From mleber at he.net Fri May 1 05:15:22 2009
From: mleber at he.net (Mike Leber)
Date: Fri, 01 May 2009 02:15:22 -0700
Subject: [c-nsp] Anybody here is running IPv6
In-Reply-To: <16e2ac180904291052h130ad66eq2cc456365625375b@mail.gmail.com>
References: <16e2ac180904290803k750b46bu9760c23a330f3003@mail.gmail.com> <16e2ac180904291052h130ad66eq2cc456365625375b@mail.gmail.com>
Message-ID: <49FABDAA.9030002@he.net>

You also might try out Hurricane's free IPv6 certification/training service at
http://ipv6.he.net/certification

Mike.

Renelson Panosky wrote:
> Thank you all for the responses on IPv6. I've learned a lot from you guys and
> I feel a lot more comfortable.
>
> Renelson
>
> On Wed, Apr 29, 2009 at 11:03 AM, Renelson Panosky wrote:
>
>> Hello fellow Engineers
>>
>> We are getting ready to start testing IPv6 at my job. If you are running
>> IPv6 right now, please let me know how it is working for you. I would like to know
>> the good, the bad and the ugly.
>>
>> Renelson
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
+---------------- H U R R I C A N E - E L E C T R I C ----------------+
| Mike Leber          Wholesale IPv4 and IPv6 Transit     510 580 4100 |
| Hurricane Electric  AS6939                                           |
| mleber at he.net    Internet Backbone & Colocation    http://he.net |
+---------------------------------------------------------------------+

From SteveMc at netservicesplc.com Fri May 1 07:20:58 2009
From: SteveMc at netservicesplc.com (Steve McCrory)
Date: Fri, 1 May 2009 12:20:58 +0100
Subject: [c-nsp] QoS Strategy for Cisco 877
In-Reply-To: <9a9d0c6a0904301316u4d9835a1o920a12a2445cdbfe@mail.gmail.com>
References: <9a9d0c6a0904301316u4d9835a1o920a12a2445cdbfe@mail.gmail.com>
Message-ID: <1C15FB264A06794F8BDE2120972B51C1050E2DA2@netexch04.ad.netservicesplc.com>

Hi Gary,

Configuring QoS on Cisco 877 routers is actually at the heart of one of our products.

Can I ask what queuing method you are using, are you using CBWFQ or Priority queuing?

Steven

Steven McCrory
Senior Network Engineer
Netservices PLC
Waters Edge Business Park
Modwen Road
Manchester, M5 3EZ
www.netservicesplc.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary T. Giesen
Sent: 30 April 2009 21:17
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] QoS Strategy for Cisco 877

Guys,

I've been trying a bunch of different methods, but nothing seems to achieve what I want. Ideally I'd like to use Priority Queueing (or something that operates the same) on the ATM0 interface of a Cisco 877.

I have 3 classes of traffic:

Telnet/SSH/ICMP/Management - High Priority
General Data - Default Priority
IP Video Cameras - Low Priority

Normally I would just use a priority-list/priority-group, but I can't seem to apply it to either the ATM0 interface or the ATM0.33 interface (and I have also tried applying it on the PVC under the subinterface).

I would like all packets in the high priority queue to be serviced first, then all packets in the default priority, and if there's any bandwidth left over, service the low priority queue. I would prefer not to have to define minimum and maximum bandwidth for each queue (I don't want any hard queues/bandwidth limits; I would like all available bandwidth to be used by any particular queue as long as the queues above it are serviced).

Can anyone recommend a QoS strategy/configuration for this that will work on the ATM0/DSL interface (no PPPoE) on a Cisco 877?

Thanks,

GG

--------
NetServices plc, Company No.
4178393, Registered Office: NetServices House, 31 Modwen Road, Waters Edge Business Park, SALFORD, M5 3EZ
--------

From danny.vernals at gmail.com Fri May 1 10:00:18 2009
From: danny.vernals at gmail.com (Danny Vernals)
Date: Fri, 1 May 2009 15:00:18 +0100
Subject: [c-nsp] Cisco MPLS interoperability with Mikrotik (or Linux) MPLS
In-Reply-To: <6bb5f5b10904292135h23af6144udea2645aee3a9af1@mail.gmail.com>
References: <6bb5f5b10904292135h23af6144udea2645aee3a9af1@mail.gmail.com>
Message-ID:

On Thu, Apr 30, 2009 at 5:35 AM, Rubens Kuhl wrote:
> Has anyone done any testing interoperating Cisco MPLS (Cat 6k or
> 7600 families) with Mikrotik (which is just packaging of MPLS Linux)?
> I'm especially curious about EoMPLS and H-VPLS interoperating, but
> basic LDP/RSVP/MPLS-TE/MPLS-FRR also needs to be addressed, of course.
>

I can't comment on the Mikrotik aspect, but I've played around with MPLS Linux (mpls-linux.sourceforge.net/) a bit recently. The kernel label forwarding aspect (including EoMPLS) seems well maintained and I've managed to get a Linux instance participating with off-the-shelf routers in MPLS forwarding. Label distribution protocols don't seem to be as well maintained, LDP being the most mature, although you'll need to compile from the latest sources downloaded from the project's Subversion server. There are code trees for Quagga for MP-BGP support, although I would consider this alpha at best. AFAIK there is no RSVP or VPLS support yet.

> Rubens
>

From Michael.Robson at manchester.ac.uk Fri May 1 10:05:35 2009
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Fri, 1 May 2009 15:05:35 +0100
Subject: [c-nsp] Optical module transmit power
In-Reply-To:
References: <5C4E7532-71EB-4056-A491-9AE1FB5919D5@manchester.ac.uk>
Message-ID:

Michael

--
Michael Robson            | Tel: +44 (0) 161 275 6113
Senior Network Engineer   | Fax: +44 (0) 161 275 6120
Net North West            | Email: Michael.Robson at manchester.ac.uk

On 30 Apr 2009, at 16:08, Dale W. Carder wrote:
>
> On Apr 30, 2009, at 9:37 AM, Michael Robson wrote:
>> We have a selection of ZR modules (XENPAK-10GB-ZR)
>
>> For these modules, none of them are transmitting at anything like
>> their maximum of +4.0dBm (Cisco's figures for the maximum transmit
>> power); they are in fact transmitting between +1.9dBm and +2.3dBm.
>
> This is to be expected. Vendors just publish a tolerable
> range somewhere in which the optics will operate.
>
>> What determines what they will transmit at, i.e. is it simply that
>> better manufactured ones achieve a transmit value closer to the
>> +4.0dBm power level?
>
> Maybe it's luck.
>

As I suspected, ah well.

> Anyway, how long are your fiber spans? If they are really
> long, and you're living on the edge now, you may end up in
> a sticky situation as these optics degrade over time.
>

They are very long distances; however these links are just stop gaps until we procure our DWDM equipment.

> If they are not extremely long, you may have some horrible
> jumpers or splices that are eating some dB. Do you have
> an OTDR?
>
> Dale
>

The circuit supplier quoted dB values for the links on handover which should have meant that most of the links would have been within acceptable values: perhaps the 6500-quoted values aren't very accurate?

> p.s. My fiance did her postgraduate work at Manchester.
> Quite a nice place!

Manchester is a great place!

Thanks,
Michael.

From alasdairm at gmail.com Fri May 1 11:29:56 2009
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Fri, 1 May 2009 16:29:56 +0100
Subject: [c-nsp] VSS1440 to ASR1002 - MEC issues
Message-ID:

Hello,

I'm currently deploying two Cisco 6509-E chassis with VS-Sup720-10GE (in a VSS 1440 cluster/configuration) with dual ASR 1002 routers to provide aggregation of multiple upstream links (running multiple BGP and EIGRP sessions).

I wanted to utilize MEC between each ASR and each 6509 chassis to build in as much resilience as possible. However this configuration seems to be playing up and so I thought I'd ask the experts!

Physical Topology:

ASR Gi0/0/0 into 6509 Chassis 1 Module 1 Port 1
ASR Gi0/1/0 into 6509 Chassis 2 Module 1 Port 1

The ASR is running IOS-XE 2.3.0 (IOS 12.2(33)XNC) AISK9 with dual IOS processes.
The VSS chassis are running IOS 12.2(33)SXI1 ISK9 with a 4x 10GE VSL (2 supervisor 10GE interfaces, 2 10GE interfaces on a 6708-10GE line card).
I'm just using CAT6 between the ASR and the 6748-GE-TX line cards in the VSS boxes.

ASR configuration:

interface Port-Channel1
 ip address x.x.x.5 255.255.255.252
 ip hello-interval eigrp 100 2
 ip hold-time eigrp 100 6
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 vcoresw1-chain
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0 255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shut
!

interface Gi0/0/0
 channel-group 1
 no shut

interface Gi0/1/0
 channel-group 1
 no shut

Cisco VSS configuration:

int Gi1/1/1
 no switchport
 channel-group 3 mode on

int Gi2/1/1
 no switchport
 channel-group 3 mode on

int Po3
 desc *** MEC to br1-po1 ***
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip vrf forwarding edge-vrf
 ip address x.x.x.6 255.255.255.252
 ip hello-interval eigrp 100 2
 ip hold-time eigrp 100 6
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 br1-chain
 no shut
!

The problem I am experiencing seems to be one-way traffic between the VSS cluster and the Border Router. Pinging across this /30 subnet does not work in either direction. EIGRP relationships build when the Po interfaces first come online and then immediately time out moments later. The VSS cluster then does not see any further EIGRP traffic from the ASR. However the ASR seems to think it's successfully building an adjacency to the VSS. However this times out due to 'retry limit exceeded' every minute or so, but seems to think it re-establishes again.

This problem persists if we drop the PortChannel to just one Gigabit Ethernet interface. The second interface can be shut down or actually removed from the Po config (e.g. no channel-group 1).

The really interesting thing is, with one link, if we remove the channel-group command from the one remaining ASR interface, all of a sudden the link springs to life. Pings between the ASR Gi0/0/0 interface and the Po3 VSS interface are successful. The EIGRP relationship comes up immediately and is stable, and routes are exchanged as you'd expect.

How does this work? With the ASR thinking it's a non-EtherChannel interface, but the VSS thinking it IS an EtherChannel (with 1 member), surely it should just fail?

Am I doing something wrong or could this be a bug in either VSS or the ASR?

It's not earth shattering, we could just configure 2 EIGRP sessions between the VSS and the ASR (4 in total with 2 ASRs), but I don't think this is as clean an implementation as MEC across fully redundant chassis and line cards (one of the big selling points of the VSS!!)

Any help would be much appreciated!

Thanks
Alasdair

From md at bts.sk Fri May 1 11:40:01 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Fri, 1 May 2009 17:40:01 +0200
Subject: [c-nsp] Optical module transmit power
In-Reply-To:
References: <5C4E7532-71EB-4056-A491-9AE1FB5919D5@manchester.ac.uk>
Message-ID: <20090501152107.M75686@bts.sk>

On Fri, 1 May 2009 15:05:35 +0100, Michael Robson wrote
> The circuit supplier quoted dB values for the links on handover which
> should have meant that most of the links would have been within
> acceptable values: perhaps the 6500-quoted values aren't very accurate?

Values reported by ZR XENPAKs are quite precise, so if they report an RX level which is much worse than expected, you have to look for dirty connectors, a faulty patchcord or similar problems. Our installation team tried to blame XENPAKs for inaccurate measurements several times, but after closer investigation it always turned out that the fault was somewhere else. It's nothing uncommon to see 3 dB extra loss on just one dirty connector.

M.

From SteveMc at netservicesplc.com Fri May 1 11:50:29 2009
From: SteveMc at netservicesplc.com (Steve McCrory)
Date: Fri, 1 May 2009 16:50:29 +0100
Subject: [c-nsp] QoS Strategy for Cisco 877
In-Reply-To: <1C15FB264A06794F8BDE2120972B51C1050E2DA2@netexch04.ad.netservicesplc.com>
References: <9a9d0c6a0904301316u4d9835a1o920a12a2445cdbfe@mail.gmail.com> <1C15FB264A06794F8BDE2120972B51C1050E2DA2@netexch04.ad.netservicesplc.com>
Message-ID: <1C15FB264A06794F8BDE2120972B51C1050E2E1A@netexch04.ad.netservicesplc.com>

Hi Gary,

I've read through your email again and answered my own question.
My next question would be, have you given thought to the upstream sync speed? Our testing highlighted that when QoS was applied to the PVC, it didn't seem to function properly unless we applied a vbr-nrt bitrate configuration which matched the upstream sync speed, e.g.

interface ATM0
 pvc 0/38
  vbr-nrt 832 832
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
  service-policy output dsl-out
  max-reserved-bandwidth 100

Steven

Steven McCrory
Senior Network Engineer
Netservices PLC
Waters Edge Business Park
Modwen Road
Manchester, M5 3EZ
www.netservicesplc.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve McCrory
Sent: 01 May 2009 12:21
To: giesen at snickers.org; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] QoS Strategy for Cisco 877

[...]

From achatz at forthnet.gr Fri May 1 12:01:18 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 01 May 2009 19:01:18 +0300
Subject: [c-nsp] VSS1440 to ASR1002 - MEC issues
In-Reply-To:
References:
Message-ID: <49FB1CCE.4000309@forthnet.gr>

ASR1000 doesn't -yet- support the well-known EtherChannel/LACP. If I remember right, RLS5 will have it.

There is a feature called VLAN Mapping to Gigabit EtherChannel (GEC) Member Links, but I don't think it would help you much, since you have L3 portchannels on both sides.
http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_gecvlan.html

--
Tassos

Alasdair McWilliam wrote on 01/05/2009 18:29:
> Hello,
>
> I'm currently deploying two Cisco 6509-E chassis with VS-Sup720-10GE (in
> a VSS 1440 cluster/configuration) with dual ASR 1002 routers to provide
> aggregation of multiple upstream links (running multiple BGP and EIGRP
> sessions).
>
> [...]
>

From giesen at snickers.org Fri May 1 13:51:18 2009
From: giesen at snickers.org (Gary T. Giesen)
Date: Fri, 1 May 2009 13:51:18 -0400
Subject: [c-nsp] QoS Strategy for Cisco 877
In-Reply-To: <1C15FB264A06794F8BDE2120972B51C1050E2DA2@netexch04.ad.netservicesplc.com>
References: <9a9d0c6a0904301316u4d9835a1o920a12a2445cdbfe@mail.gmail.com> <1C15FB264A06794F8BDE2120972B51C1050E2DA2@netexch04.ad.netservicesplc.com>
Message-ID: <9a9d0c6a0905011051h63094a4bs5aaa09240b6257ee@mail.gmail.com>

I was hoping to use priority queueing, since it does exactly what I want (service all packets in the highest queue, then the default queue, then the low queue), but it doesn't seem to work with a DSL/ATM interface...

GG

On Fri, May 1, 2009 at 7:20 AM, Steve McCrory wrote:
> Hi Gary,
>
> Configuring QoS on Cisco 877 routers is actually at the heart of one of
> our products.
>
> Can I ask what queuing method you are using, are you using CBWFQ or
> Priority queuing?
>
> Steven
>
> [...]
>

From mduksa at gmail.com Fri May 1 17:10:30 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Fri, 1 May 2009 14:10:30 -0700
Subject: [c-nsp] IPv6 ND over PPP
Message-ID:

Hi -

1) Does anyone know if Cisco (IOS) is using IPv6CP for neighbor discovery on a PPP link, or do they run neighbor discovery on top of the PPP link?

2) Same question for HDLC over PPP -> how do they do neighbor discovery there: ND, statically provisioned neighbors, or Inverse ND?
Thanks,
Marlon

From mulitskiy at acedsl.com Fri May 1 17:20:21 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Fri, 1 May 2009 17:20:21 -0400
Subject: [c-nsp] Channelized DS3 over SM fiber handoff
Message-ID: <200905011720.21229.mulitskiy@acedsl.com>

Hello,

We will need to terminate a channelized DS3 circuit in a 7200VXR router.
The problem is that the DS3 is given to us by the telco (Verizon) as single-mode fiber.
I have no experience with this kind of setup and actually limited experience with DS3 circuits.
Has anybody done this before? How is it usually done?
Is there a DS3 PA with a fiber interface for 7200 routers (I don't see any), or should I use a media converter with PA-MC-T3? If so, can you recommend one?
It seems that many media converters use a proprietary DS3 encoding scheme and must be used in pairs (or at least I've been told so), but the telco is unable to give us any recommendation on how we should terminate it on our end.
If anyone could share experience on terminating a DS3 over fiber handoff from Verizon, East Coast, I'd greatly appreciate it. Any pointers to appropriate documentation/tutorials/howtos/etc are also very welcome.

Thanks a lot,
Michael

From jay at west.net Fri May 1 19:08:53 2009
From: jay at west.net (Jay Hennigan)
Date: Fri, 01 May 2009 16:08:53 -0700
Subject: [c-nsp] Channelized DS3 over SM fiber handoff
In-Reply-To: <200905011720.21229.mulitskiy@acedsl.com>
References: <200905011720.21229.mulitskiy@acedsl.com>
Message-ID: <49FB8105.4060807@west.net>

Michael Ulitskiy wrote:
> Hello,
>
> We will need to terminate channelized DS3 circuit in 7200VXR router.
> [...]

I've never seen a telco hand off a DS-3 as fiber. Always a pair of 75-ohm coaxial cables on BNC connectors. Typically it comes in to the customer premise as a SONET fiber connection and a carrier-owned MUX and NID is installed with the customer handoff as co-ax.

You would need to know the exact make and model of the hardware at the other end of the link to procure a compatible media converter if they are really terminating a DS-3 this way. And good luck when you have a case of trouble; the blame game on this one will not be fun.

Are you sure they're finished with the provisioning and that there isn't another group scheduled to install equipment?

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From ddelaros at cisco.com Fri May 1 20:43:43 2009
From: ddelaros at cisco.com (Daniel de la Rosa (ddelaros))
Date: Fri, 1 May 2009 17:43:43 -0700
Subject: [c-nsp] VSS1440 to ASR1002 - MEC issues
In-Reply-To: <49FB1CCE.4000309@forthnet.gr>
References: <49FB1CCE.4000309@forthnet.gr>
Message-ID: <8575A1BA6D8006418FD2CD73FCC2B2E6097D9360@xmb-sjc-231.amer.cisco.com>

That's correct, ASR1000 GEC only supports static VLAN LB at the moment and not LACP. So this can only work if you are OK with just using GEC with VLANs on both sides, as Tassos mentioned. Since you are deploying GEC for redundancy, this VLAN static LB should be able to give you what you need.

Also you need to have the VSS on GEC mode on.

HTH

-------------
Daniel de la Rosa
CCIE # 4622
Technical Marketing Engineer
ERBU, Cisco Systems

>
> ASR1000 doesn't -yet- support the well-known EtherChannel/LACP. If I
> remember right, RLS5 will have it.
>
> There is a feature called VLAN Mapping to Gigabit EtherChannel (GEC)
> Member Links, but I don't think it would help you much, since you have
> L3 portchannels on both sides.
> http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_gecvlan.html
>
> --
> Tassos
>
> Alasdair McWilliam wrote on 01/05/2009 18:29:
> > [...]
>

From sethm at rollernet.us Fri May 1 21:05:54 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 01 May 2009 18:05:54 -0700
Subject: [c-nsp] Channelized DS3 over SM fiber handoff
In-Reply-To: <200905011720.21229.mulitskiy@acedsl.com>
References: <200905011720.21229.mulitskiy@acedsl.com>
Message-ID: <49FB9C72.3080700@rollernet.us>

Michael Ulitskiy wrote:
> Hello,
>
> We will need to terminate channelized DS3 circuit in 7200VXR router.
> It seems that many media converters use proprietary DS3 encoding scheme and must be used in pairs > (or at least I've been told so), but telco is unable to give us any recommendation on how > we should terminate it on our end. > If anyone could share the experience on terminating DS3 over fiber handoff from Verizon, East Coast, > I'd greatly appreciate it. Any pointers to appropriate documentation/tutorials/howtos/etc are also very welcome. > Thanks a lot, > I've never seen anyone do that before with a DS3. Maybe they gave you Ethernet? ~Seth From troy at i2bnetworks.com Fri May 1 21:16:39 2009 From: troy at i2bnetworks.com (Troy Beisigl) Date: Fri, 1 May 2009 18:16:39 -0700 Subject: [c-nsp] Channelized DS3 over SM fiber handoff In-Reply-To: <49FB9C72.3080700@rollernet.us> References: <200905011720.21229.mulitskiy@acedsl.com> <49FB9C72.3080700@rollernet.us> Message-ID: <649E0D65-D6ED-4C78-9028-DA923AA3B7D5@i2bnetworks.com> Maybe they delivered a channelized OC3? I know that is an actual product, but have never seen a DS3 as fiber handoff. Troy Beisigl Sent from my iPhone On May 1, 2009, at 6:05 PM, Seth Mattinen wrote: > Michael Ulitskiy wrote: >> Hello, >> >> We will need to terminate channelized DS3 circuit in 7200VXR router. >> The problem is that DS3 is given to us by telco (Verizon) as a >> single-mode fiber. >> I have no experience with this kind of setup and actually limited >> experience with DS3 circuits. >> Has anybody done this before? How it's usually done? >> Is there a DS3 PA with fiber interface for 7200 routers (I don't >> see any) or I should use >> a media converter with PA-MC-T3? If so, can you recommend one? >> It seems that many media converters use proprietary DS3 encoding >> scheme and must be used in pairs >> (or at least I've been told so), but telco is unable to give us any >> recommendation on how >> we should terminate it on our end. 
>> If anyone could share the experience on terminating DS3 over fiber >> handoff from Verizon, East Coast, >> I'd greatly appreciate it. Any pointers to appropriate >> documentation/tutorials/howtos/etc are also very welcome. >> Thanks a lot, >> > > I've never seen anyone do that before with a DS3. Maybe they gave you > Ethernet? > > ~Seth > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From sethm at rollernet.us Fri May 1 21:41:46 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Fri, 01 May 2009 18:41:46 -0700 Subject: [c-nsp] Channelized DS3 over SM fiber handoff In-Reply-To: <649E0D65-D6ED-4C78-9028-DA923AA3B7D5@i2bnetworks.com> References: <200905011720.21229.mulitskiy@acedsl.com> <49FB9C72.3080700@rollernet.us> <649E0D65-D6ED-4C78-9028-DA923AA3B7D5@i2bnetworks.com> Message-ID: <49FBA4DA.9070701@rollernet.us> Troy Beisigl wrote: > Maybe they delivered a channelized OC3? I know that is an actual > product, but have never seen a DS3 as fiber handoff. > Maybe; odd though if one asked for a DS3. If that's the case you can just get an OC3 port adapter. 
~Seth

From pshem.k at gmail.com Sat May 1 22:42:29 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Sat, 2 May 2009 14:42:29 +1200
Subject: [c-nsp] BGP Med and outbound metric
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C38082C28C@PUR-EXCH07.ox.com>
References: <9418aca70904290835s453823e3p9c9ace6ca6eebceb@mail.gmail.com> <1C15FB264A06794F8BDE2120972B51C1050E2BF4@netexch04.ad.netservicesplc.com> <1C15FB264A06794F8BDE2120972B51C1050E2BF5@netexch04.ad.netservicesplc.com> <9418aca70904291209x6852365emf83323d998554972@mail.gmail.com> <1C15FB264A06794F8BDE2120972B51C1050E2C79@netexch04.ad.netservicesplc.com> <483E6B0272B0284BA86D7596C40D29F9C38082C28C@PUR-EXCH07.ox.com>
Message-ID: <20fe625b0905011942w1c2d6f3br80336b1a3070d7c6@mail.gmail.com>

Hi,

2009/5/1 Matthew Huff :
> Since we use BGP as peering to our ISPs, and don't use BGP internally in our core, I haven't used MED or local_pref much. However, we have two routers connected to another ASN (not via the internet) and I'm trying to influence their return path since we are getting asynchronous routing. I'm trying to use MED to advertise a lower preference out our second router but it doesn't seem to be working. Any suggestions?
> {cut}

Another option that you can try is as-prepending - instead of setting higher metric. Try this:

route-map setMED-LOW permit 10
 match ip address routemap_ecn
 set metric 200
 set as-path prepend 14607

Even if they reset the metric this should work (unless they influence the decision with weight or local_pref).

kind regards
Pshem

From eninja at gmail.com Fri May 1 23:10:26 2009
From: eninja at gmail.com (Eninja)
Date: Sat, 2 May 2009 04:10:26 +0100
Subject: [c-nsp] %IPC-SPSTBY-5-WATERMARK errors on dual-sup 6500 & SXI
In-Reply-To: <49F9D281.9010008@imperial.ac.uk>
References: <49F9D281.9010008@imperial.ac.uk>
Message-ID:

Phil,

This doesn't seem like a hardware issue.
The answers are in the IOS errors - eXternal Data Representation - XDR - used by IPC for RP-to-RP and RP-LC communication failed to allocate memory to XDR which was probably carrying keepalive messages between the RPs when it choked causing the other RP not to receive keepalive responses and thus forcing a crash (as designed) to take over on the assumption the active RP was down.

Inform Cisco TAC to look into IPC buffers, memory allocation and bugs (because IOS should do a better job at allocating memory to this rather critical housekeeping function)

In the meantime, you may want to start reviewing what's different between your other working boxes and this one with regards to IPC (what do your 'show ipc ....' say?) and IOS image.

Eninja

On Apr 30, 2009, at 5:32 PM, Phil Mayers wrote:

> All,
>
> We have a chassis with 2x sup720-3B and running SXI that, for the
> second time, appears to have "lost" the standby SUP to the above
> error messages.
>
> The first time, the pattern was:
>
> Mar 17 17:24:37.378 GMT: %XDR-6-XDRIPCNOTIFY: Message not sent to slot 6/0 (6) because of
> IPC error timeout. Disabling linecard. (Expected during linecard OIR or system reloads)
> Mar 17 17:24:42.826 GMT: %XDR-SPSTBY-3-XDRNOMEM: XDR failed to allocate memory during ipcQ
> chunks creation.
> -Traceback= 40252F70 4025350C 40932AB8 40DD8E9C 40426BA8 40427068 40427534 40427E38
> 40428608 40F465F4 40F3699C 40F36BB8 416E175C
>
> ...we did not notice these, but then a few days later the router began
> logging:
>
> Mar 21 07:17:51.798 GMT: %IPC-SPSTBY-5-WATERMARK: 1600 messages pending in rcv for the
> port Card6/0:Request(2060000.7) seat 2060000
> Mar 21 07:18:21.967 GMT: %IPC-SPSTBY-5-WATERMARK: 1600 messages pending in rcv for the
> port Card6/0:Request(2060000.7) seat 2060000
> Mar 21 07:18:52.126 GMT: %IPC-SPSTBY-5-WATERMARK: 1600 messages pending in rcv for the
> port Card6/0:Request(2060000.7) seat 2060000
>
> ...with the number of IPC messages rising, basically forever.
>
> TAC advised a bunch of stuff that basically amounted to re-seating
> the card, failing over to the sup to see if the sup or software was
> faulty (yikes...), swapping the sups around in the slots, and so
> forth. I re-seated the sup and it seemed stable, until a few days ago:
>
> Apr 21 01:26:18.815 BST: %RPC-SPSTBY-2-FAILED_USERHANDLE: Failed to send
> RPC request online_diag_sp_request:get_rp_cpu_info
> -Traceback= 40252F70 4025350C 40B43D3C 410D8528 410FCEF8 4109B750
> 4109C550 4109D140 4109AAD0 4109A8E4 4088E6C0 4088E6AC
>
> ...then...
>
> Apr 24 08:18:46.367 BST: %IPC-SPSTBY-5-WATERMARK: 1600 messages pending
> in rcv for the port Card6/0:Request(2060000.7) seat 2060000
>
> ...again, rising forever.
>
> I'm going to re-open the TAC case and see what they say, but I was
> wondering if anyone had come across this. There are some similar-
> sounding messages in the SXI release notes, but we've got other
> identically-configured boxes that don't display these symptoms, so
> I'm fearing a hardware fault (which would be ironic - this sup came
> from Cisco in response to an RMA...)
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From BBlackford at nwresd.k12.or.us Fri May 1 23:37:41 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Fri, 1 May 2009 20:37:41 -0700
Subject: [c-nsp] Channelized DS3 over SM fiber handoff
In-Reply-To: <49FB9C72.3080700@rollernet.us>
References: <200905011720.21229.mulitskiy@acedsl.com>, <49FB9C72.3080700@rollernet.us>
Message-ID: <6069A203FD01884885C037F81DD75080032AABBC0A@wsc-mail-01.intra.nwresd.k12.or.us>

I certainly haven't seen it all, but I would speculate that you have a SONET shelf terminated by a Fujitsu Flashwave or some other device and your handoff is dual coax clear channel. You may need to extend that part?
-b ________________________________________ From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen [sethm at rollernet.us] Sent: Friday, May 01, 2009 6:05 PM To: Michael Ulitskiy Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Channelized DS3 over SM fiber handoff Michael Ulitskiy wrote: > Hello, > > We will need to terminate channelized DS3 circuit in 7200VXR router. > The problem is that DS3 is given to us by telco (Verizon) as a single-mode fiber. > I have no experience with this kind of setup and actually limited experience with DS3 circuits. > Has anybody done this before? How it's usually done? > Is there a DS3 PA with fiber interface for 7200 routers (I don't see any) or I should use > a media converter with PA-MC-T3? If so, can you recommend one? > It seems that many media converters use proprietary DS3 encoding scheme and must be used in pairs > (or at least I've been told so), but telco is unable to give us any recommendation on how > we should terminate it on our end. > If anyone could share the experience on terminating DS3 over fiber handoff from Verizon, East Coast, > I'd greatly appreciate it. Any pointers to appropriate documentation/tutorials/howtos/etc are also very welcome. > Thanks a lot, > I've never seen anyone do that before with a DS3. Maybe they gave you Ethernet? 
~Seth _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From RWerber at epiknetworks.com Fri May 1 23:12:35 2009 From: RWerber at epiknetworks.com (Ryan Werber) Date: Fri, 1 May 2009 23:12:35 -0400 Subject: [c-nsp] Channelized DS3 over SM fiber handoff References: <200905011720.21229.mulitskiy@acedsl.com><49FB9C72.3080700@rollernet.us><649E0D65-D6ED-4C78-9028-DA923AA3B7D5@i2bnetworks.com> <49FBA4DA.9070701@rollernet.us> Message-ID: <4D58C7B4943F874BA4CB5D68A7924060918BDE@Epikserver2.Epik.local> Allstream at 151 front street in Toronto does this. They run a single strand SMF and they terminate it into a form of a media converter, which passes off 2x BNC as expected for a DS3. They do this for both clear channel and channelized DS3. Interestingly enough, our channelized OC12s come in on a pair of SMF from them. I would imagine you would need a similar media converter - I'm sorry I don't have the model number of the equipment Allstream uses. All I know it is some sort of WDM equipment (obviously) on the fiber side. Ryan Werber Sr. Network Engineer Epik Networks AS21513 -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen Sent: Friday, May 01, 2009 6:42 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Channelized DS3 over SM fiber handoff Troy Beisigl wrote: > Maybe they delivered a channelized OC3? I know that is an actual > product, but have never seen a DS3 as fiber handoff. > Maybe; odd though if one asked for a DS3. If that's the case you can just get an OC3 port adapter. 
~Seth _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From troy at i2bnetworks.com Sat May 2 01:22:15 2009 From: troy at i2bnetworks.com (troy at i2bnetworks.com) Date: Fri, 1 May 2009 22:22:15 -0700 (PDT) Subject: [c-nsp] Channelized DS3 over SM fiber handoff In-Reply-To: <4D58C7B4943F874BA4CB5D68A7924060918BDE@Epikserver2.Epik.local> References: <200905011720.21229.mulitskiy@acedsl.com><49FB9C72.3080700@rollernet.us><649E0D65-D6ED-4C78-9028-DA923AA3B7D5@i2bnetworks.com><49FBA4DA.9070701@rollernet.us> <4D58C7B4943F874BA4CB5D68A7924060918BDE@Epikserver2.Epik.local> Message-ID: <55541.66.181.2.150.1241241735.squirrel@webmail.i2bnetworks.com> Very interesting. Here is just one of many different media converters found while doing a google search. http://www.transition.com/TransitionNetworks/Products2/Product.aspx?ID=15429&CategoryName=SCSCF30xx-10x Troy Beisigl > Allstream at 151 front street in Toronto does this. They run a single > strand SMF and they terminate it into a form of a media converter, which > passes off 2x BNC as expected for a DS3. They do this for both clear > channel and channelized DS3. > > Interestingly enough, our channelized OC12s come in on a pair of SMF > from them. > > I would imagine you would need a similar media converter - I'm sorry I > don't have the model number of the equipment Allstream uses. All I know > it is some sort of WDM equipment (obviously) on the fiber side. > > Ryan Werber > Sr. Network Engineer > Epik Networks > AS21513 > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen > Sent: Friday, May 01, 2009 6:42 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Channelized DS3 over SM fiber handoff > > Troy Beisigl wrote: >> Maybe they delivered a channelized OC3? 
I know that is an actual >> product, but have never seen a DS3 as fiber handoff. >> > > Maybe; odd though if one asked for a DS3. If that's the case you can > just get an OC3 port adapter. > > ~Seth > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mulitskiy at acedsl.com Sat May 2 01:37:13 2009 From: mulitskiy at acedsl.com (Michael Ulitskiy) Date: Sat, 2 May 2009 01:37:13 -0400 Subject: [c-nsp] Channelized DS3 over SM fiber handoff In-Reply-To: <49FBA4DA.9070701@rollernet.us> References: <200905011720.21229.mulitskiy@acedsl.com> <649E0D65-D6ED-4C78-9028-DA923AA3B7D5@i2bnetworks.com> <49FBA4DA.9070701@rollernet.us> Message-ID: <200905020137.13515.mulitskiy@acedsl.com> On Friday 01 May 2009 09:41:46 pm Seth Mattinen wrote: > Troy Beisigl wrote: > > Maybe they delivered a channelized OC3? I know that is an actual > > product, but have never seen a DS3 as fiber handoff. > > > > Maybe; odd though if one asked for a DS3. If that's the case you can > just get an OC3 port adapter. are there any? I couldn't find any channelized OC3 PA for 7200 and search through the list shows that other people didn't succeed with it as well. 
> ~Seth > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mulitskiy at acedsl.com Sat May 2 02:07:31 2009 From: mulitskiy at acedsl.com (Michael Ulitskiy) Date: Sat, 2 May 2009 02:07:31 -0400 Subject: [c-nsp] Channelized DS3 over SM fiber handoff In-Reply-To: <200905011720.21229.mulitskiy@acedsl.com> References: <200905011720.21229.mulitskiy@acedsl.com> Message-ID: <200905020207.31770.mulitskiy@acedsl.com> Guys! Thanks to everybody who replied on and off-list. Now I believe that telco will deliver channelized OC3, but I'll definitely have to reverify it with them. I'm sure I'll have more questions, but at this point I guess I have to get more info from telco. At least now I guess I have an idea what this is about. Thanks a lot, Michael On Friday 01 May 2009 05:20:21 pm Michael Ulitskiy wrote: > Hello, > > We will need to terminate channelized DS3 circuit in 7200VXR router. > The problem is that DS3 is given to us by telco (Verizon) as a single-mode fiber. > I have no experience with this kind of setup and actually limited experience with DS3 circuits. > Has anybody done this before? How it's usually done? > Is there a DS3 PA with fiber interface for 7200 routers (I don't see any) or I should use > a media converter with PA-MC-T3? If so, can you recommend one? > It seems that many media converters use proprietary DS3 encoding scheme and must be used in pairs > (or at least I've been told so), but telco is unable to give us any recommendation on how > we should terminate it on our end. > If anyone could share the experience on terminating DS3 over fiber handoff from Verizon, East Coast, > I'd greatly appreciate it. Any pointers to appropriate documentation/tutorials/howtos/etc are also very welcome. 
> Thanks a lot, > > Michael > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From alasdairm at gmail.com Sat May 2 03:01:15 2009 From: alasdairm at gmail.com (Alasdair McWilliam) Date: Sat, 2 May 2009 08:01:15 +0100 Subject: [c-nsp] VSS1440 to ASR1002 - MEC issues In-Reply-To: <8575A1BA6D8006418FD2CD73FCC2B2E6097D9360@xmb-sjc-231.amer.cisco.com> References: <49FB1CCE.4000309@forthnet.gr> <8575A1BA6D8006418FD2CD73FCC2B2E6097D9360@xmb-sjc-231.amer.cisco.com> Message-ID: <4A420AF9-0E0D-4DE0-BA7A-7CFFD0BCF7A1@gmail.com> Even if ASR only supports GEC, surely my apparent 'one way' traffic symptoms aren't right? I only have one Gigabit Ethernet link in the Port-Channel, between the ASR and the active chassis within the VSS. When the channel-group command is removed from the ASR's GE interface, and the config moved onto the GE interface, it starts to work a treat, despite the VSS still thinking it's an EtherChannel ! Also, the 'switch accept mode virtual' command was run on the active node when the switches were first converted to VSS and rebooted. Many thanks Alasdair On 2 May 2009, at 01:43, Daniel de la Rosa (ddelaros) wrote: > That's correct, ASR1000 GEC only support static VLAN LB at the moment > and not LACP. So this can only work if you are ok on just using GEC > with > VLANs on both sides as Tassos mentioned. Since you are deploying GEC > for > redundancy, this VLAN static LB should be able to give you what you > need. Also you need to have the VSS on GEC mode on. > > HTH > > > ------------- > Daniel de la Rosa > CCIE # 4622 > Technical Marketing Engineer > ERBU, Cisco Systems > > > >> >> >> ASR1000 doesn't -yet- support the well-known EtherChannel/LACP. If i >> remember right, RLS5 >> will have it. 
>> >> There is a feature called VLAN Mapping to Gigabit EtherChannel (GEC) >> Member Links, but i >> don't think it would help you much, since you have L3 portchannels on >> both sides. >> > http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/ > lsw_c >> fg_gecvlan.html >> >> -- >> Tassos >> >> Alasdair McWilliam wrote on 01/05/2009 18:29: >>> Hello, >>> >>> I'm currently deploying two Cisco 6509-E chassis with VS-Sup720-10GE >> (in >>> a VSS 1440 cluster/configuration) with dual ASR 1002 routers to >> provide >>> aggregation of multiple upstream links (running multiple BGP and >> EIGRP >>> sessions). >>> >>> I wanted to utilize MEC between each ASR and each 6509 chassis to >> build >>> in as much resilience as possible. However this configuration seems >> to >>> be playing up and so I thought I'd ask the experts! >>> >>> Physical Topology: >>> >>> ASR Gi0/0/0 into 6509 Chassis 1 Module 1 Port 1 >>> ASR Gi0/1/0 into 6509 Chassis 2 Module 1 Port 1 >>> >>> The ASR is running IOS-XE 2.3.0 (IOS 12.2(33)XNC) AISK9 with dual > IOS >>> processes. >>> The VSS chassis are running IOS 12.2(33)SXI1 ISK9 with a 4x 10GE VSL >> (2 >>> supervisor 10GE interfaces, 2 10GE interfaces on a 6708-10GE line >> card). >>> I'm just using CAT6 between the ASR and the 6748-GE-TX line cards in >> the >>> VSS boxes. >>> >>> ASR configuration: >>> >>> interface Port-Channel1 >>> ip address x.x.x.5 255.255.255.252 >>> ip hello-interval eigrp 100 2 >>> ip hold-time eigrp 100 6 >>> ip authentication mode eigrp 100 md5 >>> ip authentication key-chian eigrp 100 vcoresw1-chain >>> ip summary-address eigrp 100 0.0.0.0 0.0.0.0 255 >>> no ip redirects >>> no ip unreachables >>> no ip proxy-arp >>> no shut >>> ! 
>>> >>> interface Gi0/0/0 >>> channel-group 1 >>> no shut >>> >>> interface Gi0/1/0 >>> channel-group 1 >>> no shut >>> >>> Cisco VSS configuration: >>> >>> int Gi1/1/1 >>> no switchport >>> channel-group 3 mode on >>> >>> int Gi2/1/1 >>> no switchport >>> channel-group 3 mode on >>> >>> int Po3 >>> desc *** MEC to br1-po1 *** >>> no ip redirects >>> no ip unreachables >>> no ip proxy-arp >>> ip vrf forwarding edge-vrf >>> ip address x.x.x.6 255.255.255.252 >>> ip hello-interval eigrp 100 2 >>> ip hold-time eigrp 100 6 >>> ip authentication mode eigrp 100 md5 >>> ip authentication key-chain eigrp 100 br1-chain >>> no shut >>> ! >>> >>> >>> >>> The problem I am experiencing seems to be one way traffic between > the >>> VSS cluster and the Border Router. Pinging across this /30 subnet >> does >>> not work in either direction. EIGRP relationships build when the Po >>> interfaces first come online and then immediately time out moments >>> later. The VSS cluster then does not see any further EIGRP traffic >> from >>> the ASR. However the ASR seems to think it's successfully building > an >>> adjacency to the VSS. However this times out due to 'retry limit >>> exceeded' every minute or so, but seems to think it re-establishes >> again. >>> >>> This problem persists if we drop the PortChannel to just one Gigabit >>> Ethernet interface. The second interface can be shut down or > actually >>> removed from the Po config (eg. no channel-group 1). >>> >>> The really interesting thing is, with one link, if we remove the >>> channel-group comand from the one remaining ASR interface, all of a >>> sudden the link springs to life. Pings between the ASR Gi0/0/0 >> interface >>> and the Po3 VSS interface are successful. EIGRP relationship comes > up >>> immediately and is stable, and routes are exchanged as you'd expect. >>> >>> How does this work? 
With the ASR thinking it's a non-etherchannel >>> interface, but the VSS thinking it IS an EtherChannel (with 1 >> member), >>> surely it should just fail? >>> >>> Am I doing something wrong or could this be a bug in either VSS or >> the ASR? >>> >>> It's not earth shattering, we could just configure 2 EIGRP sessions >>> between the VSS and the ASR (4 in total with 2 ASRs) but don't think >>> this is as clean an implementation as MEC across fully redundant >> chassis >>> and line cards (one of the big selling points of the VSS !!) >>> >>> Any help would be much appreciated! >>> >>> Thanks >>> Alasdair >>> >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ From gert at greenie.muc.de Sat May 2 04:03:59 2009 From: gert at greenie.muc.de (Gert Doering) Date: Sat, 2 May 2009 10:03:59 +0200 Subject: [c-nsp] IPv6 ND over PPP In-Reply-To: References: Message-ID: <20090502080359.GP290@greenie.muc.de> Hi, On Fri, May 01, 2009 at 02:10:30PM -0700, Marlon Duksa wrote: > Hi - 1) does anyone know if Cisco (IOS) is using IPv6CP for neighbor > discovery on a PPP link or they run neighbor discovery on top of PPP link? > 2) same question for HDLC over PPP -> how do they do neighbor discovery > there - ND, or statically provisioned neighbors or Inverse ND? If you do PPP, Cisco will definitely run IPv6CP (but not for "neighbor discovery" but for protocol negotiation). I'm not sure if any sort of neighbor discovery is done at all for point-to-point links. As there is no ARP on IPv4 point-to-point links, there is just no need for ND. Just stuff the packet into the pipe... 
One of my last non-ethernet circuits confirms this:

Cisco-M-XII>sh ipv nei pos6/0
IPv6 Address                              Age Link-layer Addr State Interface
Cisco-M-XII>

(it's happily speaking OSPFv3 and forwarding IPv6 packets over that link, but no need for ND)

DAD is done, though.

gert
--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Sat May 2 04:07:05 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 2 May 2009 10:07:05 +0200
Subject: [c-nsp] Channelized DS3 over SM fiber handoff
In-Reply-To: <4D58C7B4943F874BA4CB5D68A7924060918BDE@Epikserver2.Epik.local>
References: <49FBA4DA.9070701@rollernet.us> <4D58C7B4943F874BA4CB5D68A7924060918BDE@Epikserver2.Epik.local>
Message-ID: <20090502080704.GQ290@greenie.muc.de>

Hi,

On Fri, May 01, 2009 at 11:12:35PM -0400, Ryan Werber wrote:
> Allstream at 151 front street in Toronto does this. They run a single
> strand SMF and they terminate it into a form of a media converter, which
> passes off 2x BNC as expected for a DS3. They do this for both clear
> channel and channelized DS3.

Yes, this is the normal way. "Outside the house", run it on SMF fiber, and the customer handoff is 2x BNC. Telco provides the conversion gear (and everything on the fiber side is their responsibility).

I've never seen a DS3 handed off as fiber either.

> Interestingly enough, our channelized OC12s come in on a pair of SMF
> from them.

I'm not sure what's "interesting" about this - there's no standard for OC12 over anything else but fiber, and in telco world, fiber nearly always means "SMF".

gert
--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From achatz at forthnet.gr Sat May 2 04:09:56 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sat, 02 May 2009 11:09:56 +0300
Subject: [c-nsp] VSS1440 to ASR1002 - MEC issues
In-Reply-To: <4A420AF9-0E0D-4DE0-BA7A-7CFFD0BCF7A1@gmail.com>
References: <49FB1CCE.4000309@forthnet.gr> <8575A1BA6D8006418FD2CD73FCC2B2E6097D9360@xmb-sjc-231.amer.cisco.com> <4A420AF9-0E0D-4DE0-BA7A-7CFFD0BCF7A1@gmail.com>
Message-ID: <49FBFFD4.2080206@forthnet.gr>

Alasdair McWilliam wrote on 02/05/2009 10:01:
> Even if ASR only supports GEC, surely my apparent 'one way' traffic
> symptoms aren't right? I only have one Gigabit Ethernet link in the
> Port-Channel, between the ASR and the active chassis within the VSS.
> When the channel-group command is removed from the ASR's GE interface,
> and the config moved onto the GE interface, it starts to work a treat,
> despite the VSS still thinking it's an EtherChannel !
>

I think that's expected behavior since you have "on" on the VSS side (there aren't any negotiable protocols used between VSS and ASR).

--
Tassos

> Also, the 'switch accept mode virtual' command was run on the active
> node when the switches were first converted to VSS and rebooted.
>
> Many thanks
> Alasdair
>
>
>
> On 2 May 2009, at 01:43, Daniel de la Rosa (ddelaros) wrote:
>
>> That's correct, ASR1000 GEC only support static VLAN LB at the moment
>> and not LACP. So this can only work if you are ok on just using GEC with
>> VLANs on both sides as Tassos mentioned. Since you are deploying GEC for
>> redundancy, this VLAN static LB should be able to give you what you
>> need. Also you need to have the VSS on GEC mode on.
>> HTH
>>
>> -------------
>> Daniel de la Rosa
>> CCIE # 4622
>> Technical Marketing Engineer
>> ERBU, Cisco Systems
>>
>>> ASR1000 doesn't -yet- support the well-known EtherChannel/LACP. If i
>>> remember right, RLS5 will have it.
>>>
>>> There is a feature called VLAN Mapping to Gigabit EtherChannel (GEC)
>>> Member Links, but i don't think it would help you much, since you have
>>> L3 portchannels on both sides.
>>>
>>> http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_gecvlan.html
>>>
>>> --
>>> Tassos
>>>
>>> Alasdair McWilliam wrote on 01/05/2009 18:29:
>>>> Hello,
>>>>
>>>> I'm currently deploying two Cisco 6509-E chassis with VS-Sup720-10GE (in
>>>> a VSS 1440 cluster/configuration) with dual ASR 1002 routers to provide
>>>> aggregation of multiple upstream links (running multiple BGP and EIGRP
>>>> sessions).
>>>>
>>>> I wanted to utilize MEC between each ASR and each 6509 chassis to build
>>>> in as much resilience as possible. However this configuration seems to
>>>> be playing up and so I thought I'd ask the experts!
>>>>
>>>> Physical Topology:
>>>>
>>>> ASR Gi0/0/0 into 6509 Chassis 1 Module 1 Port 1
>>>> ASR Gi0/1/0 into 6509 Chassis 2 Module 1 Port 1
>>>>
>>>> The ASR is running IOS-XE 2.3.0 (IOS 12.2(33)XNC) AISK9 with dual IOS
>>>> processes.
>>>> The VSS chassis are running IOS 12.2(33)SXI1 ISK9 with a 4x 10GE VSL (2
>>>> supervisor 10GE interfaces, 2 10GE interfaces on a 6708-10GE line card).
>>>> I'm just using CAT6 between the ASR and the 6748-GE-TX line cards in the
>>>> VSS boxes.
>>>>
>>>> ASR configuration:
>>>>
>>>> interface Port-Channel1
>>>>  ip address x.x.x.5 255.255.255.252
>>>>  ip hello-interval eigrp 100 2
>>>>  ip hold-time eigrp 100 6
>>>>  ip authentication mode eigrp 100 md5
>>>>  ip authentication key-chain eigrp 100 vcoresw1-chain
>>>>  ip summary-address eigrp 100 0.0.0.0 0.0.0.0 255
>>>>  no ip redirects
>>>>  no ip unreachables
>>>>  no ip proxy-arp
>>>>  no shut
>>>> !
>>>>
>>>> interface Gi0/0/0
>>>>  channel-group 1
>>>>  no shut
>>>>
>>>> interface Gi0/1/0
>>>>  channel-group 1
>>>>  no shut
>>>>
>>>> Cisco VSS configuration:
>>>>
>>>> int Gi1/1/1
>>>>  no switchport
>>>>  channel-group 3 mode on
>>>>
>>>> int Gi2/1/1
>>>>  no switchport
>>>>  channel-group 3 mode on
>>>>
>>>> int Po3
>>>>  desc *** MEC to br1-po1 ***
>>>>  no ip redirects
>>>>  no ip unreachables
>>>>  no ip proxy-arp
>>>>  ip vrf forwarding edge-vrf
>>>>  ip address x.x.x.6 255.255.255.252
>>>>  ip hello-interval eigrp 100 2
>>>>  ip hold-time eigrp 100 6
>>>>  ip authentication mode eigrp 100 md5
>>>>  ip authentication key-chain eigrp 100 br1-chain
>>>>  no shut
>>>> !
>>>>
>>>> The problem I am experiencing seems to be one way traffic between the
>>>> VSS cluster and the Border Router. Pinging across this /30 subnet does
>>>> not work in either direction. EIGRP relationships build when the Po
>>>> interfaces first come online and then immediately time out moments
>>>> later. The VSS cluster then does not see any further EIGRP traffic from
>>>> the ASR. However the ASR seems to think it's successfully building an
>>>> adjacency to the VSS. However this times out due to 'retry limit
>>>> exceeded' every minute or so, but seems to think it re-establishes
>>>> again.
>>>>
>>>> This problem persists if we drop the PortChannel to just one Gigabit
>>>> Ethernet interface. The second interface can be shut down or actually
>>>> removed from the Po config (eg. no channel-group 1).
>>>>
>>>> The really interesting thing is, with one link, if we remove the
>>>> channel-group command from the one remaining ASR interface, all of a
>>>> sudden the link springs to life. Pings between the ASR Gi0/0/0 interface
>>>> and the Po3 VSS interface are successful. EIGRP relationship comes up
>>>> immediately and is stable, and routes are exchanged as you'd expect.
>>>>
>>>> How does this work? With the ASR thinking it's a non-etherchannel
>>>> interface, but the VSS thinking it IS an EtherChannel (with 1 member),
>>>> surely it should just fail?
>>>>
>>>> Am I doing something wrong or could this be a bug in either VSS or the ASR?
>>>>
>>>> It's not earth shattering, we could just configure 2 EIGRP sessions
>>>> between the VSS and the ASR (4 in total with 2 ASRs) but don't think
>>>> this is as clean an implementation as MEC across fully redundant chassis
>>>> and line cards (one of the big selling points of the VSS !!)
>>>>
>>>> Any help would be much appreciated!
>>>>
>>>> Thanks
>>>> Alasdair
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>

From will at harg.net Sat May 2 07:58:02 2009
From: will at harg.net (Will Hargrave)
Date: Sat, 02 May 2009 12:58:02 +0100
Subject: [c-nsp] Optical module transmit power
In-Reply-To:
References: <5C4E7532-71EB-4056-A491-9AE1FB5919D5@manchester.ac.uk>
Message-ID: <49FC354A.6030102@harg.net>

Michael Robson wrote:
> The circuit supplier quoted dB values for the links on handover which
> should have meant that most of the links would have been within
> acceptable values: perhaps the 6500-quoted values aren't very accurate?

If you haven't done so, meticulously clean the optics, cables, ferrules.
It can make quite a difference, and should really be standard procedure
when doing anything with singlemode imho.

Also worth testing with a lightmeter as part of the installation process.

We are hopefully going to have a presentation on this at a future UKNOF
later this year - see www.uknof.org.uk

Will

From kgraham at industrial-marshmallow.com Sat May 2 18:20:45 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Sat, 2 May 2009 15:20:45 -0700 (PDT)
Subject: [c-nsp] VSS1440 to ASR1002 - MEC issues
Message-ID: <885586.62455.qm@web907.biz.mail.mud.yahoo.com>

Your original concern was redundancy, so I'd personally go with two L3
interfaces per ASR over a static GEC.
You may end up with more traffic over the VSL (as I don't believe there's
an ECMP enhancement to prefer same-chassis ports as there is for MEC), but
you'll avoid having to depend on UDLD, etc to protect against this type of
failure mode.

[sent from my mobile]

On May 2, 2009, at 12:01 AM, Alasdair McWilliam wrote:

> Even if ASR only supports GEC, surely my apparent 'one way' traffic
> symptoms aren't right? I only have one Gigabit Ethernet link in the
> Port-Channel, between the ASR and the active chassis within the VSS.
> When the channel-group command is removed from the ASR's GE interface,
> and the config moved onto the GE interface, it starts to work a treat,
> despite the VSS still thinking it's an EtherChannel !
>
> Also, the 'switch accept mode virtual' command was run on the active
> node when the switches were first converted to VSS and rebooted.
>
> Many thanks
> Alasdair
>
> On 2 May 2009, at 01:43, Daniel de la Rosa (ddelaros) wrote:
>
>> That's correct, ASR1000 GEC only support static VLAN LB at the moment
>> and not LACP. So this can only work if you are ok on just using GEC
>> with VLANs on both sides as Tassos mentioned. Since you are deploying
>> GEC for redundancy, this VLAN static LB should be able to give you what
>> you need. Also you need to have the VSS on GEC mode on.
>>
>> HTH
>>
>> -------------
>> Daniel de la Rosa
>> CCIE # 4622
>> Technical Marketing Engineer
>> ERBU, Cisco Systems
>>
>>> ASR1000 doesn't -yet- support the well-known EtherChannel/LACP. If i
>>> remember right, RLS5 will have it.
>>>
>>> There is a feature called VLAN Mapping to Gigabit EtherChannel (GEC)
>>> Member Links, but i don't think it would help you much, since you have
>>> L3 portchannels on both sides.
>>>
>>> http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_gecvlan.html
>>>
>>> --
>>> Tassos
From ddelaros at cisco.com Sun May 3 23:23:28 2009
From: ddelaros at cisco.com (Daniel de la Rosa (ddelaros))
Date: Sun, 3 May 2009 20:23:28 -0700
Subject: [c-nsp] VSS1440 to ASR1002 - MEC issues
In-Reply-To: <4A420AF9-0E0D-4DE0-BA7A-7CFFD0BCF7A1@gmail.com>
References: <49FB1CCE.4000309@forthnet.gr>
	<8575A1BA6D8006418FD2CD73FCC2B2E6097D9360@xmb-sjc-231.amer.cisco.com>
	<4A420AF9-0E0D-4DE0-BA7A-7CFFD0BCF7A1@gmail.com>
Message-ID: <8575A1BA6D8006418FD2CD73FCC2B2E6097D94C1@xmb-sjc-231.amer.cisco.com>

No, they are not right but since you have configured the main port channel
as a L3 interface, and that's not supported (that's what I meant by only
VLANS), anything can happen from ASR1000 perspective

HTH

> Even if ASR only supports GEC, surely my apparent 'one way' traffic
> symptoms aren't right? I only have one Gigabit Ethernet link in the
> Port-Channel, between the ASR and the active chassis within the VSS.
> When the channel-group command is removed from the ASR's GE interface,
> and the config moved onto the GE interface, it starts to work a treat,
> despite the VSS still thinking it's an EtherChannel !
>
> Also, the 'switch accept mode virtual' command was run on the active
> node when the switches were first converted to VSS and rebooted.
>
> Many thanks
> Alasdair
>
> On 2 May 2009, at 01:43, Daniel de la Rosa (ddelaros) wrote:
>
>> That's correct, ASR1000 GEC only support static VLAN LB at the moment
>> and not LACP. So this can only work if you are ok on just using GEC
>> with VLANs on both sides as Tassos mentioned. Since you are deploying
>> GEC for redundancy, this VLAN static LB should be able to give you what
>> you need. Also you need to have the VSS on GEC mode on.
>>
>> HTH
>>
>> -------------
>> Daniel de la Rosa
>> CCIE # 4622
>> Technical Marketing Engineer
>> ERBU, Cisco Systems
>>
>>> ASR1000 doesn't -yet- support the well-known EtherChannel/LACP. If i
>>> remember right, RLS5 will have it.
>>>
>>> There is a feature called VLAN Mapping to Gigabit EtherChannel (GEC)
>>> Member Links, but i don't think it would help you much, since you have
>>> L3 portchannels on both sides.
>>>
>>> http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_gecvlan.html
>>>
>>> --
>>> Tassos
From d.nostra at gmail.com Sun May 3 23:55:45 2009
From: d.nostra at gmail.com (Michel de Nostredame)
Date: Sun, 3 May 2009 20:55:45 -0700
Subject: [c-nsp] Channelized DS3 over SM fiber handoff
In-Reply-To: <20090502080704.GQ290@greenie.muc.de>
References: <49FBA4DA.9070701@rollernet.us>
	<4D58C7B4943F874BA4CB5D68A7924060918BDE@Epikserver2.Epik.local>
	<20090502080704.GQ290@greenie.muc.de>
Message-ID: <454d328c0905032055hd298a7cv35af8b329783705a@mail.gmail.com>

I had a DS3 line from an ISP that was handed over by fiber, but the ISP
provided a box converting fiber to a 75 ohm standard BNC cable to my
router. (my router interface is clear DS3, not channelized)

The converter came from Transition, I don't remember the actual model,
but something similar to
http://www.transition.com/TransitionNetworks/Products2/Family.aspx?Name=SCSCF30xx-10x

--
Michel~

On Sat, May 2, 2009 at 1:07 AM, Gert Doering wrote:
> Hi,
>
> On Fri, May 01, 2009 at 11:12:35PM -0400, Ryan Werber wrote:
>> Allstream at 151 front street in Toronto does this. They run a single
>> strand SMF and they terminate it into a form of a media converter, which
>> passes off 2x BNC as expected for a DS3. They do this for both clear
>> channel and channelized DS3.
>
> Yes, this is the normal way. "Outside the house", run it on SMF fiber,
> and the customer handoff is 2x BNC. Telco provides the conversion gear
> (and everything on the fiber side is their responsibility).
>
> I've never seen a DS3 handed off as fiber either.
>
>> Interestingly enough, our channelized OC12s come in on a pair of SMF
>> from them.
>
> I'm not sure what's "interesting" about this - there's no standard for
> OC12 over anything else but fiber, and in telco world, fiber nearly
> always means "SMF".
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //www.muc.de/~gert/
> Gert Doering - Munich, Germany                            gert at greenie.muc.de
> fax: +49-89-35655025                       gert at net.informatik.tu-muenchen.de

From rakotovaot at gmail.com Mon May 4 02:25:34 2009
From: rakotovaot at gmail.com (tah)
Date: Mon, 4 May 2009 09:25:34 +0300
Subject: [c-nsp] Defining new radius attribute on a Cisco NAS
In-Reply-To: <653ba8cf0905032307v5f47846bw8bf9e2ad77840248@mail.gmail.com>
References: <653ba8cf0905032307v5f47846bw8bf9e2ad77840248@mail.gmail.com>
Message-ID: <653ba8cf0905032325n7fc05e62s1c0cc0d3e5aacb32@mail.gmail.com>

Hello,

I would like to ask you how to define a new radius attribute on a Cisco
NAS (Cisco 3825). We have already defined the attribute on our AAA
server, but we don't know how to configure the Cisco NAS for this new
attribute.

Could you give some suggestions please?

Thanks.

Best regards
--
I love this game !

From rens at autempspourmoi.be Mon May 4 03:18:34 2009
From: rens at autempspourmoi.be (Rens)
Date: Mon, 4 May 2009 09:18:34 +0200
Subject: [c-nsp] L2TPv3 with MTU difference
In-Reply-To: <7A41C87ED8454252B78FF92B8C87205A@EU.corp.clearwire.com>
References: <7A41C87ED8454252B78FF92B8C87205A@EU.corp.clearwire.com>
Message-ID: <21233E3EABF5445FA8EA524B24C784FF@EU.corp.clearwire.com>

Nobody that can help me with this?
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rens
Sent: Friday 17 April 2009 14:43
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] L2TPv3 with MTU difference

Hi,

I have an OSPF broadcast configured with several routers.

Some of the routers have a higher MTU than others so I use ip ospf mtu
ignore on all the neighbours. (to compensate for the fragmentation at
higher bandwidths)

I have routers with mtu 1600 and others have the default 1500 because of
FastEthernet interfaces.

I have a L2TPv3 tunnel that runs over this IP network; when I configure a
tunnel between a router that has 1600 & 1500 mtu I can't pass any frames
of 1518.

When doing 1518, the tester that is connected to the router that does 1600
is receiving them, but the tester that is connected to the router that
does 1500 isn't receiving anything.

When I lower it to 1280 it works again.

All help welcome

Regards,

Rens

From rens at autempspourmoi.be Mon May 4 05:43:41 2009
From: rens at autempspourmoi.be (Rens)
Date: Mon, 4 May 2009 11:43:41 +0200
Subject: [c-nsp] L2TPv3 with MTU difference
In-Reply-To:
References: <7A41C87ED8454252B78FF92B8C87205A@EU.corp.clearwire.com>
	<21233E3EABF5445FA8EA524B24C784FF@EU.corp.clearwire.com>
Message-ID: <6379AC0E12194918AF0CA124C56F79DD@EU.corp.clearwire.com>

Hi Ahmad,

When I do the same test but lower the MTU again on the physical interface
towards the L2TPv3 tunnel (MTU 1500), so that they are identical again,
the 1518 frames pass again with the testers. (Fragmentation)

So I'm more thinking when the MTU is different between the 2 routers, it
drops all the frames that are too big? Shouldn't the sender start to
fragment?
Here some tests:

7200#sh int GigabitEthernet 0/2.801
GigabitEthernet0/2.801 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 0006.d6ca.481a (bia 0006.d6ca.481a)
  Description: #backbone: VLAN801-dot1q
  Internet address is 80.91.151.1/27
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 2/255, rxload 2/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 801.
  ARP type: ARPA, ARP Timeout 04:00:00
  Last clearing of "show interface" counters never

r1841#sh int Fa0/0.801
FastEthernet0/0.801 is up, line protocol is up
  Hardware is Gt96k FE, address is 0023.0447.4ce4 (bia 0023.0447.4ce4)
  Description: #backbone: VLAN801-dot1q [100M]
  Internet address is 80.91.151.3/27
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 25/255, rxload 13/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 801.
  ARP type: ARPA, ARP Timeout 04:00:00
  Last clearing of "show interface" counters never
r1841#

r1841#ping 80.91.151.1 size 1518

Type escape sequence to abort.
Sending 5, 1518-byte ICMP Echos to 80.91.151.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
r1841#

When I now raise the MTU on the 7200 to 1600, the pings aren't being
fragmented:

r1841#ping 80.91.151.1 size 1518

Type escape sequence to abort.
Sending 5, 1518-byte ICMP Echos to 80.91.151.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1841#

-----Original Message-----
From: Cheikh-Moussa Ahmad [mailto:acm at axians.de]
Sent: Monday 4 May 2009 9:45
To: Rens
Subject: AW: [c-nsp] L2TPv3 with MTU difference

Hi Rens,

1518 is too big for a FastEthernet Interface. Did you try 1480? 20 Bytes
for udp and l2tp header should be removed from the max frame size.

Regards,
Ahmad

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rens
> Sent: Monday, 4 May 2009 09:19
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] L2TPv3 with MTU difference
>
> Nobody that can help me with this?

Registered office of NK Networks & Services GmbH: Von-der-Wettern-Straße 15, 51149 Köln
Register court: Amtsgericht Köln, register number HRB 30805
Managing director: Tonis R?sche

From james at mor-pah.net Mon May 4 07:18:46 2009
From: james at mor-pah.net (James Greig)
Date: Mon, 4 May 2009 12:18:46 +0100
Subject: [c-nsp] Dropped packets and poor performance
Message-ID:

Hi Guys,

As per the subject we're seeing this on a 3845 (we've also swapped in a
7204vxr (npe-400) and seeing the same issue).

Background:- one upstream talking BGP to two of their peers taking 100mbit
transit via Ethernet. 3845 statically routing the announced /21 to a 3750
stack behind.

We're seeing asymmetrical speed problems through the 3845 to various
internet locations including another pop of ours taking transit from the
same provider. We can upstream ~80mbit/s to this location but can't do
more than around 11mbit/s downstream in a single flow; the same applies
to other remote locations.

We've checked cabling/duplex, checked for interface errors, cef is on,
disabled things like netflow just to be sure, the router's cpu
utilisation is low ~5-10%.

We had a maintenance window last night where we called in the transit
provider to help debug the issue. Eventually we got to a point where a
laptop was jacked straight into their Ethernet handoff and throughput was
fine at almost 90mbit/s as we'd expect, so this is pointing at router
config; as mentioned we've swapped in a 7204 and still seeing the issue
so it's ruled out bad hardware.
We're also seeing dropped packets when pinging from the router to the
ISP's next hop, but we're not seeing this when pinging from a laptop to
the ISP's next hop.

At this point we don't know where to go from here; if anyone has any
suggestions we'd be most grateful, config can be provided if needed.

Regards
James Greig

From maillist at webjogger.net Mon May 4 09:36:40 2009
From: maillist at webjogger.net (Adam Greene)
Date: Mon, 4 May 2009 09:36:40 -0400
Subject: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP
References: <9396D49753F24294A8D788749A309A26@GINKGO>
	<49F66E15.5040702@indo.net.id>
Message-ID: <4F9B90F44C5640BEAF5EF4C00C11E186@GINKGO>

I never said thanks to all those who responded on and offlist to this
thread last week. It was very helpful, thanks, and sorry for the delay
acknowledging your help.

From avayner at cisco.com Mon May 4 11:46:55 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 4 May 2009 17:46:55 +0200
Subject: [c-nsp] Per session shaping
In-Reply-To: <1C15FB264A06794F8BDE2120972B51C1050E2D09@netexch04.ad.netservicesplc.com>
References: <1C15FB264A06794F8BDE2120972B51C1050E2D09@netexch04.ad.netservicesplc.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7932CB2@xmb-ams-331.emea.cisco.com>

Steve,

Just to provide a complete feedback:

There is no support for per session qos for sessions forwarded over L2TP
as there is no real interface to use in order to apply the policy on...

The only option I see would be to deploy a DPI (deep packet inspection)
device that can do L2TP. Specifically, Cisco has the SCE2000 (2x1GE) or
SCE8000 (multiple 10GE) that can do this, and has L2TP support. It can
basically see inside the L2TP tunnel, and identify specific sessions,
applying QOS and DPI policies per subscriber.
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve McCrory
Sent: Thursday, April 30, 2009 19:35
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Per session shaping

Afternoon all,

I've been asked to look into the capabilities of the Cisco IOS feature
'Per-Session Shaping and Queuing' and I am looking for some expertise
from anyone who has utilized this feature.

I would like to know if it is possible to shape an SSS session that is
forwarded on to another LNS or is this feature specifically for shaping
subscriber sessions that terminate locally?

I tried configuring a service policy on the virtual-template that is
associated with the VPDN group for the incoming L2TP tunnel but this
appears to break everything and debugging radius identifies a
'nas-error' as the cause:

*Apr 30 15:26:50.187: RADIUS:  Acct-Terminate-Cause[49]  6   nas-error  [9]

Cheers
Steven

Steven McCrory
Senior Network Engineer
Netservices PLC
Waters Edge Business Park
Modwen Road
Manchester, M5 3EZ
www.netservicesplc.com

--------
NetServices plc, Company No. 4178393, Registered Office: NetServices House, 31 Modwen Road, Waters Edge Business Park, SALFORD, M5 3EZ
--------

From achatz at forthnet.gr Mon May 4 11:55:46 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 04 May 2009 18:55:46 +0300
Subject: [c-nsp] SBC proccess on ASR1000 is using memory although not used
Message-ID: <49FF1002.2020900@forthnet.gr>

Any idea why SBC is using 74MB of memory on an ASR1000 (RLS3), although
it shouldn't be used at all?
ASR#sh mem alloc total | i SBC
 PC          Total      Count  Name
0x120DB11C   53892660      52  SBC main process
0x120E8BAC   20480096       1  SBC main process
0x125ADB5C      65588       1  SBC message response chunks
0x120DE430      25696       1  SBC main process
0x10B2A0FC       2820       5  SBC main process
0x1212FF68        912       4  SBC main process
0x10B2A118        596       3  SBC main process

ASR#sh proc mem | i SBC
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
  52   0          0          0      17140          0          0 SBC IPC Hold Que
 104   0          0          0      17140          0          0 SBC Msg Ack Time
 142   0          0          0      17140          0          0 SBC Dump Diagnos
 147   0     205488          0      11488          0          0 SBC initializer
 334   0   74502032        788   74672104          0          0 SBC main process

ASR#sh proc cpu | i SBC
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  52           0         2          0  0.00%  0.00%  0.00%   0 SBC IPC Hold Que
 104           0         1          0  0.00%  0.00%  0.00%   0 SBC Msg Ack Time
 142           0         1          0  0.00%  0.00%  0.00%   0 SBC Dump Diagnos
 147           1         1       1000  0.00%  0.00%  0.00%   0 SBC initializer
 334        2643    345775          7  0.00%  0.00%  0.00%   0 SBC main process

I checked the following docs, but i didn't find any relevant config
applied by default.

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/sbc/2_xe/sbc_2_xe_book.html
http://www.cisco.com/en/US/docs/ios/sbc/command/reference/sbc_01.html

--
Tassos

From achatz at forthnet.gr Mon May 4 12:36:18 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 04 May 2009 19:36:18 +0300
Subject: [c-nsp] Per session shaping
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7932CB2@xmb-ams-331.emea.cisco.com>
References: <1C15FB264A06794F8BDE2120972B51C1050E2D09@netexch04.ad.netservicesplc.com>
	<78C984F8939D424697B15E4B1C1BB3D7932CB2@xmb-ams-331.emea.cisco.com>
Message-ID: <49FF1982.90108@forthnet.gr>

Arie Vayner (avayner) wrote on 04/05/2009 18:46:
> Steve,
>
> Just to provide a complete feedback:
>
> There is no support for per session qos for sessions forwarded over L2TP
> as there is no real interface to use in order to apply the policy on...
>

Although not a real interface, can't the SSS session be used?
--
Tassos

From josh.fleishman at gmail.com Mon May 4 12:48:29 2009
From: josh.fleishman at gmail.com (Josh Fleishman)
Date: Mon, 4 May 2009 12:48:29 -0400
Subject: [c-nsp] VRF-lite dynamic NAT
Message-ID: <31f82fd80905040948u4f59d7eas800f9901b8ff79ce@mail.gmail.com>

I have a CE configured with VRF-lite. Packets coming into the CE from the
core destined to two /32 addresses need to be translated to a single real
ip address of a server connected to the CE LAN. This is a two to one
dynamic NAT translation. Since this is outside-to-inside traffic, I have
attempted the following configuration using an NVI, but it's failing:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(23), RELEASE SOFTWARE (fc1)

ip nat pool inside-global 1.1.1.100 1.1.1.100 netmask 255.255.255.0
! Testing with one address, but will require two
access-list 1 permit 172.21.240.74
ip route vrf TEST 1.1.1.100 255.255.255.255 GigabitEthernet0/1.52 172.21.240.74
ip nat source list 1 pool inside-global vrf TEST

interface GigabitEthernet0/0/0.921
 ip nat enable

interface GigabitEthernet0/1.52
 description vlan CE LAN
 encapsulation dot1Q 52
 ip vrf forwarding TEST
 ip address 172.21.240.73 255.255.255.248
 ip nat enable
 ip virtual-reassembly

interface GigabitEthernet0/0/0.921
 description CORE
 encapsulation dot1Q 921
 ip vrf forwarding TEST
 ip address 172.21.128.22 255.255.255.252
 ip nat enable

May 4 16:30:39.104 GMT: NAT: no portlist for proto 17 globaladdr 1.1.1.100 port 60165
May 4 16:30:41.812 GMT: NAT*: Can't create new inside entry - forced_punt_flags: 0
May 4 16:30:42.176 GMT: NAT: expiring 1.1.1.100 (172.21.240.74) udp 60165 (60165)
May 4 16:30:42.176 GMT: NAT: no portlist for proto 17 globaladdr 1.1.1.100 port 60165
May 4 16:30:43.808 GMT: NAT*: Can't create new inside entry - forced_punt_flags: 0
May 4 16:30:45.248 GMT: NAT: expiring 1.1.1.100 (172.21.240.74) udp 60165 (60165)
May 4 16:30:45.248 GMT: NAT: no portlist for proto 17 globaladdr 1.1.1.100 port 60165
May 4 16:30:45.808 GMT: NAT*: Can't create new inside entry - forced_punt_flags: 0
May 4 16:30:47.808 GMT: NAT*: Can't create new inside entry - forced_punt_flags: 0
May 4 16:30:48.320 GMT: NAT: expiring 1.1.1.100 (172.21.240.74) udp 60165 (60165)

Inside to outside translations appear to be working fine for traffic
originating from the server sent towards the core. This will work with a
static NAT translation without issue. I've also attempted
outside-to-inside with route-maps using the 'reversible' keyword, but
without success.

Any suggestions?

Thanks,
Josh

From justin at justinshore.com Mon May 4 14:13:21 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 04 May 2009 13:13:21 -0500
Subject: [c-nsp] Cisco ASA 5505 limitations
In-Reply-To: <007b01c9c9b6$4bce2c1c$0600a8c0@whgroup.com>
References: <007b01c9c9b6$4bce2c1c$0600a8c0@whgroup.com>
Message-ID: <49FF3041.5060000@justinshore.com>

Or you could buy an ISR 881 for less than half the cost of the ASA 5505.
That's basically what we've switched to. We were deploying 5505s for
remote workers and we're now deploying 881s with wifi. The cost of a 5505
and AP1131 is on par with the cost of the 881W w/ Adv IP license and PoE
PSU. The ASA loses its appeal when you see the cost of doing more than 1
VLAN. With the ISR 881 I can have a pair of VLANs for secured voice and
data (wired and wifi, only company machines allowed on it) and another
unsecured VLAN for guest access (wired and wifi). That way I can prohibit
access to our corporate LAN from the unsecured side of our remote user's
network. Works like a champ. Plus you have Cisco wifi so getting it to
work with Cisco cordless phones is a breeze.

Justin

Jason Link wrote:
> The 5505 will support as many VLANs as you are licensed for. The base
> license won't do what you are asking, but the plus license will. You can
> configure the VLANs with ACLs to make them function as you wish (DMZ1 /
> DMZ2 / etc).
> As for the routing, it should do OSPF and EIGRP - but it can't do everything the 5510 and up can do.
>
> -----Original Message-----
> From: Jonathan Soler (Europe)
> Sent: Thursday, April 30, 2009 12:03 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco ASA 5505 limitations
>
> Hello,
>
> Does Cisco ASA5505 support 4 network segments, one inside, one outside and two DMZs?
>
> Does Cisco ASA5505 support all ASA5510, 5520... functionalities, like for example OSPF?
>
> Thanks
>
> Jonathan
>


From Charles at thewybles.com Mon May 4 16:21:04 2009
From: Charles at thewybles.com (Charles at thewybles.com)
Date: Mon, 4 May 2009 20:21:04 +0000
Subject: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP
Message-ID: <66087561-1241468477-cardhu_decombobulator_blackberry.rim.net-163043037-@bxe1197.bisx.prod.on.blackberry>

Can you post a summary?

------Original Message------
From: Adam Greene
Sender: cisco-nsp-bounces at puck.nether.net
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP
Sent: May 4, 2009 6:36 AM

I never said thanks to all those who responded on and offlist to this thread last week. It was very helpful, thanks, and sorry for the delay acknowledging your help.
From peter at rathlev.dk Mon May 4 17:25:35 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 04 May 2009 23:25:35 +0200
Subject: [c-nsp] 6500 12.2(18)SXF EoL notice?
Message-ID: <1241472335.7357.2.camel@localhost.localdomain>

Does anybody know what happened to the EoL notice about 12.2(18)SXF from end of April? The link from the FN doesn't seem to work for me anymore. Now I only have the mail.

Thanks,
Peter


From MLouis at nwnit.com Mon May 4 17:55:24 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Mon, 4 May 2009 17:55:24 -0400
Subject: [c-nsp] Out of Band Network
Message-ID:

Hey Folks,

I am building an out of band network and was wondering what everyone's experience was with the following products.

I am planning on using an 1841 configured as terminal server in each closet with 1-2 HWIC-8A slots in each router depending on the number of lines that I need for the devices in that closet. I am going to be linking all the 1841s in each closet together with 8 port 2960s or reused 2950 series switches coresident. These 2960/2950s will all be home runned over fiber back to a core for the out of band network.

Some of the closets in the design are uplinked into distribution layer closets over Cat5e cable. Nothing exceeds 300 ft, however, I am not sure how far I can stretch these Async lines to the console ports from the distribution to access layer switches. Does anyone know how far I can go with an RS-232 line over Cat5e? All I need is 9600 baud to talk to the console port at the other end.
Thanks in advance

Mike

________________________________
Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.


From mksmith at adhost.com Mon May 4 18:17:23 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 4 May 2009 15:17:23 -0700
Subject: [c-nsp] Out of Band Network
In-Reply-To:
References:
Message-ID: <17838240D9A5544AAA5FF95F8D52031605EC1778@ad-exh01.adhost.lan>

> Some of the closets in the design are uplinked into distribution layer closets over Cat5e cable. Nothing exceeds 300 ft, however, I am not sure how far I can stretch these Async lines to the console ports from the distribution to access layer switches. Does anyone know how far I can go with an RS-232 line over Cat5e? All I need is 9600 baud to talk to the console port at the other end.

You might be able to do it with hi-grade cable and if the Cisco ports are following the spec. Here's a pretty good tutorial.

http://marcspages.co.uk/tech/long232.htm

Regards,

Mike


From sethm at rollernet.us Mon May 4 18:34:34 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 04 May 2009 15:34:34 -0700
Subject: [c-nsp] Out of Band Network
In-Reply-To:
References:
Message-ID: <49FF6D7A.40005@rollernet.us>

Mike Louis wrote:
> Hey Folks,
>
> I am building an out of band network and was wondering what everyone's experience was with the following products.
> I am planning on using an 1841 configured as terminal server in each closet with 1-2 HWIC-8A slots in each router depending on the number of lines that I need for the devices in that closet. I am going to be linking all the 1841s in each closet together with 8 port 2960s or reused 2950 series switches coresident. These 2960/2950s will all be home runned over fiber back to a core for the out of band network.
>
> Some of the closets in the design are uplinked into distribution layer closets over Cat5e cable. Nothing exceeds 300 ft, however, I am not sure how far I can stretch these Async lines to the console ports from the distribution to access layer switches. Does anyone know how far I can go with an RS-232 line over Cat5e? All I need is 9600 baud to talk to the console port at the other end.
>

You could also pick up a pair of RS422 converters. The downside is additional cost, however, it could be a wash if you end up needing expensive cable to do long 232 runs.

~Seth


From tkacprzynski at SpencerStuart.com Tue May 5 10:28:09 2009
From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com)
Date: Tue, 5 May 2009 09:28:09 -0500
Subject: [c-nsp] Out of Band Network
In-Reply-To: <49FF6D7A.40005@rollernet.us>
References: <49FF6D7A.40005@rollernet.us>
Message-ID:

Mike

Have you looked at the Raritan Dominion SX devices (http://www.raritan.com/products/serial-console-switches/Dominion-SX/)? Maybe they could work out for you better.

Tom

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen
Sent: Monday, May 04, 2009 5:35 PM
To: cisco-nsp
Subject: Re: [c-nsp] Out of Band Network

Mike Louis wrote:
> Hey Folks,
>
> I am building an out of band network and was wondering what everyone's experience was with the following products.
> I am planning on using an 1841 configured as terminal server in each closet with 1-2 HWIC-8A slots in each router depending on the number of lines that I need for the devices in that closet. I am going to be linking all the 1841s in each closet together with 8 port 2960s or reused 2950 series switches coresident. These 2960/2950s will all be home runned over fiber back to a core for the out of band network.
>
> Some of the closets in the design are uplinked into distribution layer closets over Cat5e cable. Nothing exceeds 300 ft, however, I am not sure how far I can stretch these Async lines to the console ports from the distribution to access layer switches. Does anyone know how far I can go with an RS-232 line over Cat5e? All I need is 9600 baud to talk to the console port at the other end.
>

You could also pick up a pair of RS422 converters. The downside is additional cost, however, it could be a wash if you end up needing expensive cable to do long 232 runs.

~Seth


From ashnet2009 at gmail.com Tue May 5 11:19:52 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Tue, 5 May 2009 11:19:52 -0400
Subject: [c-nsp] Nexus 7000 feedback
Message-ID: <896a291f0905050819p3d427047v9918a6cc8ed3a95b@mail.gmail.com>

Hello all,

we're considering deploying Nexus 7000 as the next Core/Aggregation switch Platform in our Data Centers and looking for some feedback from individuals who have had experiences with it. Specs and Featureset wise, the product looks amazing and truly appears to have solved the 10Gig Aggregation requirements of a Data Center up to an extent.
Any feedback in relation to the stability of the product and the NX-OS, issues encountered during deployment and Post implementation/Daily operations support, Integration of the Nexus with current Management systems and any challenges encountered, interoperability with other Cisco switch Platforms such as Cat6k, 4900 at Routing and Switching Layers (OSPF/EIGRP Adjacencies/ STP/RPVST Interop), Dual Sup vs Single Sup configurations, ISSU, Netflow, Graceful Restart and VDC's. All feedback is welcome and would be greatly appreciated.

Thanks in advance

Ash


From tincan at gmail.com Tue May 5 17:53:26 2009
From: tincan at gmail.com (Inca)
Date: Tue, 5 May 2009 14:53:26 -0700
Subject: [c-nsp] alternatives to Cisco's SFPs
Message-ID:

Hello,

Does anyone have good experience with non-Cisco SFPs? In particular, we're trying to look for lower cost alternatives to GLC-T (or SFP-GE-T), GLC-SX-MM (SFP-GE-S) and GLC-LH-SM (SFP-GE-L). Also, any problem with using non-Cisco SFPs (even after enabling "service unsupported-transceiver")?

Thanks,
Nathan


From sthaug at nethelp.no Tue May 5 18:18:16 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 06 May 2009 00:18:16 +0200 (CEST)
Subject: [c-nsp] alternatives to Cisco's SFPs
In-Reply-To:
References:
Message-ID: <20090506.001816.41703097.sthaug@nethelp.no>

> Does anyone have good experience with non-Cisco SFPs? In particular,
> we're trying to look for lower cost alternatives to GLC-T (or
> SFP-GE-T), GLC-SX-MM (SFP-GE-S) and GLC-LH-SM (SFP-GE-L). Also, any
> problem with using non-Cisco SFPs (even after enabling "service
> unsupported-transceiver")?

You can buy "Cisco coded" SFPs from a significant number of vendors, at much better price than Cisco. We have bought such SFPs from, among others, Zycko. We never had a problem using SFPs not purchased from Cisco - but buyer beware, there *are* definitely lower quality SFPs out there. YMMV.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no


From p.mayers at imperial.ac.uk Tue May 5 18:51:22 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 5 May 2009 23:51:22 +0100
Subject: [c-nsp] alternatives to Cisco's SFPs
In-Reply-To: <20090506.001816.41703097.sthaug@nethelp.no>
References: <20090506.001816.41703097.sthaug@nethelp.no>
Message-ID: <20090505225122.GA8378@wildfire.net.ic.ac.uk>

On Tue, May 05, 2009 at 11:18:16PM +0100, sthaug at nethelp.no wrote:
>> Does anyone have good experience with non-Cisco SFPs? In particular,
>> we're trying to look for lower cost alternatives to GLC-T (or
>> SFP-GE-T), GLC-SX-MM (SFP-GE-S) and GLC-LH-SM (SFP-GE-L). Also, any
>> problem with using non-Cisco SFPs (even after enabling "service
>> unsupported-transceiver")?
>
>You can buy "Cisco coded" SFPs from a significant number of vendors,
>at much better price than Cisco. We have bought such SFPs from, among

Yep

>others, Zycko. We never had a problem using SFPs not purchased from

We buy the ProLabs ones, from hardware.com

They're excellent.

>Cisco - but buyer beware, there *are* definitely lower quality SFPs
>out there. YMMV.

Ho ho. We once paid a not-inconsiderable amount for a tray of "real" Cisco SFPs that turned out to be fakes.

Beware of fakes - as well as having crappy lasers, sensors and build quality, many of them have duplicate serial numbers and two such SFPs WILL NOT work in most Cisco kit, "service unsupp" is no help.


From MLouis at nwnit.com Tue May 5 20:16:11 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Tue, 5 May 2009 20:16:11 -0400
Subject: [c-nsp] 500 msec timers on Cisco GLC-T
Message-ID:

Hey Folks,

One of my Cisco SEs told me the other day that there was a limitation in the GLC-T GBICs that prevented the switch from recognizing a link up/down faster than 500 msec. This could cause a noticeable blip in a voice call. Apparently this is not an issue in the fiber SFPs. Has anyone ever heard of this before?
He was referencing a 3750 series switch when we were discussing the issue. I am not sure if it's platform or GBIC specific. I also wonder if it affects normal 10/100/1000 ports the same way. Any ideas or thoughts? Ever heard of anything like this on other platforms?

Thanks

Mike


From md at bts.sk Wed May 6 03:32:13 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Wed, 6 May 2009 09:32:13 +0200
Subject: [c-nsp] 500 msec timers on Cisco GLC-T
In-Reply-To:
References:
Message-ID: <20090506073208.M81289@bts.sk>

On Tue, 5 May 2009 20:16:11 -0400, Mike Louis wrote
> Hey Folks,
>
> One of my Cisco SEs told me the other day that there was a limitation
> in the GLC-T GBICs that prevented the switch from recognizing a link
> up/down faster than 500 msec. This could cause a noticeable blip in a
> voice call. Apparently this is not an issue in the fiber SFPs. Has
> anyone ever heard of this before? He was referencing a 3750 series
> switch when we were discussing the issue. I am not sure if it's
> platform or GBIC specific. I also wonder if it affects normal
> 10/100/1000 ports the same way. Any ideas or thoughts? Ever heard of
> anything like this on other platforms?

This explains it in detail:

http://www.shoshin.co.jp/c/nc/NC/pdf/White%20Papers/Link%20Up%20&%20Down%20Time.pdf

M.
From achatz at forthnet.gr Wed May 6 04:19:17 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 06 May 2009 11:19:17 +0300
Subject: [c-nsp] 500 msec timers on Cisco GLC-T
In-Reply-To:
References:
Message-ID: <4A014805.2070904@forthnet.gr>

I think it's a general case that link failure detection time on copper is about 500ms, while on fiber is about 50ms. Also, the default debounce timer is much lower on fiber ports:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/intrface.html#wp1044898

--
Tassos

Mike Louis wrote on 06/05/2009 03:16:
> Hey Folks,
>
> One of my Cisco SEs told me the other day that there was a limitation in the GLC-T GBICs that prevented the switch from recognizing a link up/down faster than 500 msec. This could cause a noticeable blip in a voice call. Apparently this is not an issue in the fiber SFPs. Has anyone ever heard of this before? He was referencing a 3750 series switch when we were discussing the issue. I am not sure if it's platform or GBIC specific. I also wonder if it affects normal 10/100/1000 ports the same way. Any ideas or thoughts? Ever heard of anything like this on other platforms?
>
> Thanks
>
> Mike
>
From mh+cisco-nsp at zugschlus.de Wed May 6 05:57:58 2009
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Wed, 6 May 2009 11:57:58 +0200
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
Message-ID: <20090506095758.GA1441@torres.zugschlus.de>

Hi,

a small company is planning to deploy client VPN using the Cisco VPN client and an 1841 in their office. They have 50 employees, about 15 of them mobile, a couple of Windows 2003 servers (no virtualization yet) and are mostly an all-windows shop. They neither want their users to authenticate to the VPN via their Windows password (which, to my knowledge, rules out authenticating against the AD), nor do they want to use the cisco command line to generate the user accounts on the 1841 itself.

Is there a lightweight, resource-easy Radius server for Windows which can be installed on one of the existing servers which has a clickable frontend for account management? It doesn't need to be end-user safe, the admins are going to manage the account, but they cringe at the thought of doing the "conf t; foo; copy running-config startup-config" dance.

Just in case, in which price range do the "cheapest" one-time-password-token authentication schemes start for this user count?

Any hints will be appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 3221 2323190


From thomas.braun at flashstudy.de Wed May 6 07:05:28 2009
From: thomas.braun at flashstudy.de (Thomas Braun)
Date: Wed, 06 May 2009 13:05:28 +0200
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To: <20090506095758.GA1441@torres.zugschlus.de>
References: <20090506095758.GA1441@torres.zugschlus.de>
Message-ID: <4A016EF8.3090205@flashstudy.de>

Hi,

I use freeradius for the same installation on linux. There is also a windows port of freeradius, it needs cygwin. I haven't used it under windows, but under Linux you can do anything you want. Maybe give it a try.

Regards
thomas

>
> a small company is planning to deploy client VPN using the Cisco VPN
> client and an 1841 in their office. They have 50 employees, about 15
> of them mobile, a couple of Windows 2003 servers (no virtualization
> yet) and are mostly an all-windows shop. They neither want their users
> to authenticate to the VPN via their Windows password (which, to my
> knowledge, rules out authenticating against the AD), nor do they want
> to use the cisco command line to generate the user accounts on the
> 1841 itself.
>
> Is there a lightweight, resource-easy Radius server for Windows which
> can be installed on one of the existing servers which has a clickable
> frontend for account management? It doesn't need to be end-user safe,
> the admins are going to manage the account, but they cringe at the
> thought of doing the "conf t; foo; copy running-config startup-config"
> dance.
>
> Just in case, in which price range do the "cheapest"
> one-time-password-token authentication schemes start for this user
> count?
>
> Any hints will be appreciated.
>
> Greetings
> Marc
>


From zivl at gilat.net Wed May 6 07:13:18 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Wed, 6 May 2009 14:13:18 +0300
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To: <20090506095758.GA1441@torres.zugschlus.de>
References: <20090506095758.GA1441@torres.zugschlus.de>
Message-ID:

The cheapest solution is already there, Windows2003 server can act as a radius server, it doesn't have to use necessarily the same users, new users can be added to a special new group only for the VPN authentication.

Also using the AD can be useful, the user can be set to have permission to access through VPN or not, so not every user in the system can connect.

Cisco knows to interface with the above, so I don't see a reason to invest more money in another product. All they need is someone that is good enough with Win2003 server to make it happen, the Cisco part is the easiest once the radius is set.

Hope this helps,
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marc Haber
Sent: Wednesday, May 06, 2009 12:58 PM
To: cisco-nsp
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows

Hi,

a small company is planning to deploy client VPN using the Cisco VPN client and an 1841 in their office. They have 50 employees, about 15 of them mobile, a couple of Windows 2003 servers (no virtualization yet) and are mostly an all-windows shop. They neither want their users to authenticate to the VPN via their Windows password (which, to my knowledge, rules out authenticating against the AD), nor do they want to use the cisco command line to generate the user accounts on the 1841 itself.

Is there a lightweight, resource-easy Radius server for Windows which can be installed on one of the existing servers which has a clickable frontend for account management?
It doesn't need to be end-user safe, the admins are going to manage the account, but they cringe at the thought of doing the "conf t; foo; copy running-config startup-config" dance.

Just in case, in which price range do the "cheapest" one-time-password-token authentication schemes start for this user count?

Any hints will be appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 3221 2323190
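For the RADIUS-for-VPN thread above, an added illustration that is not code from any of the posts, from Windows IAS or from FreeRADIUS: a minimal RFC 2865 PAP exchange between the router (the NAS) and the RADIUS server, showing how User-Password is masked with the shared secret and how the NAS checks the Response Authenticator before trusting an Access-Accept. The secret, account database, user name and NAS address are constructed for the example.

```python
"""RFC 2865 RADIUS PAP exchange between a VPN router (NAS) and a RADIUS server.

Added example, not code from the cisco-nsp posts, IAS or FreeRADIUS.
All secrets, user names and addresses below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with an MD5 chain.

    This is masking keyed by the shared secret, not encryption: anyone who
    captures the packet and knows or guesses the secret recovers the password,
    so the secret must be long and random and the NAS-server path trusted.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # next mask is chained on the previous masked block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attribute TLVs: Type(1) Length(1, counts the 2 header bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def nas_access_request(username, password, secret, nas_ip, ident=0x2A, authenticator=None):
    """What the router sends; the request authenticator is 16 fresh random bytes."""
    ra = authenticator or os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def server_respond(request, secret, users):
    """Server side: unmask the password, check it, sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    # Only accounts in the VPN-only database are accepted; an unknown user or an
    # empty password is rejected rather than allowed to match an empty entry.
    ok = bool(user in users and password and hmac.compare_digest(users[user].encode(), password))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()  # no reply attributes


def nas_verify_response(response, request, secret):
    """Router side: return the reply code, or None when the identifier does not
    match or the Response Authenticator fails (spoofed reply, or a server
    configured with a different secret)."""
    req_auth = request[4:20]
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    if len(response) < 20 or header[1] != request[1]:
        return None
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    return header[0] if hmac.compare_digest(expected, resp_auth) else None


def demo():
    secret = b"constructed-shared-secret-9f3a1c"  # configured on both the 1841 and the server
    users = {"mobile01": "Tr0ub4dor&3"}  # constructed VPN-only account database
    req = nas_access_request("mobile01", "Tr0ub4dor&3", secret, "192.0.2.1")
    return nas_verify_response(server_respond(req, secret, users), req, secret)


if __name__ == "__main__":
    print("Access-Accept" if demo() == ACCESS_ACCEPT else "rejected or unverifiable")
```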
From patrickg at layer8llc.com Wed May 6 06:55:21 2009
From: patrickg at layer8llc.com (Patrick J Greene)
Date: Wed, 6 May 2009 06:55:21 -0400
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To: <20090506095758.GA1441@torres.zugschlus.de>
References: <20090506095758.GA1441@torres.zugschlus.de>
Message-ID: <4716E5BFA7B2514D84F8F8885F37799F058446DB47@mse18be2.mse18.exchange.ms>

The Windows server platform includes Internet Authentication Services (IAS) which provides RADIUS authentication against either AD or the local user database on the Windows server itself. Just install the service.

Patrick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marc Haber
Sent: Wednesday, May 06, 2009 5:58 AM
To: cisco-nsp
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows

Hi,

a small company is planning to deploy client VPN using the Cisco VPN client and an 1841 in their office. They have 50 employees, about 15 of them mobile, a couple of Windows 2003 servers (no virtualization yet) and are mostly an all-windows shop. They neither want their users to authenticate to the VPN via their Windows password (which, to my knowledge, rules out authenticating against the AD), nor do they want to use the cisco command line to generate the user accounts on the 1841 itself.

Is there a lightweight, resource-easy Radius server for Windows which can be installed on one of the existing servers which has a clickable frontend for account management? It doesn't need to be end-user safe, the admins are going to manage the account, but they cringe at the thought of doing the "conf t; foo; copy running-config startup-config" dance.

Just in case, in which price range do the "cheapest" one-time-password-token authentication schemes start for this user count?
Any hints will be appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 3221 2323190


From braaen at zcorum.com Wed May 6 07:45:58 2009
From: braaen at zcorum.com (Brian Raaen)
Date: Wed, 06 May 2009 07:45:58 -0400
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To: <4716E5BFA7B2514D84F8F8885F37799F058446DB47@mse18be2.mse18.exchange.ms>
References: <20090506095758.GA1441@torres.zugschlus.de> <4716E5BFA7B2514D84F8F8885F37799F058446DB47@mse18be2.mse18.exchange.ms>
Message-ID: <4A017876.70901@zcorum.com>

I concur with Patrick, if you already have a Windows domain/AD server install the IAS service and configure it to set up your VPN. I set up a Pix 306E to authenticate off a company's AD on one of the jobs I did. As I recall the only pain was finding out that I needed to install IAS services which is included with the default license.

--
-----------------
Brian Raaen
Network Engineer
email: /braaen at zcorum.com/

Patrick J Greene wrote:
> The Windows server platform includes Internet Authentication Services (IAS) which provides RADIUS authentication against either AD or the local user database on the Windows server itself. Just install the service.
>
> Patrick
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marc Haber
> Sent: Wednesday, May 06, 2009 5:58 AM
> To: cisco-nsp
> Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
>
> Hi,
>
> a small company is planning to deploy client VPN using the Cisco VPN
> client and an 1841 in their office. They have 50 employees, about 15
> of them mobile, a couple of Windows 2003 servers (no virtualization
> yet) and are mostly an all-windows shop. They neither want their users
> to authenticate to the VPN via their Windows password (which, to my
> knowledge, rules out authenticating against the AD), nor do they want
> to use the cisco command line to generate the user accounts on the
> 1841 itself.
>
> Is there a lightweight, resource-easy Radius server for Windows which
> can be installed on one of the existing servers which has a clickable
> frontend for account management? It doesn't need to be end-user safe,
> the admins are going to manage the account, but they cringe at the
> thought of doing the "conf t; foo; copy running-config startup-config"
> dance.
>
> Just in case, in which price range do the "cheapest"
> one-time-password-token authentication schemes start for this user
> count?
>
> Any hints will be appreciated.
>
> Greetings
> Marc
>


From lists at quux.de Wed May 6 07:57:29 2009
From: lists at quux.de (Jens Link)
Date: Wed, 06 May 2009 13:57:29 +0200
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To: <4A016EF8.3090205@flashstudy.de> (Thomas Braun's message of "Wed, 06 May 2009 13:05:28 +0200")
References: <20090506095758.GA1441@torres.zugschlus.de> <4A016EF8.3090205@flashstudy.de>
Message-ID: <87ab5qphp2.fsf@laphroiag.quux.de>

Thomas Braun writes:

> There is also a windows port of freeradius, it needs cygwin.

I remember reading something about "not for production use" on the freeradius mailing list.
> I haven't used it under windows, but under Linux you can do anything you
> want.

Excluding the GUI (Yes I know about Dialup-Admin)

Jens

--
-------------------------------------------------------------------------
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264         |
| http://www.quux.de | http://blog.quux.de   | jabber: jenslink at guug.de |
-------------------------------------------------------------------------


From mikie.simpson at gmail.com Wed May 6 08:08:50 2009
From: mikie.simpson at gmail.com (Michael Simpson)
Date: Wed, 6 May 2009 13:08:50 +0100
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To: <20090506095758.GA1441@torres.zugschlus.de>
References: <20090506095758.GA1441@torres.zugschlus.de>
Message-ID: <82abd3a70905060508k35ae61d4jea6eecddddd7e781@mail.gmail.com>

On 06/05/2009, Marc Haber wrote:
> Hi,
>
> Just in case, in which price range do the "cheapest"
> one-time-password-token authentication schemes start for this user
> count?
>

Yubikey is nice

http://www.yubico.com/home/index/

mike


From ziliomarcelo at gmail.com Wed May 6 08:11:32 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Wed, 6 May 2009 09:11:32 -0300
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
Message-ID: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com>

Hi,

I'm working in a migration of a CheckPoint Firewall to an ASA5520. I freeze on a situation that seems ASA cannot "reproduce" CheckPoint configuration. Follow the scenario:

- IP Address X on the Internet access IP Address X1 in the Inside network through the X-NAT Address.
- IP Address Y on the Internet access IP Address Y1 in the Inside network through the same X-NAT Address.

CheckPoint already does this, but I couldn't find a way to do the same with ASA. I've tried with Policy NAT, but it seems it doesn't work well to static translations. Has anyone done this before?
Any suggestions will be appreciated

Thanks
Marcelo

From sforcejr at yahoo.com Wed May 6 08:24:52 2009
From: sforcejr at yahoo.com (Johnny Ramirez Colmenares)
Date: Wed, 6 May 2009 05:24:52 -0700 (PDT)
Subject: [c-nsp] Wireless Splash Screen Cisco AP Aironet
Message-ID: <197999.78903.qm@web110416.mail.gq1.yahoo.com>

We have a guest network and I would like to redirect the users to a simple screen that welcomes them to our network, have them read our terms and continue. ...That's it. Not a login screen, just information. We have 3 Cisco Aironet 1200 series connected to the Guest VLAN. How can this be done?

JR Colmenares

From koug at intracom.gr Wed May 6 09:41:49 2009
From: koug at intracom.gr (John Kougoulos)
Date: Wed, 6 May 2009 16:41:49 +0300 (GTB Daylight Time)
Subject: [c-nsp] Wireless Splash Screen Cisco AP Aironet
In-Reply-To: <197999.78903.qm@web110416.mail.gq1.yahoo.com>
References: <197999.78903.qm@web110416.mail.gq1.yahoo.com>
Message-ID:

Hello,

have a look at the consent feature for routers
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/auth_fw.html

you can also set up something like chillispot:
http://www.chillispot.info/

Regards,
John

On Wed, 6 May 2009, Johnny Ramirez Colmenares wrote:
> We have a guest network and I would like to redirect the users to a simple
> screen that welcomes them to our network, have them read our terms and
> continue. ...That's it. Not a login screen, just information. We have 3
> Cisco Aironet 1200 series connected to the Guest VLAN. How can this be done?
> JR Colmenares
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ppauly at gmail.com Wed May 6 10:59:31 2009
From: ppauly at gmail.com (Peter Pauly)
Date: Wed, 6 May 2009 10:59:31 -0400
Subject: [c-nsp] Wireless Splash Screen Cisco AP Aironet
In-Reply-To:
References: <197999.78903.qm@web110416.mail.gq1.yahoo.com>
Message-ID:

Is it possible to use this without an AAA server? Guests typically don't have a userid and password. We just want them to agree to our usage terms.

On Wed, May 6, 2009 at 9:41 AM, John Kougoulos wrote:
> Hello,
>
> have a look at consent feature for routers
>
> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/auth_fw.html
>
> you can also setup something like chillispot:
> http://www.chillispot.info/
>
> Regards,
> John
>
> On Wed, 6 May 2009, Johnny Ramirez Colmenares wrote:
>
>> We have a guest network and I would like to redirect the users to a simple
>> screen that welcomes them to our network, have them read our terms and
>> continue. ...That's it. Not a login screen, just information. We have 3
>> Cisco Aironet 1200 series connected to the Guest VLAN. How can this be done?
>>
>> JR Colmenares
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From chris at chrisserafin.com Wed May 6 12:45:45 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Wed, 06 May 2009 11:45:45 -0500
Subject: [c-nsp] Nexus 5000?
Message-ID: <4A01BEB9.4080402@chrisserafin.com>

I have a client that Cisco is recommending the Nexus line of switches for their data center. They will be using IBM blade switches and I'm guessing these would be the 'core'.

They are looking at (2) Nexus 5010's and (2) Nexus 2000's.....totaling 60K.

I'm wondering why this would be recommended, since the only added feature of the Nexus line from Cisco.com's video is that they have 10GB ports.....and really nothing else.

I'm almost ready to recommend my favorites....3750G's for this scenario.

Anyone have real world experience working with these devices and can share comments? good or bad, and why you went with them?

Thanks

Chris

From koug at intracom.gr Wed May 6 13:02:24 2009
From: koug at intracom.gr (John Kougoulos)
Date: Wed, 6 May 2009 20:02:24 +0300 (GTB Daylight Time)
Subject: [c-nsp] Wireless Splash Screen Cisco AP Aironet
In-Reply-To:
References: <197999.78903.qm@web110416.mail.gq1.yahoo.com>
Message-ID:

I haven't tested how exactly this feature works. But you can always have in the usage terms "if you agree please login with username guest, password guest".

another thing is that you can preprint visitor access cards with username/password on them so that in case you want to locate eg. who of your visitors has a virus on his laptop that melts your router's cpu, you will be able to track him.

On Wed, 6 May 2009, Peter Pauly wrote:
> Is it possible to use this without an AAA server? Guests typically
> don't have a userid and password. We just want them to agree to our
> usage terms.
>
> On Wed, May 6, 2009 at 9:41 AM, John Kougoulos wrote:
>> Hello,
>>
>> have a look at consent feature for routers
>>
>> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/auth_fw.html
>>
>> you can also setup something like chillispot:
>> http://www.chillispot.info/
>>
>> Regards,
>> John
>>
>> On Wed, 6 May 2009, Johnny Ramirez Colmenares wrote:
>>
>>> We have a guest network and I would like to redirect the users to a simple
>>> screen that welcomes them to our network, have them read our terms and
>>> continue. ...That's it. Not a login screen, just information. We have 3
>>> Cisco Aironet 1200 series connected to the Guest VLAN. How can this be done?
>>>
>>> JR Colmenares
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>

From charles at thewybles.com Wed May 6 13:36:38 2009
From: charles at thewybles.com (Charles Wyble)
Date: Wed, 06 May 2009 10:36:38 -0700
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To:
References: <20090506095758.GA1441@torres.zugschlus.de>
Message-ID: <4A01CAA6.2020502@thewybles.com>

I agree. I set this up with Windows 2008 recently. My Linksys wireless router and my Cisco 1841 authenticate to AD. I haven't hooked it up to a VPN yet but that's possible.

As for one time passwords, http://www.wikidsystems.com/community-version and http://directory.apache.org/

I don't know why they wouldn't want users using the AD environment that's in place. That's just ridiculous in my mind. Create a specific group for VPN users, but don't have another authentication database.
Ziv Leyes wrote: > The cheapest solution is already there, Windows2003 server can act as a radius server, it doesn't have to use necessarily the same users, new users can be added to a special new group only for the VPN authentication. > Also using the AD can be useful, the user can be set to have permission to access through VPN or not, so not every user in the system can connect. > Cisco knows to interface with the above, so I don't see a reason to invest more money in another product. > All they need is someone that is good enough with Win2003 server to make it happen, the Cisco part is the easiest once the radius is set. > Hope this helps, > Ziv > > > > > > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marc Haber > Sent: Wednesday, May 06, 2009 12:58 PM > To: cisco-nsp > Subject: [c-nsp] Lightweight Radius Server for small installation and Windows > > Hi, > > a small company is planning to deploy client VPN using the Cisco VPN > client and an 1841 in their office. They have 50 employees, about 15 > of them mobile, a couple of Windows 2003 servers (no virtualization > yet) and are mostly an all-windows shop. They neither want their users > to authenticate to the VPN via their Windows password (which, to my > knowledge, rules out authenticating against the AD), nor do they want > to use the cisco command line to generate the user accounts on the > 1841 itself. > > Is there a lightweight, resource-easy Radius server for Windows which > can be installed on one of the existing servers which has a clickable > frontend for account management? It doesn't need to be end-user safe, > the admins are going to manage the account, but they cringe at the > thought of doing the "conf t; foo; copy running-config startup-config" > dance. > > Just in case, in which price range do the "cheapest" > one-time-password-token authentication schemes start for this user > count? 
>
> Any hints will be appreciated.
>
> Greetings
> Marc
>

From tvarriale at comcast.net Wed May 6 13:42:40 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 6 May 2009 12:42:40 -0500
Subject: [c-nsp] Nexus 5000?
References: <4A01BEB9.4080402@chrisserafin.com>
Message-ID: <017A14F8A2B54120866A622AE40628B3@flamdt01>

It sounds like you aren't using FC through them, so I'm guessing they were positioned as a high density, low cost 10g solution. Along with being cheaper, they will also be more green.

The 2ks are high density low cost 1g solutions.

Note there is no layer 3 on the 5ks at this time.

tv

----- Original Message -----
From: "ChrisSerafin"
To:
Sent: Wednesday, May 06, 2009 11:45 AM
Subject: [c-nsp] Nexus 5000?

> I have a client that Cisco is recommending the Nexus line of switches for
> their data center. They will be using IBM blade switches and I'm guessing
> these would be the 'core'.
>
> They are looking at (2) Nexus 5010's and (2) Nexus 2000's.....totaling
> 60K.
>
> I'm wondering why this would be recommended, since the only added feature
> of the Nexus line from Cisco.com's video is that they have 10GB
> ports.....and really nothing else.
>
> I'm almost ready to recommend my favorites....3750G's for this scenario.
>
> Anyone have real world experience working with these devices and can share
> comments? good or bad, and why you went with them?
>
> Thanks
>
> Chris
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jay-ford at uiowa.edu Wed May 6 13:28:30 2009
From: jay-ford at uiowa.edu (Jay Ford)
Date: Wed, 6 May 2009 12:28:30 -0500 (CDT)
Subject: [c-nsp] Nexus 5000?
In-Reply-To: <4A01BEB9.4080402@chrisserafin.com>
References: <4A01BEB9.4080402@chrisserafin.com>
Message-ID:

On Wed, 6 May 2009, ChrisSerafin wrote:
> I have a client that Cisco is recommending the Nexus line of switches for
> their data center. They will be using IBM blade switches and I'm guessing
> these would be the 'core'.
>
> They are looking at (2) Nexus 5010's and (2) Nexus 2000's.....totaling 60K.
>
> I'm wondering why this would be recommended, since the only added feature of
> the Nexus line from Cisco.com's video is that they have 10GB ports.....and
> really nothing else.
>
> I'm almost ready to recommend my favorites....3750G's for this scenario.
>
> Anyone have real world experience working with these devices and can share
> comments? good or bad, and why you went with them?

We don't have any yet, but we're looking at them.

Nexus 5000 pros (+) & cons (-):
+ front-to-back air flow
+ redundant power supplies & fans
+ high throughput (1.04 Tbps in 5020, 520 Gbps in 5010)
+ interface flexibility (due to SFP+ ports)
- have to buy an SFP/SFP+ module/cable for every port you want to light
- no 10/100; copper Ether is 1G only
- only first few ports (16 in 5020, 8 in 5010) can do 1G; the rest are 10G only

The Nexus 2000 fabric extender also seems limited to 1G only; no 10/100. Note that it isn't a normal switch, with port-to-port switching; all inbound edge-port traffic is sent to the uplinks for switching by the host 5000 box. This isn't necessarily a problem, but it is different.

It's a tough choice right now between established top-of-rack switches (3750, 4948, 4900m) & the Nexus boxes.
________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951

From jeff-kell at utc.edu Wed May 6 14:42:10 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 06 May 2009 14:42:10 -0400
Subject: [c-nsp] 3750/4500 as PE?
Message-ID: <4A01DA02.8090105@utc.edu>

Anyone running a 3750 or 4500 as a PE router (nothing fancy, just inter-VRF iBGP that really "imports/exports" routes)?

We have a VRF-lite network but at this point only one iBGP mesh point (PE). There are cases where some of the nodes attached to the current PE could ideally route between VRFs locally without spitting it out to the PE and back. In our case we have a "core services" VRF that is essentially imported into every VRF. It's a straight shot across the core IX subnet if I could put the "core services" presence on some of the CEs rather than the extra hop to route through the core.

Trying to avoid statics...

Jeff

From cisco-nsp at slepicka.net Wed May 6 14:58:59 2009
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Wed, 06 May 2009 13:58:59 -0500
Subject: [c-nsp] Nexus 5000?
In-Reply-To: <4A01BEB9.4080402@chrisserafin.com>
References: <4A01BEB9.4080402@chrisserafin.com>
Message-ID: <4A01DDF3.9050907@slepicka.net>

I've deployed a couple of 5020s with 2148ts because I need the 10Gb port density (for low-latency communication between a lot of 10Gb servers and for aggregation of 1Gb ports). I don't know enough of your client's requirements to say whether this is the right choice for them, but one potential deal-breaker is that the Nexus 5k is layer 2 only, so it may be inappropriate for use in the 'core'.

In any event, I haven't spent a ton of time working on these devices, but I, or members of my team, have run into a few 'issues':

* It's not IOS.
  Probably not a big deal, but there are some potential training issues, some changes in the way you normally do things, etc.
* No VTP support (yeah, I know, but I use it and like it)
* QoS support is limited (due to cut-through switching, I suppose). No DSCP, no marking functionality, ...
* 2148t ports are 1Gb only (5k SFP ports as well?). No place to plug in my cheap-o 100Mb management switches/devices.

In my opinion, if you don't need the 10Gb port density, you're probably better off with what you're already using.

James

ChrisSerafin wrote:
> I have a client that Cisco is recommending the Nexus line of switches
> for their data center. They will be using IBM blade switches and I'm
> guessing these would be the 'core'.
>
> They are looking at (2) Nexus 5010's and (2) Nexus 2000's.....totaling
> 60K.
>
> I'm wondering why this would be recommended, since the only added
> feature of the Nexus line from Cisco.com's video is that they have
> 10GB ports.....and really nothing else.
>
> I'm almost ready to recommend my favorites....3750G's for this scenario.
>
> Anyone have real world experience working with these devices and can
> share comments? good or bad, and why you went with them?
>
> Thanks
>
> Chris
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rshughes at gmail.com Wed May 6 15:04:04 2009
From: rshughes at gmail.com (Ryan Hughes)
Date: Wed, 6 May 2009 15:04:04 -0400
Subject: [c-nsp] Nexus 5000?
In-Reply-To:
References: <4A01BEB9.4080402@chrisserafin.com>
Message-ID:

The other con to deploying N2K/N5K today is that they don't yet support port channeling of 1G connections down to the hosts which is sometimes common for Oracle RAC clusters or VMware ESX environments. This will be resolved when they start supporting virtual Port-Channels in the N5K series sometime later this summer.
You can negate some of the cost of the 10G between switch and hosts through what they're calling Twinax connectivity, which is a molded SFP+ connection which has serious distance limitations (5-7m cable being the longest) for row to row connectivity but in most cases sufficient for in-rack or rack to rack connectivity. List price is around $250 per cable which includes both SFP+ to light up the connection. Cisco is additionally looking at another cost effective solution for 10G connectivity this summer called Ultra Short Reach.

You additionally cannot connect another switch up to the 2148 as it is intended only for host connectivity (BPDU Guard is enabled by default and cannot be disabled). Best description of the 2148 is that it is a remote line card off of the 5000 and cannot be used without it - similar to a linecard without the hardware forwarding capability for local traffic. But again, the price point of it makes it very attractive.

To summarize why Cisco might be leading with Nexus instead of the classic Catalyst solutions in the data center is that they've taken some of the engineering benefits of both the 4948's (redundant power, fast switching) and 3750's (stack management) and pulled that into the N5K/N2K offering without tying you into a modular switch solution that leads to some tougher cabling costs (patch panels) as you can get the switch physically closer to the host.

Ryan

On Wed, May 6, 2009 at 1:28 PM, Jay Ford wrote:
> On Wed, 6 May 2009, ChrisSerafin wrote:
>
>> I have a client that Cisco is recommending the Nexus line of switches for
>> their data center. They will be using IBM blade switches and I'm guessing
>> these would be the 'core'.
>>
>> They are looking at (2) Nexus 5010's and (2) Nexus 2000's.....totaling
>> 60K.
>>
>> I'm wondering why this would be recommended, since the only added feature
>> of the Nexus line from Cisco.com's video is that they have 10GB
>> ports.....and really nothing else.
>> >> I'm almost ready to recommend my favorites....3750G's for this scenario. >> >> Anyone have real world experience wirking with these devices and can share >> comments? good or bad, and why you went with them? >> > > We don't have any yet, but we're looking at them. > > Nexus 5000 pros (+) & cons (-): > + front-to-back air flow > + redundant power supplies & fans > + high throughput (1.04 Tbps in 5020, 520 Gbps in 5010) > + interface flexibility (due to SFP+ ports) > - have to buy an SFP/SFP+ module/cable for every port you want to light > - no 10/100; copper Ether is 1G only > - only first few ports (16 in 5020, 8 in 5010) can do 1G; > the rest are 10G only > > The Nexus 2000 fabric extender also seems limited to 1G only; no 10/100. > Note that it isn't a normal switch, with port-to-port switching; all > inbound edge-port traffic is sent to the uplinks for switching by the host > 5000 box. This isn't necessarily a problem, but it is different. > > It's a tough choice right now between established top-of-rack switches > (3750, 4948, 4900m) & the Nexus boxes. > > ________________________________________________________________________ > Jay Ford, Network Engineering Group, Information Technology Services > University of Iowa, Iowa City, IA 52242 > email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951 > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From Michael.Balasko at cityofhenderson.com Wed May 6 14:39:18 2009 From: Michael.Balasko at cityofhenderson.com (Michael Balasko) Date: Wed, 6 May 2009 11:39:18 -0700 Subject: [c-nsp] Nexus 5000? 
In-Reply-To: <017A14F8A2B54120866A622AE40628B3@flamdt01>
References: <4A01BEB9.4080402@chrisserafin.com> <017A14F8A2B54120866A622AE40628B3@flamdt01>
Message-ID: <9AF22D15085E7D409ED5710CBC779E930A2D8441@COHNTCS09.ci.henderson.nv.us>

They are OMG deep (30 inches) so make sure that doesn't cause you any issues. My understanding is that the current 5K line will NEVER do L3, but someone more internal to Cisco can confirm/rebuff that statement.

My pet peeve is that on the 5010's we bought you cannot assign an IP address to a VLAN for MGMT, you have to use the single (1) non-redundant dedicated copper management port. I understand that in most cases, that's better(tm), but for our installation it makes it a bit inconvenient, like if the switch that the 5K is connected to goes down, you can no longer manage it regardless of how much redundancy you put in place. And no, using a terminal server to access the console is not the same:)

Last tidbit, if you're not worried about Spanning tree interoperability issues, take a look at Arista Networks. We had the 7148SX in place and they were awesome minus the spanning tree issue. (We run rpvst+ here) Support was awesome, they were solid as a rock and just a good group of guys in general.

Michael Balasko CCNP,CCSP,MCSE,MCNE
Network Specialist II
City of Henderson, Nevada

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Wednesday, May 06, 2009 10:43 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Nexus 5000?

It sounds like you aren't using FC through them, so I'm guessing they were positioned as a high density, low cost 10g solution. Along with being cheaper, they will also be more green.

The 2ks are high density low cost 1g solutions.

Note there is no layer 3 on the 5ks at this time.

tv

----- Original Message -----
From: "ChrisSerafin"
To:
Sent: Wednesday, May 06, 2009 11:45 AM
Subject: [c-nsp] Nexus 5000?
> I have a client that Cisco is recommending the Nexus line of switches for
> their data center. They will be using IBM blade switches and I'm guessing
> these would be the 'core'.
>
> They are looking at (2) Nexus 5010's and (2) Nexus 2000's.....totaling
> 60K.
>
> I'm wondering why this would be recommended, since the only added feature
> of the Nexus line from Cisco.com's video is that they have 10GB
> ports.....and really nothing else.
>
> I'm almost ready to recommend my favorites....3750G's for this scenario.
>
> Anyone have real world experience working with these devices and can share
> comments? good or bad, and why you went with them?
>
> Thanks
>
> Chris
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From drew.weaver at thenap.com Wed May 6 15:36:53 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Wed, 6 May 2009 12:36:53 -0700
Subject: [c-nsp] Stupid SNMP tricks.
Message-ID:

Hey all,

I'm trying to script a few things using SNMP (data collection, mainly). I've essentially found the OIDs I need, but it seems like there is no way to separate routes by how they originate.

For example if you do an snmpwalk ... ipRouteNextHop, it shows you all of the routes in the entire system including EIGP, IGP, locally originated.

Does anyone know of any way to only get information for a specific type of route? In my case I only want to see the locally originated routes.
Thanks,
-Drew

From ross at kallisti.us Wed May 6 15:53:11 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 6 May 2009 15:53:11 -0400
Subject: [c-nsp] The mechanics of SSO
Message-ID: <20090506195311.GA8001@kallisti.us>

Hey guys,

Today, due to what appears to be a major problem in SXF13, we experienced two sequential crashes, taking out both SUPs in a 6500 within the time it takes to boot. TAC case is going.

According to the crashinfo droppings left along the way, we experienced three crashes:

1) module 6 is active SUP, IOS crashes at 13:43
2) module 5 takes over, IOS crashes at 13:52
3) module 6 is still booting, IOS crashes at 13:52

The third crash is the perplexing one. The RP crashinfo logs:
00:07:25: %CPU_MONITOR-STDBY-3-PEER_EXCEPTION: CPU_MONITOR peer has failed due to exception , reset by [6/0]

%Software-forced reload

The SP crashinfo says:
00:00:04: %PFREDUN-6-STANDBY: Initializing as STANDBY processor
[snip usual bootup messages]
00:01:39: SP-STDBY: SP: Currently running ROMMON from F1 region
00:01:42: %DIAG-SP-STDBY-6-RUN_MINIMUM: Module 6: Running Minimal Diagnostics...
00:02:03: %DIAG-SP-STDBY-6-DIAG_OK: Module 6: Passed Online Diagnostics
00:07:24: %PFREDUN-SP-STDBY-6-STANDBY: Failure of ACTIVE detected, STANDBY not ready and reset

%Software-forced reload

I guess this means there is a point in the bootup process where a supervisor that is booting as a STANDBY cannot become ACTIVE without restarting?

My guess is that this period is during the time the config is being loaded from the ACTIVE module. Can anyone confirm? Are there things that can make this potential window smaller? (compressed configs, maybe)

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From peter at rathlev.dk Wed May 6 16:00:56 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 06 May 2009 22:00:56 +0200
Subject: [c-nsp] 3750/4500 as PE?
In-Reply-To: <4A01DA02.8090105@utc.edu>
References: <4A01DA02.8090105@utc.edu>
Message-ID: <1241640056.5740.3.camel@localhost.localdomain>

On Wed, 2009-05-06 at 14:42 -0400, Jeff Kell wrote:
> Anyone running a 3750 or 4500 as a PE router (nothing fancy, just
> inter-VRF iBGP that really "imports/exports" routes)?
>
> We have a VRF-lite network but at this point only one iBGP mesh point
> (PE). There are cases where some of the nodes attached to the current
> PE could ideally route between VRFs locally without spitting it out to
> the PE and back. In our case we have a "core services" VRF that is
> essentially imported into every VRF. It's a straight shot across the
> core IX subnet if I could put the "core services" presence on some of
> the CEs rather than the extra hop to route through the core.

If you're just looking for route leaking the 3750 can do that with just the MP-BGP you might already have defined in a VRF Lite network.

Look out for TCAM starvation; the 3750 can hold ~8k routes (with the "routing" SDM template) so it might not be the best PE. Leaking between VRFs means a single prefix takes up multiple TCAM entries.

Regards,
Peter

From ncnet at sbcglobal.net Wed May 6 16:21:32 2009
From: ncnet at sbcglobal.net (Larry Stites)
Date: Wed, 06 May 2009 13:21:32 -0700
Subject: [c-nsp] alternatives to Cisco's SFPs
In-Reply-To:
Message-ID:

It's my understanding that non-Cisco SFPs which are Cisco coded have DOM "Digital Optical Monitoring" specified in the part number description, which is what Cisco specs for these units. Does anyone else have information on determining how non-Cisco SFPs are Cisco coded?

As far as 'lower quality' SFPs - counterfeits are mostly manufactured in China - so we stay away from those. Plus if the price is too good to be true, it usually is.

We have supplied the following Cisco compatible SFPs to numerous customers who installed into Cisco gear with no compatibility issues. They have been functioning for years.
These SFPs are coded to work in Cisco units:

GLC-T-OEM Cisco Compatible 1000Base-T SFP Copper 100 Meter 30-1410-02 Rev2 $179 each
SFP-GE-S-OEM Cisco Compatible 1000BASE-SX SFP Transceiver, with DOM $124 each
SFP-GE-L-OEM Cisco Compatible 1000BASE-LX/LH SFP Transceiver with DOM $169 each

1 year warranty

Best regards,

Larry E. Stites
Northern California Networks, Inc.
Nevada City, CA 95959
cell 530 320 4194
land 530 265 2588
ncnet at sbcglobal.net
IM: LESGGN

on 5/5/09 2:53 PM, Inca wrote:

> Hello,
>
> Does anyone have good experience with non-Cisco SFPs? In particular,
> we're trying to look for lower cost alternatives to GLC-T (or
> SFP-GE-T), GLC-SX-MM (SFP-GE-S) and GLC-LH-SM (SFP-GE-L). Also, any
> problem with using non-Cisco SFPs (even after enabling "service
> unsupported-transceiver")?
>
> Thanks,
> Nathan
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--

From charles at thewybles.com Wed May 6 16:29:11 2009
From: charles at thewybles.com (Charles Wyble)
Date: Wed, 06 May 2009 13:29:11 -0700
Subject: [c-nsp] The mechanics of SSO
In-Reply-To: <20090506195311.GA8001@kallisti.us>
References: <20090506195311.GA8001@kallisti.us>
Message-ID: <4A01F317.5080401@thewybles.com>

Ouch..... nasty race condition from the looks of it. Those little corner cases that are oh so very sharp.

Ross Vandegrift wrote:
> Hey guys,
>
> Today, due to what appears to be a major problem in SXF13, we
> experienced two sequential crashes, taking out both SUPs in a 6500
> within the time it takes to boot. TAC case is going.
>
> According to the crashinfo droppings left along the way, we
> experienced three crashes:
>
> 1) module 6 is active SUP, IOS crashes at 13:43
> 2) module 5 takes over, IOS crashes at 13:52
> 3) module 6 is still booting, IOS crashes at 13:52
>
> The third crash is the perplexing one.
> The RP crashinfo logs:
> 00:07:25: %CPU_MONITOR-STDBY-3-PEER_EXCEPTION: CPU_MONITOR peer has failed due to exception , reset by [6/0]
>
> %Software-forced reload
>
> The SP crashinfo says:
> 00:00:04: %PFREDUN-6-STANDBY: Initializing as STANDBY processor
> [snip usual bootup messages]
> 00:01:39: SP-STDBY: SP: Currently running ROMMON from F1 region
> 00:01:42: %DIAG-SP-STDBY-6-RUN_MINIMUM: Module 6: Running Minimal Diagnostics...
> 00:02:03: %DIAG-SP-STDBY-6-DIAG_OK: Module 6: Passed Online Diagnostics
> 00:07:24: %PFREDUN-SP-STDBY-6-STANDBY: Failure of ACTIVE detected, STANDBY not ready and reset
>
> %Software-forced reload
>
> I guess this means there is a point in the bootup process where a
> supervisor that is booting as a STANDBY cannot become ACTIVE without
> restarting?
>
> My guess is that this period is during the time the config is being
> loaded from the ACTIVE module. Can anyone confirm? Are there things
> that can make this potential window smaller? (compressed configs,
> maybe)
>

From sthaug at nethelp.no Wed May 6 16:29:59 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 06 May 2009 22:29:59 +0200 (CEST)
Subject: [c-nsp] alternatives to Cisco's SFPs
In-Reply-To:
References:
Message-ID: <20090506.222959.71094248.sthaug@nethelp.no>

> It's my understanding that non-Cisco SFPs which are Cisco coded have DOM
> "Digital Optical Monitoring" specified in the part number description, which
> is what Cisco specs for these units. Does anyone else have information on
> determining how non-Cisco SFPs are Cisco coded?

Not necessarily. Both DOM and non-DOM versions exist from alternative vendors, Cisco coded.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From jared at puck.nether.net Wed May 6 16:39:40 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 6 May 2009 16:39:40 -0400
Subject: [c-nsp] The mechanics of SSO
In-Reply-To: <4A01F317.5080401@thewybles.com>
References: <20090506195311.GA8001@kallisti.us> <4A01F317.5080401@thewybles.com>
Message-ID:

I would recommend trying to get the devices on SXF16 or SXI1 if possible. You may need to send a break and interrupt the boot process on one (hope you have good OOB and know how to do this).

This also reinforces the reason some people do not run dual processor systems. They sometimes fail in really bad ways.

- Jared

On May 6, 2009, at 4:29 PM, Charles Wyble wrote:

> Ouch..... nasty race condition from the looks of it. Those little
> corner cases that are oh so very sharp.
>
> Ross Vandegrift wrote:
>> Hey guys,
>> Today, due to what appears to be a major problem in SXF13, we
>> experienced two sequential crashes, taking out both SUPs in a 6500
>> within the time it takes to boot. TAC case is going.
>> According to the crashinfo droppings left along the way, we
>> experienced three crashes:
>> 1) module 6 is active SUP, IOS crashes at 13:43
>> 2) module 5 takes over, IOS crashes at 13:52
>> 3) module 6 is still booting, IOS crashes at 13:52
>> The third crash is the perplexing one. The RP crashinfo logs:
>> 00:07:25: %CPU_MONITOR-STDBY-3-PEER_EXCEPTION: CPU_MONITOR peer
>> has failed due to exception , reset by [6/0]
>> %Software-forced reload
>> The SP crashinfo says:
>> 00:00:04: %PFREDUN-6-STANDBY: Initializing as STANDBY processor
>> [snip usual bootup messages]
>> 00:01:39: SP-STDBY: SP: Currently running ROMMON from F1 region
>> 00:01:42: %DIAG-SP-STDBY-6-RUN_MINIMUM: Module 6: Running Minimal
>> Diagnostics...
>> 00:02:03: %DIAG-SP-STDBY-6-DIAG_OK: Module 6: Passed Online Diagnostics
>> 00:07:24: %PFREDUN-SP-STDBY-6-STANDBY: Failure of ACTIVE detected, STANDBY not ready and reset
>> %Software-forced reload
>> I guess this means there is a point in the bootup process where a supervisor that is booting as a STANDBY cannot become ACTIVE without restarting?
>> My guess is that this period is during the time the config is being loaded from the ACTIVE module. Can anyone confirm? Are there things that can make this potential window smaller? (compressed configs, maybe)
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ross at kallisti.us Wed May 6 16:50:04 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 6 May 2009 16:50:04 -0400
Subject: [c-nsp] The mechanics of SSO
In-Reply-To:
References: <20090506195311.GA8001@kallisti.us> <4A01F317.5080401@thewybles.com>
Message-ID: <20090506205004.GA8553@kallisti.us>

On Wed, May 06, 2009 at 04:39:40PM -0400, Jared Mauch wrote:
> I would recommend trying to get the devices on SXF16 or SXI1 if possible. You may need to send a break and interrupt the boot process on one (hope you have good OOB and know how to do this).

What do you mean "you may need to send a break and interrupt the boot process on one"? I mean, I know how to do that, and know why I might under a variety of conditions, but what circumstances are you referring to?

We've been stuck on SXF because of the CSM, but after hitting this bug, we'll be spinning up our CSMs in a spare chassis just so we can avoid the bug that started the whole damn thing.

> This also reinforces the reason some people do not run dual processor systems. They sometimes fail in really bad ways.

Indeed, though honestly, it was no worse than the reboot time we'd see from a single SUP.
And it has saved me before.

I can imagine that others may have seen much worse from dual SUPs :)

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From brhedlun at cisco.com Wed May 6 16:58:01 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Wed, 06 May 2009 15:58:01 -0500
Subject: [c-nsp] Nexus 5000?
In-Reply-To: <9AF22D15085E7D409ED5710CBC779E930A2D8441@COHNTCS09.ci.henderson.nv.us>
Message-ID:

On 5/6/09 1:39 PM, "Michael Balasko" wrote:
> My understanding is that the current 5K line will NEVER do L3, but someone more internal to Cisco can confirm/rebuff that statement.

This is true. Nexus 5000 is a low latency cut through switching architecture. High performance and low price per port 10G server access connections is where Nexus 5000 was designed to fit, not to mention unified server I/O.

> My pet peeve is that on the 5010's we bought you cannot assign an IP address to a VLAN for MGMT, you have to use the single (1) non-redundant dedicated copper management port.

Actually, you can assign an IP address to a VLAN for management. First you need to enable 'feature interface-vlan'. From there create an interface vlan for MGMT and assign it an IP address and away you go.

Cheers,
Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From charles at thewybles.com Wed May 6 17:04:45 2009
From: charles at thewybles.com (Charles Wyble)
Date: Wed, 06 May 2009 14:04:45 -0700
Subject: [c-nsp] Nexus 5000?
In-Reply-To:
References: <4A01BEB9.4080402@chrisserafin.com>
Message-ID: <4A01FB6D.10703@thewybles.com>

> - no 10/100; copper Ether is 1G only

Why? Can't the silicon do 10/100/1000? I mean that is what most kit is sold as right? I mean granted many folks have 1gbps ports on their kit.... but it almost seems like they go out of their way to avoid the 10/100 compatibility.
From mhuff at ox.com Wed May 6 17:48:15 2009
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 6 May 2009 17:48:15 -0400
Subject: [c-nsp] Nexus 5000?
In-Reply-To: <4A01FB6D.10703@thewybles.com>
References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com>

It's an SFP port rather than a copper 10/100/1000. Every Cisco SFP port fiber or copper is 1g only.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Charles Wyble
Sent: Wednesday, May 06, 2009 5:05 PM
To: Jay Ford
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Nexus 5000?

> - no 10/100; copper Ether is 1G only

Why? Can't the silicon do 10/100/1000? I mean that is what most kit is sold as right? I mean granted many folks have 1gbps ports on their kit.... but it almost seems like they go out of their way to avoid the 10/100 compatibility.

From misha at netspark.org Wed May 6 19:02:56 2009
From: misha at netspark.org (Michael)
Date: Thu, 7 May 2009 03:02:56 +0400
Subject: [c-nsp] Wireless Splash Screen Cisco AP Aironet
In-Reply-To:
References: <197999.78903.qm@web110416.mail.gq1.yahoo.com>
Message-ID: <20090506230256.GA3418@netspark.org>

Peter Pauly wrote:
> Is it possible to use this without a AAA server? Guests typically don't have a userid and password. We just want them to agree to our usage terms.

Sorry, just being curious, what would you do if a client clicks "I don't agree"?
From ibrahim.abozaid at gmail.com Wed May 6 19:03:44 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Thu, 7 May 2009 02:03:44 +0300 Subject: [c-nsp] The mechanics of SSO In-Reply-To: <20090506205004.GA8553@kallisti.us> References: <20090506195311.GA8001@kallisti.us> <4A01F317.5080401@thewybles.com> <20090506205004.GA8553@kallisti.us> Message-ID: Hi Ross actually i can't get if SUP running SSO why you think configuration will be loaded from active to standby during switchover ? ! SSO maintains control plane and data plane resiliency and both SUP have active IOS image and synchronized configuration best regards --Ibrahim On Wed, May 6, 2009 at 11:50 PM, Ross Vandegrift wrote: > On Wed, May 06, 2009 at 04:39:40PM -0400, Jared Mauch wrote: > > I would recommend trying to get the devices on SXF16 or SXI1 if > > possible. You may need to send a break and interrupt the boot process > > on one (hope you have good OOB and know how to do this). > > What do you mean "you may need to send a break and interrupt the boot > process on one"? I mean, I know how to do that, and know why I might > under a variety of conditions, but what circumstances are you > referring to? > > We've been stuck on SXF becasue of the CSM, but after hitting this > bug, we'll be spinning up our CSMs in a spare chassis just so we can > avoid the bug that started the whole damn thing. > > > This is also reinforces the reason some people do not run dual > > processor systems. They sometimes fail in really bad ways. > > Indeed, though honestly, it was no worse than the reboot time we'd see > from a single SUP. And it has saved me before. > > I can imagine that others may have seen much worse from dual SUPs :) > > -- > Ross Vandegrift > ross at kallisti.us > > "If the fight gets hot, the songs get hotter. If the going gets tough, > the songs get tougher." 
> --Woody Guthrie > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From lobo at allstream.net Wed May 6 19:40:15 2009 From: lobo at allstream.net (Jose) Date: Wed, 06 May 2009 19:40:15 -0400 Subject: [c-nsp] Loose uRPF behaving like strict mode on 7600 In-Reply-To: References: <49F91A9A.9060403@allstream.net> Message-ID: <4A021FDF.3030100@allstream.net> Well, according to the TAC case I had opened on this, it seems that because the SUP32 has its TCAM full and is getting exception errors (it has the full internet routing tables), this is likely the culprit to why uRPF in loose mode is not behaving as expected. I guess this is more fuel for the fire to get these gateways upgraded to something more robust. Jose Jon Lewis wrote: > On Wed, 29 Apr 2009, Jose wrote: > >> I was wondering if someone might have an explanation as to why we >> encountered an issue with uRPF (loose mode) when we tried enabling it >> on our upstream facing links. We have 2 x 7603s w/ SUP32 acting as >> our Gwy routers and our transit providers connect into them (one on >> each gwy + private peers). We are fed from each of them the entire >> internet table along with a default route. >> >> Now I know that we are multi-homed and obviously have asymmetrical >> routing occurring so I decided to implement loose uRPF on the >> interfaces: ip verify unicast source reachable-via any >> >> However shortly after enabling it we got calls that our customers >> could not reach parts of the internet. Specifically destinations >> where the packets would travel over the links that had RPF enabled on >> them and were our transits. Traffic to and from our private peers >> appeared fine though with RPF. Pings to our internal CIDRs from >> external route-servers would fail as well so long as the path was >> over the transits. 
Disabling RPF on the interfaces resolved the problem immediately.
>>
>> From my understanding of this feature, it would seem as if the RPF check was working in strict mode vs loose mode. Could there have been something that we missed? Should the "allow-default" be used in this case? I've never had to use it before when I've implemented loose mode in other environments.
>>
>> The 7603s are running 12.2(18)SXF11 Advanced IP Services.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/hybrid/release/notes/ol_4563.html#wp210802
>
> ----------------------------------------------------------------------
> Jon Lewis                   | I route
> Senior Network Engineer     | therefore you are
> Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From ddelaros at cisco.com Wed May 6 20:10:53 2009
From: ddelaros at cisco.com (Daniel de la Rosa (ddelaros))
Date: Wed, 6 May 2009 17:10:53 -0700
Subject: [c-nsp] Cisco 7304/NSE-100 L2TP session problem
In-Reply-To: <1240614163.20989.19.camel@wks02.probe-networks.de>
References: <1240614163.20989.19.camel@wks02.probe-networks.de>
Message-ID: <8575A1BA6D8006418FD2CD73FCC2B2E6098871AC@xmb-sjc-231.amer.cisco.com>

Probably too late to resolve this issue.. but at least for the record.. 7304/NSE100 doesn't officially support DSL/L2TPv2 aggregation, so that's why you can configure this but it just doesn't work..

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jonas Frey
> Sent: Friday, April 24, 2009 4:03 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 7304/NSE-100 L2TP session problem
>
> Hello,
>
> I am using a 7304 w/NSE-100 for DSL aggregation.
Am running 12.2.33SB5 now (also tried 12.2.31 and 12.2.28).
> However I can't get things to work, L2TP tunnels are getting established but as soon as sessions are coming in they are getting closed. My config as follows:
>
> virtual-profile if-needed
> vpdn enable
> vpdn multihop
> vpdn logging
> vpdn logging local
> vpdn logging remote
> vpdn logging user
> vpdn logging tunnel-drop
>
> vpdn-group 2
>  accept-dialin
>   protocol l2tp
>   virtual-template 2
>  session-limit 1000
>  terminate-from hostname xxxxxxxxx
>  source-ip x.x.x.x
>  local name xxxx
>  lcp renegotiation always
>  l2tp tunnel password 7 xxx
>  l2tp tunnel receive-window 100
>  l2tp tunnel retransmit timeout min 2
>
> interface Virtual-Template2
>  mtu 1492
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip proxy-arp
>  ip mtu 1492
>  no logging event link-status
>  peer default ip address pool test1
>  keepalive 60
>  ppp mtu adaptive
>  ppp authentication pap ADSL
>  ppp authorization ADSL
>  ppp accounting ADSL
>  no clns route-cache
>
> As for errors I do get these:
>
> 00:18:35: %VPDN-4-MIDERROR: L2TP LNS xxxx unable to terminate user shdsl-0/001; Result 1, Error 1, Dataplane down
>
> note: 12.2.31 and 12.2.28 give a different message:
>
> 00:49:37: %VPDN-6-CLOSED: L2TP LNS xxxx closed user shdsl-0/001; Result 1, Error 0, nas-error/VPDN Carrier Loss
>
> Also the system prints the following error from time to time:
>
> 00:18:39: %SW_MGR-3-CM_ERROR: Connection Manager Error - provision segment failed [ADJ:L2TP:5041] - hardware platform error.
> -Traceback= 40812F84 408134C8 41177478 4117754C 42123DC8 41174DD0 > 42A0FEF4 42A0FFB4 411757F8 41175988 41166FB8 42A0FEF4 42A0FFB4 41167BC0 > 411627C4 41166250 > > And debug vodn l2x-events gives: > > 00:21:21: L2TP _____:032E1:0000C9C5: Open sock > x.x.x.x:1701->y.y.y.y:1701 > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn ev Sock-Ready > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn in Wt-Rx-ICCN > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn do Ignore-Sock-Up > 00:21:21: L2TP _____:032E1:0000C9C5: > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn ev DP-Setup > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn in Wt-Rx-ICCN > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn do Ignore-DP-Setup > 00:21:21: L2TP tnl 162F2:0000ABED: Congestion Control event received > is positive acknowledgement > 00:21:21: L2TP tnl 162F2:0000ABED: Congestion Window size, Cwnd 2 > 00:21:21: L2TP tnl 162F2:0000ABED: Slow Start threshold, Ssthresh 8 > 00:21:21: L2TP tnl 162F2:0000ABED: Remote Window size, 8 > 00:21:21: L2TP tnl 162F2:0000ABED: Congestion Ctrl Mode is Slow Start > 00:21:21: L2TP tnl 162F2:0000ABED: FSM-CC ev Rx-SCCCN > 00:21:21: L2TP tnl 162F2:0000ABED: FSM-CC Wt-SCCCN->Proc-SCCCN > 00:21:21: L2TP tnl 162F2:0000ABED: FSM-CC do Rx-SCCCN > 00:21:21: L2TP tnl 162F2:0000ABED: Got a response in SCCCN from xxxx > 00:21:21: L2TP tnl 162F2:0000ABED: Tunnel Authentication success > 00:21:21: L2TP tnl 162F2:0000ABED: Control connection authentication > skipped/passed. > 00:21:21: L2TP tnl 162F2:0000ABED: FSM-CC ev SCCCN-OK > 00:21:21: L2TP tnl 162F2:0000ABED: FSM-CC Proc-SCCCN->established > 00:21:21: L2TP tnl 162F2:0000ABED: FSM-CC do Established > 00:21:21: L2TP tnl 162F2:0000ABED: Control channel up > 00:21:21: L2TP tnl 162F2:0000ABED: x.x.x.x<->y.y.y.y > 00:21:21: L2TP tnl 162F2:0000ABED: Control connection authentication > skipped/passed. 
> 00:21:21: L2X _____:_____:________: Create logical session > 00:21:21: L2TP _____:_____:________: Create session > 00:21:21: L2TP _____:_____:________: Using ICRQ FSM > 00:21:21: L2TP _____:_____:________: FSM-Sn ev created > 00:21:21: L2TP _____:_____:________: FSM-Sn Init->Idle > 00:21:21: L2TP _____:_____:________: FSM-Sn do none > 00:21:21: L2TP _____:_____:________: remote ip set to y.y.y.y > 00:21:21: L2TP _____:_____:________: local ip set to x.x.x.x > 00:21:21: L2TP tnl 162F2:0000ABED: FSM-CC ev Session-Conn > 00:21:21: L2TP tnl 162F2:0000ABED: FSM-CC in established > 00:21:21: L2TP tnl 162F2:0000ABED: FSM-CC do Session-Conn-Est > 00:21:21: L2TP tnl 162F2:0000ABED: Session count now 1 > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn ev CC-Up > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn in Idle > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn do CC-Up-Ignore0-1 > 00:21:21: L2TP _____:162F2:00004873: Session attached > 00:21:21: L2TP _____:162F2:00004873: no cookies enabled > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn ev Rx-ICRQ > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn Idle->Proc-ICRQ > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn do Rx-ICRQ > 00:21:21: L2TP _____:162F2:00004873: Chose application VPDN > 00:21:21: L2TP _____:162F2:00004873: App type set to VPDN > 00:21:21: L2TP tnl 162F2:0000ABED: VPDN Session count now 1 > 00:21:21: L2TP _____:162F2:00004873: VPDN: process AVPs > 00:21:21: L2TP _____:162F2:00004873: Local AC is now UP > 00:21:21: L2TP _____:162F2:00004873: Remote AC is now UP > 00:21:21: L2TP _____:162F2:00004873: > 00:21:21: L2TP tnl 032E1:00006170: Control connection authentication > skipped/passed. 
> 00:21:21: L2TP tnl 032E1:00006170: Congestion Control event received > is positive acknowledgement > 00:21:21: L2TP tnl 032E1:00006170: Congestion Window size, Cwnd 7 > 00:21:21: L2TP tnl 032E1:00006170: Slow Start threshold, Ssthresh 64 > 00:21:21: L2TP tnl 032E1:00006170: Remote Window size, 64 > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn ev Rx-ICCN > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn Wt-Rx-ICCN->Proc-ICCN > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn do Rx-ICCN > 00:21:21: L2TP _____:032E1:0000C9C5: MTU is 65535 > 00:21:21: L2TP _____:032E1:0000C9C5: Session data plane UP > 00:21:21: L2TP _____:032E1:0000C9C5: VPDN: process AVPs > 00:21:21: L2TP _____:032E1:0000C9C5: > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn ev ICCN-OK > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn Proc-ICCN->established > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn do Established > 00:21:21: L2TP _____:032E1:0000C9C5: Session up > 00:21:21: L2TP _____:032E1:0000C9C5: x.x.x.x<->y.y.y.y > 00:21:21: L2X:Session DB (Tnl/Sn: 24944/51653): Stored the switching > session in the session DB > 00:21:21: L2TP:(Tnl24944:Sn51653)L2X s/w switching session provisioned > 00:21:21: L2TP _____:032E1:0000C9C5: Received a SSM L2TP segment down > event > 00:21:21: L2TP _____:032E1:0000C9C5: > 00:21:21: L2TUN APP: uid:119handle/5217Destroying app session > 00:21:21: L2TUN APP: uid:119handle/5217Stopping service selection > 00:21:21: L2TP _____:162F2:00004873: App type set to VPDN > 00:21:21: L2TP _____:162F2:00004873: Conditional debugging is enabled > 00:21:21: L2TP _____:162F2:00004873: UDP checksum ignore is enabled > 00:21:21: L2TP _____:162F2:00004873: Framing set to sync > 00:21:21: L2TP _____:162F2:00004873: Bearer set to none > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn ev ICRQ-OK > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn Proc-ICRQ->Wt-Tx-ICRP > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn do Tx-ICRP-Local-Check > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn ev Local-Cont > 00:21:21: L2TP 
_____:162F2:00004873: FSM-Sn Wt-Tx-ICRP->Wt-Rx-ICCN > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn do Tx-ICRP > 00:21:21: L2TP _____:162F2:00004873: Open sock > x.x.x.x:1701->y.y.y.y:1701 > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn ev Sock-Ready > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn in Wt-Rx-ICCN > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn do Ignore-Sock-Up > 00:21:21: L2TP _____:162F2:00004873: > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn ev DP-Setup > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn in Wt-Rx-ICCN > 00:21:21: L2TP _____:162F2:00004873: FSM-Sn do Ignore-DP-Setup > 00:21:21: L2TP _____:032E1:0000C9C5: > 00:21:21: L2TP _____:032E1:0000C9C5: App type set to VPDN > 00:21:21: L2TP _____:032E1:0000C9C5: Framing set to sync > 00:21:21: L2TP _____:032E1:0000C9C5: Bearer set to none > 00:21:21: L2TP _____:032E1:0000C9C5: > 00:21:21: L2TP _____:032E1:0000C9C5: Shutting down session > 00:21:21: L2TP _____:032E1:0000C9C5: Result Code > 00:21:21: L2TP _____:032E1:0000C9C5: Loss of carrier (1) > 00:21:21: L2TP _____:032E1:0000C9C5: Error Code > 00:21:21: L2TP _____:032E1:0000C9C5: No error (0) > 00:21:21: L2TP _____:032E1:0000C9C5: Vendor Error > 00:21:21: L2TP _____:032E1:0000C9C5: None (0) > 00:21:21: L2TP _____:032E1:0000C9C5: Optional Message > 00:21:21: L2TP _____:032E1:0000C9C5: "Dataplane down" > 00:21:21: L2TP _____:032E1:0000C9C5: > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn ev App-Disc > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn in established > 00:21:21: L2TP _____:032E1:0000C9C5: FSM-Sn do App-Disc-Active > 00:21:21: L2TP _____:032E1:0000C9C5: Session down > 00:21:21: L2TP _____:032E1:0000C9C5: x.x.x.x<->y.y.y.y > 00:21:21: L2TP _____:032E1:0000C9C5: Destroying session > 00:21:21: L2TP _____:032E1:0000C9C5: Request teardown data plane > 00:21:21: L2TP tnl 032E1:00006170: FSM-CC ev Session-Disc > 00:21:21: L2TP tnl 032E1:00006170: FSM-CC in established > 00:21:21: L2TP tnl 032E1:00006170: FSM-CC do Session-Disc-Est > 00:21:21: L2TP tnl 
032E1:00006170: Session count now 0
> 00:21:21: L2TP tnl 032E1:00006170: VPDN Session count now 0
> 00:21:21: L2TP tnl 032E1:00006170: FSM-CC ev No-Users
> 00:21:21: L2TP tnl 032E1:00006170: FSM-CC established->Est-No-User
> 00:21:21: L2TP tnl 032E1:00006170: FSM-CC do No-Users
> 00:21:21: L2TP tnl 032E1:00006170: No more cc users, shutdown (likely) in 15 secs
> 00:21:21: L2TP _____:_____:________: Session detached
> 00:21:21: L2X _____:_____:________: Destroying logical session
> 00:21:21: L2TP:(Tnl24944:Sn51653)L2X s/w switching session unprovisioned
> 00:21:21: L2X:Session DB (Tnl/Sn: 24944/51653): Removed the switching session from the session DB
>
> Does anyone have any idea how to solve this? Unfortunately I do not have access to the LAC as to where these tunnels are coming from.
>
> Regards,
> Jonas

From Charles at thewybles.com Wed May 6 20:20:16 2009
From: Charles at thewybles.com (Charles at thewybles.com)
Date: Thu, 7 May 2009 00:20:16 +0000
Subject: [c-nsp] Wireless Splash Screen Cisco AP Aironet
Message-ID: <1058580608-1241655632-cardhu_decombobulator_blackberry.rim.net-1440766366-@bxe1197.bisx.prod.on.blackberry>

Which is entirely possible on an ATM/kiosk style interface.

------Original Message------
From: Michael
Sender: cisco-nsp-bounces at puck.nether.net
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Wireless Splash Screen Cisco AP Aironet
Sent: May 6, 2009 4:02 PM

Peter Pauly wrote:
> Is it possible to use this without a AAA server? Guests typically don't have a userid and password. We just want them to agree to our usage terms.

Sorry, just being curious, what would you do if a client clicks "I don't agree"?
Sent via BlackBerry from T-Mobile

From Charles at thewybles.com Wed May 6 20:24:16 2009
From: Charles at thewybles.com (Charles at thewybles.com)
Date: Thu, 7 May 2009 00:24:16 +0000
Subject: [c-nsp] Nexus 5000?
Message-ID: <1076676110-1241655871-cardhu_decombobulator_blackberry.rim.net-580942233-@bxe1197.bisx.prod.on.blackberry>

Ah. Makes sense.

------Original Message------
From: Matthew Huff
To: Charles Wyble
To: Jay Ford
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Nexus 5000?
Sent: May 6, 2009 2:48 PM

It's an SFP port rather than a copper 10/100/1000. Every Cisco SFP port fiber or copper is 1g only.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Charles Wyble
Sent: Wednesday, May 06, 2009 5:05 PM
To: Jay Ford
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Nexus 5000?

> - no 10/100; copper Ether is 1G only

Why? Can't the silicon do 10/100/1000? I mean that is what most kit is sold as right? I mean granted many folks have 1gbps ports on their kit.... but it almost seems like they go out of their way to avoid the 10/100 compatibility.
Sent via BlackBerry from T-Mobile

From andy.saykao at staff.netspace.net.au Thu May 7 01:17:32 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 7 May 2009 15:17:32 +1000
Subject: [c-nsp] How to apply individual QoS policies to on an ingress Interface?
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654D84@vic-cr-ex1.staff.netspace.net.au>

Hi All,

I know you can only have one service-policy in/out on an interface - but what if you need to rate limit multiple IP's that transit through the interface???

A bit of background first...

We have several customers (100's of them) who we handle the IP/Internet side of things for and we use another Provider to provide the physical side of things (layer 2 hand off). Physical topology looks like this:

Customer #1 to #100 --- (10Mb) --> Provider A --- (400Mb) --> Netspace ---> Internet

Provider A currently provides the customer with a 10Mb/sec connection and we would like to rate limit some of these customers to 2Mb, and others to 4Mb at our ingress, etc.. Is this possible without needing a class-map and policy-map for each customer???

The config on our border router that peers with Provider A looks like this:

interface GigabitEthernet0/1.120
 description Interconnect with Provider A
 bandwidth 400000
 encapsulation dot1Q 120
 ip address 203.17.98.x 255.255.255.252
 service-policy input POLICY-RATE-LIMIT
 service-policy output POLICY-RATE-LIMIT

We currently route the customer's IP through that interface and apply a policy-map on the interface.

ip route 202.45.102.248 255.255.255.248 203.17.98.y
ip route 202.45.118.132 255.255.255.252 203.17.98.y

Each customer IP is then placed into an ACL for each class of service (eg: IP's that receive 2Mb go into ACL-TEST-2MB, etc).
ip access-list extended ACL-TEST-2MB
 remark Customer #1
 permit ip any host 202.45.118.134
 permit ip host 202.45.118.134 any
 remark Customer #2
 permit ip any host 202.45.102.250
 permit ip host 202.45.102.250 any
!
class-map match-all RATE-LIMIT-2MB
 match access-group name ACL-TEST-2MB
!
policy-map POLICY-RATE-LIMIT
 class RATE-LIMIT-2MB
  police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop

However, when I went to lab this up, each customer IP did not receive their full bandwidth allocation but were instead using the shared bandwidth with all the other customer IP's in the same ACL. My lab demonstrated that Customer #1 and #2 were both sharing the allotted 2Mb bandwidth whilst both were doing a download (eg: Customer #1 50-70KB/sec and Customer #2 150-175KB/sec). When I cancelled the download of Customer #2, Customer #1's transfer rate increased to use the entire 2Mb and vice versa if I had cancelled Customer #1's download.

If my understanding is correct, all the IP's in the ACL end up sharing the 2Mb bandwidth as if it was just one big pipe (or bucket) rather than each customer IP having its own little 2Mb bucket (which is what I want to see happen).

I think to get around this, each customer needs their own class-map and policy-map like so:

class-map match-all CUSTOMER1-2MB
 match access-group name ACL-CUSTOMER1
class-map match-all CUSTOMER2-2MB
 match access-group name ACL-CUSTOMER2
!
policy-map POLICY-RATE-LIMIT
 class CUSTOMER1-2MB
  police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop
 class CUSTOMER2-2MB
  police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop
!
ip access-list extended ACL-CUSTOMER1
 permit ip any host 202.45.118.134
 permit ip host 202.45.118.134 any
ip access-list extended ACL-CUSTOMER2
 permit ip any host 202.45.102.250
 permit ip host 202.45.102.250 any

The policy-map applied to the interface remains the same.

interface GigabitEthernet0/1.120
 service-policy input POLICY-RATE-LIMIT
 service-policy output POLICY-RATE-LIMIT

So my question really is, do we need a class-map and policy-map for each customer or is there a more elegant solution. Can't imagine having to configure 100's of class-maps, policy-maps and ACL's for each customer or the impact to the CPU if it has to go through 100's of classes to find a match :)

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From rocker.rockerfeller at gmail.com Thu May 7 01:22:11 2009
From: rocker.rockerfeller at gmail.com (Rocker Feller)
Date: Thu, 7 May 2009 08:22:11 +0300
Subject: [c-nsp] Multiple BGP sessions on one router.
Message-ID: <2299bfcb0905062222u50032dd0hd2df873a8a5969b7@mail.gmail.com>

Morning,

I have been working with BGP for a few months now and am trying to get a grasp of it.

I have an assignment that requires to have multiple bgp sessions running on a single router and the prefixes advertised from each prefix appearing so.

Does this make sense? Am a bit foggy on this and would appreciate any direction/advice on how this can be achieved.

What do I want to achieve?
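Andy Saykao's lab result above (two customer IPs matched by one class, both sharing a single 2Mb policer) can be reproduced with a small simulation. This is an added example, not code from the thread or from Cisco: it models his `police 2000000 375000 750000 ... violate-action drop` statement as an RFC 2697 single-rate three-colour policer, and the customer names, offered rate, packet size and round-robin arrival pattern are constructed inputs; real IOS policers differ in detail, but the shared-bucket effect is the same.

```python
"""Simulate a single-rate three-colour policer (RFC 2697) to show why two
customer IPs matched by one class share one 2 Mb/s bucket, and what changes
when each customer gets its own policer.

Added example, not from the cisco-nsp thread.  Policer parameters come from
Andy's policy-map (police 2000000 375000 750000, conform/exceed transmit,
violate drop); customers, offered rate and packet size are constructed.
"""

from dataclasses import dataclass

# From Andy's policy-map: CIR in bit/s, Bc and Be in bytes.
CIR_BPS = 2_000_000
BC_BYTES = 375_000
BE_BYTES = 750_000


@dataclass
class SingleRatePolicer:
    """RFC 2697 srTCM: a committed bucket (Bc) and an excess bucket (Be),
    both fed from the same CIR.  Conform and exceed are transmitted and
    violate is dropped, matching Andy's actions."""
    cir_bps: int
    bc_bytes: int
    be_bytes: int

    def __post_init__(self):
        self.tc = float(self.bc_bytes)   # both buckets start full
        self.te = float(self.be_bytes)

    def refill(self, dt_s: float) -> None:
        """Add CIR*dt tokens to Bc; whatever overflows Bc spills into Be."""
        self.tc += self.cir_bps * dt_s / 8.0
        if self.tc > self.bc_bytes:
            self.te = min(self.be_bytes, self.te + (self.tc - self.bc_bytes))
            self.tc = float(self.bc_bytes)

    def colour(self, size_bytes: int) -> str:
        """Colour one packet and consume its tokens."""
        if self.tc >= size_bytes:
            self.tc -= size_bytes
            return "conform"
        if self.te >= size_bytes:
            self.te -= size_bytes
            return "exceed"
        return "violate"


def simulate(customers, offered_bps, per_customer, duration_s=60.0,
             dt_s=0.01, pkt_bytes=1500):
    """Return bytes delivered per customer.

    per_customer=False: one policer for the whole class (Andy's first lab,
    ACL-TEST-2MB with both customers in it).
    per_customer=True:  one policer per customer (his proposed fix).
    Every customer offers offered_bps continuously; packets are served
    round-robin within each time step (a constructed, deterministic
    stand-in for interleaved arrivals)."""
    if per_customer:
        policers = {c: SingleRatePolicer(CIR_BPS, BC_BYTES, BE_BYTES)
                    for c in customers}
    else:
        shared = SingleRatePolicer(CIR_BPS, BC_BYTES, BE_BYTES)
        policers = {c: shared for c in customers}
    distinct = list({id(p): p for p in policers.values()}.values())

    delivered = {c: 0 for c in customers}
    pkts_per_step = int(offered_bps * dt_s / 8 // pkt_bytes)
    for _ in range(int(duration_s / dt_s)):
        for p in distinct:            # refill each policer once per step
            p.refill(dt_s)
        for _ in range(pkts_per_step):
            for c in customers:
                if policers[c].colour(pkt_bytes) != "violate":
                    delivered[c] += pkt_bytes
    return delivered


def to_kbytes_per_s(delivered, duration_s=60.0):
    """Average delivered rate in KB/s, the unit Andy quoted from his lab.
    Slightly above CIR/8 because the initially full Bc+Be (1.125 MB) is
    delivered on top of the committed rate."""
    return {c: round(b / duration_s / 1000, 1) for c, b in delivered.items()}


if __name__ == "__main__":
    custs = ["Customer #1", "Customer #2"]
    for mode in (False, True):
        res = simulate(custs, offered_bps=4_800_000, per_customer=mode)
        label = "per-customer policers" if mode else "one shared policer"
        print(label, to_kbytes_per_s(res))
```

With one shared policer the two customers together get roughly 2 Mb/s and the split between them depends only on arrival order, which is the behaviour Andy measured; with a policer per class each customer gets its own 2 Mb/s.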
In short I want to consolidate two AS numbers into one.

Which options do I have to achieve this and with minimal disruptions to my customers?

Many Thanks
Rocker.

From David at Hughes.com.au Thu May 7 02:50:53 2009
From: David at Hughes.com.au (David Hughes)
Date: Thu, 7 May 2009 16:50:53 +1000
Subject: [c-nsp] Nexus 5000?
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com>
References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com>
Message-ID:

On 07/05/2009, at 7:48 AM, Matthew Huff wrote:
> It's an SFP port rather than a copper 10/100/1000. Every Cisco SFP port fiber or copper is 1g only.

Annoyingly, the current Nexus 2000 FEX box (2148T) offers GigE only copper ports (1G-BASE-T via RJ45) which is a real shame as it's a nice way to get sub-10GE connectivity into a 5k. 10/100/1000 would have been nice on a FEX box - not sure if that may be available in a future model though.

David
...

From peter at rathlev.dk Thu May 7 03:08:08 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 07 May 2009 09:08:08 +0200
Subject: [c-nsp] Multiple BGP sessions on one router.
In-Reply-To: <2299bfcb0905062222u50032dd0hd2df873a8a5969b7@mail.gmail.com>
References: <2299bfcb0905062222u50032dd0hd2df873a8a5969b7@mail.gmail.com>
Message-ID: <1241680088.3434.5.camel@localhost.localdomain>

On Thu, 2009-05-07 at 08:22 +0300, Rocker Feller wrote:
> I have been working with BGP for a few months now and am trying to get a grasp of it.
>
> I have an assignment that requires to have multiple bgp sessions running on a single router and the prefixes advertised from each prefix appearing so.
>
> Does this make sense? Am a bit foggy on this and would appreciate any direction/advice on how this can be achieved.
>
> What do I want to achieve?
> In short I want to consolidate two AS numbers into one.

AFAIK you can't have two BGP instances on one Cisco device.
You can do something else though, namely use "local-as" on your neighbor session. This would present your router as belonging to another AS.

+--------+          +--------+
| AS 100 |----------| AS 200 |
+--------+          +--------+

If you're on the left, paths from you would normally look like e.g. "100 i" to the ASBR in AS 200. If you configure "local-as 300" he would instead see "300 100 i", as if you stuck the other AS in between you. From your side his paths would look like "300 200 i".

> Which options do I have to achieve this and with minimal disruptions to my customers?

Changing local-as requires the session to be reset to take effect.

Regards,
Peter

From Ronny.Faessler at srgssrideesuisse.ch Thu May 7 03:17:34 2009
From: Ronny.Faessler at srgssrideesuisse.ch (Fässler, Ronny)
Date: Thu, 7 May 2009 09:17:34 +0200
Subject: [c-nsp] 3750/4500 as PE? (Peter Rathlev)
In-Reply-To:
References:
Message-ID: <4D958EB6FC3CC442B053B06F57497F7E01225832@seginus.GD.AD.PROD>

Hi Jeff,

We have a Metro Network with 3750 Stacks, Vlan in between, Vrf Lite on the Boxes, EIGRP as Core Routing Protocol,.... Works quite well as long as you don't do special things like Multicast (Cisco means: not recommended on this Setup ;-)), Advanced QOS (Box has just 4 Hardware Queues, 3 Thresholds...) etc...

As we have a ring topology the configuration is quite complex... Even if you don't need the vrf at the location you have to at least span the vlan all over the ring....

If you can I would go for a "real" MPLS solution - we start to migrate very soon ;-)

If you need more information just drop me a mail....

Ronny

------------------------------

Message: 6
Date: Wed, 06 May 2009 14:42:10 -0400
From: Jeff Kell
Subject: [c-nsp] 3750/4500 as PE?
To: cisco-nsp
Message-ID: <4A01DA02.8090105 at utc.edu>
Content-Type: text/plain; charset=ISO-8859-1

Anyone running a 3750 or 4500 as a PE router (nothing fancy, just inter-VRF iBGP that really "imports/exports" routes)?
We have a VRF-lite network but at this point only one iBGP mesh point (PE). There are cases where some of the nodes attached to the current PE could ideally route between VRFs locally without spitting it out to the PE and back.

In our case we have a "core services" VRF that is essentially imported into every VRF. It's a straight shot across the core IX subnet if I could put the "core services" presence on some of the CEs rather than the extra hop to route through the core.

Trying to avoid statics...

Jeff

From avayner at cisco.com Thu May 7 03:38:40 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 7 May 2009 09:38:40 +0200
Subject: [c-nsp] How to apply individual QoS policies to on an ingressInterface?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654D84@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654D84@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D79950EE@xmb-ams-331.emea.cisco.com>

Andy,

Reading quickly through your email, I think you need to look at a more advanced QoS solution. Cisco has the SCE devices implementing per-subscriber QoS policies. You can read about it a bit here:

http://www.cisco.com/en/US/products/ps6135/index.html
http://www.cisco.com/en/US/products/ps6151/index.html

This solution would enable you to identify subscribers by their IP address (either dynamically or statically), and apply an advanced QoS policy (including things like P2P and other L7 apps, and things like quota) per subscriber.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao
Sent: Thursday, May 07, 2009 08:18
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] How to apply individual QoS policies to on an ingressInterface?

Hi All,

I know you can only have one service-policy in/out on an interface - but what if you need to rate limit multiple IPs that transit through the interface???
A bit of background first...

We have several customers (100's of them) who we handle the IP/Internet side of things for and we use another provider to provide the physical side of things (layer 2 hand off). Physical topology looks like this:

Customer #1 to #100 --- (10Mb) --> Provider A --- (400Mb) --> Netspace ---> Internet

Provider A currently provides the customer with a 10Mb/sec connection and we would like to rate limit some of these customers to 2Mb, and others to 4Mb at our ingress, etc.. Is this possible without needing a class-map and policy-map for each customer???

The config on our border router that peers with Provider A looks like this:

interface GigabitEthernet0/1.120
 description Interconnect with Provider A
 bandwidth 400000
 encapsulation dot1Q 120
 ip address 203.17.98.x 255.255.255.252
 service-policy input POLICY-RATE-LIMIT
 service-policy output POLICY-RATE-LIMIT

We currently route the customer's IP through that interface and apply a policy-map on the interface.

ip route 202.45.102.248 255.255.255.248 203.17.98.y
ip route 202.45.118.132 255.255.255.252 203.17.98.y

Each customer IP is then placed into an ACL for each class of service (eg: IPs that receive 2Mb go into ACL-TEST-2MB, etc).

ip access-list extended ACL-TEST-2MB
 remark Customer #1
 permit ip any host 202.45.118.134
 permit ip host 202.45.118.134 any
 remark Customer #2
 permit ip any host 202.45.102.250
 permit ip host 202.45.102.250 any
!
class-map match-all RATE-LIMIT-2MB
 match access-group name ACL-TEST-2MB
!
policy-map POLICY-RATE-LIMIT
 class RATE-LIMIT-2MB
  police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop

However, when I went to lab this up, each customer IP did not receive their full bandwidth allocation but were instead using the shared bandwidth with all the other customer IPs in the same ACL.
My lab demonstrated that Customer #1 and #2 were both sharing the allotted 2Mb bandwidth whilst both were doing a download (eg: Customer #1 50-70KB/sec and Customer #2 150-175KB/sec). When I cancelled the download of Customer #2, Customer #1's transfer rate increased to use the entire 2Mb and vice versa if I had cancelled Customer #1's download.

If my understanding is correct, all the IPs in the ACL end up sharing the 2Mb bandwidth as if it was just one big pipe (or bucket) rather than each customer IP having its own little 2Mb bucket (which is what I want to see happen).

I think to get around this, each customer needs their own class-map and policy-map like so:

class-map match-all CUSTOMER1-2MB
 match access-group name ACL-CUSTOMER1
class-map match-all CUSTOMER2-2MB
 match access-group name ACL-CUSTOMER2
!
policy-map POLICY-RATE-LIMIT
 class CUSTOMER1-2MB
  police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop
 class CUSTOMER2-2MB
  police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop
!
ip access-list extended ACL-CUSTOMER1
 permit ip any host 202.45.118.134
 permit ip host 202.45.118.134 any
ip access-list extended ACL-CUSTOMER2
 permit ip any host 202.45.102.250
 permit ip host 202.45.102.250 any

The policy-map applied to the interface remains the same.

interface GigabitEthernet0/1.120
 service-policy input POLICY-RATE-LIMIT
 service-policy output POLICY-RATE-LIMIT

So my question really is, do we need a class-map and policy-map for each customer or is there a more elegant solution. Can't imagine having to configure 100's of class-maps, policy-maps and ACLs for each customer or the impact to the CPU if it has to go through 100's of classes to find a match :)

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From A.L.M.Buxey at lboro.ac.uk Thu May 7 03:47:15 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 7 May 2009 08:47:15 +0100
Subject: [c-nsp] Wireless Splash Screen Cisco AP Aironet
In-Reply-To: <20090506230256.GA3418@netspark.org>
References: <197999.78903.qm@web110416.mail.gq1.yahoo.com> <20090506230256.GA3418@netspark.org>
Message-ID: <20090507074715.GA24702@lboro.ac.uk>

Hi,

> Sorry, just being curious, what would you do if a client clicks "I don't
> agree"?

..they don't get access to the network? After all, the agreement is a contract to show the party is happy with the terms of network provision.

alan

From perc69 at gmail.com Thu May 7 04:03:51 2009
From: perc69 at gmail.com (Per Carlson)
Date: Thu, 7 May 2009 10:03:51 +0200
Subject: [c-nsp] How to apply individual QoS policies to on an ingress Interface?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654D84@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654D84@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <746ca6da0905070103t3c7d304dp6f316b61c7093301@mail.gmail.com>

Hi Andy.

> So my question really is, do we need a class-map and policy-map for each
> customer or is there a more elegant solution.
You could probably use the ISG framework [1] for this (look for IP Subscriber Sessions). Just be aware there are quite a lot of hardware limitations as well as licensing fees involved. I haven't used it myself, so I don't have any experiences to share...

[1] http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/12_2sr/isg_12_2sr_book.html

--
Pelle

From ip at ioshints.info Thu May 7 07:36:58 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 7 May 2009 13:36:58 +0200
Subject: [c-nsp] Multiple BGP sessions on one router.
In-Reply-To: <1241680088.3434.5.camel@localhost.localdomain>
References: <2299bfcb0905062222u50032dd0hd2df873a8a5969b7@mail.gmail.com> <1241680088.3434.5.camel@localhost.localdomain>
Message-ID: <01f101c9cf08$225e1950$0a00000a@nil.si>

If the "local-as" feature is what you're looking for, this might help you get started:

http://wiki.nil.com/Network_migration_or_merger_with_BGP_Local-AS_feature

Unfortunately I haven't covered the "replace-as" functionality yet, but Arden has written a short article a while ago that covers it:

http://ardenpackeer.com/routing-protocols/bgp-allowas-in-bgp-local-as-tips-and-tricks/

Best regards
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Peter Rathlev [mailto:peter at rathlev.dk]
> Sent: Thursday, May 07, 2009 9:08 AM
> To: Rocker Feller
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Multiple BGP sessions on one router.
>
> On Thu, 2009-05-07 at 08:22 +0300, Rocker Feller wrote:
> > I have been working with BGP for a few months now and am
> > trying to get a grasp of it.
> >
> > I have an assignment that requires to have multiple bgp sessions
> > running on a single router and the prefixes advertised from each
> > prefix appearing so.
> >
> > Does this make sense? Am a bit foggy on this and would
> > appreciate any direction advice on how this can be achieved.
> >
> > What do I want to achieve?
> > In short I want to consolidate two AS numbers into one.
>
> AFAIK you can't have two BGP instances on one Cisco device.
> You can do something else though, namely use "local-as" on
> your neighbor session.
> This would present your router as belonging to another AS.
>
>   +--------+          +--------+
>   | AS 100 |----------| AS 200 |
>   +--------+          +--------+
>
> If you're on the left, paths from you would normally look
> like e.g. "100 i" to the ASBR in AS 200. If you configure
> "local-as 300" he would instead see "300 100 i", as if you
> stuck the other AS in between you.
> From your side his paths would look like "300 200 i".
>
> > Which options do I have to achieve this and with minimal
> > disruptions to my customers?
>
> Changing local-as requires the session to be reset to take effect.
>
> Regards,
> Peter

From mh+cisco-nsp at zugschlus.de Thu May 7 08:31:19 2009
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Thu, 7 May 2009 14:31:19 +0200
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To: <4716E5BFA7B2514D84F8F8885F37799F058446DB47@mse18be2.mse18.exchange.ms>
References: <20090506095758.GA1441@torres.zugschlus.de> <4716E5BFA7B2514D84F8F8885F37799F058446DB47@mse18be2.mse18.exchange.ms>
Message-ID: <20090507123119.GE29957@torres.zugschlus.de>

On Wed, May 06, 2009 at 06:55:21AM -0400, Patrick J Greene wrote:
> The Windows server platform includes Internet Authentication Services
> (IAS) which provides RADIUS authentication against either AD or the
> local user database on the Windows server itself. Just install the
> service.

The company doesn't want to use the Windows passwords for VPN authentication since a single compromised password does not only allow access to the VPN but also to all Windows resources. Think of the "different password" requirement as "poor-man's two factor auth".
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 3221 2323190

From mh+cisco-nsp at zugschlus.de Thu May 7 08:35:59 2009
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Thu, 7 May 2009 14:35:59 +0200
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To:
References: <20090506095758.GA1441@torres.zugschlus.de>
Message-ID: <20090507123559.GG29957@torres.zugschlus.de>

On Wed, May 06, 2009 at 02:13:18PM +0300, Ziv Leyes wrote:
> The cheapest solution is already there, Windows2003 server can act as
> a radius server, it doesn't have to use necessarily the same users,
> new users can be added to a special new group only for the VPN
> authentication.

So a user would have two AD accounts, one for the VPN which doesn't give any Windows privileges, and one for all the rest? Can this be separated via a domain, so that joe.luser can be joe.luser at example.com for his Windows account and joe.luser at vpn.company.com for the VPN?

> All they need is someone that is good enough with Win2003 server to
> make it happen,

Alas, I am not that one :-/

Greetings
Marc

From karl.gaissmaier at uni-ulm.de Thu May 7 08:12:54 2009
From: karl.gaissmaier at uni-ulm.de (Karl Gaissmaier)
Date: Thu, 07 May 2009 14:12:54 +0200
Subject: [c-nsp] Stupid SNMP tricks.
In-Reply-To:
References:
Message-ID: <4A02D046.9070303@uni-ulm.de>

Hi Drew,

Drew Weaver wrote:
> Hey all, I'm trying to script a few things using SNMP (data collection, mainly).
>
> I've essentially found the OIDs I need, but it seems like there is no way to separate routes by how they originate.
>
> For example if you do an snmpwalk ... ipRouteNextHop, it shows you all of the routes in the entire system including EIGP, IGP, locally originated.
>
> Does anyone know of any way to only get information for a specific type of route?
>
> In my case I only want to see the locally originated routes.

Why not use the ipRouteProto (1.3.6.1.2.1.4.21.1.9) or the ipCidrRouteTable (1.3.6.1.2.1.4.24.4) of the IP-FORWARD-MIB?

Greetings
Charly

From braaen at zcorum.com Thu May 7 09:58:40 2009
From: braaen at zcorum.com (Brian Raaen)
Date: Thu, 07 May 2009 09:58:40 -0400
Subject: [c-nsp] Lightweight Radius Server for small installation and Windows
In-Reply-To: <20090507123119.GE29957@torres.zugschlus.de>
References: <20090506095758.GA1441@torres.zugschlus.de> <4716E5BFA7B2514D84F8F8885F37799F058446DB47@mse18be2.mse18.exchange.ms> <20090507123119.GE29957@torres.zugschlus.de>
Message-ID: <4A02E910.3040503@zcorum.com>

You would set up a second account for their VPN then. In IAS you can set it to only authenticate if certain attributes match.

Marc Haber wrote:
> On Wed, May 06, 2009 at 06:55:21AM -0400, Patrick J Greene wrote:
>
>> The Windows server platform includes Internet Authentication Services
>> (IAS) which provides RADIUS authentication against either AD or the
>> local user database on the Windows server itself. Just install the
>> service.
>>
>
> The company doesn't want to use the Windows passwords for VPN
> authentication since a single compromised password does not only allow
> access to the VPN but also to all Windows resources. Think of the
> "different password" requirement as "poor-man's two factor auth".
>
> Greetings
> Marc

From ross at kallisti.us Thu May 7 11:32:53 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Thu, 7 May 2009 11:32:53 -0400
Subject: [c-nsp] The mechanics of SSO
In-Reply-To:
References: <20090506195311.GA8001@kallisti.us> <4A01F317.5080401@thewybles.com> <20090506205004.GA8553@kallisti.us>
Message-ID: <20090507153253.GA14311@kallisti.us>

On Thu, May 07, 2009 at 02:03:44AM +0300, Ibrahim Abo Zaid wrote:
> actually i can't get if SUP running SSO why you think configuration will be
> loaded from active to standby during switchover ? !
>
> SSO maintains control plane and data plane resiliency and both SUP have
> active IOS image and synchronized configuration

Not during switchover - during bootup. When the standby SUP is booting, it needs to fetch the config from the active. That is the synchronization problem I ran into yesterday.

Ross

> best regards
> --Ibrahim
>
> On Wed, May 6, 2009 at 11:50 PM, Ross Vandegrift wrote:
>
> > On Wed, May 06, 2009 at 04:39:40PM -0400, Jared Mauch wrote:
> > > I would recommend trying to get the devices on SXF16 or SXI1 if
> > > possible. You may need to send a break and interrupt the boot process
> > > on one (hope you have good OOB and know how to do this).
> >
> > What do you mean "you may need to send a break and interrupt the boot
> > process on one"? I mean, I know how to do that, and know why I might
> > under a variety of conditions, but what circumstances are you
> > referring to?
> >
> > We've been stuck on SXF because of the CSM, but after hitting this
> > bug, we'll be spinning up our CSMs in a spare chassis just so we can
> > avoid the bug that started the whole damn thing.
> >
> > > This is also reinforces the reason some people do not run dual
> > > processor systems. They sometimes fail in really bad ways.
> >
> > Indeed, though honestly, it was no worse than the reboot time we'd see
> > from a single SUP. And it has saved me before.
> >
> > I can imagine that others may have seen much worse from dual SUPs :)

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

From jeff-kell at utc.edu Thu May 7 12:14:18 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu, 07 May 2009 12:14:18 -0400
Subject: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
Message-ID: <4A0308DA.9040802@utc.edu>

We have some 3550 EMIs that have some ACLs on their SVIs. I just ran across (through troubleshooting something else) a case where an access list with "deny ... log" is NOT being logged.

I ran some other cases across the access list, with some additional logging, and I have been unable to get any logging out of the egress ACL (ip access-group foo-ACL out).

Ingress logging works fine. Egress logging is nonexistent. Not just dropping the occasional ones, but entirely nonexistent. The egress filtering (by the ACL) works, it just doesn't log.

I have known for some time that ACL counters are borked on most lower-end Catalysts, but I thought ACL logging worked.

It doesn't appear to be a known bug, but then my searching abilities may be lacking.

Bug or feature?
Jeff

From Carlos.Bulleri at matsci.com Thu May 7 13:46:04 2009
From: Carlos.Bulleri at matsci.com (Bulleri, Carlos)
Date: Thu, 7 May 2009 12:46:04 -0500
Subject: [c-nsp] Replacing Network switch
Message-ID:

I'm replacing a 2924 XL switch with a 2960 48TC-S. The 2924 currently links to a 6913 and to another 2924 through the 2 100BaseFX interfaces. I want to make sure that I can get at least the link to the 6913 switch to work and it seems to me that I'll need a transceiver to do so. If anyone can tell me exactly what model I'll need I would appreciate it.

Thanks

Carlos Bulleri
Network Engineer
(847) 439-2210 ext. 8225
Carlos.Bulleri at matsci.com

From alasdairm at gmail.com Thu May 7 16:41:36 2009
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Thu, 7 May 2009 21:41:36 +0100
Subject: [c-nsp] VSS1440 to ASR1002 - MEC issues
In-Reply-To: <885586.62455.qm@web907.biz.mail.mud.yahoo.com>
References: <885586.62455.qm@web907.biz.mail.mud.yahoo.com>
Message-ID: <12372664-8D81-4387-86C9-CE9F8B0E26E1@gmail.com>

Thank you for all your comments both on and off list, we've gone for four L3 interfaces (two per router) and I've raised this with our account manager for progression :-)

regards
Alasdair

On 2 May 2009, at 23:20, Kevin Graham wrote:
>
> Your original concern was redundancy, so I'd personally go with two
> L3 interfaces per ASR over a static GEC. You may end up with more
> traffic over the VSL (as I don't believe there's a ECMP enhancement
> to prefer same-chassis ports as there is for MEC), but you'll avoid
> having to depend on UDLD, etc to protect against this type of
> failure mode.
>
> [sent from my mobile]
>
> On May 2, 2009, at 12:01 AM, Alasdair McWilliam wrote:
>
> Even if ASR only supports GEC, surely my apparent 'one way' traffic
> symptoms aren't right? I only have one Gigabit Ethernet link in the
> Port-Channel, between the ASR and the active chassis within the VSS.
> When the channel-group command is removed from the ASR's GE
> interface, and the config moved onto the GE interface, it starts to
> work a treat, despite the VSS still thinking it's an EtherChannel!
>
> Also, the 'switch accept mode virtual' command was run on the active
> node when the switches were first converted to VSS and rebooted.
>
> Many thanks
> Alasdair
>
> On 2 May 2009, at 01:43, Daniel de la Rosa (ddelaros) wrote:
>
> That's correct, ASR1000 GEC only supports static VLAN LB at the moment
> and not LACP. So this can only work if you are ok on just using GEC with
> VLANs on both sides as Tassos mentioned. Since you are deploying GEC for
> redundancy, this VLAN static LB should be able to give you what you
> need. Also you need to have the VSS on GEC mode on.
>
> HTH
>
> -------------
> Daniel de la Rosa
> CCIE # 4622
> Technical Marketing Engineer
> ERBU, Cisco Systems
>
> ASR1000 doesn't -yet- support the well-known EtherChannel/LACP. If I
> remember right, RLS5 will have it.
>
> There is a feature called VLAN Mapping to Gigabit EtherChannel (GEC)
> Member Links, but I don't think it would help you much, since you have
> L3 portchannels on both sides.
>
> http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_gecvlan.html
>
> --
> Tassos
>
> Alasdair McWilliam wrote on 01/05/2009 18:29:
> Hello,
>
> I'm currently deploying two Cisco 6509-E chassis with VS-Sup720-10GE (in
> a VSS 1440 cluster/configuration) with dual ASR 1002 routers to provide
> aggregation of multiple upstream links (running multiple BGP and EIGRP
> sessions).
>
> I wanted to utilize MEC between each ASR and each 6509 chassis to build
> in as much resilience as possible. However this configuration seems to
> be playing up and so I thought I'd ask the experts!
>
> Physical Topology:
>
> ASR Gi0/0/0 into 6509 Chassis 1 Module 1 Port 1
> ASR Gi0/1/0 into 6509 Chassis 2 Module 1 Port 1
>
> The ASR is running IOS-XE 2.3.0 (IOS 12.2(33)XNC) AISK9 with dual IOS
> processes.
> The VSS chassis are running IOS 12.2(33)SXI1 ISK9 with a 4x 10GE VSL (2
> supervisor 10GE interfaces, 2 10GE interfaces on a 6708-10GE line card).
> I'm just using CAT6 between the ASR and the 6748-GE-TX line cards in the
> VSS boxes.
>
> ASR configuration:
>
> interface Port-Channel1
>  ip address x.x.x.5 255.255.255.252
>  ip hello-interval eigrp 100 2
>  ip hold-time eigrp 100 6
>  ip authentication mode eigrp 100 md5
>  ip authentication key-chain eigrp 100 vcoresw1-chain
>  ip summary-address eigrp 100 0.0.0.0 0.0.0.0 255
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  no shut
> !
> interface Gi0/0/0
>  channel-group 1
>  no shut
>
> interface Gi0/1/0
>  channel-group 1
>  no shut
>
> Cisco VSS configuration:
>
> int Gi1/1/1
>  no switchport
>  channel-group 3 mode on
>
> int Gi2/1/1
>  no switchport
>  channel-group 3 mode on
>
> int Po3
>  desc *** MEC to br1-po1 ***
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip vrf forwarding edge-vrf
>  ip address x.x.x.6 255.255.255.252
>  ip hello-interval eigrp 100 2
>  ip hold-time eigrp 100 6
>  ip authentication mode eigrp 100 md5
>  ip authentication key-chain eigrp 100 br1-chain
>  no shut
> !
>
> The problem I am experiencing seems to be one way traffic between the
> VSS cluster and the Border Router. Pinging across this /30 subnet does
> not work in either direction. EIGRP relationships build when the Po
> interfaces first come online and then immediately time out moments
> later. The VSS cluster then does not see any further EIGRP traffic from
> the ASR. However the ASR seems to think it's successfully building an
> adjacency to the VSS. However this times out due to 'retry limit
> exceeded' every minute or so, but seems to think it re-establishes
> again.
>
> This problem persists if we drop the PortChannel to just one Gigabit
> Ethernet interface. The second interface can be shut down or actually
> removed from the Po config (eg. no channel-group 1).
>
> The really interesting thing is, with one link, if we remove the
> channel-group command from the one remaining ASR interface, all of a
> sudden the link springs to life. Pings between the ASR Gi0/0/0 interface
> and the Po3 VSS interface are successful. EIG RP relationship comes up
> immediately and is stable, and routes are exchanged as you'd expect.
>
> How does this work? With the ASR thinking it's a non-etherchannel
> interface, but the VSS thinking it IS an EtherChannel (with 1 member),
> surely it should just fail?
>
> Am I doing something wrong or could this be a bug in either VSS or the
> ASR?
>
> It's not earth shattering, we could just configure 2 EIGRP sessions
> between the VSS and the ASR (4 in total with 2 ASRs) but don't think
> this is as clean an implementation as MEC across fully redundant chassis
> and line cards (one of the big selling points of the VSS!!)
>
> Any help would be much appreciated!
>
> Thanks
> Alasdair

From rblayzor.bulk at inoc.net Thu May 7 16:50:05 2009
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Thu, 7 May 2009 16:50:05 -0400
Subject: [c-nsp] IOS SLB and IPv6
Message-ID: <0D325FCC-FF38-440A-A880-888E3A10330F@inoc.net>

As we get closer to pushing IPv6 dual stacking into our server farm one thing poses a problem with some of them. IOS SLB does not appear to be IPv6 capable. Anyone know if this exists or is on the roadmap or should we just look at moving SLB roles into external boxes? Are there any server load balancing switches or appliances that support this today?

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From rick at woofpaws.com Thu May 7 17:52:51 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Thu, 7 May 2009 14:52:51 -0700 (PDT)
Subject: [c-nsp] Cat7600/Sup720 and IPv4 vs IPv6 performance
Message-ID: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com>

The specs for the Sup720/3BXL indicate support for 1,000,000 IPv4 routes and 400Mpps. The numbers drop in half for IPv6 (500K routes, 200Mpps).

I can't find information on how the routing/capacity is partitioned. If I run IPv6 are my combined IPv4 and IPv6 table limited to 500K routes? Can I carve out the memory so I can support a combination like 500K IPv4 routes and 250K IPv6 routes?
Will the platform mix and match v4 and v6 in the same chunk of memory? Same/similar question for a combined IPv4/IPv6 platform; if I run both protocols is the aggregate traffic limited by the IPv6 specs?

I don't know much more about IPv6 than how it is spelled, and I need to start hitting the books for it. I've seen the IPv4 BGP table grow from less than 100,000 routes 10 years ago to almost 300,000 routes now, but don't have the same feel for IPv6. I'm trying to get an idea of expected lifetime/capacity when deploying new equipment.

Thanks,

From adrian at creative.net.au Thu May 7 18:10:45 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Fri, 8 May 2009 06:10:45 +0800
Subject: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
In-Reply-To: <4A0308DA.9040802@utc.edu>
References: <4A0308DA.9040802@utc.edu>
Message-ID: <20090507221045.GD6025@skywalker.creative.net.au>

On Thu, May 07, 2009, Jeff Kell wrote:
> Bug or feature?

From my POV, Feature. I've never had 100% reliable ACL logging on the Catalyst 3550 and thus don't rely on it. :)

(It forwards packets good though!)

Adrian

From swmike at swm.pp.se Thu May 7 18:16:44 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 8 May 2009 00:16:44 +0200 (CEST)
Subject: [c-nsp] Cat7600/Sup720 and IPv4 vs IPv6 performance
In-Reply-To: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com>
References: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com>
Message-ID:

On Thu, 7 May 2009, Rick Ernst wrote:
> I can't find information on how the routing/capacity is partitioned. If I
> run IPv6 are my combined IPv4 and IPv6 table limited to 500K routes? Can

These are the defaults:

#sh mls cef maximum-routes
FIB TCAM maximum routes :
=======================
Current :-
-------
 IPv4 + MPLS         - 512k (default)
 IPv6 + IP Multicast - 256k (default)

> I carve out the memory so I can support a combination like 500K IPv4
> routes and 250K IPv6 routes?
> Will the platform mix and match v4 and v6 in
> the same chunk of memory? Same/similar question for a combined IPv4/IPv6
> platform; if I run both protocols is the aggregate traffic limited by the
> IPv6 specs?

No, you can change this, you have 1M total to play with, this is partitioned between L2, L3 (IPv4/v6/MPLS etc).

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From lukasz at bromirski.net Thu May 7 18:24:58 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Fri, 08 May 2009 00:24:58 +0200
Subject: [c-nsp] Cat7600/Sup720 and IPv4 vs IPv6 performance
In-Reply-To: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com>
References: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com>
Message-ID: <4A035FBA.5010003@bromirski.net>

On 2009-05-07 23:52, Rick Ernst wrote:
>
> The specs for the Sup720/3BXL indicate support for 1,000,000 IPv4
> routes and 400Mpps. The numbers drop in half for IPv6 (500K
> routes,200Mpps)

Yep, assuming you're doing either IPv4 or IPv6, not both at the same time.

> I can't find information on how the routing/capacity is partitioned.
> If I run IPv6 are my combined IPv4 and IPv6 table limited to 500K
> routes? Can I carve out the memory so I can support a combination
> like 500K IPv4 routes and 250K IPv6 routes? Will the platform mix
> and match v4 and v6 in the same chunk of memory? Same/similar
> question for a combined IPv4/IPv6 platform; if I run both protocols
> is the aggregate traffic limited by the IPv6 specs?

The 6500 PFCs and DFCs TCAMs can be partitioned to support IPv4, MPLS, IP multicast and IPv6. The IPv4 and MPLS entries take 72 bits, the IP multicast and IPv6 entries take two entries - thus 144 bits are needed. TCAMs have to be statically configured to serve this, so after changing the allocation you have to reload the box.
For current settings you can check 'sh mls cef maximum-routes' which will show (among other things):

FIB TCAM maximum routes :
=======================
Current :-
-------
 IPv4 + MPLS         - 512k (default)
 IPv6 + IP Multicast - 256k (default)

To change the scheme to be able to fit more IPv4 or IPv6 routes you can do a 'mls cef maximum-routes ip | ipv6' (and other options), but if you're allocating more for IPv6 you will lose capacity for IPv4 and vice versa.

> I don't know much more about IPv6 than how it is spelled, and I need
> to start hitting the books for it. I've seen the IPv4 BGP table grow
> from less than 100,000 routes 10 years ago to almost 300,000 routes
> now, but don't have the same feel for IPv6. I'm trying to get an
> idea of expected lifetime/capacity when deploying new equipment.

If you're looking for an edge BGP peering router, you should look at the ASR 1k series, not the 6500 which is positioned as a switch for enterprises.

--
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From sethm at rollernet.us Thu May 7 19:02:14 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 07 May 2009 16:02:14 -0700
Subject: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
In-Reply-To: <4A0308DA.9040802@utc.edu>
References: <4A0308DA.9040802@utc.edu>
Message-ID: <4A036876.2050606@rollernet.us>

Jeff Kell wrote:
> We have some 3550 EMIs that have some ACLs on their SVIs. I just ran
> across (through troubleshooting something else) a case where an access
> list with "deny ... log" is NOT being logged.
>
> I ran some other cases across the access list, with some additional
> logging, and I have been unable to get any logging out of the egress ACL
> (ip access-group foo-ACL out).
>
> Ingress logging works fine. Egress logging is nonexistent. Not just
> dropping the occasional ones, but entirely nonexistent. The egress
> filtering (by the ACL) works, it just doesn't log.
>
> I have known for some time that ACL counters are borked on most
> lower-end Catalysts, but I thought ACL logging worked.
>
> It doesn't appear to be a known bug, but then my searching abilities may
> be lacking.
>
> Bug or feature?

Never personally expected it to work when it's not hitting the CPU.

~Seth

From jlewis at lewis.org Thu May 7 20:21:48 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 7 May 2009 20:21:48 -0400 (EDT)
Subject: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
In-Reply-To: <4A036876.2050606@rollernet.us>
References: <4A0308DA.9040802@utc.edu> <4A036876.2050606@rollernet.us>
Message-ID:

On Thu, 7 May 2009, Seth Mattinen wrote:

>> Ingress logging works fine. Egress logging is nonexistent. Not just
>> dropping the occasional ones, but entirely nonexistent. The egress
>> filtering (by the ACL) works, it just doesn't log.
>>
>> I have known for some time that ACL counters are borked on most
>> lower-end Catalysts, but I thought ACL logging worked.
>>
>> It doesn't appear to be a known bug, but then my searching abilities may
>> be lacking.
>>
>> Bug or feature?
>
> Never personally expected it to work when it's not hitting the CPU.

I didn't think ACL logging worked in either direction on the 3550. I ran
across something even more disturbing recently. A customer had an
apparently compromised system found SSH scanning remote hosts. I put a
simple ACL on the customer's layer 3 port (i.e. no switchport, ip address
...),

ip access-list extended f0/48-in-acl
 deny tcp any any eq 22
 permit ip any any

int f0/48
 ip access-group f0/48-in-acl in

According to netflow (on our 6500s upstream of the 3550s) some SSH
scanning traffic was still getting through...or remote hosts just
happened to be sending this customer tcp traffic from their port 22 to
random high ports. This is under 12.1(22)EA10b. I haven't gotten around
to testing this further.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From andy.saykao at staff.netspace.net.au Thu May 7 22:16:07 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Fri, 8 May 2009 12:16:07 +1000
Subject: [c-nsp] How to apply individual QoS policies to on an ingress Interface?
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654D8F@vic-cr-ex1.staff.netspace.net.au>

Thanks Pelle for the link.

From that link, I took a look at "Configuring MQC Support for IP
Sessions" but the IOS I am using c7301-a3jk91s-mz.122-31.SB13.bin
doesn't support the command to apply the service policy to.

http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_mqc_ipsession_ps6922_TSD_Products_Configuration_Guide_Chapter.html

Router(config-pmap-c)# policy-map type service PREMIUM_SERVICE
Router(config-service-policymap)# service-policy input PREMIUM_MARK_IN   <-- not supported
Router(config-service-policymap)# service-policy output PREMIUM_UB_OUT   <-- not supported

Might just take the simple route and configure separate class-maps and
policy-maps for each customer. At present we only have a handful of
customers that we need to rate limit.

Cheers.

Andy

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this
email by mistake and delete this email from your system. Please note that
any views or opinions presented in this email are solely those of the
author and do not necessarily represent those of the organisation.
Finally, the recipient should check this email and any attachments for
the presence of viruses. The organisation accepts no liability for any
damage caused by any virus transmitted by this email.
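The 3550 thread above (Seth's "not hitting the CPU" remark and Jon Lewis's port-22 ACL whose effect he could only judge from upstream NetFlow) turns on a practical check: when the switch neither logs nor counts ACL hits reliably, the flow records collected elsewhere are the evidence, and you have to replay the ACL against them yourself. The following is an added example, not code from the thread or from any Cisco tool: it parses the ACL exactly as Jon posted it, evaluates constructed NetFlow-style records against it with Cisco first-match and implicit-deny semantics, and reports records the inbound ACL should have dropped. The addresses, flow records and the customer prefix `192.0.2.0/24` are constructed (RFC 5737 documentation ranges); only `eq <port>` qualifiers are modelled.

```python
"""Replay a Cisco-style extended ACL against NetFlow-like records.

Added example (not from the cisco-nsp thread).  Flows sourced from the
customer prefix that the inbound ACL evaluates to 'deny' should never
reach an upstream collector; if they do, something on the path is not
enforcing the ACL.  Flows *from* a remote port 22 to a high port do not
match 'deny tcp any any eq 22' at all (the port qualifier is on the
destination), which is the second explanation offered in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]   # from an 'eq <port>' after the source
    dport: Optional[int]   # from an 'eq <port>' after the destination


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard is the inverse of a netmask: 0 bits must match.
    hostmask = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - bin(hostmask).count("1")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' qualifier; return (port or None, next)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(lines) -> List[Ace]:
    """Parse the entries of an 'ip access-list extended' block."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue          # the 'ip access-list ...' line, remarks, blanks
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        aces.append(Ace(action, proto, src, dst, sport, dport))
    return aces


def evaluate(aces: List[Ace], flow: Flow) -> str:
    """Action of the first matching entry; the implicit final entry denies."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.src) not in ace.src:
            continue
        if ipaddress.ip_address(flow.dst) not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != flow.sport:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


def leaked_flows(aces: List[Ace], flows: List[Flow], customer_net: str) -> List[Flow]:
    """Flows from the customer prefix that the inbound ACL should have dropped."""
    net = ipaddress.ip_network(customer_net)
    return [f for f in flows
            if ipaddress.ip_address(f.src) in net and evaluate(aces, f) == "deny"]


# The ACL as posted in the thread.
ACL_TEXT = """
ip access-list extended f0/48-in-acl
 deny tcp any any eq 22
 permit ip any any
"""

# Constructed NetFlow-style records for the customer's port.
FLOWS = [
    Flow("192.0.2.10", "198.51.100.7", "tcp", 51234, 22),   # outbound SSH probe
    Flow("192.0.2.10", "198.51.100.8", "tcp", 51235, 22),   # outbound SSH probe
    Flow("198.51.100.9", "192.0.2.10", "tcp", 22, 40001),   # remote port 22 -> high port
    Flow("192.0.2.10", "203.0.113.5", "tcp", 51236, 443),   # ordinary HTTPS, permitted
]

if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT.splitlines())
    for f in leaked_flows(aces, FLOWS, "192.0.2.0/24"):
        print("ACL should have dropped:", f)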
From bep at whack.org Fri May 8 01:54:54 2009
From: bep at whack.org (Bruce Pinsky)
Date: Thu, 07 May 2009 22:54:54 -0700
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com>
Message-ID: <4A03C92E.30900@whack.org>

Marcelo Zilio wrote:
> Hi,
>
> I'm working in a migration of a CheckPoint Firewall to an ASA5520. I freeze
> on a situation that seems ASA cannot "reproduce" CheckPoint configuration.
> Follow the scenario:
>
> - IP Address X on the Internet access IP Address X1 in the Inside network
> through the X-NAT Address.
> - IP Address Y on the Internet access IP Address Y1 in the Inside network
> through the same X-NAT Address.

Can you give us a more concrete example please? I'm not grok'ing what
you are trying to accomplish.

-- 
=========
bep

From gert at greenie.muc.de Fri May 8 03:12:54 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 8 May 2009 09:12:54 +0200
Subject: [c-nsp] Cat7600/Sup720 and IPv4 vs IPv6 performance
In-Reply-To: <4A035FBA.5010003@bromirski.net>
References: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com> <4A035FBA.5010003@bromirski.net>
Message-ID: <20090508071254.GJ290@greenie.muc.de>

Hi,

On Fri, May 08, 2009 at 12:24:58AM +0200, Łukasz Bromirski wrote:
> If you're looking for edge BGP peering router, you should look at
> ASR 1k series, not 6500 which is positioned as a switch for enterprises.

The 6500/Sup720-3BXL combo will do the job reasonably well :-) (and it's
not actually "positioned as a switch for enterprises").
gert
-- 
USENET is *not* the non-clickable part of WWW!            //www.muc.de/~gert/
Gert Doering - Munich, Germany                         gert at greenie.muc.de
fax: +49-89-35655025                    gert at net.informatik.tu-muenchen.de

From swmike at swm.pp.se Fri May 8 03:38:34 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 8 May 2009 09:38:34 +0200 (CEST)
Subject: [c-nsp] Cat7600/Sup720 and IPv4 vs IPv6 performance
In-Reply-To: <20090508071254.GJ290@greenie.muc.de>
References: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com> <4A035FBA.5010003@bromirski.net> <20090508071254.GJ290@greenie.muc.de>
Message-ID:

On Fri, 8 May 2009, Gert Doering wrote:

> The 6500/Sup720-3BXL combo will do the job reasonably well :-) (and it's
> not actually "positioned as a switch for enterprises").

... and the RSP720 is the same listprice and has a much quicker CPU, so I
hope people do get that one instead of the SUP720 nowadays.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From lukasz at bromirski.net Fri May 8 03:54:40 2009
From: lukasz at bromirski.net (Lukasz Bromirski)
Date: Fri, 08 May 2009 09:54:40 +0200
Subject: [c-nsp] Cat7600/Sup720 and IPv4 vs IPv6 performance
In-Reply-To: <20090508071254.GJ290@greenie.muc.de>
References: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com> <4A035FBA.5010003@bromirski.net> <20090508071254.GJ290@greenie.muc.de>
Message-ID: <4A03E540.7020109@bromirski.net>

On 2009-05-08 09:12, Gert Doering wrote:
> On Fri, May 08, 2009 at 12:24:58AM +0200, Łukasz Bromirski wrote:
>> If you're looking for edge BGP peering router, you should look at
>> ASR 1k series, not 6500 which is positioned as a switch for enterprises.
> The 6500/Sup720-3BXL combo will do the job reasonably well :-)

Sure, of course 48Mpps with DFC per slot (yeah, we know that) is not
reachable for ASR1k, but given the scalability of FIB and NetFlow of the
ESPs in ASR, I'd position ASR as edge router.

> (and it's not actually "positioned as a switch for enterprises").

Well, there's a lot of positioning regarding the 6500/7600 split and it
doesn't make sense to argue, but it's summarized on the first page of
the 6500 CCO site:

"With industry-leading services and performance, the Cisco Catalyst 6500
Series Switch is Cisco's flagship switching solution. It delivers the
most comprehensive feature sets for core, distribution, wiring closet,
data center, enterprise WAN routing, and Metro-Ethernet deployments."

For the ME deployments you'd actually use ME-series, for WAN routing
it's of course capable with support of SIPs, old and new VPN service
modules and recent extensions to BFD that made it to 12.2(33)SXI. But
the BU is already focused on adding services, not extending routing
capabilities.

-- 
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From achatz at forthnet.gr Fri May 8 04:51:27 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 08 May 2009 11:51:27 +0300
Subject: [c-nsp] How to apply individual QoS policies to on an ingress Interface?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654D8F@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654D8F@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <4A03F28F.1070205@forthnet.gr>

I think the setup you're trying to do is supported only on 7600s.

We use the following on our 7200s:

class-map type traffic match-any TEST-CLASS
 match access-group input name IN-ACL
 match access-group output name OUT-ACL
!
policy-map type service TEST-POLICY
 1 class type traffic TEST-CLASS
  police input 1000000 187500 375000
  police output 24000000 4500000 9000000
!
-- 
Tassos

Andy Saykao wrote on 08/05/2009 05:16:
> Thanks Pelle for the link.
>
> From that link, I took a look at "Configuring MQC Support for IP
> Sessions" but the IOS I am using c7301-a3jk91s-mz.122-31.SB13.bin
> doesn't support the command to apply the service policy to.
>
> http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_mqc_ipsession_ps6922_TSD_Products_Configuration_Guide_Chapter.html
>
> Router(config-pmap-c)# policy-map type service PREMIUM_SERVICE
> Router(config-service-policymap)# service-policy input PREMIUM_MARK_IN
> <-- not supported
> Router(config-service-policymap)# service-policy output PREMIUM_UB_OUT
> <-- not supported
>
> Might just take the simple route and configure separate class-maps and
> policy-maps for each customer. At present we only have a handful
> customers that we need to rate limit.
>
> Cheers.
>
> Andy
From gert at greenie.muc.de Fri May 8 05:29:42 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 8 May 2009 11:29:42 +0200
Subject: [c-nsp] Cat7600/Sup720 and IPv4 vs IPv6 performance
In-Reply-To:
References: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com> <4A035FBA.5010003@bromirski.net> <20090508071254.GJ290@greenie.muc.de>
Message-ID: <20090508092942.GK290@greenie.muc.de>

Hi,

On Fri, May 08, 2009 at 09:38:34AM +0200, Mikael Abrahamsson wrote:
> On Fri, 8 May 2009, Gert Doering wrote:
>
>> The 6500/Sup720-3BXL combo will do the job reasonably well :-) (and it's
>> not actually "positioned as a switch for enterprises").
>
> ... and the RSP720 is the same listprice and has a much quicker CPU, so I
> hope people do get that one instead of the SUP720 nowadays.

Wrong BU. To avoid saying nasty things.

gert
-- 
USENET is *not* the non-clickable part of WWW!            //www.muc.de/~gert/
Gert Doering - Munich, Germany                         gert at greenie.muc.de
fax: +49-89-35655025                    gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Fri May 8 05:30:57 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 8 May 2009 11:30:57 +0200
Subject: [c-nsp] Cat7600/Sup720 and IPv4 vs IPv6 performance
In-Reply-To: <4A03E540.7020109@bromirski.net>
References: <48595.69.30.17.85.1241733171.squirrel@www.woofpaws.com> <4A035FBA.5010003@bromirski.net> <20090508071254.GJ290@greenie.muc.de> <4A03E540.7020109@bromirski.net>
Message-ID: <20090508093057.GL290@greenie.muc.de>

Hi,

On Fri, May 08, 2009 at 09:54:40AM +0200, Lukasz Bromirski wrote:
> But the BU is already focused on adding services, not extending routing
> capabilities.

I never understood why people always think you need to "extend routing
capabilities" on a box that perfectly well does whatever it needs to do :-)

The BU split is a reason to buy ASR1k, I agree on that.

gert
-- 
USENET is *not* the non-clickable part of WWW!            //www.muc.de/~gert/
Gert Doering - Munich, Germany                         gert at greenie.muc.de
fax: +49-89-35655025                    gert at net.informatik.tu-muenchen.de

From kratzers at ctinetworks.com Fri May 8 08:46:50 2009
From: kratzers at ctinetworks.com (Stephen Kratzer)
Date: Fri, 8 May 2009 08:46:50 -0400
Subject: [c-nsp] SUP720 IDB Limit
Message-ID: <200905080846.50229.kratzers@ctinetworks.com>

All,

We're looking to step up from the 7200 series to the 7600 series for DSL
aggregation. Anyone know what the IDB limit is for this platform (#show idb)?
We're at about 15000. Thanks.

Stephen Kratzer
Network Engineer
CTI Networks, Inc.
From jeff-kell at utc.edu Fri May 8 09:28:24 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 08 May 2009 09:28:24 -0400
Subject: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
In-Reply-To:
References: <4A0308DA.9040802@utc.edu> <4A036876.2050606@rollernet.us>
Message-ID: <4A043378.4030702@utc.edu>

Jon Lewis wrote:
> I didn't think ACL logging worked in either direction on the 3550. I
> ran across something even more disturbing recently. A customer had an
> apparently compromised system found SSH scanning remote hosts. I put
> a simple ACL on the customer's layer 3 port (i.e. no switchport, ip
> address ...),
>
> ip access-list extended f0/48-in-acl
>  deny tcp any any eq 22
>  permit ip any any
>
> According to netflow (on our 6500s upstream of the 3550s) some SSH
> scanning traffic was still getting through...

That was "sort of" the case here. There was an ACL that enumerated a
list of IPs that were permitted to access a server, applied as "ip
access-group named-acl out" to the SVI of the server's subnet. There
was an addition to be made, the new address was in a ticket, but when we
called to verify, they said they "already had access". That was when I
discovered the no logging issue (there was a deny ip any any log to
catch the punted packets). I then nmapped the server from an
unauthorized IP, and got the expected "filtered" returns, but no
logging. I have been unable to reproduce the "traffic goes through
anyway" case (that's scarier than the no logging bit).

Don't have this problem with 3560s and up, they behave as expected.
(Just verified on a 3560 w/12.2(35)SE). Appears to be a 3550-thing.
Maybe I just need a stimulus upgrade grant :-)

Jeff

From adrian at creative.net.au Fri May 8 09:34:41 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Fri, 8 May 2009 21:34:41 +0800
Subject: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
In-Reply-To: <4A043378.4030702@utc.edu>
References: <4A0308DA.9040802@utc.edu> <4A036876.2050606@rollernet.us> <4A043378.4030702@utc.edu>
Message-ID: <20090508133441.GE6025@skywalker.creative.net.au>

On Fri, May 08, 2009, Jeff Kell wrote:

> Don't have this problem with 3560s and up, they behave as expected.
> (Just verified on a 3560 w/12.2(35)SE). Appears to be a 3550-thing.
> Maybe I just need a stimulus upgrade grant :-)

Have you tried it on a 3550 running 12.2?

Adrian

From elmi at 4ever.de Fri May 8 09:03:28 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Fri, 8 May 2009 15:03:28 +0200
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <200905080846.50229.kratzers@ctinetworks.com>
References: <200905080846.50229.kratzers@ctinetworks.com>
Message-ID: <20090508130328.GX29526@ronin.4ever.de>

kratzers at ctinetworks.com (Stephen Kratzer) wrote:

> All,
>
> We're looking to step up from the 7200 series to the 7600 series for DSL
> aggregation. Anyone know what the IDB limit is for this platform (#show idb)?
> We're at about 15000. Thanks.

My 6503/SUP720 says:
----!

rt#sh idb

Maximum number of Software IDBs 20050.  In use 13.

Elmar.

From avayner at cisco.com Fri May 8 09:54:16 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 8 May 2009 15:54:16 +0200
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <200905080846.50229.kratzers@ctinetworks.com>
References: <200905080846.50229.kratzers@ctinetworks.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D799573E@xmb-ams-331.emea.cisco.com>

Stephan,

Actually, scalability numbers on 7600 for DSL or broadband aggregation
are not really directly related to IDB numbers, but to the scale of the
HW modules - as sessions are terminated on distributed hardware
resources.
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephen Kratzer
Sent: Friday, May 08, 2009 15:47
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SUP720 IDB Limit

All,

We're looking to step up from the 7200 series to the 7600 series for DSL
aggregation. Anyone know what the IDB limit is for this platform (#show
idb)?
We're at about 15000. Thanks.

Stephen Kratzer
Network Engineer
CTI Networks, Inc.

From achatz at forthnet.gr Fri May 8 10:03:41 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 08 May 2009 17:03:41 +0300
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <20090508130328.GX29526@ronin.4ever.de>
References: <200905080846.50229.kratzers@ctinetworks.com> <20090508130328.GX29526@ronin.4ever.de>
Message-ID: <4A043BBD.5070305@forthnet.gr>

7609/RSP720 (SRD)
Maximum number of Software IDBs 49152.  In use 254.

7606/SUP720-3BXL (SRB)
Maximum number of Software IDBs 49152.  In use 107.

6509/SUP720-3BXL (SXI)
Maximum number of Software IDBs 12000.  In use 146.

strange...

-- 
Tassos

Elmar K. Bins wrote on 08/05/2009 16:03:
> kratzers at ctinetworks.com (Stephen Kratzer) wrote:
>
>> All,
>>
>> We're looking to step up from the 7200 series to the 7600 series for DSL
>> aggregation. Anyone know what the IDB limit is for this platform (#show idb)?
>> We're at about 15000. Thanks.
>
> My 6503/SUP720 says:
> ----!
>
> rt#sh idb
>
> Maximum number of Software IDBs 20050.  In use 13.
>
> Elmar.
From kratzers at ctinetworks.com Fri May 8 11:26:23 2009
From: kratzers at ctinetworks.com (Stephen Kratzer)
Date: Fri, 8 May 2009 11:26:23 -0400
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D799573E@xmb-ams-331.emea.cisco.com>
References: <200905080846.50229.kratzers@ctinetworks.com> <78C984F8939D424697B15E4B1C1BB3D799573E@xmb-ams-331.emea.cisco.com>
Message-ID: <200905081126.23603.kratzers@ctinetworks.com>

Arie,

We're running at about 75% of the IDB limit on the 7200s, but I believe
we're suffering from an IOS bug affecting the reclaiming of IDBs for
virtual interfaces. In the absence of this bug or behavior, IDB limits
shouldn't be a limiting factor. What kind of hardware module limitations
might bite us? We're just growing beyond the OC-3 level (ATM side) and
looking to move up to an OC-12.

Stephen

On Friday 08 May 2009 09:54:16 Arie Vayner (avayner) wrote:
> Stephan,
>
> Actually, scalability numbers on 7600 for DSL or broadband aggregation
> is not really directly related to IDB numbers, but to the scale of the
> HW modules - as sessions are terminated on distributed hardware
> resources.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephen Kratzer
> Sent: Friday, May 08, 2009 15:47
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SUP720 IDB Limit
>
> All,
>
> We're looking to step up from the 7200 series to the 7600 series for DSL
> aggregation. Anyone know what the IDB limit is for this platform (#show
> idb)?
> We're at about 15000. Thanks.
>
> Stephen Kratzer
> Network Engineer
> CTI Networks, Inc.
From jlewis at lewis.org Fri May 8 11:37:38 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 8 May 2009 11:37:38 -0400 (EDT)
Subject: [c-nsp] Loose uRPF behaving like strict mode on 7600
In-Reply-To: <4A021FDF.3030100@allstream.net>
References: <49F91A9A.9060403@allstream.net> <4A021FDF.3030100@allstream.net>
Message-ID:

On Wed, 6 May 2009, Jose wrote:

> Well, according to the TAC case I had opened on this, it seems that because
> the SUP32 has its TCAM full and is getting exception errors (it has the full
> internet routing tables), this is likely the culprit to why uRPF in loose
> mode is not behaving as expected.

I glossed over the fact that you're running SUP32's with full BGP tables.
I didn't think that was even possible due to TCAM limitations.

The important bit from the URL I sent is:

  Configuring the Unicast RPF Check Mode

  There are two unicast RPF check modes:

  - Strict check mode, which verifies that the source IP address exists
    in the FIB table and verifies that the source IP address is reachable
    through the input port.

  - Exist-only check mode, which only verifies that the source IP address
    exists in the FIB table.

  Note: The most recently configured mode is automatically applied to all
  ports configured for unicast RPF check.

I assumed you were trying to mix loose and strict RPF.

Assuming you can't immediately upgrade to SUP720-3bxl or better, you
might consider some filtering. Have a look at
http://jonsblog.lewis.org/2008/01/19#bgp

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From mksmith at adhost.com Fri May 8 12:35:00 2009
From: mksmith at adhost.com (Michael K.
Smith - Adhost)
Date: Fri, 8 May 2009 09:35:00 -0700
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com>
Message-ID: <17838240D9A5544AAA5FF95F8D5203160605CD53@ad-exh01.adhost.lan>

Hello Marcelo:

> I'm working in a migration of a CheckPoint Firewall to an ASA5520. I
> freeze
> on a situation that seems ASA cannot "reproduce" CheckPoint
> configuration.
> Follow the scenario:
>
> - IP Address X on the Internet access IP Address X1 in the Inside
> network
> through the X-NAT Address.
> - IP Address Y on the Internet access IP Address Y1 in the Inside
> network
> through the same X-NAT Address.
>
> CheckPoint already does this, but I couldn't find a way to do the same
> with
> ASA.
> I've tried with Policy NAT, but it seems it doesn't work well to static
> translations.

If you mean the following it can't be done on the ASA.

static (inside,outside) 1.2.3.4 192.168.1.1
static (inside,outside) 5.6.7.8 192.168.1.1

There is a 1:1 relationship with static NAT's. You could do PAT if that
suits.

static (inside,outside) tcp 1.2.3.4 http 192.168.1.1 http
static (inside,outside) tcp 5.6.7.8 smtp 192.168.1.1 smtp

Regards,

Mike

From lists at memetic.org Fri May 8 14:17:58 2009
From: lists at memetic.org (Adam Armstrong)
Date: Fri, 08 May 2009 19:17:58 +0100
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <200905080846.50229.kratzers@ctinetworks.com>
References: <200905080846.50229.kratzers@ctinetworks.com>
Message-ID: <4A047756.70102@memetic.org>

Stephen Kratzer wrote:
> All,
>
> We're looking to step up from the 7200 series to the 7600 series for DSL
> aggregation. Anyone know what the IDB limit is for this platform (#show idb)?
> We're at about 15000. Thanks.

Isn't the 7600 a particularly bad choice for this job?

Wouldn't an ASR1K be better?

adam.
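Jon Lewis's uRPF message above quotes the two check modes and the note that the most recently configured mode is applied to every uRPF-enabled port, which is exactly the situation in the thread's subject line (loose uRPF behaving like strict). The following is an added example, not from the thread or from Cisco: a toy FIB with longest-prefix match, the strict and exist-only (loose) checks written out, and a small model of a platform with one box-wide mode so that configuring a second port in strict mode silently tightens the first. The prefixes, interface names and the `allow_default` knob are constructed for the example (the knob stands in for the usual option of letting a default route satisfy the check, which is otherwise not a "real" route to the source).

```python
"""Unicast RPF strict vs loose (exist-only) check, modelled in Python.

Added example (not from the cisco-nsp thread).  Strict mode passes a
packet only if the best route to its source address points back out the
ingress interface; loose mode passes it if any route to the source
exists.  A packet that matches only the default route is rejected in
both modes unless allow_default is set.
"""
import ipaddress
from typing import Optional, Tuple


class Fib:
    """Minimal forwarding table: (network, outgoing interface) pairs."""

    def __init__(self):
        self._routes = []

    def add(self, prefix: str, iface: str) -> None:
        self._routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        """Longest-prefix match; None when no route at all covers addr."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self._routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(fib: Fib, src: str, in_iface: str, mode: str,
               allow_default: bool = False) -> bool:
    """True if a packet from src arriving on in_iface passes uRPF in mode."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    hit = fib.lookup(src)
    if hit is None:
        return False                      # source not in the FIB at all
    net, out_iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "loose":
        return True                       # exist-only: a route is enough
    return out_iface == in_iface          # strict: must point back at the ingress port


class PlatformUrpf:
    """Models the documented caveat: one check mode for the whole box, and
    whichever mode was configured last applies to every uRPF port."""

    def __init__(self, fib: Fib):
        self.fib = fib
        self.ports = set()
        self.mode = None

    def configure(self, iface: str, mode: str) -> None:
        self.ports.add(iface)
        self.mode = mode                  # last configured mode wins globally

    def check(self, src: str, in_iface: str) -> bool:
        if in_iface not in self.ports:
            return True                   # uRPF not enabled on this port
        return urpf_check(self.fib, src, in_iface, self.mode)


def build_fib() -> Fib:
    """Constructed FIB: two customer prefixes and a default route upstream."""
    fib = Fib()
    fib.add("192.0.2.0/24", "Gi1/1")
    fib.add("198.51.100.0/24", "Gi1/2")
    fib.add("0.0.0.0/0", "Gi1/3")
    return fib


if __name__ == "__main__":
    fib = build_fib()
    box = PlatformUrpf(fib)
    box.configure("Gi1/1", "loose")
    # Asymmetric return path: 198.51.100.0/24 is routed via Gi1/2 but a
    # packet from it arrives on Gi1/1.  Loose mode lets it through...
    print("loose on Gi1/1:", box.check("198.51.100.3", "Gi1/1"))
    box.configure("Gi1/2", "strict")
    # ...until strict is configured on another port and Gi1/1 follows suit.
    print("after strict on Gi1/2:", box.check("198.51.100.3", "Gi1/1"))
```

The two printed results differ only because the second `configure` call changed the box-wide mode; nothing about Gi1/1 itself was touched. That is the check worth running before concluding that loose mode is broken: compare the drops against the mode that was configured most recently, not the mode written under the interface where the drops appear.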
From knight at ktamerica.com Fri May 8 15:06:16 2009
From: knight at ktamerica.com (Kim , Jongwon)
Date: Fri, 8 May 2009 12:06:16 -0700
Subject: [c-nsp] IP transit Price in US
Message-ID: <00e501c9d010$10d6da60$32848f20$@com>

Hi All,

It is somewhat away from the topic, but I need your help.

I'd like to know current IP Transit service price in US.

Is Tier1 price cheaper than Tier2 or vice versa?

Any comments will be appreciated.

Kim, Jongwon (Jeff)
Network Director

From lists at memetic.org Fri May 8 15:17:26 2009
From: lists at memetic.org (Adam Armstrong)
Date: Fri, 08 May 2009 20:17:26 +0100
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <200905081448.57859.kratzers@pa.net>
References: <200905080846.50229.kratzers@ctinetworks.com> <4A047756.70102@memetic.org> <200905081448.57859.kratzers@pa.net>
Message-ID: <4A048546.2090902@memetic.org>

Stephen Kratzer wrote:
> On Friday 08 May 2009 14:17:58 Adam Armstrong wrote:
>
>> Stephen Kratzer wrote:
>>
>>> All,
>>>
>>> We're looking to step up from the 7200 series to the 7600 series for DSL
>>> aggregation. Anyone know what the IDB limit is for this platform (#show
>>> idb)? We're at about 15000. Thanks.
>>
>> Isn't the 7600 a particularly bad choice for this job?
>>
>> Wouldn't an ASR1K be better?
>>
>> adam.
>
> The ASR is certainly a better choice, but cost is an overriding factor. What
> in particular makes the 7600 a poor choice aside from the existence of better
> alternatives? Thanks.

Because it's essentially a large switch with an ASIC shoved up its arse?
(run by a BU who seem to hate switches with ASICs.)

I'm assuming that the PFC isn't particularly adept at bRAS functionality?
I've never tried it, of course.

Cisco historically liked to pimp the ESR for this job, though that was
always ridiculously priced, IMO, for the job it did.

I always tended to just use 7301/7201s, but recently have started to move
towards the ASR.

adam.
From kratzers at ctinetworks.com Fri May 8 15:18:35 2009
From: kratzers at ctinetworks.com (Stephen Kratzer)
Date: Fri, 8 May 2009 15:18:35 -0400
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <4A047756.70102@memetic.org>
References: <200905080846.50229.kratzers@ctinetworks.com> <4A047756.70102@memetic.org>
Message-ID: <200905081518.35505.kratzers@ctinetworks.com>

On Friday 08 May 2009 14:17:58 Adam Armstrong wrote:
> Stephen Kratzer wrote:
> > All,
> >
> > We're looking to step up from the 7200 series to the 7600 series for DSL
> > aggregation. Anyone know what the IDB limit is for this platform (#show
> > idb)? We're at about 15000. Thanks.
>
> Isn't the 7600 a particularly bad choice for this job?
>
> Wouldn't an ASR1K be better?
>
> adam.

The ASR is certainly a better choice, but cost is an overriding factor.
Does anything in particular make the 7600 a poor choice aside from the
existence of better alternatives? Thanks.

Stephen

From sethm at rollernet.us Fri May 8 15:25:53 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 08 May 2009 12:25:53 -0700
Subject: [c-nsp] IP transit Price in US
In-Reply-To: <00e501c9d010$10d6da60$32848f20$@com>
References: <00e501c9d010$10d6da60$32848f20$@com>
Message-ID: <4A048741.2050605@rollernet.us>

Kim , Jongwon wrote:
> Hi All,
>
> It is somewhat away from the topic , but I need your help.
>
> I'd like to know current IP Transit service price in US.

It can vary wildly depending on where you are in the country and who
you're buying from. In a quest to move my facility this year, I've
received T3 and Ethernet over SONET quotes anywhere from $6000/mo to
$2000/mo, all from "tier 1" providers. But in general, lit buildings and
colo facilities are always cheaper. Then there's outliers like Cogent
who are always really, really cheap with their on-net pricing.

> Is Tier1 price cheaper than Tier2 or vice versa?

A tier 2 is typically an ISP buying from a tier 1, although this can be
argued to death.
Tier 2 is typically cheaper, but sometimes you pay more than a lower
price. I learned the hard way years ago that nobody but the big players
(Sprint, Verizon, SAVVIS, etc.) knew how to run a proper network in my
area. All of the locals (and one CLEC who was acquired by a company who
admitted they didn't have any BGP customers before) are BGP retarded,
can't really provide high capacity service, or think making
service-impacting changes without notice is acceptable.

~Seth

From lukasz at bromirski.net Fri May 8 15:28:00 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Fri, 08 May 2009 21:28:00 +0200
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <200905081518.35505.kratzers@ctinetworks.com>
References: <200905080846.50229.kratzers@ctinetworks.com> <4A047756.70102@memetic.org> <200905081518.35505.kratzers@ctinetworks.com>
Message-ID: <4A0487C0.2050801@bromirski.net>

On 2009-05-08 21:18, Stephen Kratzer wrote:
> The ASR is certainly a better choice, but cost is an overriding factor. Does
> anything in particular makes the 7600 a poor choice aside from the existence
> of better alternatives? Thanks.

Define what you're doing currently on the 7200. If you expect to do
MQC-style shaping per user on WS-X6[12357]xx LCs then you're
unfortunately wrong - You'd need SIPs or ES20/40s to do the job.

What else?

-- 
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From nbernadeau at gallantsys.com Fri May 8 15:58:41 2009
From: nbernadeau at gallantsys.com (nbernadeau at gallantsys.com)
Date: Fri, 08 May 2009 15:58:41 -0400
Subject: [c-nsp] Question on CRS-MSC-40G
Message-ID: <20090508155841.ybhkvhd080cogsgo@webmail.gallantsys.com>

When you purchase a CRS-MSC-40G default, does it come with 40Gbps
license/software embedded in the MSC or do you have to put in a key
code or CD ROM to access 40 gig license?
-- 
regards,

Nathaniel Bernadeau
Gallant Systems, LLC
11064 Livingston RD Suite 106-C
Fort Washington, MD 20744
Toll Free: 888-836-3751
Ph: 301-627-6358
Fax: 240-823-6897
Cell: 202-246-2229
nbernadeau at gallantsys.com
www.gallantsys.com

From nbernadeau at gallantsys.com Fri May 8 16:10:40 2009
From: nbernadeau at gallantsys.com (nbernadeau at gallantsys.com)
Date: Fri, 08 May 2009 16:10:40 -0400
Subject: [c-nsp] Question on CRS-MSC-40G
In-Reply-To: <046401c9d018$a5eb7aec$78fca8c0@BREW.AD>
References: <046401c9d018$a5eb7aec$78fca8c0@BREW.AD>
Message-ID: <20090508161040.60bheevj4gkc4occ@webmail.gallantsys.com>

I'm sorry I didn't get an answer in your last email..

regards,

Nathaniel Bernadeau
Gallant Systems, LLC
11064 Livingston RD Suite 106-C
Fort Washington, MD 20744
Toll Free: 888-836-3751
Ph: 301-627-6358
Fax: 240-823-6897
Cell: 202-246-2229
nbernadeau at gallantsys.com
www.gallantsys.com

Quoting Bob McWhorter :

>
> Sent from my Windows Mobile® phone.
>
> -----Original Message-----
> From: nbernadeau at gallantsys.com
> Sent: Friday, May 08, 2009 1:06 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Question on CRS-MSC-40G
>
> When you purchase a CRS-MSC-40G default, does it come with 40Gbps
> license/sofware embedded in the MSC or do you have to put in a key
> code or CD ROM to access 40 gig license?
>
> -- 
> regards,
>
> Nathaniel Bernadeau
> Gallant Systems, LLC
> 11064 Livingston RD Suite 106-C
> Fort Washington, MD 20744
> Toll Free: 888-836-3751
> Ph: 301-627-6358
> Fax: 240-823-6897
> Cell: 202-246-2229
> nbernadeau at gallantsys.com
> www.gallantsys.com
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From paul at paulstewart.org Fri May 8 15:52:47 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 8 May 2009 15:52:47 -0400
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <4A047756.70102@memetic.org>
References: <200905080846.50229.kratzers@ctinetworks.com> <4A047756.70102@memetic.org>
Message-ID: <007301c9d016$9079d050$b16d70f0$@org>

I would tend to agree - the ASR series from Cisco would be the next upgrade, at least that's where we're headed at some point I think....

To answer your original question though, we've found on the 7206VXR-NPE2G that we'll run out of CPU long before IDBs. Here's a box running at an average of 30% CPU at any given time:

Maximum number of Software IDBs 32000. In use 2166.

                     HWIDBs    SWIDBs
Active                 2160      2161
Inactive                  4         5
Total IDBs             2164      2166
Size each (bytes)      3072      1328
Total bytes         6647808   2876448

We figure this box will top out at about 5-6000 before the CPU is too high (50% or so is where we like to max out at).

Just my two cents worth ;)

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam Armstrong
Sent: May 8, 2009 2:18 PM
To: kratzers at ctinetworks.com; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SUP720 IDB Limit

Stephen Kratzer wrote:
> All,
>
> We're looking to step up from the 7200 series to the 7600 series for DSL
> aggregation. Anyone know what the IDB limit is for this platform (#show idb)?
> We're at about 15000. Thanks.
>
Isn't the 7600 a particularly bad choice for this job? Wouldn't an ASR1K be better?

adam.

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From bmcwhorter at bmctotalcare.com Fri May 8 16:05:44 2009
From: bmcwhorter at bmctotalcare.com (Bob McWhorter)
Date: Fri, 8 May 2009 13:05:44 -0700
Subject: [c-nsp] Question on CRS-MSC-40G
Message-ID: <046401c9d018$a5eb7aec$78fca8c0@BREW.AD>

Sent from my Windows Mobile® phone.

-----Original Message-----
From: nbernadeau at gallantsys.com
Sent: Friday, May 08, 2009 1:06 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Question on CRS-MSC-40G

When you purchase a CRS-MSC-40G default, does it come with a 40Gbps license/software embedded in the MSC, or do you have to put in a key code or CD ROM to access the 40 gig license?

-- 
regards,

Nathaniel Bernadeau
Gallant Systems, LLC
11064 Livingston RD Suite 106-C
Fort Washington, MD 20744
Toll Free: 888-836-3751
Ph: 301-627-6358
Fax: 240-823-6897
Cell: 202-246-2229
nbernadeau at gallantsys.com
www.gallantsys.com

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From petelists at templin.org Fri May 8 17:25:31 2009
From: petelists at templin.org (Pete Templin)
Date: Fri, 08 May 2009 16:25:31 -0500
Subject: [c-nsp] MRTG on SONET APS?
Message-ID: <4A04A34B.2090703@templin.org>

List,

I'm in the process of bringing up my first SONET APS-protected (single-router APS) link, and it's been an adventure.
Aside from the carrier having to tickle their DACS cross-connect to get the circuit to work, and learning that I needed to use the Loopback0 address as the APS protect address, and then learning that I needed to allow UDP/1972 in my receive ACL (I guess I figured something had to be allowed), the link is now up. IPv4 and IPv6 OSPF adjacencies are up, and the working port is showing 1-2kbps of traffic.

Unfortunately, MRTG is only seeing 16bps on one port, and 0bps on the others. Is there something special to tracking the traffic on an APS pair?

Pete

From kratzers at ctinetworks.com Fri May 8 22:47:30 2009
From: kratzers at ctinetworks.com (Stephen Kratzer)
Date: Fri, 08 May 2009 22:47:30 -0400
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <4A0487C0.2050801@bromirski.net>
References: <200905080846.50229.kratzers@ctinetworks.com> <4A047756.70102@memetic.org> <200905081518.35505.kratzers@ctinetworks.com> <4A0487C0.2050801@bromirski.net>
Message-ID: <1241837250.7857.4.camel@kratzers-laptop>

On Fri, 2009-05-08 at 21:28 +0200, Łukasz Bromirski wrote:
> On 2009-05-08 21:18, Stephen Kratzer wrote:
>
> > The ASR is certainly a better choice, but cost is an overriding factor. Does
> > anything in particular make the 7600 a poor choice aside from the existence
> > of better alternatives? Thanks.
>
> Define what you're doing currently on the 7200. If you expect to
> do MQC-style shaping per user on WS-X6[12357]xx LCs then you're
> unfortunately wrong - you'd need SIPs or ES20/40s to do the job.
>
> What else?

Not doing anything too special. L2TP, VPDN, PPPoE, OSPF, netflow. No per-session shaping or policing. Does the 7600 family lack anything that the 7200 series has?
Stephen

From merlyn at Geeks.ORG Sat May 9 01:18:35 2009
From: merlyn at Geeks.ORG (Doug McIntyre)
Date: Sat, 9 May 2009 00:18:35 -0500
Subject: [c-nsp] Replacing Network switch
In-Reply-To: 
References: 
Message-ID: <20090509051835.GA97494@geeks.org>

On Thu, May 07, 2009 at 12:46:04PM -0500, Bulleri, Carlos wrote:
> I'm replacing a 2924 XL switch with a 2960 48TC-S
>
> The 2924 currently links to a 6913 and to another 2924 through the 2 100BaseFX interfaces. I want to make sure that I can get at least the link to the 6913 switch to work, and it seems to me that I'll need a transceiver to do so. If anyone can tell me exactly what model I'll need, I would appreciate it.

The GLC-FE-100FX, which the compatibility matrix says should work with at least 12.2(37)EY installed.

http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL632702.html

Seems like kind of a waste though.

From sshafi at gmail.com Sat May 9 05:45:54 2009
From: sshafi at gmail.com (Lala Lander)
Date: Sat, 9 May 2009 02:45:54 -0700
Subject: [c-nsp] Hub-Spoke QoS
Message-ID: 

Hi Experts,

I have a quick question for you folks. I am looking for your experience/best practices recommendation for a Hub-Spoke QoS scenario. Assume there is a hub site with 2 OC12s and 20 spoke sites with link speeds ranging from DS3 to OC3. How are you going to configure QoS/Policing/Shaper on the hub site so it cannot overwhelm a DS3 or OC3 site with, say, 100~200 Mbps of traffic? I am looking for your suggestions on how you are dealing with link speed mismatches in the WAN, especially when I am dealing with OC12 and DS3 links.
thanks in advance,
Lala

From dale.shaw+cisco-nsp at gmail.com Sat May 9 06:24:21 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 9 May 2009 20:24:21 +1000
Subject: [c-nsp] Hub-Spoke QoS
In-Reply-To: 
References: 
Message-ID: <3329cbb40905090324x5c53c54ke0a1673778f21727@mail.gmail.com>

Hi,

On Sat, May 9, 2009 at 7:45 PM, Lala Lander wrote:
> How are you going to configure QoS/Policing/Shaper
> on hub site so it cannot overwhelm a DS3 or OC3 site with say like 100~200
> Mbps traffic? I am looking for your suggestions how you are dealing with
> link speed mismatches in WAN especially when I am dealing with OC12 and DS3
> links.

Disclaimer: I don't know much about ATM.

Are those links access tails into a provider MPLS network? Do you use any kind of tunneling? What router hardware/interfaces/encapsulation do you have? Do you have QoS set up already?

Assuming it's a really simple network, here's a quick, generic and completely untested example that I'm sure someone will find a problem with! :-)

ip access-list extended SITE1
 permit ip any 10.1.0.0 0.0.0.255
!
ip access-list extended SITE2
 permit ip any 10.2.0.0 0.0.0.255
!
class-map SITE1
 match access-group name SITE1
!
class-map SITE2
 match access-group name SITE2
!
policy-map HUB
 class SITE1
  shape average 154400000
 class SITE2
  shape average 154400000
!
interface WanInterfaceX/X
 service-policy output HUB

Things get more complicated with tunnels, platform limitations/quirks, incorporating existing QoS settings, multicast, and so on, but it's still possible.

Have a look at the Hierarchical Queuing Framework (HQF) and per-tunnel QoS in 12.4(22)T. I haven't played with it myself -- I've found some 12.4(22)T too flaky -- but it looks promising.
cheers,
Dale

From sshafi at gmail.com Sat May 9 07:30:33 2009
From: sshafi at gmail.com (Lala Lander)
Date: Sat, 9 May 2009 04:30:33 -0700
Subject: [c-nsp] Hub-Spoke QoS
In-Reply-To: <3329cbb40905090324x5c53c54ke0a1673778f21727@mail.gmail.com>
References: <3329cbb40905090324x5c53c54ke0a1673778f21727@mail.gmail.com>
Message-ID: 

Hi Dale,

Thanks for your prompt reply. Yes, these are all MPLS L3VPN links, and yes, QoS with 5 different classes is already configured on the hub router.

On Sat, May 9, 2009 at 3:24 AM, Dale Shaw wrote:
> Hi,
>
> On Sat, May 9, 2009 at 7:45 PM, Lala Lander wrote:
> > How are you going to configure QoS/Policing/Shaper
> > on hub site so it cannot overwhelm a DS3 or OC3 site with say like
> > 100~200
> > Mbps traffic? I am looking for your suggestions how you are dealing with
> > link speed mismatches in WAN especially when I am dealing with OC12 and
> > DS3
> > links.
>
> Disclaimer: I don't know much about ATM.
>
> Are those links access tails into a provider MPLS network? Do you use
> any kind of tunneling? What router hardware/interfaces/encapsulation do
> you have? Do you have QoS set up already?
>
> Assuming it's a really simple network, here's a quick, generic and
> completely untested example that I'm sure someone will find a problem
> with! :-)
>
> ip access-list extended SITE1
>  permit ip any 10.1.0.0 0.0.0.255
> !
> ip access-list extended SITE2
>  permit ip any 10.2.0.0 0.0.0.255
> !
> class-map SITE1
>  match access-group name SITE1
> !
> class-map SITE2
>  match access-group name SITE2
> !
> policy-map HUB
>  class SITE1
>   shape average 154400000
>  class SITE2
>   shape average 154400000
> !
> interface WanInterfaceX/X
>  service-policy output HUB
>
> Things get more complicated with tunnels, platform limitations/quirks,
> incorporating existing QoS settings, multicast, and so on, but it's
> still possible.
>
> Have a look at the Hierarchical Queuing Framework (HQF) and per-tunnel
> QoS in 12.4(22)T.
> I haven't played with it myself -- I've found some
> 12.4(22)T too flaky -- but it looks promising.
>
> cheers,
> Dale
>

From maillist at webjogger.net Sat May 9 08:59:39 2009
From: maillist at webjogger.net (Adam Greene)
Date: Sat, 9 May 2009 08:59:39 -0400
Subject: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP
References: <66087561-1241468477-cardhu_decombobulator_blackberry.rim.net-163043037-@bxe1197.bisx.prod.on.blackberry>
Message-ID: <6BB79BCF1DC74542979D020B7F7284FF@GINKGO>

Hi Charles,

Everyone said *not* to inject customer eBGP routes into OSPF and then back into eBGP for upstream providers. In general, it was suggested that the customer-facing BGP router should communicate with the Internet-facing BGP routers via iBGP. That way, whatever attributes the customer advertises to us can be retained (if desired) on the advertisements to our upstream providers.

Something I hadn't expected was that many suggested that OSPF only be used to propagate infrastructure routes throughout our backbone, and that iBGP be used for all other (i.e. customer) routes. A link describing this best practice was offered: www.ripe.net/meetings/regional/manama-2006/presentations/BGP-BCP.pdf.

Hope that helps,
Adam

----- Original Message -----
From: 
To: "Adam Greene" ; ;
Sent: Monday, May 04, 2009 4:21 PM
Subject: Re: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP

> Can you post a summary?
> ------Original Message------
> From: Adam Greene
> Sender: cisco-nsp-bounces at puck.nether.net
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP
> Sent: May 4, 2009 6:36 AM
>
> I never said thanks to all those who responded on and offlist to this
> thread last week. It was very helpful, thanks, and sorry for the delay
> acknowledging your help.
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
> Sent via BlackBerry from T-Mobile
>

From ziliomarcelo at gmail.com Sat May 9 09:10:28 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Sat, 9 May 2009 10:10:28 -0300
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <4A03C72B.5070803@pinskyfamily.org>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <4A03C72B.5070803@pinskyfamily.org>
Message-ID: <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com>

Hi,

Thank you for the feedback.

What I must do is, for example:

200.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.1 (inside)
190.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.2 (inside)

When packets come from 200.1.1.1 towards 80.1.1.1, the ASA should redirect to inside IP 10.1.1.1. When packets come from 190.1.1.1 towards 80.1.1.1, the ASA should redirect to inside IP 10.1.1.2. That is, packets are forwarded to the inside network based on the source Internet address.

There are dozens of servers in this situation. Don't ask me why, this is the way CheckPoint works today and I need to reproduce the same configuration on the ASA. :)

Port redirection is not an option today because there are overlapping ports on some servers.

Thanks
Marcelo

2009/5/8 Bruce Pinsky
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Marcelo Zilio wrote:
> > Hi,
> >
> > I'm working on a migration of a CheckPoint Firewall to an ASA5520. I
> > froze on a situation that it seems the ASA cannot "reproduce" from the CheckPoint
> > configuration.
> > Follow the scenario:
> >
> > - IP Address X on the Internet accesses IP Address X1 in the Inside network
> > through the X-NAT Address.
> > - IP Address Y on the Internet accesses IP Address Y1 in the Inside network
> > through the same X-NAT Address.
> >
>
> Can you give us a more concrete example please? I'm not grok'ing what you
> are trying to accomplish.
>
>
> - --
> =========
> bep
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkoDxysACgkQE1XcgMgrtyZOMgCg8Yj4idWNvx9iTz32Pdy9QELy
> raAAn1pjQvIpoP31virlnmmlJc3JEz73
> =cP6b
> -----END PGP SIGNATURE-----
>

From swmike at swm.pp.se Sat May 9 09:11:50 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sat, 9 May 2009 15:11:50 +0200 (CEST)
Subject: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP
In-Reply-To: <6BB79BCF1DC74542979D020B7F7284FF@GINKGO>
References: <66087561-1241468477-cardhu_decombobulator_blackberry.rim.net-163043037-@bxe1197.bisx.prod.on.blackberry> <6BB79BCF1DC74542979D020B7F7284FF@GINKGO>
Message-ID: 

On Sat, 9 May 2009, Adam Greene wrote:

> used for all other (i.e. customer) routes. A link describing this best
> practice was offered:
> www.ripe.net/meetings/regional/manama-2006/presentations/BGP-BCP.pdf.

It's also highly encouraged to read "ISP Essentials", either buy the book or download the previous version that's floating around as a PDF (you have to do some googling). It basically says the same thing, plus contains a lot of other excellent suggestions.
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From sthaug at nethelp.no Sat May 9 09:14:24 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sat, 09 May 2009 15:14:24 +0200 (CEST)
Subject: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP
In-Reply-To: <6BB79BCF1DC74542979D020B7F7284FF@GINKGO>
References: <66087561-1241468477-cardhu_decombobulator_blackberry.rim.net-163043037-@bxe1197.bisx.prod.on.blackberry> <6BB79BCF1DC74542979D020B7F7284FF@GINKGO>
Message-ID: <20090509.151424.74732978.sthaug@nethelp.no>

> Something I hadn't expected was that many suggested that OSPF only be used
> to propagate infrastructure routes throughout our backbone, and that iBGP be
> used for all other (i.e. customer) routes. A link describing this best
> practice was offered:

Yes, this is standard practice, at least for larger ISPs. Your IGP (OSPF or IS-IS) carries links and loopbacks, BGP basically carries everything else.

Also, some ISPs choose to exclude links from the IGP, using it to carry loopbacks only. In such a configuration, the links are in BGP.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From ziliomarcelo at gmail.com Sat May 9 09:15:24 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Sat, 9 May 2009 10:15:24 -0300
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <17838240D9A5544AAA5FF95F8D5203160605CD53@ad-exh01.adhost.lan>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <17838240D9A5544AAA5FF95F8D5203160605CD53@ad-exh01.adhost.lan>
Message-ID: <62f79b510905090615h54208c69l1fbe80ff2b0fcf1b@mail.gmail.com>

Hi Mike,

Thank you for your response.
This is not exactly what I need, as you can see in my previous reply.

Even though, I think somehow this can be accomplished according to this doc:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

Thanks and regards
Marcelo

2009/5/8 Michael K.
Smith - Adhost
> Hello Marcelo:
>
> > I'm working on a migration of a CheckPoint Firewall to an ASA5520. I
> > froze
> > on a situation that it seems the ASA cannot "reproduce" from the CheckPoint
> > configuration.
> > Follow the scenario:
> >
> > - IP Address X on the Internet accesses IP Address X1 in the Inside
> > network
> > through the X-NAT Address.
> > - IP Address Y on the Internet accesses IP Address Y1 in the Inside
> > network
> > through the same X-NAT Address.
> >
> > CheckPoint already does this, but I couldn't find a way to do the same
> > with
> > the ASA.
> > I've tried with Policy NAT, but it seems it doesn't work well for
> > static
> > translations.
> >
>
> If you mean the following, it can't be done on the ASA.
>
> static (inside,outside) 1.2.3.4 192.168.1.1
> static (inside,outside) 5.6.7.8 192.168.1.1
>
> There is a 1:1 relationship with static NATs. You could do PAT if that
> suits.
>
> static (inside,outside) tcp 1.2.3.4 http 192.168.1.1 http
> static (inside,outside) tcp 5.6.7.8 smtp 192.168.1.1 smtp
>
> Regards,
>
> Mike
>

From frnkblk at iname.com Sat May 9 12:00:39 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 9 May 2009 11:00:39 -0500
Subject: [c-nsp] Cisco 2950T-24 crashing
Message-ID: 

I have a Cisco 2950T-24 that's crashed at least 165 times in the last few months. I've included the latest dump below, as my googlefu has turned up nothing productive so far. Since it has a very simple configuration, I suspect a hardware issue.
Frank

.May 8 06:04:33.938 CDT: %PLATFORM-1-CRASHED: System previously crashed with the following message:
.May 8 06:04:37.770 CDT: %PLATFORM-1-CRASHED: Crash info file is flash:/crashinfo/crashinfo_165
.May 8 06:04:37.770 CDT: %PLATFORM-1-CRASHED:
.May 8 06:04:37.774 CDT: %PLATFORM-1-CRASHED: C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA13, RELEASE SOFTWARE (fc2)
.May 8 06:04:37.774 CDT: %PLATFORM-1-CRASHED: Technical Support: http://www.cisco.com/techsupport
.May 8 06:04:37.774 CDT: %PLATFORM-1-CRASHED: Compiled Fri 27-Feb-09 22:20 by amvarma
.May 8 06:04:37.774 CDT: %PLATFORM-1-CRASHED: Signal = 23, Code = 0x24, Uptime 2d01h
.May 8 06:04:37.782 CDT: %PLATFORM-1-CRASHED: Cause: 0x00000024 (code 9): Breakpoint exception
.May 8 06:04:37.786 CDT: %PLATFORM-1-CRASHED: Signal 23, Exception code (0x0024)!

From lobo at allstream.net Sat May 9 12:18:10 2009
From: lobo at allstream.net (Jose)
Date: Sat, 09 May 2009 12:18:10 -0400
Subject: [c-nsp] Loose uRPF behaving like strict mode on 7600
In-Reply-To: 
References: <49F91A9A.9060403@allstream.net>
 <4A021FDF.3030100@allstream.net>
Message-ID: <4A05ACC2.5090603@allstream.net>

Jon Lewis wrote:
> On Wed, 6 May 2009, Jose wrote:
>
>> Well, according to the TAC case I had opened on this, it seems that
>> because the SUP32 has its TCAM full and is getting exception errors
>> (it has the full internet routing tables), this is likely the culprit
>> to why uRPF in loose mode is not behaving as expected.
>
> I glossed over the fact that you're running SUP32's with full BGP
> tables. I didn't think that was even possible due to TCAM limitations.
>
> The important bit from the URL I sent is:
>
> Configuring the Unicast RPF Check Mode
>
> There are two unicast RPF check modes:
>
> - Strict check mode, which verifies that the source IP address exists
>   in the FIB table and verifies that the source IP address is reachable
>   through the input port.
>
> - Exist-only check mode, which only verifies that the source IP
>   address exists in the FIB table.
>
> Note The most recently configured mode is automatically applied to all
> ports configured for unicast RPF check.
>
> I assumed you were trying to mix loose and strict RPF.
>
> Assuming you can't immediately upgrade to SUP720-3bxl or better, you
> might consider some filtering. Have a look at
> http://jonsblog.lewis.org/2008/01/19#bgp
>
> ----------------------------------------------------------------------
> Jon Lewis                   | I route
> Senior Network Engineer     | therefore you are
> Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> ------------------------------------------------------------------------
>
>
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 8.5.325 / Virus Database: 270.12.22/2105 - Release Date: 05/08/09 11:43:00
>
>

Thanks for the tips Jon.
Jose

From paul at paulstewart.org Sat May 9 14:51:50 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Sat, 9 May 2009 14:51:50 -0400
Subject: [c-nsp] Sup720 Errors - Revisited
Message-ID: <011201c9d0d7$3734e810$a59eb830$@org>

Hi folks.

I posted about this before and was told it was either bad memory or bad sup cards.. Have a pair of 7606's with sup720-3bxl. These errors occur on one system and not the other. To top it off, we got these same errors showing up a couple of times now on a 6509 with sup2/msfc2 recently..

May 9 07:16:21: %SYSTEM_CONTROLLER-SP-STDBY-3-ERROR: Error condition detected: TM_DATA_PARITY_ERROR
May 9 07:16:21: %SYSTEM_CONTROLLER-SP-STDBY-3-EXCESSIVE_RESET: System Controller is getting reset so frequently

Both 7606 chassis are running 12.2(33)SRA7 and this also occurred when they were running the SXF train. We have many 6500's and only one of them so far has exhibited the same errors, and it is running 12.2(18)SXF16.

Just looking for thoughts. We swapped spare supervisors between the 7600 showing issues and the one that doesn't log any errors, kicked it over and still see these issues.. Bad chassis??

Are these errors critical in nature or more just informative?

Thanks for your time,

Paul

From ibrahim.abozaid at gmail.com Sat May 9 21:12:30 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Sun, 10 May 2009 04:12:30 +0300
Subject: [c-nsp] Sup720 Errors - Revisited
In-Reply-To: <011201c9d0d7$3734e810$a59eb830$@org>
References: <011201c9d0d7$3734e810$a59eb830$@org>
Message-ID: 

Hi Paul

I think it is a physical problem with this chassis, maybe due to the position or electrical conditions causing some sort of biasing for the memory ASIC that leads to this reload loop.

You can start by checking chassis position, electrical isolation, grounding and supply, and temperature, and if that didn't work, it might be a persistent problem with the backplane.

best regards
--Ibrahim

On Sat, May 9, 2009 at 9:51 PM, Paul Stewart wrote:
> Hi folks.
>
>
>
> I posted about this before and was told it was either bad memory or bad sup
> cards.. Have a pair of 7606's with sup720-3bxl. These errors occur on one
> system and not the other. To top it off, we got these same errors showing
> up a couple of times now on a 6509 with sup2/msfc2 recently..
>
>
>
> May 9 07:16:21: %SYSTEM_CONTROLLER-SP-STDBY-3-ERROR: Error condition
> detected: TM_DATA_PARITY_ERROR
>
> May 9 07:16:21: %SYSTEM_CONTROLLER-SP-STDBY-3-EXCESSIVE_RESET: System
> Controller is getting reset so frequently
>
>
>
> Both 7606 chassis are running 12.2(33)SRA7 and this also occurred when they
> were running the SXF train. We have many 6500's and only one of them so far
> has exhibited the same errors, and it is running 12.2(18)SXF16.
>
>
>
> Just looking for thoughts. We swapped spare supervisors between the 7600
> showing issues and the one that doesn't log any errors, kicked it over and
> still see these issues.. Bad chassis??
>
>
>
> Are these errors critical in nature or more just informative?
>
>
>
> Thanks for your time,
>
>
>
> Paul
>
>
>
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From rshughes at gmail.com Sat May 9 23:26:55 2009
From: rshughes at gmail.com (Ryan Hughes)
Date: Sat, 9 May 2009 23:26:55 -0400
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <62f79b510905090615h54208c69l1fbe80ff2b0fcf1b@mail.gmail.com>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <17838240D9A5544AAA5FF95F8D5203160605CD53@ad-exh01.adhost.lan> <62f79b510905090615h54208c69l1fbe80ff2b0fcf1b@mail.gmail.com>
Message-ID: 

Then you should use an access-list for interesting traffic to match on those specific conditions. This is static policy NAT.
See the ASA 8.0 config guide:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042553

static (inside,outside) 80.1.1.1 access-list CONDITION1
static (inside,outside) 80.1.1.1 access-list CONDITION2

access-list CONDITION1 permit ip host 10.1.1.1 host 200.1.1.1
access-list CONDITION2 permit ip host 10.1.1.2 host 190.1.1.1

On Sat, May 9, 2009 at 9:15 AM, Marcelo Zilio wrote:
> Hi Mike,
>
> Thank you for your response.
> This is not exactly what I need, as you can see in my previous reply.
>
> Even though, I think somehow this can be accomplished according to this doc:
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml
>
> Thanks and regards
> Marcelo
>
> 2009/5/8 Michael K. Smith - Adhost
>
> > Hello Marcelo:
> >
> > > I'm working on a migration of a CheckPoint Firewall to an ASA5520. I
> > > froze
> > > on a situation that it seems the ASA cannot "reproduce" from the CheckPoint
> > > configuration.
> > > Follow the scenario:
> > >
> > > - IP Address X on the Internet accesses IP Address X1 in the Inside
> > > network
> > > through the X-NAT Address.
> > > - IP Address Y on the Internet accesses IP Address Y1 in the Inside
> > > network
> > > through the same X-NAT Address.
> > >
> > > CheckPoint already does this, but I couldn't find a way to do the same
> > > with
> > > the ASA.
> > > I've tried with Policy NAT, but it seems it doesn't work well for
> > > static
> > > translations.
> > >
> >
> > If you mean the following, it can't be done on the ASA.
> >
> > static (inside,outside) 1.2.3.4 192.168.1.1
> > static (inside,outside) 5.6.7.8 192.168.1.1
> >
> > There is a 1:1 relationship with static NATs. You could do PAT if that
> > suits.
> >
> > static (inside,outside) tcp 1.2.3.4 http 192.168.1.1 http
> > static (inside,outside) tcp 5.6.7.8 smtp 192.168.1.1 smtp
> >
> > Regards,
> >
> > Mike
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From dudepron at gmail.com Sat May 9 23:52:20 2009
From: dudepron at gmail.com (Aaron)
Date: Sat, 9 May 2009 23:52:20 -0400
Subject: [c-nsp] MRTG on SONET APS?
In-Reply-To: <4A04A34B.2090703@templin.org>
References: <4A04A34B.2090703@templin.org>
Message-ID: <480dad640905092052v72e5da31j5055f8a7a85e195a@mail.gmail.com>

Just monitor both ports as normal. One for each. That's what we used to do.

Aaron

On Fri, May 8, 2009 at 17:25, Pete Templin wrote:
> List,
>
> I'm in the process of bringing up my first SONET APS-protected
> (single-router APS) link, and it's been an adventure. Aside from the
> carrier having to tickle their DACS cross-connect to get the circuit to
> work, and learning that I needed to use the Loopback0 address as the APS
> protect address, and then learning that I needed to allow UDP/1972 in my
> receive ACL (I guess I figured something had to be allowed), the link is now
> up. IPv4 and IPv6 OSPF adjacencies are up, and the working port is showing
> 1-2kbps of traffic.
>
> Unfortunately, MRTG is only seeing 16bps on one port, and 0bps on the
> others. Is there something special to tracking the traffic on an APS pair?
>
> Pete
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From ib_cims at yahoo.com Sun May 10 03:28:13 2009
From: ib_cims at yahoo.com (Ibrahim Alsharif)
Date: Sun, 10 May 2009 00:28:13 -0700 (PDT)
Subject: [c-nsp] (no subject)
Message-ID: <697159.42338.qm@web63804.mail.re1.yahoo.com>

Hello Dear,

I'm trying to configure Failover on 2 ASA Firewalls; they work in multiple context mode. So when I'm trying to connect them, the synchronization between the primary unit & secondary unit is not completed, I don't know why. There are 2 Security Contexts and only one context is synchronized; the other one is not synchronized.

I wish you could help me solve this issue, or if anybody has configured failover in a multiple security contexts environment, could you advise what to do?

Thanks
Ibrahim Alsharif

From zivl at gilat.net Sun May 10 06:23:03 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 10 May 2009 13:23:03 +0300
Subject: [c-nsp] Stupid SNMP tricks.
In-Reply-To: 
References: 
Message-ID: 

If you're running this from a script it can be possible to cut out the lines you need using grep and then cutting the text. I have a few scripts on a Linux box that I use to fetch different values from several devices.

Let me know if you need further assistance with it, or send me an example of what you sample, what the whole output is and what the relevant lines you need out of it are. I can write a little script for you that can format the output as you want.

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
Sent: Wednesday, May 06, 2009 10:37 PM
To: 'cisco-nsp at puck.nether.net'
Subject: [c-nsp] Stupid SNMP tricks.

Hey all,

I'm trying to script a few things using SNMP (data collection, mainly).
I've essentially found the OIDs I need, but it seems like there is no way to separate routes by how they originate. For example if you do an snmpwalk ... ipRouteNextHop, it shows you all of the routes in the entire system including EIGP, IGP, locally originated. Does anyone know of any way to only get information for a specific type of route? In my case I only want to see the locally originated routes. Thanks, -Drew _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ From paul at paulstewart.org Sun May 10 08:13:54 2009 From: paul at paulstewart.org (Paul Stewart) Date: Sun, 10 May 2009 08:13:54 -0400 Subject: [c-nsp] Sup720 Errors - Revisited In-Reply-To: References: <011201c9d0d7$3734e810$a59eb830$@org> Message-ID: <018401c9d168$ca3d0390$5eb70ab0$@org> Thanks Ibrahim - I tend to agree (as much as I don't like too). The strange thing is that the 6500 where this same error occurred is 100 miles away in a different data center, but we've only really seen it occur there once... 
I was *really* hoping someone had come across these errors and found it to be in software somewhere but it doesn't look like my luck is going to get that good ;)

Take care,

Paul

From: Ibrahim Abo Zaid [mailto:ibrahim.abozaid at gmail.com]
Sent: May 9, 2009 9:13 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Sup720 Errors - Revisited

Hi Paul

I think it is a physical problem with this chassis, maybe due to the position or electrical conditions causing some sort of biasing for the memory ASIC and leading to this reload loop. You can start by checking chassis position, electrical isolation, grounding and supply and temperature, and if it didn't work, it might be a persistent problem with the backplane.

best regards
--Ibrahim

On Sat, May 9, 2009 at 9:51 PM, Paul Stewart wrote:

Hi folks.

I posted about this before and was told it was either bad memory or bad sup cards.. Have a pair of 7606's with sup720-3bxl . these errors occur on one system and not the other. To top it off, we got these same errors showing up a couple of times now on 6509 with sup2/msfc2 recently..

May 9 07:16:21: %SYSTEM_CONTROLLER-SP-STDBY-3-ERROR: Error condition detected: TM_DATA_PARITY_ERROR
May 9 07:16:21: %SYSTEM_CONTROLLER-SP-STDBY-3-EXCESSIVE_RESET: System Controller is getting reset so frequently

Both 7606 chassis are running 12.2(33)SRA7 and this also occurred when they were running SXF train. We have many 6500's and only one of them so far has exhibited the same errors and it is running 12.2(18)SXF16

Just looking for thoughts. we swapped spare supervisors between the 7600 showing issues and the one that doesn't log any errors, kicked it over and still see these issues.. Bad chassis?? Are these errors critical in nature or more just informative?
Thanks for your time, Paul _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From zivl at gilat.net Sun May 10 09:29:28 2009 From: zivl at gilat.net (Ziv Leyes) Date: Sun, 10 May 2009 16:29:28 +0300 Subject: [c-nsp] Stupid SNMP tricks. In-Reply-To: References: Message-ID: Also, you could use a combination of ipRouteNextHop followed by ipRouteProto which gives you the info about every routing type (BGP, local, etc) Hope this helps, Ziv -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver Sent: Wednesday, May 06, 2009 10:37 PM To: 'cisco-nsp at puck.nether.net' Subject: [c-nsp] Stupid SNMP tricks. Hey all, I'm trying to script a few things using SNMP (data collection, mainly). I've essentially found the OIDs I need, but it seems like there is no way to separate routes by how they originate. For example if you do an snmpwalk ... ipRouteNextHop, it shows you all of the routes in the entire system including EIGP, IGP, locally originated. Does anyone know of any way to only get information for a specific type of route? In my case I only want to see the locally originated routes. Thanks, -Drew _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. 
************************************************************************************ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ From gert at greenie.muc.de Sun May 10 09:49:59 2009 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 10 May 2009 15:49:59 +0200 Subject: [c-nsp] SUP720 IDB Limit In-Reply-To: <1241837250.7857.4.camel@kratzers-laptop> References: <200905080846.50229.kratzers@ctinetworks.com> <4A047756.70102@memetic.org> <200905081518.35505.kratzers@ctinetworks.com> <4A0487C0.2050801@bromirski.net> <1241837250.7857.4.camel@kratzers-laptop> Message-ID: <20090510134959.GR290@greenie.muc.de> Hi, On Fri, May 08, 2009 at 10:47:30PM -0400, Stephen Kratzer wrote: > Not doing anything too special. L2TP, VPDN, PPPoE, OSPF, netflow. No > per-session shaping or policing. Does the 7600 family lack anything that > the 7200 series has? The 7600 is incredibly fast and rock-solid *if* the feature you want can be done by its hardware. Some things will fall back to slow path (CPU) (which, from your list, would be L2TP, VPDN, PPPoE), others will just not be possible at all on "LAN" hardware (distinct VLAN space per port, VPLS, MAC accounting). Basic 6500/7600s are ethernet switch with extra brains - fast, but with some restrictions. If you add the incredibly expensive ES line cards, more features will be possible (VPLS, better QoS), but at a cost, obviously. We like the 6500s, even if we have bit by the stupid-BU-bullshit (read the archives). But we are well aware of its limitations. So: if you are going to use the box for VPDN stuff, go for something else (7201 or ASR1k). 
If you want something that will just forward packets, but not do layers and layers of fancy encapsulation stuff, go for the 6500/7600. Spec out what you need, and have your Cisco reseller sign(!) that these requirements are met by whatever box they are selling you. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From will at harg.net Sun May 10 12:26:53 2009 From: will at harg.net (Will Hargrave) Date: Sun, 10 May 2009 17:26:53 +0100 Subject: [c-nsp] Nexus 5000? In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> Message-ID: <4A07004D.50302@harg.net> Matthew Huff wrote: > It's an SFP port rather than a copper 10/100/1000. Every Cisco SFP port fiber or copper is 1g only. Not true. E.g. 
on a c3750g

ap-c3750g-1#show int status
Port      Name      Status       Vlan    Duplex  Speed   Type
Gi1/0/6   ap-974a   connected    trunk   a-full  a-1000  1000BaseSX SFP
Gi1/0/10  ap-ups1   connected    1       a-full  a-100   10/100/1000BaseTX SFP
Gi1/0/11  ap-rt1    connected    trunk   a-full  a-1000  10/100/1000BaseTX SFP

From Charles at thewybles.com Sun May 10 13:19:56 2009
From: Charles at thewybles.com (Charles at thewybles.com)
Date: Sun, 10 May 2009 17:19:56 +0000
Subject: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP
In-Reply-To: <6BB79BCF1DC74542979D020B7F7284FF@GINKGO>
References: <66087561-1241468477-cardhu_decombobulator_blackberry.rim.net-163043037-@bxe1197.bisx.prod.on.blackberry><6BB79BCF1DC74542979D020B7F7284FF@GINKGO>
Message-ID: <857018647-1241976015-cardhu_decombobulator_blackberry.rim.net-1661590927-@bxe1197.bisx.prod.on.blackberry>

Thanks for the update. Yes this architecture seems to make a lot of sense.

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: "Adam Greene"
Date: Sat, 9 May 2009 08:59:39
To:
Subject: Re: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP

Hi Charles,

Everyone said *not* to inject customer eBGP routes into OSPF and then back into eBGP for upstream providers. In general, it was suggested that the customer-facing BGP router should communicate with the Internet-facing BGP routers via iBGP. That way, whatever attributes the customer advertises to us can be retained (if desired) on the advertisements to our upstream providers.

Something I hadn't expected was that many suggested that OSPF only be used to propagate infrastructure routes throughout our backbone, and that iBGP be used for all other (i.e. customer) routes. A link describing this best practice was offered: www.ripe.net/meetings/regional/manama-2006/presentations/BGP-BCP.pdf.

Hope that helps,
Adam

----- Original Message -----
From:
To: "Adam Greene" ; ;
Sent: Monday, May 04, 2009 4:21 PM
Subject: Re: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP

> Can you post a summary?
> ------Original Message------ > From: Adam Greene > Sender: cisco-nsp-bounces at puck.nether.net > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP > Sent: May 4, 2009 6:36 AM > > I never said thanks to all those who responded on and offlist to this > thread > last week. It was very helpful, thanks, and sorry for the delay > acknowledging your help. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > Sent via BlackBerry from T-Mobile > > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From paul.stainton at talktalk.net Sun May 10 12:49:27 2009 From: paul.stainton at talktalk.net (Paul Stainton) Date: Sun, 10 May 2009 17:49:27 +0100 Subject: [c-nsp] PIX 515E Downgrade Message-ID: <000001c9d18f$54614880$0514a8c0@support> Hi Is it possible to downgrade a PIX 515E from pix804.bin to pix613.bin I have tried and so far been unsuccessful using copy ttfp and write net commands. I have heard that the pix613 uses a different flash file system than the pix804. Does anyone know if this is correct and if so can anything be done about it? How can I remove the asdm file from flash as the pix613.bin does not use it Regards Paul From petelists at templin.org Sun May 10 13:11:12 2009 From: petelists at templin.org (Pete Templin) Date: Sun, 10 May 2009 12:11:12 -0500 Subject: [c-nsp] MRTG on SONET APS? In-Reply-To: <480dad640905092052v72e5da31j5055f8a7a85e195a@mail.gmail.com> References: <4A04A34B.2090703@templin.org> <480dad640905092052v72e5da31j5055f8a7a85e195a@mail.gmail.com> Message-ID: <4A070AB0.1050806@templin.org> Aaron wrote: > Just monitor both ports as normal. One for each. 
That's what we used to do. I'm not getting valid/expected data on either. pt From daryl at introspect.net Sun May 10 15:55:21 2009 From: daryl at introspect.net (Daryl G. Jurbala) Date: Sun, 10 May 2009 15:55:21 -0400 Subject: [c-nsp] The mechanics of SSO In-Reply-To: <20090507153253.GA14311@kallisti.us> References: <20090506195311.GA8001@kallisti.us> <4A01F317.5080401@thewybles.com> <20090506205004.GA8553@kallisti.us> <20090507153253.GA14311@kallisti.us> Message-ID: <9DDF8614-6181-4AE5-B15D-07637735662D@introspect.net> On May 7, 2009, at 11:32 AM, Ross Vandegrift wrote: > On Thu, May 07, 2009 at 02:03:44AM +0300, Ibrahim Abo Zaid wrote: >> actually i can't get if SUP running SSO why you think configuration >> will be >> loaded from active to standby during switchover ? ! >> >> SSO maintains control plane and data plane resiliency and both SUP >> have >> active IOS image and synchronized configuration > > Not during switchover - during bootup. When the standby SUP is > booting, it needs to fetch the config from the active. > > That is the syncronization problem I ran into yesterday. I believe Jared meant that you would need to interrupt the boot process of one of the sups so that it WON'T boot during power up. Once you have one Sup fully online with all modules initialized, you can reset the one that you interrupted and let it boot. And I agree with him. It looks like a race condition that is happening because of HA initialization timing during boot with both Sups. Sure, if you happen to have physical access you can ignore that OOB thing and just pop a sup out, boot, and pop it back in once everything else is online. But I think most of us are used to working on equipment that is somewhere between "fairly inconvenient" and "20 hour flight" to physically access, so my default response is usually how to do things over the wire or though OOB as well. 
Daryl From mhuff at ox.com Sun May 10 19:20:52 2009 From: mhuff at ox.com (Matthew Huff) Date: Sun, 10 May 2009 19:20:52 -0400 Subject: [c-nsp] Nexus 5000? In-Reply-To: <4A07004D.50302@harg.net> References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> <4A07004D.50302@harg.net> Message-ID: <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> Thanks. It appears that some of the fixed configuration switches that have SFP ports can be 10/100/1000. I've never run into that, as all the SFP ports I've seen on the 6500/7600 are fixed at 1G. I thought it was a SFP thing, but apparently not. ---- Matthew Huff?????? | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com? | Phone: 914-460-4039 aim: matthewbhuff? | Fax:?? 914-460-4139 -----Original Message----- From: Will Hargrave [mailto:will at harg.net] Sent: Sunday, May 10, 2009 12:27 PM To: Matthew Huff Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Nexus 5000? Matthew Huff wrote: > It's an SFP port rather than a copper 10/100/1000. Every Cisco SFP port fiber or copper is 1g only. Not true. E.g. on a c3750g ap-c3750g-1#show int status Port Name Status Vlan Duplex Speed Type Gi1/0/6 ap-974a connected trunk a-full a-1000 1000BaseSX SFP Gi1/0/10 ap-ups1 connected 1 a-full a-100 10/100/1000BaseTX SFP Gi1/0/11 ap-rt1 connected trunk a-full a-1000 10/100/1000BaseTX SFP From sethm at rollernet.us Sun May 10 19:33:27 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Sun, 10 May 2009 16:33:27 -0700 Subject: [c-nsp] Stupid "Security Questions" Message-ID: <4A076447.2090002@rollernet.us> This is just me whining hoping someone from Cisco will listen. So I log in today to run a crashinfo file through the output interpreter and lo and behold, cisco is become infected with those stupid "security question" things I loathe to no end. For the love of $diety, why? 
Why must you force me to make my account less secure with information people could find out easier than my standard random memorized combination passwords? My solution? Answer the security questions with an MD5 hash of a few choice four-letter words I'd like to share with the management group who brought this upon me. ~Seth From cchurc05 at harris.com Sun May 10 21:39:10 2009 From: cchurc05 at harris.com (Church, Charles) Date: Sun, 10 May 2009 20:39:10 -0500 Subject: [c-nsp] Nexus 5000? In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> References: <4A01BEB9.4080402@chrisserafin.com><4A01FB6D.10703@thewybles.com><483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com><4A07004D.50302@harg.net> <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> Message-ID: This URL sums it up pretty well: http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html#wp108824 Note some say 10/100/1000 for the GLC-T, and some just say 1000BaseT Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Huff Sent: Sunday, May 10, 2009 7:21 PM To: Will Hargrave Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Nexus 5000? Thanks. It appears that some of the fixed configuration switches that have SFP ports can be 10/100/1000. I've never run into that, as all the SFP ports I've seen on the 6500/7600 are fixed at 1G. I thought it was a SFP thing, but apparently not. ---- Matthew Huff?????? | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com? | Phone: 914-460-4039 aim: matthewbhuff? | Fax:?? 914-460-4139 -----Original Message----- From: Will Hargrave [mailto:will at harg.net] Sent: Sunday, May 10, 2009 12:27 PM To: Matthew Huff Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Nexus 5000? Matthew Huff wrote: > It's an SFP port rather than a copper 10/100/1000. 
Every Cisco SFP port fiber or copper is 1g only. Not true. E.g. on a c3750g ap-c3750g-1#show int status Port Name Status Vlan Duplex Speed Type Gi1/0/6 ap-974a connected trunk a-full a-1000 1000BaseSX SFP Gi1/0/10 ap-ups1 connected 1 a-full a-100 10/100/1000BaseTX SFP Gi1/0/11 ap-rt1 connected trunk a-full a-1000 10/100/1000BaseTX SFP _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From danletkeman at gmail.com Sun May 10 23:31:58 2009 From: danletkeman at gmail.com (Dan Letkeman) Date: Sun, 10 May 2009 22:31:58 -0500 Subject: [c-nsp] 3560 memory problem? Message-ID: Hello, I just noticed this on one of our switches: cisco WS-C3560-24TS (PowerPC405) processor (revision E0) with 0K/8184K bytes of memory. Processor board ID CAT1115RH2K Last reset from power-on 13 Virtual Ethernet interfaces 24 FastEthernet interfaces 2 Gigabit Ethernet interfaces The password-recovery mechanism is enabled. 12.2(44)SE All of the other switches show the proper amount of memory: cisco WS-C3560-24TS (PowerPC405) processor (revision D0) with 122880K/8184K bytes of memory. Processor board ID CAT1041ZHPN Last reset from power-on 27 Virtual Ethernet interfaces 24 FastEthernet interfaces 2 Gigabit Ethernet interfaces The password-recovery mechanism is enabled. 12.2(40)SE I'm a bit worried that if i restart this switch that it won't come back up. Anyone seen this before? Thanks, Dan. From mpalatnik at wustl.edu Sun May 10 23:51:23 2009 From: mpalatnik at wustl.edu (Max Palatnik) Date: Sun, 10 May 2009 22:51:23 -0500 Subject: [c-nsp] 3560 memory problem? In-Reply-To: Message-ID: Can you do a show memory statistics / show region? 
Max On 5/10/09 10:32 PM, "cisco-nsp-request at puck.nether.net" wrote: > Send cisco-nsp mailing list submissions to > cisco-nsp at puck.nether.net > > To subscribe or unsubscribe via the World Wide Web, visit > https://puck.nether.net/mailman/listinfo/cisco-nsp > or, via email, send a message with subject or body 'help' to > cisco-nsp-request at puck.nether.net > > You can reach the person managing the list at > cisco-nsp-owner at puck.nether.net > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of cisco-nsp digest..." > Today's Topics: > > 1. Re: Nexus 5000? (Will Hargrave) > 2. Re: eBGP --> OSPF --> eBGP vs eBGP --> iBGP --> eBGP > (Charles at thewybles.com) > 3. PIX 515E Downgrade (Paul Stainton) > 4. Re: MRTG on SONET APS? (Pete Templin) > 5. Re: The mechanics of SSO (Daryl G. Jurbala) > 6. Re: Nexus 5000? (Matthew Huff) > 7. Stupid "Security Questions" (Seth Mattinen) > 8. Re: Nexus 5000? (Church, Charles) > 9. 3560 memory problem? (Dan Letkeman) > _______________________________________________ > cisco-nsp mailing list > cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp From elmi at 4ever.de Mon May 11 01:26:22 2009 From: elmi at 4ever.de (Elmar K. Bins) Date: Mon, 11 May 2009 07:26:22 +0200 Subject: [c-nsp] Nexus 5000? In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> <4A07004D.50302@harg.net> <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> Message-ID: <20090511052621.GI29526@ronin.4ever.de> mhuff at ox.com (Matthew Huff) wrote: > Thanks. It appears that some of the fixed configuration switches that have SFP ports can be 10/100/1000. I've never run into that, as all the SFP ports I've seen on the 6500/7600 are fixed at 1G. I thought it was a SFP thing, but apparently not. Well... 
Gi1/2 MGT port connected routed a-full a-100 10/100/1000BaseT ... on a 6503/SUP720-3B. or... GigabitEthernet0/0/1 is up, line protocol is up Hardware is 4XGE-BUILT-IN, address is 0023.04a5.2101 (bia 0023.04a5.2101) Description: Link to DECIX switch FRA4 (DECIX-1) Internet address is 80.81.192.176/22 MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 44/255, rxload 26/255 Encapsulation ARPA, loopback not set Keepalive not supported Full Duplex, 100Mbps, link type is force-up, media type is T ... on a ASR1002. I'd say most Cisco devices will be able to use GLC-T's on 10/100/1000. Elmar. From dale.shaw+cisco-nsp at gmail.com Mon May 11 01:40:19 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Mon, 11 May 2009 15:40:19 +1000 Subject: [c-nsp] Nexus 5000? In-Reply-To: <20090511052621.GI29526@ronin.4ever.de> References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> <4A07004D.50302@harg.net> <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> <20090511052621.GI29526@ronin.4ever.de> Message-ID: <3329cbb40905102240r5a09fcd8yba50d3ac75d22154@mail.gmail.com> Hi, On Mon, May 11, 2009 at 3:26 PM, Elmar K. Bins wrote: > I'd say most Cisco devices will be able to use GLC-T's on 10/100/1000. I must admit, the only place I've encountered the "1000-only" situation is on WS-X6724-SFP (and I assume 48-SFP) 6500 series line cards. Apart from here and the Nexus 5000, where else does it happen? It's quite annoying. 
cheers, Dale From justin at justinshore.com Mon May 11 03:02:26 2009 From: justin at justinshore.com (Justin Shore) Date: Mon, 11 May 2009 02:02:26 -0500 Subject: [c-nsp] IPv6 Subnetting - Service Provider In-Reply-To: <20080911202727.GA9212@toontown.erial.nj.us> References: <004401c91442$1170c510$34524f30$@org> <004501c9144a$8e4d0f00$aae72d00$@org> <20080911202727.GA9212@toontown.erial.nj.us> Message-ID: <4A07CD82.3060708@justinshore.com> Bob Snyder wrote: > One issue we ran into was that not all the networking gear we had could support > /126. The vendor's (not Cisco) immature support for IPv6 could only understand > the concept of /128 loopbacks and /64 subnets. > > Device in question was a CMTS. Not to drag an old thread out of the archives, but I'm curious what brand of CMTS you experienced this on. Was it a Moto or Arris C4 by chance? We have lots of Arris C3s which don't support IPv6 (never will). We're eyeballing the new C4C coming out though. It's the small version of the modular C4 chassis. Justin From ib_cims at yahoo.com Mon May 11 03:00:58 2009 From: ib_cims at yahoo.com (Ibrahim Alsharif) Date: Mon, 11 May 2009 00:00:58 -0700 (PDT) Subject: [c-nsp] ASA Multiple Context Failover Message-ID: <324488.70797.qm@web63807.mail.re1.yahoo.com> Hello Guys, I'm trying to configure Failover on 2 ASA Firewalls, their work is in multiple context mode. so when I'm trying to connect them the synchronization between the primary unit & secondary unit is not completed, I don't know why. there are 2 Security Contexts and only one context is synchronized the other one is not synchronized. 
I wish you help me to solve this issue, or if anybody has configured failover in multiple security contexts environment could advise what to do Thanks Ibrahim Alsharif From perc69 at gmail.com Mon May 11 04:01:36 2009 From: perc69 at gmail.com (Per Carlson) Date: Mon, 11 May 2009 10:01:36 +0200 Subject: [c-nsp] Question on CRS-MSC-40G In-Reply-To: <20090508155841.ybhkvhd080cogsgo@webmail.gallantsys.com> References: <20090508155841.ybhkvhd080cogsgo@webmail.gallantsys.com> Message-ID: <746ca6da0905110101i7d77d3ddx6e164115d1b3c3e0@mail.gmail.com> Hi. > When you purchase a CRS-MSC-40G default, does it come with 40Gbps > license/sofware embedded in the MSC or do you have to put in a key code or > CD ROM to access 40 gig license? It's embedded, i.e. no fiddling with any license keys. -- Pelle From lukasz at bromirski.net Mon May 11 05:33:42 2009 From: lukasz at bromirski.net (Lukasz Bromirski) Date: Mon, 11 May 2009 11:33:42 +0200 Subject: [c-nsp] 3560 memory problem? In-Reply-To: References: Message-ID: <4A07F0F6.1070105@bromirski.net> On 2009-05-11 05:31, Dan Letkeman wrote: > Hello, > > I just noticed this on one of our switches: > cisco WS-C3560-24TS (PowerPC405) processor (revision E0) with 0K/8184K > 12.2(44)SE Known bug: CSCsq70343. > cisco WS-C3560-24TS (PowerPC405) processor (revision D0) with > 122880K/8184K bytes of memory. > 12.2(40)SE > I'm a bit worried that if i restart this switch that it won't come > back up. Anyone seen this before? Yep. No worry, cosmetic thing. 
-- "Don't expect me to cry for all the | ?ukasz Bromirski reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net From ayourtch at cisco.com Mon May 11 06:13:31 2009 From: ayourtch at cisco.com (Andrew Yourtchenko) Date: Mon, 11 May 2009 12:13:31 +0200 (CEST) Subject: [c-nsp] PIX 515E Downgrade In-Reply-To: <000001c9d18f$54614880$0514a8c0@support> References: <000001c9d18f$54614880$0514a8c0@support> Message-ID: Hi Paul, On Sun, 10 May 2009, Paul Stainton wrote: > Hi > > > > Is it possible to downgrade a PIX 515E from pix804.bin to pix613.bin > > > > I have tried and so far been unsuccessful using copy ttfp and write net > commands. > I'd try to first downgrade to 7.0, copy the 6.3 code as file on flash while running 7.0, and then use the "downgrade" command. (http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/df.html#wp1654680) Just out of precaution - make a note of your current activation key. And depending on whether you activated the features that were not in 6.3, you might need a new key. > > > I have heard that the pix613 uses a different flash file system than the > pix804. Does anyone know if this is correct and if so can anything be done > about it? > Yes, 6.3 formats the flash differently - it uses a much simpler filesystem than in 7.x+ > > > How can I remove the asdm file from flash as the pix613.bin does not use it > When you downgrade, the flash will be reformatted, so the ASDM image as you see it now won't be there anymore. kind regards, andrew From linkconnect at googlemail.com Mon May 11 07:22:50 2009 From: linkconnect at googlemail.com (Wayne Lee) Date: Mon, 11 May 2009 12:22:50 +0100 Subject: [c-nsp] problem with OSPF Message-ID: <3044d0930905110422r718a15ccqe781a1acb6561892@mail.gmail.com> Hello List. I'm using a 7201 as a LNS (pppoa), whenever a connection drops or a new one comes online all ospf routes have their lifetime reset to 0. 
cisco-7201>show ip route ospf

O E2 192.168.0.1/32 [110/20] via 10.10.10.129, 00:01:48, GigabitEthernet0/0
                    [110/20] via 10.10.10.97, 00:01:48, GigabitEthernet0/1

router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 network 10.10.10.0 0.0.0.255 area 0
 default-information originate always
 distribute-list 50 in

 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 729 (4 loopback)
        Area has no authentication
        SPF algorithm last executed 00:00:04.940 ago
        SPF algorithm executed 33927 times
        Area ranges are
        Number of LSA 9. Checksum Sum 0x051A57
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

I'm running the same config on a 7206 without any issues

cisco-7206>show ip route ospf

O E2 192.168.1.1/29 [110/20] via 10.10.10.132, 1d11h, GigabitEthernet0/3.999
                    [110/20] via 10.10.10.102, 1d11h, GigabitEthernet0/1.999

Thanks for your time.

Wayne

From ziliomarcelo at gmail.com Mon May 11 07:35:37 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Mon, 11 May 2009 08:35:37 -0300
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To:
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <17838240D9A5544AAA5FF95F8D5203160605CD53@ad-exh01.adhost.lan> <62f79b510905090615h54208c69l1fbe80ff2b0fcf1b@mail.gmail.com>
Message-ID: <62f79b510905110435g7fe8d579id43e183ef5cffe21@mail.gmail.com>

Hello Ryan

Thanks for the input.
I've tried your suggestion and I got the following:

-------
ciscoasa(config)# access-list CONDITION1 permit ip host 10.1.1.1 host 200.1.1.1
ciscoasa(config)# access-list CONDITION2 permit ip host 10.1.1.2 host 190.1.1.1
ciscoasa(config)#
ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION1
ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION2
ERROR: mapped-address conflict with existing static
  inside:10.1.1.1 to outside:80.1.1.1 netmask 255.255.255.255
Usage:  [no] static [(real_ifc, mapped_ifc)] {|interface} { [netmask ]} | {access-list } [dns] [[tcp] [ [ [nailed]]]] [udp ]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp} {|interface} { [netmask ]} | {access-list } [dns] [[tcp] [ [ [nailed]]]] [udp ]
        show running-config [all] static []
        clear configure static
ciscoasa(config)#
-------

In fact, in the config guide you've sent me, it says I cannot do that right below.
To be honest I have already seen this link.
I was expecting someone somewhere had already gone through this and could share any thoughts on which way was taken to resolve this issue.

Thank you and Regards
Marcelo

2009/5/10 Ryan Hughes

> Then you should use an access-list for interesting traffic to match on
> those specific conditions. This is static policy nat. See the ASA 8.0 config
> guide:
>
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042553
>
> static (inside,outside) 80.1.1.1 access-list CONDITION1
> static (inside,outside) 80.1.1.1 access-list CONDITION2
>
> access-list CONDITION1 permit ip host 10.1.1.1 host 200.1.1.1
> access-list CONDITION2 permit ip host 10.1.1.2 host 190.1.1.1
>
> On Sat, May 9, 2009 at 9:15 AM, Marcelo Zilio wrote:
>
>> Hi Mike,
>>
>> Thank you for your response.
>> This is not exactly what I need as you can see in my previous reply.
>> >> Even though I think somehow this can be accomplished according to this >> doc: >> >> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml >> >> Thanks and regards >> Marcelo >> >> 2009/5/8 Michael K. Smith - Adhost >> >> > Hello Marcelo: >> > >> > > I'm working in a migration of a CheckPoint Firewall to an ASA5520. I >> > > freeze >> > > on a situation that seems ASA cannot "reproduce" CheckPoint >> > > configuration. >> > > Follow the scenario: >> > > >> > > - IP Address X on the Internet access IP Address X1 in the Inside >> > > network >> > > through the X-NAT Address. >> > > - IP Address Y on the Internet access IP Address Y1 in the Inside >> > > network >> > > through the same X-NAT Address. >> > > >> > > CheckPoint already does this, but I couldn't find a way to do the same >> > > with >> > > ASA. >> > > I've tried with Policy NAT, but it seems it doesn't work well to >> > static >> > > translations. >> > > >> > >> > If you mean the following it can't be done on the ASA. >> > >> > static (inside,outside) 1.2.3.4 192.168.1.1 >> > static (inside,outside) 5.6.7.8 192.168.1.1 >> > >> > There is a 1:1 relationship with static NAT's. You could do PAT if that >> > suits. 
>> >
>> > static (inside,outside) tcp 1.2.3.4 http 192.168.1.1 http
>> > static (inside,outside) tcp 5.6.7.8 smtp 192.168.1.1 smtp
>> >
>> > Regards,
>> >
>> > Mike
>> >
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

From charlie at playlouder.com Mon May 11 07:36:45 2009
From: charlie at playlouder.com (Charlie Allom)
Date: Mon, 11 May 2009 12:36:45 +0100
Subject: [c-nsp] problem with OSPF
In-Reply-To: <3044d0930905110422r718a15ccqe781a1acb6561892@mail.gmail.com>
References: <3044d0930905110422r718a15ccqe781a1acb6561892@mail.gmail.com>
Message-ID: <20090511113645.GA25758@eatyourpets.com>

On Mon, May 11, 2009 at 12:22:50PM +0100, Wayne Lee wrote:
> Hello List.
>
> I'm using a 7201 as a LNS (pppoa), whenever a connection drops or a new one comes online all ospf routes have their lifetime reset to 0.
>
> cisco-7201>show ip route ospf
>
> O E2 192.168.0.1/32

If you summarised your route that the IP pool comes from, perhaps OSPF wouldn't need to rebuild its SPF tree.

# ip route 192.168.1.0 255.255.255.248 Null0 200
# router ospf 1
# network 192.168.1.0 255.255.255.248
# exit

Regards,
C.
--
020 7729 4797
http://blog.playlouder.com/

From linkconnect at googlemail.com Mon May 11 07:54:45 2009
From: linkconnect at googlemail.com (Wayne Lee)
Date: Mon, 11 May 2009 12:54:45 +0100
Subject: [c-nsp] problem with OSPF
In-Reply-To: <20090511113645.GA25758@eatyourpets.com>
References: <3044d0930905110422r718a15ccqe781a1acb6561892@mail.gmail.com> <20090511113645.GA25758@eatyourpets.com>
Message-ID: <3044d0930905110454m75fb9e14jd4cbdef0779699c3@mail.gmail.com>

On Mon, May 11, 2009 at 12:36 PM, Charlie Allom wrote:
> On Mon, May 11, 2009 at 12:22:50PM +0100, Wayne Lee wrote:
>> Hello List.
>>
>> I'm using a 7201 as a LNS (pppoa), whenever a connection drops or a new one comes online all ospf routes have their lifetime reset to 0.
>>
>> cisco-7201>show ip route ospf
>>
>> O E2 192.168.0.1/32
>
> If you summarised your route that the IP pool comes from, perhaps OSPF wouldn't need to rebuild its SPF tree.
>
> # ip route 192.168.1.0 255.255.255.248 Null0 200
> # router ospf 1
> # network 192.168.1.0 255.255.255.248
> # exit

We have 2 /19's for ADSL usage spread over 4 LNS's, the 7201 is the only one which has this problem. The 7201 is also running BGP so the routes are already summarised.

From rubensk at gmail.com Mon May 11 08:10:27 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Mon, 11 May 2009 09:10:27 -0300
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <4A03C72B.5070803@pinskyfamily.org> <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com>
Message-ID: <6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com>

A possible solution that is not a straightforward Checkpoint replacement would be using DNS views. To 200.1.1.1, DNS would answer 80.1.1.1; to 190.1.1.1, DNS would answer 80.1.1.2, and 80.1.1.2 would be translated to 10.1.1.2.

You can even enforce this by using both NAT and access rules.

Rubens

On Sat, May 9, 2009 at 10:10 AM, Marcelo Zilio wrote:
> Hi,
>
> Thank you for the feedback.
>
> What I must do is for example:
>
> 200.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.1 (inside)
> 190.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.2 (inside)
>
> When packets come from 200.1.1.1 towards 80.1.1.1 ASA should redirect to inside IP 10.1.1.1.
> When packets come from 190.1.1.1 towards 80.1.1.1 ASA should redirect to inside IP 10.1.1.2.
>
> That is, packets are forwarded to inside network based on source Internet address.
> There are dozens of servers in this situation.
> Don't ask me why, this is the way checkpoint works today and I need to reproduce the same configuration at ASA. :)
>
> Port redirection is not an option today because there are overlapping ports in some servers.
>
> Thanks
> Marcelo
>
> 2009/5/8 Bruce Pinsky
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Marcelo Zilio wrote:
>> > Hi,
>> >
>> > I'm working in a migration of a CheckPoint Firewall to an ASA5520. I freeze on a situation that seems ASA cannot "reproduce" CheckPoint configuration. Follow the scenario:
>> >
>> > - IP Address X on the Internet access IP Address X1 in the Inside network through the X-NAT Address.
>> > - IP Address Y on the Internet access IP Address Y1 in the Inside network through the same X-NAT Address.
>> >
>>
>> Can you give us a more concrete example please? I'm not grok'ing what you are trying to accomplish.
>>
>> - --
>> =========
>> bep
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkoDxysACgkQE1XcgMgrtyZOMgCg8Yj4idWNvx9iTz32Pdy9QELy
>> raAAn1pjQvIpoP31virlnmmlJc3JEz73
>> =cP6b
>> -----END PGP SIGNATURE-----
>>
>

From peter at rathlev.dk Mon May 11 08:18:25 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 11 May 2009 14:18:25 +0200
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <62f79b510905110435g7fe8d579id43e183ef5cffe21@mail.gmail.com>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <17838240D9A5544AAA5FF95F8D5203160605CD53@ad-exh01.adhost.lan> <62f79b510905090615h54208c69l1fbe80ff2b0fcf1b@mail.gmail.com>
<62f79b510905110435g7fe8d579id43e183ef5cffe21@mail.gmail.com>
Message-ID: <1242044305.5239.3.camel@localhost.localdomain>

On Mon, 2009-05-11 at 08:35 -0300, Marcelo Zilio wrote:
> I've tried your suggestion and I got the following:
...
> ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION1
> ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION2
> ERROR: mapped-address conflict with existing static
> inside:10.1.1.1 to outside:80.1.1.1 netmask 255.255.255.255
...
> In fact, in the config guide you've sent me, it says I cannot do that right below. To be honest I have already seen this link.
>
> I was expecting someone somewhere already went through this and could share any thoughts on which way was taken to resolve this issue.

The PIX/ASA/FWSM line doesn't support translations like that at all. So it's a no go. Linux can do it. So can *BSD probably. But not PIX based firewalls.

I haven't thought it through, but you might be able to achieve what you want with reversed "inside" and "outside" interfaces. It wouldn't be pretty though. It would be better to use a platform that supports what you want to do.

Regards,
Peter

From ziliomarcelo at gmail.com Mon May 11 09:11:47 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Mon, 11 May 2009 10:11:47 -0300
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <4A03C72B.5070803@pinskyfamily.org> <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com> <6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com>
Message-ID: <62f79b510905110611n44befadev5754e8c39288e802@mail.gmail.com>

Hi Rubens,

Thanks for your response.

I'm sorry, but I didn't understand what you meant...

Remember IPs 200.1.1.1 and 190.1.1.1 are Internet addresses and I cannot control their DNS resolution.

thanks and regards.
Marcelo

2009/5/11 Rubens Kuhl

> A possible solution that is not a straightforward Checkpoint replacement would be using DNS views. To 200.1.1.1, DNS would answer 80.1.1.1; to 190.1.1.1, DNS would answer 80.1.1.2, and 80.1.1.2 would be translated to 10.1.1.2.
>
> You can even enforce this by using both NAT and access rules.
>
> Rubens
>
> On Sat, May 9, 2009 at 10:10 AM, Marcelo Zilio wrote:
> > Hi,
> >
> > Thank you for the feedback.
> >
> > What I must do is for example:
> >
> > 200.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.1 (inside)
> > 190.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.2 (inside)
> >
> > When packets come from 200.1.1.1 towards 80.1.1.1 ASA should redirect to inside IP 10.1.1.1.
> > When packets come from 190.1.1.1 towards 80.1.1.1 ASA should redirect to inside IP 10.1.1.2.
> >
> > That is, packets are forwarded to inside network based on source Internet address. There are dozens of servers in this situation.
> > Don't ask me why, this is the way checkpoint works today and I need to reproduce the same configuration at ASA. :)
> >
> > Port redirection is not an option today because there are overlapping ports in some servers.
> >
> > Thanks
> > Marcelo
> >
> > 2009/5/8 Bruce Pinsky
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Marcelo Zilio wrote:
> >> > Hi,
> >> >
> >> > I'm working in a migration of a CheckPoint Firewall to an ASA5520. I freeze on a situation that seems ASA cannot "reproduce" CheckPoint configuration. Follow the scenario:
> >> >
> >> > - IP Address X on the Internet access IP Address X1 in the Inside network through the X-NAT Address.
> >> > - IP Address Y on the Internet access IP Address Y1 in the Inside network through the same X-NAT Address.
> >> >
> >>
> >> Can you give us a more concrete example please? I'm not grok'ing what you are trying to accomplish.
> >>
> >>
> >> - --
> >> =========
> >> bep
> >>
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.9 (MingW32)
> >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >>
> >> iEYEARECAAYFAkoDxysACgkQE1XcgMgrtyZOMgCg8Yj4idWNvx9iTz32Pdy9QELy
> >> raAAn1pjQvIpoP31virlnmmlJc3JEz73
> >> =cP6b
> >> -----END PGP SIGNATURE-----
> >>
> >

From ziliomarcelo at gmail.com Mon May 11 09:25:02 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Mon, 11 May 2009 10:25:02 -0300
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <1242044305.5239.3.camel@localhost.localdomain>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <17838240D9A5544AAA5FF95F8D5203160605CD53@ad-exh01.adhost.lan> <62f79b510905090615h54208c69l1fbe80ff2b0fcf1b@mail.gmail.com> <62f79b510905110435g7fe8d579id43e183ef5cffe21@mail.gmail.com> <1242044305.5239.3.camel@localhost.localdomain>
Message-ID: <62f79b510905110625m2d2cb18u65a71d03061c5544@mail.gmail.com>

Hi Peter,

Thanks for your response.

I'm almost sure that I've tried reversing inside and outside interfaces, but I will go double check. :)

regards,
Marcelo

2009/5/11 Peter Rathlev

> On Mon, 2009-05-11 at 08:35 -0300, Marcelo Zilio wrote:
> > I've tried your suggestion and I got the following:
> ...
> > ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION1
> > ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION2
> > ERROR: mapped-address conflict with existing static
> > inside:10.1.1.1 to outside:80.1.1.1 netmask 255.255.255.255
> ...
> > In fact, in the config guide you've sent me, it says I cannot do that right below. To be honest I have already seen this link.
> >
> > I was expecting someone somewhere already went through this and could share any thoughts on which way was taken to resolve this issue.
>
> The PIX/ASA/FWSM line doesn't support translations like that at all. So it's a no go. Linux can do it. So can *BSD probably. But not PIX based firewalls.
>
> I haven't thought it through, but you might be able to achieve what you want with reversed "inside" and "outside" interfaces. It wouldn't be pretty though. It would be better to use a platform that supports what you want to do.
>
> Regards,
> Peter
>

From rubensk at gmail.com Mon May 11 09:55:02 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Mon, 11 May 2009 10:55:02 -0300
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <62f79b510905110611n44befadev5754e8c39288e802@mail.gmail.com>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <4A03C72B.5070803@pinskyfamily.org> <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com> <6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com> <62f79b510905110611n44befadev5754e8c39288e802@mail.gmail.com>
Message-ID: <6bb5f5b10905110655n5f75a7dfofe5b6e706d324ad@mail.gmail.com>

On Mon, May 11, 2009 at 10:11 AM, Marcelo Zilio wrote:
> Hi Rubens,
>
> Thanks for your response.
>
> I'm sorry, but I didn't understand what you meant...
>
> Remember IPs 200.1.1.1 and 190.1.1.1 are Internet addresses and I cannot control their DNS resolution.

Yes we can! :-)

http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html

In effect, you would answer based on the IP address of the DNS recursor and not the client itself, but if we are talking big /8s, that usually has a strong correlation.
Rubens

From chris at lavin-llc.com Mon May 11 10:09:05 2009
From: chris at lavin-llc.com (chris at lavin-llc.com)
Date: Mon, 11 May 2009 10:09:05 -0400
Subject: [c-nsp] BGP and OSPF - redesign
Message-ID: <41008.1242050946@lavin-llc.com>

Along the lines of the recent discussions about eBGP, iBGP and OSPF intertwined routing, I have a redesign to deal with. An enterprise solution that currently runs eBGP, iBGP and OSPF with the iBGP and OSPF fully mixed. By that I mean there lacks a policy of separating the two. Rather than having OSPF carry only the required /32s for the purpose of building the full iBGP mesh, OSPF and BGP are contributing to the forwarding tables for all traffic. This is causing some odd and unpredictable behavior for route announcements and path selection.

The problem I'm struggling with is how to transition the routes out of OSPF so that iBGP is used to carry the traffic, thus reducing OSPF based routes to only be responsible for building the full iBGP mesh. Most of the appropriate goodies are in place, like locked in router-id's and no synch. But the jenga-like configurations of redistribution and network statements make for a mind bending exercise for trying to migrate to the ISP Essentials formula.

-chris

From wisesham at gmail.com Mon May 11 10:17:43 2009
From: wisesham at gmail.com (SHAM SHARMA)
Date: Mon, 11 May 2009 10:17:43 -0400
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <6bb5f5b10905110655n5f75a7dfofe5b6e706d324ad@mail.gmail.com>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <4A03C72B.5070803@pinskyfamily.org> <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com> <6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com> <62f79b510905110611n44befadev5754e8c39288e802@mail.gmail.com> <6bb5f5b10905110655n5f75a7dfofe5b6e706d324ad@mail.gmail.com>
Message-ID:

Agree ..
Cisco still has a long way to go to match Checkpoint.

You will notice it as you go with this transaction .... You will end up using more public IP's ... finding lots of bugs ... helping Cisco, not vice versa.

Sorry but that's the utter truth ...

On 5/11/09, Rubens Kuhl wrote:
> On Mon, May 11, 2009 at 10:11 AM, Marcelo Zilio wrote:
> > Hi Rubens,
> >
> > Thanks for your response.
> >
> > I'm sorry, but I didn't understand what you meant...
> >
> > Remember IPs 200.1.1.1 and 190.1.1.1 are Internet addresses and I cannot control their DNS resolution.
>
> Yes we can! :-)
>
> http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html
>
> In effect, you would answer based on the IP address of the DNS recursor and not the client itself, but if we are talking big /8s, that usually has a strong correlation.
>
> Rubens
>

From elmi at 4ever.de Mon May 11 10:30:12 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Mon, 11 May 2009 16:30:12 +0200
Subject: [c-nsp] Nexus 5000?
In-Reply-To:
References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> <4A07004D.50302@harg.net> <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> <20090511052621.GI29526@ronin.4ever.de>
Message-ID: <20090511143012.GM29526@ronin.4ever.de>

dan at beanfield.com (Dan Armstrong) wrote:

> How did you get your ASR1002 to link at 100M?

Easy - the 3560 on the other side only has FE ports.

Apart from that: Plug and play.
From ziliomarcelo at gmail.com Mon May 11 10:56:33 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Mon, 11 May 2009 11:56:33 -0300
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To:
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <4A03C72B.5070803@pinskyfamily.org> <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com> <6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com> <62f79b510905110611n44befadev5754e8c39288e802@mail.gmail.com> <6bb5f5b10905110655n5f75a7dfofe5b6e706d324ad@mail.gmail.com>
Message-ID: <62f79b510905110756o21ce9a1x1929000c4b945e9d@mail.gmail.com>

Hi Sham,

I've been working with Cisco Firewalls for the past four years and until now they have always worked well for me.

The old PIXes before version 7.x really left a lot to be desired, but the new ASAs have been greatly improved.

However I have to agree with you on some points (using a lot of public IPs in this particular case).

Comparing different brands is complicated. There will always be advantages and disadvantages in using one or the other.

Thanks and regards
Marcelo

2009/5/11 SHAM SHARMA

> Agree .. Cisco still has a long way to go to match Checkpoint
>
> You will notice it as you go with this transaction .... You will end up using more public IP's ... finding lots of bugs ... helping Cisco, not vice versa
>
> Sorry but that's the utter truth ...
>
> On 5/11/09, Rubens Kuhl wrote:
> > On Mon, May 11, 2009 at 10:11 AM, Marcelo Zilio wrote:
> > > Hi Rubens,
> > >
> > > Thanks for your response.
> > >
> > > I'm sorry, but I didn't understand what you meant...
> > >
> > > Remember IPs 200.1.1.1 and 190.1.1.1 are Internet addresses and I cannot control their DNS resolution.
> >
> > Yes we can!
> > :-)
> >
> > http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html
> >
> > In effect, you would answer based on the IP address of the DNS recursor and not the client itself, but if we are talking big /8s, that usually has a strong correlation.
> >
> > Rubens
> >

From mksmith at adhost.com Mon May 11 11:12:05 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 11 May 2009 08:12:05 -0700
Subject: [c-nsp] BGP and OSPF - redesign
In-Reply-To: <41008.1242050946@lavin-llc.com>
References: <41008.1242050946@lavin-llc.com>
Message-ID: <17838240D9A5544AAA5FF95F8D5203160605CE28@ad-exh01.adhost.lan>

Hello Chris:

> The problem I'm struggling with is how to transition the routes out of OSPF so that iBGP is used to carry the traffic, thus reducing OSPF based routes to only be responsible for building the full iBGP mesh. Most of the appropriate goodies are in place, like locked in router-id's and no synch. But the jenga-like configurations of redistribution and network statements make for a mind bending exercise for trying to migrate to the ISP Essentials formula.

One way, and I'm sure there are others, would be to:

- Redistribute connected subnets into OSPF for next hop info
- Redistribute static routes into BGP for all the rest

That's it.
Regards,

Mike

From petelists at templin.org Mon May 11 10:39:12 2009
From: petelists at templin.org (Pete Templin)
Date: Mon, 11 May 2009 09:39:12 -0500
Subject: [c-nsp] BGP and OSPF - redesign
In-Reply-To: <41008.1242050946@lavin-llc.com>
References: <41008.1242050946@lavin-llc.com>
Message-ID: <4A083890.2090406@templin.org>

chris at lavin-llc.com wrote:

[snip]

> The problem I'm struggling with is how to transition the routes out of OSPF so that iBGP is used to carry the traffic, thus reducing OSPF based routes to only be responsible for building the full iBGP mesh. Most of the appropriate goodies are in place, like locked in router-id's and no synch. But the jenga-like configurations of redistribution and network statements make for a mind bending exercise for trying to migrate to the ISP Essentials formula.

Ouch. I'm guessing that iBGP carries less than the full set of routes that it should be carrying, and OSPF is carrying more than the set of routes that it should be carrying. Here are my thoughts:

1: Add in any necessary configurations so that OSPF is carrying AT LEAST what it'll have at the end of the project.
2: Update BGP so that it's carrying everything that it should be carrying.
3: Trim BGP so that it's carrying nothing more than what it should be carrying.
4: Trim OSPF so that it's carrying nothing more than what it should be carrying.

pt

From dan at beanfield.com Mon May 11 10:28:03 2009
From: dan at beanfield.com (Dan Armstrong)
Date: Mon, 11 May 2009 10:28:03 -0400
Subject: [c-nsp] Nexus 5000?
In-Reply-To: <20090511052621.GI29526@ronin.4ever.de>
References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> <4A07004D.50302@harg.net> <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> <20090511052621.GI29526@ronin.4ever.de>
Message-ID:

How did you get your ASR1002 to link at 100M?
I've been pulling my hair out trying to get that to happen, with no luck at all.

GigabitEthernet0/0/2 is down, line protocol is down
  Hardware is 4XGE-BUILT-IN, address is 0025.4578.2902 (bia 0025.4578.2902)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full Duplex, 1000Mbps, link type is auto, media type is T
  output flow-control is off, input flow-control is off

B-PE1.tor-Mowat#sh int gi0/0/2
GigabitEthernet0/0/2 is down, line protocol is down
  Hardware is 4XGE-BUILT-IN, address is 0025.4578.2902 (bia 0025.4578.2902)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full Duplex, 100Mbps, link type is force-up, media type is T

This port has a GLC-T in it, and is plugged into a 100M Port on an ME3400... I can't get it up. :-)

On 11-May-09, at 1:26 AM, Elmar K. Bins wrote:

> mhuff at ox.com (Matthew Huff) wrote:
>
>> Thanks. It appears that some of the fixed configuration switches that have SFP ports can be 10/100/1000. I've never run into that, as all the SFP ports I've seen on the 6500/7600 are fixed at 1G. I thought it was a SFP thing, but apparently not.
>
> Well...
>
> Gi1/2 MGT port connected routed a-full a-100 10/100/1000BaseT
>
> ... on a 6503/SUP720-3B.
>
> or...
>
> GigabitEthernet0/0/1 is up, line protocol is up
>   Hardware is 4XGE-BUILT-IN, address is 0023.04a5.2101 (bia 0023.04a5.2101)
>   Description: Link to DECIX switch FRA4 (DECIX-1)
>   Internet address is 80.81.192.176/22
>   MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
>      reliability 255/255, txload 44/255, rxload 26/255
>   Encapsulation ARPA, loopback not set
>   Keepalive not supported
>   Full Duplex, 100Mbps, link type is force-up, media type is T
>
> ... on an ASR1002.
>
> I'd say most Cisco devices will be able to use GLC-T's on 10/100/1000.
>
> Elmar.
>

From charles at thewybles.com Mon May 11 13:13:41 2009
From: charles at thewybles.com (Charles Wyble)
Date: Mon, 11 May 2009 10:13:41 -0700
Subject: [c-nsp] BGP and OSPF - redesign
In-Reply-To: <4A083890.2090406@templin.org>
References: <41008.1242050946@lavin-llc.com> <4A083890.2090406@templin.org>
Message-ID: <4A085CC5.4080605@thewybles.com>

Pete Templin wrote:
> chris at lavin-llc.com wrote:
>
> [snip]
>
> 1: Add in any necessary configurations so that OSPF is carrying AT LEAST what it'll have at the end of the project.
> 2: Update BGP so that it's carrying everything that it should be carrying.
> 3: Trim BGP so that it's carrying nothing more than what it should be carrying.
> 4: Trim OSPF so that it's carrying nothing more than what it should be carrying.

What he said. :)

Obviously you want the systems to coexist for a short period of time. Nanog had some presentations on OSPF to ISIS migration which went into a good amount of detail around the testing / roll out methodology. Check the presentation archives for it.

From tdurack at gmail.com Mon May 11 13:28:49 2009
From: tdurack at gmail.com (Tim Durack)
Date: Mon, 11 May 2009 13:28:49 -0400
Subject: [c-nsp] 6500 12.2(33)SXI vrf dhcp-relay
Message-ID: <9e246b4d0905111028x4d39760fuada4fb0ccc72b95f@mail.gmail.com>

Anyone run into issues with ipv4 dhcp relay between vrfs on 6500s running 12.2(33)SXI?

The vrfs are configured for route-leaking, so there is routing between them. Client in one vrf, dhcp server in another. Appropriate "ip helper-address" configured. Initial client dhcp discover is relayed to the dhcp server, server responds with an offer, but client doesn't receive it. At present the vrfs are on the same PE. Not sure if that is significant.
I can't believe dhcp relay doesn't work in this scenario, so I must be doing something stupid...

Tim:>

From danletkeman at gmail.com Mon May 11 13:31:51 2009
From: danletkeman at gmail.com (Dan Letkeman)
Date: Mon, 11 May 2009 12:31:51 -0500
Subject: [c-nsp] 3560 memory problem?
In-Reply-To: <4A07F0F6.1070105@bromirski.net>
References: <4A07F0F6.1070105@bromirski.net>
Message-ID:

Thanks!

2009/5/11 Lukasz Bromirski :
> On 2009-05-11 05:31, Dan Letkeman wrote:
>>
>> Hello,
>>
>> I just noticed this on one of our switches:
>> cisco WS-C3560-24TS (PowerPC405) processor (revision E0) with 0K/8184K
>> 12.2(44)SE
>
> Known bug: CSCsq70343.
>
>> cisco WS-C3560-24TS (PowerPC405) processor (revision D0) with 122880K/8184K bytes of memory.
>> 12.2(40)SE
>
>> I'm a bit worried that if I restart this switch that it won't come back up. Anyone seen this before?
>
> Yep. No worry, cosmetic thing.
>
> --
> "Don't expect me to cry for all the     |              Łukasz Bromirski
>  reasons you had to die" -- Kurt Cobain |
>                                         | http://lukasz.bromirski.net

From wisesham at gmail.com Mon May 11 14:01:56 2009
From: wisesham at gmail.com (SHAM SHARMA)
Date: Mon, 11 May 2009 14:01:56 -0400
Subject: [c-nsp] Trouble in an ASA migration from CheckPoint
In-Reply-To: <62f79b510905110756o21ce9a1x1929000c4b945e9d@mail.gmail.com>
References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <4A03C72B.5070803@pinskyfamily.org> <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com> <6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com> <62f79b510905110611n44befadev5754e8c39288e802@mail.gmail.com> <6bb5f5b10905110655n5f75a7dfofe5b6e706d324ad@mail.gmail.com> <62f79b510905110756o21ce9a1x1929000c4b945e9d@mail.gmail.com>
Message-ID:

we just moved to ASA's from checkpoint

- CPU Spike bug is confirmed by cisco .. that has brought our network down 3 times so far ...currently we are running 8 0 (4) 28 ... now cisco is releasing 8 0 (4) 32 and they are confident they have fixed the cpu spike issue in it ..

- plus doing changes from ASDM features are not as good as checkpoint's, like you cannot search host/source ip's

users complaining some of the applications have become slow after we shifted to ASA's

it has behaved a few times so differently .. that we are scared of logging into it ... it's so un-reliable ..edit a network object and next moment.. it dies ...

first impression is same ..good marketing but not a solid product

On 5/11/09, Marcelo Zilio wrote:
> Hi Sham,
>
> I've been working with Cisco Firewalls for the past four years and until now they have always worked well for me.
>
> The old PIXes before version 7.x really left a lot to be desired, but the new ASAs have been greatly improved.
>
> However I have to agree with you on some points (using a lot of public IPs in this particular case).
>
> Comparing different brands is complicated. There will always be advantages and disadvantages in using one or the other.
>
> Thanks and regards
> Marcelo
>
> 2009/5/11 SHAM SHARMA
>
> > Agree .. Cisco still has a long way to go to match Checkpoint
> >
> > You will notice it as you go with this transaction .... You will end up using more public IP's ... finding lots of bugs ... helping Cisco, not vice versa
> >
> > Sorry but that's the utter truth ...
> >
> > On 5/11/09, Rubens Kuhl wrote:
> > > On Mon, May 11, 2009 at 10:11 AM, Marcelo Zilio wrote:
> > > > Hi Rubens,
> > > >
> > > > Thanks for your response.
> > > >
> > > > I'm sorry, but I didn't understand what you meant...
> > > >
> > > > Remember IPs 200.1.1.1 and 190.1.1.1 are Internet addresses and I cannot control their DNS resolution.
> > >
> > > Yes we can! :-)
> > >
> > > http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html
> > >
> > > In effect, you would answer based on the IP address of the DNS recursor and not the client itself, but if we are talking big /8s, that usually has a strong correlation.
> > >
> > > Rubens
> >
>

From tdurack at gmail.com Mon May 11 14:23:00 2009
From: tdurack at gmail.com (Tim Durack)
Date: Mon, 11 May 2009 14:23:00 -0400
Subject: [c-nsp] 6500 12.2(33)SXI vrf dhcp-relay
In-Reply-To: <9e246b4d0905111028x4d39760fuada4fb0ccc72b95f@mail.gmail.com>
References: <9e246b4d0905111028x4d39760fuada4fb0ccc72b95f@mail.gmail.com>
Message-ID: <9e246b4d0905111123y78eb3640wddf3843f79cb3a2d@mail.gmail.com>

Sigh. dhcp-relay requires control-plane involvement. If you're using copp, make sure the acls permit dhcp...

I knew it was something stupid.
Tim:>

On Mon, May 11, 2009 at 1:28 PM, Tim Durack wrote:
> Anyone run into issues with ipv4 dhcp relay between vrfs on 6500s running 12.2(33)SXI?
>
> The vrfs are configured for route-leaking, so there is routing between them. Client in one vrf, dhcp server in another. Appropriate "ip helper-address" configured. Initial client dhcp discover is relayed to the dhcp server, server responds with an offer, but client doesn't receive it. At present the vrfs are on the same PE. Not sure if that is significant.
>
> I can't believe dhcp relay doesn't work in this scenario, so I must be doing something stupid...
>
> Tim:>
>

From drew.weaver at thenap.com Mon May 11 14:47:35 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 11 May 2009 11:47:35 -0700
Subject: [c-nsp] 65xx Sup-720 performance issue with "odd" (to say the least) traffic.
Message-ID:

Hi there,

We noticed a performance issue with one of our 6500 switches. The first thing I noticed was that IP INPUT was at 92%; it was dropping packets wildly and there was quite a bit of latency.

I enabled 'debug ip packet details' and checked the log; it was showing traffic hitting a VLAN with external public (internet) IP addresses as the source, and 0.0.0.0 as the destination.

Fortunately the object on this VLAN/Port wasn't important so we admin shut the VLAN and almost instantly the IP INPUT dropped back to its regular 4-5%.

I don't believe I have ever seen legitimate traffic with those src/dst addresses before, so I am assuming that this was some sort of DoS attack.

My question is, is this possible because the VLAN is configured incorrectly? Or do I need to enable CoPP or some other mechanism for protecting the resources of the switch in the event that this occurs in the future? (both?).

Thanks!
-Drew From tvarriale at comcast.net Mon May 11 16:00:31 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Mon, 11 May 2009 15:00:31 -0500 Subject: [c-nsp] Trouble in an ASA migration from CheckPoint References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com><4A03C72B.5070803@pinskyfamily.org><62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com><6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com><62f79b510905110611n44befadev5754e8c39288e802@mail.gmail.com><6bb5f5b10905110655n5f75a7dfofe5b6e706d324ad@mail.gmail.com><62f79b510905110756o21ce9a1x1929000c4b945e9d@mail.gmail.com> Message-ID: <1EBCC822414440A9A0D24971F6CF2291@flamdt01> What's the bug id for that? Why are you running interim code? tv ----- Original Message ----- From: "SHAM SHARMA" To: "Marcelo Zilio" Cc: "Cisco-nsp" Sent: Monday, May 11, 2009 1:01 PM Subject: Re: [c-nsp] Trouble in an ASA migration from CheckPoint > we just moved to ASA's from checkpoint > > - CPU Spike bug is confirmed by cisco .. tht has brought our network > down 3 times so far ...currently we are running 8 0 (4) 28 ... now > cisco is releasing 8 0 (4) 32 and they confident they have fixed cpu > spike issue in it .. > > - plus doing changes from ASDM features are not as good as of checkpoint > like u cannot search host/source ip's > > users complaining some of the application has become slow after we > shifted to ASA's > > it has behaved few times so differntly .. that we are scared of > logging into ... its so un-reliable ..edit a network object and next > moment.. it dies ... > > first impression is same ..good marketing but not a solid product > > > > On 5/11/09, Marcelo Zilio wrote: >> Hi Sham, >> >> I've been working with Cisco Firewalls for the past four years and until >> now >> they always worked well for me. >> >> The old PIXes before version 7.x really leave to be desired, but the new >> ASA >> have been greatly improved. 
>> >> However I have to agree with you in some points (using a lot of public >> IPs >> in this particular case). >> >> To compare different brands its complicated. There will always be >> advantages >> and disadvantages in using one or other. >> >> Thanks and regards >> Marcelo >> >> 2009/5/11 SHAM SHARMA >> >> > Agree .. Cisco still has long way to go match with Checkpoint >> > >> > You will notice it as you will go with this transaction .... You will >> > endup in using more public IP's ... finding lot of bugs ... helping >> > Cisco not vice versa >> > >> > Sorry but tht's utter truth ... >> > >> > >> > >> > >> > On 5/11/09, Rubens Kuhl wrote: >> > > On Mon, May 11, 2009 at 10:11 AM, Marcelo Zilio >> > > >> wrote: >> > > > Hi Rubens, >> > > > >> > > > Thanks for your response. >> > > > >> > > > I'm sorry, but I didn't understand what you meant... >> > > > >> > > > Remember IPs 200.1.1.1 and 190.1.1.1 are Internet address and I >> > > > cannot >> > > > control their DNS resolution. >> > > >> > > Yes we can! :-) >> > > >> > > >> http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html >> > > >> > > In effect, you would answer based on the IP address of the DNS >> > > recursor and not the client itself, but if we are talking big /8s, >> > > that usually has a strong correlation. 
>> > > >> > > >> > > Rubens >> > >> > >> > >> > > _______________________________________________ >> > > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > >> > >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Mon May 11 16:44:56 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 11 May 2009 22:44:56 +0200 Subject: [c-nsp] Trouble in an ASA migration from CheckPoint In-Reply-To: References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <4A03C72B.5070803@pinskyfamily.org> <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com> <6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com> <62f79b510905110611n44befadev5754e8c39288e802@mail.gmail.com> <6bb5f5b10905110655n5f75a7dfofe5b6e706d324ad@mail.gmail.com> <62f79b510905110756o21ce9a1x1929000c4b945e9d@mail.gmail.com> Message-ID: <1242074696.3435.16.camel@localhost.localdomain> On Mon, 2009-05-11 at 14:01 -0400, SHAM SHARMA wrote: > - CPU Spike bug is confirmed by cisco .. tht has brought our network > down 3 times so far ...currently we are running 8 0 (4) 28 ... now > cisco is releasing 8 0 (4) 32 and they confident they have fixed cpu > spike issue in it .. > > - plus doing changes from ASDM features are not as good as of checkpoint > like u cannot search host/source ip's > > users complaining some of the application has become slow after we > shifted to ASA's > > it has behaved few times so differntly .. that we are scared of > logging into ... its so un-reliable ..edit a network object and next > moment.. it dies ... > > first impression is same ..good marketing but not a solid product I would tend to disagree. 
I have no operational experience with the 8.x release, but for us the 7.2 release for ASA and the 3.1 release for FWSM have been extremely stable and without any problems across several systems. They aren't doing anything fancy of course, just firewalling, NAT and IPSec VPN. I personally don't use ASDM but those of my colleagues that do have not experienced any problems with it. I would even go so far as to say that I am impressed with how nicely it treats the configuration, leaving it in a usable state after editing. Release 8.0 may not be the very latest, but it's not very old either and as Tony implies running an interim release might not be the best way to achieve stability. Maybe the ASA platform is not the most flexible around but it does follow some logic. In an operational context I'd personally prefer a more flexible system (like netfilter), but if I were to design something new that someone else had to support I would go a long way to avoid a setup like what OP describes. Just as I would try to avoid PBR unless it was really unavoidable. Regards, Peter From Bryan.Welch at digeo.com Mon May 11 16:16:16 2009 From: Bryan.Welch at digeo.com (Bryan Welch) Date: Mon, 11 May 2009 13:16:16 -0700 Subject: [c-nsp] PIX 515E Downgrade In-Reply-To: <000001c9d18f$54614880$0514a8c0@support> References: <000001c9d18f$54614880$0514a8c0@support> Message-ID: Here is a link on the upgrade which also explains the downgrade procedure. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t6 Bryan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stainton Sent: Sunday, May 10, 2009 9:49 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] PIX 515E Downgrade Hi Is it possible to downgrade a PIX 515E from pix804.bin to pix613.bin? I have tried and so far been unsuccessful using copy tftp and write net commands. 
I have heard that the pix613 uses a different flash file system than the pix804. Does anyone know if this is correct and if so can anything be done about it? How can I remove the asdm file from flash as the pix613.bin does not use it? Regards Paul _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ciscochris28 at gmail.com Mon May 11 17:16:56 2009 From: ciscochris28 at gmail.com (Chris T) Date: Mon, 11 May 2009 16:16:56 -0500 Subject: [c-nsp] Certification Ethics Message-ID: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> I've got a bit of a dilemma. I apologize in advance for how wordy this will be. Bear with me. I have high hopes that someone here can provide some insight. I've been studying Cisco material for about a year and a half now. I've passed the CCNA, BSCI, and BCMSN. Based on these two facts, I feel I have a decent level of familiarity with the Cisco learning and testing process. Recently, I've been changing the way I study. I spent roughly 250 dedicated, focused study hours on the ISCW. In that time, I used the following sources:

CBT Nuggets Videos (watched all)
Cisco Press Official Exam Certification Guide (read front to back, while taking notes)
Cisco Press Student Guides (initially used as a supplement, then started reading thoroughly)

Based on those resources, I typed 70 pages of notes and created over a thousand flash cards. I made sure I understood things before moving on. Additionally, I purchased a half rack and populated it with 2 switches, 2 multilayer switches, and 9 routers, all current enough. I did labs and reviewed my notes and flash cards a decent bit. Feeling like I was over prepared, I went into the test and promptly failed by 10 or 20 points. 
I went back home and reviewed all of my notes and flash cards until I felt I knew all of it (about three hours a night for a week, and an eight hour day). I went back in and tested. I failed again by 10 or 20 points. This left me somewhat confused as to how to move forward. Despite significant review time over exactly what material Cisco provides to prepare for the test, I still did not do any better. I got to the point where I felt reviewing the same material again simply would not provide me with any more information. I knew what was in the book. While this was going on, work needed me to come up with a new security strategy and put in some ASAs. I had maintained their ASAs for a while, but I had not configured any from scratch so I did not feel my knowledge level was sufficient to come up with a corporate wide network security plan. I decided to speed up the process of learning security by putting money into it. I ended up going to a CCSP boot camp with a Cisco Learning Partner. I thought going to the boot camp would be a great opportunity for me, not only to gain a lot of direct knowledge about security, but also to learn better ways to study. By two days into the boot camp, I really felt like it was way too easy to get me where I needed to be to pass. I already knew 80% of the material that was being taught based on previous experience maintaining the ASAs. I communicated this concern to the teacher on several occasions. He felt that everything would be fine though. During the boot camp they passed out practice test material from TestKeys (testkeys.com). Based on what I was hearing from my peers, this material *very* closely mimicked the real test. Since just getting a piece of paper was not my goal and I felt I had come into the class with more knowledge than most of my classmates, I decided not to use the material. I took the SNAF and failed. While taking the test, I found that the labs in the test were inappropriately close to the labs we had done in class. 
Even most of the arbitrary names (ACL names, etc.) were exactly the same. My peers agreed that TestKeys *very* closely mimicked the real test. I went home and looked at about five or six of the TestKeys questions and found that many of the questions were almost word for word what I had seen on my real test. At that point, I left the boot camp. I felt that it was simply cheating. If I had wanted to do that, I wouldn't have spent thousands of dollars on training. This was indeed a Cisco Learning Partner though and they assured me that Cisco explicitly approved the practice test material. Seeking clarification, I called Cisco's certification support. After 30 minutes on the phone asking them simply, "what practice test material is approved for use" I got no answer. I was eventually transferred to the Cisco Learning Partner support channel. I really didn't want to get the boot camp involved since I was already in a financial dispute with them. After a great deal of time (read: two weeks), I finally made it 100% clear what my question was to the CLP support group. Again, simply "what practice test material is approved for use". Or if they can't provide that, can they at least confirm TestKeys is approved? Despite constant badgering, I have not received a reply to my question in over 5 weeks. During that time it has become painfully clear that the majority (if not vast majority) of people who pass Cisco certifications use these types of "advanced study aids". Next, I tried to escalate through Cisco. As it turned out, I was already speaking to the boss of the boss of the first line Cisco Learning Partner support rep. The person I was speaking with basically wasn't generating any progress. I went to our Cisco sales rep next, who said despite him selling lots of Cisco training, he has never had a conversation like this and he feels it just doesn't matter. 
I spoke to some of the people I know that have been in networking for much longer than me and the consensus seems to be that everyone does it and it doesn't matter. My problem now is that it appears to pass a test I must spend hundreds or thousands of dollars on materials (learning materials and hardware) and something like 400 or 500 hours to pass a single test. The vast majority of other people who are getting certified seem to be passing the test in 150 hours or significantly less. Professional training doesn't help. The consensus around me is that I should not be such a stickler. On top of all this, even the manufacturer of the tests won't tell me what is and is not fair after a total of seven weeks of badgering. I'm starting to feel like I'm playing hockey without a hockey stick, and not even the referee is willing to tell me if I'm allowed to have a hockey stick or not. I'm stuck. I don't want to cheat. I also don't want to have to work three or four times harder to achieve the same results as someone else. Moreover, if even the moderator won't tell me what is fair and what is not, why am I spending all of this extra effort? My questions to the group are:

-Am I completely out of line here? If so, please tell me how.
-What is an appropriate time to study for a single Cisco test (not expert level)? I understand there is a great amount of variance, but ballpark figures are what? 100 hours? 500 hours? 1000 hours?
-What practice test material do YOU think is or is not fair for preparation for a Cisco certification test?

Again, sorry for being so wordy. Thanks in advance for any insight you may be able to share. -Chris From william.mccall at gmail.com Mon May 11 18:06:02 2009 From: william.mccall at gmail.com (William McCall) Date: Mon, 11 May 2009 17:06:02 -0500 Subject: [c-nsp] Certification Ethics In-Reply-To: References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> Message-ID:

> I'm stuck. I don't want to cheat. I also don't want to have to work three
> or four times harder to achieve the same results as someone else.
> Moreover,
> if even the moderator won't tell me what is fair and what is not, why am I
> spending all of this extra effort?
>

I feel what you're saying. I'm about to go take my CCIE lab. There are a lot of "aides" out there. And I'm not talking enzyte. In reality, this is a personal conscience thing. I'm with you 100% that cheating does take away from the exam, but you do need to remember that life (and certifications) is not fair. Any delusion of fairness, whether in the academic realm, certification, or other area is nonsense. The only absolute fairness is whether the letter selected is correct or not (and marked as such).

>
> My questions to the group are:
>
> -Am I completely out of line here? If so, please tell me how.
>

No, but realize this is a moral choice. Some people will do anything they can to get ahead on paper.

>
> -What is an appropriate time to study for a single Cisco test (not expert
> level)? I understand there is a great amount of variance, but ballpark
> figures are what? 100 hours? 500 hours? 1000 hours?
>

I usually spent around ~50 hrs total per test. Really, it's all up to how well you truly understand the workings of the exam, the devices and, ultimately, the answer that Cisco is looking for. Some of the answers in the exams border on arbitrary but there is a method to the madness.

>
> -What practice test material do YOU think is or is not fair for preparation
> for a Cisco certification test?
>

I wouldn't worry on fair or unfair. Personal moral choices are personal. Yes, cheating takes away from the value of the certification, but your goal should be to attain mastery of the material, right? Have you mastered the material? If so, are you being recognized for it? What is your goal in certification? 
My personal choice is to abstain from cheating on the exams, but I have a knack for test taking and a ridiculous memory of process flows but to be fair, I did fail the ISCW for CCNP 4 times before I passed (William and silly GUI questions don't mix well). Some people just want the certification to show that they know what they think they know. Do you think you know it? > > Again, sorry for being so wordy. Thanks in advance for any insight you may > be able to share. > You're grown. It's obviously not stopped by the people that promote the education and provide the exam. Do what you think is right for your situation. > > > -Chris > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From peter at rathlev.dk Mon May 11 18:10:58 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 12 May 2009 00:10:58 +0200 Subject: [c-nsp] Trouble in an ASA migration from CheckPoint In-Reply-To: References: <62f79b510905060511o701eebf2nd88f40eea9c3417@mail.gmail.com> <4A03C72B.5070803@pinskyfamily.org> <62f79b510905090610k188a144bl2a68e8166e65800d@mail.gmail.com> <6bb5f5b10905110510l183204ffkbdd3285892a27b1d@mail.gmail.com> <62f79b510905110611n44befadev5754e8c39288e802@mail.gmail.com> <6bb5f5b10905110655n5f75a7dfofe5b6e706d324ad@mail.gmail.com> <62f79b510905110756o21ce9a1x1929000c4b945e9d@mail.gmail.com> <1242074696.3435.16.camel@localhost.localdomain> Message-ID: <1242079858.3435.30.camel@localhost.localdomain> On Mon, 2009-05-11 at 16:55 -0400, Deny IP Any Any wrote: > 8.0.4(28) contains numerous security fixes over plain 8.0.4, as per > http://www.cisco.com/en/US/products/products_security_advisory09186a0080a994f6.shtml It does indeed, and they're a nasty bunch of bugs. I had completely forgotten about that one. :-) (It was a very painless HA upgrade on 7.2 for us btw.) 
Interim releases are of course still by their nature not as well tested as non-interim. And for some reason I'd rather trust 7.2(4)9 than e.g. 8.0(4)28. I may be a luddite though. Regards, Peter From peter at rathlev.dk Mon May 11 18:49:36 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 12 May 2009 00:49:36 +0200 Subject: [c-nsp] Certification Ethics In-Reply-To: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> Message-ID: <1242082176.5143.16.camel@localhost.localdomain> On Mon, 2009-05-11 at 16:16 -0500, Chris T wrote: > -Am I completely out of line here? If so, please tell me how. I have heard about things not completely unlike what you describe. I have myself been very bored the two times I tried attending CLP courses so I don't do that anymore. It's a waste of time. I assume Cisco is only naturally interested in people attending the courses. From what I've heard they make more than a few pennies from selling licenses to approved material. > -What is an appropriate time to study for a single Cisco test (not > expert level)? I understand there is a great amount of variance, but > ballpark figures are what? 100 hours? 500 hours? 1000 hours? Hm... I used a weekend of preparation for each of three of the exams for CCIP (BSCI, QOS and MPLS) reading through mostly Cisco Press material. I took the BGP exam without preparation, though I took O'Reilly's book on BGP with me to bed. Of the four exams the BSCI was the most challenging since it covered a lot of subjects, some of which I hadn't had any practical experience with, like IPv6. I'm always a little nervous at exams, but I've had no problems only using what I had learned by working with the technology. > -What practice test material do YOU think is or is not fair for > preparation for a Cisco certification test? Anything you can come by without breaking laws is fair. 
:-) If you've asked Cisco specifically about some learning partner and they didn't want to even consider looking at it, it's fair game. I personally don't think the certifications are worth very much in the first place. I've been having discussions with CCIEs that had misunderstood some of the most basic things (like MED being an intransitive attribute) and it didn't just happen once. If I were to judge someone in e.g. a hiring situation I would primarily look at what (s)he'd been working with and then use maybe half an hour assessing their technical merit. (I'm not in that position though, and that's probably for the best.) The certifications do open some doors though. Management is impressed and it gives leverage in many situations, like "trust me, I'm a professional" or when negotiating salaries. Regards, Peter From david at hughes.com.au Mon May 11 19:37:48 2009 From: david at hughes.com.au (David Hughes) Date: Tue, 12 May 2009 09:37:48 +1000 Subject: [c-nsp] BGP and OSPF - redesign In-Reply-To: <41008.1242050946@lavin-llc.com> References: <41008.1242050946@lavin-llc.com> Message-ID: <60DEC8F9-AE58-4233-9DBC-BE9609742C90@hughes.com.au> On 12/05/2009, at 12:09 AM, wrote: > The problem I'm struggling with is how to transition the routes out > of OSPF so that iBGP is used to carry the traffic, thus reducing > OSPF based routes > to only be responsible for building the full iBGP mesh. Most of the > appropriate goodies are in place, like locked in router-id's and no > synch. But the > jenga-like configurations of redistribution and network statements > make for a mind bending exercise for trying to migrate to the ISP > Essentials formula. Had a similar problem a few years back. Pete Templin's comments are good. 
Our actual process was

* redist connected and static into iBGP at the customer edge
* check all loopbacks and point-to-points were in OSPF
* for each edge box
  - for each connected or static route
    - check route is visible via BGP at the route reflectors
    - remove from ospf on edge box
    - check route is visible via BGP at the route reflectors :)

Slow and tedious process but a major migration was undertaken without an impact. David ... From dwinkworth at att.net Mon May 11 20:52:34 2009 From: dwinkworth at att.net (Derick Winkworth) Date: Mon, 11 May 2009 19:52:34 -0500 Subject: [c-nsp] Certification Ethics In-Reply-To: <1242082176.5143.16.camel@localhost.localdomain> References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> <1242082176.5143.16.camel@localhost.localdomain> Message-ID: <4A08C852.9030809@att.net> Keep in mind that the value of the CCIE isn't that you can recall an infinite number of facts about bits, bytes, headers, protocol states, protocol errors, protocol election rules, model numbers, product specifications, and router commands, and the output of every router command... at any given moment without context or warning. If you came up to me in the middle of the day out of nowhere and asked "What's the difference between PIMv1 and PIMv2 DR election?" I would have to stop and think. I would probably tell you to go look it up. Because that is what I do when I don't know or can't remember. It's not about how much useless information you can cram into your head. It's how you apply the facts once you have them. These facts by themselves are useless without a problem you can apply them to. You would be a bad engineer if you didn't verify anyway that it works the way you expect it to... Which means I would likely say "I'm not sure, let's look it up." I re-memorize what I need to know to recert every 21 months. In between those times, if I don't touch IPv6, then I probably will forget it very fast. I'm busy. 
I have other things to remember and think about. So hearing you say that some CCIE, or multiple CCIEs, didn't remember fact "x" and therefore you call into question the value of the CCIE as a certification... I guess that demonstrates how badly you are missing the point. Derick Winkworth CCIE #15672 Peter Rathlev wrote: > On Mon, 2009-05-11 at 16:16 -0500, Chris T wrote: > >> -Am I completely out of line here? If so, please tell me how. >> > > I have heard about things not completely unlike what you describe. I > have myself been very bored the two times I tried attending CLP courses > so I don't do that anymore. It's a waste of time. > > I assume Cisco is only naturally interested in people attending the > courses. From what I've heard they make more than a few pennies from > selling licenses to approved material. > > >> -What is an appropriate time to study for a single Cisco test (not >> expert level)? I understand there is a great amount of variance, but >> ballpark figures are what? 100 hours? 500 hours? 1000 hours? >> > > Hm... I used a weekend of preparation for each of three of the exams for > CCIP (BSCI, QOS and MPLS) reading through mostly Cisco Press material. I > took the BGP exam without preparation, though I took O'Reilly's book on > BGP with me to bed. Of the four exams the BSCI was the most challenging > since it covered a lot of subjects, some of which I hadn't had any > practical experience with, like IPv6. > > I'm always a little nervous at exams, but I've had no problems only > using what I had learned by working with the technology. > > >> -What practice test material do YOU think is or is not fair for >> preparation for a Cisco certification test? >> > > Anything you can come by without breaking laws is fair. :-) If you've > asked Cisco specifically about some learning partner and they didn't > want to even consider looking at it, it's fair game. > > I personally don't think the certifications are worth very much in the > first place. 
I've been having discussions with CCIEs that had > misunderstood some of the most basic things (like MED being an > intransitive attribute) and it didn't just happen once. > > If I were to judge someone in e.g. a hiring situation I would primarily > look at what (s)he'd been working with and then use maybe half an hour > assessing their technical merit. (I'm not in that position though, and > that's probably for the best.) > > The certifications do open some doors though. Management is impressed > and it gives leverage in many situations, like "trust me, I'm a > professional" or when negotiating salaries. > > Regards, > Peter > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mickster4470 at gmail.com Mon May 11 21:02:12 2009 From: mickster4470 at gmail.com (The Mickster) Date: Mon, 11 May 2009 18:02:12 -0700 Subject: [c-nsp] Channelized DS3 over SM fiber handoff In-Reply-To: <49FBA4DA.9070701@rollernet.us> References: <200905011720.21229.mulitskiy@acedsl.com> <49FB9C72.3080700@rollernet.us> <649E0D65-D6ED-4C78-9028-DA923AA3B7D5@i2bnetworks.com> <49FBA4DA.9070701@rollernet.us> Message-ID: <7729f05c0905111802l3b86dc36n1fcbac9b5af1d969@mail.gmail.com> If they are truly handing you a channelized OC3, then you'll need a channelized OC3 port adaptor - not the same thing as a "normal" OC3 adapter, at least for router interfaces. My guess is that the DS3 was extended with media converters, but the carrier didn't supply the near end media converter box as they should have. 
Whenever I've gotten an extended demark for DS3, either the carrier provided both media converters, or I had to extend the DS3 myself and I had to provide both media converters. There is no "normal" answer for this one - you really need to get the carrier to tell you what equipment is on the other end, and if you ordered a DS3 you need to insist that they hand you a pair of BNC connectors unless you've made some other special arrangement. -The Mickster On 5/1/09, Seth Mattinen wrote: > > Troy Beisigl wrote: > > Maybe they delivered a channelized OC3? I know that is an actual > > product, but have never seen a DS3 as fiber handoff. > > > > Maybe; odd though if one asked for a DS3. If that's the case you can > just get an OC3 port adapter. > > ~Seth > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mickster4470 at gmail.com Mon May 11 21:07:06 2009 From: mickster4470 at gmail.com (The Mickster) Date: Mon, 11 May 2009 18:07:06 -0700 Subject: [c-nsp] BGP and OSPF - redesign In-Reply-To: <4A085CC5.4080605@thewybles.com> References: <41008.1242050946@lavin-llc.com> <4A083890.2090406@templin.org> <4A085CC5.4080605@thewybles.com> Message-ID: <7729f05c0905111807h3bfd96aw784bd7bb2193b859@mail.gmail.com> I agree wholeheartedly with this answer! On 5/11/09, Charles Wyble wrote: > > > > Pete Templin wrote: > >> chris at lavin-llc.com wrote: >> >> [snip] >> > > >> 1: Add in any necessary configurations so that OSPF is carrying AT LEAST >> what it'll have at the end of the project. >> 2: Update BGP so that it's carrying everything that it should be >> carrying. >> 3: Trim BGP so that it's carrying nothing more than what it should be >> carrying. >> 4: Trim OSPF so that it's carrying nothing more than what it should be >> carrying. >> > > What he said. 
:) > > Obviously you want the systems to coexist for a short period of time. > > Nanog had some presentations on OSPF to ISIS migration which went into a > good amount of detail around the testing / roll out methodology. Check the > presentation archives for it. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From andy.saykao at staff.netspace.net.au Tue May 12 00:28:27 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Tue, 12 May 2009 14:28:27 +1000 Subject: [c-nsp] Strange FLOW behaviour on ATM interface Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654DA2@vic-cr-ex1.staff.netspace.net.au> Hi All, I have a strange flow issue for a number of our ATM customers. The config is identical for all customers but what I'm finding is that flows for certain customers are not being collected in the download direction to the customer. 
1/ Working example:

Me pinging customer RED's IP (210.15.230.BB) from my shell (210.15.210.XX):

> ping 210.15.230.BB
PING 210.15.230.BB (210.15.230.BB): 56 data bytes
64 bytes from 210.15.230.BB: icmp_seq=0 ttl=62 time=4.902 ms
64 bytes from 210.15.230.BB: icmp_seq=1 ttl=62 time=4.498 ms

I'm seeing bi-directional flows, all is good:

agr1-ks-mel#sh ip cache flow | inc 210.15.210.XX
Gi0/0.11       210.15.210.XX   AT1/0.303693   210.15.230.BB   01 0000 0800     5
AT1/0.303693   210.15.230.BB   Gi0/0.11       210.15.210.XX   01 0000 0000     5

Interface config for customer RED:

interface ATM1/0.303693 point-to-point
 description Customer RED
 bandwidth 4000
 ip address 210.15.230.AA 255.255.255.224
 ip flow ingress
 atm route-bridged ip
 no atm enable-ilmi-trap
 pvc 10/208
  ubr 4096
  encapsulation aal5snap

2/ Non Working Example

Me pinging customer BLUE's IP (210.15.225.KK) from my shell (210.15.210.XX):

> ping 210.15.225.KK
PING 210.15.225.KK (210.15.225.KK): 56 data bytes
64 bytes from 210.15.225.KK: icmp_seq=0 ttl=61 time=9.820 ms
64 bytes from 210.15.225.KK: icmp_seq=1 ttl=61 time=9.379 ms

Only seeing one way flow in the upload direction, not so good (because we don't bill for this data).

agr1-ks-mel#sh ip cache flow | inc 210.15.210.XX
AT1/0.305357   210.15.225.KK   Gi0/0.11       210.15.210.XX   01 0000 0000     5

Interface config for customer BLUE:

interface ATM1/0.305357 point-to-point
 description Customer BLUE
 bandwidth 2000
 ip address 210.15.225.JJ 255.255.255.224
 ip flow ingress
 atm route-bridged ip
 no atm enable-ilmi-trap
 pvc 10/356
  ubr 2048
  encapsulation aal5snap

I don't get it. Identical configs but we don't see bi-directional flows for customer BLUE???

Here's the physical ATM config:

interface ATM1/0
 bandwidth 155000
 no ip address
 ip flow ingress
 no ip mroute-cache
 load-interval 30
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 no atm enable-ilmi-trap

We are running 12.2(31)SB13 on a 7301. 
Just wondering if anyone's seen this before or has any ideas what might be causing this.

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From jay at west.net Tue May 12 00:48:11 2009
From: jay at west.net (Jay Hennigan)
Date: Mon, 11 May 2009 21:48:11 -0700
Subject: [c-nsp] BGP and OSPF - redesign
In-Reply-To: <41008.1242050946@lavin-llc.com>
References: <41008.1242050946@lavin-llc.com>
Message-ID: <4A08FF8B.3020408@west.net>

chris at lavin-llc.com wrote:
> Along the lines of the recent discussions about eBGP, iBGP and OSPF intertwined routing, I have a redesign to deal with. An enterprise solution that currently runs eBGP, iBGP and OSPF with the iBGP and OSPF fully mixed. By that I mean there lacks a policy of separating the two. Rather than having OSPF carry only the required /32s for the purpose of building the full iBGP mesh, OSPF and BGP are contributing to the forwarding tables for all traffic. This is causing some odd and unpredictable behavior for route announcements and path selection.
>
> The problem I'm struggling with is how to transition the routes out of OSPF so that iBGP is used to carry the traffic, thus reducing OSPF based routes to only be responsible for building the full iBGP mesh. Most of the appropriate goodies are in place, like locked in router-ids and no synch.
> But the jenga-like configurations of redistribution and network statements make for a mind-bending exercise for trying to migrate to the ISP Essentials formula.

Here's how we did it.

1. Originally we had infrastructure participating in OSPF, redistributing connected and static customer routes into OSPF. BGP was primarily used externally. iBGP was used only to interconnect border routers. We found the OSPF tables getting bloated. Reconvergence after a link flap was painful and rippled through routers that shouldn't have been affected.

2. At each site we brought all routers into iBGP. Non-borders got a filter-list that included just local origin and downstream customer ASes. This is so as not to overwhelm small routers with full tables. If you have several routers per site, it's more scalable with peer-groups and route reflectors. All iBGP should be done to loopbacks, and the loopbacks should be routed throughout your AS via OSPF. Configure next-hop-self and send-community. We then carefully redistributed static and connected routes into iBGP with a route-map, thusly:

router bgp [nnnn]
 ....
 redistribute connected route-map cust-to-bgp
 redistribute static route-map cust-to-bgp
 ...
route-map cust-to-bgp permit 10
 match ip address prefix-list local-nets
 set origin igp
 set community no-export
...
ip prefix-list local-nets description Customer allocations
ip prefix-list local-nets seq 10 permit /nn le 32

At this point all routers should have your customer networks in their BGP tables. As iBGP has an AD of 200 and OSPF is 110, the routes to the customer networks will still show up as OSPF external in the IP routing tables.

3. Verify that the links interconnecting the routers and the loopbacks show as OSPF routes (not OSPF E1 or E2). Verify, one router at a time, that customer routes redistributed into OSPF are in the BGP tables of other routers in your AS pointing to the loopback. Verify that you aren't spewing all of these small subnets to your eBGP neighbors.
(That's what the no-export and send-community are for.)

4. "No out" the redistribute statements for connected and static in your router OSPF, one router at a time. You can set up a continuous ping to a customer target on a different router and you probably won't even lose a packet if you've checked everything first and your CPU is below 90%.

5. Verify that your customer routes are now shown in the routing table as BGP.

6. Verify that your OSPF routes are now lean and mean, with just infrastructure links and loopbacks.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From peter at rathlev.dk Tue May 12 02:28:24 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 12 May 2009 08:28:24 +0200
Subject: [c-nsp] Certification Ethics
In-Reply-To: <4A08C852.9030809@att.net>
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> <1242082176.5143.16.camel@localhost.localdomain> <4A08C852.9030809@att.net>
Message-ID: <1242109704.8536.10.camel@localhost.localdomain>

On Mon, 2009-05-11 at 19:52 -0500, Derick Winkworth wrote:
...
> So hearing you say that some CCIE, or multiple CCIEs, didn't remember
> fact "x" and therefore you call into question the value of the CCIE as a
> certification... I guess that demonstrates how badly you are missing the
> point.

I think you missed my point. The specific example given was something he was tasked with and couldn't get to work. His excuse was that someone else didn't do what they should. The problem was that MED was not the right tool.

I didn't say _all_ CCIEs are wrong. And I don't expect everyone to remember everything always. I do expect though that if I ask you about how to control traffic flow across several independent ASs you don't answer "MED" and stay with that answer even though others point out that it won't work.
I do expect a CCIE having chosen a specific setup to be able to explain what choices he made and why, e.g. the general differences between SRA and SRB instead of saying "You're welcome to read the release notes.", especially when being paid to do so.

I have also met CCIEs that I'm very impressed with, and many CCIEs I've seen explain things have been way beyond what I understand. I'm just saying that some CCIEs are good at networking and others are good at taking exams.

> Derick Winkworth
> CCIE #15672

I'm sorry if you feel insulted. So I will repeat: _Most_ CCIEs are probably competent. I know for a fact that several aren't.

Regards,
Peter

From zivl at gilat.net Tue May 12 02:31:45 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 12 May 2009 09:31:45 +0300
Subject: [c-nsp] Certification Ethics
In-Reply-To: <4A08C852.9030809@att.net>
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> <1242082176.5143.16.camel@localhost.localdomain> <4A08C852.9030809@att.net>
Message-ID:

If we're talking about ethics then I think the whole certification thing is not ethical and unfair. To classify a person by asking them for a paper that costs a lot of money not just to get but to "maintain" is merely doing business on people's backs.

I don't remember when the last time was that a soccer player was asked to show a certification before they pay them millions of dollars/pounds/euros to play in the team; they bring them for what they know, not for what they're "certified" to know.

Too bad the whole world gives this scam a hand and everywhere you go, a certification is worth more than just experience.

As long as I can I will remain without any certification. I had a couple in the past I didn't renew and I don't want to have to renew them to be considered "valid". I know what I know and I'm happy my employer pays me for what I do, not for what I'm supposed to know because a paper says it.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick Winkworth
Sent: Tuesday, May 12, 2009 3:53 AM
To: Peter Rathlev
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Certification Ethics

Keep in mind that the value of the CCIE isn't that you can recall an infinite number of facts about bits, bytes, headers, protocol states, protocol errors, protocol election rules, model numbers, product specifications, and router commands, and the output of every router command... at any given moment without context or warning.

If you came up to me in the middle of the day out of nowhere and asked "What's the difference between PIMv1 and PIMv2 DR election?" I would have to stop and think. I would probably tell you to go look it up. Because that is what I do when I don't know or can't remember. It's not about how much useless information you can cram into your head. It's how you apply the facts once you have them. These facts by themselves are useless without a problem you can apply them to. You would be a bad engineer if you didn't verify anyway that it works the way you expect it to... Which means I would likely say "I'm not sure, let's look it up."

I re-memorize what I need to know to recert every 21 months. In between those times, if I don't touch IPv6, then I probably will forget it very fast. I'm busy. I have other things to remember and think about.

So hearing you say that some CCIE, or multiple CCIEs, didn't remember fact "x" and therefore you call into question the value of the CCIE as a certification... I guess that demonstrates how badly you are missing the point.

Derick Winkworth
CCIE #15672

Peter Rathlev wrote:
> On Mon, 2009-05-11 at 16:16 -0500, Chris T wrote:
>
>> -Am I completely out of line here? If so, please tell me how.
>>
>
> I have heard about things not completely unlike what you describe.
> I have myself been very bored the two times I tried attending CLP courses so I don't do that anymore. It's a waste of time.
>
> I assume Cisco is only naturally interested in people attending the courses. From what I've heard they make more than a few pennies from selling licenses to approved material.
>
>
>> -What is an appropriate time to study for a single Cisco test (not expert level)? I understand there is a great amount of variance, but ballpark figures are what? 100 hours? 500 hours? 1000 hours?
>>
>
> Hm... I used a weekend of preparation for each of three of the exams for CCIP (BSCI, QOS and MPLS) reading through mostly Cisco Press material. I took the BGP exam without preparation, though I took O'Reilly's book on BGP with me to bed. Of the four exams the BSCI was the most challenging since it covered a lot of subjects, some of which I hadn't had any practical experience with, like IPv6.
>
> I'm always a little nervous at exams, but I've had no problems only using what I had learned by working with the technology.
>
>
>> -What practice test material do YOU think is or is not fair for preparation for a Cisco certification test?
>>
>
> Anything you can come by without breaking laws is fair. :-) If you've asked Cisco specifically about some learning partner and they didn't want to even consider looking at it, it's fair game.
>
> I personally don't think the certifications are worth very much in the first place. I've been having discussions with CCIEs that had misunderstood some of the most basic things (like MED being an intransitive attribute) and it didn't just happen once.
>
> If I were to judge someone in e.g. a hiring situation I would primarily look at what (s)he'd been working with and then use maybe half an hour assessing their technical merit. (I'm not in that position though, and that's probably for the best.)
>
> The certifications do open some doors though.
> Management is impressed and it gives leverage in many situations, like "trust me, I'm a professional" or when negotiating salaries.
>
> Regards,
> Peter

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From SteveMc at netservicesplc.com Tue May 12 03:07:19 2009
From: SteveMc at netservicesplc.com (Steve McCrory)
Date: Tue, 12 May 2009 08:07:19 +0100
Subject: [c-nsp] [SPAM?] Certification Ethics
In-Reply-To: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com>
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com>
Message-ID: <1C15FB264A06794F8BDE2120972B51C1050E32F1@netexch04.ad.netservicesplc.com>

From my experience there are three groups of people when it comes to passing Cisco Exams:

* People who only use TestKeys or equivalents (TestKing, Pass4Sure etc) to study for the exams. These people may look good in terms of having a wide range of qualifications but they are soon found out, often during an interview process. I have met numerous people of this ilk in the industry and, to a man, they don't know jack!!!

* People who don't use TestKeys or equivalents to study for an exam. I would say that these people are in the minority and often require more than 1 attempt to pass an exam because they are not prepared for the ambiguity of Cisco's questions.

* People who study the material well and use TestKeys or equivalents to ensure that they pass. I, and many others, fall into this category and I would say this accounts for the majority of people in my experience. If I'm going for an interview, I can bet that the guy before me and the guy after will have used these aids so if that helps me get my foot in the door by making sure I'm as certified as I can be then I'll do it. What will hopefully separate me from the rest is the attention to detail I apply when I'm studying and the knowledge that I have acquired from on-the-job experience and from brushing up on all areas of networking, not just the ones required to study for an exam.

Unfortunately, at this time it is very easy for someone with no Cisco knowledge or experience to pass a Cisco exam. At the end of the day it does come down to a moral choice. However, if you know the material and have spent 100+ hours studying then I would not consider using one of these aids cheating.
Your extensive knowledge will shine through in an interview or on the job and that is far more important than having a piece of paper with pass marks on it.

The only exception to all of the above is the practical element of the CCIE but even that does not guarantee greatness. Our last boss was a CCIE and he knew less than the guys in the NOC!!!

What is important is that YOU know the material and YOU have the knowledge to succeed.

If you can't beat them, join them.

Steven

Steven McCrory
Senior Network Engineer
Netservices PLC
Waters Edge Business Park
Modwen Road
Manchester, M5 3EZ
www.netservicesplc.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris T
Sent: 11 May 2009 22:17
To: cisco-nsp at puck.nether.net
Subject: [SPAM?] [c-nsp] Certification Ethics

I've got a bit of a dilemma. I apologize in advance for how wordy this will be. Bear with me. I have high hopes that someone here can provide some insight.

I've been studying Cisco material for about a year and a half now. I've passed the CCNA, BSCI, and BCMSN. Based on these two facts, I feel I have a decent level of familiarity with the Cisco learning and testing process.

Recently, I've been changing the way I study. I spent roughly 250 dedicated, focused study hours on the ISCW. In that time, I used the following sources:

CBT Nuggets Videos (watched all)
Cisco Press Official Exam Certification Guide (read front to back, while taking notes)
Cisco Press Student Guides (initially used as a supplement, then started reading thoroughly)

Based on those resources, I typed 70 pages of notes and created over a thousand flash cards. I made sure I understood things before moving on. Additionally, I purchased a half rack and populated it with 2 switches, 2 multilayer switches, and 9 routers, all current enough. I did labs and reviewed my notes and flash cards a decent bit.
Feeling like I was over prepared, I went into the test and promptly failed by 10 or 20 points. I went back home and reviewed all of my notes and flash cards until I felt I knew all of it (about three hours a night for a week, and an eight hour day). I went back in and tested. I failed again by 10 or 20 points.

This left me somewhat confused as to how to move forward. Despite significant review time over exactly what material Cisco provides to prepare for the test, I still did not do any better. I got to the point where I felt reviewing the same material again simply would not provide me with any more information. I knew what was in the book.

While this was going on, work needed me to come up with a new security strategy and put in some ASAs. I had maintained their ASAs for a while, but I had not configured any from scratch so I did not feel my knowledge level was sufficient to come up with a corporate wide network security plan. I decided to speed up the process of learning security by putting money into it. I ended up going to a CCSP boot camp with a Cisco Learning Partner. I thought going to the boot camp would be a great opportunity for me, not only to gain a lot of direct knowledge about security, but also to learn better ways to study.

By two days into the boot camp, I really felt like it was way too easy to get me where I needed to be to pass. I already knew 80% of the material that was being taught based on previous experience maintaining the ASAs. I communicated this concern to the teacher on several occasions. He felt that everything would be fine though.

During the boot camp they passed out practice test material from TestKeys (testkeys.com). Based on what I was hearing from my peers, this material *very* closely mimicked the real test. Since just getting a piece of paper was not my goal and I felt I had come into the class with more knowledge than most of my class mates, I decided not to use the material. I took the SNAF and failed.
While taking the test, I found that the labs in the test were inappropriately close to the labs we had done in class. Even most of the arbitrary names (ACL names, etc.) were exactly the same. My peers agreed that TestKeys *very* closely mimicked the real test. I went home and looked at about five or six of the TestKeys questions and found that many of the questions were almost word for word what I had seen on my real test.

At that point, I left the boot camp. I felt that it was simply cheating. If I had wanted to do that, I wouldn't have spent thousands of dollars on training. This was indeed a Cisco Learning Partner though and they assured me that Cisco explicitly approved the practice test material.

Seeking clarification, I called Cisco's certification support. After 30 minutes on the phone asking them simply, "what practice test material is approved for use" I got no answer. I was eventually transferred to the Cisco Learning Partner support channel. I really didn't want to get the boot camp involved since I was already in a financial dispute with them. After a great deal of time (read: two weeks), I finally made it 100% clear what my question was to the CLP support group. Again, simply "what practice test material is approved for use". Or if they can't provide that, can they at least confirm TestKeys is approved? Despite constant badgering, I have not received a reply to my question in over 5 weeks. During that time it has become painfully clear that the majority (if not vast majority) of people who pass Cisco certifications use these types of "advanced study aids".

Next, I tried to escalate through Cisco. As it turned out, I was already speaking to the boss of the boss of the first line Cisco Learning Partner support rep. The person I was speaking with basically wasn't generating any progress. I went to our Cisco sales rep next, who said despite him selling lots of Cisco training, he has never had a conversation like this and he feels it just doesn't matter.
I spoke to some of the people I know that have been in networking for much longer than me and the consensus seems to be that everyone does it and it doesn't matter.

My problem now is that it appears to pass a test I must spend hundreds or thousands of dollars on materials (learning materials and hardware) and something like 400 or 500 hours to pass a single test. The vast majority of other people who are getting certified seem to be passing the test in 150 hours or significantly less. Professional training doesn't help. The consensus around me is that I should not be such a stickler. On top of all this, even the manufacturer of the tests won't tell me what is and is not fair after a total of seven weeks of badgering.

I'm starting to feel like I'm playing hockey without a hockey stick, and not even the referee is willing to tell me if I'm allowed to have a hockey stick or not.

I'm stuck. I don't want to cheat. I also don't want to have to work three or four times harder to achieve the same results as someone else. Moreover, if even the moderator won't tell me what is fair and what is not, why am I spending all of this extra effort?

My questions to the group are:

-Am I completely out of line here? If so, please tell me how.

-What is an appropriate time to study for a single Cisco test (not expert level)? I understand there is a great amount of variance, but ballpark figures are what? 100 hours? 500 hours? 1000 hours?

-What practice test material do YOU think is or is not fair for preparation for a Cisco certification test?

Again, sorry for being so wordy. Thanks in advance for any insight you may be able to share.

-Chris

--------
NetServices plc, Company No. 4178393, Registered Office: NetServices House, 31 Modwen Road, Waters Edge Business Park, SALFORD, M5 3EZ
--------

From swmike at swm.pp.se Tue May 12 03:19:17 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 12 May 2009 09:19:17 +0200 (CEST)
Subject: [c-nsp] [SPAM?] Certification Ethics
In-Reply-To: <1C15FB264A06794F8BDE2120972B51C1050E32F1@netexch04.ad.netservicesplc.com>
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> <1C15FB264A06794F8BDE2120972B51C1050E32F1@netexch04.ad.netservicesplc.com>
Message-ID:

On Tue, 12 May 2009, Steve McCrory wrote:

> * People who don't use TestKeys or equivalents to study for an exam. I
> would say that these people are in the minority and often require more
> than 1 attempt to pass an exam because they are not prepared for
> ambiguity of Cisco's questions

Last time I checked (5 years ago or something like that) I got so put off I never considered getting a Cisco certification again. The web example question was "how many usable /26 do you have in a /24" and the answer was "2". Right. Like ANYONE has ever IN THE REAL WORLD used a Cisco router without "ip subnet-zero" and "ip classless" since 1995.

I hope this has improved since I last looked at it.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From A.L.M.Buxey at lboro.ac.uk Tue May 12 03:27:03 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 12 May 2009 08:27:03 +0100
Subject: [c-nsp] [SPAM?] Certification Ethics
In-Reply-To:
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> <1C15FB264A06794F8BDE2120972B51C1050E32F1@netexch04.ad.netservicesplc.com>
Message-ID: <20090512072703.GA25648@lboro.ac.uk>

Hi,

> The web example question was "how many usable /26 do you have in a /24"
> and the answer was "2". Right. Like ANYONE has ever IN THE REAL WORLD
> used a Cisco router without "ip subnet-zero" and "ip classless" since
> 1995.
>
> I hope this has improved since I last looked at it.
not really - although to stop ambiguity they now start the question with something akin to 'assuming classless addressing is in use....'

the main thing is when you see people with CCNP/CCIE who have not much real time spent in the field - only with years of real world experience can you state how things really happen. in the real world you have to interoperate with other vendors' kit - turn off some of the driving aids as it were - and deal with IOS issues...oh, and users! ;-)

alan

From pigsign.pykota at gmail.com Tue May 12 04:16:39 2009
From: pigsign.pykota at gmail.com (Darren Yang)
Date: Tue, 12 May 2009 16:16:39 +0800
Subject: [c-nsp] How to improve C3750G switch uplink speed?
Message-ID:

Hi,

When I plug a wire into a c3750g port, it waits about "30sec" and then changes to uplink status.

Is there any method that can cut down the uplink time?

Regards,
Pigsign

From SteveMc at netservicesplc.com Tue May 12 04:37:00 2009
From: SteveMc at netservicesplc.com (Steve McCrory)
Date: Tue, 12 May 2009 09:37:00 +0100
Subject: [c-nsp] [SPAM?] Certification Ethics
In-Reply-To:
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com><1C15FB264A06794F8BDE2120972B51C1050E32F1@netexch04.ad.netservicesplc.com>
Message-ID: <1C15FB264A06794F8BDE2120972B51C1050E331E@netexch04.ad.netservicesplc.com>

> I hope this has improved since I last looked at it.

In short...no. When I was preparing for the MPLS exam I found a post in a certification forum relating to a blatant mistake in one of the labs. I think it was configuring EIGRP as the CE-PE routing protocol and the information in the lab asks you to configure AS1 but you actually need to configure AS100 (or something similar). The post I found was from 2005 and I sat the exam in 2008. That's 3 years that Cisco have allowed this error to remain in the simulation....it actually beggars belief!!!
Steven

Steven McCrory
Senior Network Engineer
Netservices PLC
Waters Edge Business Park
Modwen Road
Manchester, M5 3EZ
www.netservicesplc.com

From pshem.k at gmail.com Tue May 12 04:47:53 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Tue, 12 May 2009 20:47:53 +1200
Subject: [c-nsp] How to improve C3750G switch uplink speed?
In-Reply-To:
References:
Message-ID: <20fe625b0905120147u7e593c85j44f4b17dea94585d@mail.gmail.com>

Hi,

If you're connecting a host then:

spanning-tree portfast

on the interface will cut this time down.

kind regards
Pshem

2009/5/12 Darren Yang :
> Hi,
>
> When I plug a wire into a c3750g port, it waits about "30sec" and then
> changes to uplink status.
>
> Is there any method that can cut down the uplink time?
>
>
> Regards,
> Pigsign
>

From ltd at cisco.com Tue May 12 04:49:53 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Tue, 12 May 2009 18:49:53 +1000
Subject: [c-nsp] How to improve C3750G switch uplink speed?
In-Reply-To:
References:
Message-ID: <4A093831.9060508@cisco.com>

Darren Yang wrote:
> Hi,
>
> When I plug a wire into a c3750g port, it waits about "30sec" and then
> changes to uplink status.
>
> Is there any method that can cut down the uplink time?
>
sounds like it's going through STP. if it's an edge port, configure it as such (portfast).

From peter.hicks at poggs.co.uk Tue May 12 04:28:25 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Tue, 12 May 2009 09:28:25 +0100
Subject: [c-nsp] How to improve C3750G switch uplink speed?
In-Reply-To:
References:
Message-ID: <4A093329.9010608@poggs.co.uk>

Darren Yang wrote:
> When I plug a wire into a c3750g port, it waits about "30sec" and then
> changes to uplink status.
>
> Is there any method that can cut down the uplink time?
>
"spanning-tree portfast" on the port, providing that the port connects to a single end device that isn't bridging.

Peter

From zardoz at hotblack.net Tue May 12 14:01:07 2009
From: zardoz at hotblack.net (Tristan Gulyas)
Date: Wed, 13 May 2009 04:01:07 +1000
Subject: [c-nsp] alternatives to Cisco's SFPs
References: <20090506.001816.41703097.sthaug@nethelp.no> <20090505225122.GA8378@wildfire.net.ic.ac.uk>
Message-ID:

Hi,

I've had a look at some of the third party 1000baseLX SFPs which are Cisco-coded so no "service unsupported-trans" was required. We used an optical power meter and did notice that the transmit power was less than the genuine Cisco transceiver but still sufficient for specification. The third-party SFPs may be 1000baseLX vs. the LH standard which doubles the supported length. Mind you, I've seen over 20km running without errors on the LH SFPs. I don't expect that from a third party optic... I can't remember the brand, however. Also our warranty is time-limited, I believe 3 years with these SFPs.

We haven't noticed many (but we have had some) Cisco SFPs fail. We've only been using the third party ones for a short time but we've had no failures or DOAs thus far.

Also make sure you have some spare Cisco SFPs just in case you need to log a TAC case about something - I don't imagine Cisco will be much help with non-genuine hardware.

Tristan

----- Original Message -----
From: "Phil Mayers"
To:
Cc:
Sent: Wednesday, May 06, 2009 8:51 AM
Subject: Re: [c-nsp] alternatives to Cisco's SFPs

> On Tue, May 05, 2009 at 11:18:16PM +0100, sthaug at nethelp.no wrote:
>>> Does anyone have good experience with non-Cisco SFPs?
>>> In particular, we're trying to look for lower cost alternatives to GLC-T (or
>>> SFP-GE-T), GLC-SX-MM (SFP-GE-S) and GLC-LH-SM (SFP-GE-L). Also, any
>>> problem with using non-Cisco SFPs (even after enabling "service
>>> unsupported-transceiver")?
>>
>> You can buy "Cisco coded" SFPs from a significant number of vendors,
>> at much better price than Cisco. We have bought such SFPs from, among
>
> Yep
>
>> others, Zycko. We never had a problem using SFPs not purchased from
>
> We buy the ProLabs ones, from hardware.com
>
> They're excellent.
>
>> Cisco - but buyer beware, there *are* definitely lower quality SFPs
>> out there. YMMV.
>
> Ho ho. We once paid a not-inconsiderable amount for a try of "real" Cisco
> SFPs that turned out to be fakes.
>
> Beware of fakes - as well as having crappy lasers, sensors and build
> quality, many of them have duplicate serial numbers and two such SFPs WILL
> NOT work in most Cisco kit, "service unsupp" is no help.

From pigsign.pykota at gmail.com Tue May 12 06:35:48 2009
From: pigsign.pykota at gmail.com (Darren Yang)
Date: Tue, 12 May 2009 18:35:48 +0800
Subject: [c-nsp] How to improve C3750G switch uplink speed?
In-Reply-To: <17476.196.46.241.57.1242125542.squirrel@nexmail1.nexlinx.net.pk>
References: <17476.196.46.241.57.1242125542.squirrel@nexmail1.nexlinx.net.pk>
Message-ID:

That port is directly connected to a server, so I chose to type the command "spanning portfast" on that interface and it works well. :)

Thanks for all your support!!~ :)

Regards,
pigsign

2009/5/12 :
> You are using this port for UPLINK, and it could be a trunk port. I
> strongly suggest you should not use portfast on this port. This way you
> can avoid loops and the 30 second wait will be worth it.
>
> Regards,
> Masood
> Blog: http://weblogs.com.pk/jahil/
>
>> Hi,
>>
>> When I plug a wire into a c3750g port, it would wait about "30sec" then change to uplink status.
>>
>> Are there any methods that can cut down the uplink time?
>>
>> Regards,
>> Pigsign

From masood at nexlinx.net.pk Tue May 12 06:52:22 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Tue, 12 May 2009 15:52:22 +0500 (PKT)
Subject: [c-nsp] How to improve C3750G switch uplink speed?
In-Reply-To:
References:
Message-ID: <17476.196.46.241.57.1242125542.squirrel@nexmail1.nexlinx.net.pk>

You are using this port for UPLINK, and it could be a trunk port. I strongly suggest you should not use portfast on this port. This way you can avoid loops and the 30 second wait will be worth it.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

> Hi,
>
> When I plug a wire into a c3750g port, it would wait about "30sec" then change to uplink status.
>
> Are there any methods that can cut down the uplink time?
>
> Regards,
> Pigsign

From eng_mssk at hotmail.com Tue May 12 07:38:26 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 12 May 2009 14:38:26 +0300
Subject: [c-nsp] MPLS Header
Message-ID:

Hey all,

If I have a POS interface (STM-1 link) and I enable MPLS on it, how much header will I lose from the overall capacity (155.52 M), and how will the interface type affect the size?

Thanks
From sthaug at nethelp.no Tue May 12 07:55:40 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 12 May 2009 13:55:40 +0200 (CEST)
Subject: [c-nsp] MPLS Header
In-Reply-To:
References:
Message-ID: <20090512.135540.74738706.sthaug@nethelp.no>

> If I have a POS interface (STM-1 link) and I enable MPLS on it, how much header will I lose from the overall capacity (155.52 M), and how will the interface type affect the size?

MPLS labels are 4 bytes each. You typically need 2 labels, thus 8 bytes. There are situations where you might need 3 labels, seldom more.

What percentage this is of the total capacity depends on packet size. If you have to worry about it, it may mean you're doing something wrong.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From lowen at pari.edu Tue May 12 09:11:35 2009
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 12 May 2009 09:11:35 -0400
Subject: [c-nsp] MRTG on SONET APS?
In-Reply-To: <4A04A34B.2090703@templin.org>
References: <4A04A34B.2090703@templin.org>
Message-ID: <200905120911.35879.lowen@pari.edu>

On Friday 08 May 2009 05:25:31 pm Pete Templin wrote:
> I'm in the process of bringing up my first SONET APS-protected (single-router APS) link, and it's been an adventure.

Is this a true 'single-router' APS setup, or is it a 'multirouter' APS setup that just happens to be on a single router? (There is a difference in the configuration.) I have an APS protected OC3 here, and am tracking with MRTG on the far end, which has two routers.

> Unfortunately, MRTG is only seeing 16bps on one port, and 0bps on the others. Is there something special to tracking the traffic on an APS pair?

Unless MRTG can do additive interfaces (that is, have an RRD that records the sum of the working and protect interfaces' counters) you will have two RRDs, one for the protect and one for the working.
I think the behavior is also platform-specific; but as I don't have MRTG monitoring the near end router pair at the moment, I don't know. Hmm, I think I should enable that and see if that is the case. While I currently have the near end working on a 12012, and the protect on an OSR7609, I do know that 'one-router multirouter' APS will work on the 12012, so, for grins and giggles, I can set that up and do a little testing (after notifying my OC3 providers, of course, as they'll get LOS alarms when I move the plug over....).

One minor note, for completeness: I'm assuming you're not monitoring the loopback, but monitoring the individual POS interfaces, right? (Like I said, I assume you are monitoring the POS interfaces, but, just in case....)

Welcome to the mad world of SONET APS. I've had this circuit up for two years; it wouldn't be quite so 'interesting' if it were a single provider circuit. However, APS does 'neat' things when you hand off one provider to another, and they're using disparate vendors' ADMs. Both providers have been very good to work with, and lots of knowledge has been gained by all parties in the process, though!

Also, for completeness, do you mind sharing the configs for the two POS interfaces, and the results of running the combination of:

  debug aps
  show aps
  no debug aps

(sanitized of IP addresses and aps authentication information, of course)? Turning APS debugging on causes show aps to give more detailed information.

From andharri at googlemail.com Tue May 12 09:38:30 2009
From: andharri at googlemail.com (Andrew Harris)
Date: Tue, 12 May 2009 14:38:30 +0100
Subject: [c-nsp] Disabling SSL Version 2.0 on CSM with SSL (WS-X6066-SLB-S-K9)
Message-ID: <63fd3a0a0905120638s55602ec9k454f9f4c0010ed5f@mail.gmail.com>

Hi,

We have a number of CSMs with SSL model WS-X6066-SLB-S-K9 (IOS 12.2(18)SXE1 CSM 2.1(5)) and we are now required to disable SSL 2.0 on all SSL proxies. Looking at the command reference there does not seem to be an option to do this.
Does anyone know if this is possible?

Thanks
Andy

From geoff at pendery.net Tue May 12 10:29:30 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Tue, 12 May 2009 09:29:30 -0500
Subject: [c-nsp] [SPAM?] Certification Ethics
In-Reply-To: <1C15FB264A06794F8BDE2120972B51C1050E32F1@netexch04.ad.netservicesplc.com>
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> <1C15FB264A06794F8BDE2120972B51C1050E32F1@netexch04.ad.netservicesplc.com>
Message-ID:

A big giant YMMV and "just my two cents", but here goes:

I agree with OP Chris that it still feels like cheating, but Steve here definitely hits on a major point: Even if you have the best of intentions and integrity, and have studied the textbooks and courses as best you can, you will still run into strange questions that require "the Cisco answer", or at least a very particular detail that you didn't see covered in the text and which you don't use in real work.

If I saw another engineer, who I respected and knew to be capable, using the "test keys" type materials to prepare him for those questions... well, I might disagree, but I probably wouldn't fault him for it.

Amongst the reputable guys I've known preparing for the exams, the most solid "final" stage of preparation, the one that really checks whether you learned what you were supposed to and also prepares you for these "Cisco answers" is... the exam itself.

If you're gonna take the CCNP Routing exam (BSCI), you study until you really feel like "I know routing now. I understand those concepts and protocols." Then you take the exam. You probably fail. No great shame in that. But having taken the exam, you should have seen all the questions, and gotten a feel for what you're missing. Now you take another week or two to focus on the points you were weak on (the score report tries to break this down for you, but it may miss the point) and you re-take it. If you fail it more than twice in a row, you're probably doing something wrong.
Now, all that said, there's another complication or two.

Everyone has different learning methods and study habits and levels of retention, but I find that the closer the material is to your actual daily production work, the better. I had much more trouble remembering the protocols and techniques I never worked with than the ones I worked on every day. Only natural. Even labs can only go so far. As they say, necessity is the mother of invention. Production gear in real-world environments will often yield unusual requirements, prompting you to consider strange solutions.

Lastly - the money. Taking the exams isn't free, so it's tough to go into the exam expecting to fail it, and write off the cost to learning. For me, I just consider it part of my training expenses, and a more efficient use of that money than boot camps. But I'll admit being intimidated by the cost of the CCIE Lab, especially given the expectation of failing it the first time around...

-Geoff

On Tue, May 12, 2009 at 2:07 AM, Steve McCrory wrote:
> From my experience there are three groups of people when it comes to passing Cisco Exams:
>
> * People who only use TestKeys or equivalents (TestKing, Pass4Sure etc) to study for the exams. These people may look good in terms of having a wide range of qualifications but they are soon found out, often during an interview process. I have met numerous people of this ilk in the industry and, to a man, they don't know jack!!!
>
> * People who don't use TestKeys or equivalents to study for an exam. I would say that these people are in the minority and often require more than 1 attempt to pass an exam because they are not prepared for the ambiguity of Cisco's questions.
>
> * People who study the material well and use TestKeys or equivalents to ensure that they pass. I, and many others, fall into this category and I would say this accounts for the majority of people in my experience.
> If I'm going for an interview, I can bet that the guy before me and the guy after will have used these aids, so if that helps me get my foot in the door by making sure I'm as certified as I can be then I'll do it. What will hopefully separate me from the rest is the attention to detail I apply when I'm studying and the knowledge that I have acquired from on-the-job experience and from brushing up on all areas of networking, not just the ones required to study for an exam.
>
> Unfortunately, at this time it is very easy for someone with no Cisco knowledge or experience to pass a Cisco exam. At the end of the day it does come down to a moral choice. However, if you know the material and have spent 100+ hours studying then I would not consider using one of these aids cheating. Your extensive knowledge will shine through in an interview or on the job and that is far more important than having a piece of paper with pass marks on it.
>
> The only exception to all of the above is the practical element of the CCIE but even that does not guarantee greatness. Our last boss was a CCIE and he knew less than the guys in the NOC!!! What is important is that YOU know the material and YOU have the knowledge to succeed. If you can't beat them, join them.
>
> Steven
>
> Steven McCrory
> Senior Network Engineer
> Netservices PLC
> Waters Edge Business Park
> Modwen Road
> Manchester, M5 3EZ
> www.netservicesplc.com
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris T
> Sent: 11 May 2009 22:17
> To: cisco-nsp at puck.nether.net
> Subject: [SPAM?] [c-nsp] Certification Ethics
>
> I've got a bit of a dilemma. I apologize in advance for how wordy this will be. Bear with me. I have high hopes that someone here can provide some insight.
>
> I've been studying Cisco material for about a year and a half now. I've passed the CCNA, BSCI, and BCMSN.
> Based on these two facts, I feel I have a decent level of familiarity with the Cisco learning and testing process.
>
> Recently, I've been changing the way I study. I spent roughly 250 dedicated, focused study hours on the ISCW. In that time, I used the following sources:
>
> CBT Nuggets Videos (watched all)
> Cisco Press Official Exam Certification Guide (read front to back, while taking notes)
> Cisco Press Student Guides (initially used as a supplement, then started reading thoroughly)
>
> Based on those resources, I typed 70 pages of notes and created over a thousand flash cards. I made sure I understood things before moving on. Additionally, I purchased a half rack and populated it with 2 switches, 2 multilayer switches, and 9 routers, all current enough. I did labs and reviewed my notes and flash cards a decent bit. Feeling like I was over prepared, I went into the test and promptly failed by 10 or 20 points. I went back home and reviewed all of my notes and flash cards until I felt I knew all of it (about three hours a night for a week, and an eight hour day). I went back in and tested. I failed again by 10 or 20 points.
>
> This left me somewhat confused as to how to move forward. Despite significant review time over exactly what material Cisco provides to prepare for the test, I still did not do any better. I got to the point where I felt reviewing the same material again simply would not provide me with any more information. I knew what was in the book.
>
> While this was going on, work needed me to come up with a new security strategy and put in some ASAs. I had maintained their ASAs for a while, but I had not configured any from scratch so I did not feel my knowledge level was sufficient to come up with a corporate wide network security plan. I decided to speed up the process of learning security by putting money into it.
> I ended up going to a CCSP boot camp with a Cisco Learning Partner.
>
> I thought going to the boot camp would be a great opportunity for me, not only to gain a lot of direct knowledge about security, but also to learn better ways to study. By two days into the boot camp, I really felt like it was way too easy to get me where I needed to be to pass. I already knew 80% of the material that was being taught based on previous experience maintaining the ASAs. I communicated this concern to the teacher on several occasions. He felt that everything would be fine though. During the boot camp they passed out practice test material from TestKeys (testkeys.com). Based on what I was hearing from my peers, this material *very* closely mimicked the real test. Since just getting a piece of paper was not my goal and I felt I had come into the class with more knowledge than most of my classmates, I decided not to use the material. I took the SNAF and failed. While taking the test, I found that the labs in the test were inappropriately close to the labs we had done in class. Even most of the arbitrary names (ACL names, etc.) were exactly the same. My peers agreed that TestKeys *very* closely mimicked the real test. I went home and looked at about five or six of the TestKeys questions and found that many of the questions were almost word for word what I had seen on my real test. At that point, I left the boot camp. I felt that it was simply cheating. If I had wanted to do that, I wouldn't have spent thousands of dollars on training.
>
> This was indeed a Cisco Learning Partner though and they assured me that Cisco explicitly approved the practice test material. Seeking clarification, I called Cisco's certification support. After 30 minutes on the phone asking them simply, "what practice test material is approved for use", I got no answer.
> I was eventually transferred to the Cisco Learning Partner support channel. I really didn't want to get the boot camp involved since I was already in a financial dispute with them. After a great deal of time (read: two weeks), I finally made it 100% clear what my question was to the CLP support group. Again, simply "what practice test material is approved for use". Or if they can't provide that, can they at least confirm TestKeys is approved?
>
> Despite constant badgering, I have not received a reply to my question in over 5 weeks. During that time it has become painfully clear that the majority (if not vast majority) of people who pass Cisco certifications use these types of "advanced study aids". Next, I tried to escalate through Cisco. As it turned out, I was already speaking to the boss of the boss of the first line Cisco Learning Partner support rep. The person I was speaking with basically wasn't generating any progress. I went to our Cisco sales rep next, who said despite him selling lots of Cisco training, he has never had a conversation like this and he feels it just doesn't matter. I spoke to some of the people I know that have been in networking for much longer than me and the consensus seems to be that everyone does it and it doesn't matter.
>
> My problem now is that it appears to pass a test I must spend hundreds or thousands of dollars on materials (learning materials and hardware) and something like 400 or 500 hours to pass a single test. The vast majority of other people who are getting certified seem to be passing the test in 150 hours or significantly less. Professional training doesn't help. The consensus around me is that I should not be such a stickler. On top of all this, even the manufacturer of the tests won't tell me what is and is not fair after a total of seven weeks of badgering.
>
> I'm starting to feel like I'm playing hockey without a hockey stick, and not even the referee is willing to tell me if I'm allowed to have a hockey stick or not.
>
> I'm stuck. I don't want to cheat. I also don't want to have to work three or four times harder to achieve the same results as someone else. Moreover, if even the moderator won't tell me what is fair and what is not, why am I spending all of this extra effort?
>
> My questions to the group are:
>
> -Am I completely out of line here? If so, please tell me how.
>
> -What is an appropriate time to study for a single Cisco test (not expert level)? I understand there is a great amount of variance, but ballpark figures are what? 100 hours? 500 hours? 1000 hours?
>
> -What practice test material do YOU think is or is not fair for preparation for a Cisco certification test?
>
> Again, sorry for being so wordy. Thanks in advance for any insight you may be able to share.
>
> -Chris
>
> --------
> NetServices plc, Company No. 4178393,
> Registered Office: NetServices House, 31 Modwen Road,
> Waters Edge Business Park, SALFORD, M5 3EZ
> --------

From rekordmeister at gmail.com Tue May 12 11:05:18 2009
From: rekordmeister at gmail.com (MKS)
Date: Tue, 12 May 2009 15:05:18 +0000
Subject: [c-nsp] AS5300 SW
Message-ID:

Hi list

I have an old AS5300 that is out of support. I'm looking for SW that is more recent than c5300-is-mz.121-17.bin but still runs on 64ram and fits in 8 flash.
According to the SW feature navigator, there is c5300-is-mz.12.1-27b, but it's no longer available from Cisco.

Is there someone out there that can help me out with software for this box?

Regards
MKS

From mduksa at gmail.com Tue May 12 12:41:49 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 12 May 2009 09:41:49 -0700
Subject: [c-nsp] crs-1 ISSU?
Message-ID:

Hi,

Can anyone point me to the documentation where it says that Cisco IOS-XR on CRS-1 supports true in-service software upgrades (ISSU)? I've been looking on CCO but all they talk about in IOS XR is ISSU where they patch code and things like that. What I'm looking for is to upgrade a CRS-1 to a new software image with a subsecond outage. This means upgrading the control plane and line cards with the new software images with a subsecond outage. Not just a specific software module or a line card, but the whole system, upgrading between two major releases.

I assume that non stop routing (not forwarding) would be a prerequisite for this, but it seems that they support NSR only for ISIS. NSR implies stateful failover where all protocol states/transactions are mirrored and synched between two routing engines. For example, BGP TCP sessions stay the same during the routing engine failover.

Thanks,
Marlon

From pshem.k at gmail.com Tue May 12 12:42:58 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Wed, 13 May 2009 04:42:58 +1200
Subject: [c-nsp] ASR - visiblity of egress LSR in IP traceroute
Message-ID: <20fe625b0905120942w3e391c70n66e746c0f2c4dd78@mail.gmail.com>

Hi,

We have an ASR (1004) in our network. I've noticed that traceroutes that exit the L3VPN on the ASR don't have the ASR as an IP hop. I understand what is causing it, but the 7301s don't seem to exhibit the same behaviour. We would like to have this functionality mainly for debugging and troubleshooting purposes.

We've tried to enable one label per vrf:

  mpls label mode vrf CustomerXXX protocol all-afs per-vrf

but that didn't make a difference.
Is there a way to force the ASR to 'register' in the trace the same way the 7301 does?

kind regards
Pshem

From charles at thewybles.com Tue May 12 13:02:30 2009
From: charles at thewybles.com (Charles Wyble)
Date: Tue, 12 May 2009 10:02:30 -0700
Subject: [c-nsp] Certification Ethics
In-Reply-To: <1242109704.8536.10.camel@localhost.localdomain>
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> <1242082176.5143.16.camel@localhost.localdomain> <4A08C852.9030809@att.net> <1242109704.8536.10.camel@localhost.localdomain>
Message-ID: <4A09ABA6.9050707@thewybles.com>

Peter Rathlev wrote:
> On Mon, 2009-05-11 at 19:52 -0500, Derick Winkworth wrote:
> ...
>> So hearing you say that some CCIE, or multiple CCIEs, didn't remember fact "x" and therefore you call into question the value of the CCIE as a certification... I guess that demonstrates how badly you are missing the point.
>
> I think you missed my point. The specific example given was something he was tasked with and couldn't get to work. His excuse was that someone else didn't do what they should. The problem was that MED was not the right tool.

This unfortunately sounds like many systems/network personnel who hold some ideal view of the world and when things don't conform they lash out.

> I didn't say _all_ CCIEs are wrong. And I don't expect everyone to remember everything always. I do expect though that if I ask you about how to control traffic flow across several independent ASs you don't answer "MED" and stay with that answer even though others point out that it won't work.

Yeah. I mean even someone like me with a wikipedia level of knowledge about many network bits knows that.
http://en.wikipedia.org/wiki/Border_Gateway_Protocol#Uses_of_multi-exit_discriminators

MEDs, defined in the main BGP standard, were originally intended to show the advertising AS's preference, to another neighbor AS, the advertising AS's preference as to which of several links, to the same AS, key word SAME AS.

> I do expect a CCIE having chosen a specific setup to be able to explain what choices he made and why, e.g. the general differences between SRA and SRB instead of saying "You're welcome to read the release notes.", especially when being paid to do so.

Exactly. This is what good engineers should be able to do.

> I have also met CCIEs that I'm very impressed with, and many CCIEs I've seen explain things have been way beyond what I understand. I'm just saying that some CCIEs are good at networking and others are good at taking exams

Yep.

From charles at thewybles.com Tue May 12 13:09:34 2009
From: charles at thewybles.com (Charles Wyble)
Date: Tue, 12 May 2009 10:09:34 -0700
Subject: [c-nsp] Certification Ethics
In-Reply-To:
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> <1242082176.5143.16.camel@localhost.localdomain> <4A08C852.9030809@att.net>
Message-ID: <4A09AD4E.8010406@thewybles.com>

Ziv Leyes wrote:
> If we're talking about ethics then I think the whole certification thing is not ethical and unfair,

Life isn't fair. :)

> to classify a person asking 'em for a paper that costs a lot of money to not just get but to "maintain" it's merely doing business on people's back.

Well. I disagree. I think that the CCIE (flawed though its takers may be) is about the only cert that really means something. If someone has taken the test and obtained the number, then you should feel comfortable asking them questions about things at that level. Same thing as if someone has the experience on their resume. The CCIE and all the studying it entails allows someone entering the field to rapidly get up to speed.
It's an excellent blueprint.

> I don't remember when the last time a soccer player was asked to show a certification before they pay them millions of dollars/pounds/euros for them to play in the team, they bring them for what they know, not for what they're "certified" to know.

Um. They usually have a pretty good track record at that point. The "certification" is done by scouts and references.

> Too bad the whole world gives this scam a hand and everywhere you go, a certification is worth more than just experience.

Well then go get a certification. If you have the necessary experience then it shouldn't be a problem.

> As long as I can I will remain without any certification. I had a couple in the past I didn't renew and I don't want to have to renew them to be considered "valid". I know what I know and I'm happy my employer pays me for what I do, not for what I'm supposed to know because a paper says it.

You sound pretty bitter. That's unfortunate..... it's usually not a good idea to moan and groan on a list with hundreds or thousands of subscribers. :) Google is great for hiring managers.

From walter.keen at RainierConnect.net Tue May 12 13:19:32 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Tue, 12 May 2009 10:19:32 -0700
Subject: [c-nsp] OSPF fast convergence
Message-ID: <4A09AFA4.1070300@rainierconnect.net>

When redesigning an OSPF service provider network (default values, with many gig-e links), aside from fixing link cost issues (100mbit is treated the same as gig-e at the moment), should I look at sub-second timers in OSPF ('ip ospf dead-timers minimal .....') or BFD? It looks like either would require an IOS upgrade, but I have seen lots of discussion about bugs in BFD. This is only for core interfaces (all cisco 7600 series). We'll be adding MPLS and iBGP on top of this after it's completed.
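The "link cost issue" Walter mentions comes from IOS's default OSPF reference bandwidth of 100 Mbit/s, under which FastEthernet and GigabitEthernet both round down to cost 1. The following Python is an added example, not code from any list member: it computes the IOS-style interface cost under the default and under a raised reference bandwidth and flags links of different speed that SPF cannot tell apart. The interface list is constructed.

```python
"""Show why OSPF on IOS gives 100 Mbit/s and 1 Gbit/s links the same cost
with the default reference bandwidth, and how raising it separates them.

Added example; the interface list below is constructed, not taken from
any list member's network.
"""
from collections import defaultdict

# IOS default: "auto-cost reference-bandwidth 100" (value in Mbit/s).
DEFAULT_REF_BW_MBPS = 100


def ospf_cost(bandwidth_mbps: float, ref_bw_mbps: int = DEFAULT_REF_BW_MBPS) -> int:
    """IOS interface cost: reference bandwidth divided by interface bandwidth,
    truncated to an integer and never lower than 1."""
    if bandwidth_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    return max(1, int(ref_bw_mbps / bandwidth_mbps))


def cost_table(interfaces: dict, ref_bw_mbps: int = DEFAULT_REF_BW_MBPS) -> dict:
    """Map interface name -> OSPF cost for a dict of name -> bandwidth (Mbit/s)."""
    return {name: ospf_cost(bw, ref_bw_mbps) for name, bw in interfaces.items()}


def indistinguishable_links(interfaces: dict, ref_bw_mbps: int = DEFAULT_REF_BW_MBPS) -> list:
    """Return groups of interfaces that have *different* bandwidths but the
    *same* cost, i.e. links SPF treats as equal. Each group is a sorted list
    of names; the list of groups is sorted too, so results are deterministic."""
    by_cost = defaultdict(list)
    for name, bw in interfaces.items():
        by_cost[ospf_cost(bw, ref_bw_mbps)].append((name, bw))
    groups = []
    for members in by_cost.values():
        if len({bw for _, bw in members}) > 1:  # mixed speeds sharing one cost
            groups.append(sorted(name for name, _ in members))
    return sorted(groups)


# Constructed core links: FastEthernet, two GigabitEthernet, one 10G uplink.
CORE_LINKS = {
    "FastEthernet1/1": 100,
    "GigabitEthernet2/1": 1000,
    "GigabitEthernet2/2": 1000,
    "TenGigabitEthernet3/1": 10000,
}

if __name__ == "__main__":
    # With the default, every link costs 1; with 10000 Mbit/s the costs
    # become 100 / 10 / 10 / 1 and the mixed-speed group disappears.
    for ref in (DEFAULT_REF_BW_MBPS, 10000):
        print(f"auto-cost reference-bandwidth {ref}")
        for name, cost in cost_table(CORE_LINKS, ref).items():
            print(f"  {name:24} cost {cost}")
        print("  mixed-speed links with equal cost:",
              indistinguishable_links(CORE_LINKS, ref) or "none")
```

The reference bandwidth must be set to the same value on every router in the area, otherwise costs for the same link type differ from router to router.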
From p.mayers at imperial.ac.uk Tue May 12 13:40:12 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 12 May 2009 18:40:12 +0100
Subject: [c-nsp] OSPF fast convergence
In-Reply-To: <4A09AFA4.1070300@rainierconnect.net>
References: <4A09AFA4.1070300@rainierconnect.net>
Message-ID: <4A09B47C.8070205@imperial.ac.uk>

Walter Keen wrote:
> When redesigning an OSPF service provider network (default values, with many gig-e links), aside from fixing link cost issues (100mbit is treated the same as gig-e at the moment), should I look at sub-second timers in OSPF ('ip ospf dead-timers minimal .....') or BFD? It looks like either would require an IOS upgrade, but I have seen lots of discussion about bugs in BFD. This is only for core interfaces (all cisco 7600 series). We'll be adding MPLS and iBGP on top of this after it's completed.

Common advice seems to be to make actual link-loss detection fast, in preference to using BFD. That said, I know some people use BFD.

Assuming you're using LAN cards, you may want to see if you can make router links as routed rather than SVI interfaces. Though routed interfaces are implemented internally as VLANs, presentations I saw from Cisco claim that this:

  int G7/1
   ip address ...

...will detect link-loss (much) faster than this:

  int Gi7/1
   switchport mode access
   switchport access vlan 300
  int Vlan300
   ip address ...

Also, the OSPF process/SPF timers (as opposed to hello timers) are relevant for fast convergence (rather than link-loss). I did some research recently and concluded that, with a mostly-empty OSPF table, i.e. the bulk of routes in BGP, the following settings were both safe and considerably "better" than the defaults:

  router ospf 1
   ispf
   nsf
   timers throttle spf 10 100 5000
   timers throttle lsa all 10 100 5000
   timers lsa arrival 80

...again based on reading presentations from Cisco and others' advice.
HTH

From dudepron at gmail.com Tue May 12 17:36:43 2009
From: dudepron at gmail.com (Aaron)
Date: Tue, 12 May 2009 17:36:43 -0400
Subject: [c-nsp] MRTG on SONET APS?
In-Reply-To: <4A070AB0.1050806@templin.org>
References: <4A04A34B.2090703@templin.org> <480dad640905092052v72e5da31j5055f8a7a85e195a@mail.gmail.com> <4A070AB0.1050806@templin.org>
Message-ID: <480dad640905121436m53bee409y1c63fcc20c24876d@mail.gmail.com>

That's a different problem. APS wouldn't have anything to do with that. Do you have other interfaces being monitored correctly at the same speed?

Aaron

On Sun, May 10, 2009 at 13:11, Pete Templin wrote:
> Aaron wrote:
>
>> Just monitor both ports as normal. One for each. That's what we used to do.
>
> I'm not getting valid/expected data on either.
>
> pt

From dudepron at gmail.com Tue May 12 17:39:59 2009
From: dudepron at gmail.com (Aaron)
Date: Tue, 12 May 2009 17:39:59 -0400
Subject: [c-nsp] MPLS Header
In-Reply-To: <20090512.135540.74738706.sthaug@nethelp.no>
References: <20090512.135540.74738706.sthaug@nethelp.no>
Message-ID: <480dad640905121439r309ad48fr17ea713a88fac2bd@mail.gmail.com>

8 bytes/4470 bytes (default mtu) = 0.18%

That's per packet assuming they are 4470. So, not enough to worry about it.

Aaron

On Tue, May 12, 2009 at 07:55, wrote:
>> If I have a POS interface (STM-1 link) and I enable MPLS on it, how much header will I lose from the overall capacity (155.52 M), and how will the interface type affect the size?
>
> MPLS labels are 4 bytes each. You typically need 2 labels, thus 8 bytes. There are situations where you might need 3 labels, seldom more.
>
> What percentage this is of the total capacity depends on packet size. If you have to worry about it, it may mean you're doing something wrong.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From leonardo.souza at nec.com.br Tue May 12 18:09:06 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Tue, 12 May 2009 19:09:06 -0300
Subject: [c-nsp] RES: OSPF fast convergence
In-Reply-To: <4A09B47C.8070205@imperial.ac.uk>
References: <4A09AFA4.1070300@rainierconnect.net> <4A09B47C.8070205@imperial.ac.uk>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02476F0E@spsrvmail03.nec.br>

You also may want to configure 'carrier-delay msec 0' on the interface. But you will need to configure dampening on it as well. Tweaking 'timers pacing flood' under the OSPF process is an option, but use it with caution.

If you are using LDP, I would recommend using LDP-IGP synchronization.

Do not forget to configure 'ip ospf network point-to-point' for point-to-point gig interfaces.

Leonardo.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Phil Mayers
Sent: Tuesday, 12 May 2009 14:40
To: Walter Keen
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OSPF fast convergence

Walter Keen wrote:
> When redesigning an OSPF service provider network (default values, with many gig-e links), aside from fixing link cost issues (100mbit is treated the same as gig-e at the moment), should I look at sub-second timers in OSPF ('ip ospf dead-timers minimal .....') or BFD? It looks like either would require an IOS upgrade, but I have seen lots of discussion about bugs in BFD. This is only for core interfaces (all cisco 7600 series). We'll be adding MPLS and iBGP on top of this after it's completed.

Common advice seems to be to make actual link-loss detection fast, in preference to using BFD.
That said, I know some people use BFD. Assuming you're using LAN cards, you may want to see if you can make router links as routed rather than SVI interfaces. Though routed interfaces are implemented internally as VLANs, presentations I saw from Cisco claim that this: int G7/1 ip address ... ...will detect link-loss (much) faster than this: int Gi7/1 switchport mode access switchport access vlan 300 int Vlan300 ip address ... Also, the OSPF process/SPF timers (as opposed to hello timers) are relevant for fast convergence (rather than link-loss). I did some research recently and concluded that, with a mostly-empty OSPF table i.e. bulk of routes in BGP, the following settings were both safe, and considerably "better" than the defaults: router ospf 1 ispf nsf timers throttle spf 10 100 5000 timers throttle lsa all 10 100 5000 timers lsa arrival 80 ...again based on reading presentations from Cisco and others advice. HTH _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From justin at justinshore.com Tue May 12 19:32:49 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 12 May 2009 18:32:49 -0500 Subject: [c-nsp] Certification Ethics In-Reply-To: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> Message-ID: <4A0A0721.5030304@justinshore.com> My reply looks to be about as long as your initial question! Chris T wrote: > I'm stuck. I don't want to cheat. I also don't want to have to work three > or four times harder to achieve the same results as someone else. Moreover, > if even the moderator won't tell me what is fair and what is not, why am I > spending all of this extra effort? > > My questions to the group are: > > -Am I completely out of line here? If so, please tell me how. Yes and no. 
It depends on your perspective. In my opinion you need to change your perspective and view this in a different light.

> -What is an appropriate time to study for a single Cisco test (not expert
> level)? I understand there is a great amount of variance, but ballpark
> figures are what? 100 hours? 500 hours? 1000 hours?

I agree with William's estimate. I spend approximately 50 hours specifically studying for any given test. Most of the knowledge simply comes from doing the work at work. Studying is just to fill in the gaps between what I'm already doing and what I'm about to be tested over.

> -What practice test material do YOU think is or is not fair for preparation
> for a Cisco certification test?

Books. Lots of books. Lab hardware. Lots of lab hardware. C-NSP archives are very helpful too. I have a huge library of Cisco Press books. Add in all the other book publishers and I have a mini LoC in my house. Hands on with actual hardware is required quite frankly for any higher-end test. You're not going to get a good understanding of something unless you actually do it in person first.

To answer your real question about whether using the study guides is "cheating" or not, I'll answer it this way: it depends on how you use the study guides. If you only use the study guides to bone up on the questions and answers in the days leading to your actual exam then yes, quite frankly you're cheating yourself, others competing against you in the industry and whoever employs you. That's purely memorization, not learning.

However, that doesn't mean that the study guides themselves are a bad thing. They're actually quite useful. Let's use you as an example. You own the books. You own lab hardware. You've been studying with both for a lengthy period of time. You know the core components of what the test is about. A few weeks before the test you review a study guide to check your progress and see how well you're doing in your studies. As it turns out the study guide asks you about several things you simply didn't study or didn't study hard enough. Perhaps you didn't delve deep enough into the nitty gritty of IPv6 and multicast. You also didn't do so well on the BGP section. Based on that knowledge you go back and focus in on that material in your books and lab. In this case you've used the study guide material as an actual study guide, not as a cheat sheet. I see absolutely nothing wrong with using study material in this fashion, to study. It's only logical. You're not memorizing the study guide as a way to skimp out on your actual studies. You're using it as a reference to tell you what you need to study.

It's like using the Cliff Notes of Beowulf as a study guide. Sure you read Beowulf, but maybe you missed the subtle meaning of the symbolism used in one of the chapters. Thanks to the Cliff Notes you can see what you missed and then re-read the chapter, thus learning the material. And perhaps you read the book but didn't take away from it all of the funky tidbits that you get tested over. The Cliff Notes point you back in the right direction and help you figure out what you need to learn. That's not cheating.

Along that same line of thinking, the study guides will also help you learn how to answer questions the "Cisco way". I think we can all agree that the actual Cisco tests are less based on what you've run into in real life and more based on what Cisco wants you to know and how they want you to know it. I recently took a Cisco QoS class. One of the first things the instructor did was identify who was taking the class for future testing purposes and who wasn't. Then during the class the instructor made a point to highlight topics where on the test the question should be answered this way, but for the rest of us working in the real world the actual solution would be this. If all you studied was the book and it didn't have the official Cisco answers, then on these types of questions you'd get the question wrong even though you're technically right. This is another reason why the study guides are useful.

It all boils down to this: if your intent is to use the study guides to quickly memorize the material for just long enough to pass the test, then yes, you're cheating. However, if your intent is to use the study guides as a supplement to your actual studies, then no, you are not cheating. So in your case I would say that you're not cheating. You're just using study material for what it's intended to be used for.

Justin

From td_miles at yahoo.com Tue May 12 19:12:57 2009
From: td_miles at yahoo.com (Tony)
Date: Tue, 12 May 2009 16:12:57 -0700 (PDT)
Subject: [c-nsp] SUP720 IDB Limit
Message-ID: <324706.95481.qm@web110104.mail.gq1.yahoo.com>

If you're using the 7200's for L2TP DSL, then I don't think the 7600 can do the LNS role? Feature Navigator shows that VPDN isn't supported on 7600 and our test 7600 doesn't even know about the "vpdn enable" command.

Am I missing something?

regards,
Tony.

--- On Fri, 8/5/09, Stephen Kratzer wrote:

From: Stephen Kratzer
Subject: [c-nsp] SUP720 IDB Limit
To: cisco-nsp at puck.nether.net
Date: Friday, 8 May, 2009, 10:46 PM

All,

We're looking to step up from the 7200 series to the 7600 series for DSL aggregation. Anyone know what the IDB limit is for this platform (#show idb)? We're at about 15000. Thanks.

Stephen Kratzer
Network Engineer
CTI Networks, Inc.

From kgraham at industrial-marshmallow.com Tue May 12 21:53:26 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 12 May 2009 18:53:26 -0700 (PDT)
Subject: [c-nsp] Disabling SSL Version 2.0 on CSM with SSL (WS-X6066-SLB-S-K9)
In-Reply-To: <63fd3a0a0905120638s55602ec9k454f9f4c0010ed5f@mail.gmail.com>
References: <63fd3a0a0905120638s55602ec9k454f9f4c0010ed5f@mail.gmail.com>
Message-ID: <23331.97243.qm@web901.biz.mail.mud.yahoo.com>

> we are now required to disable SSL 2.0 on all SSL proxies.
>
> Looking at the command reference there does not seem to be an option to do this.

It's a trick question; SSLv2 isn't supported (at most, you can configure a destination to shunt v2 traffic to):

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/ssl_srvc.html#wp1051979

> We have a number of CSMs with SSL model WS-X6066-SLB-S-K9 (IOS
> 12.2(18)SXE1 CSM 2.1(5))

Assuming this requirement came from a security review, hopefully the next item of concern is upgrades for both of these...

From zivl at gilat.net Wed May 13 02:24:31 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Wed, 13 May 2009 09:24:31 +0300
Subject: [c-nsp] Certification Ethics
In-Reply-To: <4A09AD4E.8010406@thewybles.com>
References: <6fb803f50905111416h5035453ejed4c57f4c078c9a9@mail.gmail.com> <1242082176.5143.16.camel@localhost.localdomain> <4A08C852.9030809@att.net> <4A09AD4E.8010406@thewybles.com>
Message-ID:

You've got me totally wrong, I'm not bitter and I'm not moaning nor groaning, just telling what I think about it. I disagree with the worldwide certification business; is that being bitter? Is that moaning? If you think my opinion doesn't fit here then I'll refrain from doing it again.
If a manager that is looking to hire someone finds me and is really good at "googling", he may find my "life" certifications; I also have "scouts and references" I can show :)
Yes, he may also find this "groaning" about certifications; well, I didn't say I won't do them, I just say I will avoid it as long as I can.
But there's something I will NEVER do, and that is to put my certification "buzz" initials in my signature! :-D

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Charles Wyble
Sent: Tuesday, May 12, 2009 8:10 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Certification Ethics

Ziv Leyes wrote:
> If we're talking about ethics then I think the whole certification thing is not ethical and unfair,

Life isn't fair. :)

> to classify a person asking 'em for a paper that costs a lot of money to not just get but to "maintain" it's merely doing business on people's back.

Well. I disagree. I think that the CCIE (flawed though its takers may be) is about the only cert that really means something. If someone has taken the test and obtained the number, then you should feel comfortable asking them questions about things at that level. Same thing as if someone has the experience on their resume. The CCIE and all the studying it entails allows someone entering the field to rapidly get up to speed. It's an excellent blueprint.

> I don't remember when the last time a soccer player was asked to show a certification before they pay them millions of dollars/pounds/euros for them to play in the team, they bring them for what they know, not for what they're "certified" to know.

Um. They usually have a pretty good track record at that point. The "certification" is done by scouts and references.

> Too bad the whole world gives this scam a hand and everywhere you go, a certification is worth more than just experience.

Well then go get a certification. If you have the necessary experience then it shouldn't be a problem.

> As long as I can I will remain without any certification. I had a couple in the past I didn't renew and I don't want to have to renew them to be considered "valid". I know what I know and I'm happy my employer pays me for what I do, not for what I'm supposed to know because a paper says it.

You sound pretty bitter. That's unfortunate..... it's usually not a good idea to moan and groan on a list with hundreds or thousands of subscribers. :)

Google is great for hiring managers.

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From tseveendorj at gmail.com Wed May 13 02:43:03 2009
From: tseveendorj at gmail.com (Цэвээндорж ЖиМэйл)
Date: Wed, 13 May 2009 15:43:03 +0900
Subject: [c-nsp] About Multihoming
Message-ID: <4A0A6BF7.4010103@gmail.com>

Hello,

Is it possible to multihome with BGP on one router like a 3825 ISR?

Sincerely,
Tseveendorj.
From sethm at rollernet.us Wed May 13 03:53:19 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 13 May 2009 00:53:19 -0700
Subject: [c-nsp] About Multihoming
In-Reply-To: <4A0A6BF7.4010103@gmail.com>
References: <4A0A6BF7.4010103@gmail.com>
Message-ID: <4A0A7C6F.9040309@rollernet.us>

Цэвээндорж ЖиМэйл wrote:
> Hello,
>
> Is it possible to multihome with BGP on one router like a 3825 ISR?
>

Sure.

~Seth

From gert at greenie.muc.de Wed May 13 03:57:52 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 13 May 2009 09:57:52 +0200
Subject: [c-nsp] About Multihoming
In-Reply-To: <4A0A6BF7.4010103@gmail.com>
References: <4A0A6BF7.4010103@gmail.com>
Message-ID: <20090513075752.GS290@greenie.muc.de>

Hi,

On Wed, May 13, 2009 at 03:43:03PM +0900, Цэвээндорж ЖиМэйл wrote:
> Is it possible to multihome with BGP on one router like a 3825 ISR?

Yes.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Wed May 13 06:09:10 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 13 May 2009 11:09:10 +0100
Subject: [c-nsp] RES: OSPF fast convergence
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02476F0E@spsrvmail03.nec.br>
References: <4A09AFA4.1070300@rainierconnect.net> <4A09B47C.8070205@imperial.ac.uk> <9E07F8717FE8BC4FBAE6860F61EA6C1D02476F0E@spsrvmail03.nec.br>
Message-ID: <4A0A9C46.8090900@imperial.ac.uk>

Leonardo Gama Souza wrote:
> You also may want to configure 'carrier-delay msec 0' on the

The Cisco presentations I read claimed (and my tests seem to confirm) that carrier-delay is already the lowest it can be on 6500/7600 LAN cards. I'd be interested to hear experiences confirming or refuting that.

> interface. But you will need to configure dampening on it as well.

Dampening is a good idea.

> Tweaking 'timers pacing flood' under OSPF process is an option, but
> use it with caution. If you are using LDP, I would recommend using
> LDP-IGP synchronization. Do not forget to configure 'ip ospf network
> point-to-point' for point-to-point gig interfaces.

Of course - shouldn't have missed that!

From dan.sabau at tbm.ro Wed May 13 07:23:36 2009
From: dan.sabau at tbm.ro (Dan Sabau)
Date: Wed, 13 May 2009 14:23:36 +0300
Subject: [c-nsp] 7600 eigrp offset-list problem
Message-ID: <4A0AADB8.7020405@tbm.ro>

Hi,

We have the following problem: if a router reboots, when it comes online the part of the config with the offset-list within router eigrp is ignored; you have to do something like:

conf t
router eigrp X
no offset-list permit-any in 128257 Vlan2764
offset-list permit-any in 128257 Vlan2764

Does anybody know how to fix it?

The IOS is 12.2(33)SRC1; we have tried SRBx and the problem was there too.

10x
--
Dan Sabau
New Com Telecomunicatii SA,
Telefon: 0755049817
Email: dan.sabau at newcom.ro

From savage at savage.za.org Wed May 13 08:44:18 2009
From: savage at savage.za.org (Chris Knipe)
Date: Wed, 13 May 2009 14:44:18 +0200
Subject: [c-nsp] Some advice on switches....
Message-ID: <00fe01c9d3c8$87beacf0$973c06d0$@za.org>

Hi,

We are currently looking to deploy a large scale network with 288 x 10/100 ports. Currently, we are basing this equipment on a configuration of 1 x 24 port 2960, 2 x 48 port 2960 in one cabinet, and 1 x 24 port 2960 with 2 x 48 port 2960 in another cabinet. This is then tied together at a 3560 24 port 10/100/1000 switch with 4 SFPs for future expansion (naturally, running things like EtherChannels between all the 2960 switches).

Based on the large amount of 10/100 ports required, I believe that it would be cheaper to invest in a modular switch, such as a 6500, and just add a few blades.
So far, the bit of pricing I have seen on the blades is very, very cheap. Our requirements would be for 288 10/100 ports, and a few (no more than 16, 24 max) 1GB ports, and hey, fantastic if we can later upgrade to 10GB interfaces by installing a module.

What I am wondering is how close to EOL is the 6500 series? Those switches have been around for quite a while, and I see that certain models are already at EOL. What could I possibly look at? We don't require a massively fast backplane, nor long distance capabilities at this stage - frankly, the network would perform very well with the 2960s and 3560s as mentioned above - I am looking at a modular switch at this stage purely from a pricing perspective.

If I am to look at a 6500 (or another model), what kind of modules would I need to look at? I've seen lots of different modules for the 6500 already, but apart from the actual blades with the Ethernet ports, I'm a bit lost as to what is required....

Thanks a lot, and I look forward to some constructive criticism as always :)

Regards,
Chris.

From asturluismi at gmail.com Wed May 13 09:59:27 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 13 May 2009 15:59:27 +0200
Subject: [c-nsp] 7600 eigrp offset-list problem
In-Reply-To: <4A0AADB8.7020405@tbm.ro>
References: <4A0AADB8.7020405@tbm.ro>
Message-ID: <1242223167.7504.25.camel@dsba-ipso>

Same IOS here, similar code...

We use under address-family...

offset-list 0 out 25 Port-channel1.xxx

We will take a look at the config after a reboot. We didn't reboot the router yet.

Do you know if it is a well known bug? Did you open a SR to ask for a reason for this behaviour?

On Wed, 13-05-2009 at 14:23 +0300, Dan Sabau wrote:
> Hi,
> we have the following problem, if a router reboots when it comes online
> the part of the config with the offset-list within router eigrp is
> ignored, you have to do something like:
> conf t
> router eigrp X
> no offset-list permit-any in 128257 Vlan2764
> offset-list permit-any in 128257 Vlan2764
> Does anybody know how to fix it?
> The ios is: 12.2(33)SRC1 we have tried SRBx and the problem was there too.
> 10x
>

From vijay.ramcharan at verizonbusiness.com Wed May 13 11:30:07 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Wed, 13 May 2009 15:30:07 +0000
Subject: [c-nsp] 7600 eigrp offset-list problem
In-Reply-To: <1242223167.7504.25.camel@dsba-ipso>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB3A132B4@ASHEVS006.mcilink.com>

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: May 13, 2009 09:59
To: Dan Sabau
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7600 eigrp offset-list problem

Same IOS here, similar code...

We use under address-family...

offset-list 0 out 25 Port-channel1.xxx

We will take a look at the config after a reboot. We didn't reboot the router yet.

Do you know if it is a well known bug? Did you open a SR to ask for a reason for this behaviour?

On Wed, 13-05-2009 at 14:23 +0300, Dan Sabau wrote:
> Hi,
> we have the following problem, if a router reboots when it comes online
> the part of the config with the offset-list within router eigrp is
> ignored, you have to do something like:
> conf t
> router eigrp X
> no offset-list permit-any in 128257 Vlan2764
> offset-list permit-any in 128257 Vlan2764
> Does anybody know how to fix it?
> The ios is: 12.2(33)SRC1 we have tried SRBx and the problem was there too.
> 10x
>

Interesting problem. Labbed it up with available hw (1700 and 7206). 1700 runs 12.4.17. Offset list seemed to work after reboot of the 1700 (where the offset list was applied). I can only assume that you have a platform/code version issue.

Did you try using a route-map to achieve the same functionality? Is the behavior the same? i.e.

router eigrp
 distribute-list route-map
 match ip address
 set metric +/-

From rgallagh at cisco.com Wed May 13 10:53:59 2009
From: rgallagh at cisco.com (Richard Gallagher)
Date: Wed, 13 May 2009 15:53:59 +0100
Subject: [c-nsp] crs-1 ISSU?
In-Reply-To:
References:
Message-ID: <784B4867-EC48-46D4-93DF-B54807583D92@cisco.com>

The only answer without more info is "it depends" unfortunately. What release are you upgrading from and going to?

I'd start with the upgrade guides here:

http://www.cisco.com/web/Cisco_IOS_XR_Software/index.html

Rich

On 12 May 2009, at 17:41, Marlon Duksa wrote:

> Hi, Can anyone point me to the documentation where it says that Cisco
> IOS-XR on CRS-1 supports true in-service-software-upgrades (ISSU)?
>
> I've been looking on CCO but all they talk about in IOS XR is ISSU where
> they patch a code and things like that.
>
> What I'm looking for is to upgrade a CRS-1 to a new software image with a
> subsecond outage. This means upgrading the control plane and line
> cards with the new software images with subsecond outage. Not just a
> specific software module or a line card but the whole system to upgrade
> between two major releases.
>
> I assume that non stop routing (not forwarding) would be a
> prerequisite for this, but it seems that they support NSR only for ISIS.
> NSR implies stateful failover where all protocol states/transactions are
> mirrored and synched between two routing engines. For example, BGP TCP
> sessions stay the same during the routing engine failover.
>
> Thanks,
> Marlon
>

From kratzers at ctinetworks.com Wed May 13 11:46:06 2009
From: kratzers at ctinetworks.com (Stephen Kratzer)
Date: Wed, 13 May 2009 11:46:06 -0400
Subject: [c-nsp] SUP720 IDB Limit
In-Reply-To: <324706.95481.qm@web110104.mail.gq1.yahoo.com>
References: <324706.95481.qm@web110104.mail.gq1.yahoo.com>
Message-ID: <200905131146.07182.kratzers@ctinetworks.com>

On Tuesday 12 May 2009 19:12:57 Tony wrote:
> If you're using the 7200's for L2TP DSL, then I don't think the 7600 can do
> LNS role ?
>

VPDN is available with the SP feature set.

> Feature navigator shows that VPDN isn't supported on 7600 and our test 7600
> doesn't even know about the "vpdn enable" command.
>
> Am I missing something ?
>
>
> regards,
> Tony.
>
>
>
> --- On Fri, 8/5/09, Stephen Kratzer wrote:
>
> From: Stephen Kratzer
> Subject: [c-nsp] SUP720 IDB Limit
> To: cisco-nsp at puck.nether.net
> Date: Friday, 8 May, 2009, 10:46 PM
>
> All,
>
> We're looking to step up from the 7200 series to the 7600 series for DSL
> aggregation. Anyone know what the IDB limit is for this platform (#show
> idb)? We're at about 15000. Thanks.
>
> Stephen Kratzer
> Network Engineer
> CTI Networks, Inc.

From vitya at list.ru Wed May 13 15:32:23 2009
From: vitya at list.ru (victor)
Date: Wed, 13 May 2009 19:32:23 -0000
Subject: [c-nsp] is-is question
Message-ID:

Hi

Because of a recent change of the organizational structure of the company I'm employed by, I was given an order to migrate all the current routing infrastructure (a couple of c7604, c7201 and a dozen c4924) from OSPF to IS-IS. I've never worked with IS-IS before and after a bit of studying I feel comfortable enough with the concept and a possible migration strategy. The only question I have so far is what IS-IS level should I prefer? With OSPF all devices reside in Area 0. Naturally the closest match from the IS-IS world would be to configure only one level-1 area. But during my search of the web for best practices I saw somewhere that with the same result I could put each device into a separate area, configuring only level-2 inter-area routing, and completely abandon the idea of level-1.

I'd very much like to hear your opinion on this matter.

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

From sthaug at nethelp.no Wed May 13 15:50:10 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 13 May 2009 21:50:10 +0200 (CEST)
Subject: [c-nsp] is-is question
In-Reply-To:
References:
Message-ID: <20090513.215010.74714401.sthaug@nethelp.no>

> Because of a recent change of the organizational structure of the company
> I'm employed by I was given an order to migrate all the current routing
> infrastructure (a couple of c7604, c7201 and a dozen of c4924) from OSPF
> to is-is. I've never worked with is-is before and after a bit of studying
> I feel comfortable enough with the concept and a possible migration
> strategy. The only question I have so far is what is-is level should I
> prefer? With OSPF all devices reside in Area 0.
> Naturally the closest
> match from is-is world would be to configure only one level-1 area.

No, absolutely not. One level-2 area is what you want.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From geoff at pendery.net Wed May 13 15:52:34 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Wed, 13 May 2009 14:52:34 -0500
Subject: [c-nsp] Some advice on switches....
In-Reply-To: <00fe01c9d3c8$87beacf0$973c06d0$@za.org>
References: <00fe01c9d3c8$87beacf0$973c06d0$@za.org>
Message-ID:

You might want to look at 4500 Series switches, rather than 6500. If 2960's were sufficient for your requirements (no advanced routing, Netflow, NBAR, etc) then 4500 is closer to an apples-to-apples comparison than 6500. 4500 will generally be cheaper than 6500, especially when taking maintenance/Smartnet into account (though YMMV).

The other upside to chassis based is that if the day ever comes you want to move your 10/100 ports up to 10/100/1000, it'll probably be cheaper/easier to swap blades than to buy all new stackables.

Also, if you decide to stick with the 2960's, my two cents would be to just buy 6 x 48 port, instead of 2 x 24 and 4 x 48. Where possible, it's nice to work on a single model. You can purchase a single spare which would swap in for any failed unit. You can work off a simpler standard config template. You only have to become intimately familiar with one hardware platform (though obviously 2960-24 would be pretty similar to 2960-48). It just helps to simplify things, making your "building blocks" more interchangeable and uniform. Also leaves room to expand or test or "hot cut" existing connections.

-Geoff

On Wed, May 13, 2009 at 7:44 AM, Chris Knipe wrote:
> Hi,
>
> We are currently looking to deploy a large scale network with 288 x 10/100
> ports. Currently, we are basing this equipment on a configuration of 1 x 24
> port 2960, 2 x 48 port 2960 in one cabinet, and 1 x 24 port 2960 with 2 x 48
> port 2960 in another cabinet. This is then tied together at a 3560 24 port
> 10/100/1000 switch with 4 SFPs for future expansion (naturally, running
> things like EtherChannels between all the 2960 switches).
>
> Based on the large amount of 10/100 ports required, I believe that it
> would be cheaper to invest in a modular switch, such as a 6500, and just
> add a few blades. So far, the bit of pricing I have seen on the blades is
> very, very cheap. Our requirements would be for 288 10/100 ports, and a few
> (no more than 16, 24 max) 1GB ports, and hey, fantastic if we can later
> upgrade to 10GB interfaces by installing a module.
>
> What I am wondering is how close to EOL is the 6500 series? Those switches
> have been around for quite a while, and I see that certain models are already
> at EOL. What could I possibly look at? We don't require a massively fast
> backplane, nor long distance capabilities at this stage - frankly, the
> network would perform very well with the 2960s and 3560s as mentioned above
> - I am looking at a modular switch at this stage purely from a pricing
> perspective.
>
> If I am to look at a 6500 (or another model), what kind of modules would I
> need to look at? I've seen lots of different modules for the 6500 already,
> but apart from the actual blades with the Ethernet ports, I'm a bit lost as
> to what is required....
>
> Thanks a lot, and I look forward to some constructive criticism as always :)
>
> Regards,
> Chris.
>

From desolationrob at gmail.com Wed May 13 16:06:40 2009
From: desolationrob at gmail.com (Robert Maier)
Date: Wed, 13 May 2009 22:06:40 +0200
Subject: [c-nsp] About Multihoming
In-Reply-To: <4A0A6BF7.4010103@gmail.com>
References: <4A0A6BF7.4010103@gmail.com>
Message-ID: <045FAF84-D706-41A9-9641-CB4D593ADB2B@gmail.com>

But if you are using multihoming, one router alone is a single point of failure. So in most cases you would use 2 routers with HSRP on the LAN side.

On 13.05.2009 at 08:43, Цэвээндорж ЖиМэйл wrote:
> Hello,
>
> Is it possible to multihome with BGP on one router like a 3825 ISR?
>
> Sincerely,
> Tseveendorj.

From jeff-kell at utc.edu Wed May 13 16:16:55 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 13 May 2009 16:16:55 -0400
Subject: [c-nsp] Some advice on switches....
In-Reply-To:
References: <00fe01c9d3c8$87beacf0$973c06d0$@za.org>
Message-ID: <4A0B2AB7.9030502@utc.edu>

Geoffrey Pendery wrote:
> You might want to look at 4500 Series switches, rather than 6500.
> If 2960's were sufficient for your requirements (no advanced routing,
> Netflow, NBAR, etc) then 4500 is closer to an apples-to-apples
> comparison than 6500.
> 4500 will generally be cheaper than 6500, especially when taking
> maintenance/Smartnet into account (though YMMV).

One caveat with 4500s: be mindful of your bandwidth limitations. For a classic non-E chassis and/or traditional supervisor blade (Sup-IV or less), you're dealing with a 6Gbps/slot backplane limitation.
You may be OK with your 10/100 blades, but some of the classic 10/100/1000 ones such as the WS-X4448 you are as much as 8:1 oversubscribed onto that 6Gbps/slot. The 2960 backplane is smoking hot in comparison (but you're still limited in uplink b/w). The E-series chassis with a hot supervisor will get you 24Gbps/slot. Jeff From eng_mssk at hotmail.com Wed May 13 16:17:20 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Wed, 13 May 2009 23:17:20 +0300 Subject: [c-nsp] Inventory tool Message-ID: hey all i am looking for an inventory tool to store for example the serial numbers of routers and associated modules is there any software that can extract these information and store it as well? Thanks _________________________________________________________________ Show them the way! Add maps and directions to your party invites. http://www.microsoft.com/windows/windowslive/products/events.aspx From frnkblk at iname.com Wed May 13 13:12:10 2009 From: frnkblk at iname.com (Frank Bulk) Date: Wed, 13 May 2009 12:12:10 -0500 Subject: [c-nsp] OSPF "transitions" In-Reply-To: <8009FE6F1E890047837BD8444BC81EFB03B53AF0A0@server3.mutualtel.mtcnet.net> References: <8009FE6F1E890047837BD8444BC81EFB03B53AF0A0@server3.mutualtel.mtcnet.net> Message-ID: I think I can answer my own question: OID Object Type Value 1.3.6.1.2.1.14.7.1.15.a.b.156.197.0 ospfIfEvents COUNTER 53 1.3.6.1.2.1.14.7.1.15.a.b.156.202.0 ospfIfEvents COUNTER 4 1.3.6.1.2.1.14.7.1.15.a.b.180.138.0 ospfIfEvents COUNTER 86 OID Object Type Value 1.3.6.1.2.1.14.10.1.7.a.b.156.194.0 ospfNbrEvents COUNTER 12 1.3.6.1.2.1.14.10.1.7.a.b.156.201.0 ospfNbrEvents COUNTER 12 1.3.6.1.2.1.14.10.1.7.a.b.180.137.0 ospfNbrEvents COUNTER 6 OID Object Type Value 1.3.6.1.2.1.14.10.1.6.a.b.156.194.0 ospfNbrState INTEGER "full (8)" 1.3.6.1.2.1.14.10.1.6.a.b.156.201.0 ospfNbrState INTEGER "full (8)" 1.3.6.1.2.1.14.10.1.6.a.b.180.137.0 ospfNbrState INTEGER "full (8)" The ospfNbrState could change too quickly that my poll period would 
miss it, but the other two would increment.

Frank

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com]
Sent: Wednesday, May 13, 2009 11:47 AM
To: 'cisco-nsp at puck.nether.net'
Subject: OSPF "transitions"

I would like to be able to monitor when an OSPF event (such as DOWN,
LOADING, etc) occurred using SNMP polling, rather than traps or syslog.
It could be a counter or a date with the last time a certain event
occurred.  Is that possible?  I looked through the Cisco private MIBs and
I couldn't find anything like that.

Frank

From ddunkin at netos.net Wed May 13 16:26:52 2009
From: ddunkin at netos.net (Darryl Dunkin)
Date: Wed, 13 May 2009 13:26:52 -0700
Subject: [c-nsp] Inventory tool
In-Reply-To:
References:
Message-ID: <56F5BC5F404CF84896C447397A1AAF20F92100@MAIL.nosi.netos.com>

RANCID includes various hardware output with serial numbers and
revisions, along with full configurations:
http://www.shrubbery.net/rancid

Netdot does some of this as well:
http://netdot.uoregon.edu

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Wednesday, May 13, 2009 13:17
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Inventory tool

hey all
i am looking for an inventory tool to store for example the serial
numbers of routers and associated modules
is there any software that can extract these information and store it as
well?
Thanks From kgraham at industrial-marshmallow.com Wed May 13 15:37:28 2009 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Wed, 13 May 2009 12:37:28 -0700 (PDT) Subject: [c-nsp] PFC3/3B/3C ACL support Message-ID: <599296.78446.qm@web908.biz.mail.mud.yahoo.com> The "Understanding ACL on Catalyst 6500 Switches"[1] white paper indicates that: All TCP session traffic, except for the TCP three-way handshake (SYN, SYN/ACK, ACK) and session close (FIN/RST), is handled in hardware ...which makes sense for reflexive ACL's, but is that also true for extended ACL's matching TCP flags? The need to punt on these flows for reflexive's would suggest that they can be distinguished in hardware and based on 'sh tcam int ...' it would seem that there are masks allocated for TCP flags[2] that could presumably be leveraged for 'simple' filtering. With the convenience of object-group/port-group in SXI, I'm inclined to spend some time improving ACL usage on 6500's and was hoping to make them a little more correct at the same time. 
[1] http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml [2] http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s6.html#wp1013139 From charles at thewybles.com Wed May 13 16:40:55 2009 From: charles at thewybles.com (Charles Wyble) Date: Wed, 13 May 2009 13:40:55 -0700 Subject: [c-nsp] Inventory tool In-Reply-To: <56F5BC5F404CF84896C447397A1AAF20F92100@MAIL.nosi.netos.com> References: <56F5BC5F404CF84896C447397A1AAF20F92100@MAIL.nosi.netos.com> Message-ID: <4A0B3057.9040200@thewybles.com> Check out http://inventory.alterpoint.com/ Darryl Dunkin wrote: > RANCID includes various hardware output with serial numbers and > revisions, along with full configurations: > http://www.shrubbery.net/rancid > > Netdot does some of this as well: > http://netdot.uoregon.edu > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Wednesday, May 13, 2009 13:17 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Inventory tool > > > hey all > i am looking for an inventory tool to store for example the serial > numbers of routers and associated modules > is there any software that can extract these information and store it as > well? > > Thanks > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From brett at looney.id.au Sun May 10 22:15:56 2009 From: brett at looney.id.au (Brett Looney) Date: Mon, 11 May 2009 10:15:56 +0800 Subject: [c-nsp] Nexus 5000? 
In-Reply-To: References: <4A01BEB9.4080402@chrisserafin.com><4A01FB6D.10703@thewybles.com><483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com><4A07004D.50302@harg.net> <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> Message-ID: <053601c9d1de$6d55e360$4801aa20$@id.au> Don't necessarily take the table at that URL at face value. For example, it says that the ME3750 supports the GLC-T at 10/100/1000 and it does but only in certain ports. B. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles Sent: Monday, 11 May 2009 09:39 To: Matthew Huff; Will Hargrave Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Nexus 5000? This URL sums it up pretty well: http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compa tibility/matrix/OL_6981.html#wp108824 Note some say 10/100/1000 for the GLC-T, and some just say 1000BaseT Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Huff Sent: Sunday, May 10, 2009 7:21 PM To: Will Hargrave Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Nexus 5000? Thanks. It appears that some of the fixed configuration switches that have SFP ports can be 10/100/1000. I've never run into that, as all the SFP ports I've seen on the 6500/7600 are fixed at 1G. I thought it was a SFP thing, but apparently not. ---- Matthew Huff?????? | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com? | Phone: 914-460-4039 aim: matthewbhuff? | Fax:?? 914-460-4139 -----Original Message----- From: Will Hargrave [mailto:will at harg.net] Sent: Sunday, May 10, 2009 12:27 PM To: Matthew Huff Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Nexus 5000? Matthew Huff wrote: > It's an SFP port rather than a copper 10/100/1000. Every Cisco SFP port fiber or copper is 1g only. Not true. E.g. 
on a c3750g

ap-c3750g-1#show int status
Port      Name      Status       Vlan   Duplex  Speed   Type
Gi1/0/6   ap-974a   connected    trunk  a-full  a-1000  1000BaseSX SFP
Gi1/0/10  ap-ups1   connected    1      a-full  a-100   10/100/1000BaseTX SFP
Gi1/0/11  ap-rt1    connected    trunk  a-full  a-1000  10/100/1000BaseTX SFP

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From frnkblk at iname.com Wed May 13 12:47:29 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 13 May 2009 11:47:29 -0500
Subject: [c-nsp] OSPF "transitions"
Message-ID:

I would like to be able to monitor when an OSPF event (such as DOWN,
LOADING, etc) occurred using SNMP polling, rather than traps or syslog.
It could be a counter or a date with the last time a certain event
occurred.  Is that possible?  I looked through the Cisco private MIBs and
I couldn't find anything like that.

Frank

From pshem.k at gmail.com Wed May 13 16:55:10 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Thu, 14 May 2009 08:55:10 +1200
Subject: [c-nsp] High memory utilisation on ASR 1004
Message-ID: <20fe625b0905131355u9dd132ek5b894c4995da6d39@mail.gmail.com>

Hi,

We use ASR 1004 for internet peering. I've noticed that despite the
fact that the device should have 4G of RAM (2G for each IOS), it only
reports about 750M:

cisco ASR1004 (RP1) processor with 750908K/6147K bytes of memory.
10 Gigabit Ethernet interfaces
1 Ten Gigabit Ethernet interface
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.

Why is there such a huge difference?
Other thing that I've noticed - after bringing first full feed the free
memory dropped by almost 300M, after bringing two more peers we're down
another 200M, even though the BGP summary doesn't reflect that:

BGP router identifier 172.16.31.212, local AS number axaz
BGP table version is 1499020, main routing table version 1499020
319336 network entries using 45345712 bytes of memory
1754099 path entries using 119278732 bytes of memory
521347/50531 BGP path/bestpath attribute entries using 39622372 bytes of memory
12 BGP rrinfo entries using 288 bytes of memory
105606 BGP AS-PATH entries using 2952666 bytes of memory
5844 BGP community entries using 579940 bytes of memory
18 BGP extended community entries using 608 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 207780318 total bytes of memory
853191 received paths for inbound soft reconfiguration
BGP activity 451647/132207 prefixes, 2813379/1059265 paths, scan interval 15 secs

And the last thing - there seem to be a lot of memory allocated to the
SBC process:
(sh processes memory sorted)

Processor Pool Total:  768844520 Used:  666617736 Free:  102226784
 lsmpi_io Pool Total:    6295088 Used:    6294116 Free:        972

 PID TTY   Allocated      Freed    Holding    Getbufs    Retbufs Process
 247   0   524286824  156132532  372840416          0          0 BGP Router
   0   0   157038032   10062300  127440824          0          0 *Init*
 339   0    74528188        548   74698500          0          0 SBC main process
 160   0    91102924    1746296   74647640          0          0 IP RIB Update
 221   0     7073896     320908    7097036          0          0 BGP Scanner
  90   0     4017044      39640    2498096          0          0 CWAN OIR Handler
  52   0     2309192       2832    1977032          0          0 IOSD ipc task
   1   0      540036       3104     554072          0          0 Chunk Manager
   0   0           0          0     462436          0          0 *MallocLite*
  27   0      802824       2464     436260          0          0 IPC Seat Control
   0   0  1425513440 1426114596     375724    7275888          0 *Dead*
  18   0      299268          0     321720     113400          0 EEM ED Syslog

How can I claim that memory back?
kind regards Pshem From achatz at forthnet.gr Wed May 13 17:06:42 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Thu, 14 May 2009 00:06:42 +0300 Subject: [c-nsp] Inventory tool In-Reply-To: References: Message-ID: <4A0B3662.7090401@forthnet.gr> CiscoWorks LMS includes a nice inventory module (RME), but the whole package (which you must buy) is too bloated. http://www.cisco.com/en/US/products/sw/cscowork/ps2073/index.html http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0.5/user/guide/invent.html#wp1077764 -- Tassos Mohammad Khalil wrote on 13/05/2009 23:17: > hey all > i am looking for an inventory tool to store for example the serial numbers of routers and associated modules > is there any software that can extract these information and store it as well? > > Thanks > > _________________________________________________________________ > Show them the way! Add maps and directions to your party invites. > http://www.microsoft.com/windows/windowslive/products/events.aspx > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From achatz at forthnet.gr Wed May 13 17:33:44 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Thu, 14 May 2009 00:33:44 +0300 Subject: [c-nsp] High memory utilisation on ASR 1004 In-Reply-To: <20fe625b0905131355u9dd132ek5b894c4995da6d39@mail.gmail.com> References: <20fe625b0905131355u9dd132ek5b894c4995da6d39@mail.gmail.com> Message-ID: <4A0B3CB8.3010605@forthnet.gr> Dual IOSd processes in ASR1000 SW redundancy result in both the active and standby process having access to about 750MB of RP memory (each); what is left is used by other RP processes. Check "sh platform soft status contr" for more details about RP mem usage. Regarding the SBC thing... i had the same problem...but i haven't got any answer yet. 
PS: To be honest, i haven't found any real advantage of sw redundancy yet. I only met more issues. -- Tassos Pshem Kowalczyk wrote on 13/05/2009 23:55: > Hi, > > We use ASR 1004 for internet peering. I've noticed that despite the > fact that the device should have 4G of RAM (2G for each IOS), it only > reports about 750M: > > > cisco ASR1004 (RP1) processor with 750908K/6147K bytes of memory. > 10 Gigabit Ethernet interfaces > 1 Ten Gigabit Ethernet interface > 32768K bytes of non-volatile configuration memory. > 4194304K bytes of physical memory. > > Why is there such a huge difference? > > Other thing that I've noticed - after bringing first full feed the > free memory dropped by almost 300M, after bringing two more peers > we're down another 200M, even though the BGP summary doesn't reflect > that: > > BGP router identifier 172.16.31.212, local AS number axaz > BGP table version is 1499020, main routing table version 1499020 > 319336 network entries using 45345712 bytes of memory > 1754099 path entries using 119278732 bytes of memory > 521347/50531 BGP path/bestpath attribute entries using 39622372 bytes of memory > 12 BGP rrinfo entries using 288 bytes of memory > 105606 BGP AS-PATH entries using 2952666 bytes of memory > 5844 BGP community entries using 579940 bytes of memory > 18 BGP extended community entries using 608 bytes of memory > 0 BGP route-map cache entries using 0 bytes of memory > 0 BGP filter-list cache entries using 0 bytes of memory > BGP using 207780318 total bytes of memory > 853191 received paths for inbound soft reconfiguration > BGP activity 451647/132207 prefixes, 2813379/1059265 paths, scan > interval 15 secs > > And the last thing - there seem to be a lot of memory allocated to the > SBC process: > (sh processes memory sorted) > > Processor Pool Total: 768844520 Used: 666617736 Free: 102226784 > lsmpi_io Pool Total: 6295088 Used: 6294116 Free: 972 > > PID TTY Allocated Freed Holding Getbufs Retbufs Process > 247 0 524286824 156132532 
372840416 0 0 BGP Router > 0 0 157038032 10062300 127440824 0 0 *Init* > 339 0 74528188 548 74698500 0 0 SBC main process > 160 0 91102924 1746296 74647640 0 0 IP RIB Update > 221 0 7073896 320908 7097036 0 0 BGP Scanner > 90 0 4017044 39640 2498096 0 0 CWAN OIR Handler > 52 0 2309192 2832 1977032 0 0 IOSD ipc task > 1 0 540036 3104 554072 0 0 Chunk Manager > 0 0 0 0 462436 0 0 *MallocLite* > 27 0 802824 2464 436260 0 0 IPC Seat Control > 0 0 1425513440 1426114596 375724 7275888 0 *Dead* > 18 0 299268 0 321720 113400 0 EEM ED Syslog > > How can i claim that memory back? > > kind regards > Pshem > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From peter at rathlev.dk Wed May 13 17:37:05 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 13 May 2009 23:37:05 +0200 Subject: [c-nsp] Some advice on switches.... In-Reply-To: <00fe01c9d3c8$87beacf0$973c06d0$@za.org> References: <00fe01c9d3c8$87beacf0$973c06d0$@za.org> Message-ID: <1242250625.3989.11.camel@localhost.localdomain> On Wed, 2009-05-13 at 14:44 +0200, Chris Knipe wrote: > What I am wondering, is how close to EOL is the 6500 series? Those > switches has been around for quite a while, and I see that certain > models are already at EOL. What could I possibly look at? I sincerely hope that they don't EoL the 6500 as such in the near future. :-) I think you can count on it being around for at least several years to come. Both hardware and software development is still happening (VSS, SXI as examples) and I think they make plenty of money from it. As others mention the 6500 might not be the best for the job. A Sup32 limits you to 32 Gb/s total, much lower than e.g. the 3560 backplane. A Sup720 is faster but makes the system somewhat more expensive. > If I am to look at a 6500 (or another model), what kind of modules would I > need to look at? 
I've seen lots of different modules for the 6500 already, > but apart from the actual blades with the Ethernet ports, I'm a bit lost as > to what is required.... Card type would depend on whether you need PoE and other things. Take a look at this data sheet: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet0900aecd8017376e.html http://tinyurl.com/2uom4p Something like WS-X6148A-45AF might be interesting. Regards, Peter From brett at looney.id.au Sun May 10 21:41:22 2009 From: brett at looney.id.au (Brett Looney) Date: Mon, 11 May 2009 09:41:22 +0800 Subject: [c-nsp] Nexus 5000? In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> Message-ID: <053201c9d1d9$996a2ab0$cc3e8010$@id.au> > It's an SFP port rather than a copper 10/100/1000. > Every Cisco SFP port fiber or copper is 1g only. Not true. The GLC-T can do 10/100/1000 in some platforms but it is highly platform and software dependent and I wouldn't rely on the Cisco website to give you the right information. B. From savage at savage.za.org Wed May 13 18:01:47 2009 From: savage at savage.za.org (Chris Knipe) Date: Thu, 14 May 2009 00:01:47 +0200 Subject: [c-nsp] Some advice on switches.... In-Reply-To: <4A0B2AB7.9030502@utc.edu> References: <00fe01c9d3c8$87beacf0$973c06d0$@za.org> <4A0B2AB7.9030502@utc.edu> Message-ID: <02da01c9d416$69600800$3c201800$@za.org> Hi, > > You might want to look at 4500 Series switches, rather than 6500. > > If 2960's were sufficient for your requirements (no advanced routing, > > Netflow, NBAR, etc) then 4500 is closer to an apples-to-apples > > comparison than 6500. > > 4500 will generally be cheaper than 6500, especially when taking > > maintenance/Smartnet into account (though YMMV). 
>
> For a classic non-E chassis and/or traditional supervisor blade (Sup-IV
> or less), you're dealing with a 6Gbps/slot backplane limitation.  You
> may be OK with your 10/100 blades, but some of the classic 10/100/1000
> ones such as the WS-X4448 you are as much as 8:1 oversubscribed onto
> that 6Gbps/slot.  The 2960 backplane is smoking hot in comparison (but
> you're still limited in uplink b/w).
>
> The E-series chassis with a hot supervisor will get you 24Gbps/slot.

Thank you all for the input.  I would definitely agree 4500 too rather than
6500.  The main purpose of this deployment is for Triple Play services, IPTV,
Telephony, as well as Data.  IGMP Multicast is critical for the IPTV and
almost all 10/100 Ethernet ports will be running at least 3 VLANs.  A single
switch will also make that much easier in my opinion...

I've spent a bit of time on Cisco.com now, and I just want everyone to give
this a once over and ensure that there isn't anything I missed before I send
this off to suppliers for costing - if I can ask that someone also just check
for compatibility, I would appreciate it.  I am not sure at this stage about
the NetFlow Services Card, whether or not it would be compatible with the
Supervisor.  I've worked a lot with the smaller fixed configuration Ciscos,
but this is going to be all new to me in terms of size...
Cisco Catalyst 4510R-E Chassis:
1 x WS-C4510R-E         Cisco Catalyst E Series 4510R Switch (10-slot chassis), fan, no power supply; redundant supervisor capable
2 x PWR-C45-1400AC      Cisco Catalyst 4500 Series 1400W AC power supply (data only)
1 x S45EIPB-12240SG(=)  Cisco IOS Software for Supervisor Engine 6-E (IP Base image)
1 x WS-X45-Sup6-E       Cisco Catalyst 4500 E Series Supervisor Engine 6-E, 2x10GE (X2) or 4x1GE (SFP), Console RJ-45,USB
1 x WS-X45-Sup6-E/2     Cisco Catalyst 4500 Redundant Supervisor Engine 6-E, 2x10GE (X2) or 4x1GE (SFP), Console RJ-45,USB
1 x MEM-C4K-FLD128M     Cisco Catalyst 4500 Cisco IOS Software-Based Supervisor Engine, Compact Flash memory, 128-MB option
1 x WS-F4531(=)         Cisco Catalyst 4500 NetFlow Services Card

Cisco Catalyst 4510R-E Line Cards:
5 x WS-X4148-RJ(=)      Cisco Catalyst 4500 10/100 Module, 48 ports (RJ-45)
1 x WS-X4424-GB-RJ45(=) Cisco Catalyst 4500 24-port 10/100/1000 Module (RJ-45)

Thank you all for your time and feedback,

Regards,
Chris.

From rdobbins at arbor.net Wed May 13 18:15:57 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Thu, 14 May 2009 05:15:57 +0700
Subject: [c-nsp] Some advice on switches....
In-Reply-To: <02da01c9d416$69600800$3c201800$@za.org>
References: <00fe01c9d3c8$87beacf0$973c06d0$@za.org> <4A0B2AB7.9030502@utc.edu> <02da01c9d416$69600800$3c201800$@za.org>
Message-ID:

On May 14, 2009, at 5:01 AM, Chris Knipe wrote:

> Thank you all for your time and feedback,

Be sure to do due diligence with regards to the specifics of NetFlow
support, uRPF support, ACL functionality, and any other features you'll be
using on the platform(s) in question (assuming features are important to
you in this scenario, that is).  You don't want surprises later on when
you decide to enable something, only to learn that it isn't supported, or
its implementation differs from other platforms, etc.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.
-- Kevin Lawton From petelists at templin.org Wed May 13 17:58:50 2009 From: petelists at templin.org (Pete Templin) Date: Wed, 13 May 2009 16:58:50 -0500 Subject: [c-nsp] Some advice on switches.... In-Reply-To: <00fe01c9d3c8$87beacf0$973c06d0$@za.org> References: <00fe01c9d3c8$87beacf0$973c06d0$@za.org> Message-ID: <4A0B429A.9040307@templin.org> Chris Knipe wrote: > What I am wondering, is how close to EOL is the 6500 series? Those switches > has been around for quite a while, and I see that certain models are already > at EOL. What could I possibly look at? We don't require a massively fast > backplane, nor long distance capabilities at this stage - frankly, the > network would perform very well with the 2960s and 3560s as mentioned above > - I am looking at a modular switch at this stage, purely from a pricing > perspective. Cisco and CDW did a series of lunch-n-learn sessions. It's rather convenient working across the hall from Cisco! At a LAN switching L&L nearly a year ago, the Cisco SE mentioned that the 6500 series is road-mapped through 2015. I found some other "External Update" document that shows a lifecycle that touches 2020 (that could be EOL in 2015 plus the standard five years of support beyond EOL). That "chronology" shows 2010 being a "Big Bang" with a Sup-2T, a PFC4 (Earl 8), and 40G interfaces. Mid-2011 shows EARL9 and some other acronyms. Somewhere between 2012 and 2020 it mentions 40G/100G interfaces. So, I think there's more to come... pt From td_miles at yahoo.com Wed May 13 18:44:58 2009 From: td_miles at yahoo.com (Tony) Date: Wed, 13 May 2009 15:44:58 -0700 (PDT) Subject: [c-nsp] SUP720 IDB Limit Message-ID: <533414.81350.qm@web110107.mail.gq1.yahoo.com> Surely feature navigator wouldn't lie to me ? If I select either "Virtual Private Dial-up Network (VPDN)" or "L2TP Layer 2 Tunneling Protocol" as the feature I need (or both) and then try to select the platform from the list of available ones then 7600 isn't listed at all. 
The software I have on our test 7600 is 12.2(33) SRD1 Advanced IP Services which I believe includes all of the stuff from SP Services (or at least thats what the Cisco website says) and as I wrote below I can't even do "vpdn enable". Am I doing something wrong, I'm genuinely curious now ? Thanks, Tony. --- On Wed, 13/5/09, Stephen Kratzer wrote: From: Stephen Kratzer Subject: Re: [c-nsp] SUP720 IDB Limit To: "Tony" Cc: cisco-nsp at puck.nether.net, kratzers at ctinetworks.com Date: Wednesday, 13 May, 2009, 11:31 PM VPDN is available with the SP feature set. On Tuesday 12 May 2009 19:12:57 Tony wrote: > If you're using the 7200's for L2TP DSL, then I don't think the 7600 can do > LNS role ? > > Feature navigator shows that VPDN isn't supported on 7600 and our test 7600 > doesn't even know about the "vpdn enable" command. > > Am I missing something ? > > > regards, > Tony. > > > > --- On Fri, 8/5/09, Stephen Kratzer wrote: > > From: Stephen Kratzer > Subject: [c-nsp] SUP720 IDB Limit > To: cisco-nsp at puck.nether.net > Date: Friday, 8 May, 2009, 10:46 PM > > All, > > We're looking to step up from the 7200 series to the 7600 series for DSL > aggregation. Anyone know what the IDB limit is for this platform (#show > idb)? We're at about 15000. Thanks. > > Stephen Kratzer > Network Engineer > CTI Networks, Inc. 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From pshem.k at gmail.com Wed May 13 20:21:33 2009 From: pshem.k at gmail.com (Pshem Kowalczyk) Date: Thu, 14 May 2009 12:21:33 +1200 Subject: [c-nsp] High memory utilisation on ASR 1004 In-Reply-To: <4A0B3CB8.3010605@forthnet.gr> References: <20fe625b0905131355u9dd132ek5b894c4995da6d39@mail.gmail.com> <4A0B3CB8.3010605@forthnet.gr> Message-ID: <20fe625b0905131721g6f906956leb048b3c09957c9e@mail.gmail.com> Hi, Are you saying that if we didn't run it in SSO mode the single IOS running would have access to more memory? I don't have access to a test one to verify it. kind regards Pshem 2009/5/14 Tassos Chatzithomaoglou : > > Dual IOSd processes in ASR1000 SW redundancy result in both the active and > standby process having access to about 750MB of RP memory (each); what is > left is used by other RP processes. Check "sh platform soft status contr" > for more details about RP mem usage. > > Regarding the SBC thing... i had the same problem...but i haven't got any > answer yet. > > PS: To be honest, i haven't found any real advantage of sw redundancy yet. I > only met more issues. From justin at justinshore.com Wed May 13 23:12:51 2009 From: justin at justinshore.com (Justin Shore) Date: Wed, 13 May 2009 22:12:51 -0500 Subject: [c-nsp] OSPF fast convergence In-Reply-To: <4A09B47C.8070205@imperial.ac.uk> References: <4A09AFA4.1070300@rainierconnect.net> <4A09B47C.8070205@imperial.ac.uk> Message-ID: <4A0B8C33.6070202@justinshore.com> Phil Mayers wrote: > Common advice seems to be to make actual link-loss detection fast, in > preference to using BFD. That said, I know some people use BFD. > > Assuming you're using LAN cards, you may want to see if you can make > router links as routed rather than SVI interfaces. 
> Though routed
> interfaces are implemented internally as VLANs, presentations I saw from
> Cisco claim that this:

I prefer to use BFD personally.  Link failure detection without BFD will
be slow no matter what you do.  FRR doesn't gain you much if it takes
you several seconds to realize that a link dropped.

I will point out one problem to Walter that may or may not be a big deal
for his 7600s, depending on how they're deployed.  BFD on SVIs is not
supported or configurable beginning with SRB2.  It worked great but the
feature was removed.  Search the archives for numerous lengthy
discussions about the removed capability.  This feature is needed for
people who deploy their 7600s in pairs and make some access-layer
connections on them that require one or more VLANs to span both 7600s.
For example our 7600s serve as our core and for a few services like FTTH
they serve as the L3 edge to our access layer.  We have a 1Q trunk on an
Etherchannel link (for L1 redundancy) between the 7600s and run a FHRP
across it (HSRPv2 in our case).  There isn't any other way to do this
without a 1Q trunk between the chassis.  We also carry one VLAN across
that trunk and build a L3 relationship across it between the 7600s.
We've configured BFD on the SVI on both ends and it works great and will
continue to work great until we upgrade (effectively downgrading BFD).
The only way around this is to dedicate a separate set of ports for the
L3 connection on a dedicated Etherchannel link.  So now we're dedicating
a minimum of 4 ports (2 per Etherchannel) to connecting our 2 chassis
together for L2 and L3.  That's a big expense, even for GigE interfaces.
Imagine if you needed to do this for 10G interfaces.

If your 7600s are isolated islands and only route between the 7600s then
this isn't a big problem.  However if you also want to carry multiple
VLANs between the 7600s then you need to be aware of these issues.
Justin

From p.mayers at imperial.ac.uk Thu May 14 06:13:44 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 14 May 2009 11:13:44 +0100
Subject: [c-nsp] OSPF fast convergence
In-Reply-To: <4A0B8C33.6070202@justinshore.com>
References: <4A09AFA4.1070300@rainierconnect.net> <4A09B47C.8070205@imperial.ac.uk> <4A0B8C33.6070202@justinshore.com>
Message-ID: <4A0BEED8.3080703@imperial.ac.uk>

Justin Shore wrote:
> Phil Mayers wrote:
>> Common advice seems to be to make actual link-loss detection fast, in
>> preference to using BFD. That said, I know some people use BFD.
>>
>> Assuming you're using LAN cards, you may want to see if you can make
>> router links as routed rather than SVI interfaces. Though routed
>> interfaces are implemented internally as VLANs, presentations I saw from
>> Cisco claim that this:
>
> I prefer to use BFD personally.  Link failure detection without BFD will
> be slow no matter what you do.  FRR doesn't gain you much if it takes
> you several seconds to realize that a link dropped.

Seconds? Wow. I'm curious - under what circumstances are you seeing such
lengthy link-loss detection times?

From sthaug at nethelp.no Thu May 14 06:29:54 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 14 May 2009 12:29:54 +0200 (CEST)
Subject: [c-nsp] OSPF fast convergence
In-Reply-To: <4A0BEED8.3080703@imperial.ac.uk>
References: <4A09B47C.8070205@imperial.ac.uk> <4A0B8C33.6070202@justinshore.com> <4A0BEED8.3080703@imperial.ac.uk>
Message-ID: <20090514.122954.74699039.sthaug@nethelp.no>

> > I prefer to use BFD personally.  Link failure detection without BFD will
> > be slow no matter what you do.  FRR doesn't gain you much if it takes
> > you several seconds to realize that a link dropped.
>
> Seconds? Wow. I'm curious - under what circumstances are you seeing such
> lengthy link-loss detection times?

1000baseT can in principle use several seconds. Optical interfaces should
be much faster.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From elmi at 4ever.de Thu May 14 05:06:38 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Thu, 14 May 2009 11:06:38 +0200
Subject: [c-nsp] ASR 1000 series again: Netflow export
Message-ID: <20090514090638.GQ29526@ronin.4ever.de>

Admitted, I am still running a Cisco Labs software version, so my main
concern is the question "has this been addressed and fixed in an IOS
version?"

The issue: I want to export netflow data over the management interface
(Gi0) on an ASR1002 (this has to go through a VPN tunnel).

Configuration:

ip flow-export source GigabitEthernet0
ip flow-export destination 172.16.31.250 12001

rt#sh ip route vrf Mgmt-intf
S*   0.0.0.0/0 [1/0] via 172.16.199.1
(...)

But:

rt#sh ip flow export
Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       ***.***.***.*** (GigabitEthernet0/0/0)
    Destination(1)  172.16.31.250 (12001)
  Version 5 flow records, origin-as
  Cache for as aggregation:
    Flow export is disabled
  8007185179 flows exported in 345108888 udp datagrams

Err - I specified the source interface, right? Stupid box!

Oh, btw - I cannot add a "vrf Mgmt-intf" to the flow-export source
statement...yes, I tried that ;)

So, what happens if we for example...

rt(config)#ip route 172.16.31.250 255.255.255.255 null0

rt#sh ip flow export
Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       172.16.199.5 (Unknown)
    Destination(1)  172.16.31.250 (12001)
  Version 5 flow records, origin-as
  Cache for as aggregation:
    Flow export is disabled
  8007251179 flows exported in 345111724 udp datagrams

Eh? "Unknown"? Well, sure, in _that_ VRF yes. That's why I'd like to
change it...err...well...

Is this supposed to be this kind of stupid? Or has that simply been fixed
in later IOS versions (this one is based on 12.2(33)XNB )?

There are of course more VRF issues on that platform. Tacacs requires a
special solution etc. etc...
So, if anyone can point me in the right direction or just recommend the IOS this has been fixed in (still have to check it for the Mac accounting/reboot issue and the CEF balancing lopsidedness), your help is much appreciated. Cheers, Elmar. PS: If anyone knows how to keep "write mem" from using like 20 seconds to save the config... From Nick.Ryce at lumison.net Thu May 14 07:05:49 2009 From: Nick.Ryce at lumison.net (Nick Ryce) Date: Thu, 14 May 2009 12:05:49 +0100 Subject: [c-nsp] DHCP Option 66 String Message-ID: Hi Guys, I have been hunting around trying to find if when using cisco dhcp and option 66 I can use a http url rather than tftp? Within most linux dhcp daemons this can be done. Any help greatly appreciated. Nick ________________________________ -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email. 
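The question above asks whether DHCP option 66 can carry an HTTP URL instead of a TFTP server name. Whatever the server hands out, the phones will fetch their configuration (often including SIP credentials) from that URL over an unauthenticated DHCP exchange, so it is worth being able to look at what a reply actually contains. The following is an added example, not code from any poster on the list or from Cisco: a parser for the DHCP options area that pulls out option 66, Cisco's option 150, and the option 2 time offset, and flags a provisioning URL that is not TLS. The DHCPOFFER, the prov.example.net host and the 192.0.2.x addresses are constructed placeholders.

```python
"""Parse DHCP option 66 (and option 150) out of a DHCP reply.

Added example for the option-66 question above; not code from any poster.
The packet below is constructed.  The point for a phone deployment: DHCP is
unauthenticated, and whatever URL arrives in option 66 is where the phones
fetch their configuration, so it deserves the scrutiny of a download link.
"""
import struct
from ipaddress import IPv4Address
from urllib.parse import urlsplit

MAGIC = bytes.fromhex("63825363")
FIXED_LEN = 236  # op .. file fields, before the magic cookie (RFC 2131)


def dhcp_options(packet: bytes) -> dict:
    """Return {code: raw_bytes}; pad (0) and end (255) handled, repeats concatenated."""
    if len(packet) < FIXED_LEN + 4 or packet[FIXED_LEN:FIXED_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP packet (no magic cookie)")
    opts, i = {}, FIXED_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value   # RFC 3396 style concatenation
        i += 2 + length
    return opts


def provisioning_sources(packet: bytes) -> dict:
    """Extract boot/provisioning servers and flag weak transports."""
    opts = dhcp_options(packet)
    out = {"option66": None, "option150": [], "time_offset": None, "warnings": []}
    if 66 in opts:
        name = opts[66].rstrip(b"\0").decode("ascii", errors="replace")
        out["option66"] = name
        scheme = urlsplit(name).scheme
        if scheme == "":
            out["warnings"].append("option 66 is a bare host: phones will use TFTP")
        elif scheme != "https":
            out["warnings"].append(f"option 66 uses {scheme}: config fetched in cleartext")
    if 150 in opts:
        raw = opts[150]
        if len(raw) % 4:
            raise ValueError("option 150 length not a multiple of 4")
        out["option150"] = [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]
    if 2 in opts and len(opts[2]) == 4:
        out["time_offset"] = struct.unpack("!i", opts[2])[0]  # signed seconds from UTC
    return out


def build_offer(options, yiaddr="192.0.2.50") -> bytes:
    """Constructed DHCPOFFER (example only) carrying the given (code, value) options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + body + b"\xff"


# Constructed samples: same option mix as an IOS pool with option 2, 66 and 42.
OFFER_HTTP = build_offer([
    (53, b"\x02"),                                # DHCPOFFER
    (2, bytes.fromhex("ffff8f80")),               # time offset -28800 (UTC-8)
    (66, b"http://prov.example.net/polycom/"),
    (42, IPv4Address("192.0.2.123").packed),      # NTP server
])
OFFER_HTTPS = build_offer([
    (53, b"\x02"),
    (66, b"https://prov.example.net/polycom/"),
    (150, IPv4Address("192.0.2.9").packed + IPv4Address("192.0.2.10").packed),
])

if __name__ == "__main__":
    for label, pkt in (("http", OFFER_HTTP), ("https", OFFER_HTTPS)):
        print(label, provisioning_sources(pkt))
```

Run against a captured reply (for example the options region of a `tcpdump -w` DHCP offer) the same functions apply unchanged; the builder exists only so the example runs offline.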
From p.mayers at imperial.ac.uk Thu May 14 07:43:42 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Thu, 14 May 2009 12:43:42 +0100 Subject: [c-nsp] PFC3/3B/3C ACL support In-Reply-To: <599296.78446.qm@web908.biz.mail.mud.yahoo.com> References: <599296.78446.qm@web908.biz.mail.mud.yahoo.com> Message-ID: <4A0C03EE.4040003@imperial.ac.uk> Kevin Graham wrote: > The "Understanding ACL on Catalyst 6500 Switches"[1] white paper indicates that: > > All TCP session traffic, except for the TCP > three-way handshake (SYN, > SYN/ACK, ACK) and session close (FIN/RST), is > handled in hardware > > ...which makes sense for reflexive ACL's, but is that also true for extended ACL's > matching TCP flags? The need to punt on these flows for reflexive's would suggest > that they can be distinguished in hardware and based on 'sh tcam int ...' it would > seem that there are masks allocated for TCP flags[2] that could presumably be > leveraged for 'simple' filtering. > > With the convenience of object-group/port-group in SXI, I'm inclined to spend some > time improving ACL usage on 6500's and was hoping to make them a little more > correct at the same time. I'm not sure I understand the question as worded, but: 1. For reflexive ACLs, I believe (never used them on this platform) that the opening & closing packets are punted to CPU, so that the "reverse" flow can be installed into and removed from the netflow table. 2. For other ACLs, matching is in hardware, regardless of whether you're matching TCP flags, first/subsequent fragments, etc. unless you've got another modifier that requires a CPU punt (e.g. "log") An easy way to see whether something is hardware or punted is to use the tcam commands: sh tcam interface layer3int acl in ip [detail] Items which list "permit" or "deny" in the 1st column are hardware processed. Most everything else is CPU-processed. 
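The reply above makes the practical point: on this platform TCP-flag matches stay in TCAM, but a modifier such as `log` forces a CPU punt, and `show tcam interface ... acl in ip` shows which rows are which. As an added example (not from the thread, not Cisco documentation), the fragment below puts a logged catch-all deny next to the form that keeps the catch-all in hardware. The ACL name EDGE-IN, interface Vlan100 and the 192.0.2.0/24 addresses are placeholders.

```ios
! Added example, not from the thread.  EDGE-IN, Vlan100 and 192.0.2.0/24
! are placeholders.  Both ACLs express the same policy; only the second
! keeps the catch-all deny in hardware.
!
! Weak form: "log" on the final deny punts every non-matching packet to
! the RP to produce the log entry.  A scan or flood against this interface
! turns a TCAM filter into a CPU problem for the whole box.
ip access-list extended EDGE-IN
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any any log
!
! Corrected form: the TCP-flag match ("established") is handled in hardware
! as the reply describes; logging is confined to one narrow ACE whose hit
! rate is bounded by the target, and the catch-all deny is unlogged.
ip access-list extended EDGE-IN
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit tcp any host 192.0.2.10 eq 443
 deny   tcp any host 192.0.2.10 eq 22 log
 deny   ip any any
!
interface Vlan100
 ip access-group EDGE-IN in
!
! Verify, using the check from the reply: rows whose result column reads
! permit or deny are in TCAM; anything else indicates a punt path.
! show tcam interface vlan 100 acl in ip detail
```

Compare the TCAM output for the two versions: the logged ACE is the row that no longer shows a plain permit/deny result, which is exactly the traffic that will reach the CPU.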
From dan.sabau at tbm.ro Thu May 14 07:55:24 2009 From: dan.sabau at tbm.ro (Dan Sabau) Date: Thu, 14 May 2009 14:55:24 +0300 Subject: [c-nsp] 7600 eigrp offset-list problem In-Reply-To: <8171C8272CE8FE4A8F5BFF8A97CE6AB3A132B4@ASHEVS006.mcilink.com> References: <8171C8272CE8FE4A8F5BFF8A97CE6AB3A132B4@ASHEVS006.mcilink.com> Message-ID: <4A0C06AC.90704@tbm.ro> Hi, tried that but I need to modify the composite metric within eigrp, that is why I use the offset-list, because I have the same loopback from a different vlan with the same composite metric, here is the result: br01.headend.cluj#sh ip route 172.30.255.54 Routing entry for 172.30.255.54/32 Known via "eigrp ZZZZ", distance 80, metric 130816, type internal Redistributing via eigrp ZZZZ Last update from X.X.X.X on Vlan2764, 00:00:24 ago Routing Descriptor Blocks: X.X.X.X, from X.X.X.X, 00:00:24 ago, via Vlan2764 Route metric is 130816, traffic share count is 1 Total delay is 5010 microseconds, minimum bandwidth is 1000000 Kbit Reliability 255/255, minimum MTU 1500 bytes Loading 14/255, Hops 1 * Y.Y.Y.Y, from Y.Y.Y.Y, 00:00:24 ago, via Vlan2864 Route metric is 130816, traffic share count is 1 Total delay is 5010 microseconds, minimum bandwidth is 1000000 Kbit Reliability 255/255, minimum MTU 1500 bytes Loading 24/255, Hops 1 distribute-list route-map test-eigrp in Vlan2764 sh route-map test-eigrp route-map test-eigrp, permit, sequence 10 Match clauses: ip address (access-lists): permit-any Set clauses: metric -1 Policy routing matches: 0 packets, 0 bytes Standard IP access list permit-any 10 permit any (3110 matches) Ramcharan, Vijay A wrote: > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi > Sent: May 13, 2009 09:59 > To: Dan Sabau > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] 7600 eigrp offset-list problem > > Same IOS here, similar code... > We use under address-family... 
> offset-list 0 out 25 Port-channel1.xxx > > We will take a look at the config after a reboot. > We didn't reboot the router yet. > Do you know if it is a well-known bug? > Did you open an SR to ask for a reason for this behaviour? > > > On Wed, 13-05-2009 at 14:23 +0300, Dan Sabau wrote: > >> Hi, >> we have the following problem, if a router reboots when it comes online >> the part of the config with the offset-list within router eigrp is >> ignored, you have to do something like: >> conf t >> router eigrp X >> no offset-list permit-any in 128257 Vlan2764 >> offset-list permit-any in 128257 Vlan2764 >> Does anybody know how to fix it? >> The IOS is: 12.2(33)SRC1 we have tried SRBx and the problem was there too. >> 10x >> >> > > Interesting problem. Labbed it up with available hw (1700 and 7206). 1700 runs 12.4.17. > Offset list seemed to work after reboot of the 1700 (where the offset list was applied). I can only assume that you have a platform/code version issue. > > Did you try using a route-map to achieve the same functionality? > Is the behavior the same? > > i.e. > router eigrp > distribute-list > > route-map > match ip address > set metric +/- > > -- Dan Sabau Manager WAN New Com Telecomunicatii SA, Phone: 0755049817 Email: dan.sabau at newcom.ro From kratzers at ctinetworks.com Thu May 14 08:27:21 2009 From: kratzers at ctinetworks.com (Stephen Kratzer) Date: Thu, 14 May 2009 08:27:21 -0400 Subject: [c-nsp] SUP720 IDB Limit In-Reply-To: <533414.81350.qm@web110107.mail.gq1.yahoo.com> References: <533414.81350.qm@web110107.mail.gq1.yahoo.com> Message-ID: <200905140827.21996.kratzers@ctinetworks.com> I'm seeing it in just a few releases using the following sequence: Feature Nav -> Search by Feature -> Add Virtual Private Dial-up Networking -> Select 7600 SUP720/MSFC3 -> See 12.2(14)SX and 12.2(14)SX1. Not as abundant as I had hoped, but still there. On Wednesday 13 May 2009 18:44:58 Tony wrote: > Surely feature navigator wouldn't lie to me? 
> > If I select either "Virtual Private Dial-up Network (VPDN)" or "L2TP Layer > 2 Tunneling Protocol" as the feature I need (or both) and then try to > select the platform from the list of available ones then 7600 isn't listed > at all. > > The software I have on our test 7600 is 12.2(33) SRD1 Advanced IP Services > which I believe includes all of the stuff from SP Services (or at least > thats what the Cisco website says) and as I wrote below I can't even do > "vpdn enable". > > Am I doing something wrong, I'm genuinely curious now ? > > > Thanks, > Tony. > > > --- On Wed, 13/5/09, Stephen Kratzer wrote: > > From: Stephen Kratzer > Subject: Re: [c-nsp] SUP720 IDB Limit > To: "Tony" > Cc: cisco-nsp at puck.nether.net, kratzers at ctinetworks.com > Date: Wednesday, 13 May, 2009, 11:31 PM > > VPDN is available with the SP feature set. > > On Tuesday 12 May 2009 19:12:57 Tony wrote: > > If you're using the 7200's for L2TP DSL, then I don't think the 7600 can > > do LNS role ? > > > > Feature navigator shows that VPDN isn't supported on 7600 and our test > > 7600 doesn't even know about the "vpdn enable" command. > > > > Am I missing something ? > > > > > > regards, > > Tony. > > > > > > > > --- On Fri, 8/5/09, Stephen Kratzer wrote: > > > > From: Stephen Kratzer > > Subject: [c-nsp] SUP720 IDB Limit > > To: cisco-nsp at puck.nether.net > > Date: Friday, 8 May, 2009, 10:46 PM > > > > All, > > > > We're looking to step up from the 7200 series to the 7600 series for DSL > > aggregation. Anyone know what the IDB limit is for this platform (#show > > idb)? We're at about 15000. Thanks. > > > > Stephen Kratzer > > Network Engineer > > CTI Networks, Inc. 
> > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jared at puck.nether.net Thu May 14 08:04:28 2009 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 14 May 2009 08:04:28 -0400 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <20090514090638.GQ29526@ronin.4ever.de> References: <20090514090638.GQ29526@ronin.4ever.de> Message-ID: These are all things you should raise with erbu directly. We have been having the same config delays. This is apparently a known issue. Jared Mauch On May 14, 2009, at 5:06 AM, "Elmar K. Bins" wrote: > Admitted, I am still running a Cisco Labs software version, > so my main concern is the question "has this been addressed > and fixed in an IOS version?" > > The issue: > > I want to export netflow data over the management interface (Gi0) > on an ASR1002 (this has to go through a VPN tunnel). > > Configuration: > > ip flow-export source GigabitEthernet0 > ip flow-export destination 172.16.31.250 12001 > > rt#sh ip route vrf Mgmt-intf > S* 0.0.0.0/0 [1/0] via 172.16.199.1 > (...) > > > But: > > rt#sh ip flow export > Flow export v5 is enabled for main cache > Export source and destination details : > VRF ID : Default > Source(1) ***.***.***.*** (GigabitEthernet0/0/0) > Destination(1) 172.16.31.250 (12001) > Version 5 flow records, origin-as > Cache for as aggregation: > Flow export is disabled > 8007185179 flows exported in 345108888 udp datagrams > > > > Err - I specified the source interface, right? Stupid box! > Oh, btw - I cannot add a "vrf Mgmt-intf" to the flow-export > source statement...yes, I tried that ;) > > So, what happens if we for example... 
> > rt(config)#ip route 172.16.31.250 255.255.255.255 null0 > > rt#sh ip flow export > Flow export v5 is enabled for main cache > Export source and destination details : > VRF ID : Default > Source(1) 172.16.199.5 (Unknown) > Destination(1) 172.16.31.250 (12001) > Version 5 flow records, origin-as > Cache for as aggregation: > Flow export is disabled > 8007251179 flows exported in 345111724 udp datagrams > > > Eh? "Unknown"? Well, sure, in _that_ VRF yes. That's why > I'd like to change it...err...well... > > Is this supposed to be this kind of stupid? Or has > that simply been fixed in later IOS versions (this > one is based on 12.2(33)XNB )? > > There are of course more VRF issues on that platform. > Tacacs requires a special solution etc. etc... > > So, if anyone can point me in the right direction or > just recommend the IOS this has been fixed in (still > have to check it for the Mac accounting/reboot issue > and the CEF balancing lopsidedness), your help is much > appreciated. > > Cheers, > Elmar. > > PS: If anyone knows how to keep "write mem" from using > like 20 seconds to save the config... > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From geoff at pendery.net Thu May 14 08:49:32 2009 From: geoff at pendery.net (Geoffrey Pendery) Date: Thu, 14 May 2009 07:49:32 -0500 Subject: [c-nsp] Some advice on switches.... In-Reply-To: <02da01c9d416$69600800$3c201800$@za.org> References: <00fe01c9d3c8$87beacf0$973c06d0$@za.org> <4A0B2AB7.9030502@utc.edu> <02da01c9d416$69600800$3c201800$@za.org> Message-ID: Well these sorts of details are definitely something to confirm with someone from Cisco, before dropping the cash on it. 
I'm personally happy to contribute advice, but you wouldn't want to be explaining to your boss that your $100,000 switches aren't working even though "some guy on the mailing list said it would" There's a Configurator tool on the cisco.com website, which allows you to put together a box and check the compatibility of the modules involved, but access may be restricted to sufficiently large accounts. Ditto for talking to a dedicated Cisco sales rep - if your business is enough of a Cisco buyer (or you're buying through a VAR, and they're sufficiently large) then there should be someone from Cisco to field these types of questions. Failing all that, if you're a small customer, surely there's "chat with a Cisco rep" or "email this address with questions". Anyway, with the disclaimers out of the way... All of the "stackables" (fixed 1 or 2U, non-modular switches like the 2960, 3750, etc) do not do Netflow. The 4500 just barely does Netflow, meaning that only the Sup V supports it, and you either need to purchase that daughter-card, or purchase a Sup V-10GE. If Netflow is a must-have, then you either: 1. Go with the Sup V. This will limit your throughput a bit, as it's not the "E series" like the 6, but it sounds like your bandwidth requirements are modest (I'm not sure why others are lamenting the 6 Gbps or 32 Gbps backplane limitations of the 4500 classic or Sup32, when your design calls for 48 10/100 port switches uplinked via one or two gig ports, but they are correct.) 2. Go with the 2960's, but put a router at the top instead of the 3560. Something in the ISR line, like 2800 or 3800, would also give you some options for voice/video services. 3. Move up to the 6500. It'll bump your price up a bit, but it'll do Netflow (and probably everything else you want to do). A Sup32 will probably meet your bandwidth needs, a Sup 32 PISA will throw in stuff like NBAR. You'll have the option of adding any services blades (firewall, VPN, wireless, etc) if the need arises. 
Do be aware however, that if you find yourself needing more power, like you want to up the access ports to gig, you'll need to buy new Supervisors along with the new line cards. What you ultimately choose depends on the many details of your environment which you're in a better place to understand than we are. If you think this network is going to grow and expand over the next few years, requiring more bandwidth and more elaborate routing or services, then the 6500 is probably the most flexible and powerful of the three options. If you think the access ports will never need to go gig, and you don't need Netflow, but you want to ensure no over-subscription, then probably go with the 4500 and the 6E - the 48 ports in your stackables can theoretically add up to 4.8 Gbps, and you're not gonna push that through the 2960 and his gig uplinks. If the over-subscription isn't a big concern, but you really want Netflow and maybe some voice services, consider the stackables + ISR. You'll be piping your traffic through a handful of gig ports, but you'll get access to the "routery" features like Netflow and NBAR, as well as lots of options for modules. There's lots of tradeoffs involved, and ultimately it's up to you to figure out which things you really want and which things you give up. We can just help a bit with the options. -Geoff On Wed, May 13, 2009 at 5:01 PM, Chris Knipe wrote: > Hi, > >> > You might want to look at 4500 Series switches, rather than 6500. >> > If 2960's were sufficient for your requirements (no advanced routing, >> > Netflow, NBAR, etc) then 4500 is closer to an apples-to-apples >> > comparison than 6500. >> > 4500 will generally be cheaper than 6500, especially when taking >> > maintenance/Smartnet into account (though YMMV). >> >> For a classic non-E chassis and/or traditional supervisor blade (Sup-IV >> or less), you're dealing with a 6Gbps/slot backplane limitation. 
You >> may be OK with your 10/100 blades, but some of the classic 10/100/1000 >> ones such as the WS-X4448 you are as much as 8:1 oversubscribed onto >> that 6Gbps/slot. The 2960 backplane is smoking hot in comparison (but >> you're still limited in uplink b/w). >> >> The E-series chassis with a hot supervisor will get you 24Gbps/slot. > > Thank you all for the input. I would definitely agree, 4500 rather than > 6500. The main purpose of this deployment is for Triple Play services, > IPTV, Telephony, as well as Data. IGMP Multicast is critical for the IPTV > and almost all 10/100 Ethernet ports will be running at least 3 VLANs. A > single switch will also make that much easier in my opinion... > > I've spent a bit of time on Cisco.com now, and I just want everyone to give > this a once over and ensure that there isn't anything I missed before I send > this off to suppliers for costing - if I can ask that someone also just > check for compatibility, I would appreciate it. I am not sure at this stage > about the NetFlow Services Card, whether or not it would be compatible with > the Supervisor. I've worked a lot with the smaller fixed configuration > Ciscos, but this is going to be all new to me in terms of size... 
> > Cisco Catalyst 4510R-E Chassis: > 1 x WS-C4510R-E > Cisco Catalyst E Series 4510R Switch (10-slot chassis), fan, no power > supply; redundant supervisor capable > 2 x PWR-C45-1400AC > Cisco Catalyst 4500 Series 1400W AC power supply (data only) > 1 x S45EIPB-12240SG(=) > Cisco IOS Software for Supervisor Engine 6-E (IP Base image) > 1 x WS-X45-Sup6-E > Cisco Catalyst 4500 E Series Supervisor Engine 6-E, 2x10GE (X2) or 4x1GE > (SFP), Console RJ-45,USB > 1 x WS-X45-Sup6-E/2 > Cisco Catalyst 4500 Redundant Supervisor Engine 6-E, 2x10GE (X2) or 4x1GE > (SFP), Console RJ-45,USB > 1 x MEM-C4K-FLD128M > Cisco Catalyst 4500 Cisco IOS Software-Based Supervisor Engine, Compact > Flash memory, 128-MB option > 1 x WS-F4531(=) > Cisco Catalyst 4500 NetFlow Services Card > > Cisco Catalyst 4510R-E Line Cards: > 5 x WS-X4148-RJ(=) > Cisco Catalyst 4500 10/100 Module, 48 ports (RJ-45) > 1 x WS-X4424-GB-RJ45(=) > Cisco Catalyst 4500 24-port 10/100/1000 Module (RJ-45) > > > Thank you all for your time and feedback, > > Regards, > Chris. > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From elmi at 4ever.de Thu May 14 08:50:34 2009 From: elmi at 4ever.de (Elmar K. Bins) Date: Thu, 14 May 2009 14:50:34 +0200 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: References: <20090514090638.GQ29526@ronin.4ever.de> Message-ID: <20090514125033.GZ29526@ronin.4ever.de> jared at puck.nether.net (Jared Mauch) wrote: > These are all things you should raise with erbu directly. We have been > having the same config delays. This is apparently a known issue. Actually, like ten minutes ago I found something deep in the CsC that said exporting netflow data over the Mgt Interface was an unsupported config option... My thought, and I quote: "WTF?" 
From clinton at scripty.com Thu May 14 09:23:50 2009 From: clinton at scripty.com (Clinton Work) Date: Thu, 14 May 2009 07:23:50 -0600 Subject: [c-nsp] 3750 Metro - Base MAC addresses Message-ID: <4A0C1B66.7080803@scripty.com> "show ver" on a 3750 Metro will tell you the base MAC address, but not the size of the block. Anybody know how many unique MACs are assigned to a 3750ME? switch#show version Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(25)SEGx, RELEASE SOFTWARE (fc1) ... cisco ME-C3750-24TE (PowerPC405) processor (revision F0) with 118784K/12280K bytes of memory. Processor board ID xxxxxx Last reset from power-on 1 Virtual Ethernet interface 24 FastEthernet interfaces 4 Gigabit Ethernet interfaces The password-recovery mechanism is enabled. 1024K bytes of flash-simulated non-volatile configuration memory. Base ethernet MAC Address : 00:1B:0C:2F:C5:80 <-- Base MAC Motherboard assembly number : 73-9938-04 Motherboard serial number : xxxxx Model revision number : F0 Motherboard revision number : B0 Model number : ME-C3750-24TE-M Daughterboard assembly number : 73-9939-02 Daughterboard serial number : xxxxx System serial number : xxxxx Top Assembly Part Number : 800-25952-04 Top Assembly Revision Number : C0 Version ID : V05 CLEI Code Number : COM1510ARA Daughterboard revision number : A0 Hardware Board Revision Number : 0x09 From justin at justinshore.com Thu May 14 09:29:13 2009 From: justin at justinshore.com (Justin Shore) Date: Thu, 14 May 2009 08:29:13 -0500 Subject: [c-nsp] OSPF fast convergence In-Reply-To: <4A0BEED8.3080703@imperial.ac.uk> References: <4A09AFA4.1070300@rainierconnect.net> <4A09B47C.8070205@imperial.ac.uk> <4A0B8C33.6070202@justinshore.com> <4A0BEED8.3080703@imperial.ac.uk> Message-ID: <4A0C1CA9.5040601@justinshore.com> Phil Mayers wrote: > Justin Shore wrote: >> Phil Mayers wrote: >>> Common advice seems to be to make actual link-loss detection fast, in >>> preference to using BFD. 
That said, I know some people use BFD. >>> >>> Assuming you're using LAN cards, you may want to see if you can make >>> router links as routed rather than SVI interfaces. Though routed >>> interfaces are implemented internally as VLANs, presentations I saw >>> from Cisco claim that this: >> >> I prefer to use BFD personally. Link failure detection without BFD >> will be slow no matter what you do. FRR doesn't gain you much if it >> takes you several seconds to realize that a link dropped. > > Seconds? Wow. I'm curious - under what circumstances are you seeing such > lengthy link-loss detection times? On our 7600s today. We drop a link to one of them and the thing is oblivious to the drop for 2-3 seconds. Dumber than a post... L3 is waiting on L1 to wake up before it can start tearing down routing relationships and pulling routes. I'm running SRB1 on my 7600s right now so that I can run BFD. I'm trying to get my account team to carry my BFD on SVI request to the DE team for BFD or the product manager. Unfortunately I think I'm throwing pennies into a black hole. Justin From geoff at pendery.net Thu May 14 09:44:58 2009 From: geoff at pendery.net (Geoffrey Pendery) Date: Thu, 14 May 2009 08:44:58 -0500 Subject: [c-nsp] OSPF fast convergence In-Reply-To: <4A0C1CA9.5040601@justinshore.com> References: <4A09AFA4.1070300@rainierconnect.net> <4A09B47C.8070205@imperial.ac.uk> <4A0B8C33.6070202@justinshore.com> <4A0BEED8.3080703@imperial.ac.uk> <4A0C1CA9.5040601@justinshore.com> Message-ID: Well, if it's an SVI, then you're up a little higher than layer 1... Presumably the VLAN still exists on other links (like a trunk over to another 7600?) so the SVI itself doesn't go down, you just wait for the neighbor relationship to time out? Or are you actually pulling a cable and seeing "int Gig 1/1 up/up" for 3 seconds? After the 3 seconds, do you actually see the VLAN interface go down/down? 
Sorry if this is obvious stuff you already thought of, I'm just baffled 'cause I've never seen slow link-down on 6500 or 7600 personally, though I admit I've mostly done my failure testing on fiber not copper... I suppose if you're in a bind, you could cobble together your own BFD with EEM... have IPSLA ping the neighbor every 300 msec or so, and if it fails three times you admin down the SVI... Obviously it's a kludge, but it might beat waiting on the proper BFD support... -Geoff On Thu, May 14, 2009 at 8:29 AM, Justin Shore wrote: > Phil Mayers wrote: >> >> Justin Shore wrote: >>> >>> Phil Mayers wrote: >>>> >>>> Common advice seems to be to make actual link-loss detection fast, in >>>> preference to using BFD. That said, I know some people use BFD. >>>> >>>> Assuming you're using LAN cards, you may want to see if you can make >>>> router links as routed rather than SVI interfaces. Though routed interfaces >>>> are implemented internally as VLANs, presentations I saw from Cisco claim >>>> that this: >>> >>> I prefer to use BFD personally. Link failure detection without BFD will >>> be slow no matter what you do. FRR doesn't gain you much if it takes you >>> several seconds to realize that a link dropped. >> >> Seconds? Wow. I'm curious - under what circumstances are you seeing such >> lengthy link-loss detection times? > > On our 7600s today. We drop a link to one of them and the thing is > oblivious to the drop for 2-3 seconds. Dumber than a post... L3 is waiting > on L1 to wake up before it can start tearing down routing relationships and > pulling routes. I'm running SRB1 on my 7600s right now so that I can run > BFD. I'm trying to get my account team to carry my BFD on SVI request to > the DE team for BFD or the product manager. Unfortunately I think I'm > throwing pennies into a black hole. 
> > Justin > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From p.mayers at imperial.ac.uk Thu May 14 10:58:26 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Thu, 14 May 2009 15:58:26 +0100 Subject: [c-nsp] OSPF fast convergence In-Reply-To: <4A0C1CA9.5040601@justinshore.com> References: <4A09AFA4.1070300@rainierconnect.net> <4A09B47C.8070205@imperial.ac.uk> <4A0B8C33.6070202@justinshore.com> <4A0BEED8.3080703@imperial.ac.uk> <4A0C1CA9.5040601@justinshore.com> Message-ID: <4A0C3192.5030807@imperial.ac.uk> >> Seconds? Wow. I'm curious - under what circumstances are you seeing such >> lengthy link-loss detection times? > > On our 7600s today. We drop a link to one of them and the thing is > oblivious to the drop for 2-3 seconds. Dumber than a post... L3 is > waiting on L1 to wake up before it can start tearing down routing > relationships and pulling routes. I'm running SRB1 on my 7600s right > now so that I can run BFD. I'm trying to get my account team to carry > my BFD on SVI request to the DE team for BFD or the product manager. > Unfortunately I think I'm throwing pennies into a black hole. Nasty. Fibre or copper? I ask because we're not seeing that on 6500/SXI. The removal of BFD on SVIs is pretty poor. From ddelaros at cisco.com Thu May 14 11:00:14 2009 From: ddelaros at cisco.com (Daniel de la Rosa (ddelaros)) Date: Thu, 14 May 2009 08:00:14 -0700 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <20090514125033.GZ29526@ronin.4ever.de> References: <20090514090638.GQ29526@ronin.4ever.de> <20090514125033.GZ29526@ronin.4ever.de> Message-ID: <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> Is it supported in any mgmt port at very high speed?.. ;).. 
ASR1000 main focus was to deal with the high speed netflow and fw logging needs so that's why enabling nf exporting from this mgmt port hasn't been a very high priority item. We can take this offline and work with you and your account team so we can reprioritize accordingly, but this is definitely not supported. HTH > > jared at puck.nether.net (Jared Mauch) wrote: > > > These are all things you should raise with erbu directly. We have > been > > having the same config delays. This is apparently a known issue. > > Actually, like ten minutes ago I found something deep in the CsC that > said exporting netflow data over the Mgt Interface was an unsupported > config option... > > My thought, and I quote: "WTF?" > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jasongurtz at npumail.com Thu May 14 11:17:01 2009 From: jasongurtz at npumail.com (Jason Gurtz) Date: Thu, 14 May 2009 11:17:01 -0400 Subject: [c-nsp] Some advice on switches.... In-Reply-To: <4A0B429A.9040307@templin.org> References: <00fe01c9d3c8$87beacf0$973c06d0$@za.org> <4A0B429A.9040307@templin.org> Message-ID: > Somewhere between 2012 and 2020 it mentions 40G/100G interfaces. I'm sitting here wondering if the current "E" backplane is up to that at 80G? So 2x40G ports per chassis looks like 100% subscribed. 100G looks to me like a no go w/o a forklift? ~JasonG -- From BBlackford at nwresd.k12.or.us Thu May 14 11:21:47 2009 From: BBlackford at nwresd.k12.or.us (Bill Blackford) Date: Thu, 14 May 2009 08:21:47 -0700 Subject: [c-nsp] Layer3 port channel on 3560-8 Message-ID: <6069A203FD01884885C037F81DD75080032AC5F1B1@wsc-mail-01.intra.nwresd.k12.or.us> I just discovered that I cannot form a layer3 po1. Is this typical behavior? It works just fine on other 3650 devices. 
-b -- Bill Blackford Senior Network Engineer my /home away from home From elmi at 4ever.de Thu May 14 11:32:46 2009 From: elmi at 4ever.de (Elmar K. Bins) Date: Thu, 14 May 2009 17:32:46 +0200 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> References: <20090514125033.GZ29526@ronin.4ever.de> <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> Message-ID: <20090514153246.GE29526@ronin.4ever.de> Hello Daniel, ddelaros at cisco.com (Daniel de la Rosa (ddelaros)) wrote: > Is it supported in any mgmt port at very high speed?.. ;).. ASR1000 main > focus was to deal with the high speed netflow and fw logging needs so > that's why enabling nf exporting from this mgmt port hasn't been a very > high priority item. We can take this offline and work with you and your > account team so we can reprioritize accordingly, but this is definitely > not supported. I still wonder what this Mgt port is good for, then. And: Should I not be able to make that decision myself? The "vrf" extension to the source command is present on other platforms and it is also needed if it occurred to me to run multiple VRFs on the box and choose one for transport "home". In my case, I will keep the netflow traffic down to 5 Mbps max. (and use sampling accordingly), since I cannot afford more bw on the VPN anyway. But I need to get the info home to my collector, and that box is inside my Mgt network and not exposed to some crazy Internet (why should it?). So, the conclusion is: The mgt port is absolutely useless for me and I could have saved the money on it. Mgt Ethernet will take one of the precious ports on the SP, and it will make ACLs and route filtering necessary, too. Well... Elmar. PS: If you have any idea about the roadmap for the ASR1k... 
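The ASR1000 thread above is about getting NetFlow v5 export from the management VRF to a collector behind a VPN, and the `show ip flow export` output showed the export leaving from GigabitEthernet0/0/0 rather than the configured Gi0. The collector side of that picture is worth a look: NetFlow v5 is plain UDP with no authentication, so the only thing a collector can use to reject spoofed or mis-sourced export is the datagram's source address, which is also the address that changes when the exporter picks the wrong interface. The following is an added example, not code from any poster or from Cisco: a v5 header and record parser with an exporter allowlist and length checks. The exporter address 172.16.199.5 is taken from the show output in the thread; the flow records are constructed.

```python
"""Collector-side NetFlow v5 parsing with an exporter allowlist.

Added example for the ASR1000 export thread; not code from any poster or
from Cisco.  NetFlow v5 is unauthenticated UDP, so the collector's only
hook for rejecting spoofed or mis-sourced export is the source address.
Assumed: exporter 172.16.199.5 (from the show output above); the flow
records below are constructed.
"""
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
ALLOWED_EXPORTERS = {"172.16.199.5"}


def parse_v5(payload: bytes) -> dict:
    """Parse one v5 datagram; raise ValueError on anything malformed."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("short header")
    (version, count, _uptime, _secs, _nsecs,
     flow_seq, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(payload)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if not 1 <= count <= 30:                            # v5 carries at most 30 records
        raise ValueError(f"implausible record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(payload) != expected:
        raise ValueError(f"length {len(payload)}, expected {expected}")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "nexthop": str(IPv4Address(f[2])), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6],
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12],
            "proto": f[13], "tos": f[14], "src_as": f[15], "dst_as": f[16],
        })
    return {"sequence": flow_seq, "engine": (engine_type, engine_id),
            "sampling": sampling & 0x3FFF,              # low 14 bits = interval
            "records": records}


def accept_datagram(src_ip: str, payload: bytes, allowed=ALLOWED_EXPORTERS):
    """Return parsed flows, or None when the sender is not a known exporter.

    The allowlist check runs before parsing, so an unexpected peer never
    gets to feed the parser at all.
    """
    if src_ip not in allowed:
        return None
    return parse_v5(payload)


def is_malformed(payload: bytes) -> bool:
    """True if parse_v5 rejects the datagram."""
    try:
        parse_v5(payload)
    except ValueError:
        return True
    return False


def build_v5(flows, sequence=0, sampling_interval=100) -> bytes:
    """Build a v5 datagram from (src, dst, proto, sport, dport, pkts, octets) tuples."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0,
                            (1 << 14) | sampling_interval)  # mode 1 = packet interval
    body = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, pkts, octets, 0, 0, sport, dport, 0,
                       0x18 if proto == 6 else 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in flows)
    return header + body


# Constructed sample: two flows; the sequence number reuses the counter from
# the show output above, wrapped to 32 bits.
SAMPLE = build_v5([("10.0.0.5", "192.0.2.10", 6, 51000, 443, 12, 9000),
                   ("10.0.0.7", "192.0.2.53", 17, 40000, 53, 1, 78)],
                  sequence=8007185179 % 2**32)

if __name__ == "__main__":
    for peer in ("172.16.199.5", "203.0.113.9"):   # known exporter, then an unknown one
        result = accept_datagram(peer, SAMPLE)
        print(peer, "->", "rejected" if result is None else f"{len(result['records'])} flows")
```

In the situation from the thread, an export that leaves through GigabitEthernet0/0/0 would reach this collector (if it reached it at all) from that interface's address rather than 172.16.199.5 and would be dropped by `accept_datagram`; the drop is the symptom to look for before blaming the collector.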
From kgraham at industrial-marshmallow.com Thu May 14 12:19:41 2009 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Thu, 14 May 2009 09:19:41 -0700 (PDT) Subject: [c-nsp] PFC3/3B/3C ACL support In-Reply-To: <4A0C03EE.4040003@imperial.ac.uk> References: <599296.78446.qm@web908.biz.mail.mud.yahoo.com> <4A0C03EE.4040003@imperial.ac.uk> Message-ID: <299105.37155.qm@web901.biz.mail.mud.yahoo.com> > 1. For reflexive ACLs, I believe (never used them on this platform) that the > opening & closing packets are punted to CPU, so that the "reverse" flow can be > installed into and removed from the netflow table. Agreed and is entirely expected for reflexive entries. Documentation indicated (presumably incorrectly) that filters on TCP flags would be punted irrespective of whether ACE was 'simple' or reflexive. > 2. For other ACLs, matching is in hardware, regardless of whether you're > matching TCP flags, first/subsequent fragments, etc. unless you've got another > modifier that requires a CPU punt (e.g. "log") I think I was thrown off by not considering that even the most pathological cases for simple matches would be an insignificant 2^6 L4Ops. I am still curious whether SXH actually supports the more flexible 'ACL TCP Flags Filtering'[1] feature, or if it was just an unintentional pick-up from the last sync against 12.2S. ('match-any' would seem to be doable at the expense of LOU's though don't see this discussed). 
[1] http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtaclflg.html

From reflect.ocean at gmail.com Thu May 14 13:44:15 2009 From: reflect.ocean at gmail.com (reflect ocean) Date: Thu, 14 May 2009 12:44:15 -0500 Subject: [c-nsp] Wifi network and too many wifi users Message-ID: <1e475c3e0905141044i19705db5r843c35cfbe007ee5@mail.gmail.com>

Hi there. I run a medium-sized wifi network. We are a Cisco shop (autonomous access points). Recently the number of wifi users has reached limits we didn't expect. Because of that, we had to adjust our subnet network in order to support more users associated to the only SSID our wireless network uses. We try to keep the configuration simple, so creating another SSID wouldn't be the best choice at the moment. I've been looking for an alternative to creating another SSID and associating it with a different subnet, but I can't find anything related to it.

Any help?

Thanks

From sethm at rollernet.us Thu May 14 14:34:25 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 14 May 2009 11:34:25 -0700 Subject: [c-nsp] Wifi network and too many wifi users In-Reply-To: <1e475c3e0905141044i19705db5r843c35cfbe007ee5@mail.gmail.com> References: <1e475c3e0905141044i19705db5r843c35cfbe007ee5@mail.gmail.com> Message-ID: <4A0C6431.2090402@rollernet.us>

reflect ocean wrote:
> Hi there. I run a medium-sized wifi network. We are a Cisco shop
> (autonomous access points). Recently the number of wifi users has reached
> limits we didn't expect. Because of that, we had to adjust our subnet
> network in order to support more users associated to the only SSID our
> wireless network uses. We try to keep the configuration simple, so creating
> another SSID wouldn't be the best choice at the moment.
> I've been looking for an alternative to creating another SSID and associating
> it with a different subnet, but I can't find anything related to it.
>
> Any help?
>

Exactly what limits are you hitting? How is your network configured?
~Seth

From sethm at rollernet.us Thu May 14 14:36:22 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 14 May 2009 11:36:22 -0700 Subject: [c-nsp] DHCP Option 66 String In-Reply-To: References: Message-ID: <4A0C64A6.1050504@rollernet.us>

Nick Ryce wrote:
> Hi Guys,
>
> I have been hunting around trying to find if when using cisco dhcp and option 66 I can use a http url rather than tftp? Within most linux dhcp daemons this can be done.
>
> Any help greatly appreciated.
>

I use a URL with mine for a pool of Polycom phones:

ip dhcp pool voip
 network x x
 default-router x
 domain-name rollernet.net
 dns-server x
 option 2 hex ffff.8f80
 option 66 ascii "http://x.rollernet.us"
 option 42 ip x
 lease infinite

~Seth

From christian at automatick.net Thu May 14 15:42:41 2009 From: christian at automatick.net (Christian Koch) Date: Thu, 14 May 2009 12:42:41 -0700 Subject: [c-nsp] Inventory tool In-Reply-To: References: Message-ID:

write a script to pull down "sh inventory raw", parse the data, clean it up and store it

On Wed, May 13, 2009 at 1:17 PM, Mohammad Khalil wrote:
>
> hey all
> i am looking for an inventory tool to store for example the serial numbers
> of routers and associated modules
> is there any software that can extract this information and store it as
> well?
>
> Thanks
>
> _________________________________________________________________
> Show them the way! Add maps and directions to your party invites.
> http://www.microsoft.com/windows/windowslive/products/events.aspx
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From josh.fleishman at gmail.com Thu May 14 15:47:03 2009 From: josh.fleishman at gmail.com (Josh Fleishman) Date: Thu, 14 May 2009 15:47:03 -0400 Subject: [c-nsp] inter-domain multicast with mvpn Message-ID: <31f82fd80905141247o318fe4fbmd6edf0a4e364be9a@mail.gmail.com>

I'm looking for some guidance regarding how to configure inter-domain multicast between an mVPN and an external provider. Specifically, I have an mVPN core running multiple mVPNs. I want to enable multicast routing between these mVPNs and a common external provider. Conceptually, my approach is to enable MBGP and MSDP peering sessions within each mVPN to the external peer. The external peer is not MDT or VRF aware. I haven't been able to find any documentation regarding this set-up. Any suggestions or pointers would be appreciated.

Thanks, Josh

From john at johnlange.ca Thu May 14 15:54:49 2009 From: john at johnlange.ca (John Lange) Date: Thu, 14 May 2009 14:54:49 -0500 Subject: [c-nsp] DHCP Option 66 String In-Reply-To: <4A0C64A6.1050504@rollernet.us> References: <4A0C64A6.1050504@rollernet.us> Message-ID: <1242330889.5407.36.camel@vandium.darkcore.net>

On Thu, 2009-05-14 at 11:36 -0700, Seth Mattinen wrote:
> I use a URL with mine for a pool of Polycom phones:
>
> ip dhcp pool voip
>  network x x
>  default-router x
>  domain-name rollernet.net
>  dns-server x
>  option 2 hex ffff.8f80
>  option 66 ascii "http://x.rollernet.us"
>  option 42 ip x
>  lease infinite

I've found that if you implement option 66 with the quotes (as above) it doesn't work on some devices, especially if it's actually a TFTP server. My option 66 looks like this:

option 66 ascii tftp.somehost.com

Which works for the Aastra phones we are using.
-- John Lange http://www.johnlange.ca From nicholas.hatch at gmail.com Thu May 14 16:03:57 2009 From: nicholas.hatch at gmail.com (nick hatch) Date: Thu, 14 May 2009 13:03:57 -0700 Subject: [c-nsp] alternatives to Cisco's SFPs In-Reply-To: References: Message-ID: Throwing in my two-cents... I've always had surprisingly good luck on third-party SFPs. Recently I replaced a 1000BaseZX Cisco GBIC transceiver with an ACP-EP no-name SFP replacement. It was a bit of a leap of faith (less than 10% of the Cisco price), so I treated it as an experiment, assumed that the optical performance might not be ideal, and double-checked the link budget before moving forward. In the months that followed, it has proved reliable. I'd be interested to hear any tips when sourcing cheaper optics: even finding a reliable data sheet for many manufacturers proved near impossible. -Nick On Tue, May 5, 2009 at 2:53 PM, Inca wrote: > Hello, > > Does anyone have good experience with non-Cisco SFPs? In particular, > we're trying to look for lower cost alternatives to GLC-T (or > SFP-GE-T), GLC-SX-MM (SFP-GE-S) and GLC-LH-SM (SFP-GE-L). Also, any > problem with using non-Cisco SFPs (even after enabling "service > unsupported-transceiver")? 
> > Thanks, > Nathan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mtinka at globaltransit.net Thu May 14 16:56:10 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Fri, 15 May 2009 04:56:10 +0800 Subject: [c-nsp] is-is question In-Reply-To: References: Message-ID: <200905150456.17092.mtinka@globaltransit.net> On Wednesday 14 May 2008 03:31:00 am victor wrote: > Because of a recent change of the organizational > structure of the company I'm employed by I was given an > order to migrate all the current routing infrastructure > (a couple of c7604, c7201 and a dozen of c4924) from OSPF > to is-is. I've never worked with is-is before and after a > bit of studying I feel comfortable enough with the > concept and a possible migration strategy. The only > question I have so far is what is-is level should I > prefer? With OSPF all devices reside in Area 0. Naturally > the closest match from is-is world would be to configure > only one level-1 area. But during my search the web for > the best practices I saw somewhere that with the same > result I could put each device into separate areas > configuring only level-2 interarea routing and completely > abandon idea of level-1. I'd very much like to hear your > opinion on this matter. For a direct comparison, what Steinar mentioned would equate to OSPF's Area 0, i.e., a single L2 level. We use multiple levels, L1 within the PoP, L2 between the PoP's, but our design may be a little more complex than what you need. Given the integration between prefix and topology information in OSPFv2, a single L2 level in IS-IS would scale slightly better than a single Area 0 in OSPF, because IS-IS separates topology from prefix information, making partial SPF runs more efficient. However, this isn't an issue with OSPFv3 anymore - it's been addressed for OSPF. 
Be careful if you're running (or plan to run) IPv6. I'd recommend configuring multi-topologies for IS-IS, as life will be a lot easier once you start turning on IPv6.

Cheers,

Mark.

From progressus at gmail.com Thu May 14 17:07:09 2009 From: progressus at gmail.com (Progressus) Date: Thu, 14 May 2009 22:07:09 +0100 Subject: [c-nsp] Docsis 3.0 Deployment Message-ID:

Hello all, Does anyone have documentation about the subject DOCSIS 3.0? I would like to read some case studies and best practices for this issue... What are the differences in using docsis3.0 or widedocsis? How can I make better use of my CMTS downstreams and my SPA cards? I use both 1.0 and 1.1 docsis, and I want to use docsis 3.0 in the same RF architecture; what are the best settings to use? What are your recommendations? Thanks for your help. Best Regards

From gert at greenie.muc.de Thu May 14 17:21:23 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 14 May 2009 23:21:23 +0200 Subject: [c-nsp] SUP720 IDB Limit In-Reply-To: <200905140827.21996.kratzers@ctinetworks.com> References: <533414.81350.qm@web110107.mail.gq1.yahoo.com> <200905140827.21996.kratzers@ctinetworks.com> Message-ID: <20090514212123.GN290@greenie.muc.de>

Hi,

On Thu, May 14, 2009 at 08:27:21AM -0400, Stephen Kratzer wrote:
> I'm seeing it in just a few releases using the following sequence:
>
> Feature Nav -> Search by Feature -> Add Virtual Private Dial-up Networking ->
> Select 7600 SUP720/MSFC3 -> See 12.2(14)SX and 12.2(14)SX1.

Did this IOS release ever exist??? I've only ever seen 12.2(18)SX...

In any case - the 7600 hardware doesn't do VPDN, so "just don't do this".

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From mmg at transtelco.net Thu May 14 17:49:36 2009 From: mmg at transtelco.net (Manuel Marín) Date: Thu, 14 May 2009 17:49:36 -0400 Subject: [c-nsp] (no subject) Message-ID:

Llopoll O

From dudepron at gmail.com Thu May 14 18:47:35 2009 From: dudepron at gmail.com (Aaron) Date: Thu, 14 May 2009 18:47:35 -0400 Subject: [c-nsp] is-is question In-Reply-To: <200905150456.17092.mtinka@globaltransit.net> References: <200905150456.17092.mtinka@globaltransit.net> Message-ID: <480dad640905141547p21c86234id5fbd518a4eaadd4@mail.gmail.com>

There are several Tier 1 isps that just run Level-1 only.

Aaron

On Thu, May 14, 2009 at 16:56, Mark Tinka wrote:
> On Wednesday 14 May 2008 03:31:00 am victor wrote:
>
> > Because of a recent change of the organizational
> > structure of the company I'm employed by I was given an
> > order to migrate all the current routing infrastructure
> > (a couple of c7604, c7201 and a dozen of c4924) from OSPF
> > to is-is. I've never worked with is-is before and after a
> > bit of studying I feel comfortable enough with the
> > concept and a possible migration strategy. The only
> > question I have so far is what is-is level should I
> > prefer? With OSPF all devices reside in Area 0. Naturally
> > the closest match from is-is world would be to configure
> > only one level-1 area. But during my search the web for
> > the best practices I saw somewhere that with the same
> > result I could put each device into separate areas
> > configuring only level-2 interarea routing and completely
> > abandon idea of level-1. I'd very much like to hear your
> > opinion on this matter.
> > For a direct comparison, what Steinar mentioned would equate > to OSPF's Area 0, i.e., a single L2 level. We use multiple > levels, L1 within the PoP, L2 between the PoP's, but our > design may be a little more complex than what you need. > > Given the integration between prefix and topology > information in OSPFv2, a single L2 level in IS-IS would > scale slightly better than a single Area 0 in OSPF, because > IS-IS separates topology from prefix information, making > partial SPF runs more efficient. > > However, this isn't an issue with OSPFv3 anymore - it's been > addressed for OSPF. > > Be careful if you're running (or plan to run) IPv6. I'd > recommend configuring multi-topologies for IS-IS, as life > will be a lot easier once you start turning on IPv6. > > Cheers, > > Mark. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From marka888 at gmail.com Thu May 14 18:53:14 2009 From: marka888 at gmail.com (Mark Austen) Date: Fri, 15 May 2009 08:53:14 +1000 Subject: [c-nsp] SUP720 IDB Limit In-Reply-To: <20090514212123.GN290@greenie.muc.de> References: <533414.81350.qm@web110107.mail.gq1.yahoo.com> <200905140827.21996.kratzers@ctinetworks.com> <20090514212123.GN290@greenie.muc.de> Message-ID: VPDN on the 7600 can be done with one of these: http://www.cisco.com/en/US/prod/collateral/modules/ps5510/product_data_sheet0900aecd800f8965_ps708_Products_Data_Sheet.html 2009/5/15 Gert Doering > Hi, > > On Thu, May 14, 2009 at 08:27:21AM -0400, Stephen Kratzer wrote: > > I'm seeing it in just a few releases using the following sequence: > > > > Feature Nav -> Search by Feature -> Add Virtual Private Dial-up > Networking -> > > Select 7600 SUP720/MSFC3 -> See 12.2(14)SX and 12.2(14)SX1. > > Did this IOS release ever exist??? > > I've only ever seen 12.2(18)SX... 
> > In any case - the 7600 hardware doesn't do VPDN, so "just don't do this".
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From bmcwhorter at bmctotalcare.com Thu May 14 19:37:44 2009 From: bmcwhorter at bmctotalcare.com (Bob McWhorter) Date: Thu, 14 May 2009 16:37:44 -0700 Subject: [c-nsp] (no subject) Message-ID: <0d6a01c9d4ed$484402bd$78fca8c0@BREW.AD>

Sent from my Windows Mobile® phone.

-----Original Message-----
From: Manuel Marín
Sent: Thursday, May 14, 2009 2:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] (no subject)

Llopoll O

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From td_miles at yahoo.com Thu May 14 20:04:47 2009 From: td_miles at yahoo.com (Tony) Date: Thu, 14 May 2009 17:04:47 -0700 (PDT) Subject: [c-nsp] SUP720 IDB Limit Message-ID: <132717.84520.qm@web110105.mail.gq1.yahoo.com>

Does the WMAN card also enable L2TP on the 7600? If it does let you do VPDN & L2TP, is it a good idea?

Thanks, Tony.
--- On Fri, 15/5/09, Mark Austen wrote: From: Mark Austen Subject: Re: [c-nsp] SUP720 IDB Limit To: "Gert Doering" Cc: cisco-nsp at puck.nether.net Date: Friday, 15 May, 2009, 8:53 AM VPDN on the 7600 can be done with one of these: http://www.cisco.com/en/US/prod/collateral/modules/ps5510/product_data_sheet0900aecd800f8965_ps708_Products_Data_Sheet.html 2009/5/15 Gert Doering > Hi, > > On Thu, May 14, 2009 at 08:27:21AM -0400, Stephen Kratzer wrote: > > I'm seeing it in just a few releases using the following sequence: > > > > Feature Nav -> Search by Feature -> Add Virtual Private Dial-up > Networking -> > > Select 7600 SUP720/MSFC3 -> See 12.2(14)SX and 12.2(14)SX1. > > Did this IOS release ever exist??? > > I've only ever seen 12.2(18)SX... > > In any case - the 7600 hardware doesn't do VPDN, so "just don't do this". > > gert > -- From benny+usenet at amorsen.dk Fri May 15 03:51:11 2009 From: benny+usenet at amorsen.dk (Benny Amorsen) Date: Fri, 15 May 2009 09:51:11 +0200 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <20090514153246.GE29526@ronin.4ever.de> (Elmar K. Bins's message of "Thu\, 14 May 2009 17\:32\:46 +0200") References: <20090514125033.GZ29526@ronin.4ever.de> <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> <20090514153246.GE29526@ronin.4ever.de> Message-ID: "Elmar K. Bins" writes: > So, the conclusion is: The mgt port is absolutely useless for me and I > could have saved the money on it. Mgt Ethernet will take one of the > precious ports on the SP, and it will make ACLs and route filtering > necessary, too. The mgmt port should perhaps be thought of as an ethernet version of the console port? Personally, I would prefer that to be the case; the more it looks like a serial port + a terminal server + a power control bar, the better. /Benny From elmi at 4ever.de Fri May 15 04:12:57 2009 From: elmi at 4ever.de (Elmar K. 
Bins) Date: Fri, 15 May 2009 10:12:57 +0200 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: References: <20090514125033.GZ29526@ronin.4ever.de> <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> <20090514153246.GE29526@ronin.4ever.de> Message-ID: <20090515081257.GN29526@ronin.4ever.de>

benny+usenet at amorsen.dk (Benny Amorsen) wrote:
> The mgmt port should perhaps be thought of as an ethernet version of the
> console port? Personally, I would prefer that to be the case; the more
> it looks like a serial port + a terminal server + a power control bar,
> the better.

Which is of not much use. Initial configuration happens over the console, and from then on, the Mgt port is supposed to be the out-of-band management transfer, used for

- AAA (Tacacs etc)
- Logging
- ssh
- NTP
- SNMP
- SW updates
- Netflow

What's the use of deliberately disabling part of the management functionality, just because "it might not be able to keep up with the bandwidth"? I can easily saturate the bw with SW updates.

This forces everyone with out-of-band management and monitoring equipment to sacrifice one of the "power ports" for management and again run ACL based security there. Just like in the olden days...

I think I'll also take this up with the BU, since implementation might be two keystrokes. Yet, with the release policy on XE, we will probably not see such a feature for quite a while.

Life sucks sometimes...

Elmar.
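As an added example, not from the thread: a Python audit over a constructed IOS-style config that sorts the management services Elmar lists by whether they are sourced from the out-of-band port or still ride in-band (where the ACLs and route filtering he mentions are needed), and checks that the management port sits in its own VRF and that the vty lines carry an access-class. The interface name, the VRF name and the config text are assumptions.

```python
"""Added example (not from the thread): audit an IOS-style configuration for
which management-plane services are sourced from the out-of-band management
port and which still ride in-band, where they depend on ACLs and route
filtering. The config text, interface and VRF names are constructed."""
import re
from typing import Callable, Dict, List, Optional, Tuple

MGMT_INTERFACE = "GigabitEthernet0"  # assumed name of the OOB management port
MGMT_VRF = "Mgmt-intf"               # assumed name of the management VRF

# Command stems that pin a service's source interface. The optional trailing
# "vrf <name>" is captured where a platform accepts it (assumption).
SOURCE_COMMANDS = {
    "tacacs":  r"^ip tacacs source-interface (\S+)(?: vrf (\S+))?",
    "logging": r"^logging source-interface (\S+)(?: vrf (\S+))?",
    "ssh":     r"^ip ssh source-interface (\S+)",
    "ntp":     r"^ntp source (\S+)",
    "snmp":    r"^snmp-server source-interface traps (\S+)",
    "netflow": r"^ip flow-export source (\S+)",
}

# Constructed sample: four services use the management port, two do not.
SAMPLE_CONFIG = """
hostname edge-router-1
vrf definition Mgmt-intf
 address-family ipv4
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.255.0.11 255.255.255.0
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.252
ip tacacs source-interface GigabitEthernet0 vrf Mgmt-intf
logging source-interface GigabitEthernet0 vrf Mgmt-intf
ip ssh source-interface GigabitEthernet0
ntp source GigabitEthernet0
snmp-server source-interface traps GigabitEthernet0/0/0
ip flow-export source GigabitEthernet0/0/0
ip flow-export destination 10.255.0.50 9996
line vty 0 4
 access-class MGMT-ACL in vrf-also
 transport input ssh
"""

Source = Tuple[str, Optional[str]]  # (interface, vrf or None)


def parse_sources(config: str) -> Dict[str, Optional[Source]]:
    """Map each known service to its configured (interface, vrf) source."""
    found: Dict[str, Optional[Source]] = {svc: None for svc in SOURCE_COMMANDS}
    for line in config.splitlines():
        line = line.strip()
        for svc, pattern in SOURCE_COMMANDS.items():
            m = re.match(pattern, line)
            if m:
                groups = m.groups()
                found[svc] = (groups[0], groups[1] if len(groups) > 1 else None)
    return found


def _block_lines(config: str, is_header: Callable[[str], bool]) -> List[str]:
    """Indented lines belonging to top-level blocks whose header matches."""
    body: List[str] = []
    in_block = False
    for raw in config.splitlines():
        if not raw.startswith(" "):          # column-0 line starts a new block
            in_block = is_header(raw.strip())
            continue
        if in_block:
            body.append(raw.strip())
    return body


def mgmt_port_in_vrf(config: str, interface: str = MGMT_INTERFACE,
                     vrf: str = MGMT_VRF) -> bool:
    """True if the management port is isolated in its own VRF."""
    block = _block_lines(config, lambda h: h == f"interface {interface}")
    return f"vrf forwarding {vrf}" in block


def vty_access_class(config: str) -> Optional[str]:
    """Name of the inbound access-class on the vty lines, or None if absent."""
    for line in _block_lines(config, lambda h: h.startswith("line vty")):
        m = re.match(r"access-class (\S+) in", line)
        if m:
            return m.group(1)
    return None


def audit(config: str, interface: str = MGMT_INTERFACE) -> Dict[str, List[str]]:
    """Sort services into 'oob' (sourced from the management port), 'inband'
    (sourced from a forwarding port) and 'unpinned' (no source set, so the
    source address follows the routing table)."""
    report: Dict[str, List[str]] = {"oob": [], "inband": [], "unpinned": []}
    for svc, src in parse_sources(config).items():
        if src is None:
            report["unpinned"].append(svc)
        elif src[0] == interface:
            report["oob"].append(svc)
        else:
            report["inband"].append(svc)
    return report


if __name__ == "__main__":
    print("management port in VRF:", mgmt_port_in_vrf(SAMPLE_CONFIG))
    print("vty access-class:", vty_access_class(SAMPLE_CONFIG))
    for bucket, services in audit(SAMPLE_CONFIG).items():
        # 'inband' services are the ones that still need ACLs and route filtering
        print(f"{bucket:9s} {', '.join(services) or '-'}")
```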
From achatz at forthnet.gr Fri May 15 04:20:36 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 15 May 2009 11:20:36 +0300 Subject: [c-nsp] High memory utilisation on ASR 1004 In-Reply-To: <20fe625b0905131721g6f906956leb048b3c09957c9e@mail.gmail.com> References: <20fe625b0905131355u9dd132ek5b894c4995da6d39@mail.gmail.com> <4A0B3CB8.3010605@forthnet.gr> <20fe625b0905131721g6f906956leb048b3c09957c9e@mail.gmail.com> Message-ID: <4A0D25D4.8000305@forthnet.gr> From my tests, SSO/RPR doesn't make a difference in the initial free mem. If you put "none" under redundancy, you'll get around 1.8GB of free mem. -- Tassos Pshem Kowalczyk wrote on 14/05/2009 03:21: > Hi, > > Are you saying that if we didn't run it in SSO mode the single IOS > running would have access to more memory? I don't have access to a > test one to verify it. > > kind regards > Pshem > > 2009/5/14 Tassos Chatzithomaoglou : >> Dual IOSd processes in ASR1000 SW redundancy result in both the active and >> standby process having access to about 750MB of RP memory (each); what is >> left is used by other RP processes. Check "sh platform soft status contr" >> for more details about RP mem usage. >> >> Regarding the SBC thing... i had the same problem...but i haven't got any >> answer yet. >> >> PS: To be honest, i haven't found any real advantage of sw redundancy yet. I >> only met more issues. > From benny+usenet at amorsen.dk Fri May 15 04:23:09 2009 From: benny+usenet at amorsen.dk (Benny Amorsen) Date: Fri, 15 May 2009 10:23:09 +0200 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <20090515081257.GN29526@ronin.4ever.de> (Elmar K. Bins's message of "Fri\, 15 May 2009 10\:12\:57 +0200") References: <20090514125033.GZ29526@ronin.4ever.de> <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> <20090514153246.GE29526@ronin.4ever.de> <20090515081257.GN29526@ronin.4ever.de> Message-ID: "Elmar K. 
Bins" writes: > This forces everyone with out-of-band management and monitoring > equipment to sacrifice one of the "power ports" for management > and again run ACL based security there. Just like in the olden > days... It allows the rest of us to get rid of the terminal servers and the managed power bars. Assuming you can power cycle a failed router through the management ports, of course. The port should be sufficiently isolated that there is no risk of an intrusion providing the attacker access to the management network, even if the attacker can run arbitrary code on the router. Again, just like a serial port. It's about time the router vendors give us the remote management capabilities that server vendors have provided for years or decades. /Benny From achatz at forthnet.gr Fri May 15 04:49:07 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 15 May 2009 11:49:07 +0300 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <20090515081257.GN29526@ronin.4ever.de> References: <20090514125033.GZ29526@ronin.4ever.de> <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> <20090514153246.GE29526@ronin.4ever.de> <20090515081257.GN29526@ronin.4ever.de> Message-ID: <4A0D2C83.8060400@forthnet.gr> The real advantage of ASR's management port is the ability to use it regardless of the IOS condition. Other than that, i don't know how QFP marketing was supposed to solve all things, but netflow functionality in ASR (CPU bound?) is in infant phase. -- Tassos Elmar K. Bins wrote on 15/05/2009 11:12: > benny+usenet at amorsen.dk (Benny Amorsen) wrote: > >> The mgmt port should perhaps be thought of as an ethernet version of the >> console port? Personally, I would prefer that to be the case; the more >> it looks like a serial port + a terminal server + a power control bar, >> the better. > > Which is of not much use. 
Initial configuration happens over the console,
> and from then on, the Mgt port is supposed to be the out-of-band
> management transfer, used for
>
> - AAA (Tacacs etc)
> - Logging
> - ssh
> - NTP
> - SNMP
> - SW updates
> - Netflow
>
>
> What's the use of deliberately disabling part of the management
> functionality, just because "it might not be able to keep up
> with the bandwidth"? I can easily saturate the bw with SW updates.
>
> This forces everyone with out-of-band management and monitoring
> equipment to sacrifice one of the "power ports" for management
> and again run ACL based security there. Just like in the olden
> days...
>
> I think I'll also take this up with the BU, since implementation
> might be two keystrokes. Yet, with the release policy on XE, we
> will probably not see such a feature for quite a while.
>
> Life sucks sometimes...
>
> Elmar.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From Anton.Schweitzer at o2.com Fri May 15 04:50:23 2009 From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com) Date: Fri, 15 May 2009 10:50:23 +0200 Subject: [c-nsp] X.28 PAD Connection Message-ID:

Hi,

we do an X.25 over TCP connection with Cisco IOS 12.4. All works fine, but when we have entered the Data Transfer Mode:

Host1----PAD---XOT------IP------XOT-------X.25 Host2

then I have the problem that host 1 needs to switch back from Data Transfer Mode to clear the call, but when it sends BREAK nothing happens.

X29 profile xxx

Anybody an idea what's wrong?

Anton Schweitzer
Senior Specialist BS Projekt & Service
Customer Design

o2 (Germany) GmbH & Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobile +49(0)176-23407715
Fax +49(0)89-2442-4281
anton.schweitzer at o2.com

A contribution to environmental protection: not every e-mail needs to be printed.
http://www.o2engagiert-fuer-morgen.de

Telefónica o2 Germany GmbH & Co. OHG · Georg-Brauchle-Ring 23-25 · 80992 München · Germany · www.o2.com/de

VAT ID no. DE 811 889 638. Munich District Court HRA 70343. Partners: Telefónica o2 Germany Management GmbH, Munich District Court HRB 109061, and Telefónica o2 Germany Verwaltungs GmbH, Munich District Court HRB 121389, both registered there. Managing directors of both partners: Jaime Smith Basterra, Chairman. Antonio Botas Banuelos. Andrea Folgueiras. André Krause. Lutz Schüler. Carsten Wreth.

From gsgranados at comcast.net Fri May 15 06:00:26 2009 From: gsgranados at comcast.net (Scott Granados) Date: Fri, 15 May 2009 03:00:26 -0700 Subject: [c-nsp] X.28 PAD Connection In-Reply-To: References: Message-ID:

X.25! Right about now I expect Professor Peabody to tell his pet boy Sherman to set the Way Way Back machine. ;)

----- Original Message -----
From:
To:
Sent: Friday, May 15, 2009 1:50 AM
Subject: [c-nsp] X.28 PAD Connection

> Hi,
>
> we do an X.25 over TCP connection with Cisco IOS 12.4. All works fine, but
> when we have entered the Data Transfer Mode:
>
>
> Host1----PAD---XOT------IP------XOT-------X.25 Host2
>
>
> then I have the problem that host 1 needs to switch back from Data
> Transfer Mode to clear the call, but when it sends BREAK
> nothing happens.
>
> X29 profile xxx
>
>
> Anybody an idea what's wrong?
>
> Anton Schweitzer
> Senior Specialist BS Projekt & Service
> Customer Design
>
> o2 (Germany) GmbH & Co.OHG
> Georg Brauchle-Ring 23-25, D-80992 München
> Tel +49(0)89-2442-5794
> Mobile +49(0)176-23407715
> Fax +49(0)89-2442-4281
> anton.schweitzer at o2.com
>
> A contribution to environmental protection: not every e-mail needs to be printed.
> http://www.o2engagiert-fuer-morgen.de
>
> Telefónica o2 Germany GmbH & Co. OHG · Georg-Brauchle-Ring 23-25 · 80992
> München · Germany · www.o2.com/de
>
> VAT ID no. DE 811 889 638. Munich District Court HRA 70343.
> Partners: Telefónica o2 Germany Management GmbH,
Munich District Court
> HRB 109061, and
> Telefónica o2 Germany Verwaltungs GmbH, Munich District Court HRB 121389,
> both registered there.
> Managing directors of both partners: Jaime Smith Basterra, Chairman.
> Antonio Botas Banuelos. Andrea Folgueiras. André Krause. Lutz Schüler.
> Carsten Wreth.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From fraglet at gmail.com Fri May 15 06:05:40 2009 From: fraglet at gmail.com (John) Date: Fri, 15 May 2009 11:05:40 +0100 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <4A0D2C83.8060400@forthnet.gr> References: <20090514125033.GZ29526@ronin.4ever.de> <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> <20090514153246.GE29526@ronin.4ever.de> <20090515081257.GN29526@ronin.4ever.de> <4A0D2C83.8060400@forthnet.gr> Message-ID: <5c374d9a0905150305xb591777ka622fb0aca0c3ab1@mail.gmail.com>

Hi

I asked the BU about this directly about a month ago, and their response is:

"Yes we keep getting asked this... The RP doesn't perform the netflow export, it's the ESP, and there's currently no performant mechanism to get the ESP to return the flows to the RP for export; even if we do add this later, the export capability of the platform will be crippled in terms of exports/sec.."

Their response is to add another port on the platform into a management vrf, which is all well and good but costs $$

The vrf option in netflow export is slated for the next code release, but as others have mentioned can be negated for now with a static route to destination, but obviously not via the management port.

Regards

John

From elmi at 4ever.de Fri May 15 06:22:49 2009 From: elmi at 4ever.de (Elmar K.
Bins) Date: Fri, 15 May 2009 12:22:49 +0200 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <5c374d9a0905150305xb591777ka622fb0aca0c3ab1@mail.gmail.com> References: <20090514125033.GZ29526@ronin.4ever.de> <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> <20090514153246.GE29526@ronin.4ever.de> <20090515081257.GN29526@ronin.4ever.de> <4A0D2C83.8060400@forthnet.gr> <5c374d9a0905150305xb591777ka622fb0aca0c3ab1@mail.gmail.com> Message-ID: <20090515102249.GT29526@ronin.4ever.de> Re John, thank you for the very comprehensive answer. That makes me at least understand the issue (I don't have to like it...). Cheers, Elmar. From lists at memetic.org Fri May 15 08:21:50 2009 From: lists at memetic.org (Adam Armstrong) Date: Fri, 15 May 2009 13:21:50 +0100 Subject: [c-nsp] ASR 1000 series again: Netflow export In-Reply-To: <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> References: <20090514090638.GQ29526@ronin.4ever.de> <20090514125033.GZ29526@ronin.4ever.de> <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> Message-ID: <4A0D5E5E.6000703@memetic.org> We've seen some pretty serious issues with all NF export on ASR1Ks stopping on config changes (merely taking off bgp-nexthop triggers it) until a reboot. We're also a little disappointed at the lack of support for IPv6 flow export support and proper Flexible Netflow support. SRD, SB and XNC all seem to have completely different levels of feature implementation for Netflow, which makes keeping things consistent pretty difficult. Is Flexible Netflow/IPv6 support coming soon? adam. > Is it supported in any mgmt port at very high speed?.. ;).. ASR1000 main > focus was to deal with the high speed netflow and fw logging needs so > that's why enabling nf exporting from this mgmt port hasn't been a very > high priority item. 
We can take this offline and work with you and your > account team so we can reprioritize accordingly, but this is definitely > not supported. > > HTH > > >> jared at puck.nether.net (Jared Mauch) wrote: >> >> >>> These are all things you should raise with erbu directly. We have >>> >> been >> >>> having the same config delays. This is apparently a known issue. >>> >> Actually, like ten minutes ago I found something deep in the CsC that >> said exporting netflow data over the Mgt Interface was an unsupported >> config option... >> >> My thought, and I quote: "WTF?" >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gert at greenie.muc.de Fri May 15 08:35:29 2009 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 15 May 2009 14:35:29 +0200 Subject: [c-nsp] SUP720 IDB Limit In-Reply-To: References: <533414.81350.qm@web110107.mail.gq1.yahoo.com> <200905140827.21996.kratzers@ctinetworks.com> <20090514212123.GN290@greenie.muc.de> Message-ID: <20090515123529.GP290@greenie.muc.de> Hi, On Fri, May 15, 2009 at 08:53:14AM +1000, Mark Austen wrote: > VPDN on the 7600 can be done with one of these: > > http://www.cisco.com/en/US/prod/collateral/modules/ps5510/product_data_sheet0900aecd800f8965_ps708_Products_Data_Sheet.html Yes, that's an amazing product. They might even support it longer than it takes to actually ship one to you - and no, the 6500/7600 BUs have not been very good in building customer trust. I'd not go there. gert -- USENET is *not* the non-clickable part of WWW! 
//www.muc.de/~gert/
Gert Doering - Munich, Germany                 gert at greenie.muc.de
fax: +49-89-35655025          gert at net.informatik.tu-muenchen.de

From jared at puck.nether.net Fri May 15 09:00:58 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 15 May 2009 09:00:58 -0400
Subject: [c-nsp] ASR 1000 series again: Netflow export
In-Reply-To: <20090515081257.GN29526@ronin.4ever.de>
References: <20090514125033.GZ29526@ronin.4ever.de> <8575A1BA6D8006418FD2CD73FCC2B2E6099EEC83@xmb-sjc-231.amer.cisco.com> <20090514153246.GE29526@ronin.4ever.de> <20090515081257.GN29526@ronin.4ever.de>
Message-ID:

On May 15, 2009, at 4:12 AM, Elmar K. Bins wrote:

> benny+usenet at amorsen.dk (Benny Amorsen) wrote:
>
>> The mgmt port should perhaps be thought of as an ethernet version
>> of the console port? Personally, I would prefer that to be the case;
>> the more it looks like a serial port + a terminal server + a power
>> control bar, the better.
>
> Which is of not much use. Initial configuration happens over the
> console, and from then on, the Mgt port is supposed to be the
> out-of-band management transfer, used for
>
> - AAA (Tacacs etc)
> - Logging
> - ssh
> - NTP
> - SNMP
> - SW updates
> - Netflow
>
> What's the use of deliberately disabling part of the management
> functionality, just because "it might not be able to keep up
> with the bandwidth"? I can easily saturate the bw with SW updates.

Not all of the above work on the mgmt, and I'm not talking about netflow.

You should ask these questions to Cisco directly.

- Jared

From rvelnara at cisco.com Fri May 15 09:51:46 2009
From: rvelnara at cisco.com (Ramnath Velnarayanan)
Date: Fri, 15 May 2009 19:21:46 +0530
Subject: [c-nsp] Need help in cat6k.
Message-ID: <00ac01c9d564$4aa960b0$e5064d0a@cisco.com>

Hey Folks,

This is regarding a Cisco Catalyst 6500 series switch with a PISA Sup32 engine which is running IOS version 12.2SXI.

In a redundancy setup of a 9 slot chassis, is there any command/rommon variable to predefine the 6th slot supervisor to hold the position of "active supervisor" even after every reload? (Whereas in the case of gear running CatalystOS, the active supervisor will be decided based on the slot position, i.e., the 5th slot sup will always try to become the active.)

Thanks in advance
R.Ramnath

From KaeglerM at tessco.com Fri May 15 11:02:43 2009
From: KaeglerM at tessco.com (Kaegler, Mike)
Date: Fri, 15 May 2009 11:02:43 -0400
Subject: [c-nsp] Wifi network and too many wifi users
In-Reply-To: <1e475c3e0905141044i19705db5r843c35cfbe007ee5@mail.gmail.com>
Message-ID:

On 5/14/09 1:44 PM, "reflect ocean" wrote:

> Hi there. I run a medium-sized wifi network. We are a cisco shop
> (autonomous access points). Recently wifi user numbers have reached
> limits we didn't expect. Because of that, we had to adjust our subnet
> network in order to support more users associated to the only SSID our
> wireless network uses. We try to keep configuration simple so creating
> another ssid wouldn't be the best choice at the moment.
> I've been looking for an alternative to create another ssid and associate
> it to another different subnet but I can't find any related to.

You can grow the subnet or add another.

If you want, you can create a second wlan with the same ssid and security settings as the first, assign it to a different vlan (and therefore subnet) and deploy that ssid profile to half the APs.
Of course you break mobility.

Or just make it a larger subnet. Depending on how your addressing is configured today, you might even be able to avoid booting everybody.

-porkchop
-- 
Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
Your wireless success, nothing less.
http://www.tessco.com/

From danletkeman at gmail.com Fri May 15 11:03:36 2009
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 15 May 2009 10:03:36 -0500
Subject: [c-nsp] 827 noise margin
Message-ID:

Hello,

I have an 827 router that seems to have noise issues after a while and I'm wondering if it is the device or the line? The noise margin drops down after a week or two of use. If I restart the router the noise margin is back up to about 7 dB. This is what it looks like after a week or two:

                         ATU-R (DS)                 ATU-C (US)
Modem Status:            Showtime (DMTDSL_SHOWTIME)
DSL Mode:                ITU G.992.1 (G.DMT)
ITU STD NUM:             0x01                       0x01
Vendor ID:               'ALCB'                     'ANDV'
Vendor Specific:         0x0000                     0x0000
Vendor Country:          0x00                       0x00
Capacity Used:           96%                        104%
Noise Margin:            -41.5 dB                   11.0 dB
Output Power:            20.0 dBm                   12.0 dBm
Attenuation:             32.5 dB                    18.0 dB
Defect Status:           LOM                        None
Last Fail Code:          Protocol error
Selftest Result:         0x49
Subfunction:             0x02
Interrupts:              661 (1 spurious)
Activations:             2
SW Version:              3.8129
FW Version:              0x1A0

Dan.

From peter.hicks at poggs.co.uk Fri May 15 11:27:54 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Fri, 15 May 2009 16:27:54 +0100
Subject: [c-nsp] 827 noise margin
In-Reply-To:
References:
Message-ID: <4A0D89FA.9050809@poggs.co.uk>

Hi Dan

Dan Letkeman wrote:
> I have an 827 router that seems to have noise issues after a while
> and I'm wondering if it is the device or the line? The noise margin
> drops down after a week or two of use. If I restart the router the
> noise margin is back up to about 7 dB.

What happens if you shut/no shut the ATM interface?

What does the DMT bin loading table (enable the training log on ATM0, show dsl int atm0) look like before and after retraining? Are you getting noise on specific bins?

I have a script that you can run on a Linux system that will dump 5-second readings for the US and DS SNR, speed, and number of ESes and present it graphically - I can make this available to you if you like.
Peter

From reflect.ocean at gmail.com Fri May 15 13:44:15 2009
From: reflect.ocean at gmail.com (reflect ocean)
Date: Fri, 15 May 2009 12:44:15 -0500
Subject: [c-nsp] Wifi network and too many wifi users
In-Reply-To:
References: <1e475c3e0905141044i19705db5r843c35cfbe007ee5@mail.gmail.com>
Message-ID: <1e475c3e0905151044v5eb09ee1vc17be2763827faf0@mail.gmail.com>

Our wireless lan is currently reaching 1000 users or so. I'm not very comfortable with the idea of having such a number of users in a subnet.

We have deployed around 60 cisco autonomous access points throughout the campus and this subnet is firewalled and routed in our core switch which is a hop away from accessing the Internet. It's a very simple design.

What would be a recommended deployment in this case with a growing number of users?

Would deploying lwap bring any advantage to this design? We want to keep a single ssid and mobility.

What about a mesh network?

Thanks

On Fri, May 15, 2009 at 10:02 AM, Kaegler, Mike wrote:
> On 5/14/09 1:44 PM, "reflect ocean" wrote:
>
>> Hi there. I run a medium-sized wifi network. We are a cisco shop
>> (autonomous access points). Recently wifi user numbers have reached
>> limits we didn't expect. Because of that, we had to adjust our subnet
>> network in order to support more users associated to the only SSID our
>> wireless network uses. We try to keep configuration simple so creating
>> another ssid wouldn't be the best choice at the moment.
>> I've been looking for an alternative to create another ssid and associate
>> it to another different subnet but I can't find any related to.
>
> You can grow the subnet or add another.
>
> If you want, you can create a second wlan with the same ssid and security
> settings as the first, assign it to a different vlan (and therefore subnet)
> and deploy that ssid profile to half the APs.
> Of course you break mobility.
>
> Or just make it a larger subnet.
> Depending on how your addressing is
> configured today, you might even be able to avoid booting everybody.
> -porkchop
>
> --
> Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
> Your wireless success, nothing less. http://www.tessco.com/

From panocisco77 at gmail.com Fri May 15 14:05:25 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Fri, 15 May 2009 14:05:25 -0400
Subject: [c-nsp] Need Help troubleshooting a 6513
Message-ID: <16e2ac180905151105m13bb4f76t16b9913e54c06310@mail.gmail.com>

Hello list

I am configuring a 6513. I've created all my VLANs and assigned them to all my ports, however when I do sho vlan I see all my ports except the ones in slot 5, but when I do sho run I can see them with the correct vlan. When I do sho mod here is what I get:

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  3  Pass
  4  Pass
  5  Not Applicable
  7  Pass

Does that mean the module is defective? Or the slot is bad?

Any help will be appreciated

Renelson

From avayner at cisco.com Fri May 15 14:35:20 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 15 May 2009 20:35:20 +0200
Subject: [c-nsp] Need Help troubleshooting a 6513
In-Reply-To: <16e2ac180905151105m13bb4f76t16b9913e54c06310@mail.gmail.com>
References: <16e2ac180905151105m13bb4f76t16b9913e54c06310@mail.gmail.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7A40CA6@xmb-ams-331.emea.cisco.com>

Renelson,

Can you please share the output of show module?
Thanks
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Renelson Panosky
Sent: Friday, May 15, 2009 21:05
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Need Help troubleshooting a 6513

Hello list

I am configuring a 6513. I've created all my VLANs and assigned them to all my ports, however when I do sho vlan I see all my ports except the ones in slot 5, but when I do sho run I can see them with the correct vlan. When I do sho mod here is what I get:

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  3  Pass
  4  Pass
  5  Not Applicable
  7  Pass

Does that mean the module is defective? Or the slot is bad?

Any help will be appreciated

Renelson

From Jay.Murphy at state.nm.us Fri May 15 15:38:04 2009
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Fri, 15 May 2009 13:38:04 -0600
Subject: [c-nsp] Need Help troubleshooting a 6513
In-Reply-To: <16e2ac180905151105m13bb4f76t16b9913e54c06310@mail.gmail.com>
References: <16e2ac180905151105m13bb4f76t16b9913e54c06310@mail.gmail.com>
Message-ID:

Do outputs for the module... reseat the module, reload the microcode. These can be used at different moments.

Jay Murphy
IP Network Specialist
NM State Government
IT Services Division
PSB - IP Network Management Center
Santa Fé, New México 87502
Bus. Ph.: 505.827.2851

"We move the information that moves your world."
Please consider the environment before printing e-mail

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Renelson Panosky
Sent: Friday, May 15, 2009 12:05 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Need Help troubleshooting a 6513

Hello list

I am configuring a 6513. I've created all my VLANs and assigned them to all my ports, however when I do sho vlan I see all my ports except the ones in slot 5, but when I do sho run I can see them with the correct vlan. When I do sho mod here is what I get:

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  3  Pass
  4  Pass
  5  Not Applicable
  7  Pass

Does that mean the module is defective? Or the slot is bad?

Any help will be appreciated

Renelson
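As an added illustration for the 6513 thread above (this is not code from the list or from Cisco), the small Python parser below reads the "Online Diag Status" section of `show module`, returns a slot-to-status map, and separates two things that are easy to conflate when eyeballing the table: slots whose diagnostics reported something other than Pass, and slots that are simply absent from the table (an empty slot is not a fault). The sample text is constructed from the output Renelson pasted; the 13-slot chassis size is taken from the 6513 model name. Later in the thread the fix turned out to be `power enable module 5`, which is exactly the kind of slot this flags.

```python
import re
from typing import Dict, List

# Constructed sample: the Online Diag Status table as pasted in the thread above.
SAMPLE_SHOW_MOD = """\
Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  3  Pass
  4  Pass
  5  Not Applicable
  7  Pass
"""

# One table row: a slot number followed by the status text (which may contain spaces).
ROW_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_diag_status(text: str) -> Dict[int, str]:
    """Return {slot: status} from the Online Diag Status section of 'show module'.

    The section begins at the 'Mod  Online Diag Status' header and ends at the
    first blank line or at the first line that is not a table row, so the full
    'show module' output (with its other sections) can be passed in unchanged.
    """
    status: Dict[int, str] = {}
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Mod") and "Online Diag Status" in stripped:
            in_section = True
            continue
        if not in_section:
            continue
        if not stripped:                 # blank line terminates the section
            break
        if stripped.startswith("----"):  # column underline
            continue
        m = ROW_RE.match(line)
        if not m:                        # a header of the next section
            break
        status[int(m.group(1))] = m.group(2)
    return status


def modules_needing_attention(status: Dict[int, str]) -> List[int]:
    """Slots whose diagnostics did not report a clean Pass
    (e.g. 'Not Applicable', 'Minor Error', 'Major Error'), sorted by slot."""
    return sorted(slot for slot, st in status.items() if st != "Pass")


def missing_slots(status: Dict[int, str], chassis_slots: int) -> List[int]:
    """Slots within the chassis that do not appear in the table at all.
    Reported separately: an absent slot is usually just empty, not a failure."""
    return [s for s in range(1, chassis_slots + 1) if s not in status]


if __name__ == "__main__":
    st = parse_diag_status(SAMPLE_SHOW_MOD)
    print("attention:", modules_needing_attention(st))   # [5]
    print("absent:", missing_slots(st, 13))               # [6, 8, 9, 10, 11, 12, 13]
```

Feeding the complete `show module` output rather than the excerpt works the same way, because parsing starts only at the diag header and stops at the next section.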
From misha at netspark.org Fri May 15 19:43:09 2009
From: misha at netspark.org (Michael)
Date: Sat, 16 May 2009 03:43:09 +0400
Subject: [c-nsp] Wifi network and too many wifi users
In-Reply-To: <1e475c3e0905151044v5eb09ee1vc17be2763827faf0@mail.gmail.com>
References: <1e475c3e0905141044i19705db5r843c35cfbe007ee5@mail.gmail.com> <1e475c3e0905151044v5eb09ee1vc17be2763827faf0@mail.gmail.com>
Message-ID: <20090515234309.GA13734@netspark.org>

reflect ocean wrote:
> Our wireless lan is currently reaching 1000 users or so. I'm not very
> comfortable with the idea of having such a number of users in a subnet.
> We have deployed around 60 cisco autonomous access points throughout
> the campus and this subnet is firewalled and routed in our core switch
> which is a hop away from accessing the Internet. It's a very simple design.
> What would be a recommended deployment in this case with a growing
> number of users?
> Would deploying lwap bring any advantage to this design? We want to
> keep a single ssid and mobility.
> What about a mesh network?

You definitely need a controller based solution; the feature which you need is called "AP groups".

From ibrahim.abozaid at gmail.com Sat May 16 06:12:40 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Sat, 16 May 2009 13:12:40 +0300
Subject: [c-nsp] SVI always up !
Message-ID:

Hi All

I have a strange situation and I think it is normal but I need a solution for it.

I have 2 MLS and VLAN x is created on both and there is an L2 etherchannel between both and it allows all VLANs. When all access ports in VLAN x in any MLS go down, the SVI is always up although all access ports are down, and that is normal due to the trunk ports always allowing all VLANs.

So is there any command to bind SVI status to access port status only, so when the access ports go down, the SVI goes down also?

best regards
--Ibrahim

From peter at rathlev.dk Sat May 16 07:24:12 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 16 May 2009 13:24:12 +0200
Subject: [c-nsp] SVI always up !
In-Reply-To:
References:
Message-ID: <1242473052.3339.1.camel@localhost.localdomain>

On Sat, 2009-05-16 at 13:12 +0300, Ibrahim Abo Zaid wrote:
> I have a strange situation and I think it is normal but I need a solution
> for it.
>
> I have 2 MLS and VLAN x is created on both and there is an L2 etherchannel
> between both and it allows all VLANs. When all access ports in VLAN x in
> any MLS go down, the SVI is always up although all access ports are down,
> and that is normal due to the trunk ports always allowing all VLANs.
>
> So is there any command to bind SVI status to access port status only, so
> when the access ports go down, the SVI goes down also?

You can use "switchport autostate exclude" on the trunk port.

http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s7.html#wp1012922

Regards,
Peter

From progressus at gmail.com Sat May 16 10:56:46 2009
From: progressus at gmail.com (Progressus)
Date: Sat, 16 May 2009 15:56:46 +0100
Subject: [c-nsp] Docsis 3.0 Deployment
In-Reply-To:
References:
Message-ID:

Hello all,

Does anyone have documentation about the subject DOCSIS 3.0? I would like to read some case studies and best practices for this issue...

What are the differences in using docsis3.0 or widedocsis?

How can I make better use of my CMTS downstreams and my SPA cards?

I use both 1.0 and 1.1 docsis, and I want to use docsis 3.0 in the same RF architecture; what are the best settings to use?

What are your recommendations?

Thanks for your help.

Best Regards

From sgranger at randfinancial.com Sat May 16 12:54:52 2009
From: sgranger at randfinancial.com (Sean Granger)
Date: Sat, 16 May 2009 11:54:52 -0500
Subject: [c-nsp] VPN Backup on PIX
Message-ID: <4A0EA98C020000D9000020C8@mail.randfinancial.com>

Running 7.2.4~, we're trying to fail from one interface which has a direct connection to the customer, to a VPN connection over the Internet ... which is the outbound interface.
The assumption here was that in using tracking and a higher metric route to the tunnel's end point / gateway ... the PIX would initiate the tunnel and send traffic through it, in the event that the direct connection was down.

From the customer's perspective, when they manually remove their route over the direct connection, it works. Their gear then brings the traffic over the tunnel it's established and ours responds accordingly. I never have to remove the route over the direct connection. I can only assume this is because of the state of the translation slots in the tunnel and how the PIX works.

However, when I try to originate the traffic, the PIX is still trying to send it through the direct interface and not into a tunnel, even though in tracking, it knows the route isn't valid.

I've considered a few workarounds, i.e. having the direct connection as a vpn tunnel as well and just adding a secondary gateway in the event one cannot be reached, and/or NATing their network in one direction (currently, we exempt from both interfaces, which as I've said, works as long as they originate).

I've been trying to dig up an "order of operations" on the PIX, to no avail. I would assume that directly connected neighbors take precedence in routing over establishing a VPN connection, but when that neighbor is dead, the next route should come into play. It doesn't seem like rocket science, after all, metric routing is about as basic as it gets ... but still no luck.

Has anyone had any success doing something similar or am I violating routing rules on the PIX?
Regards,
Sean

From lists at memetic.org Sat May 16 13:20:05 2009
From: lists at memetic.org (Adam Armstrong)
Date: Sat, 16 May 2009 18:20:05 +0100
Subject: [c-nsp] OSPF fast convergence
In-Reply-To: <4A09AFA4.1070300@rainierconnect.net>
References: <4A09AFA4.1070300@rainierconnect.net>
Message-ID: <4A0EF5C5.5000902@memetic.org>

Walter Keen wrote:
> When redesigning an OSPF service provider network, (default values, with

IS-IS? Sounds like a good time to switch (you'll not be disrupting existing stuff either)

adam.

From progressus at gmail.com Sat May 16 18:08:20 2009
From: progressus at gmail.com (Miguel)
Date: Sat, 16 May 2009 23:08:20 +0100
Subject: [c-nsp] Docsis 3.0 Deployment
In-Reply-To:
References:
Message-ID: <3e6d75bc0905161508jdd1535dj32c883d9840a1ee@mail.gmail.com>

Hello all,

Does anyone have documentation about the subject DOCSIS 3.0? I would like to read some case studies and best practices for this issue...

What are the differences in using docsis3.0 or widedocsis?

How can I make better use of my CMTS downstreams and my SPA cards?

I use both 1.0 and 1.1 docsis, and I want to use docsis 3.0 in the same RF architecture; what are the best settings to use?

What are your recommendations?

Thanks for your help.

Best Regards

From networking.stuff at googlemail.com Sun May 17 05:23:15 2009
From: networking.stuff at googlemail.com (Chintan Shah)
Date: Sun, 17 May 2009 14:53:15 +0530
Subject: [c-nsp] 3750 buffer value per port
Message-ID: <1e7e04890905170223le04aa7bi4916a1d92f075330@mail.gmail.com>

Hi Guys,

Does anyone know the Tx/Rx buffer size per port on a 3750?
We normally allocate buffer by using mls qos with a % of the total size but I could not find what the size is.

From ibrahim.abozaid at gmail.com Sun May 17 07:53:37 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Sun, 17 May 2009 14:53:37 +0300
Subject: [c-nsp] SVI always up !
In-Reply-To: <1242473052.3339.1.camel@localhost.localdomain>
References: <1242473052.3339.1.camel@localhost.localdomain>
Message-ID:

Thanks Peter

That seems like it will work, but it is applied globally for all VLANs; is there any way to apply it per-VLAN?

best regards
--Ibrahim

On Sat, May 16, 2009 at 2:24 PM, Peter Rathlev wrote:
> On Sat, 2009-05-16 at 13:12 +0300, Ibrahim Abo Zaid wrote:
> > I have a strange situation and I think it is normal but I need a solution
> > for it.
> >
> > I have 2 MLS and VLAN x is created on both and there is an L2 etherchannel
> > between both and it allows all VLANs. When all access ports in VLAN x in
> > any MLS go down, the SVI is always up although all access ports are down,
> > and that is normal due to the trunk ports always allowing all VLANs.
> >
> > So is there any command to bind SVI status to access port status only, so
> > when the access ports go down, the SVI goes down also?
>
> You can use "switchport autostate exclude" on the trunk port.
>
> http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s7.html#wp1012922
>
> Regards,
> Peter

From dr at cluenet.de Sun May 17 08:02:03 2009
From: dr at cluenet.de (Daniel Roesen)
Date: Sun, 17 May 2009 14:02:03 +0200
Subject: [c-nsp] Nexus 5000?
In-Reply-To:
References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> <4A07004D.50302@harg.net> <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> <20090511052621.GI29526@ronin.4ever.de>
Message-ID: <20090517120203.GA4184@srv03.cluenet.de>

On Mon, May 11, 2009 at 10:28:03AM -0400, Dan Armstrong wrote:
> How did you get your ASR1002 to link at 100M?
This might be related to this thread:

http://puck.nether.net/pipermail/cisco-nsp/2008-December/056829.html

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From dr at cluenet.de Sun May 17 08:12:19 2009
From: dr at cluenet.de (Daniel Roesen)
Date: Sun, 17 May 2009 14:12:19 +0200
Subject: [c-nsp] Nexus 5000?
In-Reply-To:
References: <4A01BEB9.4080402@chrisserafin.com> <4A01FB6D.10703@thewybles.com> <483E6B0272B0284BA86D7596C40D29F9C38082C371@PUR-EXCH07.ox.com> <4A07004D.50302@harg.net> <483E6B0272B0284BA86D7596C40D29F9C3811FCDF4@PUR-EXCH07.ox.com> <20090511052621.GI29526@ronin.4ever.de>
Message-ID: <20090517121219.GB4184@srv03.cluenet.de>

On Mon, May 11, 2009 at 10:28:03AM -0400, Dan Armstrong wrote:
> How did you get your ASR1002 to link at 100M?
[...]
> This port has a GLC-T in it, and is plugged into a 100M Port on an
> ME3400... I can't get it up. :-)

I just discovered:

http://www.cisco.com/en/US/docs/routers/asr1000/quick/start/guide/asr1_qs2.html#wp64385

See the note below the table:

"**The built-in Gigabit Ethernet ports on the Cisco ASR1002 Router support the same small form-factor pluggable (SFP) optical transceivers as the 5x1 GE SPA. Note that the Cisco ASR1002 built-in GE ports support only the SFP-GE-T but not the SFP-GLC-T."

So using GLC-T instead of SFP-GE-T is a non-starter. I guess it's the SGMII thing referenced in my former reply.

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From daryl at introspect.net Sun May 17 10:06:28 2009
From: daryl at introspect.net (Daryl G.
Jurbala)
Date: Sun, 17 May 2009 10:06:28 -0400
Subject: [c-nsp] About Multihoming
In-Reply-To: <045FAF84-D706-41A9-9641-CB4D593ADB2B@gmail.com>
References: <4A0A6BF7.4010103@gmail.com> <045FAF84-D706-41A9-9641-CB4D593ADB2B@gmail.com>
Message-ID: <25567A39-4EE9-49FE-8010-6D72368AD225@introspect.net>

Multihoming is not always about redundancy, and the most likely point of failure is not always your own router. It is often something much more expensive, like your power.

On May 13, 2009, at 4:06 PM, Robert Maier wrote:

> but if you are using Multihoming, only one router is single point of
> failure.
>
> So in the most cases you would use 2 routers with HSRP to the LAN side

From aptgetd at gmail.com Sun May 17 17:04:03 2009
From: aptgetd at gmail.com (sky)
Date: Sun, 17 May 2009 14:04:03 -0700
Subject: [c-nsp] netflow on 12.0(25)s1
Message-ID: <4A107BC3.8080903@gmail.com>

Hello all,

I have configured netflow on a 7204vxr running 12.0(25)s1 and for some reason my netflow collector is not seeing data, whereas an adjacent router with a different code is exporting fine. There's nothing blocking netflow packets from the source to the netflow collector.

brief config:

interface fastethernet0/0
 ......
 ip route-cache flow

ip flow-export source loopback0
ip flow-export version 5 peer-as
ip flow-export destination x.x.x.x

'show ip flow export' shows data being exported via source loopback0 to the destination but the netflow collector is not seeing anything.

Is anyone out there running netflow successfully on 12.0(25)s1?

Thanks in advance.

regards
sky

From aptgetd at gmail.com Sun May 17 17:38:08 2009
From: aptgetd at gmail.com (sky)
Date: Sun, 17 May 2009 14:38:08 -0700
Subject: [c-nsp] netflow on 12.0(25)s1
In-Reply-To: <4A107BC3.8080903@gmail.com>
References: <4A107BC3.8080903@gmail.com>
Message-ID: <4A1083C0.2060501@gmail.com>

Enabling/disabling netflow on the router somehow fixed this.
regards
sky

sky wrote:
> Hello all,
>
> I have configured netflow on a 7204vxr running 12.0(25)s1 and for some
> reason my netflow collector is not seeing data, whereas an adjacent
> router with a different code is exporting fine. There's nothing blocking
> netflow packets from the source to the netflow collector.
>
> brief config:
>
> interface fastethernet0/0
>  ......
>  ip route-cache flow
>
> ip flow-export source loopback0
> ip flow-export version 5 peer-as
> ip flow-export destination x.x.x.x
>
> 'show ip flow export' shows data being exported via source loopback0 to
> the destination but the netflow collector is not seeing anything.
>
> Is anyone out there running netflow successfully on 12.0(25)s1?
>
> Thanks in advance.
>
> regards
> sky

From jensenja at gmail.com Mon May 18 04:52:20 2009
From: jensenja at gmail.com (John Jensen)
Date: Mon, 18 May 2009 01:52:20 -0700
Subject: [c-nsp] 3750 buffer value per port
In-Reply-To: <1e7e04890905170223le04aa7bi4916a1d92f075330@mail.gmail.com>
References: <1e7e04890905170223le04aa7bi4916a1d92f075330@mail.gmail.com>
Message-ID: <6de481d10905180152l4bdf645dhf8bfff3144edd969@mail.gmail.com>

0.75MB of ingress buffering is dynamically divided into port buffers/queues, 2 of which are user-configurable. There's 2MB of egress buffering that provides 4 egress queues per physical port.

HTH

-JJ

On Sun, May 17, 2009 at 2:23 AM, Chintan Shah wrote:
> Hi Guys,
>
> Does anyone know the Tx/Rx buffer size per port on a 3750?
> We normally allocate buffer by using mls qos with a % of the total size but I
> could not find what the size is.
From wim.holemans at ua.ac.be Mon May 18 09:19:41 2009
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Mon, 18 May 2009 15:19:41 +0200
Subject: [c-nsp] network simulator
Message-ID:

I'm looking for a (free) network simulator that allows me to simulate a small network (20 switches) with different vlans on it. I want to test different scenarios: what happens if this switch goes down or that link goes down, how do the packets flow in each scenario for the different vlans...

Does anyone have a good reference to such a product? Free would be nice but is no absolute condition.

Thanks,

Wim Holemans
Network Service, Universiteit Antwerpen

From moua0100 at umn.edu Mon May 18 09:46:08 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Mon, 18 May 2009 08:46:08 -0500
Subject: [c-nsp] network simulator
In-Reply-To:
References:
Message-ID: <4A1166A0.3070803@umn.edu>

If I understand you correctly you prefer a s/w virtual environment (VM) that can simulate multiple switches, doing "trunking (802.1q?)" and "switch access ports". Maybe preferably this would be akin to a Cisco switch with its breadth of IOS commands, which probably does exist as a proprietary tool for in-house Cisco developers.

Well, I've done something similar, if not exact, to the summary above for a training lab for firewall simulation. Here is my setup:

hw:
 * x86 Dual Xeon 2.6 Ghz / 4Gb RAM / 200 Gb HDD

sw:
 + (Virtualization Sw) Xen 3.3.1 running on CentOS 5.3
   + fed (1) 802.1q trunk (with 16 Vlans) from upstream Cisco3750 switch
     * (16) VMs running Ubuntu 9.04 that act as end hosts per Vlan and broadcast domain
   + fed (2) "switch access ports"
     * (1) for mgmt of Host VM (CentOS 5.3)
     * (1) for another guest VM (Ubuntu 9.04)

The net effect is that the Xen environment "acts" like a switch if fed with an 802.1q trunk.
I'm sure there are more elegant ways of doing what you ask, but this setup works pretty effectively for my needs.

Good luck.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Holemans Wim wrote:
> I'm looking for a (free) network simulator that allows me to simulate a
> small network (20 switches) with different vlans on it. I want to test
> different scenarios: what happens if this switch goes down or that
> link goes down, how do the packets flow in each scenario for the
> different vlans...
>
> Does anyone have a good reference to such a product? Free would be nice but
> is no absolute condition.
>
> Thanks,
>
> Wim Holemans
> Network Service, Universiteit Antwerpen

From panocisco77 at gmail.com Mon May 18 10:21:17 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Mon, 18 May 2009 10:21:17 -0400
Subject: [c-nsp] Need Help troubleshooting a 6513
In-Reply-To: <836bf1f90905180714y7e09bb79o98feb428486a58fd@mail.gmail.com>
References: <16e2ac180905151105m13bb4f76t16b9913e54c06310@mail.gmail.com> <836bf1f90905180714y7e09bb79o98feb428486a58fd@mail.gmail.com>
Message-ID: <16e2ac180905180721q640d4881lb20bc1566ddc4384@mail.gmail.com>

Thank you for all the responses and troubleshooting advice, but the problem has been taken care of. Special thanks to Arie; the command to power up the module is

config t
power enable module 5

Just in case anybody else comes across that problem again.

thanks Arie

Renelson

On Mon, May 18, 2009 at 10:14 AM, harbor235 wrote:
> What type of module is it? Some modules are not supported on all versions
> of code.
> More info is needed, IOS version, module type.
>
> Is this a SPA module? and are you running SRB code?
> If so this is fixed in
> SRC code.
>
> mike
>
> On Fri, May 15, 2009 at 2:05 PM, Renelson Panosky
> wrote:
>
>> Hello list
>>
>> I am configuring a 6513. I've created all my VLANs and assigned them to
>> all my ports, however when I do sho vlan I see all my ports except the ones
>> in slot 5, but when I do sho run I can see them with the correct vlan. When
>> I do sho mod here is what I get:
>>
>> Mod  Online Diag Status
>> ---- -------------------
>>   1  Pass
>>   2  Pass
>>   3  Pass
>>   4  Pass
>>   5  Not Applicable
>>   7  Pass
>>
>> Does that mean the module is defective? Or the slot is bad?
>>
>> Any help will be appreciated
>>
>> Renelson

From s.juergensen at kielnet.de Mon May 18 09:53:13 2009
From: s.juergensen at kielnet.de (Sven Juergensen)
Date: Mon, 18 May 2009 15:53:13 +0200
Subject: [c-nsp] Netflow tools
Message-ID: <9E0B3550-FB1B-4E8F-8562-1839C9587573@kielnet.de>

Hi list,

what kind of netflow tools are you folks using to monitor and graph your (especially inter-AS) traffic?

Thanks and best regards,

With kind regards,
pp. Sven Juergensen

-- 
Networks and Data Centres Department
KielNET GmbH Gesellschaft fuer Kommunikation
Preusserstr.
1-9, 24105 Kiel Telefon : 0431 2219-053 Mobil : 0170 403 5600 Telefax : 0431 2219-005 E-Mail : s.juergensen at kielnet.de Internet: http://www.kielnet.de Geschaeftsfuehrer Eberhard Schmidt HRB 4499 (Amtsgericht Kiel) PGP details at http://pgp.kielnet.de/sjuergensen/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (Darwin) iEYEARECAAYFAkoRaEwACgkQnEU7erAt4TKTBwCgx5DLVC3VZN/hULA+IAPZWhA/ FR4AnRpCzkgKDL47Ajr/qCw3SygOt41A =rf8u -----END PGP SIGNATURE----- From Jeff.Wojciechowski at midlandpaper.com Mon May 18 10:16:21 2009 From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski) Date: Mon, 18 May 2009 09:16:21 -0500 Subject: [c-nsp] network simulator In-Reply-To: References: Message-ID: <6B8401A83219DF499C34DEAEE9A599920FF7D0E7DE@XBOX.midlandpaper.com> Ive used NetSimK before - works pretty slick. Not sure if covers ALL the bits you are looking for but has some pretty decent debugging/tracing. -Jeff -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim Sent: Monday, May 18, 2009 8:20 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] network simulator I'm looking for a (free) network simulator that allows me to simulate a small network (20 switches) with different vlans on it. I want to test different scenario's : what happens if this switch goes down or that link goes down, how do the packets flow in each scenario for the different vlans... Anyone has a good reference to such a product ? Free would be nice but is no absolute condition. 
Thanks, Wim Holemans Netwerkdienst Universiteit Antwerpen _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ------------------------------------------------------------------------------------------------------------------------------------------------------------ This electronic mail (including any attachments) may contain information that is privileged, confidential, or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic mail or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please delete the original message in its entirety (including any attachments) and notify us immediately by reply email so that we may correct our internal records. Midland Paper Company accepts no responsibility for any loss or damage from use of this electronic mail, including any damage resulting from a computer virus. From networking.stuff at googlemail.com Mon May 18 13:07:51 2009 From: networking.stuff at googlemail.com (Chintan Shah) Date: Mon, 18 May 2009 22:37:51 +0530 Subject: [c-nsp] 3750 buffer value per port In-Reply-To: <6de481d10905180152l4bdf645dhf8bfff3144edd969@mail.gmail.com> References: <1e7e04890905170223le04aa7bi4916a1d92f075330@mail.gmail.com> <6de481d10905180152l4bdf645dhf8bfff3144edd969@mail.gmail.com> Message-ID: <1e7e04890905181007w72f56a1clf54f4ce7a1155ff9@mail.gmail.com> Hi John, Thanks for this info. Do you have any link of Cisco refering same value ? I wasn't able to find the the table for 3750 like what i have for 6500 like this : http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper09186a0080131086.html Regards, CJ. 
On Mon, May 18, 2009 at 2:22 PM, John Jensen wrote:
> 0.75MB of ingress buffering is dynamically divided into port
> buffers/queues, 2 of which are user-configurable. There's 2MB of
> egress buffering that provides 4 egress queues per physical port.
>
> HTH
>
> -JJ
>
> On Sun, May 17, 2009 at 2:23 AM, Chintan Shah wrote:
> > Hi Guys,
> >
> > Does any one know Tx/Rx buffer size per port on 3750 ?
> > We normally allocate buffer by using mls qos with % of total size but i
> > could not find what is size ?
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From wim.holemans at ua.ac.be Mon May 18 14:01:29 2009
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Mon, 18 May 2009 20:01:29 +0200
Subject: [c-nsp] network simulator
In-Reply-To: <4A119C41.4030206@gtsce.com>
References: <4A119C41.4030206@gtsce.com>
Message-ID: 

Just found out through google, will give it a try tomorrow.

Thanks,

Wim Holemans

________________________________

From: Michal Prazenka [mailto:michal.prazenka at gtsce.com]
Sent: maandag 18 mei 2009 19:35
To: Holemans Wim
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] network simulator

Have you tried GNS3?

Michal

Holemans Wim wrote / napísal(a):

I'm looking for a (free) network simulator that allows me to simulate a
small network (20 switches) with different vlans on it. I want to test
different scenario's : what happens if this switch goes down or that
link goes down, how do the packets flow in each scenario for the
different vlans...

Anyone has a good reference to such a product ? Free would be nice but
is no absolute condition.
Thanks, Wim Holemans Netwerkdienst Universiteit Antwerpen _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mduksa at gmail.com Mon May 18 14:10:58 2009 From: mduksa at gmail.com (Marlon Duksa) Date: Mon, 18 May 2009 11:10:58 -0700 Subject: [c-nsp] CRS-1 MSC 20G card? Message-ID: Hi, does anyone know what is this CRS-1 MSC 20G card (prod number CRS-MSC-20G_? I understand that they have a MSC 40G with two SPP processors, one per direction (ingress/egress). But there is an option to buy a 20G version of this card. Is this done through licensing or is the 20G card a different HW card alltogether? Thanks, Marlon From walter.keen at RainierConnect.net Mon May 18 14:18:53 2009 From: walter.keen at RainierConnect.net (Walter Keen) Date: Mon, 18 May 2009 11:18:53 -0700 Subject: [c-nsp] network simulator In-Reply-To: References: <4A119C41.4030206@gtsce.com> Message-ID: <4A11A68D.5020008@rainierconnect.net> GNS is meant for router simulations, not switch simulations. Although, you can do some stuff with the 3600 series with 16ESW cards. Last time I checked there were some issues testing with spanning tree. Holemans Wim wrote: > Just found out through google, will give it a try tomorrow. > > > > Thanks, > > > > Wim Holemans > > > > > > ________________________________ > > From: Michal Prazenka [mailto:michal.prazenka at gtsce.com] > Sent: maandag 18 mei 2009 19:35 > To: Holemans Wim > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] network simulator > > > > Have you tried GNS3? > > Michal > > Holemans Wim wrote / nap?sal(a): > > I'm looking for a (free) network simulator that allows me to simulate a > small network (20 switches) with different vlans on it. 
I want to test > different scenario's : what happens if this switch goes down or that > link goes down, how do the packets flow in each scenario for the > different vlans... > > > > Anyone has a good reference to such a product ? Free would be nice but > is no absolute condition. > > > > Thanks, > > > > Wim Holemans > > Netwerkdienst Universiteit Antwerpen > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From nbernadeau at gallantsys.com Mon May 18 14:59:39 2009 From: nbernadeau at gallantsys.com (nbernadeau at gallantsys.com) Date: Mon, 18 May 2009 14:59:39 -0400 Subject: [c-nsp] Anyone does Cisco hardware repair? Message-ID: <20090518145939.8dfsvsptwgc0cs48@www.gallantsys.com> Also if you know any company that has decommissioned cisco hardware please pass the info. From wim.holemans at ua.ac.be Mon May 18 14:58:50 2009 From: wim.holemans at ua.ac.be (Holemans Wim) Date: Mon, 18 May 2009 20:58:50 +0200 Subject: [c-nsp] network simulator In-Reply-To: <4A11A68D.5020008@rainierconnect.net> References: <4A119C41.4030206@gtsce.com> <4A11A68D.5020008@rainierconnect.net> Message-ID: Spanning-tree changes are just the thing i want to simulate in order not to build a physical lab environment... Wim Holemans -----Original Message----- From: Walter Keen [mailto:walter.keen at RainierConnect.net] Sent: maandag 18 mei 2009 20:19 To: Holemans Wim Cc: Michal Prazenka; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] network simulator GNS is meant for router simulations, not switch simulations. Although, you can do some stuff with the 3600 series with 16ESW cards. 
Last time I checked there were some issues testing with spanning tree. Holemans Wim wrote: > Just found out through google, will give it a try tomorrow. > > > > Thanks, > > > > Wim Holemans > > > > > > ________________________________ > > From: Michal Prazenka [mailto:michal.prazenka at gtsce.com] > Sent: maandag 18 mei 2009 19:35 > To: Holemans Wim > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] network simulator > > > > Have you tried GNS3? > > Michal > > Holemans Wim wrote / nap?sal(a): > > I'm looking for a (free) network simulator that allows me to simulate a > small network (20 switches) with different vlans on it. I want to test > different scenario's : what happens if this switch goes down or that > link goes down, how do the packets flow in each scenario for the > different vlans... > > > > Anyone has a good reference to such a product ? Free would be nice but > is no absolute condition. > > > > Thanks, > > > > Wim Holemans > > Netwerkdienst Universiteit Antwerpen > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From nbernadeau at gallantsys.com Mon May 18 15:48:35 2009 From: nbernadeau at gallantsys.com (nbernadeau at gallantsys.com) Date: Mon, 18 May 2009 15:48:35 -0400 Subject: [c-nsp] What cisco line cards support DS3 over RJ45 interface Message-ID: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> Please let me know if you know the cisco line card(s) that support DS3 over RJ45 interface. 
From jloiacon at csc.com Mon May 18 15:48:41 2009 From: jloiacon at csc.com (Joe Loiacono) Date: Mon, 18 May 2009 15:48:41 -0400 Subject: [c-nsp] Netflow tools In-Reply-To: <9E0B3550-FB1B-4E8F-8562-1839C9587573@kielnet.de> Message-ID: Sven, If you're considering open-source, one option is the flow-tools/FlowViewer combination. Allows you to keep MRTG-like graphs (last day, last week, last month, etc.) for all sorts of traffic flows, including inter-AS traffic. http://ensight.eos.nasa.gov/FlowViewer Joe Sven Juergensen Sent by: cisco-nsp-bounces at puck.nether.net 05/18/2009 09:53 AM To cisco-nsp at puck.nether.net cc Subject [c-nsp] Netflow tools -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi list, what kind of netflow tools are you folks using to monitor and graph your (especially inter-AS) traffic? Thanks and best regards, Mit freundlichen Gruessen, i. A. Sven Juergensen - -- Fachbereich Netze und Rechenzentren KielNET GmbH Gesellschaft fuer Kommunikation Preusserstr. 1-9, 24105 Kiel Telefon : 0431 2219-053 Mobil : 0170 403 5600 Telefax : 0431 2219-005 E-Mail : s.juergensen at kielnet.de Internet: http://www.kielnet.de Geschaeftsfuehrer Eberhard Schmidt HRB 4499 (Amtsgericht Kiel) PGP details at http://pgp.kielnet.de/sjuergensen/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (Darwin) iEYEARECAAYFAkoRaEwACgkQnEU7erAt4TKTBwCgx5DLVC3VZN/hULA+IAPZWhA/ FR4AnRpCzkgKDL47Ajr/qCw3SygOt41A =rf8u -----END PGP SIGNATURE----- _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ddunkin at netos.net Mon May 18 16:02:22 2009 From: ddunkin at netos.net (Darryl Dunkin) Date: Mon, 18 May 2009 13:02:22 -0700 Subject: [c-nsp] What cisco line cards support DS3 over RJ45 interface In-Reply-To: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> References: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> Message-ID: 
<56F5BC5F404CF84896C447397A1AAF20F9239B@MAIL.nosi.netos.com> None. A DS3 would be handed off with a pair of coax for all native DS3 interfaces. You would likely need an external transceiver to handle the conversion, assuming there is similar gear on the remote end (I have seen ethernet over DS3 transceivers, requires one on each end, then normal ethernet into it). What protocol is being used on this 'DS3'? -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of nbernadeau at gallantsys.com Sent: Monday, May 18, 2009 12:49 To: cisco-nsp at puck.nether.net Subject: [c-nsp] What cisco line cards support DS3 over RJ45 interface Please let me know if you know the cisco line card(s) that support DS3 over RJ45 interface. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Mon May 18 16:20:40 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 18 May 2009 22:20:40 +0200 Subject: [c-nsp] SVI always up ! In-Reply-To: References: <1242473052.3339.1.camel@localhost.localdomain> Message-ID: <1242678040.4967.1.camel@localhost.localdomain> On Sun, 2009-05-17 at 14:53 +0300, Ibrahim Abo Zaid wrote: > That seems it will work but it is applied globally for all VLAN , is > there any way to apply it per-VLAN ? Not that I know of no. It can only be per port. 
Regards, Peter From jay at west.net Mon May 18 15:57:46 2009 From: jay at west.net (Jay Hennigan) Date: Mon, 18 May 2009 12:57:46 -0700 Subject: [c-nsp] What cisco line cards support DS3 over RJ45 interface In-Reply-To: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> References: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> Message-ID: <4A11BDBA.6080806@west.net> nbernadeau at gallantsys.com wrote: > Please let me know if you know the cisco line card(s) that support DS3 > over RJ45 interface. None of them. DS3 is delivered on a pair of 75-ohm BNC connectors. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From felixnkansah at gmail.com Mon May 18 16:42:47 2009 From: felixnkansah at gmail.com (Felix Nkansah) Date: Mon, 18 May 2009 20:42:47 +0000 Subject: [c-nsp] OT: Cisco WAAS Setup Scenario Message-ID: <18dba4e50905181342y6cb3c34bs275715c38338b8ff@mail.gmail.com> Hi Team, Pardon me for the OT. I want to deploy Cisco WAAS as a proof of concept to a client with several sites connected in a hub-n-spoke topology. I would deploy only one WAE (and a CM) at the hub/head office and one WAE at a selected spoke, in production. I intend on setting the WAEs Inline for simplicity. However, I have some doubts that I hope you could help clear. If the WAE at the head office accelerates traffic going to a spoke site without a WAE, would the traffic be dropped? If the hub site receives non-accelerated traffic from spoke sites without WAE, would the head office WAE drop the traffic? I am concerned because I know the acceleration process utilizes compression schemes which may require decompression at the other site by a WAE. Labbing this up would give me the answers, but I felt I could leverage your skills for quick answers to these :-) Your responses are appreciated. 
Felix

From werner at trans.net Mon May 18 16:05:56 2009
From: werner at trans.net (Werner Detter)
Date: Mon, 18 May 2009 22:05:56 +0200
Subject: [c-nsp] Netflow tools
In-Reply-To: <9E0B3550-FB1B-4E8F-8562-1839C9587573@kielnet.de>
References: <9E0B3550-FB1B-4E8F-8562-1839C9587573@kielnet.de>
Message-ID: <4A11BFA4.5030405@trans.net>

Hi,

we use http://nfsen.sourceforge.net/

Werner
_________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

--
transnet Internet Services GmbH
Werner Detter - Netmaster

Lilienstr. 3-5 81669 München
http://www.trans.net
support at trans.net

From alain_camille at hotmail.com Mon May 18 16:43:27 2009
From: alain_camille at hotmail.com (Alain Camille)
Date: Mon, 18 May 2009 16:43:27 -0400
Subject: [c-nsp] BGP Config
Message-ID: 

My ISP will be maintaining the BGP configuration for my organization.. I need a minimal BGP configuration on my core device that will allow connectivity to the ISP. Looking for some direction. Thanks.

From ATolstykh at integrysgroup.com Mon May 18 17:00:09 2009
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Mon, 18 May 2009 16:00:09 -0500
Subject: [c-nsp] OT: Cisco WAAS Setup Scenario
In-Reply-To: <18dba4e50905181342y6cb3c34bs275715c38338b8ff@mail.gmail.com>
References: <18dba4e50905181342y6cb3c34bs275715c38338b8ff@mail.gmail.com>
Message-ID: <3F3802329EC1534FBCEAB6DDC0BD807C11F4D9@DOB-BXVS3.integrysgroup.net>

>>If the WAE at the head office accelerates traffic going to a spoke site
>>without a WAE, would the traffic be dropped?

No

>>If the hub site receives non-accelerated traffic from spoke sites without
>>WAE, would the head office WAE drop the traffic?

No

Cisco WAAS is also transparent in the sense that accelerator appliances
can use auto-discovery to determine whether a peer accelerator is
available at the other end of the link.
After auto-discovery, a pair of accelerators can auto-negotiate an acceleration policy to be applied to the application flow. If a peer accelerator is not discovered, the application flow passes through unchanged. HTH, Andrew -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah Sent: Monday, May 18, 2009 3:43 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] OT: Cisco WAAS Setup Scenario Hi Team, Pardon me for the OT. I want to deploy Cisco WAAS as a proof of concept to a client with several sites connected in a hub-n-spoke topology. I would deploy only one WAE (and a CM) at the hub/head office and one WAE at a selected spoke, in production. I intend on setting the WAEs Inline for simplicity. However, I have some doubts that I hope you could help clear. If the WAE at the head office accelerates traffic going to a spoke site without a WAE, would the traffic be dropped? If the hub site receives non-accelerated traffic from spoke sites without WAE, would the head office WAE drop the traffic? I am concerned because I know the acceleration process utilizes compression schemes which may require decompression at the other site by a WAE. Labbing this up would give me the answers, but I felt I could leverage your skills for quick answers to these :-) Your responses are appreciated. 
Felix _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From sethm at rollernet.us Mon May 18 17:02:23 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 18 May 2009 14:02:23 -0700 Subject: [c-nsp] What cisco line cards support DS3 over RJ45 interface In-Reply-To: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> References: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> Message-ID: <4A11CCDF.4020701@rollernet.us> nbernadeau at gallantsys.com wrote: > Please let me know if you know the cisco line card(s) that support DS3 > over RJ45 interface. > No such thing. Maybe you could tell us what you're trying to accomplish and we can suggest something. ~Seth From sethm at rollernet.us Mon May 18 17:03:41 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 18 May 2009 14:03:41 -0700 Subject: [c-nsp] BGP Config In-Reply-To: References: Message-ID: <4A11CD2D.5020504@rollernet.us> Alain Camille wrote: > > > > My ISP will be maintaining the BGP configuration for my organization.. I need a minimal BGP configuration on my core device that will allow connectivity to the ISP. Looking for some direction. Thanks. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ I'm guessing you didn't bother to look at cisco's website since they have several basic config examples on there. ~Seth From jay at west.net Mon May 18 17:08:36 2009 From: jay at west.net (Jay Hennigan) Date: Mon, 18 May 2009 14:08:36 -0700 Subject: [c-nsp] BGP Config In-Reply-To: References: Message-ID: <4A11CE54.8090905@west.net> Alain Camille wrote: > My ISP will be maintaining the BGP configuration for my organization.. 
> I need a minimal BGP configuration on my core device that will allow
> connectivity to the ISP. Looking for some direction. Thanks.

Are you connected to a single ISP at a single geographic location? If so
it probably isn't worth the effort. If you are connected to multiple
ISPs, the BGP configuration may not be so minimal and you'll likely want
to engage the services of someone knowledgeable in the field to configure
and maintain as needed.

Do you have an AS (Autonomous System) number assigned by your regional
registry? Do you have portable IP space? If both are no, and you're only
connected to one ISP, you almost certainly don't need to run BGP. A
simple default route to your ISP will suffice.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From panocisco77 at gmail.com Mon May 18 17:09:48 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Mon, 18 May 2009 17:09:48 -0400
Subject: [c-nsp] BGP Config
In-Reply-To: 
References: 
Message-ID: <16e2ac180905181409p15966234x464168c08065e070@mail.gmail.com>

Here you go boss try this

router bgp 200
 network 131.1.12.3 mask 255.255.255.0
 neighbor 2.2.2.2 remote-as 200
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 3.3.3.3 remote-as 200
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 131.1.12.2 remote-as 200
 neighbor 131.1.12.2 update-source Loopback0
 neighbor 131.1.12.3 remote-as 200
 no auto-summary

try this

On Mon, May 18, 2009 at 4:43 PM, Alain Camille wrote:
>
> My ISP will be maintaining the BGP configuration for my organization.. I
> need a minimal BGP configuration on my core device that will allow
> connectivity to the ISP. Looking for some direction. Thanks.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From mksmith at adhost.com Mon May 18 17:21:29 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 18 May 2009 14:21:29 -0700
Subject: [c-nsp] BGP Config
In-Reply-To: 
References: 
Message-ID: <17838240D9A5544AAA5FF95F8D5203160605D47D@ad-exh01.adhost.lan>

Hello:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Alain Camille
> Sent: Monday, May 18, 2009 1:43 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] BGP Config
>
> My ISP will be maintaining the BGP configuration for my organization..
> I need a minimal BGP configuration on my core device that will allow
> connectivity to the ISP. Looking for some direction. Thanks.

! Set a route-map for accepting all routes based on as-path access-list 1
route-map TRANSIT-IN permit 10
 match as-path 1
! Set a route-map for sending local-only based on as-path access-list 2
route-map TRANSIT-OUT permit 10
 match as-path 2
! Regexp for accept all routes
ip as-path access-list 1 permit .*
! Regexp for local-only routes
ip as-path access-list 2 permit ^$
! Tie-down route so that your network statement gets announced
ip route null0 250
router bgp
 network
 bgp router-id
 bgp log-neighbor-changes
 no auto-summary
 no synchronization
 neighbor remote-as
 neighbor route-map TRANSIT-IN in
 neighbor route-map TRANSIT-OUT out

With bogus entries, it would look like:

Your Network: 192.168.0.0/16
Your AS: 65535
Your Router Interface IP: 10.0.0.2
Your Transit Provider's IP: 10.0.0.1
Your Transit Provider's AS: 65536

route-map TRANSIT-IN permit 10
 match as-path 1
route-map TRANSIT-OUT permit 10
 match as-path 2
ip as-path access-list 1 permit .*
ip as-path access-list 2 permit ^$
ip route 192.168.0.0 255.255.0.0 null0 250
router bgp 65535
 network
 bgp router-id 10.0.0.2
 bgp log-neighbor-changes
 bgp scan-time 60
 no auto-summary
 no synchronization
 neighbor 10.0.0.1 remote-as 65536
 neighbor 10.0.0.1 route-map TRANSIT-IN in
 neighbor 10.0.0.1 route-map TRANSIT-OUT out

Note: if your provider sends you a default-only route, your .* will be
only that. If they send you a full table it will be +/- 280,000 routes.

Regards,

Mike

From charles at thewybles.com Mon May 18 17:21:58 2009
From: charles at thewybles.com (Charles Wyble)
Date: Mon, 18 May 2009 14:21:58 -0700
Subject: [c-nsp] BGP Config
In-Reply-To: 
References: 
Message-ID: <4A11D176.8010304@thewybles.com>

This should be provided by your ISP. Lots of BGP docs on the net.....

If you're asking for help on the c-nsp list with an ultra generic
topic.... please please please please get some training and do some
reading.

Again your provider will give you the necessary details.

Alain Camille wrote:
>
> My ISP will be maintaining the BGP configuration for my organization.. I need a minimal BGP configuration on my core device that will allow connectivity to the ISP. Looking for some direction. Thanks.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From chip.gwyn at gmail.com Mon May 18 17:24:51 2009
From: chip.gwyn at gmail.com (chip)
Date: Mon, 18 May 2009 17:24:51 -0400
Subject: [c-nsp] BGP Config
In-Reply-To: 
References: 
Message-ID: <64a8ad980905181424l61b2cd1akb4695737dd300bb8@mail.gmail.com>

http://www.netconfigs.com/tools/bgp.htm

Makes it nice and easy. It'll get ya up at least. No promises after that

--chip

On Mon, May 18, 2009 at 4:43 PM, Alain Camille wrote:
>
> My ISP will be maintaining the BGP configuration for my organization.. I
> need a minimal BGP configuration on my core device that will allow
> connectivity to the ISP. Looking for some direction. Thanks.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Just my $.02, your mileage may vary, batteries not included, etc....

From rdobbins at arbor.net Mon May 18 17:44:06 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Tue, 19 May 2009 04:44:06 +0700
Subject: [c-nsp] Netflow tools
In-Reply-To: <4A11BFA4.5030405@trans.net>
References: <9E0B3550-FB1B-4E8F-8562-1839C9587573@kielnet.de>
	<4A11BFA4.5030405@trans.net>
Message-ID: <5F97228F-8D65-49E6-9DC9-82A5CE5CDFDA@arbor.net>

On May 19, 2009, at 3:05 AM, Werner Detter wrote:

> we use http://nfsen.sourceforge.net/

nfsen/nfdump is a great open-source tool - I *think* it supports
sampling, now (anyone?).

Stager is cool, too, though last I checked it didn't support v9 (again,
correction welcome; it's dependent upon the flow-tools for collection).

The easiest/quickest one to get up and running is probably ntop (it
supports NetFlow, in addition to deriving statistics via packet-capture).
----------------------------------------------------------------------- Roland Dobbins // Unfortunately, inefficiency scales really well. -- Kevin Lawton From felixnkansah at gmail.com Mon May 18 17:45:47 2009 From: felixnkansah at gmail.com (Felix Nkansah) Date: Mon, 18 May 2009 21:45:47 +0000 Subject: [c-nsp] OT: Cisco WAAS Setup Scenario In-Reply-To: <3F3802329EC1534FBCEAB6DDC0BD807C11F4D9@DOB-BXVS3.integrysgroup.net> References: <18dba4e50905181342y6cb3c34bs275715c38338b8ff@mail.gmail.com> <3F3802329EC1534FBCEAB6DDC0BD807C11F4D9@DOB-BXVS3.integrysgroup.net> Message-ID: <18dba4e50905181445y3daad0f3t2db163de46c73d5e@mail.gmail.com> Thanks Andrew. Your response is appreciated. On Mon, May 18, 2009 at 9:00 PM, Tolstykh, Andrew < ATolstykh at integrysgroup.com> wrote: > >>If the WAE at the head office accelerates traffic going to a spoke > site > >>without a WAE, would the traffic be dropped? > > No > > >>If the hub site receives non-accelerated traffic from spoke sites > without > >>WAE, would the head office WAE drop the traffic? > > No > > Cisco WAAS is also transparent in the sense that accelerator appliances > can use auto-discovery to determine whether a peer accelerator is > available at the other end of the link. After auto-discovery, a pair of > accelerators can auto-negotiate an acceleration policy to be applied to > the application flow. If a peer accelerator is not discovered, the > application flow passes through unchanged. > > HTH, > Andrew > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah > Sent: Monday, May 18, 2009 3:43 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] OT: Cisco WAAS Setup Scenario > > Hi Team, > Pardon me for the OT. > > I want to deploy Cisco WAAS as a proof of concept to a client with > several > sites connected in a hub-n-spoke topology. 
> > I would deploy only one WAE (and a CM) at the hub/head office and one > WAE at > a selected spoke, in production. > > I intend on setting the WAEs Inline for simplicity. However, I have some > doubts that I hope you could help clear. > > If the WAE at the head office accelerates traffic going to a spoke site > without a WAE, would the traffic be dropped? > > If the hub site receives non-accelerated traffic from spoke sites > without > WAE, would the head office WAE drop the traffic? > > I am concerned because I know the acceleration process utilizes > compression > schemes which may require decompression at the other site by a WAE. > > Labbing this up would give me the answers, but I felt I could leverage > your > skills for quick answers to these :-) > > Your responses are appreciated. > > Felix > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From christian at automatick.net Mon May 18 17:44:00 2009 From: christian at automatick.net (Christian Koch) Date: Mon, 18 May 2009 14:44:00 -0700 Subject: [c-nsp] Netflow tools In-Reply-To: <4A11BFA4.5030405@trans.net> References: <9E0B3550-FB1B-4E8F-8562-1839C9587573@kielnet.de> <4A11BFA4.5030405@trans.net> Message-ID: https://neon1.net/as-stats/ On Mon, May 18, 2009 at 1:05 PM, Werner Detter wrote: > Hi, > > we use http://nfsen.sourceforge.net/ > > Werner > _________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > -- > transnet Internet Services GmbH > Werner Detter - Netmaster > > Lilienstr. 
3-5 81669 München > http://www.trans.net > support at trans.net > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dale.shaw+cisco-nsp at gmail.com Mon May 18 18:13:25 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Tue, 19 May 2009 08:13:25 +1000 Subject: [c-nsp] OT: Cisco WAAS Setup Scenario In-Reply-To: <18dba4e50905181445y3daad0f3t2db163de46c73d5e@mail.gmail.com> References: <18dba4e50905181342y6cb3c34bs275715c38338b8ff@mail.gmail.com> <3F3802329EC1534FBCEAB6DDC0BD807C11F4D9@DOB-BXVS3.integrysgroup.net> <18dba4e50905181445y3daad0f3t2db163de46c73d5e@mail.gmail.com> Message-ID: <3329cbb40905181513y59c8c3abwd5bd19f1192137cc@mail.gmail.com> Further to this, Felix, if you decided against inline deployment, you can set up WCCP ACLs that would ensure that only traffic to/from the WAAS-enabled spoke site is redirected at the head-end. i.e. if the spoke site is 192.168.10.0/24, you could have a config like this on the WCCP router(s) at the hub site:

ip access-list extended WCCP61-LAN
 permit ip any 192.168.10.0 0.0.0.255
!
ip access-list extended WCCP62-WAN
 permit ip 192.168.10.0 0.0.0.255 any
!
ip wccp 61 redirect-list WCCP61-LAN
ip wccp 62 redirect-list WCCP62-WAN
!
interface WANx/x
 description WAN side
 ip wccp 62 redirect in
!
interface LANx/x
 description LAN side
 ip wccp 61 redirect in

You can do something similar on the spoke site to ensure that you only redirect and optimise traffic that's come from the specified subnets (or whatever you choose to put in the ACL). Otherwise, everything TCP is redirected, possibly unnecessarily. Yes, it's handled transparently and passed-through, but I prefer not to add extra processing if possible. cheers, Dale On Tue, May 19, 2009 at 7:45 AM, Felix Nkansah wrote: > Thanks Andrew. > Your response is appreciated.
> > > On Mon, May 18, 2009 at 9:00 PM, Tolstykh, Andrew < > ATolstykh at integrysgroup.com> wrote: > >> >>If the WAE at the head office accelerates traffic going to a spoke >> site >> >>without a WAE, would the traffic be dropped? >> >> No >> >> >>If the hub site receives non-accelerated traffic from spoke sites >> without >> >>WAE, would the head office WAE drop the traffic? >> >> No >> >> Cisco WAAS is also transparent in the sense that accelerator appliances >> can use auto-discovery to determine whether a peer accelerator is >> available at the other end of the link. After auto-discovery, a pair of >> accelerators can auto-negotiate an acceleration policy to be applied to >> the application flow. If a peer accelerator is not discovered, the >> application flow passes through unchanged. >> >> HTH, >> Andrew >> >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah >> Sent: Monday, May 18, 2009 3:43 PM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] OT: Cisco WAAS Setup Scenario >> >> Hi Team, >> Pardon me for the OT. >> >> I want to deploy Cisco WAAS as a proof of concept to a client with >> several >> sites connected in a hub-n-spoke topology. >> >> I would deploy only one WAE (and a CM) at the hub/head office and one >> WAE at >> a selected spoke, in production. >> >> I intend on setting the WAEs Inline for simplicity. However, I have some >> doubts that I hope you could help clear. >> >> If the WAE at the head office accelerates traffic going to a spoke site >> without a WAE, would the traffic be dropped? >> >> If the hub site receives non-accelerated traffic from spoke sites >> without >> WAE, would the head office WAE drop the traffic? >> >> I am concerned because I know the acceleration process utilizes >> compression >> schemes which may require decompression at the other site by a WAE. 
>> >> Labbing this up would give me the answers, but I felt I could leverage >> your >> skills for quick answers to these :-) >> >> Your responses are appreciated. >> >> Felix From jason at pins.net Mon May 18 18:07:05 2009 From: jason at pins.net (Jason) Date: Mon, 18 May 2009 18:07:05 -0400 Subject: [c-nsp] VLAN translation Message-ID: <4A11DC09.6080901@pins.net> Greetings, I have two quick questions. First one is when doing VLAN translation, does the incoming VLAN get used up from the available VLANs on the switch? And the second; is VLAN translation done in hardware on the Cisco 6500? Thanks, Jason From dale.shaw+cisco-nsp at gmail.com Mon May 18 20:07:02 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Tue, 19 May 2009 10:07:02 +1000 Subject: [c-nsp] WCCPv2 on cat6500/SUP2-MSFC2 (WAAS) In-Reply-To: <3329cbb40905181705u230ca3em46333fbf22eec51e@mail.gmail.com> References: <3329cbb40905181705u230ca3em46333fbf22eec51e@mail.gmail.com> Message-ID: <3329cbb40905181707o114748d7idb6f34795644b189@mail.gmail.com> Hi, Is anyone out there running WCCPv2 on cat6500/SUP2-MSFC2 hardware? Does it work properly? Is it supported in hardware? What code are you running? Native or hybrid? How much SP/RP memory and flash do you have? Any noteworthy caveats? :-) Sorry for all the questions. We have a bunch of older SUP2-MSFC2 chassis around and I'm trying to determine if they'll support WCCPv2 for a WAAS deployment (TCP promiscuous; services 61 and 62). cheers, Dale From javier at liendo.net Mon May 18 20:42:21 2009 From: javier at liendo.net (Javier Liendo) Date: Mon, 18 May 2009 19:42:21 -0500 Subject: [c-nsp] ip tcp mss on sup720 Message-ID: hi, on a cisco router if i want to adjust the tcp MSS from traffic flowing *through* it, i can use the "ip tcp adjust-mss" under the *interface* in question... 
in case of a 6500 with a sup720 i have the "ip tcp mss" *global* configuration command...will this command modify the MSS from the traffic flowing *through* it or only from traffic originating/terminating on it? or both? any help/pointers/experiences will be greatly appreciated... regards, javier From adrian at creative.net.au Mon May 18 21:10:53 2009 From: adrian at creative.net.au (Adrian Chadd) Date: Tue, 19 May 2009 09:10:53 +0800 Subject: [c-nsp] WCCPv2 on cat6500/SUP2-MSFC2 (WAAS) In-Reply-To: <3329cbb40905181707o114748d7idb6f34795644b189@mail.gmail.com> References: <3329cbb40905181705u230ca3em46333fbf22eec51e@mail.gmail.com> <3329cbb40905181707o114748d7idb6f34795644b189@mail.gmail.com> Message-ID: <20090519011053.GA1023@skywalker.creative.net.au> On Tue, May 19, 2009, Dale Shaw wrote: > Hi, > > Is anyone out there running WCCPv2 on cat6500/SUP2-MSFC2 hardware? I was. > Does it work properly? Is it supported in hardware? What code are you > running? Native or hybrid? How much SP/RP memory and flash do you > have? Any noteworthy caveats? It was a while ago. Was in native mode. > :-) Sorry for all the questions. > > We have a bunch of older SUP2-MSFC2 chassis around and I'm trying to > determine if they'll support WCCPv2 for a WAAS deployment (TCP > promiscuous; services 61 and 62). They should do it in hardware (L2 forward / mask assignment) but I unfortunately don't have a 6500 in my little lab here to confirm software versions or anything. Adrian From walter.keen at RainierConnect.net Mon May 18 21:14:39 2009 From: walter.keen at RainierConnect.net (Walter Keen) Date: Mon, 18 May 2009 18:14:39 -0700 Subject: [c-nsp] 7200 atm interworking Message-ID: <047101c9d81f$4e912c4b$2c0011ac@RainierConnect.local> Is the 7200 platform capable of atm interworking? I see it can do mpls l2 vpn for atm, but wondering if it can do interworking so I only need to maintain atm interfaces on one end. 
Walter Keen From ibrahim.abozaid at gmail.com Mon May 18 21:17:54 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Tue, 19 May 2009 04:17:54 +0300 Subject: [c-nsp] ip tcp mss on sup720 In-Reply-To: References: Message-ID: Hi Javier if you configure it under interface , it will affect transit traffic and i think global will affect locally orginated or terminated traffic and you won't need this best regards --Ibrahim On Tue, May 19, 2009 at 3:42 AM, Javier Liendo wrote: > hi, > > on a cisco router if i want to adjust the tcp MSS from traffic flowing > *through* it, i can use the "ip tcp adjust-mss" under the *interface* > in question... > > in case of a 6500 with a sup720 i have the "ip tcp mss" *global* > configuration command...will this command modify the MSS from the > traffic flowing *through* it or only from traffic > originating/terminating on it? or both? > > any help/pointers/experiences will be greatly appreciated... > > regards, > > javier > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ibrahim.abozaid at gmail.com Mon May 18 21:18:46 2009 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Tue, 19 May 2009 04:18:46 +0300 Subject: [c-nsp] SVI always up ! In-Reply-To: <1242678040.4967.1.camel@localhost.localdomain> References: <1242473052.3339.1.camel@localhost.localdomain> <1242678040.4967.1.camel@localhost.localdomain> Message-ID: Hi Peter I tested it and it works -:) thanks for your advice best regards --Ibrahim On Mon, May 18, 2009 at 11:20 PM, Peter Rathlev wrote: > On Sun, 2009-05-17 at 14:53 +0300, Ibrahim Abo Zaid wrote: > > That seems it will work but it is applied globally for all VLAN , is > > there any way to apply it per-VLAN ? > > Not that I know of no. It can only be per port. 
> > Regards, > Peter > > > > > From javier at liendo.net Mon May 18 21:43:59 2009 From: javier at liendo.net (Javier Liendo) Date: Mon, 18 May 2009 20:43:59 -0500 Subject: [c-nsp] ip tcp mss on sup720 In-Reply-To: References: Message-ID: hi ibrahim, the issue is that on a 6500 with sup720 AFAIK there is no adjust-mss under the interface...only global... best regards, javier On Mon, May 18, 2009 at 8:17 PM, Ibrahim Abo Zaid wrote: > Hi Javier > > if you configure it under interface , it will affect transit traffic > > and i think global will affect locally orginated or terminated traffic and > you won't need this > > > best regards > --Ibrahim > > On Tue, May 19, 2009 at 3:42 AM, Javier Liendo wrote: >> >> hi, >> >> on a cisco router if i want to adjust the tcp MSS from traffic flowing >> *through* it, i can use the "ip tcp adjust-mss" under the *interface* >> in question... >> >> in case of a 6500 with a sup720 i have the "ip tcp mss" *global* >> configuration command...will this command modify the MSS from the >> traffic flowing *through* it or only from traffic >> originating/terminating on it? or both? >> >> any help/pointers/experiences will be greatly appreciated... >> >> regards, >> >> javier >> _______________________________________________ >> cisco-nsp mailing list ?cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From dale.shaw+cisco-nsp at gmail.com Mon May 18 22:18:17 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Tue, 19 May 2009 12:18:17 +1000 Subject: [c-nsp] ip tcp mss on sup720 In-Reply-To: References: Message-ID: <3329cbb40905181918m4f732065x31ad6bbe12a22819@mail.gmail.com> Hi Javier, The command reference indicates that the "ip tcp mss" global command is applicable only to TCP sessions terminating on or originating from the local device. The "ip tcp adjust-mss" interface command was integrated in 12.2(33)SXH. 
I've confirmed that I don't see it in 12.2(18)SXF5. Are you in a position to upgrade? If not, I assume you are out of luck and will need to look for an alternative option. cheers, Dale On Tue, May 19, 2009 at 11:43 AM, Javier Liendo wrote: > hi ibrahim, > > the issue is that on a 6500 with sup720 AFAIK there is no adjust-mss > under the interface...only global... > > best regards, > > javier > > On Mon, May 18, 2009 at 8:17 PM, Ibrahim Abo Zaid > wrote: >> Hi Javier >> >> if you configure it under interface , it will affect transit traffic >> >> and i think global will affect locally orginated or terminated traffic and >> you won't need this >> >> >> best regards >> --Ibrahim >> >> On Tue, May 19, 2009 at 3:42 AM, Javier Liendo wrote: >>> >>> hi, >>> >>> on a cisco router if i want to adjust the tcp MSS from traffic flowing >>> *through* it, i can use the "ip tcp adjust-mss" under the *interface* >>> in question... >>> >>> in case of a 6500 with a sup720 i have the "ip tcp mss" *global* >>> configuration command...will this command modify the MSS from the >>> traffic flowing *through* it or only from traffic >>> originating/terminating on it? or both? >>> >>> any help/pointers/experiences will be greatly appreciated... >>> >>> regards, >>> >>> javier From rubensk at gmail.com Mon May 18 22:28:22 2009 From: rubensk at gmail.com (Rubens Kuhl) Date: Mon, 18 May 2009 23:28:22 -0300 Subject: [c-nsp] ip tcp mss on sup720 In-Reply-To: References: Message-ID: <6bb5f5b10905181928o6a3a3d72mc6bdf909700417c5@mail.gmail.com> And even if the command exists, there is no such feature on the PFC AFAIK, so the 6500 would be turned into a 7200... Rubens On Mon, May 18, 2009 at 10:43 PM, Javier Liendo wrote: > hi ibrahim, > > the issue is that on a 6500 with sup720 AFAIK there is no adjust-mss > under the interface...only global... 
> > best regards, > > javier > > On Mon, May 18, 2009 at 8:17 PM, Ibrahim Abo Zaid > wrote: >> Hi Javier >> >> if you configure it under interface , it will affect transit traffic >> >> and i think global will affect locally originated or terminated traffic and >> you won't need this >> >> >> best regards >> --Ibrahim >> >> On Tue, May 19, 2009 at 3:42 AM, Javier Liendo wrote: >>> >>> hi, >>> >>> on a cisco router if i want to adjust the tcp MSS from traffic flowing >>> *through* it, i can use the "ip tcp adjust-mss" under the *interface* >>> in question... >>> >>> in case of a 6500 with a sup720 i have the "ip tcp mss" *global* >>> configuration command...will this command modify the MSS from the >>> traffic flowing *through* it or only from traffic >>> originating/terminating on it? or both? >>> >>> any help/pointers/experiences will be greatly appreciated... >>> >>> regards, >>> >>> javier >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From baimoung at inet.co.th Mon May 18 22:41:24 2009 From: baimoung at inet.co.th (Charuntorn Baimoung) Date: Tue, 19 May 2009 09:41:24 +0700 (ICT) Subject: [c-nsp] IPSG and DAI Message-ID: What is the difference between IPSG and DAI? How do I implement them in the same interface config?
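For the IPSG/DAI question above, here is an added example (not from any post in this thread and not switch code) that models what a Catalyst does with its DHCP snooping binding table when both features are enabled on an access port: IP Source Guard filters IP frames by source IP (and, with the port-security option, source MAC) against bindings learned on that port and VLAN, while Dynamic ARP Inspection looks only at ARP and validates the sender IP/MAC pair against the same table. The binding table, port names, trusted uplink and frames are constructed for the demo, and the function names are this example's own.

```python
"""
Added example: a toy model of IP Source Guard (IPSG) and Dynamic ARP
Inspection (DAI) sharing one DHCP snooping binding table.  Not from the
thread and not Cisco code; bindings, ports and frames are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed binding table; a real switch learns it from DHCP ACKs
# (or from static "ip source binding ..." entries).
BINDINGS = (
    Binding("00:11:22:33:44:55", "10.1.10.50", 10, "Fa0/1"),
    Binding("00:11:22:33:44:66", "10.1.10.51", 10, "Fa0/2"),
)

# Uplink towards the gateway, configured "ip arp inspection trust" (assumed).
TRUSTED_PORTS = frozenset({"Gi0/1"})


def _bindings_for(port: str, vlan: int) -> List[Binding]:
    return [b for b in BINDINGS if b.port == port and b.vlan == vlan]


def ipsg_permits(port: str, vlan: int, src_mac: str, src_ip: str,
                 check_mac: bool = True) -> bool:
    """IPSG on an untrusted port: forward an IP frame only if its source IP
    (and, when check_mac is set, its source MAC) matches a binding learned on
    this port and VLAN.  A neighbour's binding on another port does not count."""
    return any(b.ip == src_ip and (not check_mac or b.mac.lower() == src_mac.lower())
               for b in _bindings_for(port, vlan))


def dai_permits(port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
    """DAI: ARP from a trusted port passes unchecked; on an untrusted port the
    ARP sender MAC/IP pair must match a binding for that port and VLAN.
    (The optional Ethernet-source vs ARP-sender validation is not modelled.)"""
    if port in TRUSTED_PORTS:
        return True
    return any(b.mac.lower() == sender_mac.lower() and b.ip == sender_ip
               for b in _bindings_for(port, vlan))


def inspect_frame(frame: dict) -> Tuple[str, str]:
    """Apply both features to one frame, returning (verdict, feature).
    DAI only ever sees ARP; IPSG's IP filter only ever sees IP."""
    if frame["kind"] == "arp":
        ok = dai_permits(frame["port"], frame["vlan"],
                         frame["sender_mac"], frame["sender_ip"])
        return ("forward" if ok else "drop", "DAI")
    if frame["kind"] == "ip":
        ok = ipsg_permits(frame["port"], frame["vlan"],
                          frame["eth_src"], frame["src_ip"])
        return ("forward" if ok else "drop", "IPSG")
    return ("forward", "none")


# Constructed frames: two hosts on access ports plus the gateway on the uplink.
FRAMES = [
    {"id": "A data", "kind": "ip", "port": "Fa0/1", "vlan": 10,
     "eth_src": "00:11:22:33:44:55", "src_ip": "10.1.10.50"},
    # Spoofed source IP in an IP packet: DAI never looks, IPSG drops it.
    {"id": "A spoofed IP", "kind": "ip", "port": "Fa0/1", "vlan": 10,
     "eth_src": "00:11:22:33:44:55", "src_ip": "10.1.10.1"},
    {"id": "B arp reply", "kind": "arp", "port": "Fa0/2", "vlan": 10,
     "sender_mac": "00:11:22:33:44:66", "sender_ip": "10.1.10.51"},
    # Gateway poisoning: B's own MAC, but claiming the gateway's IP.
    {"id": "B arp poison", "kind": "arp", "port": "Fa0/2", "vlan": 10,
     "sender_mac": "00:11:22:33:44:66", "sender_ip": "10.1.10.1"},
    {"id": "gw arp reply", "kind": "arp", "port": "Gi0/1", "vlan": 10,
     "sender_mac": "00:aa:bb:cc:dd:01", "sender_ip": "10.1.10.1"},
]


def run_demo() -> List[Tuple[str, str, str]]:
    """Return (frame id, verdict, feature) for every constructed frame."""
    return [(f["id"],) + inspect_frame(f) for f in FRAMES]


if __name__ == "__main__":
    for fid, verdict, feature in run_demo():
        print(f"{fid:14s} {verdict:8s} ({feature})")
```

The two drops show why the features are complementary rather than redundant: the spoofed-source IP packet is invisible to DAI, and the ARP reply claiming the gateway's IP is invisible to IPSG because its Ethernet source is the host's legitimate MAC. Both depend on the same binding table, so DHCP snooping (or static bindings) has to be in place before either does anything useful.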
From dcp at dcptech.com Mon May 18 23:13:33 2009 From: dcp at dcptech.com (David Prall) Date: Mon, 18 May 2009 23:13:33 -0400 Subject: [c-nsp] ip tcp mss on sup720 In-Reply-To: <6bb5f5b10905181928o6a3a3d72mc6bdf909700417c5@mail.gmail.com> References: <6bb5f5b10905181928o6a3a3d72mc6bdf909700417c5@mail.gmail.com> Message-ID: <000001c9d82f$dd530d80$97f92880$@com> It is first available in 12.2(33)SRA and 12.2(33)SXH http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_tcp_ps64 41_TSD_Products_Configuration_Guide_Chapter.html#wp1054627 David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Rubens Kuhl > Sent: Monday, May 18, 2009 10:28 PM > To: Javier Liendo > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ip tcp mss on sup720 > > And even if the command exists, there is no such feature on the PFC > AFAIK, so the 6500 would be turned into a 7200... > > > Rubens > > > On Mon, May 18, 2009 at 10:43 PM, Javier Liendo > wrote: > > hi ibrahim, > > > > the issue is that on a 6500 with sup720 AFAIK there is no adjust-mss > > under the interface...only global... > > > > best regards, > > > > javier > > > > On Mon, May 18, 2009 at 8:17 PM, Ibrahim Abo Zaid > > wrote: > >> Hi Javier > >> > >> if you configure it under interface , it will affect transit traffic > >> > >> and i think global will affect locally orginated or terminated > traffic and > >> you won't need this > >> > >> > >> best regards > >> --Ibrahim > >> > >> On Tue, May 19, 2009 at 3:42 AM, Javier Liendo > wrote: > >>> > >>> hi, > >>> > >>> on a cisco router if i want to adjust the tcp MSS from traffic > flowing > >>> *through* it, i can use the "ip tcp adjust-mss" under the > *interface* > >>> in question... 
> >>> > >>> in case of a 6500 with a sup720 i have the "ip tcp mss" *global* > >>> configuration command...will this command modify the MSS from the > >>> traffic flowing *through* it or only from traffic > >>> originating/terminating on it? or both? > >>> > >>> any help/pointers/experiences will be greatly appreciated... > >>> > >>> regards, > >>> > >>> javier > >>> _______________________________________________ > >>> cisco-nsp mailing list ?cisco-nsp at puck.nether.net > >>> https://puck.nether.net/mailman/listinfo/cisco-nsp > >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > >> > > _______________________________________________ > > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From ip at ioshints.info Tue May 19 00:40:20 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Tue, 19 May 2009 06:40:20 +0200 Subject: [c-nsp] network simulator In-Reply-To: References: <4A119C41.4030206@gtsce.com> Message-ID: <006801c9d83b$ebad8f20$0a00000a@nil.si> Dynamips (which is under the hood of GNS3) could be used to emulate IOS switching behavior as long as what you're trying to do is supported on the routers. If you're testing standard spanning tree, Dynamips should be just fine (you'll just configure routers as bridges). OPNET is a great network simulation tool. I've used it years ago and I was deeply impressed. They might have academic or test licenses. 
You might also want to consider Cisco's PacketTracer: http://www.cisco.com/web/learning/netacad/course_catalog/PacketTracer.html Some other tools are listed here: http://www.idsia.ch/~andrea/sim/simnet.html Best regards Ivan http://www.ioshints.info/about http://blog.ioshints.info/ > I'm looking for a (free) network simulator that allows me to > simulate a small network (20 switches) with different vlans > on it. I want to test different scenario's : what happens if > this switch goes down or that link goes down, how do the > packets flow in each scenario for the different vlans... > > Anyone has a good reference to such a product ? Free would be > nice but is no absolute condition. From ip at ioshints.info Tue May 19 00:49:03 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Tue, 19 May 2009 06:49:03 +0200 Subject: [c-nsp] BGP Config In-Reply-To: <4A11D176.8010304@thewybles.com> References: <4A11D176.8010304@thewybles.com> Message-ID: <006e01c9d83d$231c6d40$0a00000a@nil.si> I absolutely agree with Charles ... although not on the "provider will give you the necessary details" part. I've seen some service providers that were somewhat inadequate in that respect (trying to be diplomatic :). You might find some of the links/videos on my BGP resource center useful: http://wiki.nil.com/BGP The next starting point is Cisco's BGP page: http://www.cisco.com/en/US/tech/tk365/tk80/tsd_technology_support_sub-protoc ol_home.html Hope this helps! Ivan http://www.ioshints.info/about http://blog.ioshints.info/ > -----Original Message----- > From: Charles Wyble [mailto:charles at thewybles.com] > Sent: Monday, May 18, 2009 11:22 PM > To: Alain Camille > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] BGP Config > > This should be provided by your ISP. > > Lots of BGP docs on the net..... if your asking for help on > the c-nsp list with an ultra generic topic.... please please > please please get some training and do some reading. 
> > Again your provider will give you the necessary details. > > > > Alain Camille wrote: > > > > > > > > My ISP will be maintaining the BGP configuration for my > organization.. I need a minimal BGP configuration on my core > device that will allow connectivity to the ISP. Looking for > some direction. Thanks. > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > From zhqasmi at cyber.net.pk Tue May 19 00:51:01 2009 From: zhqasmi at cyber.net.pk (Amjad Ul Hasnain Qasmi) Date: Tue, 19 May 2009 10:51:01 +0600 Subject: [c-nsp] 7200 atm interworking In-Reply-To: <047101c9d81f$4e912c4b$2c0011ac@RainierConnect.local> References: <047101c9d81f$4e912c4b$2c0011ac@RainierConnect.local> Message-ID: <00bf01c9d83d$69748b60$3c5da220$@net.pk> 7200 does support interworking, I have tested it over 7206VXR with 12.2(33)SRC3. Feature navigator will give you a complete detail of protocols and combination supported. /AHQ -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen Sent: Tuesday, May 19, 2009 7:15 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] 7200 atm interworking Is the 7200 platform capable of atm interworking? I see it can do mpls l2 vpn for atm, but wondering if it can do interworking so I only need to maintain atm interfaces on one end. 
Walter Keen _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From dale.shaw+cisco-nsp at gmail.com Tue May 19 01:37:55 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Tue, 19 May 2009 15:37:55 +1000 Subject: [c-nsp] CEF issue with NAT pool with add-route keyword (NVI) In-Reply-To: <3329cbb40905182235g36e45009yee899a5dd61a4097@mail.gmail.com> References: <3329cbb40905182235g36e45009yee899a5dd61a4097@mail.gmail.com> Message-ID: <3329cbb40905182237r706ea816k7fd6f496d9fed5cb@mail.gmail.com> Hi, I've just encountered a strange problem:

SW1 (Vlan10) --> (Fa0/0) R1 (Se0/1/0) --> (Se0/1/0) R4

SW1's config is:

interface Loopback0
 ip address 10.255.8.8 255.255.255.255
!
interface Vlan10
 ip address 10.1.18.8 255.255.255.0
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary

8<---

R1's config is:

interface FastEthernet0/0
 ip address 10.1.18.1 255.255.255.0
 ip nat enable
!
interface Serial0/1/0
 ip address 10.1.14.1 255.255.255.0
 ip nat enable
!
router rip
 version 2
 redistribute static metric 1
 network 10.0.0.0
 no auto-summary
!
ip access-list standard SW1_LOOPBACK
 permit host 10.255.8.8
!
ip nat pool NET188 10.1.188.1 10.1.188.254 prefix-length 24 add-route
ip nat source list SW1_LOOPBACK pool NET188

8<---

R4's config is:

interface Serial0/1/0
 ip address 10.1.14.4 255.255.255.0
 clock rate 128000
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary

8<---

- RIPv2 is providing full reachability between all interfaces.
- R1 is configured to translate the source IP of packets from SW1's Lo0 IP address (10.255.8.8) to 10.1.188.x
- R4 sees the 10.1.188.0/24 route being redistributed by R1:

R1#sh ip ro 10.1.188.0
Routing entry for 10.1.188.0/24
  Known via "static", distance 0, metric 0
  Redistributing via rip
  Advertised by rip metric 1
  Routing Descriptor Blocks:
  * directly connected, via NVI0
      Route metric is 0, traffic share count is 1

R4#sh ip ro 10.1.188.0
Routing entry for 10.1.188.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 10.1.14.1 on Serial0/1/0, 00:00:00 ago
  Routing Descriptor Blocks:
  * 10.1.14.1, from 10.1.14.1, 00:00:00 ago, via Serial0/1/0
      Route metric is 1, traffic share count is 1

- When telnetting from SW1's Lo0 IP to R4's loopback (10.255.4.4), a connection is established, but it's extremely slow/patchy due to packet loss.
- If I send a ping (same src/dst as above), I see output like this:

SW1#ping 10.255.4.4 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.255.8.8
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 8/11/17 ms

- If I enable 'debug ip cef drops' on R1, I see output like this:

CEF-Drop: Stalled adjacency for 0.0.0.0 on NVI0 for destination 10.1.188.1
CEF-Drop: Packet for 10.1.188.1 -- encapsulation
CEF-Drop: Stalled adjacency for 0.0.0.0 on NVI0 for destination 10.1.188.1
CEF-Drop: Packet for 10.1.188.1 -- encapsulation

- I've found two workarounds:

1) disable CEF on R1's Se0/1/0 interface:

R1#conf t
R1(config)#int s0/1/0
R1(config-if)#no ip route-cache cef

OR:

2) remove 'add-route' from the 'ip nat pool' statement, and add a static route manually:

R1(config)#do clear ip nat nvi trans *
R1(config)#no ip nat pool NET188 10.1.188.1 10.1.188.254 prefix-length 24 add-route
R1(config)#ip nat pool NET188 10.1.188.1 10.1.188.254 prefix-length 24
R1(config)#ip route 10.1.188.0 255.255.255.0 10.1.18.8

Either workaround restores 'good' connectivity -- no packet loss, no CEF drops evident on R1. Has anyone else seen this behaviour?
I'm running: Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(23), RELEASE SOFTWARE (fc1) cheers, Dale From grzegorz.drozda at gmail.com Tue May 19 01:55:31 2009 From: grzegorz.drozda at gmail.com (Grzegorz Drozda) Date: Tue, 19 May 2009 07:55:31 +0200 Subject: [c-nsp] IPSG and DAI In-Reply-To: References: Message-ID: Hello The main difference is: - IP Source Guard validate all packets regarding to source mac address, ip address and source port - Dynamic ARP Inspection inspects only ARP packets More information about configuring that features you can find on page http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml 2009/5/19 Charuntorn Baimoung > What is different between IPSG and DAI? How I implemnet in same interface > config ? > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Grzegorz Drozda From c-nsp at djvh.nl Tue May 19 01:55:46 2009 From: c-nsp at djvh.nl (Dirk-Jan van Helmond) Date: Tue, 19 May 2009 07:55:46 +0200 Subject: [c-nsp] IPSG and DAI In-Reply-To: References: Message-ID: <439AC7A9-E9C6-42F3-BAEE-786023331935@djvh.nl> On May 19, 2009, at 4:41 AM, Charuntorn Baimoung wrote: > What is different between IPSG and DAI? How I implemnet in same > interface config ? > http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=7 http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=8 From networkstuff.training at gmail.com Tue May 19 02:01:12 2009 From: networkstuff.training at gmail.com (Swati Sharma) Date: Tue, 19 May 2009 11:31:12 +0530 Subject: [c-nsp] mls qos vlan based Message-ID: <8a93d4b30905182301t2e308fa0kef8c9158bcb11a20@mail.gmail.com> Hi, I am trying to prioritize traffic from certain vlan and send it to port-chanel. 
When I do this, it says MQC not supported on channel interfaces. What is the other way to achieve the same. I want to prioritize any traffic from (say) vlan 10 / 20. Regards, Swati From fahad.alikhan at gmail.com Tue May 19 02:37:31 2009 From: fahad.alikhan at gmail.com (FAHAD ALI KHAN) Date: Tue, 19 May 2009 12:37:31 +0600 Subject: [c-nsp] Tunnel (RSVP LSP) with multiple path (all UP) Message-ID: <9347ea5b0905182337o544dd581q29ac98b0fb67a355@mail.gmail.com> Dear All There is a option in Juniper/Cisco Routers to set multiple Paths in the Tunnel (LSP). In Juniper router we can set secondary path UP (along with primary) by configuring *standby* parameter to the secondary path. Primary will be selected based on weight value. Is there any option in Cisco that do the same. Remember, my requirement is not to set two separate tunnel but single tunnels with two paths & both paths (means LSP) will UP at the same time, but selection is done on the weight (or path-option #) basis. Regards Fahad From peter.haag at switch.ch Tue May 19 03:39:16 2009 From: peter.haag at switch.ch (Peter Haag) Date: Tue, 19 May 2009 09:39:16 +0200 Subject: [c-nsp] cisco-nsp Digest, Vol 78, Issue 52 In-Reply-To: References: Message-ID: <4A126224.2010701@switch.ch> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Roland et al, > On May 19, 2009, at 3:05 AM, Werner Detter wrote: > > we use http://nfsen.sourceforge.net/ > > nfsen/nfdump is a great open-source tool - I *think* it supports > sampling, now (anyone?). The stable version does not (yet), However, I'm currently testing the next snapshot to be released next week or so, it will recognise sampling and lots of more v9 elements such as vlan and MPLS labels, MAC addresses, next hop IPs etc. It will also support FNF on collector level. Testers are welcome! :) - Peter > > Stager is cool, too, though last I checked it didn't support v9 > (again, correction welcome; it's dependent upon the flow-tools for > collection). 
> > The easiest/quickest one to get up and running is probably ntop (it > supports NetFlow, in addition to deriving statistics via packet- > capture). - -- _______ SWITCH - The Swiss Education and Research Network ______ Peter Haag, Security Engineer, Member of SWITCH CERT PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7 SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland E-mail: peter.haag at switch.ch Web: http://www.switch.ch/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iQCVAwUBShJiH/5AbZRALNr/AQKjbgP/SPrjsgDWHVCGcqqoh+W9EqUNE+Y2T/Xs zU6Hmh4h/G0ukINg41DrWmKAxIMMPOGSvyI8qI2NLEXLOwpuX0hlhS/xfRAvCbWA eoCgSuu7J1qOIhHO3wNOkW4vcIXWQKwSdL9Sh1Pc9kiF/vDkMniTXWNH6bvUtsFe 2xZpGiGP814= =FI3I -----END PGP SIGNATURE----- From nsp-list at pollok.net Tue May 19 04:11:16 2009 From: nsp-list at pollok.net (Sascha E. Pollok) Date: Tue, 19 May 2009 10:11:16 +0200 (CEST) Subject: [c-nsp] VRRP / MAC Forwarding Problem on Sup2/PFC2 Message-ID: Hello people, recently I have discussed a problem here and there and there is not proper solution/explanation yet so I thought I'd share it with you: Server | | +-----3548XL-----+ .1q Trunk | | .1q Trunk | MST | | | MST Root 6509#1----------6509#2 MST Backup VRRP Backup | L2 Trunk | VRRP Master on SVI | .1q | on SVI | | BB#1 BB#2 Backbone Routers Problem: 6509#1 was VRRP Master before and terminated all the IP traffic from the server on its SVI and routed it towards the internet (via BB#1). Now 6509#2 is configured VRRP master. Thus, because of MST, the ethernet frames should travel on layer 2 to 6509#2 and fall out of the SVI there like this: Server -> 3548XL -> 6509#1 -> 6509#2 -> SVI -> BB#2. What actually happens is the strange part: the traffic can still be seen on the SVI on 6509#1. 6509#1 is still pushing the traffic from layer 2 to layer 3 on its local SVI and the 6509#2 never sees the traffic coming from the server. Even if I deconfigure VRRP on 6509#1. 
And: even if I do "no ip address" on the SVI on 6509#1 it is still routing the traffic (of course only incoming from the server as the connected routes are gone when doing "no ip address"). The 6509#2 only sees the traffic in two cases: 1. I shutdown the SVI on 6509#1. In this case the traffic is immediately switched to 6509#2 and routed to the 6509#2's SVI. When I "no shut" the SVI on 6509#1 we are back to the previous situation. Deleting and re-creating the SVI on 6509#1 does not help. 2. When I change the VRRP Group on 6509#2 to a VRRP Group that NEVER was configured on the SVI on 6509#1. Then the traffic goes as expected via the SVI on 6509#2. When I make 6509#1 the VRRP master in this situation, the L3 Traffic switches to 6509#1. When I make the 6509#2 the master again, it does NOT switch back to 6509#2. This leads me to the following assumption: the 6509#1 somehow memorizes the destination MAC addresses that it is supposed to "route" to the locally configured SVI even when the ethernet frame's destination address is reachable via a remote trunk. "sh mac-address-table vlan xx" on 6509#1 shows that it has been dynamically learned via the trunk towards 6509#2. This looks perfect. So there must be something else to let the 6509#1 send the packet to the SVI. To make it more complex, I would like to add that a traceroute from the server to the Internet looks like this: 1 6509#2 (yes, thats correct) 2 BB#1 (oh that can't be since there is no link to BB#1 on 6509#2) Details about the platform: 6509 with SUP2, MSFC2 and SFM cards running 12.2(18)SXF15. Anyone? Thank you for your thoughts. Sascha From rgallagh at cisco.com Tue May 19 05:36:19 2009 From: rgallagh at cisco.com (Richard Gallagher) Date: Tue, 19 May 2009 10:36:19 +0100 Subject: [c-nsp] CRS-1 MSC 20G card? 
In-Reply-To:
References:
Message-ID: <9CF20016-D9D3-41B7-BC0C-5AB23AAC9BA5@cisco.com>

Marlon,

This is the same 40GB card but limited in SW to 20GB, so depending on your BW requirements you can choose the right license.

http://www.cisco.com/en/US/products/hw/modules/ps2710/prod_eol_notice0900aecd80460709.html

Rich

On 18 May 2009, at 19:10, Marlon Duksa wrote:

> Hi,
> does anyone know what is this CRS-1 MSC 20G card (prod number CRS-MSC-20G_?
>
> I understand that they have a MSC 40G with two SPP processors, one per
> direction (ingress/egress).
>
> But there is an option to buy a 20G version of this card. Is this done
> through licensing or is the 20G card a different HW card altogether?
> Thanks,
> Marlon
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From p.mayers at imperial.ac.uk Tue May 19 05:51:39 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 19 May 2009 10:51:39 +0100
Subject: [c-nsp] ip tcp mss on sup720
In-Reply-To: <6bb5f5b10905181928o6a3a3d72mc6bdf909700417c5@mail.gmail.com>
References: <6bb5f5b10905181928o6a3a3d72mc6bdf909700417c5@mail.gmail.com>
Message-ID: <20090519095139.GB23757@wildfire.net.ic.ac.uk>

On Tue, May 19, 2009 at 03:28:22AM +0100, Rubens Kuhl wrote:
>And even if the command exists, there is no such feature on the PFC
>AFAIK, so the 6500 would be turned into a 7200...

Not quite true. I believe the feature works by punting the SYN & SYN/ACK to the sup for modification of the MSS TCP option, then installing a higher-priority netflow entry, leaving the rest of the flow to be hardware-forwarded.

So it'll certainly incur a CPU load, but it's dependent on the session rate, not the packet rate.
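An added example, not from the thread and not Cisco's code, showing at the packet level what the MSS rewrite Phil describes has to do to the one segment per session it sees: locate the MSS option (kind 2) in a SYN or SYN/ACK, lower it, and recompute the TCP checksum over the pseudo-header. It only ever looks at SYN-flagged segments, which is exactly why the load tracks session rate rather than packet rate, and it returns the segment untouched when the option list is truncated or malformed rather than guessing at offsets. The SYN it operates on is constructed inline with TEST-NET addresses, and the clamp value 1380 is an arbitrary choice for illustration.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# Added example (not the thread's or Cisco's code): an "adjust-mss" style
# rewrite of the MSS option on SYN / SYN-ACK segments, with a correct
# TCP checksum afterwards.  Non-SYN segments are never modified.

TCP_PROTO = 6
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(ip_packet: bytes, tcp_len: int) -> bytes:
    # source address, destination address, zero, protocol, TCP length
    return ip_packet[12:20] + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)


def _find_mss(tcp: bytes) -> Optional[int]:
    """Byte offset of the 16-bit MSS value inside the TCP header, or None."""
    data_offset = (tcp[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = tcp[i]
        if kind == OPT_EOL:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            return None                      # truncated option: do not guess
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:
            return None                      # malformed option list
        if kind == OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(ip_packet: bytes) -> Optional[int]:
    ihl = (ip_packet[0] & 0x0F) * 4
    tcp = ip_packet[ihl:]
    off = _find_mss(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def tcp_checksum_ok(ip_packet: bytes) -> bool:
    ihl = (ip_packet[0] & 0x0F) * 4
    tcp = ip_packet[ihl:]
    return _ones_complement_sum(_tcp_pseudo_header(ip_packet, len(tcp)) + tcp) == 0


def clamp_mss(ip_packet: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option of a SYN/SYN-ACK down to max_mss.

    Returns (packet, original_mss).  original_mss is None when the segment is
    not TCP, not a SYN, or carries no MSS option; the packet is then unchanged.
    """
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != TCP_PROTO:
        return ip_packet, None
    tcp = bytearray(ip_packet[ihl:])
    if not tcp[13] & 0x02:                   # SYN flag not set: leave alone
        return ip_packet, None
    off = _find_mss(bytes(tcp))
    if off is None:
        return ip_packet, None
    original = struct.unpack("!H", tcp[off:off + 2])[0]
    if original <= max_mss:
        return ip_packet, original
    tcp[off:off + 2] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"                 # checksum field is zero while summing
    csum = _ones_complement_sum(_tcp_pseudo_header(ip_packet, len(tcp)) + bytes(tcp))
    tcp[16:18] = struct.pack("!H", csum)
    return ip_packet[:ihl] + bytes(tcp), original


def build_syn(mss: int, src: str = "192.0.2.10", dst: str = "198.51.100.20") -> bytes:
    """Constructed IPv4 SYN (TEST-NET addresses) with options MSS, NOP, NOP, SACK-permitted."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    opts = struct.pack("!BBH", OPT_MSS, 4, mss) + b"\x01\x01\x04\x02"   # 8 bytes
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, 0x02, 65535, 0, 0)) + opts
    tcp[16:18] = struct.pack("!H", _ones_complement_sum(
        s + d + struct.pack("!BBH", 0, TCP_PROTO, len(tcp)) + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, TCP_PROTO, 0, s, d))
    ip[10:12] = struct.pack("!H", _ones_complement_sum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn(1460)
    clamped, before = clamp_mss(syn, 1380)
    print("MSS %d -> %d, checksum ok: %s" % (before, read_mss(clamped), tcp_checksum_ok(clamped)))
```

Feeding the same function a SYN flood shows the other half of Phil's point: every SYN gets punted and parsed, so the per-session cost is what an attacker can drive, even though the rest of each flow stays in hardware.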
From Sachin.Bodkhe at Airtel.in Tue May 19 05:15:30 2009
From: Sachin.Bodkhe at Airtel.in (Sachin.Bodkhe at Airtel.in)
Date: Tue, 19 May 2009 14:45:30 +0530
Subject: [c-nsp] What cisco line cards support DS3 over RJ45 interface
In-Reply-To: <4A11CCDF.4020701@rollernet.us>
Message-ID:

IT Works

Regards,
Sachin Bodkhe
DSL NOC TEAM
Bharti Airtel Services Ltd.

Seth Mattinen
Sent by: cisco-nsp-bounces at puck.nether.net
05/19/2009 02:47 AM

To: cisco-nsp at puck.nether.net
cc:
Subject: Re: [c-nsp] What cisco line cards support DS3 over RJ45 interface

nbernadeau at gallantsys.com wrote:
> Please let me know if you know the cisco line card(s) that support DS3
> over RJ45 interface.
>

No such thing. Maybe you could tell us what you're trying to accomplish and we can suggest something.

~Seth
From avayner at cisco.com Tue May 19 07:32:55 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 19 May 2009 13:32:55 +0200
Subject: [c-nsp] mls qos vlan based
In-Reply-To: <8a93d4b30905182301t2e308fa0kef8c9158bcb11a20@mail.gmail.com>
References: <8a93d4b30905182301t2e308fa0kef8c9158bcb11a20@mail.gmail.com>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7A41583@xmb-ams-331.emea.cisco.com>

You need to apply the marking ingress policy on the "interface vlan". Even if it's a L2 only VLAN, you can do "interface vlan", but do not have to configure an IP address.

This is documented here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1726124

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Swati Sharma
Sent: Tuesday, May 19, 2009 09:01
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] mls qos vlan based

Hi,

I am trying to prioritize traffic from certain vlan and send it to port-channel. When I do this, it says MQC not supported on channel interfaces. What is the other way to achieve the same. I want to prioritize any traffic from (say) vlan 10 / 20.
Regards,
Swati

From devon at noved.org Tue May 19 08:19:44 2009
From: devon at noved.org (Devon True)
Date: Tue, 19 May 2009 08:19:44 -0400
Subject: [c-nsp] Netflow tools
In-Reply-To: <5F97228F-8D65-49E6-9DC9-82A5CE5CDFDA@arbor.net>
References: <9E0B3550-FB1B-4E8F-8562-1839C9587573@kielnet.de> <4A11BFA4.5030405@trans.net> <5F97228F-8D65-49E6-9DC9-82A5CE5CDFDA@arbor.net>
Message-ID: <4A12A3E0.4080400@noved.org>

Roland Dobbins wrote:
> nfsen/nfdump is a great open-source tool - I *think* it supports
> sampling, now (anyone?).

Peter said a nfdump snapshot supporting sampling should be uploaded sometime this week.

http://sourceforge.net/mailarchive/forum.php?thread_name=4A083998.60702%40switch.ch&forum_name=nfdump-discuss

--
Devon

From geoff at pendery.net Tue May 19 09:54:07 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Tue, 19 May 2009 08:54:07 -0500
Subject: [c-nsp] VRRP / MAC Forwarding Problem on Sup2/PFC2
In-Reply-To:
References:
Message-ID:

1. You mention 12.2(18)SXF15 - I assume you're running native? With "ip cef"? The "memorize the MAC address" you mentioned sounds like the old style MLS on hybrid...

2. I've seen the "traceroute doesn't match ip route path" behavior before, with a CEF bug. The CEF table had been holding onto an old default route even though the IP routing table had a new one. You might be able to confirm this behavior with a "show ip cef" on 6509#1 (looking to confirm that the next hop leaves via the interface to BB#1 instead of 6509#2), and/or a "clear ip route *" on 6509#1, which should clear the CEF FIB as well and force it to rebuild the table.

3. A sniffer on 6509#1 might shed more light on the problem, as you'll be able to really see the destination MAC addresses and the ingress/egress ports.
The only other idea that's coming to me which fits into semi-normal routing behavior is - maybe 6509#2 wants to route the packet out BB#1 anyway, and is sending an ICMP redirect to your server after the first packet, telling him to use 6509#1 instead.

Another idea for checking this - clear the ARPs on your server, then run some of this traffic, then show the ARPs. See if he has an ARP for the backup VRRP address, not just his default gateway.

Hope that helps. Even if I'm wrong, I'd be curious to know how it turns out.

-Geoff

On Tue, May 19, 2009 at 3:11 AM, Sascha E. Pollok wrote:
> Hello people,
>
> recently I have discussed a problem here and there and there
> is no proper solution/explanation yet so I thought I'd share
> it with you:
>
>                     Server
>                       |
>                       |
>               +-----3548XL-----+
>    .1q Trunk  |                | .1q Trunk
>               |      MST       |
>               |                |
>   MST Root  6509#1----------6509#2  MST Backup
>  VRRP Backup  |    L2 Trunk    |    VRRP Master
>    on SVI     |       .1q      |      on SVI
>               |                |
>             BB#1              BB#2   Backbone Routers
>
>
> Problem: 6509#1 was VRRP Master before and terminated all the
> IP traffic from the server on its SVI and routed it towards the
> internet (via BB#1).
>
> Now 6509#2 is configured VRRP master. Thus, because of MST,
> the ethernet frames should travel on layer 2 to 6509#2 and
> fall out of the SVI there like this:
>
>  Server -> 3548XL -> 6509#1 -> 6509#2 -> SVI -> BB#2.
>
> What actually happens is the strange part: the traffic
> can still be seen on the SVI on 6509#1. 6509#1 is still
> pushing the traffic from layer 2 to layer 3 on its local SVI
> and the 6509#2 never sees the traffic coming from the server.
>
> Even if I deconfigure VRRP on 6509#1.
> And: even if I do
> "no ip address" on the SVI on 6509#1 it is still routing
> the traffic (of course only incoming from the server as
> the connected routes are gone when doing "no ip address").
>
> The 6509#2 only sees the traffic in two cases:
>
>  1. I shutdown the SVI on 6509#1. In this case the traffic
>     is immediately switched to 6509#2 and routed to the 6509#2's
>     SVI. When I "no shut" the SVI on 6509#1 we are back to the
>     previous situation. Deleting and re-creating the SVI on
>     6509#1 does not help.
>
>  2. When I change the VRRP Group on 6509#2 to a VRRP Group that
>     NEVER was configured on the SVI on 6509#1. Then the traffic
>     goes as expected via the SVI on 6509#2.
>     When I make 6509#1 the VRRP master in this situation, the
>     L3 Traffic switches to 6509#1. When I make the 6509#2
>     the master again, it does NOT switch back to 6509#2.
>
> This leads me to the following assumption: the 6509#1 somehow
> memorizes the destination MAC addresses that it is supposed to
> "route" to the locally configured SVI even when the ethernet
> frame's destination address is reachable via a remote trunk.
>
> "sh mac-address-table vlan xx" on 6509#1 shows that it has been
> dynamically learned via the trunk towards 6509#2. This looks
> perfect. So there must be something else to let the 6509#1
> send the packet to the SVI.
>
> To make it more complex, I would like to add that a traceroute
> from the server to the Internet looks like this:
>
>   1  6509#2    (yes, that's correct)
>   2  BB#1      (oh that can't be since there is
>                 no link to BB#1 on 6509#2)
> Details about the platform: 6509 with SUP2, MSFC2
> and SFM cards running 12.2(18)SXF15.
>
> Anyone?
>
> Thank you for your thoughts.
> Sascha
>

From lobotiger at gmail.com Tue May 19 11:57:46 2009
From: lobotiger at gmail.com (Lobo)
Date: Tue, 19 May 2009 11:57:46 -0400
Subject: [c-nsp] Need help understanding mpls error message
Message-ID: <4A12D6FA.3070402@gmail.com>

I've searched on Cisco's website to help understand the following message but I'm not 100% clear on how to find the network/router responsible for generating these error messages:

.May 19 08:39:06.235 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 0 0 255}
.May 19 08:39:39.175 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
.May 19 08:40:19.392 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
.May 19 08:41:26.413 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
.May 19 08:42:02.225 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 6 1 255}

Since it's giving multiple labels, which one should I do a "mpls forwarding-table label" command on and will that point me to the offending block? FYI, Vlan101 is part of our NMS network and does not have LDP enabled on it.

Thanks.

Jose

From rodunn at cisco.com Tue May 19 12:12:52 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 19 May 2009 12:12:52 -0400
Subject: [c-nsp] Need help understanding mpls error message
In-Reply-To: <4A12D6FA.3070402@gmail.com>
References: <4A12D6FA.3070402@gmail.com>
Message-ID: <20090519161252.GK13559@rtp-cse-489.cisco.com>

If you sniff that vlan do you see packets coming in with 0x8847 on them?
It could be bogus packets with that on them and no valid label stack behind them.

Rodney

On Tue, May 19, 2009 at 11:57:46AM -0400, Lobo wrote:
> I've searched on Cisco's website to help understand the following message
> but I'm not 100% clear on how to find the network/router responsible for
> generating these error messages:
>
> .May 19 08:39:06.235 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received
> on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 0 0 255}
> .May 19 08:39:39.175 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received
> on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
> .May 19 08:40:19.392 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received
> on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
> .May 19 08:41:26.413 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received
> on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
> .May 19 08:42:02.225 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received
> on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 6 1 255}
>
> Since it's giving multiple labels, which one should I do a "mpls
> forwarding-table label" command on and will that point me to the
> offending block? FYI, Vlan101 is part of our NMS network and does not
> have LDP enabled on it.
>
>
> Thanks.
>
> Jose

From peter at rathlev.dk Tue May 19 12:17:32 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 19 May 2009 18:17:32 +0200
Subject: [c-nsp] Need help understanding mpls error message
In-Reply-To: <4A12D6FA.3070402@gmail.com>
References: <4A12D6FA.3070402@gmail.com>
Message-ID: <1242749852.3440.13.camel@localhost.localdomain>

On Tue, 2009-05-19 at 11:57 -0400, Lobo wrote:
> I've searched on Cisco's website to help understand the following message
> but I'm not 100% clear on how to find the network/router responsible for
> generating these error messages:
>
> .May 19 08:39:06.235 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received
> on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 0 0 255}
...
> Since it's giving multiple labels, which one should I do a "mpls
> forwarding-table label" command on and will that point me to the
> offending block? FYI, Vlan101 is part of our NMS network and does not
> have LDP enabled on it.

You probably won't be able to look it up in the FIB. As it says: You received an MPLS tagged frame on a non MPLS interface. This frame was probably not tagged with labels that your router assigned.

What else exists on VLAN 101? Any MPLS speakers? Is VLAN 101 a "trusted" interface?

With a sniffer you'd be able to see the source MAC address of the frames. Something like tcpdump with the "-e" flag will show you:

18:14:39.807669 00:19:07:73:c9:40 > 00:0b:46:5a:74:20, ethertype MPLS unicast (0x8847), length 78: MPLS (label 54, exp 0, [S], ttl 247), IP, length: 64

Then you can look up the MAC-address in the L2 FIB.
Regards,
Peter

From mhuff at ox.com Tue May 19 12:20:19 2009
From: mhuff at ox.com (Matthew Huff)
Date: Tue, 19 May 2009 12:20:19 -0400
Subject: [c-nsp] PFC QOS question about 802.1Q trunks
In-Reply-To: <4A12D6FA.3070402@gmail.com>
References: <4A12D6FA.3070402@gmail.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C3811FCF46@PUR-EXCH07.ox.com>

I have a question about QOS trust between two 6509 switches connected via a L2 802.1Q trunk with multiple VLANs. If the port is set to "trust cos", what does the internal DSCP value get set for native frames since there isn't a COS field? I would assume the internal DSCP value would be set to the default or normally zero. Do most people then set the native VLAN to a unused VLAN so that native packets have internal DSCP values set? Or do most use "trust dscp"? If so, what do people use "trust cos" for?

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From sethm at rollernet.us Tue May 19 12:27:06 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 19 May 2009 09:27:06 -0700
Subject: [c-nsp] What cisco line cards support DS3 over RJ45 interface
In-Reply-To: <20090518172326.sz4r1r2f40gsc0g4@www.gallantsys.com>
References: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> <4A11CCDF.4020701@rollernet.us> <20090518172326.sz4r1r2f40gsc0g4@www.gallantsys.com>
Message-ID: <4A12DDDA.2070506@rollernet.us>

nbernadeau at gallantsys.com wrote:
> This is actually a DS3 Handoff to RJ45. It is coming in to the Demarc
> as Coax. I just want to know what interfaces can then support the Handoff.
>

How about an Ethernet card? It's been converted to something else.
~Seth

From geoff at pendery.net Tue May 19 12:35:49 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Tue, 19 May 2009 11:35:49 -0500
Subject: [c-nsp] PFC QOS question about 802.1Q trunks
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9C3811FCF46@PUR-EXCH07.ox.com>
References: <4A12D6FA.3070402@gmail.com> <483E6B0272B0284BA86D7596C40D29F9C3811FCF46@PUR-EXCH07.ox.com>
Message-ID:

I can't answer your question about the default DSCP value without lab-ing it, but as to the second part: yes, it's generally a good practice to either pick a bogus/dummy VLAN for your native, or to apply the command "vlan dot1q tag native" to force it to apply a tag even on the native VLAN.

If you need the native VLAN untagged, like to present a potential trunk port as an access port for untagged hosts, then "trust cos" might be inappropriate.

Like you I would expect the DSCP to default to zero, but maybe someone else has the answer...

-Geoff

On Tue, May 19, 2009 at 11:20 AM, Matthew Huff wrote:
> I have a question about QOS trust between two 6509 switches connected via a L2 802.1Q trunk with multiple VLANs. If the port is set to "trust cos", what does the internal DSCP value get set for native frames since there isn't a COS field? I would assume the internal DSCP value would be set to the default or normally zero. Do most people then set the native VLAN to a unused VLAN so that native packets have internal DSCP values set? Or do most use "trust dscp"? If so, what do people use "trust cos" for?
>
>
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:
914-460-4139
>

From lobotiger at gmail.com Tue May 19 12:38:14 2009
From: lobotiger at gmail.com (Lobo)
Date: Tue, 19 May 2009 12:38:14 -0400
Subject: [c-nsp] Need help understanding mpls error message
In-Reply-To: <1242749852.3440.13.camel@localhost.localdomain>
References: <4A12D6FA.3070402@gmail.com> <1242749852.3440.13.camel@localhost.localdomain>
Message-ID: <4A12E076.6010509@gmail.com>

Hmmm good point Peter. I didn't realize that it wouldn't show up in the FIB. VLAN 101 should be a trusted interface since only NMS type of traffic is supposed to traverse on it for this part of the network. I'll see if there's a way to hook up a packet sniffer to that 6524 and see if I can figure out the MAC address from there.

Thanks.

Jose

Peter Rathlev wrote:
> On Tue, 2009-05-19 at 11:57 -0400, Lobo wrote:
>
>> I've searched on Cisco's website to help understand the following message
>> but I'm not 100% clear on how to find the network/router responsible for
>> generating these error messages:
>>
>> .May 19 08:39:06.235 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received
>> on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 0 0 255}
>>
> ...
>
>> Since it's giving multiple labels, which one should I do a "mpls
>> forwarding-table label" command on and will that point me to the
>> offending block? FYI, Vlan101 is part of our NMS network and does not
>> have LDP enabled on it.
>>
>
> You probably won't be able to look it up in the FIB. As it says: You
> received an MPLS tagged frame on a non MPLS interface. This frame was
> probably not tagged with labels that your router assigned.
>
> What else exists on VLAN 101? Any MPLS speakers? Is VLAN 101 a "trusted"
> interface?
>
> With a sniffer you'd be able to see the source MAC address of the
> frames.
> Something like tcpdump with the "-e" flag will show you:
>
> 18:14:39.807669 00:19:07:73:c9:40 > 00:0b:46:5a:74:20, ethertype MPLS unicast (0x8847), length 78: MPLS (label 54, exp 0, [S], ttl 247), IP, length: 64
>
> Then you can look up the MAC-address in the L2 FIB.
>
> Regards,
> Peter
>

From charles at thewybles.com Tue May 19 13:57:58 2009
From: charles at thewybles.com (Charles Wyble)
Date: Tue, 19 May 2009 10:57:58 -0700
Subject: [c-nsp] BGP Config
In-Reply-To: <006e01c9d83d$231c6d40$0a00000a@nil.si>
References: <4A11D176.8010304@thewybles.com> <006e01c9d83d$231c6d40$0a00000a@nil.si>
Message-ID: <4A12F326.9080406@thewybles.com>

Ivan Pepelnjak wrote:
> I absolutely agree with Charles ... although not on the "provider will give
> you the necessary details" part. I've seen some service providers that were
> somewhat inadequate in that respect (trying to be diplomatic :).

Yes. That's quite true unfortunately. :(

>
> You might find some of the links/videos on my BGP resource center useful:
>
> http://wiki.nil.com/BGP

Ah yes. Excellent work you're doing Ivan! Great blog and wiki. :)

>
> The next starting point is Cisco's BGP page:
>
> http://www.cisco.com/en/US/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html

Yep. Read up on Ivan's page for theory/explanations etc, and then utilize the extensive reference documentation that Cisco makes available. They have always been very good at reference material, but seem to rely on 3rd parties to create tutorial/overview material.... either that or attend the CCNA/CCNP/CCIE courses.

Navigating the docs is still something of an art form though. Cisco has 20 some years of history and an incredibly broad product matrix (and I thought Microsoft licensing was difficult!) So lists like c-nsp exist for when the finer parts of the art need to be discussed and reviewed.

In Cisco's defense, it seems they have been creating more and more tutorial/design material recently, and making it freely available via their website.
Things like the chalk talks
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

There are a wide variety of knobs that can be turned, and incorrect operation of a router that participates in BGP exchange can result in very nasty problems.
( http://asert.arbornetworks.com/2008/02/internet-routing-insecuritypakistan-nukes-youtube/
http://www.renesys.com/blog/2008/02/pakistan-hijacks-youtube-1.shtml )

From chris at chrisserafin.com Tue May 19 14:00:03 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Tue, 19 May 2009 13:00:03 -0500
Subject: [c-nsp] 'Simple' BGP multi homing
Message-ID: <4A12F3A3.1010604@chrisserafin.com>

I have 2 ISPs connecting at my data center at the moment, both with simple basic static routes, and I would like to multi-home them to provide redundancy in the event one goes down.

I have created a simple diagram here: http://chrisserafin.com/WAN-BGP.jpg

I have a few assumptions, so let me know if I'm on the correct page:

  * I will need to get both routers setup for BGP peering to their ISPs
  * I will need to request/buy a new IP block and AS from ARIN that both routers will advertise

I'm hoping I can 'lab this up' if both routers have spare (gig/fa)ethernet ports...sound possible?

Thanks

--chris

From james at mor-pah.net Tue May 19 14:38:16 2009
From: james at mor-pah.net (James Greig)
Date: Tue, 19 May 2009 19:38:16 +0100
Subject: [c-nsp] 'Simple' BGP multi homing
References: <4A12F3A3.1010604@chrisserafin.com>
Message-ID: <4F837D6B87B44C8482E424FFCF116648@x64>

Hi Chris,

Just out of interest, what model routers are you intending to use to achieve this? Also, are you aiming to load balance between the two peers?
James Greig

----- Original Message -----
From: "ChrisSerafin"
To:
Sent: Tuesday, May 19, 2009 7:00 PM
Subject: [c-nsp] 'Simple' BGP multi homing

>I have 2 ISPs connecting at my data center at the moment, both with simple
>basic static routes, and I would like to multi-home them to provide
>redundancy in the event one goes down.
>
> I have created a simple diagram here: http://chrisserafin.com/WAN-BGP.jpg
>
> I have a few assumptions, so let me know if I'm on the correct page:
>
> * I will need to get both routers setup for BGP peering to their ISPs
> * I will need to request/buy a new IP block and AS from ARIN that
> both routers will advertise
>
> I'm hoping I can 'lab this up' if both routers have spare (gig/fa)ethernet
> ports...sound possible?
>
>
> Thanks
>
> --chris
>

From booloo at ucsc.edu Tue May 19 14:46:02 2009
From: booloo at ucsc.edu (Mark Boolootian)
Date: Tue, 19 May 2009 11:46:02 -0700
Subject: [c-nsp] BGP Config
In-Reply-To: <4A12F326.9080406@thewybles.com>
References: <4A11D176.8010304@thewybles.com> <006e01c9d83d$231c6d40$0a00000a@nil.si> <4A12F326.9080406@thewybles.com>
Message-ID: <20090519184602.GA12167@root.ucsc.edu>

Ivan's stuff is excellent. Another very good resource for BGP is Philip Smith. He does BGP tutorials, among others, regularly all over the world.
The last NANOG BGP multihoming session is here:

http://www.nanog.org/meetings/nanog41/abstracts.php?pt=MTQ4Jm5hbm9nNDE=&nm=nanog41

You can find his other NANOG presentations using the "Show This Speaker" drop-down tab here:

http://www.nanog.org/presentations/archive/index.php

From mduksa at gmail.com Tue May 19 15:00:17 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 19 May 2009 12:00:17 -0700
Subject: [c-nsp] netflow sampling
Message-ID:

Hi - Does anyone know what netflow sampling is?

My understanding is that when NetFlow is enabled, certain flows (determined by ACL, or all of the flows on a port if there is no ACL) are cached and stats for them updated. After 'inactivity' timer expires, flow is deleted and the record exported.

But where is this sampling coming from? Is it sampling per flow - you count some packet of the flow but not all? Or is it that you sample some flows (each sampled flow accurately counting) but not the others, and you do this randomly?

Also in relation to netflow I see a lot of info like that '1:1500' and I think this is related to purchasing/licensing options. What does this '1:x' ratio mean?

I understand the Netflow version (5,8,9) concept, don't need any info on that. Just this sampling aspect is what confuses me.

Thanks,
Marlon

From brian at bluecoat93.org Tue May 19 15:21:32 2009
From: brian at bluecoat93.org (Brian Landers)
Date: Tue, 19 May 2009 15:21:32 -0400
Subject: [c-nsp] What cisco line cards support DS3 over RJ45 interface
In-Reply-To: <4A12DDDA.2070506@rollernet.us>
References: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> <4A11CCDF.4020701@rollernet.us> <20090518172326.sz4r1r2f40gsc0g4@www.gallantsys.com> <4A12DDDA.2070506@rollernet.us>
Message-ID: <689ea7e40905191221v39d6a700p8f74316696d1bc1a@mail.gmail.com>

On Tue, May 19, 2009 at 12:27 PM, Seth Mattinen wrote:
> nbernadeau at gallantsys.com wrote:
> > This is actually a DS3 Handoff to RJ45. It is coming in to the Demarc
> > as Coax.
> > I just want to know what interfaces can then support the
> > Handoff.
>

Is it possible it's RJ48C instead or RJ45 and you need one of these to convert to BNC? We just had to get one to connect a G.703 E1 to a VWIC.

http://www.pacificcable.com/Picture_Page.asp?DataName=CAB-E1-RJ45BNC

--
Brian C Landers
http://www.packetslave.com/
CCIE #23115

From brian at bluecoat93.org Tue May 19 15:35:41 2009
From: brian at bluecoat93.org (Brian Landers)
Date: Tue, 19 May 2009 15:35:41 -0400
Subject: [c-nsp] What cisco line cards support DS3 over RJ45 interface
In-Reply-To: <689ea7e40905191221v39d6a700p8f74316696d1bc1a@mail.gmail.com>
References: <20090518154835.y3g6khptcs4ckkw4@www.gallantsys.com> <4A11CCDF.4020701@rollernet.us> <20090518172326.sz4r1r2f40gsc0g4@www.gallantsys.com> <4A12DDDA.2070506@rollernet.us> <689ea7e40905191221v39d6a700p8f74316696d1bc1a@mail.gmail.com>
Message-ID: <689ea7e40905191235x69c55de0o9500fd1772adaa0@mail.gmail.com>

On Tue, May 19, 2009 at 3:21 PM, Brian Landers wrote:
> On Tue, May 19, 2009 at 12:27 PM, Seth Mattinen wrote:
>
>> nbernadeau at gallantsys.com wrote:
>> > This is actually a DS3 Handoff to RJ45. It is coming in to the Demarc
>> > as Coax. I just want to know what interfaces can then support the
>> Handoff.
>>
>
>
> Is it possible it's RJ48C instead or RJ45 and you need one of these to
> convert to BNC? We just had to get one to connect a G.703 E1 to a VWIC.
>
> http://www.pacificcable.com/Picture_Page.asp?DataName=CAB-E1-RJ45BNC
>

Oops, that's E1-specific. Please move along, nothing to see here...

--
Brian C Landers
http://www.packetslave.com/
CCIE #23115

From charles at thewybles.com Tue May 19 16:20:33 2009
From: charles at thewybles.com (Charles Wyble)
Date: Tue, 19 May 2009 13:20:33 -0700
Subject: [c-nsp] IP Tunneling Question
Message-ID: <4A131491.5040509@thewybles.com>

All,

I'm looking to setup a VPN with a couple colocation providers who are friends of mine, and have some under utilized address space.
They are supporting some security research I am doing (a darknet/honeynet). [1]

I am exploring different options to utilize that IP space on my lab servers.

How do folks typically accomplish IP tunneling? IPSEC tunnels? Do you use GRE? What about OpenVPN?

I can easily setup any of the above mentioned approaches as howtos abound. Just wondering if there is anything to consider for this scenario to reduce overhead and packet molestation as much as possible.

Thanks.

[1] If more information is desired please see my blog at http://cnwccxx.blogspot.com/ I'll be posting there on various visualization tools and methodologies etc.

From moua0100 at umn.edu Tue May 19 16:24:36 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 19 May 2009 15:24:36 -0500
Subject: [c-nsp] IP Tunneling Question
In-Reply-To: <4A131491.5040509@thewybles.com>
References: <4A131491.5040509@thewybles.com>
Message-ID: <4A131584.6030504@umn.edu>

What seems to be gaining popularity is a "GRE-like" tunnel with IPSec encapsulation; Cisco calls this "IPSec VTI"; caveat is that equipment in question may need to be Cisco based.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Charles Wyble wrote:
> All,
>
>
> I'm looking to setup a VPN with a couple colocation providers who are
> friends of mine, and have some under utilized address space. They are
> supporting some security research I am doing (a darknet/honeynet). [1]
>
> I am exploring different options to utilize that IP space on my lab
> servers.
>
> How do folks typically accomplish IP tunneling? IPSEC tunnels? Do you
> use GRE? What about OpenVPN?
>
> I can easily setup any of the above mentioned approaches as howtos
> abound. Just wondering if there is anything to consider for this
> scenario to reduce overhead and packet molestation as much as possible.
>
> Thanks.
>
> [1] If more information is desired please see my blog at
> http://cnwccxx.blogspot.com/ I'll be posting there on various
> visualization tools and methodologies etc.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


From sthaug at nethelp.no Tue May 19 16:34:23 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 19 May 2009 22:34:23 +0200 (CEST)
Subject: [c-nsp] netflow sampling
In-Reply-To:
References:
Message-ID: <20090519.223423.74678908.sthaug@nethelp.no>

> But where is this sampling coming from? Is it sampling per flow - you count
> some packet of the flow but not all? Or is it that you sample some flows
> (each sampled flow accurately counting) but not the others, and you do this
> randomly?

Deterministic sampling: Every Nth packet has flow data extracted and added to the flow cache. N is often 1000 or similar.

Random sampling: *On average* every Nth packet has flow data extracted and added to the flow cache. Because the sampling is not deterministic, it has somewhat better statistical properties.

An obvious corollary of sampling: Without sampling, a flow of, say, 20 packets will generate *one* flow record. With sampling, if at least *one* packet from such a flow is sampled, you'll still get one flow record. Thus, 1:N sampling will *not* reduce your netflow traffic, going to your collector, by a factor of N. It will be reduced - just not as much as you might think.

> Also in relation to netflow I see a lot of info like that '1:1500' and I
> think this is related to purchasing/licensing options.What does this '1:x'
> ratio means?

Nothing to do with licensing, it simply refers to the sampling rate.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no


From mduksa at gmail.com Tue May 19 17:08:43 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 19 May 2009 14:08:43 -0700
Subject: [c-nsp] netflow sampling
In-Reply-To: <20090519.223423.74678908.sthaug@nethelp.no>
References: <20090519.223423.74678908.sthaug@nethelp.no>
Message-ID:

ok. Thanks. So there is a possibility that some flows will never be sampled (accounted for). And even a bigger possibility that more packets of the same flow will never be sampled.

It looks to me that the accuracy of such approach is pretty bad. How can you use this for any meaningful accounting, much less billing.

Pardon my ignorance on the subject, just trying to understand the concept.

Marlon

And you guys who used it are happy with the accuracy?

On Tue, May 19, 2009 at 1:34 PM, wrote:
> > But where is this sampling coming from? Is it sampling per flow - you
> count
> > some packet of the flow but not all? Or is it that you sample some flows
> > (each sampled flow accurately counting) but not the others, and you do
> this
> > randomly?
>
> Deterministic sampling: Every Nth packet has flow data extracted and
> added to the flow cache. N is often 1000 or similar.
>
> Random sampling: *On average* every Nth packet has flow data extracted
> and added to the flow cache. Because the sampling is not deterministic,
> it has somewhat better statistical properties.
>
> An obvious corollary of sampling: Without sampling A flow of, say, 20
> packets, will generate *one* flow record. With sampling, if at least
> *one* packet from such a flow is sampled, you'll still get one flow
> record. Thus, 1:N sampling will *not* reduce your netflow traffic, going
> to your collector, by a factor of N. It will be reduced - just not as
> much as you might think.
>
> > Also in relation to netflow I see a lot of info like that '1:1500' and I
> > think this is related to purchasing/licensing options.What does this
> '1:x'
> > ratio means?
> > Nothing to do with licensing, it simply refers to the sampling rate.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>


From sthaug at nethelp.no Tue May 19 17:18:59 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 19 May 2009 23:18:59 +0200 (CEST)
Subject: [c-nsp] netflow sampling
In-Reply-To:
References: <20090519.223423.74678908.sthaug@nethelp.no>
Message-ID: <20090519.231859.41708283.sthaug@nethelp.no>

> ok. Thanks. So there is a possibility that some flows will never be sampled
> (accounted for). And even a bigger possibility that more packets of the same
> flow will never be sampled.

Absolutely.

> It looks to me that the accuracy of such approach is pretty bad. How can you
> use this for any meaningful accounting, much less billing.

The accuracy is actually pretty good, as long as you remember that it is *sampled*, and what you get is statistics, not accurate accounting. You should *not* use sampled netflow for accounting/billing.

We use sampled netflow for two main purposes:

- Traffic planning - seeing what ASes we exchange the most traffic with, in order to find possible peering candidates, etc.
- Abuse handling - after the fact analysis of DDoS attacks, port scans and similar.

For our purposes, sampled netflow works well here.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no


From mduksa at gmail.com Tue May 19 17:29:41 2009
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 19 May 2009 14:29:41 -0700
Subject: [c-nsp] netflow sampling
In-Reply-To: <20090519.231859.41708283.sthaug@nethelp.no>
References: <20090519.223423.74678908.sthaug@nethelp.no> <20090519.231859.41708283.sthaug@nethelp.no>
Message-ID:

I see. Thanks. Do you know of any 'non-sampled' implementation (by vendor) or deployment (network) where all traffic is accounted for? What would you normally use for a more accurate accounting/billing? Thanks,
Marlon

On Tue, May 19, 2009 at 2:18 PM, wrote:
> > ok. Thanks.
> > So there is a possibility that some flows will never be
> sampled
> > (accounted for). And even a bigger possibility that more packets of the
> same
> > flow will never be sampled.
>
> Absolutely.
>
> > It looks to me that the accuracy of such approach is pretty bad. How can
> you
> > use this for any meaningful accounting, much less billing.
>
> The accuracy is actually pretty good, as long as you remember that it is
> *sampled*, and what you get is statistics, not accurate accounting. You
> should *not* use sampled netflow for accounting/billing.
>
> We use sampled netflow for two main purposes:
>
> - Traffic planning - seeing what ASes we exchange the most traffic with,
> in order to find possible peering candidates, etc.
> - Abuse handling - after the fact analysis of DDoS attacks, port scans
> and similar.
>
> For our purposes, sampled netflow works well here.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>


From sthaug at nethelp.no Tue May 19 17:37:21 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 19 May 2009 23:37:21 +0200 (CEST)
Subject: [c-nsp] netflow sampling
In-Reply-To:
References: <20090519.231859.41708283.sthaug@nethelp.no>
Message-ID: <20090519.233721.71159371.sthaug@nethelp.no>

> I see. Thanks. Do you know of any 'non-sampled' implementation (by vendor)
> or deployment (network) where all traffic is accounted for? What would you
> normally use for a more accurate accounting/billing? Thanks,

Cisco 6500/7600 as far as I know always does non-sampled netflow in hardware - then the netflow may or may not be sampled before export, depending on your configuration. There have been lots of discussions about 6500/7600 netflow on this list.
If I had to do traffic/volume-based accounting/billing I would probably base it on normal per-interface SNMP statistics.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no


From Grzegorz at Janoszka.pl Tue May 19 17:43:04 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Tue, 19 May 2009 23:43:04 +0200
Subject: [c-nsp] netflow sampling
In-Reply-To:
References: <20090519.223423.74678908.sthaug@nethelp.no> <20090519.231859.41708283.sthaug@nethelp.no>
Message-ID: <4A1327E8.5060608@Janoszka.pl>

Marlon Duksa wrote:
> I see. Thanks. Do you know of any 'non-sampled' implementation (by vendor)
> or deployment (network) where all traffic is accounted for? What would you
> normally use for a more accurate accounting/billing? Thanks,

You can set sampling parameters not to lose any flow. But the amount of the data will be so huge, that you will be unable to store/process it.

--
Grzegorz Janoszka


From td_miles at yahoo.com Tue May 19 19:22:00 2009
From: td_miles at yahoo.com (Tony)
Date: Tue, 19 May 2009 16:22:00 -0700 (PDT)
Subject: [c-nsp] IP Tunneling Question
Message-ID: <567850.76162.qm@web110107.mail.gq1.yahoo.com>

Given that you're probably not too worried about the traffic being secured, I'd go with GRE for a number of reasons:

1. Less overhead
2. Been around for ages, good support for it
3. Multi vendor support
4. Fairly standard and easy to understand
5. Easy to configure

Unless the packets are coming from a source really close to you there's a good chance they will already be fragmented to a smallish size (smaller than 1500 ethernet anyway), so you shouldn't have too many issues with fragmentation.

regards,
Tony.

--- On Wed, 20/5/09, Charles Wyble wrote:

From: Charles Wyble
Subject: [c-nsp] IP Tunneling Question
To: "cisco-nsp"
Date: Wednesday, 20 May, 2009, 6:20 AM

All,

I'm looking to setup a VPN with a couple colocation providers who are friends of mine, and have some under utilized address space.
They are supporting some security research I am doing (a darknet/honeynet). [1]

I am exploring different options to utilize that IP space on my lab servers.

How do folks typically accomplish IP tunneling? IPSEC tunnels? Do you use GRE? What about OpenVPN?

I can easily setup any of the above mentioned approaches as howtos abound. Just wondering if there is anything to consider for this scenario to reduce overhead and packet molestation as much as possible.

Thanks.


From marka888 at gmail.com Tue May 19 19:55:10 2009
From: marka888 at gmail.com (Mark Austen)
Date: Wed, 20 May 2009 09:55:10 +1000
Subject: [c-nsp] PFC QOS question about 802.1Q trunks
In-Reply-To:
References: <4A12D6FA.3070402@gmail.com> <483E6B0272B0284BA86D7596C40D29F9C3811FCF46@PUR-EXCH07.ox.com>
Message-ID:

Just copied out of the Cisco doco:

*Ingress Classification and Marking at Trust CoS LAN Ports*

You should configure LAN ports to trust CoS only if they receive traffic that carries valid Layer 2 CoS.

When an ISL frame enters the switch through a trusted ingress LAN port, PFC QoS accepts the three least significant bits in the User field as a CoS value. When an 802.1Q frame enters the switch through a trusted ingress LAN port, PFC QoS accepts the User Priority bits as a CoS value. PFC QoS Layer 2 remarking marks all traffic received in untagged frames with the ingress port CoS value.

On ports configured to trust CoS, PFC QoS does the following:

• PFC QoS maps the received CoS value in tagged trust CoS traffic to the initial internal DSCP value.
*• PFC QoS maps the ingress port CoS value applied to untagged trusted traffic to the initial internal DSCP value.*
• PFC QoS enables the CoS-based ingress queues and thresholds to provide congestion avoidance. See the "Understanding Port-Based Queue Types" section for more information about ingress queues and thresholds.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/qos.html#wp1705197

*Configuring the Ingress LAN Port CoS Value*
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/qos.html#wp1727961

-Mark

2009/5/20 Geoffrey Pendery
> I can't answer your question about the default DSCP value without
> lab-ing it, but as to the second part: yes, it's generally a good
> practice to either pick a bogus/dummy VLAN for your native, or to
> apply the command "vlan dot1q tag native" to force it to apply a tag
> even on the native VLAN.
>
> If you need the native VLAN untagged, like to present a potential
> trunk port as an access port for untagged hosts, then "trust cos"
> might be inappropriate.
>
> Like you I would expect the DSCP to default to zero, but maybe someone
> else has the answer...
>
>
> -Geoff
>
>
> On Tue, May 19, 2009 at 11:20 AM, Matthew Huff wrote:
> > I have a question about QOS trust between two 6509 switches connected via
> a L2 802.1Q trunk with multiple VLANs. If the port is set to "trust cos",
> what does the internal DSCP value get set for native frames since there
> isn't a COS field? I would assume the internal DSCP value would be set to
> the default or normally zero. Do most people then set the native VLAN to a
> unused VLAN so that native packets have internal DSCP values set? Or do most
> use "trust dscp"? If so, what do people use "trust cos" for?
> >
> >
> >
> > ----
> > Matthew Huff | One Manhattanville Rd
> > OTA Management LLC | Purchase, NY 10577
> > http://www.ox.com | Phone: 914-460-4039
> > aim: matthewbhuff | Fax: 914-460-4139
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


From rdobbins at arbor.net Tue May 19 20:15:10 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 20 May 2009 07:15:10 +0700
Subject: [c-nsp] netflow sampling
In-Reply-To:
References: <20090519.223423.74678908.sthaug@nethelp.no>
Message-ID: <68E8F7C7-F60E-4157-BA52-8A0D05D5D548@arbor.net>

On May 20, 2009, at 4:08 AM, Marlon Duksa wrote:

> It looks to me that the accuracy of such approach is pretty bad.

To the contrary, it's quite good, and operationally useful.

The majority of NetFlow export on large, high-speed networks is sampled, due to the sheer speed/volume of traffic and concomitant level of hardware support from vendors; most commercial NetFlow collection/analysis systems (full disclosure: I work for a company in this field) understand and statistically smooth sampled NetFlow, and an increasing number of open-source tools do, as well (see recent discussion on this topic).

> How can you use this for any meaningful accounting, much less billing.

In the same way that sampling is used for all sorts of statistics and for all sorts of other purposes.

-----------------------------------------------------------------------
Roland Dobbins // Unfortunately, inefficiency scales really well.
-- Kevin Lawton


From rdobbins at arbor.net Tue May 19 20:18:44 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 20 May 2009 07:18:44 +0700
Subject: [c-nsp] netflow sampling
In-Reply-To: <20090519.231859.41708283.sthaug@nethelp.no>
References: <20090519.223423.74678908.sthaug@nethelp.no> <20090519.231859.41708283.sthaug@nethelp.no>
Message-ID: <56A6E699-8ABA-41AB-8AB0-02E3C388E7AC@arbor.net>

On May 20, 2009, at 4:18 AM, sthaug at nethelp.no wrote:

> You should *not* use sampled netflow for accounting/billing.

It's my understanding that it's actually pretty common for sampled NetFlow to be used for accounting and billing purposes. If one makes use of sampled flow telemetry for things such as capacity planning and security, whyever would one object to using it for accounting/billing purposes?

The only objection I've ever seen along these lines is in a couple of countries whose laws/regulations could be interpreted as disallowing the use of sampling in this context (though even in the particular circumstances to which I refer, it was my view that this was an overinterpretative stretch; IANAL, however).

-----------------------------------------------------------------------
Roland Dobbins // Unfortunately, inefficiency scales really well.

-- Kevin Lawton


From rdobbins at arbor.net Tue May 19 20:21:37 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 20 May 2009 07:21:37 +0700
Subject: [c-nsp] netflow sampling
In-Reply-To: <20090519.233721.71159371.sthaug@nethelp.no>
References: <20090519.231859.41708283.sthaug@nethelp.no> <20090519.233721.71159371.sthaug@nethelp.no>
Message-ID:

On May 20, 2009, at 4:37 AM, sthaug at nethelp.no wrote:

> Cisco 6500/7600 as far as I know always does non-sampled netflow in
> hardware - then the netflow may or may not be sampled before export,
> depending on your configuration.
Unfortunately, the caveats associated with NetFlow on past and current 6500/7600 hardware generally tend to render it unsuitable due to the high likelihood of mls table overflow in most circumstances, along with the lack of TCP flags and insight into dropped traffic.

-----------------------------------------------------------------------
Roland Dobbins // Unfortunately, inefficiency scales really well.

-- Kevin Lawton


From rdobbins at arbor.net Tue May 19 20:23:06 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 20 May 2009 07:23:06 +0700
Subject: [c-nsp] netflow sampling
In-Reply-To:
References: <20090519.223423.74678908.sthaug@nethelp.no> <20090519.231859.41708283.sthaug@nethelp.no>
Message-ID: <03D29B2C-DC83-4A8C-8FA8-C8A1C95F025F@arbor.net>

On May 20, 2009, at 4:29 AM, Marlon Duksa wrote:

> Do you know of any 'non-sampled' implementation (by vendor)
> or deployment (network) where all traffic is accounted for?

Depends upon the vendor/platform, and the traffic speeds/volumes in question.

> What would you normally use for a more accurate accounting/billing?
> Thanks

As mentioned earlier, sampled NetFlow is viewed by many as quite accurate enough for accounting/billing.

-----------------------------------------------------------------------
Roland Dobbins // Unfortunately, inefficiency scales really well.

-- Kevin Lawton


From david.freedman at uk.clara.net Tue May 19 20:35:08 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 20 May 2009 01:35:08 +0100
Subject: [c-nsp] C4K_PKTPROCESSING-5-NOTAPPLYINGACL
Message-ID: <7B8B0D6F623C3A40A0D0A80A66756E2B0105C0@EXVS01.claranet.local>

Anybody seen these messages occur frequently?
> May 18 09:19:31 box 575: May 18 08:20:37 UTC:
> %C4K_PKTPROCESSING-5-NOTAPPLYINGACL: Not applying Output Acl for packet
> udp srcHost 1.1.1.1 dstHost 2.2.2.2 tos 0 srcPort 934
> dstPort 2049

According to the error decoder, they are a CAM programming issue but that is about the level of detail it goes into. I would infer from this that they should only be seen rarely but I'm starting to see them frequently; box is 4948 running 12.2(25)EWA10, bugtool as usual has nothing.

Any pointers appreciated.

Regards,

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net


From progressus at gmail.com Tue May 19 21:02:13 2009
From: progressus at gmail.com (Progressus)
Date: Wed, 20 May 2009 02:02:13 +0100
Subject: [c-nsp] docsis 3.0 channel bonding
Message-ID:

Hello,

Can anyone give me more information about docsis 3.0 channel bonding?

At this moment I can't synchronize my wideband cable modem ... I've got always offline status...

I use for my *primary* *downstream channel*, the cmts 520 and one of downstreams of the Edge QAM...
I use a DTI server, Arris Edge QAM, Cisco uBR10K for this scenario.

Follow the sample of my config:

controller Modular-Cable 1/0/0
 ip-address 192.168.251.2
 modular-host subslot 6/1
 rf-channel 0 cable downstream channel-id 24
 rf-channel 0 frequency 633000000 annex B modulation 256qam interleave 32
 rf-channel 0 ip-address 192.168.251.1 mac-address 0000.cafe.1ad5 depi-remote-id 49162
 rf-channel 1 cable downstream channel-id 25
 rf-channel 1 frequency 639000000 annex B modulation 256qam interleave 32
 rf-channel 1 ip-address 192.168.251.1 mac-address 0000.cafe.1ad5 depi-remote-id 49163
 rf-channel 2 cable downstream channel-id 26
 rf-channel 2 frequency 645000000 annex B modulation 256qam interleave 32
 rf-channel 2 ip-address 192.168.251.1 mac-address 0000.cafe.1ad5 depi-remote-id 49164

interface Wideband-Cable1/0/0:0
 no ip address
 cable bundle 1
 cable bonding-group-id 1
 cable dynamic-bw-sharing
 cable rf-channel 0 bandwidth-percent 50
 cable rf-channel 1
 cable rf-channel 2

interface Modular-Cable1/0/0:0
 no ip address
 cable bundle 1
 cable dynamic-bw-sharing
 cable rf-bandwidth-percent 10

interface Cable6/1/1
 no ip address
 downstream Modular-Cable 1/0/0 rf-channel 0 upstream 0
 no cable packet-cache
 cable max-hosts 16
 cable insertion-interval 100
 cable bundle 1
 cable downstream channel-id 149
 cable downstream annex B
 cable downstream modulation 256qam
 cable downstream interleave-depth 32
 cable downstream frequency 621000000
 no cable downstream rf-shutdown
 cable downstream rf-power 45
 cable upstream max-ports 4
 cable upstream 0 connector 4
 cable upstream 0 frequency 33000000
 cable upstream 0 docsis-mode tdma-atdma
 cable upstream 0 channel-width 3200000 3200000
 cable upstream 0 minislot-size 2
 cable upstream 0 range-backoff 3 6
 cable upstream 0 modulation-profile 121
 no cable upstream 0 shutdown

cable fiber-node 1
 downstream Modular-Cable 1/0/0 rf-channel 0-2
!

Can anyone help me with this task?
Best regards


From dbenson at swingpad.com Tue May 19 20:46:32 2009
From: dbenson at swingpad.com (Dan Benson)
Date: Tue, 19 May 2009 20:46:32 -0400
Subject: [c-nsp] Cat 6500 (IOS) dhcp Client
Message-ID: <1D444DAF-52E5-4761-9D44-0826D6217B60@swingpad.com>

As strange as this sounds, I have a need to be assigned an address on a Cat6500 running IOS via dhcp (to a vlan or a dedicated port). On most routers running IOS the command syntax is, "ip address dhcp" as just about anyone knows but on the sups running IOS (tested sup1a-ge/MSFC1, sup2 and sup720s) I have not found a way to be assigned an address. I can only assume this is because no one in their right mind would ever do this on this platform but my install is requiring such.

Before I try a flexwan with a PA-FE in it has anyone out there had this issue and if so would you be so kind to pass along a solution if there is one.

Thanks in advance for the time and help.

//db


From rdobbins at arbor.net Tue May 19 21:28:46 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 20 May 2009 08:28:46 +0700
Subject: [c-nsp] netflow sampling
In-Reply-To:
References: <20090519.231859.41708283.sthaug@nethelp.no> <20090519.233721.71159371.sthaug@nethelp.no>
Message-ID: <5A91D374-C3B9-4564-A8E7-F8970E849E98@arbor.net>

On May 20, 2009, at 7:21 AM, Roland Dobbins wrote:

> Unfortunately, the caveats associated with NetFlow on past and
> current 6500/7600 hardware generally tend to render it unsuitable
> due to the high likelihood of mls table overflow in most
> circumstances, along with the lack of TCP flags and insight into
> dropped traffic.

I should point out that the EARL8 ASIC in the Nexus 7000 rectifies these issues in IDC environments. Presumably, if this newer ASIC is incorporated in future into 6500 and/or 7600 Supervisors and LCs, it would have the same salutary effect for those platforms, as well.
-----------------------------------------------------------------------
Roland Dobbins // Unfortunately, inefficiency scales really well.

-- Kevin Lawton


From vinzoda.hitesh at gmail.com Wed May 20 00:45:39 2009
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Wed, 20 May 2009 10:15:39 +0530
Subject: [c-nsp] TCP Reset
Message-ID:

Dear All,

I'm facing a problem from some clients behaving suspiciously when they telnet to squid proxy (10.4.188.180). After TCP Syn request by client the server is responding with RST. Wireshark logs from client are attached.

Comments are invited for this case.

Thanks in advance
Ronnie

-------------- next part --------------
No. Time Source Destination Protocol Info
6 2.188964 10.4.52.53 10.4.188.180 TCP BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 6 (62 bytes on wire, 62 bytes captured)
Arrival Time: May 19, 2009 17:04:41.083189000
[Time delta from previous captured frame: 0.874347000 seconds]
[Time delta from previous displayed frame: 2.188964000 seconds]
[Time since reference or first frame: 2.188964000 seconds]
Frame Number: 6
Frame Length: 62 bytes
Capture Length: 62 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Foxconn_e4:dc:12 (00:15:58:e4:dc:12), Dst: All-HSRP-routers_34 (00:00:0c:07:ac:34)
Destination: All-HSRP-routers_34 (00:00:0c:07:ac:34)
Address: All-HSRP-routers_34 (00:00:0c:07:ac:34)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... ....
= LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol, Src: 10.4.52.53 (10.4.52.53), Dst: 10.4.188.180 (10.4.188.180) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 48 Identification: 0x1672 (5746) Flags: 0x04 (Don't Fragment) 0... = Reserved bit: Not set .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (0x06) Header checksum: 0xdf64 [correct] [Good: True] [Bad : False] Source: 10.4.52.53 (10.4.52.53) Destination: 10.4.188.180 (10.4.188.180) Transmission Control Protocol, Src Port: BESApi (3408), Dst Port: http-alt (8080), Seq: 0, Len: 0 Source port: BESApi (3408) Destination port: http-alt (8080) Sequence number: 0 (relative sequence number) Header length: 28 bytes Flags: 0x02 (SYN) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...0 .... = Acknowledgment: Not set .... 0... = Push: Not set .... .0.. = Reset: Not set .... ..1. = Syn: Set .... ...0 = Fin: Not set Window size: 65535 Checksum: 0xbfa3 [correct] [Good Checksum: True] [Bad Checksum: False] Options: (8 bytes) Maximum segment size: 1460 bytes NOP NOP SACK permitted No. 
Time Source Destination Protocol Info 8 2.195952 10.4.188.180 10.4.52.53 TCP http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0 Frame 8 (60 bytes on wire, 60 bytes captured) Arrival Time: May 19, 2009 17:04:41.090177000 [Time delta from previous captured frame: 0.004504000 seconds] [Time delta from previous displayed frame: 0.006988000 seconds] [Time since reference or first frame: 2.195952000 seconds] Frame Number: 8 Frame Length: 60 bytes Capture Length: 60 bytes [Frame is marked: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: TCP RST] [Coloring Rule String: tcp.flags.reset eq 1] Ethernet II, Src: Cisco_51:44:00 (00:18:74:51:44:00), Dst: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) Destination: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Cisco_51:44:00 (00:18:74:51:44:00) Address: Cisco_51:44:00 (00:18:74:51:44:00) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Trailer: 000000000000 Internet Protocol, Src: 10.4.188.180 (10.4.188.180), Dst: 10.4.52.53 (10.4.52.53) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x01 (DSCP 0x00: Default; ECN: 0x01) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...1 = ECN-CE: 1 Total Length: 40 Identification: 0x1d0d (7437) Flags: 0x00 0... = Reserved bit: Not set .0.. = Don't fragment: Not set ..0. 
= More fragments: Not set Fragment offset: 0 Time to live: 61 Protocol: TCP (0x06) Header checksum: 0x5bd1 [correct] [Good: True] [Bad : False] Source: 10.4.188.180 (10.4.188.180) Destination: 10.4.52.53 (10.4.52.53) Transmission Control Protocol, Src Port: http-alt (8080), Dst Port: BESApi (3408), Seq: 1, Ack: 1, Len: 0 Source port: http-alt (8080) Destination port: BESApi (3408) Sequence number: 1 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x14 (RST, ACK) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 0... = Push: Not set .... .1.. = Reset: Set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Window size: 29141 Checksum: 0x282b [correct] [Good Checksum: True] [Bad Checksum: False] [SEQ/ACK analysis] No. Time Source Destination Protocol Info 9 2.598052 10.4.52.53 10.4.188.180 TCP BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460 Frame 9 (62 bytes on wire, 62 bytes captured) Arrival Time: May 19, 2009 17:04:41.492277000 [Time delta from previous captured frame: 0.402100000 seconds] [Time delta from previous displayed frame: 0.402100000 seconds] [Time since reference or first frame: 2.598052000 seconds] Frame Number: 9 Frame Length: 62 bytes Capture Length: 62 bytes [Frame is marked: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: TCP SYN/FIN] [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] Ethernet II, Src: Foxconn_e4:dc:12 (00:15:58:e4:dc:12), Dst: All-HSRP-routers_34 (00:00:0c:07:ac:34) Destination: All-HSRP-routers_34 (00:00:0c:07:ac:34) Address: All-HSRP-routers_34 (00:00:0c:07:ac:34) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol, Src: 10.4.52.53 (10.4.52.53), Dst: 10.4.188.180 (10.4.188.180) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 48 Identification: 0x1676 (5750) Flags: 0x04 (Don't Fragment) 0... = Reserved bit: Not set .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (0x06) Header checksum: 0xdf60 [correct] [Good: True] [Bad : False] Source: 10.4.52.53 (10.4.52.53) Destination: 10.4.188.180 (10.4.188.180) Transmission Control Protocol, Src Port: BESApi (3408), Dst Port: http-alt (8080), Seq: 0, Len: 0 Source port: BESApi (3408) Destination port: http-alt (8080) Sequence number: 0 (relative sequence number) Header length: 28 bytes Flags: 0x02 (SYN) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...0 .... = Acknowledgment: Not set .... 0... = Push: Not set .... .0.. = Reset: Not set .... ..1. = Syn: Set .... ...0 = Fin: Not set Window size: 65535 Checksum: 0xbfa3 [correct] [Good Checksum: True] [Bad Checksum: False] Options: (8 bytes) Maximum segment size: 1460 bytes NOP NOP SACK permitted [SEQ/ACK analysis] No. 
Time Source Destination Protocol Info 10 2.598375 10.4.188.180 10.4.52.53 TCP http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0 Frame 10 (60 bytes on wire, 60 bytes captured) Arrival Time: May 19, 2009 17:04:41.492600000 [Time delta from previous captured frame: 0.000323000 seconds] [Time delta from previous displayed frame: 0.000323000 seconds] [Time since reference or first frame: 2.598375000 seconds] Frame Number: 10 Frame Length: 60 bytes Capture Length: 60 bytes [Frame is marked: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: TCP RST] [Coloring Rule String: tcp.flags.reset eq 1] Ethernet II, Src: Cisco_51:44:00 (00:18:74:51:44:00), Dst: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) Destination: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Cisco_51:44:00 (00:18:74:51:44:00) Address: Cisco_51:44:00 (00:18:74:51:44:00) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Trailer: 000000000000 Internet Protocol, Src: 10.4.188.180 (10.4.188.180), Dst: 10.4.52.53 (10.4.52.53) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x01 (DSCP 0x00: Default; ECN: 0x01) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...1 = ECN-CE: 1 Total Length: 40 Identification: 0x1d0d (7437) Flags: 0x00 0... = Reserved bit: Not set .0.. = Don't fragment: Not set ..0. 
= More fragments: Not set Fragment offset: 0 Time to live: 61 Protocol: TCP (0x06) Header checksum: 0x5bd1 [correct] [Good: True] [Bad : False] Source: 10.4.188.180 (10.4.188.180) Destination: 10.4.52.53 (10.4.52.53) Transmission Control Protocol, Src Port: http-alt (8080), Dst Port: BESApi (3408), Seq: 1, Ack: 1, Len: 0 Source port: http-alt (8080) Destination port: BESApi (3408) Sequence number: 1 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x14 (RST, ACK) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 0... = Push: Not set .... .1.. = Reset: Set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Window size: 29141 Checksum: 0x282b [correct] [Good Checksum: True] [Bad Checksum: False] [SEQ/ACK analysis] No. Time Source Destination Protocol Info 15 3.144898 10.4.52.53 10.4.188.180 TCP BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460 Frame 15 (62 bytes on wire, 62 bytes captured) Arrival Time: May 19, 2009 17:04:42.039123000 [Time delta from previous captured frame: 0.049596000 seconds] [Time delta from previous displayed frame: 0.546523000 seconds] [Time since reference or first frame: 3.144898000 seconds] Frame Number: 15 Frame Length: 62 bytes Capture Length: 62 bytes [Frame is marked: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: TCP SYN/FIN] [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] Ethernet II, Src: Foxconn_e4:dc:12 (00:15:58:e4:dc:12), Dst: All-HSRP-routers_34 (00:00:0c:07:ac:34) Destination: All-HSRP-routers_34 (00:00:0c:07:ac:34) Address: All-HSRP-routers_34 (00:00:0c:07:ac:34) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) .... ...0 .... .... .... .... 
= IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol, Src: 10.4.52.53 (10.4.52.53), Dst: 10.4.188.180 (10.4.188.180) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 48 Identification: 0x167e (5758) Flags: 0x04 (Don't Fragment) 0... = Reserved bit: Not set .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (0x06) Header checksum: 0xdf58 [correct] [Good: True] [Bad : False] Source: 10.4.52.53 (10.4.52.53) Destination: 10.4.188.180 (10.4.188.180) Transmission Control Protocol, Src Port: BESApi (3408), Dst Port: http-alt (8080), Seq: 0, Len: 0 Source port: BESApi (3408) Destination port: http-alt (8080) Sequence number: 0 (relative sequence number) Header length: 28 bytes Flags: 0x02 (SYN) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...0 .... = Acknowledgment: Not set .... 0... = Push: Not set .... .0.. = Reset: Not set .... ..1. = Syn: Set .... ...0 = Fin: Not set Window size: 65535 Checksum: 0xbfa3 [correct] [Good Checksum: True] [Bad Checksum: False] Options: (8 bytes) Maximum segment size: 1460 bytes NOP NOP SACK permitted [SEQ/ACK analysis] No. 
Time Source Destination Protocol Info 16 3.145212 10.4.188.180 10.4.52.53 TCP http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0 Frame 16 (60 bytes on wire, 60 bytes captured) Arrival Time: May 19, 2009 17:04:42.039437000 [Time delta from previous captured frame: 0.000314000 seconds] [Time delta from previous displayed frame: 0.000314000 seconds] [Time since reference or first frame: 3.145212000 seconds] Frame Number: 16 Frame Length: 60 bytes Capture Length: 60 bytes [Frame is marked: False] [Protocols in frame: eth:ip:tcp] [Coloring Rule Name: TCP RST] [Coloring Rule String: tcp.flags.reset eq 1] Ethernet II, Src: Cisco_51:44:00 (00:18:74:51:44:00), Dst: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) Destination: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Cisco_51:44:00 (00:18:74:51:44:00) Address: Cisco_51:44:00 (00:18:74:51:44:00) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Trailer: 000000000000 Internet Protocol, Src: 10.4.188.180 (10.4.188.180), Dst: 10.4.52.53 (10.4.52.53) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x01 (DSCP 0x00: Default; ECN: 0x01) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...1 = ECN-CE: 1 Total Length: 40 Identification: 0x1d0d (7437) Flags: 0x00 0... = Reserved bit: Not set .0.. = Don't fragment: Not set ..0. 
= More fragments: Not set Fragment offset: 0 Time to live: 61 Protocol: TCP (0x06) Header checksum: 0x5bd1 [correct] [Good: True] [Bad : False] Source: 10.4.188.180 (10.4.188.180) Destination: 10.4.52.53 (10.4.52.53) Transmission Control Protocol, Src Port: http-alt (8080), Dst Port: BESApi (3408), Seq: 1, Ack: 1, Len: 0 Source port: http-alt (8080) Destination port: BESApi (3408) Sequence number: 1 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x14 (RST, ACK) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 0... = Push: Not set .... .1.. = Reset: Set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Window size: 29141 Checksum: 0x282b [correct] [Good Checksum: True] [Bad Checksum: False] [SEQ/ACK analysis] From steve at enta.net Wed May 20 02:39:05 2009 From: steve at enta.net (Steve Lalonde) Date: Wed, 20 May 2009 07:39:05 +0100 Subject: [c-nsp] Cat 6500 (IOS) dhcp Client In-Reply-To: <1D444DAF-52E5-4761-9D44-0826D6217B60@swingpad.com> References: <1D444DAF-52E5-4761-9D44-0826D6217B60@swingpad.com> Message-ID: <84F648FC-7A9C-4765-8B16-479175273CF3@enta.net> On 20 May 2009, at 01:46, Dan Benson wrote: > As strange as this sounds, I have a need to be assigned an address > on a Cat6500 Running IOS via dhcp (to a vlan or a dedicated port). > On most routers running IOS the command syntax is, "ip address dhcp" > as just about anyone knows but on the sups running IOS (tested sup1a- > ge/MSFC1, sup2 and sup720s) I have not found a way to be assigned an > address. > > I can only assume this is because no one in their right mind would > ever do this on this platform but my install is requiring such. > Before I try a flexwan with a PA-FE in it has anyone out there had > this issue and if so would you be so kind to pass along a solution > if there is one. > > Thanks in advance for the time and help. 
> //db

Hi

Not so strange. This works for us on 6500/7600 sup32 sup720 rsp720 from SXF to SRC

ip dhcp pool POP-DHCP
 network 1.2.3.224 255.255.255.248
 domain-name a.net
 dns-server 1.2.3.4
 default-router 1.2.3.225
 lease 0 2

interface GigabitEthernetx/x
 description Engineer laptop access
 ip address 1.2.3.225 255.255.255.248

HTH

-- 
Steve Lalonde RTFM
Chief Technical Officer
Entanet International Ltd
http://www.enta.net/

From dale.shaw+cisco-nsp at gmail.com Wed May 20 02:52:05 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 20 May 2009 16:52:05 +1000
Subject: [c-nsp] Cat 6500 (IOS) dhcp Client
In-Reply-To: <84F648FC-7A9C-4765-8B16-479175273CF3@enta.net>
References: <1D444DAF-52E5-4761-9D44-0826D6217B60@swingpad.com> <84F648FC-7A9C-4765-8B16-479175273CF3@enta.net>
Message-ID: <3329cbb40905192352j94db4c9uc52e535c408aea21@mail.gmail.com>

Hi,

> On 20 May 2009, at 01:46, Dan Benson wrote:
>> As strange as this sounds, I have a need to be assigned an address on a Cat6500 Running IOS via dhcp (to a vlan or a dedicated port).

On Wed, May 20, 2009 at 4:39 PM, Steve Lalonde wrote:
> Not so strange.

You've got a DHCP server. Dan needs a DHCP client.

cheers,
Dale

From steve at enta.net Wed May 20 03:31:34 2009
From: steve at enta.net (Steve Lalonde)
Date: Wed, 20 May 2009 08:31:34 +0100
Subject: [c-nsp] Cat 6500 (IOS) dhcp Client
In-Reply-To: <3329cbb40905192352j94db4c9uc52e535c408aea21@mail.gmail.com>
References: <1D444DAF-52E5-4761-9D44-0826D6217B60@swingpad.com> <84F648FC-7A9C-4765-8B16-479175273CF3@enta.net> <3329cbb40905192352j94db4c9uc52e535c408aea21@mail.gmail.com>
Message-ID:

On 20 May 2009, at 07:52, Dale Shaw wrote:
> Hi,
>
>> On 20 May 2009, at 01:46, Dan Benson wrote:
>>> As strange as this sounds, I have a need to be assigned an address
>>> on a Cat6500 Running IOS via dhcp (to a vlan or a dedicated port).
>
> On Wed, May 20, 2009 at 4:39 PM, Steve Lalonde wrote:
>> Not so strange.
>
> You've got a DHCP server. Dan needs a DHCP client.
>
> cheers,
> Dale

Doh! That's what happens when you reply to emails while half asleep

Steve

From mjsaarin at cc.helsinki.fi Wed May 20 03:52:32 2009
From: mjsaarin at cc.helsinki.fi (Matti Saarinen)
Date: Wed, 20 May 2009 10:52:32 +0300
Subject: [c-nsp] BGP, backdoor and route-map
Message-ID:

In short, my question is: does the following command have any special effect in BGP config compared to a similar line without the route-map part?

network N.N.N.N mask M.M.M.M route-map foo backdoor

So, is the route-map statement just ignored silently? The IOS in question is 12.2(18)SXF15.

Longer story leading to my question:

I have got a very ugly setup: there are Quagga boxes advertising certain /32 IPv4 prefixes via eBGP to a few 6500s that redistribute routes to OSPF. The 6500s don't speak iBGP with each other - the only BGP is the eBGP to Quagga. I want to use BGP because in some cases I don't have control over the Quagga boxes. Also I don't want to begin setting up iBGP only for this case. The whole point of this concept is to provide anycast service addresses for DNS, RADIUS etc. I don't want to achieve load balancing, just availability.

In general this setup works. The /32s are advertised. In all but one of the 6500s the network is defined as a backdoor network in BGP config so that the same route learned via OSPF will override the one learned via BGP. One of the servers is the preferred one and its prefix advertisement is therefore not declared as backdoor.

Now, if I want to provide the server admins, who are also administering the Quagga, a way to change the preferred server dynamically without any change to Cisco config, can this be done with the current setup? I hoped it could be done by selectively activating the backdoor with route-maps. I tried applying a route-map to the "network N.N.N.N mask M.M.M.M backdoor" statement. It appeared in config but it seemed to have no effect. I even tried to apply a route-map that would block everything, but still the prefix was declared as backdoor.

Cheers,

-- 
- Matti -

From peter at rathlev.dk Wed May 20 04:03:43 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 20 May 2009 10:03:43 +0200
Subject: [c-nsp] TCP Reset
In-Reply-To:
References:
Message-ID: <1242806623.5401.2.camel@localhost.localdomain>

On Wed, 2009-05-20 at 10:15 +0530, Hitesh Vinzoda wrote:
> I m facing a problem from some clients behaving suspiciously when they
> telnet to squid proxy. ( 10.4.188.180)
>
> After TCP Syn request by client the server is responding with RST.
>
> Wireshark logs from client is attached. Comments are invited for this case.

And the server is really listening on that port? I assume "http-alt" is 8080/tcp, and Squid normally listens on 3128/tcp. What does a wireshark dump on the server tell you?

The only thing that comes to mind apart from the port-issue would be that Cisco PIX/ASA/FWSM firewalls will actually reject an ACL denied connection from "inside" (higher security level) with a TCP RST.

Regards,
Peter

From dwinkworth at att.net Wed May 20 07:50:18 2009
From: dwinkworth at att.net (Derick Winkworth)
Date: Wed, 20 May 2009 06:50:18 -0500
Subject: [c-nsp] TCP Reset
In-Reply-To:
References:
Message-ID: <4A13EE7A.6040706@att.net>

What Cisco devices are in the path?

We had to configure an ACL on a 7200 denying inbound TCP RSTs, because of a bug where the 7200 (if it was doing PAT) was erroneously sending the RST to the wrong connection.

Long story short, NAT session #1 would properly terminate on the 7200, but the server would think the port was still open. The server would time out and send a RST four minutes later. Within that four minute window the 7200 would reuse the same source port for a NAT session #2. When the server's four minute timer went off for the first session, and the RST was sent... the 7200 would send the RST to the client in the second session, thus erroneously terminating a valid TCP session.

There is a bug ID for this somewhere....
Hitesh Vinzoda wrote: > Dear All, > I m facing a problem from some clients behaving suspiciously when they > telnet to squid proxy. ( 10.4.188.180) > > After TCP Syn request by client the server is responding with RST. > > > Wireshark logs from client is attached. Comments are invited for this case. > > Thanks in advance > > Ronnie > > ------------------------------------------------------------------------ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ------------------------------------------------------------------------ > > > No virus found in this incoming message. > Checked by AVG - www.avg.com > Version: 8.5.339 / Virus Database: 270.12.35/2123 - Release Date: 05/19/09 17:59:00 > From maillist at webjogger.net Wed May 20 08:54:28 2009 From: maillist at webjogger.net (Adam Greene) Date: Wed, 20 May 2009 08:54:28 -0400 Subject: [c-nsp] 'Simple' BGP multi homing References: <4A12F3A3.1010604@chrisserafin.com> Message-ID: <532A9D6D837944B5B8E399D2757A078B@GINKGO> Hi Chris, Yes, in general, what you propose sounds feasible ... Thanks, Adam ----- Original Message ----- From: "ChrisSerafin" To: Sent: Tuesday, May 19, 2009 2:00 PM Subject: [c-nsp] 'Simple' BGP multi homing >I have 2 ISPs connecting at my data center at the moment, both with > simple basic static routes, and I would like to multi-home them to > provide redundancy in the event one goes down. > > I have created a simple diagram here: http://chrisserafin.com/WAN-BGP.jpg > > I have a few assumptions, so let me know if I'm on the correct page: > > * I will need to get both routers setup for BGP peering to their ISPs > * I will need to request/buy a new IP block and AS from ARIN that > both routers will advertise > > I'm hoping I can 'lab this up' if both routers have spare > (gig/fa)ethernet ports...sound possible? 
> > > Thanks > > --chris > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From rgallagh at cisco.com Wed May 20 09:01:42 2009 From: rgallagh at cisco.com (Richard Gallagher) Date: Wed, 20 May 2009 14:01:42 +0100 Subject: [c-nsp] C4K_PKTPROCESSING-5-NOTAPPLYINGACL In-Reply-To: <7B8B0D6F623C3A40A0D0A80A66756E2B0105C0@EXVS01.claranet.local> References: <7B8B0D6F623C3A40A0D0A80A66756E2B0105C0@EXVS01.claranet.local> Message-ID: <4DFC6824-C7E8-488A-B3A1-CC9F582ED337@cisco.com> David, How often did the message occur? Were any ACL changes being made at the time? Rich On 20 May 2009, at 01:35, David Freedman wrote: > Anybody seen these messages occur frequently? > >> May 18 09:19:31 box 575: May 18 08:20:37 UTC: >> %C4K_PKTPROCESSING-5-NOTAPPLYINGACL: Not applying Output Acl for >> packet >> udp srcHost 1.1.1.1 dstHost 2.2.2.2 tos 0 srcPort 934 >> dstPort 2049 > > According the error decoder, they are CAM programming issue but that > is about the level > of detail it goes into, I would infer from this that they should > only be seen rarely > but I'm starting to see them frequently, box is 4948 running > 12.2(25)EWA10, bugtool > as usual has nothing. > > Any pointers appreciated. 
> > Regards, > > ------------------------------------------------ > David Freedman > Group Network Engineering > Claranet Limited > http://www.clara.net > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From david.freedman at uk.clara.net Wed May 20 09:03:56 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Wed, 20 May 2009 14:03:56 +0100 Subject: [c-nsp] C4K_PKTPROCESSING-5-NOTAPPLYINGACL In-Reply-To: <4DFC6824-C7E8-488A-B3A1-CC9F582ED337@cisco.com> References: <7B8B0D6F623C3A40A0D0A80A66756E2B0105C0@EXVS01.claranet.local> <4DFC6824-C7E8-488A-B3A1-CC9F582ED337@cisco.com> Message-ID: <4A13FFBC.7050802@uk.clara.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 No ACL changes being made at the time, a block of these occur randomly at once, could there be a CAM problem? Dave. Richard Gallagher wrote: > David, > > How often did the message occur? Were any ACL changes being made at the > time? > > Rich > > On 20 May 2009, at 01:35, David Freedman wrote: > >> Anybody seen these messages occur frequently? >> >>> May 18 09:19:31 box 575: May 18 08:20:37 UTC: >>> %C4K_PKTPROCESSING-5-NOTAPPLYINGACL: Not applying Output Acl for packet >>> udp srcHost 1.1.1.1 dstHost 2.2.2.2 tos 0 srcPort 934 >>> dstPort 2049 >> >> According the error decoder, they are CAM programming issue but that >> is about the level >> of detail it goes into, I would infer from this that they should only >> be seen rarely >> but I'm starting to see them frequently, box is 4948 running >> 12.2(25)EWA10, bugtool >> as usual has nothing. >> >> Any pointers appreciated. 
>> >> Regards, >> >> ------------------------------------------------ >> David Freedman >> Group Network Engineering >> Claranet Limited >> http://www.clara.net >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoT/7sACgkQtFWeqpgEZrIloQCgnn03i5uxmNuN6ia1jsq5g5qD kF4An1mG6qPuCYaZebsJ3dnDvjbsIDsP =8N8V -----END PGP SIGNATURE----- From psirt at cisco.com Wed May 20 10:49:33 2009 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wed, 20 May 2009 10:49:33 -0400 Subject: [c-nsp] Cisco Security Advisory: CiscoWorks TFTP Directory Traversal Vulnerability Message-ID: <200905201050.cw@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: CiscoWorks TFTP Directory Traversal Vulnerability Advisory ID: cisco-sa-20090520-cw http://www.cisco.com/warp/public/707/cisco-sa-20090520-cw.shtml Revision 1.0 For Public Release 2009 May 20 1600 UTC (GMT) Summary ======= CiscoWorks Common Services contains a vulnerability that could allow an unauthenticated remote attacker to access application and host operating system files. Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090520-cw.shtml. Affected Products ================= Vulnerable Products +------------------ Products that have TFTP services enabled and that run CiscoWorks Common Services versions 3.0.x, 3.1.x, and 3.2.x are vulnerable. Only CiscoWorks Common Services systems running on Microsoft Windows operating systems are affected. 
The following Cisco products that use CiscoWorks Common Services as their base are affected by this vulnerability.

  * Cisco Unified Service Monitor versions 1.0, 1.1, 2.0, and 2.1
  * CiscoWorks QoS Policy Manager versions 4.0 and 4.1
  * CiscoWorks LAN Management Solution versions 2.5, 2.6, and 3.0
  * Cisco Security Manager versions 3.0, 3.1, and 3.2
  * Cisco TelePresence Readiness Assessment Manager version 1.0
  * CiscoWorks Voice Manager versions 3.0 and 3.1
  * CiscoWorks Health and Utilization Monitor versions 1.0 and 1.1
  * Cisco Unified Operations Manager versions 1.0, 1.1, 2.0, and 2.1
  * Cisco Unified Provisioning Manager versions 1.0, 1.1, 1.2, and 1.3

The Solaris version of CiscoWorks Common Services is not affected by this vulnerability.

The TFTP service is enabled by default. To verify that the TFTP service is running, connect to the CiscoWorks interface and choose "Start > Settings > Control Panel > Administrative Tools > Services" to access the "Services" window. The name of the service is "CWCS tftp service".

Note: Administrators can also issue the "tasklist/svc" Microsoft Windows command to list the services that are running on the system.

Products Confirmed Not Vulnerable
+--------------------------------

Products that do not use CiscoWorks Common Services versions 3.0.x, 3.1.x, and 3.2.x or that do not have TFTP services enabled are not vulnerable. The Solaris version of CiscoWorks Common Services is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

CiscoWorks Common Services represents a common set of management services that is shared by CiscoWorks applications. CiscoWorks is a family of products based on Internet standards for managing networks and devices. Many CiscoWorks products use and depend on Common Services.
CiscoWorks Common Services contains a TFTP directory traversal vulnerability that could allow an unauthenticated remote attacker to access application and host operating system files.

Note: Only CiscoWorks Common Services systems that run on Microsoft Windows operating systems are vulnerable. The Solaris version of CiscoWorks Common Services is not affected by this vulnerability.

This vulnerability is documented in Cisco Bug ID CSCsx07107 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1161.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSM: TFTP service allows directory traversal (CSCsx07107)

CVSS Base Score - 10.0
  Access Vector           - Network
  Access Complexity       - Low
  Authentication          - None
  Confidentiality Impact  - Complete
  Integrity Impact        - Complete
  Availability Impact     - Complete

CVSS Temporal Score - 8.7
  Exploitability          - High
  Remediation Level       - Official-Fix
  Report Confidence       - Confirmed

Impact
======

A successful exploitation of this vulnerability may allow an attacker unauthorized access to view or modify application and host operating system files.
Modification of some system files could result in a denial of service condition.

Software Versions and Fixes
===========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

This vulnerability has been corrected in the following CiscoWorks Common Services software patch:

cwcs3.x-win-CSCsx07107-0.zip

The CiscoWorks Common Services patch can be downloaded from the following link:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

To mitigate this vulnerability, administrators can disable TFTP services by completing the following steps:

Step 1. Choose "Start > Settings > Control Panel > Administrative Tools > Services" to access the Services window.
Step 2. Right-click "CWCS tftp service" and select "Properties".
Step 3. Set the "Startup Type" to "Disabled".
Step 4. Click the "Stop" button to stop the TFTP service.

Note: Disabling TFTP services may impact the functionality of some of the CiscoWorks components.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090520-cw.shtml.
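The advisory names the weakness class (a TFTP server that lets a client-supplied filename walk out of its served directory) but not what a correct server does instead. As an added example, not CiscoWorks or Cisco code, the handler below parses an RFC 1350 read request and confines the filename to the served directory, with the naive join beside it to show how a traversal name escapes; the root directory, filenames and datagrams are constructed for the example, and the backslash and drive-letter checks are there because the affected servers run on Windows.

```python
from __future__ import annotations

import os
import struct

TFTP_OPCODE_RRQ = 1
TFTP_MODES = {"octet", "netascii"}


class TftpRequestError(ValueError):
    """Raised for malformed or unsafe TFTP read requests."""


def parse_rrq(datagram: bytes) -> tuple[str, str]:
    """Parse an RFC 1350 read request: opcode 1, filename, NUL, mode, NUL.

    Returns (filename, mode). Trailing option fields, if any, are ignored.
    """
    if len(datagram) < 4:
        raise TftpRequestError("datagram too short")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode != TFTP_OPCODE_RRQ:
        raise TftpRequestError(f"not a read request (opcode {opcode})")
    fields = datagram[2:].split(b"\x00")
    # Filename and mode must both be NUL-terminated, so we need two NULs.
    if len(fields) < 3:
        raise TftpRequestError("filename or mode not NUL-terminated")
    try:
        filename = fields[0].decode("ascii")
        mode = fields[1].decode("ascii").lower()
    except UnicodeDecodeError as exc:
        raise TftpRequestError("non-ASCII request field") from exc
    if mode not in TFTP_MODES:
        raise TftpRequestError(f"unsupported mode {mode!r}")
    return filename, mode


def naive_tftp_path(root: str, requested: str) -> str:
    """The pattern behind a traversal bug: trust the name, join it, serve it."""
    return os.path.normpath(os.path.join(root, requested))


def safe_tftp_path(root: str, requested: str) -> str:
    """Map a client-supplied filename onto a file under root, or raise.

    Rejects absolute paths, drive letters, backslashes (a separator on the
    Windows hosts the advisory concerns, even when this code runs elsewhere),
    empty, '.' and '..' components, and finally checks that the resolved
    path, symlinks included, still lies inside root.
    """
    if not requested or "\x00" in requested:
        raise TftpRequestError("empty or NUL-containing filename")
    if "\\" in requested or ":" in requested or requested.startswith("/"):
        raise TftpRequestError("absolute or non-portable path rejected")
    parts = requested.split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise TftpRequestError("traversal or empty path component rejected")
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, *parts))
    # Belt and braces: a symlink inside root could still point outside it.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise TftpRequestError("resolved path escapes served directory")
    return candidate


def handle_rrq(root: str, datagram: bytes) -> str:
    """Validate a read request end to end; returns the path the server may open."""
    filename, _mode = parse_rrq(datagram)
    return safe_tftp_path(root, filename)


if __name__ == "__main__":
    ROOT = "tftproot"  # constructed served directory for the example
    good = b"\x00\x01" + b"configs/sw1.cfg\x00" + b"octet\x00"
    bad = b"\x00\x01" + b"../outside.txt\x00" + b"octet\x00"
    print("naive:", naive_tftp_path(ROOT, "../outside.txt"))  # leaves tftproot
    print("safe :", handle_rrq(ROOT, good))
    try:
        handle_rrq(ROOT, bad)
    except TftpRequestError as exc:
        print("safe : rejected,", exc)
```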
Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. 
Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found during the resolution of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. 
Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090520-cw.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-May-20 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2009 Cisco Systems, Inc. All rights reserved. 
+-------------------------------------------------------------------- Updated: May 20, 2009 Document ID: 110143 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkoUF9wACgkQ86n/Gc8U/uD6vwCfR19hcS8fBuvDrshKYSc9zbsM Yp8AoJj60tLS7dMKkYcRcgJLreh3dl8A =yjnP -----END PGP SIGNATURE----- From gkg at gmx.de Wed May 20 14:09:17 2009 From: gkg at gmx.de (Garry) Date: Wed, 20 May 2009 20:09:17 +0200 Subject: [c-nsp] Limits of STP/RSTP/REP? Message-ID: <4A14474D.10202@gmx.de> Wondering, what's the sensible limits of STP, RSTP, REP or any other spanning tree/ring protocol available on Cisco switches like 29, 35, 37 or ME3400 series? I was told by a customer whom we try to sell some Cisco gear that beyond anything like 4 or 5 switches in a ring, recognition/recovery times of the ring would quickly go well beyond 10s on failure of a link ... Now, on STP the times are definitely somewhere in that range, but what about RSTP or stuff like REP? Tnx, -garry From sthaug at nethelp.no Wed May 20 15:24:15 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Wed, 20 May 2009 21:24:15 +0200 (CEST) Subject: [c-nsp] Limits of STP/RSTP/REP? In-Reply-To: <4A14474D.10202@gmx.de> References: <4A14474D.10202@gmx.de> Message-ID: <20090520.212415.71170641.sthaug@nethelp.no> > Wondering, what's the sensible limits of STP, RSTP, REP or any other > spanning tree/ring protocol available on Cisco switches like 29, 35, 37 > or ME3400 series? I was told by a customer whom we try to sell some > Cisco gear that beyond anything like 4 or 5 switches in a ring, > recognition/recovery times of the ring would quickly go well beyond 10s > on failure of a link ... This may be only marginally relevant to your question, but here goes: We have Extreme EAPS rings of up to 11 switches. Recovery times are well under 1 second. REP is similar to EAPS in several ways. I would expect Cisco to be able to tell you about reasonable size of REP rings and expected recovery times. 
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From ross at kallisti.us Wed May 20 16:04:03 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 20 May 2009 16:04:03 -0400
Subject: [c-nsp] Limits of STP/RSTP/REP?
In-Reply-To: <4A14474D.10202@gmx.de>
References: <4A14474D.10202@gmx.de>
Message-ID: <20090520200403.GA13268@kallisti.us>

On Wed, May 20, 2009 at 08:09:17PM +0200, Garry wrote:
> Wondering, what's the sensible limits of STP, RSTP, REP or any other
> spanning tree/ring protocol available on Cisco switches like 29, 35, 37
> or ME3400 series? I was told by a customer whom we try to sell some
> Cisco gear that beyond anything like 4 or 5 switches in a ring,
> recognition/recovery times of the ring would quickly go well beyond 10s
> on failure of a link ...
>
> Now, on STP the times are definitely somewhere in that range, but what
> about RSTP or stuff like REP?

In a usual ring scenario, an RSTP bridge would have two paths to root. For either cost or tiebreaker reasons, one would be chosen as the root port and one would be chosen as the alternate. If the root port goes down then the switch will rapidly move the alternate port to root and start sending BPDUs with the TCN flag set. This will in turn cause the other bridges to age-out their MAC table.

The process of flooding TCNs should lead to worst-case full reconvergence in approximately (hello-interval * max number of hops in the active topology) seconds. For a ring of five switches, all of whom have only edge ports on the non-ring interfaces, this is a worst case of six seconds until all bridges have flushed their MAC tables.

This worst case isn't very realistic. 802.1D-2004 specifies that a bridge should immediately transmit a BPDU if it has new information, including topology changes. It also specifies that there is an absolute max of 1.0 seconds permitted between an external event requiring a BPDU and the transmission of that BPDU. That gives a more realistic worst-case of three seconds.
[1]

In practice, I've seen tons of link failures happen with no measurable impact on traffic. That doesn't mean there wasn't any, but it's quick enough that I don't usually drop a ping during link maintenance. Of course this isn't a super-fine measuring tool, so do your own testing!

Cisco has a decent article on various features and changes in RSTP that you might find interesting: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml

And finally, if that isn't enough, the IEEE lets you download 802 specs for free at http://standards.ieee.org/getieee802/. 802.1D-2004 (and .1Q too) is actually pretty readable for someone serious about understanding it.

[1] Of course, it's anyone's guess as to how close the vendors come to implementing this :).

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie

From gkg at gmx.de Wed May 20 16:27:31 2009
From: gkg at gmx.de (Garry)
Date: Wed, 20 May 2009 22:27:31 +0200
Subject: [c-nsp] Limits of STP/RSTP/REP?
In-Reply-To: <20090520200403.GA13268@kallisti.us>
References: <4A14474D.10202@gmx.de> <20090520200403.GA13268@kallisti.us>
Message-ID: <4A1467B3.5000705@gmx.de>

Ross Vandegrift wrote:
> On Wed, May 20, 2009 at 08:09:17PM +0200, Garry wrote:
>
>> Wondering, what's the sensible limits of STP, RSTP, REP or any other
>> spanning tree/ring protocol available on Cisco switches like 29, 35, 37
>> or ME3400 series? I was told by a customer whom we try to sell some
>> Cisco gear that beyond anything like 4 or 5 switches in a ring,
>> recognition/recovery times of the ring would quickly go well beyond 10s
>> on failure of a link ...
>>
>> Now, on STP the times are definitely somewhere in that range, but what
>> about RSTP or stuff like REP?
>>
>
> In a usual ring scenario, an RSTP bridge would have two paths to root.
> For either cost or tiebreaker reasons, one would be chosen as the root
> port and one would be chosen as the alternate. If the root port goes
> down then the switch will rapidly move the alternate port to root and
> start sending BPDUs with the TCN flag set. This will in turn cause
> the other bridges to age-out their MAC table.
>
> The process of flooding TCNs should lead to worst-case full
> reconvergence in approximately (hello-interval * max number of hops in
> the active topology) seconds. For a ring of five switches, all of whom
> have only edge ports on the non-ring interfaces, this is a worst case
> of six seconds until all bridges have flushed their MAC tables.
>

Question mainly is: Can Cisco gear handle a setup where there might be a ring made of - say - 20-30 switches, each of which having two interfaces each in the ring ("in" and "out", so to speak) ... while at the moment I don't expect that customer to set up more than 4-6 switches to begin with, locations are there that will require that number of switches over time ... (sort of a MAN scenario)

To date, anything I've come across (usually a set of 3-4 switches) never caused any kind of problem, but then very rarely were there any line/link failures ...

Tnx, -garry

From steve at ibctech.ca Wed May 20 19:18:45 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Wed, 20 May 2009 19:18:45 -0400
Subject: [c-nsp] Bandwidth displayed on Tunnel interfaces
Message-ID: <4A148FD5.9030504@ibctech.ca>

Hi all,

I've got a few protocol 41 tunnels configured on a few different routers, all for IPv6 only.

Some of the tunnels are used for BGP peering with transit providers, and the rest join my PoPs together.

If I understand the Cisco documentation correctly, the "BW" is used exclusively for link metric/cost, but it also shows up in my MRTG graphs and skews the percentage results.
Since these tunnels operate on top of the same underlying connection type as the IPv4 infrastructure, I'd like to set the bandwidth manually to the same setting as the interface type the tunnel is connected over (or better yet, set it globally for all tunnel interfaces). AFAICT, doing this won't have any operational impact other than what it would normally have on an IGP (which is fine, because all IGP is over direct Ethernet), and fixing my graphing/statistical applications. Can I get some feedback on whether my thinking is correct? Tunnel bandwidth should be 100Mb: pe2-fibre#sh int tun5 Tunnel5 is up, line protocol is up Hardware is Tunnel Description: IPv6 BGP Tunnel to he.net MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, reliability 255/255, txload 18/255, rxload 163/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 208.70.111.131, destination 216.218.229.118 Tunnel protocol/transport IPv6/IP Tunnel TTL 255 Fast tunneling enabled Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Steve -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3233 bytes Desc: S/MIME Cryptographic Signature URL: From jay at west.net Wed May 20 19:25:26 2009 From: jay at west.net (Jay Hennigan) Date: Wed, 20 May 2009 16:25:26 -0700 Subject: [c-nsp] Bandwidth displayed on Tunnel interfaces In-Reply-To: <4A148FD5.9030504@ibctech.ca> References: <4A148FD5.9030504@ibctech.ca> Message-ID: <4A149166.50702@west.net> Steve Bertrand wrote: > Hi all, > > I've got a few protocol 41 tunnels configured on a few different > routers, all for IPv6 only. > > Some of the tunnels are used for BGP peering with transit providers, and > the rest join my PoPs together. > > If I understand the Cisco documentation correctly, the "BW" is used > exclusively for link metric/cost, but it also shows up in my MRTG graphs > and skews the percentage results. 
> > Since these tunnels operate on top of the same underlying connection > type as the IPv4 infrastructure, I'd like to set the bandwidth manually > to the same setting as the interface type the tunnel is connected over > (or better yet, set it globally for all tunnel interfaces). > > AFAICT, doing this won't have any operational impact other than what it > would normally have on an IGP (which is fine, because all IGP is over > direct Ethernet), and fixing my graphing/statistical applications. > > Can I get some feedback on whether my thinking is correct? Tunnel > bandwidth should be 100Mb: > > pe2-fibre#sh int tun5 > Tunnel5 is up, line protocol is up > Hardware is Tunnel > Description: IPv6 BGP Tunnel to he.net > MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, > reliability 255/255, txload 18/255, rxload 163/255 > Encapsulation TUNNEL, loopback not set > Keepalive not set > Tunnel source 208.70.111.131, destination 216.218.229.118 > Tunnel protocol/transport IPv6/IP > Tunnel TTL 255 > Fast tunneling enabled > Tunnel transmit bandwidth 8000 (kbps) > Tunnel receive bandwidth 8000 (kbps) Correct. conf t int tu5 bandwidth 100000 ^Z wr -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From ross at kallisti.us Wed May 20 19:34:05 2009 From: ross at kallisti.us (Ross Vandegrift) Date: Wed, 20 May 2009 19:34:05 -0400 Subject: [c-nsp] Limits of STP/RSTP/REP? In-Reply-To: <4A1467B3.5000705@gmx.de> References: <4A14474D.10202@gmx.de> <20090520200403.GA13268@kallisti.us> <4A1467B3.5000705@gmx.de> Message-ID: <20090520233405.GA14624@kallisti.us> On Wed, May 20, 2009 at 10:27:31PM +0200, Garry wrote: > Question mainly is: Can Cisco gear handle a setup where there might be a > ring made of - say - 20-30 switches, each of which having two interfaces > each in the ring ("in" and "out", so to speak) ... 
while at the moment I > don't expect that customer to set up more than 4-6 switches to begin > with, locations are there that will require that number of switches over > time ... (sort of a MAN scenario) Definitely not more than 20 in a ring. As far as I know, IOS limits the value of max-hops to 20. This means you can't have a BPDU traverse more than 20 hops without being thrown away. If one pair of switches in the ring experienced a total cut, your network would have a diameter of 20, end to end. JUNOS lets you set that value to 255, but I doubt that STP-like protocols ever scale that well. I don't know anything about the various vendor-specific link redundancy features - my guess is you'll have to go there. -- Ross Vandegrift ross at kallisti.us "If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie From ross at kallisti.us Wed May 20 19:37:57 2009 From: ross at kallisti.us (Ross Vandegrift) Date: Wed, 20 May 2009 19:37:57 -0400 Subject: [c-nsp] Limits of STP/RSTP/REP? In-Reply-To: <20090520233405.GA14624@kallisti.us> References: <4A14474D.10202@gmx.de> <20090520200403.GA13268@kallisti.us> <4A1467B3.5000705@gmx.de> <20090520233405.GA14624@kallisti.us> Message-ID: <20090520233757.GB14624@kallisti.us> On Wed, May 20, 2009 at 07:34:05PM -0400, ross wrote: > Definitely not more than 20 in a ring. As far as I know, IOS limits > the value of max-hops to 20. Nope, I'm wrong about this. According to my lab 6500s, MSTP on IOS will let you go all the way to 255 as well. -- Ross Vandegrift ross at kallisti.us "If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." 
--Woody Guthrie From steve at ibctech.ca Wed May 20 19:42:53 2009 From: steve at ibctech.ca (Steve Bertrand) Date: Wed, 20 May 2009 19:42:53 -0400 Subject: [c-nsp] Bandwidth displayed on Tunnel interfaces In-Reply-To: <4A149166.50702@west.net> References: <4A148FD5.9030504@ibctech.ca> <4A149166.50702@west.net> Message-ID: <4A14957D.3090703@ibctech.ca> Jay Hennigan wrote: > Steve Bertrand wrote: >> If I understand the Cisco documentation correctly, the "BW" is used >> exclusively for link metric/cost, but it also shows up in my MRTG graphs >> and skews the percentage results. >> >> Since these tunnels operate on top of the same underlying connection >> type as the IPv4 infrastructure, I'd like to set the bandwidth manually >> to the same setting as the interface type the tunnel is connected over >> (or better yet, set it globally for all tunnel interfaces). >> >> AFAICT, doing this won't have any operational impact other than what it >> would normally have on an IGP (which is fine, because all IGP is over >> direct Ethernet), and fixing my graphing/statistical applications. >> >> Can I get some feedback on whether my thinking is correct? Tunnel >> bandwidth should be 100Mb: >> >> pe2-fibre#sh int tun5 >> Tunnel5 is up, line protocol is up >> Hardware is Tunnel >> Description: IPv6 BGP Tunnel to he.net >> MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, >> reliability 255/255, txload 18/255, rxload 163/255 >> Encapsulation TUNNEL, loopback not set >> Keepalive not set >> Tunnel source 208.70.111.131, destination 216.218.229.118 >> Tunnel protocol/transport IPv6/IP >> Tunnel TTL 255 >> Fast tunneling enabled >> Tunnel transmit bandwidth 8000 (kbps) >> Tunnel receive bandwidth 8000 (kbps) > > Correct. > > conf t > int tu5 > bandwidth 100000 > ^Z > wr Much, MUCH better! Now my quick graphs actually account for proper v6 throughput. Thanks! Steve -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3233 bytes Desc: S/MIME Cryptographic Signature URL: From justin at justinshore.com Wed May 20 21:55:57 2009 From: justin at justinshore.com (Justin Shore) Date: Wed, 20 May 2009 20:55:57 -0500 Subject: [c-nsp] OT: 871W config Message-ID: <4A14B4AD.2090003@justinshore.com> I've got an off-topic plea. I'm trying to configure a simple little 871W as a CE that I need to deploy next week. The wifi on this thing is kicking my ass. 881Ws are completely different than their 871W ancestors. 881Ws have a logically separate internal AP that you basically session into. The 871W's radio is integrated into the router's config itself. I can't for the life of me get wifi sub-ints to bridge onto the SVIs that I'm using on the wired side (3x VLANs: data, voice, and guest). I found a config guide online that showed SVIs configured with nothing but the bridge-group commands, BVIs corresponding to those bridge-groups where all the L3 config now resides, and then normal Dot11Radio sub-ints with matching bridge-groups. However doing this and putting the bridge-group commands on the SVIs breaks the wired connectivity (and doesn't make wifi work anyway). Does anyone have a working config for a 871W that they wouldn't mind sharing off-list? This should be a trivially minor config and for some reason it's thoroughly stumping me. Thanks Justin From ray at oneunified.net Wed May 20 22:32:27 2009 From: ray at oneunified.net (Ray Burkholder) Date: Wed, 20 May 2009 23:32:27 -0300 Subject: [c-nsp] OT: 871W config In-Reply-To: <4A14B4AD.2090003@justinshore.com> References: <4A14B4AD.2090003@justinshore.com> Message-ID: <0C4FF5425DEE44C58DB6398BD9E62179@oneunified.local> > > Does anyone have a working config for a 871W that they > wouldn't mind sharing off-list? This should be a trivially > minor config and for some reason it's thoroughly stumping me. > http://www.oneunified.net/blog/Cisco/Cisco871Wireless.article Done with the CLI. 
In addition 12.4(15)T8 works. 12.4(20) doesn't do wireless well. -- Scanned for viruses and dangerous content at http://www.oneunified.net and is believed to be clean. From pkranz at unwiredltd.com Wed May 20 22:40:20 2009 From: pkranz at unwiredltd.com (Peter Kranz) Date: Wed, 20 May 2009 19:40:20 -0700 Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL? Message-ID: <010201c9d9bd$7c072860$74157920$@com> Setup is as follows; 2 edge routers, each with a BGP session receiving full routes to the same provider router. The provider is load balancing inbound traffic to our AS nicely, 50/50 between the edge routers.. I would also like to load balance the outbound traffic.. I've considered adding 'maximum-paths 2' to install the two equal paths, but an concerned about FIB TCAM impacts. Will adding this command cause each equal cost route to take one additional TCAM entry, i.e. full routing table x 2 > 524k TCAM limit = EPIC meltdown? Current FIB TCAM: L3 Forwarding Resources FIB TCAM usage: Total Used %Used 72 bits (IPv4, MPLS, EoM) 524288 285506 54% 144 bits (IP mcast, IPv6) 262144 5 1% Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207-0000 pkranz at unwiredltd.com From achatz at forthnet.gr Thu May 21 04:52:00 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Thu, 21 May 2009 11:52:00 +0300 Subject: [c-nsp] WS-X6724-SFP & SXI = high cpu usage? In-Reply-To: <49D44972.9010202@forthnet.gr> References: <49D44972.9010202@forthnet.gr> Message-ID: <4A151630.1040400@forthnet.gr> For everyone interested, the outcome is that WS-X6724-SFP or WS-X6748-SFP need to have a lot (~15-20) of SFPs connected in order for the cpu to increase. CSCsr21196: x6724/x6748 SFP enhanced link detection method The link background aggressively polls 24 ports at a poll. There is no toggle to turn it on or off. 
--
Tassos

Tassos Chatzithomaoglou wrote on 02/04/2009 08:13:
> Anyone running SXI with a WS-X6724-SFP module (DFC or non DFC), showing
> high cpu usage due to the fw_lcp process?
>
>
> 6500#remote command module 1 sh proc cpu sort | exc 0.00
>
> CPU utilization for five seconds: 32%/1%; one minute: 31%; five minutes: 31%
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> 187 1949496 613964 3175 31.19% 30.47% 30.45% 0 fw_lcp process
>
>
> 6500#sh platform hardware capacity cpu
> CPU Resources
> CPU utilization: Module 5 seconds 1 minute 5 minutes
> 1 28% / 0% 28% 28%
> 6 RP 1% / 1% 1% 1%
> 6 SP 18% / 0% 15% 14%
> 6500#sh mod
> Mod Ports Card Type Model Serial No.
> --- ----- -------------------------------------- ------------------ -----------
> 1 24 CEF720 24 port 1000mb SFP WS-X6724-SFP XXXXXXXXXXX
> 6 2 Supervisor Engine 720 (Active) WS-SUP720-3B XXXXXXXXXXX
>
>
> SXH, SXF do not seem to have this problem.
>

From ibrahim.abozaid at gmail.com Thu May 21 06:58:07 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 21 May 2009 13:58:07 +0300
Subject: [c-nsp] Dynamic NAT on router and ASA
Message-ID:

Hi All

i have NAT and PAT configured on ASA 5520 and it works as expected from ASA, NAT all incoming connection 1:1 until NAT pool is depleted then PAT all next connections

but actually, NAT pool never gets depleted and ASA started to use PAT pool although there are free IPs in NAT pool and that is strange

so i think to transfer NAT to the edge router and use dynamic NAT instead of dynamic NAT on ASA but i need to know is dynamic NAT on router will do that

1- configure NAT pool with N global address
2- NAT first N connection to NAT pool 1:1
3- for next connections, begin from start again so N+1 connection will get the same translation as first connection

that seems like "Rotary" NAT but it works for outside connection not inside, does anyone have practical experience it will work as described above?
best regards --Ibrahim From kevin.hodle at gmail.com Thu May 21 08:35:35 2009 From: kevin.hodle at gmail.com (Kevin Hodle) Date: Thu, 21 May 2009 07:35:35 -0500 Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL? In-Reply-To: <010201c9d9bd$7c072860$74157920$@com> References: <010201c9d9bd$7c072860$74157920$@com> Message-ID: <9639597a0905210535k16458411nebac7a6b2ab2936a@mail.gmail.com> Hi Peter, Another option for load balancing outbound traffic in your scenario would be to do some netflow analysis on your upstream ports and have a look at what the top destination ASNs your outbound traffic is flowing toward. Using this data, you can construct as-path ACLs which you can utilize in your inbound route-map on each upstream BGP session to set a higher local-preference for 'preferred' routes on each session (ie routes from ASXXX get a local-preference 1 higher than your standard upstream route local-preference), and accept the rest of the full table on each session with your normal local-preference. Using your netflow analysis you should be able to achieve a fairly equal traffic split (as you will be able to see what % of your total outbound traffic is going to which ASNs, use this data to come up with an approximated 50/50 outbound traffic split) and you will still have redundancy in place for all routes if one of the sessions drop. It would take a little more effort than simply turning on multi-pathing, but in your scenario it might be more ideal as you won't have to worry about 3bxl TCAM constraints with this method. Cheers, Kevin Hodle On Wed, May 20, 2009 at 9:40 PM, Peter Kranz wrote: > Setup is as follows; 2 edge routers, each with a BGP session receiving full > routes to the same provider router. The provider is load balancing inbound > traffic to our AS nicely, 50/50 between the edge routers.. I would also like > to load balance the outbound traffic.. 
I've considered adding 'maximum-paths
> 2' to install the two equal paths, but am concerned about FIB TCAM impacts.
> Will adding this command cause each equal cost route to take one additional
> TCAM entry, i.e. full routing table x 2 > 524k TCAM limit = EPIC meltdown?
>
> Current FIB TCAM:
>
> L3 Forwarding Resources
> FIB TCAM usage: Total Used %Used
> 72 bits (IPv4, MPLS, EoM) 524288 285506 54%
> 144 bits (IP mcast, IPv6) 262144 5 1%
>
> Peter Kranz
> www.UnwiredLtd.com
> Desk: 510-868-1614 x100
> Mobile: 510-207-0000
> pkranz at unwiredltd.com
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
|| Kevin Hodle ||
|| 913-780-3959 (Primary) || 913-626-7197 (Mobile)
PGP KeyID [0xBBDE8ED7] fingerprint [3E1B 1F10 938E A831 8CF2 670C 1329 0B8B BBDE 8ED7]

From ratio+nsp at invalid.org.ua Thu May 21 05:25:44 2009
From: ratio+nsp at invalid.org.ua (Сергій Халавчук)
Date: Thu, 21 May 2009 12:25:44 +0300
Subject: [c-nsp] Limits of STP/RSTP/REP?
In-Reply-To: <20090520233405.GA14624@kallisti.us>
References: <4A14474D.10202@gmx.de> <20090520200403.GA13268@kallisti.us> <4A1467B3.5000705@gmx.de> <20090520233405.GA14624@kallisti.us>
Message-ID: <4f909a820905210225m76dd8727o35da241ff124015@mail.gmail.com>

> Definitely not more than 20 in a ring. As far as I know, IOS limits
> the value of max-hops to 20. This means you can't have a BPDU
> traverse more than 20 hops without being thrown away. If one pair of
> switches in the ring experienced a total cut, your network would have
> a diameter of 20, end to end.

this is STP limitation: MaxAge is by default 20 hops.
for IOS, you can change this value:

Switch(config)#spanning-tree vlan 1 max-age ?
<6-40> maximum number of seconds the information in a BPDU is valid or for MST Switch(config)#spanning-tree mst max-age ? <6-40> maximum number of seconds the information in a BPDU is valid value 40 is maximum bpdu hopcount for 3560 switch, for other models there can be other upper limit. -- wbr sergey khalavchuk From brhedlun at cisco.com Thu May 21 00:07:13 2009 From: brhedlun at cisco.com (Brad Hedlund (brhedlun)) Date: Wed, 20 May 2009 23:07:13 -0500 Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact onSup720-3BXL? In-Reply-To: <010201c9d9bd$7c072860$74157920$@com> References: <010201c9d9bd$7c072860$74157920$@com> Message-ID: <70B682BC-5E89-4474-A0C9-97DFDE19944F@cisco.com> Better to use 'ebgp multihop' and peer to provider router's loopback. Then have equal cost static routes to provider's loopback via the two physical interface next hop IP addresses. Cheers, Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org On May 20, 2009, at 9:47 PM, "Peter Kranz" wrote: > Setup is as follows; 2 edge routers, each with a BGP session > receiving full > routes to the same provider router. The provider is load balancing > inbound > traffic to our AS nicely, 50/50 between the edge routers.. I would > also like > to load balance the outbound traffic.. I've considered adding > 'maximum-paths > 2' to install the two equal paths, but an concerned about FIB TCAM > impacts. > Will adding this command cause each equal cost route to take one > additional > TCAM entry, i.e. full routing table x 2 > 524k TCAM limit = EPIC > meltdown? 
> > > > Current FIB TCAM: > > L3 Forwarding Resources > > FIB TCAM usage: Total Used > %Used > > 72 bits (IPv4, MPLS, EoM) 524288 285506 > 54% > > 144 bits (IP mcast, IPv6) 262144 5 > 1% > > > > Peter Kranz > www.UnwiredLtd.com > Desk: 510-868-1614 x100 > > Mobile: 510-207-0000 > pkranz at unwiredltd.com > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From p.mayers at imperial.ac.uk Thu May 21 09:11:38 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Thu, 21 May 2009 14:11:38 +0100 Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL? In-Reply-To: <010201c9d9bd$7c072860$74157920$@com> References: <010201c9d9bd$7c072860$74157920$@com> Message-ID: <4A15530A.7070605@imperial.ac.uk> Peter Kranz wrote: > Setup is as follows; 2 edge routers, each with a BGP session receiving full > routes to the same provider router. The provider is load balancing inbound > traffic to our AS nicely, 50/50 between the edge routers.. I would also like > to load balance the outbound traffic.. I've considered adding 'maximum-paths > 2' to install the two equal paths, but an concerned about FIB TCAM impacts. > Will adding this command cause each equal cost route to take one additional > TCAM entry, i.e. full routing table x 2 > 524k TCAM limit = EPIC meltdown? I'm not 100% certain about this, but my understanding is that there is still only 1 FIB entry for the route; it just has >1 next hop. However - will this work? For eBGP-multipath, the paths have to be basically identical except next-hop. This won't be the case, since each router will prefer its direct link (lower IGP cost). 
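As an added example (not code from the thread), here is the netflow-driven approach Kevin Hodle outlines earlier in this thread, which sidesteps the multipath-eligibility and TCAM questions raised above: it sums constructed per-destination-ASN byte counts, greedily splits the top ASNs into two near-equal sets, and renders the as-path ACL and inbound route-map each edge router would apply to its own upstream session. The ASNs, byte counts, route-map names and ACL numbers are constructed placeholders.

```python
"""Split outbound traffic roughly 50/50 across two upstream eBGP sessions by
raising local-preference for a chosen set of destination ASNs on each session,
as suggested in this thread instead of 'maximum-paths'. Added example; every
ASN, byte count and name below is constructed, not taken from the list."""
from collections import defaultdict

# Constructed flow summary: (origin ASN of the destination prefix, bytes sent).
# In practice this comes from NetFlow exported on the upstream-facing ports.
SAMPLE_FLOWS = [
    (64500, 250_000_000_000),
    (64501, 300_000_000_000),
    (64500, 150_000_000_000),
    (64502, 250_000_000_000),
    (64503, 200_000_000_000),
    (64504, 150_000_000_000),
    (64505, 100_000_000_000),
]


def bytes_by_origin_as(flows):
    """Aggregate bytes per destination origin ASN."""
    totals = defaultdict(int)
    for asn, nbytes in flows:
        totals[asn] += nbytes
    return dict(totals)


def partition_origin_asns(totals, top_n=None):
    """Greedy largest-first partition of the top ASNs into two sets.

    Each ASN goes to the side currently carrying fewer bytes, which yields
    a near-even split for the heavy-tailed distributions NetFlow usually
    shows. Returns sorted ASN lists plus the bytes accounted to each side.
    """
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    if top_n is not None:
        ranked = ranked[:top_n]
    side_a, side_b = [], []
    bytes_a = bytes_b = 0
    for asn, nbytes in ranked:
        if bytes_a <= bytes_b:
            side_a.append(asn)
            bytes_a += nbytes
        else:
            side_b.append(asn)
            bytes_b += nbytes
    total = bytes_a + bytes_b
    return {
        "A": sorted(side_a),
        "B": sorted(side_b),
        "bytes_A": bytes_a,
        "bytes_B": bytes_b,
        # Fraction of the partitioned traffic by which the two sides differ.
        "imbalance": abs(bytes_a - bytes_b) / total if total else 0.0,
    }


def render_prefer_config(preferred_asns, route_map, acl_number, base_lp=100):
    """Render IOS config for one edge router's inbound route-map.

    Routes originated by a preferred ASN (as-path ending in that ASN) get
    local-preference base_lp + 1; the trailing clause keeps the rest of the
    full table at base_lp, so every prefix stays reachable if the other
    router's session drops.
    """
    lines = [f"ip as-path access-list {acl_number} permit _{asn}$"
             for asn in preferred_asns]
    lines += [
        f"route-map {route_map} permit 10",
        f" match as-path {acl_number}",
        f" set local-preference {base_lp + 1}",
        f"route-map {route_map} permit 20",
        f" set local-preference {base_lp}",
    ]
    return lines


if __name__ == "__main__":
    totals = bytes_by_origin_as(SAMPLE_FLOWS)
    split = partition_origin_asns(totals)
    print(f"edge-A prefers {split['A']} ({split['bytes_A']} bytes)")
    print(f"edge-B prefers {split['B']} ({split['bytes_B']} bytes)")
    print(f"imbalance: {split['imbalance']:.1%}")
    for router in ("A", "B"):
        print(f"! --- edge-{router} ---")
        print("\n".join(render_prefer_config(split[router],
                                             f"FROM-UPSTREAM-{router}", 10)))
```

Each router applies its rendered route-map inbound on its own upstream session (`neighbor <upstream> route-map FROM-UPSTREAM-A in`); because local-preference is compared AS-wide, iBGP between the two edge routers makes both of them send each destination set out the session that prefers it.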
From ibrahim.abozaid at gmail.com Thu May 21 05:34:00 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 21 May 2009 12:34:00 +0300
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To: <010201c9d9bd$7c072860$74157920$@com>
References: <010201c9d9bd$7c072860$74157920$@com>
Message-ID:

Hi Peter

If 2 upstream providers provide exactly same routes with same attributes so BGP will select 2 routes to each destination then TCAM will reach its maximum as installed BGP routes will be doubled

but if some destinations are preferably reachable from one of them and 2nd route will be backup route, so BGP routes won't be doubled but that depends on percentage

but if you have exactly the same routes from both of them, why u don't use default? otherwise u will have to upgrade Sup.

best regards
--Ibrahim

On Thu, May 21, 2009 at 5:40 AM, Peter Kranz wrote:
> Setup is as follows; 2 edge routers, each with a BGP session receiving full
> routes to the same provider router. The provider is load balancing inbound
> traffic to our AS nicely, 50/50 between the edge routers.. I would also
> like
> to load balance the outbound traffic.. I've considered adding
> 'maximum-paths
> 2' to install the two equal paths, but am concerned about FIB TCAM impacts.
> Will adding this command cause each equal cost route to take one additional
> TCAM entry, i.e. full routing table x 2 > 524k TCAM limit = EPIC meltdown?
> > > > Current FIB TCAM: > > L3 Forwarding Resources > > FIB TCAM usage: Total Used > %Used > > 72 bits (IPv4, MPLS, EoM) 524288 285506 > 54% > > 144 bits (IP mcast, IPv6) 262144 5 > 1% > > > > Peter Kranz > > > www.UnwiredLtd.com > Desk: 510-868-1614 x100 > > Mobile: 510-207-0000 > pkranz at unwiredltd.com > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From zivl at gilat.net Thu May 21 09:42:06 2009 From: zivl at gilat.net (Ziv Leyes) Date: Thu, 21 May 2009 16:42:06 +0300 Subject: [c-nsp] OT: 871W config In-Reply-To: <4A14B4AD.2090003@justinshore.com> References: <4A14B4AD.2090003@justinshore.com> Message-ID: Why do you think this is off topic? This is a config sample of I'm using at home and it's working great, of course you need to change some of the settings to match your needs. ! bridge irb bridge 1 protocol ieee bridge 1 route ip ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Dot11Radio0 description WLAN no ip address ip virtual-reassembly load-interval 30 ! broadcast-key vlan 1 change 45 ! ! encryption vlan 1 mode ciphers tkip ! ssid MY-SSID-NAME vlan 1 authentication open authentication key-management wpa guest-mode wpa-psk ascii my-wpa-psk-key ! speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no keepalive dot1x reauth-period 60 no cdp enable ! interface Dot11Radio0.1 description WLAN encapsulation dot1Q 1 native no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface Vlan1 description LAN no ip address load-interval 30 bridge-group 1 ! 
interface BVI1 description Connection to LAN & WLAN ip address 192.168.0.1 255.255.255.0 ip verify unicast reverse-path no ip redirects no ip unreachables no ip proxy-arp ip virtual-reassembly ip route-cache flow load-interval 30 ! Hope this helps Ziv -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore Sent: Thursday, May 21, 2009 4:56 AM To: 'Cisco-nsp' Subject: [c-nsp] OT: 871W config I've got an off-topic plea. I'm trying to configure a simple little 871W as a CE that I need to deploy next week. The wifi on this thing is kicking my ass. 881Ws are completely different than their 871W ancestors. 881Ws have a logically separate internal AP that you basically session into. The 871W's radio is integrated into the router's config itself. I can't for the life of me get wifi sub-ints to bridge onto the SVIs that I'm using on the wired side (3x VLANs: data, voice, and guest). I found a config guide online that showed SVIs configured with nothing but the bridge-group commands, BVIs corresponding to those bridge-groups where all the L3 config now resides, and then normal Dot11Radio sub-ints with matching bridge-groups. However doing this and putting the bridge-group commands on the SVIs breaks the wired connectivity (and doesn't make wifi work anyway). Does anyone have a working config for a 871W that they wouldn't mind sharing off-list? This should be a trivially minor config and for some reason it's thoroughly stumping me. Thanks Justin _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. 
************************************************************************************

From achatz at forthnet.gr Thu May 21 09:43:50 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 21 May 2009 16:43:50 +0300
Subject: [c-nsp] Limits of STP/RSTP/REP?
In-Reply-To: <4f909a820905210225m76dd8727o35da241ff124015@mail.gmail.com>
References: <4A14474D.10202@gmx.de> <20090520200403.GA13268@kallisti.us> <4A1467B3.5000705@gmx.de> <20090520233405.GA14624@kallisti.us> <4f909a820905210225m76dd8727o35da241ff124015@mail.gmail.com>
Message-ID: <4A155A96.8070206@forthnet.gr>

I had the impression that STP diameter defined the max number of bridges between 2 points.
And the recommended value by the IEEE was 7 (using default timers).

--
Tassos

Сергій Халавчук wrote on 21/05/2009 12:25:
>> Definitely not more than 20 in a ring. As far as I know, IOS limits
>> the value of max-hops to 20. This means you can't have a BPDU
>> traverse more than 20 hops without being thrown away. If one pair of
>> switches in the ring experienced a total cut, your network would have
>> a diameter of 20, end to end.
>
> this is STP limitation: MaxAge is by default 20 hops.
> for IOS, you can change this value:
>
> Switch(config)#spanning-tree vlan 1 max-age ?
> <6-40> maximum number of seconds the information in a BPDU is valid
> or for MST
> Switch(config)#spanning-tree mst max-age ?
> <6-40> maximum number of seconds the information in a BPDU is valid
>
> value 40 is maximum bpdu hopcount for 3560 switch, for other models
> there can be other upper limit.
>
> --
> wbr
> sergey khalavchuk

From jlewis at lewis.org Thu May 21 09:48:54 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 21 May 2009 09:48:54 -0400 (EDT)
Subject: [c-nsp] netflow sampling
In-Reply-To: <03D29B2C-DC83-4A8C-8FA8-C8A1C95F025F@arbor.net>
References: <20090519.223423.74678908.sthaug@nethelp.no> <20090519.231859.41708283.sthaug@nethelp.no> <03D29B2C-DC83-4A8C-8FA8-C8A1C95F025F@arbor.net>
Message-ID:

On Wed, 20 May 2009, Roland Dobbins wrote:

> As mentioned earlier, sampled NetFlow is viewed by many as quite accurate
> enough for accounting/billing.

If you're only looking at 1/64th of the packets, how do you accurately bill for traffic? Are you assuming that netflow would be collected on the customer-facing interfaces, and that the data for each would simply be multiplied by 64 (in the case of sampling time-based 64)?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From achatz at forthnet.gr Thu May 21 09:54:40 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 21 May 2009 16:54:40 +0300
Subject: [c-nsp] Limits of STP/RSTP/REP?
In-Reply-To: <4A155A96.8070206@forthnet.gr>
References: <4A14474D.10202@gmx.de> <20090520200403.GA13268@kallisti.us> <4A1467B3.5000705@gmx.de> <20090520233405.GA14624@kallisti.us> <4f909a820905210225m76dd8727o35da241ff124015@mail.gmail.com> <4A155A96.8070206@forthnet.gr>
Message-ID: <4A155D20.7040107@forthnet.gr>

switch(config)#spanning-tree vlan 7 root primary ?
  diameter  Network diameter of this spanning tree

switch(config)#spanning-tree vlan 7 root primary diameter ?
  <2-7>  Maximum number of bridges between any two end nodes

--
Tassos

Tassos Chatzithomaoglou wrote on 21/05/2009 16:43:
> I had the impression that STP diameter defined the max number of bridges
> between 2 points.
> And the recommended value by the IEEE was 7 (using default timers).
>
> --
> Tassos

--
****************************
Tassos Chatzithomaoglou
Backbone & Access Networks
FORTHnet S.A.
****************************

From chris.garzon at gmail.com Thu May 21 03:52:09 2009
From: chris.garzon at gmail.com (Dracul)
Date: Thu, 21 May 2009 15:52:09 +0800
Subject: [c-nsp] Video Network Load Tests
Message-ID: <876789290905210052j35c62d56g3d355e0d81c17558@mail.gmail.com>

Hi Guys,

Can anyone recommend good Video Simulator test tools to be documented inside a cisco network?

I want to test the load using streams of HD, SD streams, using simulated clients.
iperf seems to be mentioned as one of them.
Any idea if there's a standard test script to do this as well? This also involves igmp snooping and the likes.

Thanks!
chris

From felixnkansah at gmail.com Thu May 21 10:10:52 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Thu, 21 May 2009 14:10:52 +0000
Subject: [c-nsp] OT: Access Point Automatically shifting between Controller-based and Autonomous Modes?
Message-ID: <18dba4e50905210710scef41c7j8d42f505d57d8284@mail.gmail.com>

Hi,

I am looking to deploy a unified wlan solution (controller-based) for a customer with a central office and several remote business branches. The branches are all connected to the head office by radio or vsat links.

I am considering placing a controller at the head office to manage all access points including those at the remote locations.

However, if the radio or vsat link to the branch should go down (which is quite common in my country), I do not want clients to lose connection on the wireless. I would love the access points to shift to some kind of autonomous mode automatically so that client workstations can at least remain connected and access other resources that may be localized at the remote locations (such as network printers). The APs should automatically reconnect if the link to the H/O comes back up (just like the SRST feature used in IPT).

I was wondering if this is possible?

Thanks,
Felix

From zivl at gilat.net Thu May 21 03:11:18 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 21 May 2009 10:11:18 +0300
Subject: [c-nsp] OT: 871W config
In-Reply-To: <4A14B4AD.2090003@justinshore.com>
References: <4A14B4AD.2090003@justinshore.com>
Message-ID:

This is a config sample I'm using at home and it's working great; of course you need to change some of the settings to match your needs.

!
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 description WLAN
 no ip address
 ip virtual-reassembly
 load-interval 30
 !
 broadcast-key vlan 1 change 45
 !
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid MY-SSID-NAME
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii my-wpa-psk-key
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no keepalive
 dot1x reauth-period 60
 no cdp enable
!
interface Dot11Radio0.1
 description WLAN
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description LAN
 no ip address
 load-interval 30
 bridge-group 1
!
interface BVI1
 description Connection to LAN & WLAN
 ip address 192.168.0.1 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
!

Hope this helps
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Thursday, May 21, 2009 4:56 AM
To: 'Cisco-nsp'
Subject: [c-nsp] OT: 871W config

I've got an off-topic plea. I'm trying to configure a simple little 871W as a CE that I need to deploy next week. The wifi on this thing is kicking my ass. 881Ws are completely different than their 871W ancestors. 881Ws have a logically separate internal AP that you basically session into. The 871W's radio is integrated into the router's config itself. I can't for the life of me get wifi sub-ints to bridge onto the SVIs that I'm using on the wired side (3x VLANs: data, voice, and guest).
I found a config guide online that showed SVIs configured with nothing but the bridge-group commands, BVIs corresponding to those bridge-groups where all the L3 config now resides, and then normal Dot11Radio sub-ints with matching bridge-groups. However doing this and putting the bridge-group commands on the SVIs breaks the wired connectivity (and doesn't make wifi work anyway).

Does anyone have a working config for a 871W that they wouldn't mind sharing off-list? This should be a trivially minor config and for some reason it's thoroughly stumping me.

Thanks
Justin

From A.L.M.Buxey at lboro.ac.uk Thu May 21 10:34:46 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 21 May 2009 15:34:46 +0100
Subject: [c-nsp] OT: Access Point Automatically shifting between Controller-based and Autonomous Modes?
In-Reply-To: <18dba4e50905210710scef41c7j8d42f505d57d8284@mail.gmail.com>
References: <18dba4e50905210710scef41c7j8d42f505d57d8284@mail.gmail.com>
Message-ID: <20090521143446.GA9764@lboro.ac.uk>

Hi,

> The branches are all connected to the head office by radio or vsat links.
>
> I am considering placing a controller at the head office to manage all
> access points including those at the remote locations.
>
> However, if the radio or vsat link to the branch should go down (which is
> quite common in my country), I do not want clients to lose connection on the
> wireless.

I know that the Cisco wireless solution can do this - the access points talk back to a central controller and you can operate in what's known as H-REAP mode, under which the LANs that the AP serves out drop out to the local switch the AP is fed by (trunk link yada yada), and if the main link goes down then the AP uses a cache of all current sessions so that they can continue.. it's only new sessions that cannot be authenticated.

> I was wondering if this is possible?

Very possible. Chat to your SE.

alan

From jackson.tim at gmail.com Thu May 21 10:45:57 2009
From: jackson.tim at gmail.com (Tim Jackson)
Date: Thu, 21 May 2009 09:45:57 -0500
Subject: [c-nsp] Video Network Load Tests
In-Reply-To: <876789290905210052j35c62d56g3d355e0d81c17558@mail.gmail.com>
References: <876789290905210052j35c62d56g3d355e0d81c17558@mail.gmail.com>
Message-ID: <4407932e0905210745n31d99c9bo3490464f94af13ba@mail.gmail.com>

VLC can stream video in whatever form(s) you want... Also, check out IQMediaStim from IneoQuest... We use our Geminus probe to generate GigE linerate of duplicated streams, too... Works well...

--
Tim

On Thu, May 21, 2009 at 2:52 AM, Dracul wrote:
> Hi Guys,
>
> Can anyone recommend good Video Simulator test tools to be documented inside
> a cisco network?
>
> I want to test the load using streams of HD, SD streams, using simulated
> clients.
> iperf seems to be mentioned as one of them. Any idea if there's a standard
> test script to
> do this as well? This also involves igmp snooping and the likes. Thanks!
>
> chris

From Jeff.Wojciechowski at midlandpaper.com Thu May 21 10:45:09 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Thu, 21 May 2009 09:45:09 -0500
Subject: [c-nsp] OT: 871W config
In-Reply-To:
References: <4A14B4AD.2090003@justinshore.com>,
Message-ID: <6B8401A83219DF499C34DEAEE9A599920FF7CC55E7@XBOX.midlandpaper.com>

Thanks Ziv... Exactly what I was looking for as well! Try it out after I unpack my equipment after moving to the new house.

-Jeff
________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes [zivl at gilat.net]
Sent: Thursday, May 21, 2009 2:11 AM
To: 'Cisco-nsp'
Subject: Re: [c-nsp] OT: 871W config

From kevin.hodle at gmail.com Thu May 21 10:49:35 2009
From: kevin.hodle at gmail.com (Kevin Hodle)
Date: Thu, 21 May 2009 09:49:35 -0500
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact onSup720-3BXL?
In-Reply-To: <70B682BC-5E89-4474-A0C9-97DFDE19944F@cisco.com>
References: <010201c9d9bd$7c072860$74157920$@com> <70B682BC-5E89-4474-A0C9-97DFDE19944F@cisco.com>
Message-ID: <9639597a0905210749v7a1e4d37w1ae9f22c0552eb2a@mail.gmail.com>

This would be a good solution if both of his sessions terminated on the same edge router, but in Peter's scenario he has 2 sessions, each on a different edge router, so multi-hop load-balancing wouldn't be helpful for him.
If he had both upstream provider links on the same edge router, I think he would be better off just doing LACP/link-aggregation (or ml-ppp for serial links) with his upstream and using that for load-sharing, since both of his upstream links are terminating on the same router on his provider's side..

Cheers,
Kevin

On Wed, May 20, 2009 at 11:07 PM, Brad Hedlund (brhedlun) wrote:
> Better to use 'ebgp multihop' and peer to provider router's loopback. Then
> have equal cost static routes to provider's loopback via the two physical
> interface next hop IP addresses.
>
> Cheers,
>
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
>
> On May 20, 2009, at 9:47 PM, "Peter Kranz" wrote:
>
>> Setup is as follows; 2 edge routers, each with a BGP session receiving full
>> routes to the same provider router. The provider is load balancing inbound
>> traffic to our AS nicely, 50/50 between the edge routers.. I would also like
>> to load balance the outbound traffic.. I've considered adding 'maximum-paths
>> 2' to install the two equal paths, but am concerned about FIB TCAM impacts.
>> Will adding this command cause each equal cost route to take one additional
>> TCAM entry, i.e. full routing table x 2 > 524k TCAM limit = EPIC meltdown?
>>
>> Current FIB TCAM:
>>
>> L3 Forwarding Resources
>>            FIB TCAM usage:                     Total        Used       %Used
>>                 72 bits (IPv4, MPLS, EoM)     524288      285506       54%
>>                144 bits (IP mcast, IPv6)      262144           5        1%
>>
>> Peter Kranz
>> www.UnwiredLtd.com
>> Desk: 510-868-1614 x100
>> Mobile: 510-207-0000
>> pkranz at unwiredltd.com
>>

--
|| Kevin Hodle ||
|| 913-780-3959 (Primary) || 913-626-7197 (Mobile)
PGP KeyID [0xBBDE8ED7]
fingerprint [3E1B 1F10 938E A831 8CF2 670C 1329 0B8B BBDE 8ED7]

From kloch at kl.net Thu May 21 10:47:00 2009
From: kloch at kl.net (Kevin Loch)
Date: Thu, 21 May 2009 10:47:00 -0400
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact onSup720-3BXL?
In-Reply-To: <70B682BC-5E89-4474-A0C9-97DFDE19944F@cisco.com>
References: <010201c9d9bd$7c072860$74157920$@com> <70B682BC-5E89-4474-A0C9-97DFDE19944F@cisco.com>
Message-ID: <4A156964.7010709@kl.net>

I am doing 8 parallel full tables to the same provider on an rsp720 with no issues. You can barely do 6 full tables on a sup720-3bxl. The limitation is processor memory, not tcam. Here is what 6 looks like with 12.2SXF16:

               Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor  44B0D4B0   927902544   815304080   112598464    88132216    77785200

 FIB TCAM usage:                     Total        Used       %Used
  72 bits (IPv4, MPLS, EoM)         524288      281823       54%

As you can see memory is very tight with 6 parallel full tables but tcam usage is normal. I would not expect any problems with 2 however.

- Kevin

Brad Hedlund (brhedlun) wrote:
> Better to use 'ebgp multihop' and peer to provider router's loopback.
> Then have equal cost static routes to provider's loopback via the two
> physical interface next hop IP addresses.
>
> Cheers,
>
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
>
> On May 20, 2009, at 9:47 PM, "Peter Kranz" wrote:
>

From ibrahim.abozaid at gmail.com Thu May 21 10:52:38 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 21 May 2009 17:52:38 +0300
Subject: [c-nsp] C4K_PKTPROCESSING-5-NOTAPPLYINGACL
In-Reply-To: <4A13FFBC.7050802@uk.clara.net>
References: <7B8B0D6F623C3A40A0D0A80A66756E2B0105C0@EXVS01.claranet.local> <4DFC6824-C7E8-488A-B3A1-CC9F582ED337@cisco.com> <4A13FFBC.7050802@uk.clara.net>
Message-ID:

Hi David

From Cisco:

Error Message    C4K_PKTPROCESSING-5-NOTAPPLYINGACL:Not applying
[input/output] Acl for packet [packet-info]

Explanation    The software has not taken the ACL actions because it could not determine the correct ACL entry indicated by the hardware. The hardware-provided index of the ACL content addressable memory (CAM) indicates that the software needs to take the actions for the entry at that index. If the packet was queued in the hardware before being processed by the software, the index is out-of-date.

Recommended Action    This message is informational only. No action is required.

The only thing I am wondering about is: the ACL HW-index is temp and has an expiration timer? So do you have any QoS policy applied at the same interface? Do you have any CPU problem on this gear?

best regards
--Ibrahim

On Wed, May 20, 2009 at 4:03 PM, David Freedman wrote:
> No ACL changes being made at the time, a block of these occur randomly
> at once, could there be a CAM problem?
>
> Dave.
>
> Richard Gallagher wrote:
> > David,
> >
> > How often did the message occur? Were any ACL changes being made at the
> > time?
> >
> > Rich
> >
> > On 20 May 2009, at 01:35, David Freedman wrote:
> >
> >> Anybody seen these messages occur frequently?
> >>
> >>> May 18 09:19:31 box 575: May 18 08:20:37 UTC:
> >>> %C4K_PKTPROCESSING-5-NOTAPPLYINGACL: Not applying Output Acl for packet
> >>> udp srcHost 1.1.1.1 dstHost 2.2.2.2 tos 0 srcPort 934
> >>> dstPort 2049
> >>
> >> According to the error decoder, they are a CAM programming issue but that
> >> is about the level of detail it goes into. I would infer from this that
> >> they should only be seen rarely, but I'm starting to see them frequently;
> >> box is 4948 running 12.2(25)EWA10, bugtool as usual has nothing.
> >>
> >> Any pointers appreciated.
> >>
> >> Regards,
> >>
> >> ------------------------------------------------
> >> David Freedman
> >> Group Network Engineering
> >> Claranet Limited
> >> http://www.clara.net
> >>
> >
>

From thilak.t at gmail.com Thu May 21 10:58:10 2009
From: thilak.t at gmail.com (Thilak T)
Date: Thu, 21 May 2009 07:58:10 -0700
Subject: [c-nsp] OT: 871W config - Digest, Vol 78, Issue 63
Message-ID: <1d11fbf80905210758v5fa55097pdcb43e90b517aba1@mail.gmail.com>

On Thu, May 21, 2009 at 5:50 AM, wrote:
> Send cisco-nsp mailing list submissions to
> cisco-nsp at puck.nether.net
>
> Today's Topics:
>
>    1. Re: Bandwidth displayed on Tunnel interfaces (Steve Bertrand)
>    2. OT: 871W config (Justin Shore)
>    3. Re: OT: 871W config (Ray Burkholder)
>    4. ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL? (Peter Kranz)
>    5. Re: WS-X6724-SFP & SXI = high cpu usage? (Tassos Chatzithomaoglou)
>    6. Dynamic NAT on router and ASA (Ibrahim Abo Zaid)
>    7. Re: ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL? (Kevin Hodle)
>    8. Re: Limits of STP/RSTP/REP? (Sergey Khalavchuk)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 20 May 2009 19:42:53 -0400
> From: Steve Bertrand
> Subject: Re: [c-nsp] Bandwidth displayed on Tunnel interfaces
> To: Jay Hennigan
> Cc: Cisco-NSP Mailing List
> Message-ID: <4A14957D.3090703 at ibctech.ca>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Jay Hennigan wrote:
> > Steve Bertrand wrote:
>
> >> If I understand the Cisco documentation correctly, the "BW" is used
> >> exclusively for link metric/cost, but it also shows up in my MRTG graphs
> >> and skews the percentage results.
> >>
> >> Since these tunnels operate on top of the same underlying connection
> >> type as the IPv4 infrastructure, I'd like to set the bandwidth manually
> >> to the same setting as the interface type the tunnel is connected over
> >> (or better yet, set it globally for all tunnel interfaces).
> >>
> >> AFAICT, doing this won't have any operational impact other than what it
> >> would normally have on an IGP (which is fine, because all IGP is over
> >> direct Ethernet), and fixing my graphing/statistical applications.
> >>
> >> Can I get some feedback on whether my thinking is correct? Tunnel
Tunnel > >> bandwidth should be 100Mb: > >> > >> pe2-fibre#sh int tun5 > >> Tunnel5 is up, line protocol is up > >> Hardware is Tunnel > >> Description: IPv6 BGP Tunnel to he.net > >> MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, > >> reliability 255/255, txload 18/255, rxload 163/255 > >> Encapsulation TUNNEL, loopback not set > >> Keepalive not set > >> Tunnel source 208.70.111.131, destination 216.218.229.118 > >> Tunnel protocol/transport IPv6/IP > >> Tunnel TTL 255 > >> Fast tunneling enabled > >> Tunnel transmit bandwidth 8000 (kbps) > >> Tunnel receive bandwidth 8000 (kbps) > > > > Correct. > > > > conf t > > int tu5 > > bandwidth 100000 > > ^Z > > wr > > Much, MUCH better! > > Now my quick graphs actually account for proper v6 throughput. > > Thanks! > > Steve > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/x-pkcs7-signature > Size: 3233 bytes > Desc: S/MIME Cryptographic Signature > URL: < > https://puck.nether.net/pipermail/cisco-nsp/attachments/20090520/84bf30cc/attachment-0001.bin > > > > ------------------------------ > > Message: 2 > Date: Wed, 20 May 2009 20:55:57 -0500 > From: Justin Shore > Subject: [c-nsp] OT: 871W config > To: "'Cisco-nsp'" > Message-ID: <4A14B4AD.2090003 at justinshore.com> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > I've got an off-topic plea. I'm trying to configure a simple little > 871W as a CE that I need to deploy next week. The wifi on this thing is > kicking my ass. 881Ws are completely different than their 871W > ancestors. 881Ws have a logically separate internal AP that you > basically session into. The 871W's radio is integrated into the > router's config itself. I can't for the life of me get wifi sub-ints to > bridge onto the SVIs that I'm using on the wired side (3x VLANs: data, > voice, and guest). 
>
> I found a config guide online that showed SVIs configured with nothing
> but the bridge-group commands, BVIs corresponding to those bridge-groups
> where all the L3 config now resides, and then normal Dot11Radio sub-ints
> with matching bridge-groups. However doing this and putting the
> bridge-group commands on the SVIs breaks the wired connectivity (and
> doesn't make wifi work anyway).
>
> Does anyone have a working config for a 871W that they wouldn't mind
> sharing off-list? This should be a trivially minor config and for some
> reason it's thoroughly stumping me.
>
> Thanks
> Justin
>

Here is a sample config from one of our production APs.

!
dot11 ssid andromeda
   vlan 997
   authentication open eap xxxxxxxx
   authentication network-eap xxxxxxx
   authentication key-management wpa
   accounting xxxxxxxxxxx
   guest-mode
   mbssid guest-mode
!
dot11 ssid infrastructure
   vlan 999
   authentication open
   authentication network-eap wireless
   authentication client username xxxxxx password xxxxxxxxxxxx
   infrastructure-ssid
!
dot11 ssid minutemen
   vlan 996
   authentication open eap xxxxxxxxxx
   authentication network-eap xxxxxxxxxxxxx
   accounting xxxxxxxxxxxx
!
dot11 ssid rainbow
   vlan 998
   authentication open
   accounting xxxxxxxxxxx
dot11 network-map
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 1
dot11 priority-map avvid
!
crypto pki trustpoint TP-self-signed-3162012866
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3162012866
 revocation-check none
 rsakeypair TP-self-signed-3162012866
!
!
crypto ca certificate chain TP-self-signed-3162012866
 certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer
!
!
class-map match-any VOICE-CONTROL
 match access-group name VOICE-CONTROL
 match any
class-map match-any VOICE
 match access-group name VOICE
 match any
!
!
policy-map WLAN_QOS
 class VOICE-CONTROL
  set cos 3
 class VOICE
  set cos 5
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip route-cache
 !
 encryption vlan 997 mode ciphers tkip
 !
 encryption vlan 999 mode wep mandatory mic key-hash
 !
 encryption vlan 996 mode wep mandatory
 !
 ssid andromeda
 !
 ssid infrastructure
 !
 ssid minutemen
 !
 ssid rainbow
 !
 mbssid
 traffic-class best-effort cw-min 3 cw-max 4 fixed-slot 2
 parent 1 000d.29f0.a601
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power local cck 100
 power local ofdm 30
 channel 2462
 station-role root fallback shutdown
 rts threshold 2312
 beacon period 97
 dot11 qos class best-effort
    transmit-op 1504
 !
 dot11 extension power native
 world-mode dot11d country US both
 no cdp enable
 dot1x reauth-period server
!
interface Dot11Radio0.996
 encapsulation dot1Q 996
 service-policy input WLAN_QOS
 service-policy output WLAN_QOS
 no ip route-cache
 bridge-group 253
 bridge-group 253 subscriber-loop-control
 bridge-group 253 block-unknown-source
 no bridge-group 253 source-learning
 no bridge-group 253 unicast-flooding
 bridge-group 253 spanning-disabled
!
interface Dot11Radio0.997
 encapsulation dot1Q 997
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!
interface Dot11Radio0.998
 encapsulation dot1Q 998
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 port-protected
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface Dot11Radio0.999
 encapsulation dot1Q 999 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 input-address-list 700
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0.996
 encapsulation dot1Q 996
 no ip route-cache
 bridge-group 253
 no bridge-group 253 source-learning
 bridge-group 253 spanning-disabled
!
interface FastEthernet0.997
 encapsulation dot1Q 997
 no ip route-cache
 bridge-group 255
 no bridge-group 255 source-learning
 bridge-group 255 spanning-disabled
!
interface FastEthernet0.998
 encapsulation dot1Q 998
 ip helper-address 152.135.148.226
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
!
interface FastEthernet0.999
 encapsulation dot1Q 999 native
 ip dhcp relay information trusted
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Wireless Management Network
 ip address 10.100.127.23 255.255.255.128
 no ip route-cache
!
ip default-gateway 10.100.127.1
ip http server
ip http authentication aaa
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http secure-client-auth
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
!
ip access-list extended VOICE
 permit udp any any range 16384 32767
ip access-list extended VOICE-CONTROL
 permit tcp any any range 2000 2002
 permit tcp any any eq 1720
 permit tcp any any range 11000 11999
 permit udp any any eq 2427
logging history debugging
logging trap debugging
logging facility local2
logging 152.135.171.55
radius-server attribute 32 include-in-access-req format %h
radius-server host XXXXXXX auth-port 1645 acct-port 1646 key 7 075D2F7B1D280A12410632
radius-server timeout 15
radius-server deadtime 1
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
wlccp ap username scla_wds password 7 xxxxxxxxxxxx
wlccp authentication-server infrastructure amat_wireless
wlccp authentication-server client leap amat_wireless
wlccp authentication-server client any amat_wireless
banner motd CCCCC
>
> ------------------------------
>
> Message: 3
> Date: Wed, 20 May 2009 23:32:27 -0300
> From: "Ray Burkholder"
> Subject: Re: [c-nsp] OT: 871W config
> To: "'Justin Shore'" , "'Cisco-nsp'"
> Message-ID: <0C4FF5425DEE44C58DB6398BD9E62179 at oneunified.local>
> Content-Type: text/plain; charset="us-ascii"
>
> > Does anyone have a working config for a 871W that they
> > wouldn't mind sharing off-list? This should be a trivially
> > minor config and for some reason it's thoroughly stumping me.
>
> http://www.oneunified.net/blog/Cisco/Cisco871Wireless.article
>
> Done with the CLI. In addition 12.4(15)T8 works. 12.4(20) doesn't do
> wireless well.
>
> ------------------------------
>
> Message: 4
> Date: Wed, 20 May 2009 19:40:20 -0700
> From: "Peter Kranz"
> Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact
> on Sup720-3BXL?
> To:
> Message-ID: <010201c9d9bd$7c072860$74157920$@com>
> Content-Type: text/plain; charset="us-ascii"
>
> Setup is as follows; 2 edge routers, each with a BGP session receiving full
> routes to the same provider router. The provider is load balancing inbound
> traffic to our AS nicely, 50/50 between the edge routers.. I would also
> like to load balance the outbound traffic.. I've considered adding
> 'maximum-paths 2' to install the two equal paths, but am concerned about
> FIB TCAM impacts. Will adding this command cause each equal cost route to
> take one additional TCAM entry, i.e. full routing table x 2 > 524k TCAM
> limit = EPIC meltdown?
>
> Current FIB TCAM:
>
> L3 Forwarding Resources
>              FIB TCAM usage:                     Total        Used    %Used
>                  72 bits (IPv4, MPLS, EoM)      524288      285506      54%
>                 144 bits (IP mcast, IPv6)       262144           5       1%
>
> Peter Kranz
> www.UnwiredLtd.com
> Desk: 510-868-1614 x100
> Mobile: 510-207-0000
> pkranz at unwiredltd.com
>
> ------------------------------
>
> Message: 5
> Date: Thu, 21 May 2009 11:52:00 +0300
> From: Tassos Chatzithomaoglou
> Subject: Re: [c-nsp] WS-X6724-SFP & SXI = high cpu usage?
> To: cisco-nsp
> Message-ID: <4A151630.1040400 at forthnet.gr>
> Content-Type: text/plain; charset=ISO-8859-7; format=flowed
>
> For everyone interested, the outcome is that WS-X6724-SFP or WS-X6748-SFP
> need to have a lot (~15-20) of SFPs connected
> in order for the cpu to increase.
>
> CSCsr21196: x6724/x6748 SFP enhanced link detection method
> The link background aggressively polls 24 ports at a poll. There is no
> toggle to turn it on or off.
>
> --
> Tassos
>
> Tassos Chatzithomaoglou wrote on 02/04/2009 08:13:
> > Anyone running SXI with a WS-X6724-SFP module (DFC or non DFC), showing
> > high cpu usage due to the fw_lcp process?
> >
> > 6500#remote command module 1 sh proc cpu sort | exc 0.00
> >
> > CPU utilization for five seconds: 32%/1%; one minute: 31%; five minutes: 31%
> >  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
> >  187     1949496    613964   3175 31.19% 30.47% 30.45%   0 fw_lcp process
> >
> > 6500#sh platform hardware capacity cpu
> > CPU Resources
> >   CPU utilization: Module   5 seconds   1 minute   5 minutes
> >                      1       28% / 0%      28%        28%
> >                      6 RP     1% / 1%       1%         1%
> >                      6 SP    18% / 0%      15%        14%
> > 6500#sh mod
> > Mod Ports Card Type                              Model              Serial No.
> > --- ----- -------------------------------------- ------------------ -----------
> >   1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       XXXXXXXXXXX
> >   6    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       XXXXXXXXXXX
> >
> > SXH, SXF do not seem to have this problem.
>
> ------------------------------
>
> Message: 6
> Date: Thu, 21 May 2009 13:58:07 +0300
> From: Ibrahim Abo Zaid
> Subject: [c-nsp] Dynamic NAT on router and ASA
> To: cisco_nsp
> Message-ID:
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi All
>
> i have NAT and PAT configured on ASA 5520 and it works as expected from ASA,
> NAT all incoming connections 1:1 until the NAT pool is depleted, then PAT all
> next connections
>
> but actually, the NAT pool never gets depleted and the ASA started to use the
> PAT pool although there are free IPs in the NAT pool and that is strange
>
> so i think to transfer NAT to the edge router and use dynamic NAT instead
> of dynamic NAT on ASA but i need to know if dynamic NAT on the router will do that
>
> 1- configure NAT pool with N global addresses
> 2- NAT first N connections to NAT pool 1:1
> 3- for next connections, begin from start again so the N+1 connection will get
> the same translation as the first connection
>
> that seems like "Rotary" NAT but it works for outside connections not
> inside, does anyone have practical experience that it will work as described
> above?
>
> best regards
> --Ibrahim
>
> ------------------------------
>
> Message: 7
> Date: Thu, 21 May 2009 07:35:35 -0500
> From: Kevin Hodle
> Subject: Re: [c-nsp] ebgp load balancing using maxiumu-paths TCAM
> impact on Sup720-3BXL?
> To: cisco-nsp at puck.nether.net
> Message-ID:
> <9639597a0905210535k16458411nebac7a6b2ab2936a at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Peter,
>
> Another option for load balancing outbound traffic in your scenario
> would be to do some netflow analysis on your upstream ports and have a
> look at what the top destination ASNs your outbound traffic is flowing
> toward.
> Using this data, you can construct as-path ACLs which you can
> utilize in your inbound route-map on each upstream BGP session to set
> a higher local-preference for 'preferred' routes on each session (ie
> routes from ASXXX get a local-preference 1 higher than your standard
> upstream route local-preference), and accept the rest of the full
> table on each session with your normal local-preference. Using your
> netflow analysis you should be able to achieve a fairly equal traffic
> split (as you will be able to see what % of your total outbound
> traffic is going to which ASNs, use this data to come up with an
> approximated 50/50 outbound traffic split) and you will still have
> redundancy in place for all routes if one of the sessions drop. It
> would take a little more effort than simply turning on multi-pathing,
> but in your scenario it might be more ideal as you won't have to worry
> about 3bxl TCAM constraints with this method.
>
> Cheers,
> Kevin Hodle
>
> On Wed, May 20, 2009 at 9:40 PM, Peter Kranz wrote:
> > Setup is as follows; 2 edge routers, each with a BGP session receiving
> > full routes to the same provider router. The provider is load balancing
> > inbound traffic to our AS nicely, 50/50 between the edge routers.. I
> > would also like to load balance the outbound traffic.. I've considered
> > adding 'maximum-paths 2' to install the two equal paths, but am
> > concerned about FIB TCAM impacts. Will adding this command cause each
> > equal cost route to take one additional TCAM entry, i.e. full routing
> > table x 2 > 524k TCAM limit = EPIC meltdown?
> >
> > Current FIB TCAM:
> >
> > L3 Forwarding Resources
> >              FIB TCAM usage:                     Total        Used    %Used
> >                  72 bits (IPv4, MPLS, EoM)      524288      285506      54%
> >                 144 bits (IP mcast, IPv6)       262144           5       1%
> >
> > Peter Kranz
> > www.UnwiredLtd.com
> > Desk: 510-868-1614 x100
> > Mobile: 510-207-0000
> > pkranz at unwiredltd.com
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> --
> || Kevin Hodle
> ||
> || 913-780-3959 (Primary)
> || 913-626-7197 (Mobile)
>
> PGP KeyID [0xBBDE8ED7]
> fingerprint [3E1B 1F10 938E A831 8CF2 670C 1329 0B8B BBDE 8ED7]
>
> ------------------------------
>
> Message: 8
> Date: Thu, 21 May 2009 12:25:44 +0300
> From: Sergey Khalavchuk
> Subject: Re: [c-nsp] Limits of STP/RSTP/REP?
> To: Ross Vandegrift
> Cc: c-nsp
> Message-ID:
> <4f909a820905210225m76dd8727o35da241ff124015 at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> > Definitely not more than 20 in a ring. As far as I know, IOS limits
> > the value of max-hops to 20. This means you can't have a BPDU
> > traverse more than 20 hops without being thrown away. If one pair of
> > switches in the ring experienced a total cut, your network would have
> > a diameter of 20, end to end.
>
> this is STP limitation: MaxAge is by default 20 hops.
> for IOS, you can change this value:
>
> Switch(config)#spanning-tree vlan 1 max-age ?
>   <6-40>  maximum number of seconds the information in a BPDU is valid
> or for MST
> Switch(config)#spanning-tree mst max-age ?
>   <6-40>  maximum number of seconds the information in a BPDU is valid
>
> value 40 is maximum bpdu hopcount for 3560 switch, for other models
> there can be other upper limit.
>
> --
> wbr
> sergey khalavchuk
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 78, Issue 62
> *****************************************

From petelists at templin.org Thu May 21 10:27:39 2009
From: petelists at templin.org (Pete Templin)
Date: Thu, 21 May 2009 09:27:39 -0500
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To: <4A15530A.7070605@imperial.ac.uk>
References: <010201c9d9bd$7c072860$74157920$@com> <4A15530A.7070605@imperial.ac.uk>
Message-ID: <4A1564DB.4080301@templin.org>

Phil Mayers wrote:
> I'm not 100% certain about this, but my understanding is that there is
> still only 1 FIB entry for the route; it just has >1 next hop.
>
> However - will this work? For eBGP-multipath, the paths have to be
> basically identical except next-hop. This won't be the case, since each
> router will prefer its direct link (lower IGP cost).

I think you're close: rule #7 says "Prefer eBGP over iBGP paths", so each router will prefer its direct link (since it's external). The indirect paths won't be available for parallel path selection since they've fallen out before the bottom.
pt

From david.freedman at uk.clara.net Thu May 21 10:59:01 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 21 May 2009 15:59:01 +0100
Subject: [c-nsp] C4K_PKTPROCESSING-5-NOTAPPLYINGACL
In-Reply-To:
References: <7B8B0D6F623C3A40A0D0A80A66756E2B0105C0@EXVS01.claranet.local> <4DFC6824-C7E8-488A-B3A1-CC9F582ED337@cisco.com> <4A13FFBC.7050802@uk.clara.net>
Message-ID: <4A156C35.7070501@uk.clara.net>

Ibrahim:

- No QoS
- V.small outbound ACL
- Low load / CPU
- Low traffic

think it may be a CAM programming issue, am going to capture a textual representation of the ACL entries in the CAM with the command

show platform hardware acl entries interface all

and compare it to the textual ACL applied (or supposedly applied) and try and do this from an EEM applet, this should give me a diff of the two and I can then see which entries don't make it to the CAM and for how long.

Will keep you all updated as I progress (first step to get EEM on the box!!)

Many thanks to Richard for pointing me in the right direction here.

Dave.

Ibrahim Abo Zaid wrote:
> Hi David
>
> from Cisco
>
> Error Message C4K_PKTPROCESSING-5-NOTAPPLYINGACL:Not applying
> [input/output] Acl for packet [packet-info]
>
> Explanation The software has not taken the ACL actions because it could
> not determine the correct ACL entry indicated by the hardware. The
> hardware-provided index of the ACL content addressable memory (CAM)
> indicates that the software needs to take the actions for the entry at that
> index. If the packet was queued in the hardware before being processed by
> the software, the index is out-of-date.
> Recommended Action This message is informational only. No action is
> required.
>
> the only thing i am wondering about is ACL HW-Index is temp and has
> expiration timer ?
>
> so do have any QoS policy applied at the same interface ? do u have any CPU
> problem on this gear ?
>
> best regards
> --Ibrahim
>
> On Wed, May 20, 2009 at 4:03 PM, David Freedman wrote:
>
> No ACL changes being made at the time, a block of these occur randomly
> at once, could there be a CAM problem?
>
> Dave.
>
> Richard Gallagher wrote:
>>>> David,
>>>>
>>>> How often did the message occur? Were any ACL changes being made at the
>>>> time?
>>>>
>>>> Rich
>>>>
>>>> On 20 May 2009, at 01:35, David Freedman wrote:
>>>>
>>>>> Anybody seen these messages occur frequently?
>>>>>
>>>>>> May 18 09:19:31 box 575: May 18 08:20:37 UTC:
>>>>>> %C4K_PKTPROCESSING-5-NOTAPPLYINGACL: Not applying Output Acl for packet
>>>>>> udp srcHost 1.1.1.1 dstHost 2.2.2.2 tos 0 srcPort 934
>>>>>> dstPort 2049
>>>>>
>>>>> According to the error decoder, they are a CAM programming issue but that
>>>>> is about the level of detail it goes into, I would infer from this that
>>>>> they should only be seen rarely but I'm starting to see them frequently,
>>>>> box is 4948 running 12.2(25)EWA10, bugtool as usual has nothing.
>>>>>
>>>>> Any pointers appreciated.
>>>>>
>>>>> Regards,
>>>>>
>>>>> ------------------------------------------------
>>>>> David Freedman
>>>>> Group Network Engineering
>>>>> Claranet Limited
>>>>> http://www.clara.net
>>>>>
>>

From kevin.hodle at gmail.com Thu May 21 02:20:43 2009
From: kevin.hodle at gmail.com (Kevin Hodle)
Date: Thu, 21 May 2009 01:20:43 -0500
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To: <010201c9d9bd$7c072860$74157920$@com>
References: <010201c9d9bd$7c072860$74157920$@com>
Message-ID: <9639597a0905202320l2553c312y7b54b737a5ec404f@mail.gmail.com>

Hi Peter,

Another option for load balancing outbound traffic in your scenario would be to do some netflow analysis on your upstream ports and have a look at what the top destination ASNs your outbound traffic is flowing toward. Using this data, you can construct as-path ACLs which you can utilize in your inbound route-map on each upstream BGP session to set a higher local-preference for 'preferred' routes on each session (ie routes from ASXXX get a local-preference 1 higher than your standard upstream route local-preference), and accept the rest of the full table on each session with your normal local-preference.
Using your netflow analysis you should be able to achieve a fairly equal traffic split (as you will be able to see what % of your total outbound traffic is going to which ASNs, use this data to come up with an approximated 50/50 outbound traffic split) and you will still have redundancy in place for all routes if one of the sessions drop. It would take a little more effort than simply turning on multi-pathing, but in your scenario it might be more ideal as you won't have to worry about 3bxl TCAM constraints with this method.

Cheers,
Kevin Hodle

On Wed, May 20, 2009 at 9:40 PM, Peter Kranz wrote:
> Setup is as follows; 2 edge routers, each with a BGP session receiving full
> routes to the same provider router. The provider is load balancing inbound
> traffic to our AS nicely, 50/50 between the edge routers.. I would also like
> to load balance the outbound traffic.. I've considered adding 'maximum-paths
> 2' to install the two equal paths, but am concerned about FIB TCAM impacts.
> Will adding this command cause each equal cost route to take one additional
> TCAM entry, i.e. full routing table x 2 > 524k TCAM limit = EPIC meltdown?
>
> Current FIB TCAM:
>
> L3 Forwarding Resources
>              FIB TCAM usage:                     Total        Used    %Used
>                  72 bits (IPv4, MPLS, EoM)      524288      285506      54%
>                 144 bits (IP mcast, IPv6)       262144           5       1%
>
> Peter Kranz
> www.UnwiredLtd.com
> Desk: 510-868-1614 x100
> Mobile: 510-207-0000
> pkranz at unwiredltd.com
>

--
|| Kevin Hodle
||
|| PGP KeyID [0xBBDE8ED7]
|| fingerprint [3E1B 1F10 938E A831 8CF2 670C 1329 0B8B BBDE 8ED7]

From rwest at zyedge.com Thu May 21 11:12:59 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 21 May 2009 11:12:59 -0400
Subject: [c-nsp] OT: Access Point Automatically shifting between Controller-based and Autonomous Modes?
In-Reply-To: <18dba4e50905210710scef41c7j8d42f505d57d8284@mail.gmail.com>
References: <18dba4e50905210710scef41c7j8d42f505d57d8284@mail.gmail.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14011A0ED0756D@zy-ex1.zyedge.local>

Felix,

Check into H-REAP for this functionality.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, May 21, 2009 10:11 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OT: Access Point Automatically shifting between Controller-based and Autonomous Modes?

Hi,

I am looking to deploy a unified wlan solution (controller-based) for a customer with a central office and several remote business branches. The branches are all connected to the head office by radio or vsat links.

I am considering placing a controller at the head office to manage all access points including those at the remote locations. However, if the radio or vsat link to the branch should go down (which is quite common in my country), I do not want clients to lose connection on the wireless.
I would love the access points to shift to some kind of autonomous mode automatically so that client workstations can at least remain connected and access other resources that may be localized at the remote locations (such as network printers). The APs should automatically reconnect if the link to the H/O comes back up (just like the SRST feature used in IPT).

I was wondering if this is possible?

Thanks,
Felix

From felixnkansah at gmail.com Thu May 21 11:14:42 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Thu, 21 May 2009 15:14:42 +0000
Subject: [c-nsp] OT: Access Point Automatically shifting between Controller-based and Autonomous Modes?
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14011A0ED0756D@zy-ex1.zyedge.local>
References: <18dba4e50905210710scef41c7j8d42f505d57d8284@mail.gmail.com> <6E21B2BDEF6E714EA0B5BA8D5D0E14011A0ED0756D@zy-ex1.zyedge.local>
Message-ID: <18dba4e50905210814r5d6dd1dfm52ec9879a122bed9@mail.gmail.com>

Thanks guys. I think that is the solution to my requirement.

From r.engehausen at gmail.com Thu May 21 11:56:21 2009
From: r.engehausen at gmail.com (Roy)
Date: Thu, 21 May 2009 08:56:21 -0700
Subject: [c-nsp] Dual homed but no BGP
Message-ID: <4A1579A5.8050705@gmail.com>

Does anyone have an example of a dual homed router without BGP but with NAT?

From petelists at templin.org Thu May 21 11:07:09 2009
From: petelists at templin.org (Pete Templin)
Date: Thu, 21 May 2009 10:07:09 -0500
Subject: [c-nsp] Interface descriptions - what do you put in?
Message-ID: <4A156E1D.2080404@templin.org>

List,

What do you put into your interface descriptions? Do you document circuit ID, far-end equipment/port, near-end equipment/port, and/or anything else?
Pete

From rwest at zyedge.com Thu May 21 12:05:06 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 21 May 2009 12:05:06 -0400
Subject: [c-nsp] Dual homed but no BGP
In-Reply-To: <4A1579A5.8050705@gmail.com>
References: <4A1579A5.8050705@gmail.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14011A0ED0757F@zy-ex1.zyedge.local>

Roy,

Check this out:

http://supportwiki.cisco.com/ViewWiki/index.php/Configuring_dynamic_NAT_with_route-maps

You may want to throw in some SLA configs to build in more redundancy.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roy
Sent: Thursday, May 21, 2009 11:56 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dual homed but no BGP

Does anyone have an example of a dual homed router without BGP but with NAT?

From kevin.hodle at gmail.com Thu May 21 12:15:44 2009
From: kevin.hodle at gmail.com (Kevin Hodle)
Date: Thu, 21 May 2009 11:15:44 -0500
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To: <4A1564DB.4080301@templin.org>
References: <010201c9d9bd$7c072860$74157920$@com> <4A15530A.7070605@imperial.ac.uk> <4A1564DB.4080301@templin.org>
Message-ID: <9639597a0905210915q42fb4bb9vd76fbf48ad030910@mail.gmail.com>

This is correct - the primary benefit of multi-hop in most topologies would be on a downstream iBGP speaker (for example, a core facing route-reflector) with equal IGP costs to each edge router - this would achieve proper outbound load balancing.

Also worth noting is that this will only be useful if Peter continues to use a single provider for his multiple sessions.
If, one day, Peter decides to bring in a second carrier for redundancy purposes, multi-path will no longer load balance since the as-paths will now be different. There is a hidden IOS command in newer releases to get around this:

bgp bestpath as-path multipath-relax

that will permit multi-path table installation of identical routes ignoring the as-path attribute. As you continue to add diverse upstreams in multiple locations however, this will not scale too well. Eventually you will need to start doing some traffic engineering via as-path + local-pref or other method to nail down upstream route preferencing if you want to meet commits on all these diverse ports.

Cheers,
Kevin Hodle

On Thu, May 21, 2009 at 9:27 AM, Pete Templin wrote:
> Phil Mayers wrote:
>
>> I'm not 100% certain about this, but my understanding is that there is
>> still only 1 FIB entry for the route; it just has >1 next hop.
>>
>> However - will this work? For eBGP-multipath, the paths have to be
>> basically identical except next-hop. This won't be the case, since each
>> router will prefer its direct link (lower IGP cost).
>
> I think you're close: rule #7 says "Prefer eBGP over iBGP paths", so each
> router will prefer its direct link (since it's external). The indirect
> paths won't be available for parallel path selection since they've fallen
> out before the bottom.
>
> pt
>

--
|| Kevin Hodle
||
|| 913-780-3959 (Primary)
|| 913-626-7197 (Mobile)

PGP KeyID [0xBBDE8ED7]
fingerprint [3E1B 1F10 938E A831 8CF2 670C 1329 0B8B BBDE 8ED7]

From synack at live.com Thu May 21 12:23:53 2009
From: synack at live.com (Darin Herteen)
Date: Thu, 21 May 2009 11:23:53 -0500
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <4A156E1D.2080404@templin.org>
References: <4A156E1D.2080404@templin.org>
Message-ID:

I always try to put "customer name - Circuit ID". I've found ip addressing and bandwidth are too dynamic and become inaccurate over time

Darin Herteen

> Date: Thu, 21 May 2009 10:07:09 -0500
> From: petelists at templin.org
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Interface descriptions - what do you put in?
>
> List,
>
> What do you put into your interface descriptions? Do you document
> circuit ID, far-end equipment/port, near-end equipment/port, and/or
> anything else?
>
> Pete

From ray at oneunified.net Thu May 21 12:30:31 2009
From: ray at oneunified.net (Ray Burkholder)
Date: Thu, 21 May 2009 13:30:31 -0300
Subject: [c-nsp] Dual homed but no BGP
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14011A0ED0757F@zy-ex1.zyedge.local>
References: <4A1579A5.8050705@gmail.com> <6E21B2BDEF6E714EA0B5BA8D5D0E14011A0ED0757F@zy-ex1.zyedge.local>
Message-ID: <301b01c9da31$93bdec40$bb39c4c0$@net>

> > http://supportwiki.cisco.com/ViewWiki/index.php/Configuring_dynamic_NAT_with_route-maps
>
> You may want to throw in some SLA configs to build in more redundancy.
>
> > Does anyone have an example of a dual homed router without BGP but with
> > NAT?
A variation on a theme with zone-based policy firewall:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080950b87.shtml

Same but with SLA:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00809454c7.shtml

From chris.garzon at gmail.com Thu May 21 12:45:44 2009
From: chris.garzon at gmail.com (Dracul)
Date: Fri, 22 May 2009 00:45:44 +0800
Subject: [c-nsp] Video Network Load Tests
In-Reply-To: <5C279FC1-FB56-4EAC-A436-336A3E9AA13C@gizmopartners.com>
References: <876789290905210052j35c62d56g3d355e0d81c17558@mail.gmail.com> <5C279FC1-FB56-4EAC-A436-336A3E9AA13C@gizmopartners.com>
Message-ID: <876789290905210945m2b268815gbec2c240ece4086d@mail.gmail.com>

Thanks guys! But considering the economy, I believe the opensource tools are more practical ;) i've been looking into iperf. it has a server - client scenario for throughput tests.

On Thu, May 21, 2009 at 11:52 PM, Chris Boyd wrote:
>
> On May 21, 2009, at 2:52 AM, Dracul wrote:
>
>> Hi Guys,
>>
>> Can anyone recommend good Video Simulator test tools to be documented
>> inside a cisco network?
>>
>> I want to test the load using streams of HD, SD streams, using simulated
>> clients.
>> iperf seems to be mentioned as one of them. Any idea if there's a standard
>> test script to do this as well? this also involves igmp snooping and the
>> likes. THanks!
>
> If you have some cash for the project take a look at Spirent's video test
> suite.
>
> --Chris

From ray at oneunified.net Thu May 21 12:55:13 2009
From: ray at oneunified.net (Ray Burkholder)
Date: Thu, 21 May 2009 13:55:13 -0300
Subject: [c-nsp] AS5300 Modem Server
Message-ID: <304301c9da35$079f6be0$16de43a0$@net>

Although they are almost a thing of the past, I still have to maintain a dial up pool. I'd like to replace my Ascends with some used AS5300s.
It seems that there is a choice of MICA vs Microcom modems. Any idea on which would be preferred?

Way back when, one bad experience with MICA: http://networking.missouristate.edu/pub/news/19990506_BadMICA.htm

Any particular numbers to look for in used gear?

Ray

From ip at ioshints.info Thu May 21 13:22:18 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 21 May 2009 19:22:18 +0200
Subject: [c-nsp] Dual homed but no BGP
In-Reply-To: <4A1579A5.8050705@gmail.com>
References: <4A1579A5.8050705@gmail.com>
Message-ID: <001301c9da38$b2871230$0a00000a@nil.si>

Pointers to everything you've ever wanted to know (and probably a lot of what you don't want to know :)

http://wiki.nil.com/Small_site_multihoming

Hope it helps
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Roy [mailto:r.engehausen at gmail.com]
> Sent: Thursday, May 21, 2009 5:56 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Dual homed but no BGP
>
> Does anyone have an example of a dual homed router without
> BGP but with NAT?
>

From gert at greenie.muc.de Thu May 21 13:45:01 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 21 May 2009 19:45:01 +0200
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To:
References: <010201c9d9bd$7c072860$74157920$@com>
Message-ID: <20090521174501.GU290@greenie.muc.de>

Hi,

On Thu, May 21, 2009 at 12:34:00PM +0300, Ibrahim Abo Zaid wrote:
> If 2 upstream providers provide exactly the same routes with the same attributes,
> BGP will select 2 routes to each destination, then TCAM will reach its
> maximum as installed BGP routes will be doubled, but if some destinations are
> preferably reachable from one of them and the 2nd route will be a backup route,
> BGP routes won't be doubled, but that depends on the percentage

Unless you use BGP multipath, BGP will only install one route to the FIB, ever.

So while *BGP* will use twice the amount of memory, TCAM won't.

gert
--
USENET is *not* the non-clickable part of WWW!                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gsgranados at comcast.net Thu May 21 14:33:09 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 21 May 2009 11:33:09 -0700
Subject: [c-nsp] General performance based routing question?
Message-ID: <106EE0969DC545D09B71C3412C4F6588@Toshiba>

Hi, I have a general question and Google isn't steering me right.;)

While BGP contains next hop information and other various knobs for traffic engineering there is no performance metric included. Take the following example, say router A is connected to ISP1 and ISP2 via two equal bandwidth and cost links. Suppose that ISP2 takes the bulk of the traffic but has congestion issues in the local pop. BGP will select ISP2 based on AS-Path etc but has no knowledge that this is not the "best" path because congestion is degrading performance.
Are there any tools or techniques that could track performance and optimize the routing process either by adjusting local pref or some variable in the router to adjust traffic flow? I've heard of some boxes that do this but at the time the general feeling was that these were rubbish and simply thrashed around /16's for no real reason.

What are people doing to factor in traffic performance instead of making purely distance based calculations?

Thanks
Scott

From peter at rathlev.dk Thu May 21 14:34:27 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 21 May 2009 20:34:27 +0200
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <4A156E1D.2080404@templin.org>
References: <4A156E1D.2080404@templin.org>
Message-ID: <1242930867.5080.10.camel@localhost.localdomain>

On Thu, 2009-05-21 at 10:07 -0500, Pete Templin wrote:
> What do you put into your interface descriptions? Do you document
> circuit ID, far-end equipment/port, near-end equipment/port, and/or
> anything else?

We typically use something like "TGE-trunk-HER.CORE-Te6/1" or "FE-access-AAR-SNA-KMD-Fa0/0", mentioning local end link hardware and type, and remote end name and interface.

On interface down/up we extract the description and send it along with the alert.

We're an enterprise network though, not service provider. :-)

Regards,
Peter

From brhedlun at cisco.com Thu May 21 15:03:01 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Thu, 21 May 2009 14:03:01 -0500
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To: <9639597a0905210915q42fb4bb9vd76fbf48ad030910@mail.gmail.com>
Message-ID:

On 5/21/09 11:15 AM, "Kevin Hodle" wrote:
> Eventually you will need to start doing some traffic
> engineering via as-path + local-pref or other method to nail-down
> upstream route preferencing if you want to meet commits on all these
> diverse ports.
Better yet, have Cisco PfR automate the traffic engineering based on defined policies such as load sharing, latency, or packet loss.

http://www.cisco.com/go/pfr

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From brhedlun at cisco.com Thu May 21 15:31:12 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Thu, 21 May 2009 14:31:12 -0500
Subject: [c-nsp] General performance based routing question?
In-Reply-To: <106EE0969DC545D09B71C3412C4F6588@Toshiba>
Message-ID:

On 5/21/09 1:33 PM, "Scott Granados" wrote:
> What are people
> doing to factor in traffic performance instead of making purely distance based
> calculations?

Cisco has a unique technology in IOS for this called Performance Routing (PfR).

http://www.cisco.com/go/pfr

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From kevin.hodle at gmail.com Thu May 21 16:04:25 2009
From: kevin.hodle at gmail.com (Kevin Hodle)
Date: Thu, 21 May 2009 15:04:25 -0500
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To:
References: <9639597a0905210915q42fb4bb9vd76fbf48ad030910@mail.gmail.com>
Message-ID: <9639597a0905211304r1a339a7bn7bf4a5bb4f29d91@mail.gmail.com>

Yes - that will be a fine solution for your redundant multi-vendor backbone... er, wait. Sorry, forgot what list I was on :P

Also, I had a look at this, and in the QA section, I got a good laugh from this portion:

Q. How do I deploy Cisco PfR in networks not running internal BGP (iBGP) within the enterprise?
A. To synchronize routing within the enterprise and take advantage of new optimal Cisco PfR routes, route redistribution into the local Interior Gateway Protocol (IGP; for example, EIGRP, OSPF, or RIP) needs to occur. Static routes injected by Cisco PfR are tagged by an identifier that can be specifically redistributed. On the other hand, BGP routes are usually not redistributed into IGP.

BEST IDEA EVAR!
(Sorry - but this just wouldn't fly in a service provider environment)

Kevin Hodle

On Thu, May 21, 2009 at 2:03 PM, Brad Hedlund wrote:
>
> On 5/21/09 11:15 AM, "Kevin Hodle" wrote:
>
>> Eventually you will need to start doing some traffic
>> engineering via as-path + local-pref or other method to nail-down
>> upstream route preferencing if you want to meet commits on all these
>> diverse ports.
>
> Better yet, have Cisco PfR automate the traffic engineering based on defined
> policies such as load sharing, latency, or packet loss.
>
> http://www.cisco.com/go/pfr
>
> Cheers,
>
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>

-- 
|| Kevin Hodle ||
|| 913-780-3959 (Primary) || 913-626-7197 (Mobile)
PGP KeyID [0xBBDE8ED7]
fingerprint [3E1B 1F10 938E A831 8CF2 670C 1329 0B8B BBDE 8ED7]

From gsgranados at comcast.net Thu May 21 16:05:57 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Thu, 21 May 2009 13:05:57 -0700
Subject: [c-nsp] General performance based routing question?
In-Reply-To:
References:
Message-ID:

Hi Brad, thanks for the response.

Doesn't PFR require that PFR enabled routers be on both ends? I'm thinking more similar to an Internap type deal where you can attempt to optimize performance as a whole without having devices on both ends or maybe collect data from agents. Am I correct in my assumption about PFR or can it be used one ended?

Thanks
Scott

----- Original Message ----- 
From: "Brad Hedlund"
To: "Scott Granados" ;
Sent: Thursday, May 21, 2009 12:31 PM
Subject: Re: [c-nsp] General performance based routing question?

>
> On 5/21/09 1:33 PM, "Scott Granados" wrote:
>
>> What are people
>> doing to factor in traffic performance instead of making purely distance
>> based
>> calculations?
>
> Cisco has a unique technology in IOS for this called Performance Routing
> (PfR).
>
> http://www.cisco.com/go/pfr
>
> Cheers,
>
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>

From kevin.hodle at gmail.com Thu May 21 16:19:05 2009
From: kevin.hodle at gmail.com (Kevin Hodle)
Date: Thu, 21 May 2009 15:19:05 -0500
Subject: [c-nsp] General performance based routing question?
In-Reply-To: <106EE0969DC545D09B71C3412C4F6588@Toshiba>
References: <106EE0969DC545D09B71C3412C4F6588@Toshiba>
Message-ID: <9639597a0905211319r67f172dfq92653534562de4f4@mail.gmail.com>

Hi Scott,

There are several other 'tried and true' vendor neutral technologies that tackle this problem. Avaya routescience and Internap's Flow Control Platform are two that immediately come to mind, but I'm sure there are others..

Cheers,
Kevin Hodle

On Thu, May 21, 2009 at 1:33 PM, Scott Granados wrote:
> Hi, I have a general question and Google isn't steering me right.;)
>
> While BGP contains next hop information and other various knobs for traffic engineering there is no performance metric included. Take the following example, say router A is connected to ISP1 and ISP2 via two equal bandwidth and cost links. Suppose that ISP2 takes the bulk of the traffic but has congestion issues in the local pop. BGP will select ISP2 based on AS-Path etc but has no knowledge that this is not the "best" path because congestion is degrading performance. Are there any tools or techniques that could track performance and optimize the routing process either by adjusting local pref or some variable in the router to adjust traffic flow? I've heard of some boxes that do this but at the time the general feeling was that these were rubbish and simply thrashed around /16's for no real reason.
> What are people doing to factor in traffic performance instead of making purely distance based calculations?
>
> Thanks
> Scott
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

-- 
|| Kevin Hodle ||
|| 913-780-3959 (Primary) || 913-626-7197 (Mobile)
PGP KeyID [0xBBDE8ED7]
fingerprint [3E1B 1F10 938E A831 8CF2 670C 1329 0B8B BBDE 8ED7]

From brhedlun at cisco.com Thu May 21 16:37:32 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Thu, 21 May 2009 15:37:32 -0500
Subject: [c-nsp] General performance based routing question?
In-Reply-To:
Message-ID:

On 5/21/09 3:05 PM, "Scott Granados" wrote:
> Doesn't PFR require that PFR enabled routers be on both ends?

No, not at all. PFR runs locally on the router and does not rely on any other routers having PFR enabled (unless you have separated the MC function). PFR makes traffic engineering decisions based on the traffic measurements on your routers only. You do not need any special configuration, coordination, or support from a 3rd party.

Hope this helps.

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From frnkblk at iname.com Thu May 21 16:53:29 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Thu, 21 May 2009 15:53:29 -0500
Subject: [c-nsp] OT: Access Point Automatically shifting between Controller-based and Autonomous Modes?
In-Reply-To: <18dba4e50905210710scef41c7j8d42f505d57d8284@mail.gmail.com>
References: <18dba4e50905210710scef41c7j8d42f505d57d8284@mail.gmail.com>
Message-ID:

This functionality is table-stakes in the enterprise wireless market. If someone can't do it, move on to the next vendor.
Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, May 21, 2009 9:11 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OT: Access Point Automatically shifting between Controller-based and Autonomous Modes?

I would love the access points to shift to some kind of autonomous mode automatically so that client workstations can at least remain connected and access other resources that may be localized at the remote locations (such as network printers). The APs should automatically reconnect if the link to the H/O comes back up. (just like SRST feature used in IPT).

I was wondering if this is possible?

Thanks,
Felix

From oliver.gorwits at oucs.ox.ac.uk Thu May 21 16:57:28 2009
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Thu, 21 May 2009 21:57:28 +0100
Subject: [c-nsp] 3750 Metro - Base MAC addresses
In-Reply-To: <4A0C1B66.7080803@scripty.com>
References: <4A0C1B66.7080803@scripty.com>
Message-ID: <4A15C038.7080006@oucs.ox.ac.uk>

Clinton Work wrote:
> "show ver" on a 3750 Metro will tell you the base MAC address,
> but not the size of the block. Anybody know how many unique MACs
> are assigned to a 3750ME?

No I don't for the ME, but you could start with this for the non-ME:

http://supportwiki.cisco.com/ViewWiki/index.php/MAC_Addresses_used_by_the_Cisco_3750
(seems to be 64 for physical ports, 64 for SVI)

and the way I reverse engineered that was just to run a script to set up 500 SVIs and take a look at the results.
HTH,

-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services

From brhedlun at cisco.com Thu May 21 17:16:23 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Thu, 21 May 2009 16:16:23 -0500
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To: <9639597a0905211304r1a339a7bn7bf4a5bb4f29d91@mail.gmail.com>
Message-ID:

Interesting, I thought it was common for service providers to run iBGP.

At any rate, yes, Enterprise customers typically do not have iBGP running through their core, just at the Internet and WAN edges, which by the way happens to be the perfect places to run PfR :-)

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

On 5/21/09 3:04 PM, "Kevin Hodle" wrote:
> Yes - that will be a fine solution for your redundant multi-vendor
> backbone... er, wait. Sorry, forgot what list I was on :P Also, I had
> a look at this, and in the QA section, I got a good laugh from this
> portion:
>
> Q. How do I deploy Cisco PfR in networks not running internal BGP
> (iBGP) within the enterprise?
> A. To synchronize routing within the enterprise and take advantage of
> new optimal Cisco PfR routes, route redistribution into the local
> Interior Gateway Protocol (IGP; for example, EIGRP, OSPF, or RIP)
> needs to occur. Static routes injected by Cisco PfR are tagged by an
> identifier that can be specifically redistributed. On the other hand,
> BGP routes are usually not redistributed into IGP.
>
> BEST IDEA EVAR!
>
> (Sorry - but this just wouldn't fly in a service provider environment)

From justin at justinshore.com Thu May 21 18:12:21 2009
From: justin at justinshore.com (Justin Shore)
Date: Thu, 21 May 2009 17:12:21 -0500
Subject: [c-nsp] OT: 871W config
In-Reply-To:
References: <4A14B4AD.2090003@justinshore.com>
Message-ID: <4A15D1C5.8050608@justinshore.com>

Thanks for all who replied on and off-list. I see a few things in the configs that were sent to me that I overlooked, like the 'bridge # route ip' commands. That could very well be the problem. All of the configs sent were using only a single default VLAN whereas I've disabled VLAN 1 and am trying to use 3 other VLANs to manage security and dedicate a VLAN to voice. That may complicate things more. I will see if I get a working config and then I'll share the relevant config with the list.

Thanks again
Justin

Ziv Leyes wrote:
> Why do you think this is off topic?
> This is a config sample of I'm using at home and it's working great, of course you need to change some of the settings to match your needs.
> !
> bridge irb
> bridge 1 protocol ieee
> bridge 1 route ip

From cordmacleod at gmail.com Thu May 21 18:18:50 2009
From: cordmacleod at gmail.com (Cord MacLeod)
Date: Thu, 21 May 2009 15:18:50 -0700
Subject: [c-nsp] 3560 cpu load question
Message-ID:

My graphs show cpu spikes up to 20% every now and again, but the following command shows 100% spikes. Question being is this normal behavior, how would I track the cause (assuming my traffic is relatively stable throughout the day) and should I be worried this may be impacting traffic?
crs1.sc9.admob.int#show processes cpu history

    6567644446636535443643965683644323543453456338456486343663432264535643
    5712312441078774564199002967184891980080051294351191554306777916829326
100
 90 * * *
 80 * * * *
 70 * * * * ** * *
 60 ***** ** ** * ** ** * * * ** * ** ** ** * * **
 50 ***** ** ** *** ** ***** ** ** * ** * ** ** * ** * *** **
 40 ****************** ************* ** ** *** ********** ***** *** ****
 30 **********************************************************************
 20 #*****************##***#*****************######*#*****************##**
 10 ######################################################################
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
             0    5    0    5    0    5    0    5    0    5    0    5    0
               CPU% per hour (last 72 hours)
              * = maximum CPU%   # = average CPU%

From peter at rathlev.dk Thu May 21 19:09:48 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 22 May 2009 01:09:48 +0200
Subject: [c-nsp] 3560 cpu load question
In-Reply-To:
References:
Message-ID: <1242947388.14497.5.camel@localhost.localdomain>

On Thu, 2009-05-21 at 15:18 -0700, Cord MacLeod wrote:
> My graphs show cpu spikes up to 20% every now and again, but the
> following command shows 100% spikes. Question being is this normal
> behavior, how would I track the cause (assuming my traffic is
> relatively stable throughout the day) and should I be worried this may
> be impacting traffic?

Is it normal: Probably not. But that depends on what the device is doing.

Will there be traffic impact: Probably not. Traffic forwarding is not CPU bound. Traffic forwarding of course relies on the CPU executing certain algorithms depending on protocols in use (STP, IGP, BGP etc.) which it might not be able to do in a timely fashion if busy doing something else.

Tracking the cause: Start looking at "show proc cpu sorted" and see what processes take up most CPU when the spike is occurring.

What is the device configured to do, apart from forwarding traffic?
Regards,
Peter

From cordmacleod at gmail.com Thu May 21 19:20:31 2009
From: cordmacleod at gmail.com (Cord MacLeod)
Date: Thu, 21 May 2009 16:20:31 -0700
Subject: [c-nsp] 3560 cpu load question
In-Reply-To: <1242947388.14497.5.camel@localhost.localdomain>
References: <1242947388.14497.5.camel@localhost.localdomain>
Message-ID: <40D9F781-63CB-4A38-9ED7-73DC8137993F@gmail.com>

It sits in the middle of a network. Below are layer 2 2960 switches at the top of rack which the machines plug in to. Above are routers announcing BGP default at it in the confederation. The machines use the 3560 to traverse vlans, it is also the root switch in spanning tree and has around 110 inbound acls applied on the interface leading to the edge routers. As far as STP is concerned, the topology never changes so we can rule out convergence. That's every function the switch is performing.

These spikes are abnormal spikes, and they do not show up on my graphs, nor can I find the process causing them. There is no correlation I find between the CPU spikes and any network traffic.

On May 21, 2009, at 4:09 PM, Peter Rathlev wrote:
> On Thu, 2009-05-21 at 15:18 -0700, Cord MacLeod wrote:
>> My graphs show cpu spikes up to 20% every now and again, but the
>> following command shows 100% spikes. Question being is this normal
>> behavior, how would I track the cause (assuming my traffic is
>> relatively stable throughout the day) and should I be worried this
>> may
>> be impacting traffic?
>
> Is it normal: Probably not. But that depends on what the device is
> doing.
>
> Will there be traffic impact: Probably not. Traffic forwarding is not
> CPU bound. Traffic forwarding of course relies on the CPU executing
> certain algorithms depending of protocols in use. (STP, IGP, BGP etc.)
> which it might not be able to do in a timely fashion if busy doing
> something else.
>
> Tracking the cause: Start looking at "show proc cpu sorted" and see
> what
> processes take up most CPU when the spike is occuring.
>
> What is the device configured to do, apart from forwarding traffic?
>
> Regards,
> Peter
>
>

From zhanghuanjie at gmail.com Thu May 21 20:29:52 2009
From: zhanghuanjie at gmail.com (Zhang Huanjie)
Date: Fri, 22 May 2009 08:29:52 +0800
Subject: [c-nsp] mpls packets were forwarded via software or hardware mode?
Message-ID:

Our 6509 has SUP720-3B engine, but some modules have DFC3A installed. It supports MPLS in the test network. I want to know whether the MPLS packets were processed by CPU or switched in hardware mode.

#show mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
  2   16  Pure SFM-mode 16 port 1000mb GBIC      WS-X6816-GBIC
  3   16  Pure SFM-mode 16 port 1000mb GBIC      WS-X6816-GBIC
  4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B
  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-3B
  7   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
  8   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  1  Distributed Forwarding Card WS-F6700-DFC3B                 4.6     Ok
  2  Distributed Forwarding Card WS-F6K-DFC3A                   2.4     Ok
  3  Distributed Forwarding Card WS-F6K-DFC3A                   2.4     Ok
  4  Distributed Forwarding Card WS-F6700-DFC3B                 4.6     Ok
  5  Policy Feature Card 3       WS-F6K-PFC3B                   1.1     Ok
  5  MSFC3 Daughterboard         WS-SUP720                      2.2     Ok
  6  Policy Feature Card 3       WS-F6K-PFC3B                   1.1     Ok
  6  MSFC3 Daughterboard         WS-SUP720                      2.2     Ok

#show platform hardware pfc mode
PFC operating mode : PFC3A

#show platform hardware capacity
System Resources
  PFC operating mode: PFC3A
  Supervisor redundancy mode: administratively sso, operationally sso
  Switching resources:
    Module  Part number        Series       CEF mode
         1  WS-X6704-10GE      CEF720       dCEF
         2  WS-X6816-GBIC      dCEF256      dCEF
         3  WS-X6816-GBIC      dCEF256      dCEF
         4  WS-X6748-GE-TX     CEF720       dCEF
         5  WS-SUP720-3B       supervisor   CEF
         6  WS-SUP720-3B       supervisor   CEF
         7
            WS-X6148A-GE-TX    classic      CEF
         8  WS-X6148A-GE-TX    classic      CEF
...
L3 Forwarding Resources
  FIB TCAM usage:                     Total        Used       %Used
    72 bits (IPv4, MPLS, EoM)        196608        2324          1%
    144 bits (IP mcast, IPv6)         32768         264          1%

  detail:      Protocol                    Used       %Used
               IPv4                        2106          1%
               MPLS                         218          1%
               EoM                            0          0%
               IPv6                         194          1%
               IPv4 mcast                    70          1%
               IPv6 mcast                     0          0%

  Adjacency usage:                    Total        Used       %Used
                                    1048576        1284          1%

Thanks
Zhang Huanjie

From dale.shaw+cisco-nsp at gmail.com Thu May 21 23:38:23 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Fri, 22 May 2009 13:38:23 +1000
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
Message-ID: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com>

Hi all,

Scenario: WCCPv2 configured and active for WAAS, all TCP traffic redirected (no redirect-list configured for service groups 61 and 62)

What happens to active/existing TCP sessions that _are_ being intercepted/redirected if I configure a redirect-list with a 'deny' statement that matches the session?

I'm not intimately familiar with WCCPv2 operation but I assume these are the possibilities:

1) existing connections are not affected and continue to be intercepted/redirected in spite of ACL; new connections are not intercepted/redirected; WCCP is smart!
2) new packets for existing connections stop being intercepted/redirected and are routed normally - TCP copes OK and sessions stay up; TCP is amazing!
3) as above, but TCP does not cope, as SEQs/ACKs etc. change; sessions are torn down/time out; TCP is only human
4) something else :-)

Can anyone provide any insight?

Adrian Chadd, I'm shining the bat torch towards the sky, are you out there? :-)

cheers,
Dale

From brhedlun at cisco.com Thu May 21 23:58:01 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Thu, 21 May 2009 22:58:01 -0500
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
In-Reply-To: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com>
Message-ID:

Dale,

If the affected flows are NOT being optimized by WAAS (pass-through connections), your result should be #2.

If the affected flows ARE being optimized by WAAS, your result should be #3.

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

On 5/21/09 10:38 PM, "Dale Shaw" wrote:
> Hi all,
>
> Scenario: WCCPv2 configured and active for WAAS, all TCP traffic
> redirected (no redirect-list configured for service groups 61 and 62)
>
> What happens to active/existing TCP sessions that _are_ being
> intercepted/redirected if I configure a redirect-list with a 'deny'
> statement that matches the session?
>
> I'm not intimately familiar with WCCPv2 operation but I assume these
> are the possibilities:
>
> 1) existing connections are not affected and continue to be
> intercepted/redirected in spite of ACL; new connections are not
> intercepted/redirected; WCCP is smart!
> 2) new packets for existing connections stop being
> intercepted/redirected and are routed normally - TCP copes OK and
> sessions stay up; TCP is amazing!
> 3) as above, but TCP does not cope, as SEQs/ACKs etc. change; sessions
> are torn down/time out; TCP is only human
> 4) something else :-)
>
> Can anyone provide any insight?
>
> Adrian Chadd, I'm shining the