net> References: <677003.85629.qm@web44807.mail.sp1.yahoo.com> <20090312174508.GN10872@ref.nmedia.net> <20090312175954.GD536710@hiwaay.net> Message-ID: <20090312194452.GR10872@ref.nmedia.net> Chris Adams [cmadams at hiwaay.net] wrote: > That's not a function of RRD, that's a function of how RRD is > configured. For example, Cricket uses default RRDs that only keep 5 > minute snapshots for a couple of days, but it is easy to configure it to > keep them longer (which of course makes them larger). This can be done > on a per-targetType basis (so you could build a 95th percentile target > type and set it to keep 5 minute data for 30 or 60 days). > Yes, but what's the point of using an RRD based grapher if you aren't going to take advantage of RRD? You have to work around RRD just to keep the data in a form that you can use for legal purposes. This was the primary design consideration of RTG, anyways. From cmadams at hiwaay.net Thu Mar 12 15:49:20 2009 From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 12 Mar 2009 14:49:20 -0500 Subject: [c-nsp] 95th percentile billing software In-Reply-To: <20090312194452.GR10872@ref.nmedia.net> References: <677003.85629.qm@web44807.mail.sp1.yahoo.com> <20090312174508.GN10872@ref.nmedia.net> <20090312175954.GD536710@hiwaay.net> <20090312194452.GR10872@ref.nmedia.net> Message-ID: <20090312194919.GA1143421@hiwaay.net> Once upon a time, Chris Cappuccio said: > Yes, but what's the point of using an RRD based grapher if you aren't going to take advantage of RRD? You have to work around RRD just to keep the data in a form that you can use for legal purposes. This was the primary design consideration of RTG, anyways. It isn't a "work-around", it is just a configuration option. When you create an RRD file, you tell rrdtool how many of each data point to keep. If you tell it to keep 576 5 minute interval data points, you get 2 days. If you tell it 17280, you get 60 days. You still get all the advantages of RRD (round-robin databases, quick-and-easy graphs, etc.). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From peter at rathlev.dk Thu Mar 12 16:22:28 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 12 Mar 2009 21:22:28 +0100 Subject: [c-nsp] FWSM HA secondary reload & long downtime In-Reply-To: References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> Message-ID: <1236889348.4133.15.camel@localhost.localdomain> On Wed, 2009-03-11 at 19:14 +0100, Andrew Yourtchenko wrote: > On Wed, 11 Mar 2009, Peter Rathlev wrote: > > This of course points to something else being the problem, not the > > FWSM. > > *bling* too strong of an assumption :). Ironically that was a very precise observation. ;-) I've looked much more thoroughly at the logs now, and finally I discovered what would've taken only few moments to see had I just opened my eyes. It turns out that more than one context had problems. I think I was tired when I looked at the configuration differences. Specifically all contexts with no "monitor-interface"-configuration were affected. Every context with at least one "monitor-interface" had no problems. I seem to remember that we stopped using "monitor-interface" in the individual contexts a year or so back, thinking that when failover is always system wide anyway, and since all the relevant VLANs share the same underlying (redundant) path, we could just as well only monitor one interface in the admin context. By chance a couple of other contexts had some monitors that weren't removed back then. It is of course a joy to have figured this out, but I can't seem to find anything much on what "monitor-interface" in a multiple context setup actually does or doesn't do. Should every context have one monitor-interface? Should all interfaces be monitored or just one per context? Regards, Peter From cphillips at wbsconnect.com Thu Mar 12 17:28:35 2009 From: cphillips at wbsconnect.com (Chris Phillips) Date: Thu, 12 Mar 2009 14:28:35 -0700 Subject: [c-nsp] Interworking on 6500s Message-ID: <49B97E83.2010708@wbsconnect.com> Looking at interworking on 6500s with SUP720-3BXLs running SXI on non-PA, non-OSM and non-SIP/SPA cards. The command takes going Ethernet to Ethernet. connect TEST1 FastEthernet 9/25 FastEthernet 9/26 sh connect ID Name Segment 1 Segment 2 State ================================================================================ 6 TEST1 Fa9/25 Fa9/26 ADMIN UP or... connect TEST2 FastEthernet 9/26 GigabitEthernet 7/16.4080 interworking ethernet sh connect ID Name Segment 1 Segment 2 State ================================================================================ 5 TEST2 Fa9/26 Gi7/16.4080 ADMIN UP However, traffic does not seem to want to pass. Looked over a few documents online. They seem to suggest that interworking is only supported on SIP/SPA, OSM and PA cards. ####### Cisco 7600 and 6500 Series Router Restrictions ?Layer 2 Local Switching supports the following port adapters and interface processors on the Cisco 7600-SUP720/MSFC3 router: ?All port adapters on the Enhanced FlexWAN module ?All SPAs on the SIP-200 line cards ?On the Cisco 6500 series and 7600 series routers, only like-to-like local switching is supported (ATM to ATM and Frame Relay to Frame Relay). ?Same-port switching is not supported on the Cisco 6500 series and 7600 series routers. ####### Has anyone have any experience to the contrary? -- Chris Phillips From andy.saykao at staff.netspace.net.au Thu Mar 12 17:33:25 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Fri, 13 Mar 2009 08:33:25 +1100 Subject: [c-nsp] NBAR support for 7600-SIP-400 ? Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654C5C@vic-cr-ex1.staff.netspace.net.au> Hi Andrew, I tried applying "ip flow ingress" on the interface but still no go. This is a P MPLS router in our network. interface GigabitEthernet4/0/2 bandwidth 200000 ip address 203.x.x.x 255.255.255.252 ip nbar protocol-discovery ip flow ingress load-interval 30 negotiation auto mpls ip On other platforms I tested (eg: 7301), even without the "ip flow ingress", NBAR was still functioning fine. Thanks for your reply. Cheers. Andy -----Original Message----- From: Tolstykh, Andrew [mailto:ATolstykh at integrysgroup.com] Sent: Friday, 13 March 2009 2:37 AM To: Andy Saykao; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] NBAR support for 7600-SIP-400 ? Do you have "ip flow ingress/egress" or "ip route-cache flow" enabled on this interface? Also is this a P/PE MPLS router? SUP-32 supports NetFlow just fine. Thanks, Andrew This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From vijay.ramcharan at verizonbusiness.com Thu Mar 12 17:25:25 2009 From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A) Date: Thu, 12 Mar 2009 21:25:25 +0000 Subject: [c-nsp] FWSM HA secondary reload & long downtime In-Reply-To: <1236889348.4133.15.camel@localhost.localdomain> Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB33BEED1@ASHEVS006.mcilink.com> Not that I'm helping any... We've always enabled monitoring on every interface whether the FWSM was running single or multi mode and I've always taken it for granted that it was configured that way. The FWSM 3.2 config guide says "In multiple context mode, you must configure interface monitoring from within each context." Also that if an interface is shared between contexts you can monitor that interface in just one context. That doesn't say a whole lot obviously as you already know. Normally if you configure interface monitoring the unit runs a series of tests (link, activity, arp, broadcast) to determine whether an interface has failed and what should be done according to the failover policy. If all interfaces within a context are not monitored then I wonder, what is the behavior of a unit booting up? Does that newly booted up context with no monitored interface go active for some time and mess with traffic coming/going to/from it for some period of time? Obviously the "correct" behavior would be to "see" the peer as active and go into standby. I know that for active/standby all contexts on a unit are either active or standby but obviously something else is going on. What does "show monitor" on a context with no monitored interfaces look like? Vijay Ramcharan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev Sent: March 12, 2009 16:22 To: ayourtch at cisco.com Cc: cisco-nsp Subject: Re: [c-nsp] FWSM HA secondary reload & long downtime On Wed, 2009-03-11 at 19:14 +0100, Andrew Yourtchenko wrote: > On Wed, 11 Mar 2009, Peter Rathlev wrote: > > This of course points to something else being the problem, not the > > FWSM. > > *bling* too strong of an assumption :). Ironically that was a very precise observation. ;-) I've looked much more thoroughly at the logs now, and finally I discovered what would've taken only few moments to see had I just opened my eyes. It turns out that more than one context had problems. I think I was tired when I looked at the configuration differences. Specifically all contexts with no "monitor-interface"-configuration were affected. Every context with at least one "monitor-interface" had no problems. I seem to remember that we stopped using "monitor-interface" in the individual contexts a year or so back, thinking that when failover is always system wide anyway, and since all the relevant VLANs share the same underlying (redundant) path, we could just as well only monitor one interface in the admin context. By chance a couple of other contexts had some monitors that weren't removed back then. It is of course a joy to have figured this out, but I can't seem to find anything much on what "monitor-interface" in a multiple context setup actually does or doesn't do. Should every context have one monitor-interface? Should all interfaces be monitored or just one per context? Regards, Peter _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ______________________________________________________________________ This e-mail has been scanned by Verizon Managed Email Content Service, using Skeptic(tm) technology powered by MessageLabs. For more information on Verizon Managed Email Content Service, visit http://www.verizonbusiness.com. ______________________________________________________________________ From jeff-kell at utc.edu Thu Mar 12 22:20:38 2009 From: jeff-kell at utc.edu (Jeff Kell) Date: Thu, 12 Mar 2009 22:20:38 -0400 Subject: [c-nsp] PBR/VRF sanity check... Message-ID: <49B9C2F6.9000903@utc.edu> Aren't PBR and VRF mutually exclusive on all Catalysts, or are they possible concurrently on a 4500 or 6500? Jeff From td_miles at yahoo.com Thu Mar 12 22:45:55 2009 From: td_miles at yahoo.com (Tony) Date: Thu, 12 Mar 2009 19:45:55 -0700 (PDT) Subject: [c-nsp] PBR/VRF sanity check... Message-ID: <186062.14699.qm@web110109.mail.gq1.yahoo.com> Hi Jeff, I've tested both PBR & VRF on a 3550 with extended match routing SDM. It works, but adding VRF's when using PBR forced it to use software/CPU instead of hardware/ASIC forwarding. This caused max PBR + VRF throughput to be just over 30Mbps with 100% CPU. Don't know about the higher end platforms you've mentioned. regards, Tony. --- On Fri, 13/3/09, Jeff Kell wrote: > From: Jeff Kell > Subject: [c-nsp] PBR/VRF sanity check... > To: "'NSP List'" > Date: Friday, 13 March, 2009, 1:20 PM > > Aren't PBR and VRF mutually exclusive > on all Catalysts, or are they possible concurrently on a > 4500 or 6500? > > Jeff > From ltd at cisco.com Fri Mar 13 01:42:26 2009 From: ltd at cisco.com (Lincoln Dale) Date: Fri, 13 Mar 2009 16:42:26 +1100 Subject: [c-nsp] PBR/VRF sanity check... In-Reply-To: <49B9C2F6.9000903@utc.edu> References: <49B9C2F6.9000903@utc.edu> Message-ID: <49B9F242.3090305@cisco.com> Jeff Kell wrote: > Aren't PBR and VRF mutually exclusive on all Catalysts, or are they > possible concurrently on a 4500 or 6500? Catalyst 6500: see http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_mltvrf_slct_pbr.html Nexus 7000: you can certainly do 'set vrf' on PBR with it remaining in hardware switching path. cheers, lincoln. From david.freedman at uk.clara.net Fri Mar 13 05:04:17 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Fri, 13 Mar 2009 09:04:17 +0000 Subject: [c-nsp] Interworking on 6500s In-Reply-To: <49B97E83.2010708@wbsconnect.com> References: <49B97E83.2010708@wbsconnect.com> Message-ID: <49BA2191.8060801@uk.clara.net> I believe that layer 2 local switching is not supported on LAN cards such as yours on your platform, Can I just ask why you would want to do such a thing ? Connecting two ports can be achieved by bridging them together (vlan), you can preserve 802.1q tags with dot1qtunnelling and allow many BPDUs to pass transparently without the device intervening using l2protocoltunnel (l2pt) If you wish to interwork from tagged to untagged, you could use use the "native" vlan on a bridged pair (as above) to achieve this. Dave. Chris Phillips wrote: > Looking at interworking on 6500s with SUP720-3BXLs running SXI on > non-PA, non-OSM and non-SIP/SPA cards. The command takes going Ethernet > to Ethernet. > > connect TEST1 FastEthernet 9/25 FastEthernet 9/26 > > sh connect > > ID Name Segment 1 Segment 2 State > ================================================================================ > > 6 TEST1 Fa9/25 Fa9/26 ADMIN UP > > or... > > connect TEST2 FastEthernet 9/26 GigabitEthernet 7/16.4080 interworking > ethernet > > sh connect > > ID Name Segment 1 Segment 2 State > ================================================================================ > > 5 TEST2 Fa9/26 Gi7/16.4080 ADMIN UP > > However, traffic does not seem to want to pass. > > Looked over a few documents online. They seem to suggest that > interworking is only supported on SIP/SPA, OSM and PA cards. > > ####### > Cisco 7600 and 6500 Series Router Restrictions > > ?Layer 2 Local Switching supports the following port adapters and > interface processors on the Cisco 7600-SUP720/MSFC3 router: > > ?All port adapters on the Enhanced FlexWAN module > > ?All SPAs on the SIP-200 line cards > > ?On the Cisco 6500 series and 7600 series routers, only like-to-like > local switching is supported (ATM to ATM and Frame Relay to Frame Relay). > > ?Same-port switching is not supported on the Cisco 6500 series and 7600 > series routers. > ####### > > Has anyone have any experience to the contrary? > From david.freedman at uk.clara.net Fri Mar 13 05:04:17 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Fri, 13 Mar 2009 09:04:17 +0000 Subject: [c-nsp] Interworking on 6500s In-Reply-To: <49B97E83.2010708@wbsconnect.com> References: <49B97E83.2010708@wbsconnect.com> Message-ID: <49BA2191.8060801@uk.clara.net> I believe that layer 2 local switching is not supported on LAN cards such as yours on your platform, Can I just ask why you would want to do such a thing ? Connecting two ports can be achieved by bridging them together (vlan), you can preserve 802.1q tags with dot1qtunnelling and allow many BPDUs to pass transparently without the device intervening using l2protocoltunnel (l2pt) If you wish to interwork from tagged to untagged, you could use use the "native" vlan on a bridged pair (as above) to achieve this. Dave. Chris Phillips wrote: > Looking at interworking on 6500s with SUP720-3BXLs running SXI on > non-PA, non-OSM and non-SIP/SPA cards. The command takes going Ethernet > to Ethernet. > > connect TEST1 FastEthernet 9/25 FastEthernet 9/26 > > sh connect > > ID Name Segment 1 Segment 2 State > ================================================================================ > > 6 TEST1 Fa9/25 Fa9/26 ADMIN UP > > or... > > connect TEST2 FastEthernet 9/26 GigabitEthernet 7/16.4080 interworking > ethernet > > sh connect > > ID Name Segment 1 Segment 2 State > ================================================================================ > > 5 TEST2 Fa9/26 Gi7/16.4080 ADMIN UP > > However, traffic does not seem to want to pass. > > Looked over a few documents online. They seem to suggest that > interworking is only supported on SIP/SPA, OSM and PA cards. > > ####### > Cisco 7600 and 6500 Series Router Restrictions > > ?Layer 2 Local Switching supports the following port adapters and > interface processors on the Cisco 7600-SUP720/MSFC3 router: > > ?All port adapters on the Enhanced FlexWAN module > > ?All SPAs on the SIP-200 line cards > > ?On the Cisco 6500 series and 7600 series routers, only like-to-like > local switching is supported (ATM to ATM and Frame Relay to Frame Relay). > > ?Same-port switching is not supported on the Cisco 6500 series and 7600 > series routers. > ####### > > Has anyone have any experience to the contrary? > From Steven.Glogger at swisscom.com Fri Mar 13 05:31:00 2009 From: Steven.Glogger at swisscom.com (Steven.Glogger at swisscom.com) Date: Fri, 13 Mar 2009 10:31:00 +0100 Subject: [c-nsp] OSPF Default Route In-Reply-To: References: Message-ID: <1FC8A0BAFBBD9749BB1F06010D23C8A55F20EA7F@sg000035.corproot.net> hi manaf one quick "hack" would be: run 2 different ospf processes and do redistribute between them. unfortunately you're then seeing all the routes as ospf external.. -steven -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Manaf Al Oqlah Sent: Tuesday, March 10, 2009 8:42 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] OSPF Default Route Hi, Is there any way to advertise default route in OSPF with a specific metric to an interface and another metric to another interface. For example, I want to advertise default route (default-information originate) for neighbor connected to gigabit 1/0 with metric 10 and for neighbor connected to gigabit 1/1 with metric 20. Thank you _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From drew.weaver at thenap.com Fri Mar 13 08:34:58 2009 From: drew.weaver at thenap.com (Drew Weaver) Date: Fri, 13 Mar 2009 05:34:58 -0700 Subject: [c-nsp] Quick question regarding trunking and routing. Message-ID: We have a 3550 which connects to two 6500s. The 3550 has some L3 vlans on it, but we also need to trunk a few of the ports up to the 6500s. I've been banging my head because I cannot figure out how to make the two uplink ports on the 3550 both trunk and route. What I mean is, currently the ports have ip addresses assigned directly to them (/30s). I have to remove the IP to enable trunking, but then the L3 VLANs that originate directly on the 3550 no longer function. I'm thinking there has to be some way to use uplink ports for both trunking and routing but I just can't seem to figure it out. I realize that the "normal" network topology would be to just create all the vlans on the 6500s and just trunk everything from the 3550 to the 6500s but for legacy purposes that isn't really an option. Any advice would be great. thanks, -Drew From jfitz at Princeton.EDU Fri Mar 13 08:49:44 2009 From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Fri, 13 Mar 2009 08:49:44 -0400 Subject: [c-nsp] PBR/VRF sanity check... In-Reply-To: <49B9C2F6.9000903@utc.edu> References: <49B9C2F6.9000903@utc.edu> Message-ID: <5C9C2326-B5CB-45B9-BB64-AAA000923FFF@princeton.edu> Hello Jeff. I just implemented VRF and PBR on a 6500 720-CXL running SXI code, and have pushed 600Mb so far with switch CPU and Router CPU showing no increase. Jeff Fitzwater OIT Network Systems Princeton University On Mar 12, 2009, at 10:20 PM, Jeff Kell wrote: > Aren't PBR and VRF mutually exclusive on all Catalysts, or are they > possible concurrently on a 4500 or 6500? > > Jeff > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jfitz at Princeton.EDU Fri Mar 13 08:51:46 2009 From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Fri, 13 Mar 2009 08:51:46 -0400 Subject: [c-nsp] PBR/VRF sanity check... In-Reply-To: <49B9F242.3090305@cisco.com> References: <49B9C2F6.9000903@utc.edu> <49B9F242.3090305@cisco.com> Message-ID: <70F571C5-CAD1-4D8F-B401-D78DF9606CFE@princeton.edu> I might mention that the "set vrf" is also in the SXI code and works on 6500 with 720-CXL. Jeff Fitzwater OIT Network Systems Princeton University On Mar 13, 2009, at 1:42 AM, Lincoln Dale wrote: > Jeff Kell wrote: >> Aren't PBR and VRF mutually exclusive on all Catalysts, or are they >> possible concurrently on a 4500 or 6500? > Catalyst 6500: see http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_mltvrf_slct_pbr.html > Nexus 7000: you can certainly do 'set vrf' on PBR with it remaining > in hardware switching path. > > > cheers, > > lincoln. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jfitz at Princeton.EDU Fri Mar 13 09:02:12 2009 From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Fri, 13 Mar 2009 09:02:12 -0400 Subject: [c-nsp] Quick question regarding trunking and routing. In-Reply-To: References: Message-ID: Use an SVI for the routing and the L2 port for the trunking. ! SVI interface vlan 100 ip address 10.10.10.10 255.255.255.0 interface gi1/0/1 switchport switchport mode trunk ! Use the following if you need to use a native vlan. ! switchport trunk native vlan nnnn !Use the following to restrict what vlans you want on the trunk ! swithcport trunk allowed vlans 100,200,300,400,500 switchport nonegotiate Jeff On Mar 13, 2009, at 8:34 AM, Drew Weaver wrote: > We have a 3550 which connects to two 6500s. > > The 3550 has some L3 vlans on it, but we also need to trunk a few of > the ports up to the 6500s. > > I've been banging my head because I cannot figure out how to make > the two uplink ports on the 3550 both trunk and route. > > What I mean is, currently the ports have ip addresses assigned > directly to them (/30s). > > I have to remove the IP to enable trunking, but then the L3 VLANs > that originate directly on the 3550 no longer function. > > I'm thinking there has to be some way to use uplink ports for both > trunking and routing but I just can't seem to figure it out. > > I realize that the "normal" network topology would be to just create > all the vlans on the 6500s and just trunk everything from the 3550 > to the 6500s but for legacy purposes that isn't really an option. > > Any advice would be great. > > thanks, > -Drew > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From Stig.Johansen at atea.no Fri Mar 13 09:11:10 2009 From: Stig.Johansen at atea.no (Stig Johansen) Date: Fri, 13 Mar 2009 14:11:10 +0100 Subject: [c-nsp] Quick question regarding trunking and routing. In-Reply-To: References: Message-ID: <5EB9799F396A304686962AFFF740ED0CE9C50312@NOOSLEXCH001.adno.local> >We have a 3550 which connects to two 6500s. >The 3550 has some L3 vlans on it, but we also need to trunk a few of the ports up to the 6500s. >I've been banging my head because I cannot figure out how to make the two uplink ports on the 3550 both trunk and route. >What I mean is, currently the ports have ip addresses assigned directly to them (/30s). >I have to remove the IP to enable trunking, but then the L3 VLANs that originate directly on the 3550 no longer function. >I'm thinking there has to be some way to use uplink ports for both trunking and routing but I just can't seem to figure it out. >I realize that the "normal" network topology would be to just create all the vlans on the 6500s and just trunk everything from the 3550 to the 6500s but for legacy purposes that isn't really an option. >Any advice would be great. You'll have to establish one or two VLAN's between the 3550 and the 6500'es and let this VLAN over the trunk. As in: Old config: interface FastEthernet0/1 description to 6500-1 ip address 1.2.3.2 255.255.255.252 ! interface FastEthernet0/2 description to 6500-2 ip address 2.3.4.2 255.255.255.252 New config: vlan 100 name 3550-to-6500-1 ! vlan 200 name 3550-to-6500-2 ! interface FastEthernet0/1 description L2 to 6500-1 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 100 ! And all of the other VLAN's you want to trunk up to 6500-1. switchport mode trunk ! interface FastEthernet0/2 description L2 to 6500-2 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 200 ! And all of the other VLAN's you want to trunk up to 6500-2. switchport mode trunk ! interface Vlan100 description L3 to 6500-1 ip address 1.2.3.2 255.255.255.252 ! interface Vlan200 description L3 to 6500-2 ip address 2.3.4.2 255.255.255.252 ! Best regards, Stig Meireles Johansen From jeff-kell at utc.edu Fri Mar 13 09:27:26 2009 From: jeff-kell at utc.edu (Jeff Kell) Date: Fri, 13 Mar 2009 09:27:26 -0400 Subject: [c-nsp] Quick question regarding trunking and routing. In-Reply-To: References: Message-ID: <49BA5F3E.10006@utc.edu> Drew Weaver wrote: > We have a 3550 which connects to two 6500s. > The 3550 has some L3 vlans on it, but we also need to trunk a few of the ports up to the 6500s. > I've been banging my head because I cannot figure out how to make the two uplink ports on the 3550 both trunk and route. > What I mean is, currently the ports have ip addresses assigned directly to them (/30s). Take your /30 endpoints and make them SVIs on an unused vlan, and add that vlan to the trunk allowed vlans. If you slap 'ip address' on an interface, it's going to be an L3 endpoint. But keeping an SVI should let you do what you want, provided that you properly "prune" the trunk on both ends (switchport trunk allowed vlan ...) to avoid unintended leakage over the trunk. Jeff From denyipanyany at gmail.com Fri Mar 13 09:41:21 2009 From: denyipanyany at gmail.com (Deny IP Any Any) Date: Fri, 13 Mar 2009 09:41:21 -0400 Subject: [c-nsp] determining cause of CPU spike in ASA after-the-fact? Message-ID: Hello. I've got a pair of Cisco ASA 5540s running the latest 8.0.4 in an active/standby cluster; early this morning the CPU on the active box went from 3% to 100% (as reported by SNMP), and sat there for about 20 minutes. The only thing in the logs during this time is the Active unit started testing one of the interfaces about 4 times a minute (not sure if this was the cause or a symptom); by the time I was woken up to look at it, the CPU usage was back to normal. It does strike me as slightly odd that the Secondary ASA didn't report losing comm with the Primary during this same period. Is there any way to, after-the-fact, figure out the cause of this? A 'show processes cpu-hog' doesn't show any thing during the time frame. Mar 13 2009 01:47:22: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface webdmz Mar 13 2009 01:47:22: %ASA-1-105008: (Primary) Testing Interface webdmz Mar 13 2009 01:47:23: %ASA-1-105009: (Primary) Testing on interface webdmz Passed Mar 13 2009 01:47:37: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface webdmz Mar 13 2009 01:47:37: %ASA-1-105008: (Primary) Testing Interface webdmz Mar 13 2009 01:47:38: %ASA-1-105009: (Primary) Testing on interface webdmz Passed Mar 13 2009 01:48:02: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface webdmz Mar 13 2009 01:48:02: %ASA-1-105008: (Primary) Testing Interface webdmz Mar 13 2009 01:48:03: %ASA-1-105009: (Primary) Testing on interface webdmz Passed Mar 13 2009 01:48:17: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface webdmz Mar 13 2009 01:48:17: %ASA-1-105008: (Primary) Testing Interface webdmz Mar 13 2009 01:48:18: %ASA-1-105009: (Primary) Testing on interface webdmz Passed Mar 13 2009 01:48:32: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface webdmz Mar 13 2009 01:48:32: %ASA-1-105008: (Primary) Testing Interface webdmz Mar 13 2009 01:48:33: %ASA-1-105009: (Primary) Testing on interface webdmz Passed Mar 13 2009 01:48:52: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface webdmz Mar 13 2009 01:48:52: %ASA-1-105008: (Primary) Testing Interface webdmz Mar 13 2009 01:48:53: %ASA-1-105009: (Primary) Testing on interface webdmz Passed -- deny ip any any (4393649193 matches) From schilling2006 at gmail.com Fri Mar 13 10:48:28 2009 From: schilling2006 at gmail.com (schilling) Date: Fri, 13 Mar 2009 10:48:28 -0400 Subject: [c-nsp] Cisco ACL Manager 1.6 Broke after enable MPLS Message-ID: Hi All, We had ACL manager 1.6 managing ACLs on our Catalyst 6500. We recently enabled MPLS on some of our core switches, ACL manger now will not open the device. The error is "Exception while getting device attributes: IDL AclmModule/AclmException:1.0". We only did the following in terms of MPLS. int loopback10 description MPLS-LDP-ID ip address 192.168.253.5 255.255.255.255 ip access-list standard mpls-loopbacks-only permit 192.168.253.0 0.0.0.63 permit any exit mpls label protocol ldp mpls ldp router-id loopback10 force no mpls ldp advertise-labels mpls ldp advertise-labels for mpls-loopbacks-only Then enabled mpls ip on backbone vlans. I sniffed the traffic of working one, ACL manager is using snmp and tftp to change the router configuration in our environment. Could somebody give some insight on this? Thanks. Schilling From ray at oneunified.net Fri Mar 13 11:48:15 2009 From: ray at oneunified.net (Ray Burkholder) Date: Fri, 13 Mar 2009 12:48:15 -0300 Subject: [c-nsp] 15km optics In-Reply-To: References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> Message-ID: <33f001c9a3f3$3de0c190$b9a244b0$@net> I have a carrier which has about 13km to 15km of fibre to their CO. They run 1310 nm alcatel equipment on their end. I was wanting to use a Cisco GLC-LH-SM on my end but that is rated for 10km. The GLC-ZX-SM is 1550 nm 70km device which is incompatible. Does anyone have suggestions on how to complete this link? inexpensive optical regenerator? small intermediate alcaltel box? a cisco SFP running 1310 nm and has longer range? Ray -- Scanned for viruses and dangerous content at http://www.oneunified.net and is believed to be clean. From paul at paulstewart.org Fri Mar 13 12:07:50 2009 From: paul at paulstewart.org (Paul Stewart) Date: Fri, 13 Mar 2009 12:07:50 -0400 Subject: [c-nsp] 15km optics In-Reply-To: <33f001c9a3f3$3de0c190$b9a244b0$@net> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> <33f001c9a3f3$3de0c190$b9a244b0$@net> Message-ID: <000301c9a3f5$e8f057b0$bad10710$@org> Hi Ray.. Use the ZX SFP and check the levels - if needed, put attenuators inline to drop the signal back down.... we have some runs with ZX in place at 12-15km and no attenuation with no issues - they have been in place for several years now... I don't have the specs but the receiver sensitivity I believe is the key (what highs and lows it can tolerate).... someone may have a more technical explanation for you ;) Take care, Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ray Burkholder Sent: Friday, March 13, 2009 11:48 AM To: 'cisco-nsp' Subject: [c-nsp] 15km optics I have a carrier which has about 13km to 15km of fibre to their CO. They run 1310 nm alcatel equipment on their end. I was wanting to use a Cisco GLC-LH-SM on my end but that is rated for 10km. The GLC-ZX-SM is 1550 nm 70km device which is incompatible. Does anyone have suggestions on how to complete this link? inexpensive optical regenerator? small intermediate alcaltel box? a cisco SFP running 1310 nm and has longer range? Ray -- Scanned for viruses and dangerous content at http://www.oneunified.net and is believed to be clean. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From greg at ip-man.net Fri Mar 13 12:15:31 2009 From: greg at ip-man.net (Gregoire Huet) Date: Fri, 13 Mar 2009 17:15:31 +0100 Subject: [c-nsp] 15km optics In-Reply-To: <33f001c9a3f3$3de0c190$b9a244b0$@net> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> <33f001c9a3f3$3de0c190$b9a244b0$@net> Message-ID: <49BA86A3.6020102@ip-man.net> Ray Burkholder a ?crit : > I have a carrier which has about 13km to 15km of fibre to their CO. They > run 1310 nm alcatel equipment on their end. I was wanting to use a Cisco > GLC-LH-SM on my end but that is rated for 10km. The GLC-ZX-SM is 1550 nm > 70km device which is incompatible. Hello We have a 16km link on 1310 fiber with LH, it works perfectly, so it might be worth giving it a try. Greg From Marcus.Gerdon at versatel.de Fri Mar 13 12:23:36 2009 From: Marcus.Gerdon at versatel.de (Marcus.Gerdon) Date: Fri, 13 Mar 2009 17:23:36 +0100 Subject: [c-nsp] 15km optics Message-ID: <227142482560EF458FF1F7E784E26AB84ADBB3@FLBVEXCH01.versatel.local> Ray, best check the transmission power and sensibility of the SFP (just look it up at Cisco's site) against the attenuation of the fibers (both directions). Longest link I had working were 14.6 km according OTDR with a LX GBIC and up to 12 km occur quite some time, so there's the possibility this will still work with LH-SM. Of course nearly fully utilizing the power budget raises the risk of fiber caused connection outage as a bend in a patch can become the .5 dB to much attenuation. Attenuated ZX is the saver one, so maybe converting 1310 to 1550 in the CO might be an option. regards, Marcus > -----Urspr?ngliche Nachricht----- > Von: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] Im Auftrag von Ray > Burkholder > Gesendet: Freitag, 13. M?rz 2009 16:48 > An: 'cisco-nsp' > Betreff: [c-nsp] 15km optics > > I have a carrier which has about 13km to 15km of fibre to > their CO. They > run 1310 nm alcatel equipment on their end. I was wanting to > use a Cisco > GLC-LH-SM on my end but that is rated for 10km. The > GLC-ZX-SM is 1550 nm > 70km device which is incompatible. > > Does anyone have suggestions on how to complete this link? > inexpensive > optical regenerator? small intermediate alcaltel box? a > cisco SFP running > 1310 nm and has longer range? > > Ray > > > -- > Scanned for viruses and dangerous content at > http://www.oneunified.net and is believed to be clean. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gert at greenie.muc.de Fri Mar 13 12:57:13 2009 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 13 Mar 2009 17:57:13 +0100 Subject: [c-nsp] 15km optics In-Reply-To: <33f001c9a3f3$3de0c190$b9a244b0$@net> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> <33f001c9a3f3$3de0c190$b9a244b0$@net> Message-ID: <20090313165713.GC290@greenie.muc.de> Hi, On Fri, Mar 13, 2009 at 12:48:15PM -0300, Ray Burkholder wrote: > I have a carrier which has about 13km to 15km of fibre to their CO. They > run 1310 nm alcatel equipment on their end. I was wanting to use a Cisco > GLC-LH-SM on my end but that is rated for 10km. The GLC-ZX-SM is 1550 nm > 70km device which is incompatible. > > Does anyone have suggestions on how to complete this link? inexpensive > optical regenerator? small intermediate alcaltel box? a cisco SFP running > 1310 nm and has longer range? There's 3rd-party "LX40" modules that are 1310 and can go up to 40km, available as GBIC or SFP. We use a few of those and are quite happy. Of course IOS complains "bah, bah, don't do that". gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From md at bts.sk Fri Mar 13 13:00:06 2009 From: md at bts.sk (=?UTF-8?Q?Marian_=C4=8Eurkovi=C4=8D?=) Date: Fri, 13 Mar 2009 18:00:06 +0100 Subject: [c-nsp] 15km optics In-Reply-To: <33f001c9a3f3$3de0c190$b9a244b0$@net> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> <33f001c9a3f3$3de0c190$b9a244b0$@net> Message-ID: <20090313165221.M33041@bts.sk> On Fri, 13 Mar 2009 12:48:15 -0300, Ray Burkholder wrote > I have a carrier which has about 13km to 15km of fibre to their CO. They > run 1310 nm alcatel equipment on their end. I was wanting to use a Cisco > GLC-LH-SM on my end but that is rated for 10km. The GLC-ZX-SM is 1550 > nm 70km device which is incompatible. > > Does anyone have suggestions on how to complete this link? inexpensive > optical regenerator? small intermediate alcaltel box? a cisco SFP running > 1310 nm and has longer range? SFPs for 20 km, 40 km or even 55 km reach running at 1310 nm are commonly available on the market, but not from Cisco. Power budget upto 22 dB could be supported at 1310 nm. With kind regards, M. From swmike at swm.pp.se Fri Mar 13 14:21:15 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Fri, 13 Mar 2009 19:21:15 +0100 (CET) Subject: [c-nsp] 15km optics In-Reply-To: <33f001c9a3f3$3de0c190$b9a244b0$@net> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> <33f001c9a3f3$3de0c190$b9a244b0$@net> Message-ID: On Fri, 13 Mar 2009, Ray Burkholder wrote: > I have a carrier which has about 13km to 15km of fibre to their CO. They > run 1310 nm alcatel equipment on their end. I was wanting to use a Cisco > GLC-LH-SM on my end but that is rated for 10km. The GLC-ZX-SM is 1550 nm > 70km device which is incompatible. Why is the ZX incompatible? "All" 1310nm optics have wideband receivers so getting the ZX into the LX at the other end is not a problem (apart from that you might want to attenuate it 5-10dB at the ZX launch end), and the ZX has -24dB receiver sensitivity meaning you gain there as well. This works. Been there done, that plenty of times. -- Mikael Abrahamsson email: swmike at swm.pp.se From skoal at skoal.name Fri Mar 13 15:18:35 2009 From: skoal at skoal.name (Gergely Antal) Date: Fri, 13 Mar 2009 20:18:35 +0100 Subject: [c-nsp] 15km optics In-Reply-To: <20090313165713.GC290@greenie.muc.de> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> <33f001c9a3f3$3de0c190$b9a244b0$@net> <20090313165713.GC290@greenie.muc.de> Message-ID: <49BAB18B.3040007@skoal.name> Is there similar options also in the 10G market... I have the same problem like Ray but on 10G with cisco LR modules i have -16.5 RX receive power,and the telco says that thay dont support ER or ZR. Gert Doering wrote: > Hi, > > On Fri, Mar 13, 2009 at 12:48:15PM -0300, Ray Burkholder wrote: >> I have a carrier which has about 13km to 15km of fibre to their CO. They >> run 1310 nm alcatel equipment on their end. I was wanting to use a Cisco >> GLC-LH-SM on my end but that is rated for 10km. The GLC-ZX-SM is 1550 nm >> 70km device which is incompatible. >> >> Does anyone have suggestions on how to complete this link? inexpensive >> optical regenerator? small intermediate alcaltel box? a cisco SFP running >> 1310 nm and has longer range? > > There's 3rd-party "LX40" modules that are 1310 and can go up to 40km, > available as GBIC or SFP. > > We use a few of those and are quite happy. Of course IOS complains > "bah, bah, don't do that". > > gert -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From ayourtch at cisco.com Fri Mar 13 15:37:45 2009 From: ayourtch at cisco.com (Andrew Yourtchenko) Date: Fri, 13 Mar 2009 20:37:45 +0100 (CET) Subject: [c-nsp] FWSM HA secondary reload & long downtime In-Reply-To: <1236889348.4133.15.camel@localhost.localdomain> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> <1236889348.4133.15.camel@localhost.localdomain> Message-ID: On Thu, 12 Mar 2009, Peter Rathlev wrote: > On Wed, 2009-03-11 at 19:14 +0100, Andrew Yourtchenko wrote: >> On Wed, 11 Mar 2009, Peter Rathlev wrote: >>> This of course points to something else being the problem, not the >>> FWSM. >> >> *bling* too strong of an assumption :). > > Ironically that was a very precise observation. ;-) I've looked much > more thoroughly at the logs now, and finally I discovered what would've > taken only few moments to see had I just opened my eyes. > > It turns out that more than one context had problems. I think I was > tired when I looked at the configuration differences. Specifically all > contexts with no "monitor-interface"-configuration were affected. Every > context with at least one "monitor-interface" had no problems. > > I seem to remember that we stopped using "monitor-interface" in the > individual contexts a year or so back, thinking that when failover is > always system wide anyway, and since all the relevant VLANs share the > same underlying (redundant) path, we could just as well only monitor one > interface in the admin context. By chance a couple of other contexts had > some monitors that weren't removed back then. > > It is of course a joy to have figured this out, but I can't seem to find > anything much on what "monitor-interface" in a multiple context setup > actually does or doesn't do. if all the interfaces go over the exact same path, there is probably not an entirely huge benefit of it. > > Should every context have one monitor-interface? Should all interfaces > be monitored or just one per context? >From the practical perspective, if the "magic trick" of having at least one monitored interface per context solves it - business needs first, let's put it in. But otherwise it should not be needed. Would be very cool if you have some cycles to try this in the lab - if this is reproducible, I think we should treat it as a bug if not already. I'm on PTO the next two weeks, after that open the SR# and shoot me unicast. cheers, andrew From ajadav at gmail.com Fri Mar 13 16:25:52 2009 From: ajadav at gmail.com (Asheesh Jadav) Date: Fri, 13 Mar 2009 13:25:52 -0700 Subject: [c-nsp] Fast Reroute - Detour Object support ? Message-ID: Hi, Is the DETOUR Object as specified in RFC 4090 supported on Cisco IOS? I'm trying to set up a detour through a Cisco 7600 but the system doesn't seem to like the PATH message. I'm using the Version 12.2(33)SRB5 on a 7600 chassis. Router# Router# *Sep 5 07:21:10.999: RSVP: Found unknown object (63) when parsing message *Sep 5 07:21:10.999: RSVP: 7.7.7.7_1->8.8.8.8_1[7.7.7.7]: Found unknown object (63) when parsing Path message *Sep 5 07:21:10.999: RSVP: 7.7.7.7_1->8.8.8.8_1[7.7.7.7]: Sending PathError message to 20.20.20.7 *Sep 5 07:21:11.007: RSVP-MSG: 7.7.7.7_1->8.8.8.8_1[7.7.7.7]: Received PathTear message from 7.7.7.7 (on GigabitEthernet4/1) Router# Router#show mod Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 4 8 8 port 1000mb GBIC Enhanced QoS WS-X6408A-GBIC SAL0735KZKL 5 2 Supervisor Engine 720 (Active) WS-SUP720-3B SAL1208GKQA Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 4 000d.bdf5.2bbc to 000d.bdf5.2bc3 3.0 5.4(2) 8.6(0.434)BA Ok 5 0017.9444.2688 to 0017.9444.268b 5.3 8.5(2) 12.2(33)SRB5 Ok Mod Sub-Module Model Serial Hw Status ---- --------------------------- ------------------ ----------- ------- ------- 5 Policy Feature Card 3 WS-F6K-PFC3B SAL1126W66V 2.2 Ok 5 MSFC3 Daughterboard WS-SUP720 SAL1126W66E 2.3 Ok Mod Online Diag Status ---- ------------------- 4 Pass 5 Pass Router# Thanks. Asheesh From tdurack at gmail.com Fri Mar 13 16:30:50 2009 From: tdurack at gmail.com (Tim Durack) Date: Fri, 13 Mar 2009 16:30:50 -0400 Subject: [c-nsp] 12.2(33)SXI vpnv6 Message-ID: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> I'm running 12.2(33)SXI on some boxes in a PE-PE setup. I'm trying to enable vpnv6. BGP side of things is working: rtr-1#sh ipv6 route vrf v101 IPv6 Routing Table - v101 - 4 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 B 1:0:1:1::1/128 [200/0] via 1:0:1970::1%Default, indirectly connected B 1:0:1:1::2/128 [200/0] via 1:0:1970::2%Default, indirectly connected LC 1:0:1970:1::3/128 [0/0] via Loopback101, receive L FF00::/8 [0/0] via Null0, receive But cef/labels aren't being programmed: rtr-1#sh mls cef ipv6 vrf v101 Codes: + - Push label Index Prefix Adjacency 196640 1:0:1970:1::3/128 receive 196672 ::/127 drop 196704 FE80::/10 receive 196736 FF00::/8 glean 197152 ::/0 drop vpnv4 is working fine, IPv6 in the global table is working, but not vpnv6. Any ideas? Tim:> From ras at e-gerbil.net Fri Mar 13 16:48:17 2009 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Fri, 13 Mar 2009 15:48:17 -0500 Subject: [c-nsp] 15km optics In-Reply-To: <33f001c9a3f3$3de0c190$b9a244b0$@net> References: <1236633344.3572.13.camel@localhost.localdomain> <1236719408.4513.51.camel@localhost.localdomain> <1236793626.3563.339.camel@localhost.localdomain> <33f001c9a3f3$3de0c190$b9a244b0$@net> Message-ID: <20090313204817.GE51443@gerbil.cluepon.net> On Fri, Mar 13, 2009 at 12:48:15PM -0300, Ray Burkholder wrote: > I have a carrier which has about 13km to 15km of fibre to their CO. They > run 1310 nm alcatel equipment on their end. I was wanting to use a Cisco > GLC-LH-SM on my end but that is rated for 10km. The GLC-ZX-SM is 1550 nm > 70km device which is incompatible. I think this has already been answered to death by everyone else on the list, but I'd like to try and summarize a few points into something which can be pointed to on the list archives the next time someone asks this question. 1. All SMF optics have wideband receivers and will happily accept any signal from any other source (typically 1270-1610nm), with absolutely no requirement that it match what the other side is sending. Don't think of a fiber circuit as a single link, think of it as two completely distinct links running in opposite directions which just happen to be parallel to each other for TX and RX. 2. Distances specified on optics mean absolutely nothing, they are there to give you a rough estimation of what you could expect under the worst possible conditions. Optical budget (and at higher speeds, things like dispersion penalties) are pretty much all you care about (ignoring goofy things like reflections which aren't relevent to this discussion). 3. Not all optics perform the same. Think of it like how processors are made, they make a batch and some of them perform better than others. A certain number perform completely outside of spec and have to be thrown away, but even within the "good" batch there will be varying levels of performance and quality. For example, Cisco LX/LH optics have a TX power spec of between -3 to -9.5 dBm, and a RX power spec of between -3 to -20 dBm. The max TX of -3 is so that incase you have two LX optics side by side, the signal isn't so strong that it blinds the other side. The distance spec is calculated assuming the worst possible conditions, a TX over -9.5 dBm, running over old crappy SMF28 fiber. In reality, you're likely to find that most of your LX/LH optics operate much closer to the -3 side than the -9.5 side, and infact you may find some that are hotter than spec. Fixing something thats too hot is easy, you just add an attenuator. You'll find that you can almost always go at least 2dB below your RX budget too, before you actually start taking errors. Think of it like the max capacity sign on an elevator, they actually make the steel cables to hold many times more than that max capacity, "just incase". Also optics tend to cool over time, so what shipped as a +1 might end up as a -1 after a few years, and they don't want your link randomly going out and you complaining. :) 4. Often times, links can be extended simply by changing out one side of the pair with a longer reach optic. When you upgrade one side, not only do you increase the transmitted signal strength (and often switch the signal from 1310 to 1550, which has a lower rate of loss per unit of distance), you're also increasing the receiver sensitivity. The far side can hear you because you're transmitting a stronger signal in a band that has less loss over distance, and you can hear the far side because you have a more sensitive receiver. At the end of the day, almost all your questions (well at least all the simple ones :P) can be answered by a light meter or integrated optical monitoring on newer optics. Anyone who doesn't have a light meter would do well to get themselves over to ebay and spend a couple hundred bucks. Also, please for the love of god read the instruction manual and learn the difference between "absolute power mode" (i.e. how much signal am I receiving?) and "relative loss mode" (i.e. how much loss does this cable have assuming that there is a known fixed-strength signal generator on the other side?). I'm seriously sick and tired of 95% of supposedly trained remote hands techs telling me I'm transmitting +65dBm. :) -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From tdurack at gmail.com Fri Mar 13 17:00:53 2009 From: tdurack at gmail.com (Tim Durack) Date: Fri, 13 Mar 2009 17:00:53 -0400 Subject: [c-nsp] 12.2(33)SXI vpnv6 In-Reply-To: <49BAC823.6080901@whack.org> References: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> <49BAC823.6080901@whack.org> Message-ID: <9e246b4d0903131400v527bf7e2s483b284155e3e416@mail.gmail.com> On Fri, Mar 13, 2009 at 4:54 PM, Bruce Pinsky wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Tim Durack wrote: > > I'm running 12.2(33)SXI on some boxes in a PE-PE setup. I'm trying to > enable > > vpnv6. BGP side of things is working: > > > > rtr-1#sh ipv6 route vrf v101 > > IPv6 Routing Table - v101 - 4 entries > > Codes: C - Connected, L - Local, S - Static, U - Per-user Static route > > B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 > > IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP > > external > > O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext > 2 > > ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 > > B 1:0:1:1::1/128 [200/0] > > via 1:0:1970::1%Default, indirectly connected > > B 1:0:1:1::2/128 [200/0] > > via 1:0:1970::2%Default, indirectly connected > > LC 1:0:1970:1::3/128 [0/0] > > via Loopback101, receive > > L FF00::/8 [0/0] > > via Null0, receive > > > > But cef/labels aren't being programmed: > > > > rtr-1#sh mls cef ipv6 vrf v101 > > > > Codes: + - Push label > > Index Prefix Adjacency > > 196640 1:0:1970:1::3/128 receive > > 196672 ::/127 drop > > 196704 FE80::/10 receive > > 196736 FF00::/8 glean > > 197152 ::/0 drop > > > > vpnv4 is working fine, IPv6 in the global table is working, but not > vpnv6. > > > > Any ideas? > > > > Got a config? > > Assume you did enable "mls ipv6 vrf"... > Yup: rtr-1#sh run | i mls ipv6 vrf mls ipv6 vrf (same on all PE) From rinse.kloek at isp.solcon.nl Fri Mar 13 16:13:32 2009 From: rinse.kloek at isp.solcon.nl (Rinse Kloek) Date: Fri, 13 Mar 2009 21:13:32 +0100 Subject: [c-nsp] PPPoEoQinQ works but PPPoE o VLAN doesn't on 7600 Message-ID: <49BABE6C.4040805@isp.solcon.nl> Hello, I try to do PPPoE terminating of sessions on a 7600-RSP7203C with WS-X6724-SFP Lan cards (12.2(33)SRC). I have a trunk that carries VLAN 710 and is connected to Gi1/1: The following config with pppoe enabled on the physical interface, doesn't work. The CPU doesn't process the PPPoE packets. interface GigabitEthernet1/1 description "Trunk with VLAN 710 for PPPoE" no ip address vlan-id dot1q 710 pppoe enable group global exit-vlan-config ! ! However, when I do dot1q tunneling, PPPoE packets get processed: interface GigabitEthernet1/1 description "Trunk with VLAN 710 for PPPoE" switchport switchport access vlan 720 switchport mode dot1q-tunnel ! interface vlan 720 no ip address vlan-id dot1q 710 pppoe enable group global exit-vlan-config ! ! What do I miss. Do the Cisco WS-X67xx LAN cards discard PPPoE packets and only process them when doing dot1q tunneling ? Rinse Kloek From bep at whack.org Fri Mar 13 16:54:59 2009 From: bep at whack.org (Bruce Pinsky) Date: Fri, 13 Mar 2009 13:54:59 -0700 Subject: [c-nsp] 12.2(33)SXI vpnv6 In-Reply-To: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> References: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> Message-ID: <49BAC823.6080901@whack.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tim Durack wrote: > I'm running 12.2(33)SXI on some boxes in a PE-PE setup. I'm trying to enable > vpnv6. BGP side of things is working: > > rtr-1#sh ipv6 route vrf v101 > IPv6 Routing Table - v101 - 4 entries > Codes: C - Connected, L - Local, S - Static, U - Per-user Static route > B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 > IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP > external > O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 > ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 > B 1:0:1:1::1/128 [200/0] > via 1:0:1970::1%Default, indirectly connected > B 1:0:1:1::2/128 [200/0] > via 1:0:1970::2%Default, indirectly connected > LC 1:0:1970:1::3/128 [0/0] > via Loopback101, receive > L FF00::/8 [0/0] > via Null0, receive > > But cef/labels aren't being programmed: > > rtr-1#sh mls cef ipv6 vrf v101 > > Codes: + - Push label > Index Prefix Adjacency > 196640 1:0:1970:1::3/128 receive > 196672 ::/127 drop > 196704 FE80::/10 receive > 196736 FF00::/8 glean > 197152 ::/0 drop > > vpnv4 is working fine, IPv6 in the global table is working, but not vpnv6. > > Any ideas? > Got a config? Assume you did enable "mls ipv6 vrf"... - -- ========= bep -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkm6yCMACgkQE1XcgMgrtyboiwCgyBTo9Cf9MZjOh089Zc7UgxSM TwMAn0b70Quqei+R/+S7ldKtePLDII6d =184z -----END PGP SIGNATURE----- From sethm at rollernet.us Fri Mar 13 18:35:26 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Fri, 13 Mar 2009 15:35:26 -0700 Subject: [c-nsp] HWIC-4T1/E1 Platform Support Message-ID: <49BADFAE.9030900@rollernet.us> I'm looking at the HWIC-4T1/E1 and according to its data sheet, it's only supported in the 2821, 2851 and 3800's. On the 2800 data sheet, the big table says it's OK for all 2800's. Which one is correct? ~Seth From todd at newfrontierssolutions.com Fri Mar 13 19:38:01 2009 From: todd at newfrontierssolutions.com (Todd Shipway) Date: Fri, 13 Mar 2009 19:38:01 -0400 Subject: [c-nsp] Virtual Access int down after IOS upgrade Message-ID: <1236987481.10690.12.camel@booger> We just upgraded a 7500 to 12.4(23) and everything works great except DSL connections over atm card. ATM interfaces are up, all configuration is in place, pvc interfaces are up, virtual templates are in place. But the virtual-access interface refuses to come up. Anyone have any clues as to what we shoudl be looking at? Everything I see seems like it shoudl be working good. summit#sh interfaces atm 10/0/0 ATM10/0/0 is up, line protocol is up Hardware is cyBus ATM MTU 4470 bytes, sub MTU 4470, BW 155520 Kbit/sec, DLY 80 usec, reliability 129/255, txload 1/255, rxload 1/255 Encapsulation ATM, loopback not set Encapsulation(s): AAL5 , PVC mode 2047 maximum active VCs, 1024 VCs per VP, 88 current VCCs VC Auto Creation Disabled. VC idle disconnect time: 300 seconds Last input 00:02:08, output 00:02:08, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 30000 bits/sec, 56 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 37010 packets input, 2527473 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 37305 input errors, 0 CRC, 0 frame, 63 overrun, 0 ignored, 1 abort 1 packets output, 56 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 unknown protocol drops 0 output buffer failures, 0 output buffers swapped out summit#sh interfaces atm 10/0/0.1 ATM10/0/0.1 is up, line protocol is up Hardware is cyBus ATM MTU 4470 bytes, BW 155520 Kbit/sec, DLY 80 usec, reliability 128/255, txload 1/255, rxload 1/255 Encapsulation ATM 35184 packets input, 2260236 bytes 0 packets output, 0 bytes 1 OAM cells input, 1 OAM cells output AAL5 Oversized SDUs : 0 Last clearing of "show interface" counters never summit#sh interfaces virtual-access 1 Virtual-Access1 is down, line protocol is down Hardware is Virtual Access interface MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, LCP Closed Base VtMgr vaccess Vaccess status 0x0, loopback not set DTR is pulsed for 5 seconds on reset Last input never, output never, output hang never Last clearing of "show interface" counters 00:11:07 Input queue: 0/4096/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 unknown protocol drops 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From mcdonald.richards at gmail.com Fri Mar 13 20:42:47 2009 From: mcdonald.richards at gmail.com (McDonald Richards) Date: Sat, 14 Mar 2009 11:42:47 +1100 Subject: [c-nsp] Sending connected number from AS5350 In-Reply-To: References: Message-ID: <8bde567b0903131742r36510054rd578c3826c1cdff4@mail.gmail.com> This is fairly common policy for a telco and I think you are probably heading in the wrong direction with your analysis. The calling party IE is sent in the ISDN setup message. You should use translation profiles on the SIP leg of the call to normalise the calling party number as the call hits the gateway and present the expected format to your provider. Here's a sample configuration on how to overstamp incoming calls from a customer assuming you use a digit prepend or similar to identify them on your gateway (in this case the digit prepend being 00022): voice translation-profile OVERSTAMP-CUSTOMER-A translate calling 100 ! voice translation-rule 100 rule 1 /^.*/ /$customer_number/ ! dial-peer 100 description incoming calls from customer-a translation-profile incoming OVERSTAMP-CUSTOMER-A incoming called-number 00022.T The above config snippets will take any number coming in that matches dial-peer 100 and set the calling-party to whatever you have entered in $customer_number. Using this you can present your provider the correct numbers and preserve CLI integrity. On Fri, Mar 13, 2009 at 3:20 AM, Andreas Sikkema wrote: > Hi, > > I've got a Cisco AS5350XM connected to a couple of ISDN30s from one of the > local telcos. The 5350 converts ISDN to SIP and vice versa. Some of our > customers on the SIP side have complained that every now and then when > they are called from the PSTN side the calling party sees the "main > number" of our ISDN lines appear instead of the called number when the > call has been answered. > > The telco apparently has the policy that they will send out the line > number when we don't provide the connected number or overwrite it when we > send an "illegal" number. The only thing the telco so far has offered us > is to set presentation to not allowed for all outgoing connected numbers > which will solve the presentation of the line number but might give some > calling parties the wrong impression. > > The problem is that I haven't been able to find a way make our 5350 send a > "connected number" IE on the ISDN side. (isdn outgoing ie connected-number > hasn't yet solved the problem as far as I can see). > > Is there a way to force the 5350 to send a connected number IE for > instance when receiving an UPDATE message or on receipt of a 200 OK > message? The only logging a debug isdn q931 will give on a CONNECT message > being sent is this: > Mar 12 16:28:10.935: ISDN Se3/5:15 Q931: TX -> CONNECT pd = 8 callref = > 0xF001 > > > Or am I way off track and should be looking at something else? > > -- > Andreas Sikkema > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From oboehmer at cisco.com Sat Mar 14 02:59:17 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Sat, 14 Mar 2009 07:59:17 +0100 Subject: [c-nsp] Fast Reroute - Detour Object support ? In-Reply-To: References: Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840709C44A@xmb-ams-333.emea.cisco.com> Asheesh Jadav <> wrote on Friday, March 13, 2009 21:26: > Hi, > > Is the DETOUR Object as specified in RFC 4090 supported on Cisco > IOS? I'm trying to set up a detour through a Cisco 7600 but the > system doesn't seem to like the PATH message. I'm using the Version > 12.2(33)SRB5 on a 7600 chassis. no, we do not support detour, we support facility.. oli From mtinka at globaltransit.net Fri Mar 13 23:56:20 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Sat, 14 Mar 2009 11:56:20 +0800 Subject: [c-nsp] Supress STP on a port? In-Reply-To: <17838240D9A5544AAA5FF95F8D52031605B41D84@ad-exh01.adhost.lan> References: <49B8AED8.8070900@cisco.com> <17838240D9A5544AAA5FF95F8D52031605B41D84@ad-exh01.adhost.lan> Message-ID: <200903141157.00430.mtinka@globaltransit.net> On Thursday 12 March 2009 02:57:02 pm Michael K. Smith - Adhost wrote: > I echo what Lincoln said as loudly as I can without > typing in all caps. If you enable filtering and you get > a second path somehow or somewhere (customers can be very > helpful by doing "stuff" when you're not looking), you > will loop up your entire network. This will happen at 3 > am 2 years from now on a Sunday when you're out of town > and your front line tech is asleep in a hut somewhere. > Trust me. BPDU-filter bad. Really. As one poster subtly mentioned, limit BPDU filtering to Edge ports (Portfast-enabled ports in Cisco speak). Trunk ports would still process BPDU's, as they are typically not configured as Edge ports. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From p.mayers at imperial.ac.uk Sat Mar 14 09:43:44 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Sat, 14 Mar 2009 13:43:44 +0000 Subject: [c-nsp] 12.2(33)SXI vpnv6 In-Reply-To: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> References: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> Message-ID: <49BBB490.8080303@imperial.ac.uk> Tim Durack wrote: > I'm running 12.2(33)SXI on some boxes in a PE-PE setup. I'm trying to enable > vpnv6. BGP side of things is working: > > rtr-1#sh ipv6 route vrf v101 > IPv6 Routing Table - v101 - 4 entries > Codes: C - Connected, L - Local, S - Static, U - Per-user Static route > B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 > IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP > external > O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 > ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 > B 1:0:1:1::1/128 [200/0] > via 1:0:1970::1%Default, indirectly connected > B 1:0:1:1::2/128 [200/0] > via 1:0:1970::2%Default, indirectly connected > LC 1:0:1970:1::3/128 [0/0] > via Loopback101, receive > L FF00::/8 [0/0] > via Null0, receive > > But cef/labels aren't being programmed: > > rtr-1#sh mls cef ipv6 vrf v101 > > Codes: + - Push label > Index Prefix Adjacency > 196640 1:0:1970:1::3/128 receive > 196672 ::/127 drop > 196704 FE80::/10 receive > 196736 FF00::/8 glean > 197152 ::/0 drop > > vpnv4 is working fine, IPv6 in the global table is working, but not vpnv6. > > Any ideas? I've definitely had this working; what's your config? From paul at paulstewart.org Sat Mar 14 09:52:07 2009 From: paul at paulstewart.org (Paul Stewart) Date: Sat, 14 Mar 2009 09:52:07 -0400 Subject: [c-nsp] Sup720-3BXL Stable IOS Message-ID: <00d001c9a4ac$10871c30$31955490$@org> Hi there. We're seeing issues occasionally with BGP sessions on Sup720-3BXL getting "stuck". When adding a new session in particular it won't come up and sometimes after removing and adding back into the config it works.. Other strange unexplained stuff once in a while.. Anyways, talked to a few peers and they tell me "wow, you're on the bleeding edge" because we're running 12.2.33SRD and 12.2.33SRC releases. I am thinking of moving to 12.2.33SRA7 release as it's listed as LD vs ED and is very current still - am I playing with fire? Any feedback? Box is running IPv4/IPv6, OSPF and BGP Many thanks, Paul This message was delivered by MDaemon - http://www.altn.com/MDaemon/ From todd at newfrontierssolutions.com Sat Mar 14 14:22:34 2009 From: todd at newfrontierssolutions.com (Todd Shipway) Date: Sat, 14 Mar 2009 14:22:34 -0400 Subject: [c-nsp] Virtual Access int down after IOS upgrade In-Reply-To: <1236987481.10690.12.camel@booger> References: <1236987481.10690.12.camel@booger> Message-ID: <1237054954.7369.6.camel@booger> I had to go back to 12.4(3) to get the virtual-access interface working again. But below is the config I'm using for the dsl's on the atm card. Is there something I'm missing that has changed since 12.4(3) and (23)? I'm sure there is, but it's becoming a huge pain to track it down. Just looking for possible suggestions, I'm digging through release notes now to see if I can find more info. The problem is that after upgrading to 12.4(23), the Virtual-Access interface stays in a down/down state. atm and pvc interfaces are up/up. Since the Virtual-Access int is down, no traffic passes from DSL connections. This is on a 7513 with 12.0(10r)S1 bootstrap. ATM Card: NAME: "Card Slot 10, Bay 0", DESCR: "ATM Lite Port Adaptor (SM)" PID: PA-ATM-LITE-SM , VID: Hardware Version : 1.1 Board Revision : D0, SN: 16743213 Current 12.4(3) config: interface ATM10/0/0 no ip address no atm ilmi-keepalive no clns route-cache ! interface ATM10/0/0.1 multipoint pvc 1/6 encapsulation aal5snap protocol ppp Virtual-Template16 ! pvc 1/9 encapsulation aal5snap protocol ppp Virtual-Template13 interface Virtual-Template13 ip unnumbered FastEthernet4/0 peer default ip address pool dsl13 ! interface Virtual-Template14 ip unnumbered FastEthernet4/0 peer default ip address pool dsl14 ! interface Virtual-Template15 ip unnumbered FastEthernet4/0 peer default ip address pool dsl15 ! interface Virtual-Template16 ip unnumbered FastEthernet4/0 peer default ip address pool dsl16 ! ip local pool dsl13 63.168.160.164 ip local pool dsl14 63.168.160.165 ip local pool dsl15 63.168.160.166 ip local pool dsl16 198.70.13.130 198.70.13.142 On Fri, 2009-03-13 at 19:38 -0400, Todd Shipway wrote: > We just upgraded a 7500 to 12.4(23) and everything works great except > DSL connections over atm card. ATM interfaces are up, all configuration > is in place, pvc interfaces are up, virtual templates are in place. > But the virtual-access interface refuses to come up. Anyone have any > clues as to what we shoudl be looking at? Everything I see seems like > it shoudl be working good. > > > summit#sh interfaces atm 10/0/0 > ATM10/0/0 is up, line protocol is up > Hardware is cyBus ATM > MTU 4470 bytes, sub MTU 4470, BW 155520 Kbit/sec, DLY 80 usec, > reliability 129/255, txload 1/255, rxload 1/255 > Encapsulation ATM, loopback not set > Encapsulation(s): AAL5 , PVC mode > 2047 maximum active VCs, 1024 VCs per VP, 88 current VCCs > VC Auto Creation Disabled. > VC idle disconnect time: 300 seconds > Last input 00:02:08, output 00:02:08, output hang never > Last clearing of "show interface" counters never > Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 > Queueing strategy: fifo > Output queue: 0/40 (size/max) > 5 minute input rate 30000 bits/sec, 56 packets/sec > 5 minute output rate 0 bits/sec, 0 packets/sec > 37010 packets input, 2527473 bytes, 0 no buffer > Received 0 broadcasts, 0 runts, 0 giants, 0 throttles > 37305 input errors, 0 CRC, 0 frame, 63 overrun, 0 ignored, 1 abort > 1 packets output, 56 bytes, 0 underruns > 0 output errors, 0 collisions, 0 interface resets > 0 unknown protocol drops > 0 output buffer failures, 0 output buffers swapped out > summit#sh interfaces atm 10/0/0.1 > ATM10/0/0.1 is up, line protocol is up > Hardware is cyBus ATM > MTU 4470 bytes, BW 155520 Kbit/sec, DLY 80 usec, > reliability 128/255, txload 1/255, rxload 1/255 > Encapsulation ATM > 35184 packets input, 2260236 bytes > 0 packets output, 0 bytes > 1 OAM cells input, 1 OAM cells output > AAL5 Oversized SDUs : 0 > Last clearing of "show interface" counters never > summit#sh interfaces virtual-access 1 > Virtual-Access1 is down, line protocol is down > Hardware is Virtual Access interface > MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec, > reliability 255/255, txload 1/255, rxload 1/255 > Encapsulation PPP, LCP Closed > Base VtMgr vaccess > Vaccess status 0x0, loopback not set > DTR is pulsed for 5 seconds on reset > Last input never, output never, output hang never > Last clearing of "show interface" counters 00:11:07 > Input queue: 0/4096/0/0 (size/max/drops/flushes); Total output drops: > 0 > Queueing strategy: fifo > Output queue: 0/40 (size/max) > 5 minute input rate 0 bits/sec, 0 packets/sec > 5 minute output rate 0 bits/sec, 0 packets/sec > 0 packets input, 0 bytes, 0 no buffer > Received 0 broadcasts, 0 runts, 0 giants, 0 throttles > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort > 0 packets output, 0 bytes, 0 underruns > 0 output errors, 0 collisions, 0 interface resets > 0 unknown protocol drops > 0 output buffer failures, 0 output buffers swapped out > 0 carrier transitions > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From tdurack at gmail.com Sat Mar 14 15:21:24 2009 From: tdurack at gmail.com (Tim Durack) Date: Sat, 14 Mar 2009 15:21:24 -0400 Subject: [c-nsp] 12.2(33)SXI vpnv6 In-Reply-To: <49BBB490.8080303@imperial.ac.uk> References: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> <49BBB490.8080303@imperial.ac.uk> Message-ID: <9e246b4d0903141221p6e6674cckeb9de7fbe9ca6fc8@mail.gmail.com> > > I've definitely had this working; what's your config? > vrf definition v101 rd 10.1.0.3:101 route-target export xxx:101 route-target import xxx:101 ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! ! interface Loopback101 vrf forwarding v101 ip address 10.1.0.3 255.255.255.255 ipv6 address 1:0:1970:1::3/128 ! router bgp 65001 ! address-family ipv4 vrf v101 redistribute connected no synchronization exit-address-family ! ! address-family ipv6 vrf v101 redistribute connected no synchronization exit-address-family ! ! end Can't see anything missing. MP-BGP is working, VPN routes are being exchanged, but IPv6 isn't getting label switched. Feels like I'm missing something stupid. Tim:> From tdurack at gmail.com Sat Mar 14 15:55:50 2009 From: tdurack at gmail.com (Tim Durack) Date: Sat, 14 Mar 2009 15:55:50 -0400 Subject: [c-nsp] 12.2(33)SXI vpnv6 In-Reply-To: <9e246b4d0903141221p6e6674cckeb9de7fbe9ca6fc8@mail.gmail.com> References: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> <49BBB490.8080303@imperial.ac.uk> <9e246b4d0903141221p6e6674cckeb9de7fbe9ca6fc8@mail.gmail.com> Message-ID: <9e246b4d0903141255r3091a2e5m6e451616bbed7ab8@mail.gmail.com> On Sat, Mar 14, 2009 at 3:21 PM, Tim Durack wrote: >> >> I've definitely had this working; what's your config? >> > > vrf definition v101 > ?rd 10.1.0.3:101 > ?route-target export xxx:101 > ?route-target import xxx:101 > ?! > ?address-family ipv4 > ?exit-address-family > ?! > ?address-family ipv6 > ?exit-address-family > ! > ! > interface Loopback101 > ?vrf forwarding v101 > ?ip address 10.1.0.3 255.255.255.255 > ?ipv6 address 1:0:1970:1::3/128 > ! > router bgp 65001 > ! > address-family ipv4 vrf v101 > ?redistribute connected > ?no synchronization > ?exit-address-family > ! > ! > address-family ipv6 vrf v101 > ?redistribute connected > ?no synchronization > ?exit-address-family > ! > ! > end > > Can't see anything missing. MP-BGP is working, VPN routes are being > exchanged, but IPv6 isn't getting label switched. Feels like I'm > missing something stupid. > > Tim:> > Maybe vpnv6 should be activated on my IPv4 peering sessions, not IPv6 sessions. Let me try that. Tim:> From tdurack at gmail.com Sat Mar 14 16:40:27 2009 From: tdurack at gmail.com (Tim Durack) Date: Sat, 14 Mar 2009 16:40:27 -0400 Subject: [c-nsp] 12.2(33)SXI vpnv6 In-Reply-To: <9e246b4d0903141255r3091a2e5m6e451616bbed7ab8@mail.gmail.com> References: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> <49BBB490.8080303@imperial.ac.uk> <9e246b4d0903141221p6e6674cckeb9de7fbe9ca6fc8@mail.gmail.com> <9e246b4d0903141255r3091a2e5m6e451616bbed7ab8@mail.gmail.com> Message-ID: <9e246b4d0903141340y48769f00v56f9bc49b938e569@mail.gmail.com> > > Maybe vpnv6 should be activated on my IPv4 peering sessions, not IPv6 > sessions. Let me try that. > > Tim:> > That was it. I guess this is why Cisco docs say stuff like: Restrictions for Implementing IPv6 VPN over MPLS 6VPE supports an MPLS IPv4-signaled core. An MPLS IPv6-signaled core is not supported. I'm not really trying to run 6VPE, just IPv6 VPNs, over a dual-stack infrastructure. Somewhat counter-intuitive to *not* enable IPv6 peers for VPNv6. Even more confusing that VPNv6 will exchange routes over IPv6 sessions, but then not work due to the missing label path. Guess this is due to the lack of IPv6 LDP. Hopefully this will get fixed sooner rather than later. Tim:> From damin at nacs.net Sat Mar 14 17:50:20 2009 From: damin at nacs.net (Gregory Boehnlein) Date: Sat, 14 Mar 2009 17:50:20 -0400 Subject: [c-nsp] AS5200 / 5300 Modem Cards Message-ID: <036001c9a4ee$defc7af0$9cf570d0$@net> I'm having a tough time locating this information on CCO. I have an AS5200 sitting in the back, and am wondering if I can move the two Mica carrier cards into an AS5300? Are they interchangeable? From bdikici at gmail.com Sat Mar 14 19:13:17 2009 From: bdikici at gmail.com (Burak Dikici) Date: Sun, 15 Mar 2009 01:13:17 +0200 Subject: [c-nsp] BGP - Multihoming Message-ID: Hello , I would like consult some subject about BGP to the experienced BGP users. We are making a BGP connection to a two different ISPs via central site router. We are announcing our subnet via ISP-1 normally , but for ISP2 we are announcing the subnet with AS path prepending configuration. As a result , we still see inbound traffic from internet to our subnet via ISP-2. Is that possible to adjust more tuning for inbound traffic ? We would like to achieve that there will be no inbound traffic via ISP-2. By the way , in the next step of the configuration we would like to configure our multihomed BGP router with PBR & NBAR. What we are going to try with this is that for example p2p traffic from our subnet to the internet will be detected with NBAR and it will be forwarded to the ISP-2 connection with PBR and the return traffic of this connection will be come through the ISP-2 connection. (Symmetric traffic flow) How can be achive that ? Kind Regards... Burak Dikici Note: I am writing the configuration of our multihomed BGP router below. (the real configuration's ip addresses and BGP AS numbers has beed changed in the text which is writing below.) router bgp 100 bgp log-neighbor-changes neighbor 2.2.2.2 remote-as 222 neighbor 2.2.2.2 description ISP_2 neighbor 1.1.1.1 remote-as 111 neighbor 1.1.1.1 description ISP_1 ! address-family ipv4 no synchronization network X.Y.0.0 mask 255.255.0.0 neighbor 2.2.2.2 activate neighbor 2.2.2.2 route-map AS_path_prepend_for_ISP2 out neighbor 2.2.2.2 filter-list 10 out neighbor 1.1.1.1 activate neighbor 1.1.1.1 route-map UPDATES_FOR_ISP1 in neighbor 1.1.1.1 filter-list 10 out no auto-summary exit-address-family ip as-path access-list 10 permit ^$ access-list 10 permit any access-list 20 permit X.Y.0.0 0.0.255.255 route-map UPDATES_FOR_ISP1 permit 10 match ip address 10 set weight 100 route-map AS_path_prepend_for_ISP2 permit 10 match ip address 20 set as-path prepend 100 100 100 100 100 route-map AS_path_prepend_for_ISP2 permit 20 From Stig.Johansen at atea.no Sat Mar 14 20:07:09 2009 From: Stig.Johansen at atea.no (Stig Johansen) Date: Sun, 15 Mar 2009 01:07:09 +0100 Subject: [c-nsp] BGP - Multihoming In-Reply-To: References: Message-ID: <5EB9799F396A304686962AFFF740ED0CE9C50383@NOOSLEXCH001.adno.local> Burak Dikici wrote: >I would like consult some subject about BGP to the experienced BGP users. We are making a BGP connection to a two different ISPs via central site router. >We are announcing our subnet via ISP-1 normally , but for ISP2 we are announcing the subnet with AS path prepending configuration. As a result , we still see inbound traffic from internet to our subnet via ISP-2. Is that possible to adjust more tuning for inbound traffic ? We would like to achieve that there will be no inbound traffic via ISP-2. >By the way , in the next step of the configuration we would like to configure our multihomed BGP router with PBR & NBAR. What we are going to try with this is that for example p2p traffic from our subnet to the internet will be detected with NBAR and it will be forwarded to the ISP-2 connection with PBR and the return traffic of this connection will be come through the ISP-2 connection. (Symmetric traffic flow) How can be achive that ? Hi there, Maybe someone has better ideas, but here goes anyway; 1) If you prepend your AS various times towards ISP-2, the BGP best path selection should prefer the path with the shortest AS-PATH, and therefore use your ISP-1 connection. 2) If your ISP-2 has a policy of assigning a higher LOCAL PREFERENCE for prefixes originated from any of it's customers, all of the customers of ISP-2 (and the ISP-2 it self) will use ISP-2's connection to you by default. This is reasonable for ISP-2, as it would use it's own internal network to reach you. I'm not sure if ISP-2 would like to change this configuration, as it would inflict a higher usage of it's other peeringlinks, but asking doesn't hurt.. :) If you want certain traffic to use the ISP-2 link with PBR, you would need to make sure the traffic uses IP-addresses which are preferred on the ISP-link. If you don't know which source-addresses will need to use this link, but use NBAR to discover this, you'll have to use NAT'ing. A) Either get a pool of IP-addresses from ISP-2 (which will be preferred on ISP-2 anyway), or use a smaller prefix of your own addresses (and make sure they are preferred on the ISP-2 link, using the methods as cited above) B) Use PBR with NBAR to make the interesting traffic use the ISP-2-link and configure NAT'ing to the addresses you aquired in A). Best regards, Stig Meireles Johansen From christian at broknrobot.com Sat Mar 14 20:34:27 2009 From: christian at broknrobot.com (Christian Koch) Date: Sat, 14 Mar 2009 17:34:27 -0700 Subject: [c-nsp] BGP - Multihoming In-Reply-To: <5EB9799F396A304686962AFFF740ED0CE9C50383@NOOSLEXCH001.adno.local> References: <5EB9799F396A304686962AFFF740ED0CE9C50383@NOOSLEXCH001.adno.local> Message-ID: I'd agree with Stig's suggestions and his assumption about the local pref is probably correct. I'd also suggest you check if your SP's have defined communities to send in order to alter attributes of the prefixes you are sending. On Sat, Mar 14, 2009 at 5:07 PM, Stig Johansen wrote: > Burak Dikici wrote: >>I would like consult some subject about BGP to the experienced BGP users. We are making a BGP connection to a two different ISPs via central site router. >>We are announcing our subnet via ISP-1 normally , but for ISP2 we are announcing the subnet with AS path prepending configuration. As a result , we still see inbound traffic from internet to our subnet via ISP-2. Is that possible to adjust more tuning for inbound traffic ? We would like to achieve that there will be no inbound traffic via ISP-2. >>By the way , in the next step of the configuration we would like to configure our multihomed BGP router with PBR & NBAR. What we are going to try with this is that for example p2p traffic from our subnet to the internet will be detected with NBAR and it will be forwarded to the ISP-2 connection with PBR and the return traffic of this connection will be come through the ISP-2 connection. (Symmetric traffic flow) How can be achive that ? > > Hi there, > > Maybe someone has better ideas, but here goes anyway; > > 1) If you prepend your AS various times towards ISP-2, the BGP best path selection should prefer the path with the shortest AS-PATH, and therefore use your ISP-1 connection. > 2) If your ISP-2 has a policy of assigning a higher LOCAL PREFERENCE for prefixes originated from any of it's customers, all of the customers of ISP-2 (and the ISP-2 it self) will use ISP-2's connection to you by default. This is reasonable for ISP-2, as it would use it's own internal network to reach you. > > I'm not sure if ISP-2 would like to change this configuration, as it would inflict a higher usage of it's other peeringlinks, but asking doesn't hurt.. :) > > If you want certain traffic to use the ISP-2 link with PBR, you would need to make sure the traffic uses IP-addresses which are preferred on the ISP-link. If you don't know which source-addresses will need to use this link, but use NBAR to discover this, you'll have to use NAT'ing. > > A) Either get a pool of IP-addresses from ISP-2 (which will be preferred on ISP-2 anyway), or use a smaller prefix of your own addresses (and make sure they are preferred on the ISP-2 link, using the methods as cited above) > B) Use PBR with NBAR to make the interesting traffic use the ISP-2-link and configure NAT'ing to the addresses you aquired in A). > > Best regards, > Stig Meireles Johansen > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jlewis at lewis.org Sat Mar 14 21:21:32 2009 From: jlewis at lewis.org (Jon Lewis) Date: Sat, 14 Mar 2009 21:21:32 -0400 (EDT) Subject: [c-nsp] AS5200 / 5300 Modem Cards In-Reply-To: <036001c9a4ee$defc7af0$9cf570d0$@net> References: <036001c9a4ee$defc7af0$9cf570d0$@net> Message-ID: On Sat, 14 Mar 2009, Gregory Boehnlein wrote: > I'm having a tough time locating this information on CCO. I have an AS5200 > sitting in the back, and am wondering if I can move the two Mica carrier > cards into an AS5300? Are they interchangeable? I'm relatively certain the answer is no. IIRC, 5300s are quite a bit deeper and the cards for them would be longer....not to mention they're newer, higher density units. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From justin at justinshore.com Sat Mar 14 21:34:07 2009 From: justin at justinshore.com (Justin Shore) Date: Sat, 14 Mar 2009 20:34:07 -0500 Subject: [c-nsp] service unsupported-transceiver in a 7201 Message-ID: <49BC5B0F.6090302@justinshore.com> Does anyone know if 'service unsupported-transceiver' is or is not supported in a 7201 running 12.4(24)T? I'm trying it on one of mine and it is not working. 7201-1.dc(config)#service unsupported-transceiver ^ % Invalid input detected at '^' marker. The command is accepted in my 7613. For that matter it's not accepted in one of my 7206s either. Is there a command that's specific to the 7200s? Thanks Justin From mtinka at globaltransit.net Sun Mar 15 02:43:01 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Sun, 15 Mar 2009 14:43:01 +0800 Subject: [c-nsp] 12.2(33)SXI vpnv6 In-Reply-To: <9e246b4d0903141340y48769f00v56f9bc49b938e569@mail.gmail.com> References: <9e246b4d0903131330v72e9d04dgce7d78273faeac89@mail.gmail.com> <9e246b4d0903141255r3091a2e5m6e451616bbed7ab8@mail.gmail.com> <9e246b4d0903141340y48769f00v56f9bc49b938e569@mail.gmail.com> Message-ID: <200903151443.06934.mtinka@globaltransit.net> On Sunday 15 March 2009 04:40:27 am Tim Durack wrote: > Guess this is due to the lack of IPv6 LDP. Hopefully this > will get fixed sooner rather than later. The draft is already out. Indications from the leading vendors are that it'll be in the code by the end of the year. Your guess is as good as mine whether that actually pans out. Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From gert at greenie.muc.de Sun Mar 15 08:17:37 2009 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 15 Mar 2009 13:17:37 +0100 Subject: [c-nsp] service unsupported-transceiver in a 7201 In-Reply-To: <49BC5B0F.6090302@justinshore.com> References: <49BC5B0F.6090302@justinshore.com> Message-ID: <20090315121737.GF290@greenie.muc.de> Hi, On Sat, Mar 14, 2009 at 08:34:07PM -0500, Justin Shore wrote: > 7201-1.dc(config)#service unsupported-transceiver It's a "switch" thing. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From bdikici at gmail.com Sun Mar 15 09:06:05 2009 From: bdikici at gmail.com (Burak Dikici) Date: Sun, 15 Mar 2009 15:06:05 +0200 Subject: [c-nsp] BGP conditional advertisemet - NON-EXIST route map's access-list problem Message-ID: I am getting full internet route from ISP-1 and getting just a default route from ISP-2. ( Both ISP connection is terminated on the one central site router.) What i am trying to do , to make an ISP-2 connection is completly backup for inbound traffic. To achieve that ,i am trying to use BGP conditional advertisemet configuration. I have got a problem with NON-EXIST route map's access-list. In the NON-EXIST router map i am using the commands which is written below ; ip as-path access-list 1 permit ^200 !!! (ISP-1 AS number) !!! access-list 65 permit any !!! (permit any packet from ISP-2) !!! route-map NON-EXIST permit 10 !!! (this matches any route from AS200) !!! match ip address 65 match as-path 1 router bgp 10 !!! (My AS number) !!! neighbor X.Y.Z.W (ISP-2 ip address) advertise-map ADVERTISE non-exist-map NON-EXIST !!! (What is says. This router will only advertise "networks defined in the route-map named ADVERTISE" if and only if "routes that are defined in the route-map named NON-EXISTS" do not appear in the BGP routing table.) !!! with this configuration when the ISP-1 connection is up , my router still adversite my subnet to the ISP-2. What should i write in the access-list 65 to not advertise my subnet to the ISP-2 until the failure of ISP-1 connection ? ( As i said , i am getting the full internet table from ISP-1.) Kind Regards... Burak Dikici From andy.bierlair at root.lu Sun Mar 15 10:45:30 2009 From: andy.bierlair at root.lu (Andy BIERLAIR) Date: Sun, 15 Mar 2009 15:45:30 +0100 Subject: [c-nsp] Netflow on SUP720-3BXL Message-ID: <000501c9a57c$b05aacb0$11100610$@bierlair@root.lu> I'm trying to run netflow on one of our Cisco core routers (SUP720-3BXL with SXF15a), but I think I am hitting some limitations because of this: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [99%] The setup of netflow looks like this (globally): ip flow-cache entries 524288 mls aging fast time 5 threshold 32 mls aging long 300 mls aging normal 60 mls netflow usage notify 80 300 mls flow ip full no mls flow ipv6 mls nde sender version 5 no mls verify ip checksum no mls acl tcam share-global ip flow-export source Loopback0 ip flow-export version 5 origin-as ip flow-export destination Then I have this enabled on all border interfaces/vlans (peering / transit / other core routers) that are of interest for my stats: ip route-cache flow Some more details about the problem: #sh mls netflow table-contention detailed Earl in Module 5 Detailed Netflow CAM (TCAM and ICAM) Utilization ================================================ TCAM Utilization : 100% ICAM Utilization : 13% Netflow TCAM count : 262033 Netflow ICAM count : 17 Netflow Creation Failures : 4822220 Netflow CAM aliases : 1 #sh mls netflow table-contention aggregate Earl in Module 5 Aggregate Netflow CAM Contention Information ============================================= Netflow Creation Failures : 130003616 Netflow Hash Aliases : 4 #sh mls netflow flowmask current ip flowmask for unicast: full current ipv6 flowmask for unicast: null I understand that the TCAM is full, but what can I do against it? This is a busy core router: Aggregated traffic: 7-8 GBIT/s Packets per Second: 1.0 - 1.2 Million I have heard that more agressive aging might help, but I expect the router's traffic and pps to increase dramatically, so I'll be hitting the roof over and over again. I wouldn't mind analyzing only every 10th or 100th flow (sampling), which seems to be a common practice, but will it help? What is the common netflow setup without additional DFCs for a busy router? Any good piece of advice is welcome. Thanks! - Andy From blahu77 at gmail.com Sun Mar 15 10:53:25 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Sun, 15 Mar 2009 14:53:25 +0000 (IST) Subject: [c-nsp] BGP conditional advertisemet - NON-EXIST route map's access-list problem In-Reply-To: Message-ID: Burak, > ip as-path access-list 1 permit ^200 !!! (ISP-1 AS number) !!! > > access-list 65 permit any !!! (permit any packet from ISP-2) !!! > > route-map NON-EXIST permit 10 !!! (this matches any route from AS200) !!! > match ip address 65 > match as-path 1 you can match only on ACL and prefix-list int the *-EXIST-MAPs. Also you dont match packets rather prefixes. So choose a ISP-1 prefix (some infrastructure IPs or so) and match in prefix-list/route-map. Then if it is gone, start advertisiing to routes in ADVERTISE Best Regards, -mat -- pgp-key 0x1C655CAB -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: OpenPGP digital signature URL: From justin at justinshore.com Sun Mar 15 10:59:24 2009 From: justin at justinshore.com (Justin Shore) Date: Sun, 15 Mar 2009 09:59:24 -0500 Subject: [c-nsp] service unsupported-transceiver in a 7201 In-Reply-To: <20090315121737.GF290@greenie.muc.de> References: <49BC5B0F.6090302@justinshore.com> <20090315121737.GF290@greenie.muc.de> Message-ID: <49BD17CC.9090403@justinshore.com> Gert Doering wrote: > Hi, > > On Sat, Mar 14, 2009 at 08:34:07PM -0500, Justin Shore wrote: >> 7201-1.dc(config)#service unsupported-transceiver > > It's a "switch" thing. D'oh! You're breaking my heart, Gert. Justin From drew.weaver at thenap.com Sun Mar 15 11:54:02 2009 From: drew.weaver at thenap.com (Drew Weaver) Date: Sun, 15 Mar 2009 08:54:02 -0700 Subject: [c-nsp] Opinions of DDoS appliances, other techniques, most notably Cisco Guard Message-ID: Hi, Does anyone here have any real world experience with Cisco Guard or other products such as Arbor's Peakflow that they can share? If you've tried multiple systems and ended up with a specific one, please share the reasoning behind it. Also, without a dedicated DDoS system deployed, what is the most reliable/fastest way to determine the destination(s) of the attacks (SNMP, NetFlow, etc)? Any particular software tools which are helpful for detecting this, NetFlow for us has been slightly difficult to use for this task mainly because we haven't found software that is really designed for security rather than performance (would be nice if it did both?) Either systems/techniques that automatically mitigate or systems that simply recommend mitigation steps/alert are both being evaluated. By mitigation I mean Null routing sources, null routing destinations upstream (via communities), et cetera. Any opinions would be helpful, we'd need something that will handle 3-6Gbps and is hopefully vertically scalable. Thanks, -Drew From andy-lists at bourges.de Sun Mar 15 12:18:19 2009 From: andy-lists at bourges.de (Andreas Bourges) Date: Sun, 15 Mar 2009 17:18:19 +0100 Subject: [c-nsp] Netflow on SUP720-3BXL In-Reply-To: <000501c9a57c$b05aacb0$11100610$@bierlair@root.lu> References: <000501c9a57c$b05aacb0$11100610$@bierlair@root.lu> Message-ID: <200903151718.22464.andy-lists@bourges.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, On Sunday 15 March 2009 15:45:30 Andy BIERLAIR wrote: > I'm trying to run netflow on one of our Cisco core routers (SUP720-3BXL > with SXF15a), but I think I am hitting some limitations because of this: > mls aging fast time 5 threshold 32 > mls aging long 300 > mls aging normal 60 > Then I have this enabled on all border interfaces/vlans (peering / transit > / other core routers) that are of interest for my stats: > > ip route-cache flow This command only affects packets processed by the MSFC - so at least with your IOS it doesn't matter if you configured it on all interfaces or only on some. Once MLS NDE is activated, it exports all observed flows regardless of the "ip route cache flow" command... You could upgrade to an IOS >= SXH, which lets you enable mls nde on a per interface basis - this would (depending on your setup) reduce the amount of created flow entries (I suspect...). > I have heard that more agressive aging might help, but I expect the > router's traffic and pps to increase dramatically, so I'll be hitting the > roof over and over again. > > I wouldn't mind analyzing only every 10th or 100th flow (sampling), which > seems to be a common practice, but will it help? This won't help on 65K/76K, since they only support "flow-sampling" - which means all flows are created in the tcam but not all of them are exported to the collector (to reduce export load and collector load). > What is the common netflow setup without additional DFCs for a busy router? Since you are already equipped with Sup720-3BXL the one thing that can help is to set the mls aging timers more aggressive, I suppose. If (and I'm not sure about that) per-interface mls nde reduces the created flows in the tcam, an upgrade to SXH could help, too... Another thing would be to set the flow-mask to something different than "full" - - which gives you less information but produces less flows, too. Depends on your needs. Regards, Andy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkm9KksACgkQRrny/uOBVy490wCgiEtIs6b2GDeQiWwxOgp4Pnxg xi0AmwRN26/oeMbBhCMFFninhmtjW4si =ERFo -----END PGP SIGNATURE----- From rdobbins at cisco.com Sun Mar 15 12:39:57 2009 From: rdobbins at cisco.com (Roland Dobbins) Date: Mon, 16 Mar 2009 00:39:57 +0800 Subject: [c-nsp] Opinions of DDoS appliances, other techniques, most notably Cisco Guard In-Reply-To: References: Message-ID: <725C9117-BE48-468B-A39E-B69347853BAB@cisco.com> On Mar 15, 2009, at 11:54 PM, Drew Weaver wrote: > Also, without a dedicated DDoS system deployed, what is the most > reliable/fastest way to determine the destination(s) of the attacks > (SNMP, NetFlow, etc)? With or without a dedicated DDoS mitigation system, NetFlow-based anomaly-detection is generally considered to be the most scalable solution which provides network visibility of inbound/outbound/ crossbound traffic. > Any particular software tools which are helpful for detecting this, > NetFlow for us has been slightly difficult to use for this task > mainly because we haven't found software that is really designed for > security rather than performance (would be nice if it did both?) Arbor Peakflow SP, Narus Insight Manager, and Lancope StealthWatch Xe are three commercial NetFlow-based anomaly-detection systems. There's a free (but not open-source, AFAIK) system which has recently been released on Windows (*NIX to come later); I haven't played with it myself, but here's a link: > Either systems/techniques that automatically mitigate or systems > that simply recommend mitigation steps/alert are both being evaluated. I'm generally not a big fan of automatic mitigation, except possibly in some very limited situations/domains, as there's always the possibility it could be gamed. > By mitigation I mean Null routing sources, null routing destinations > upstream (via communities), et cetera. Again, think carefully before automating any sort of blackholing or other mitigation mechanism. ----------------------------------------------------------------------- Roland Dobbins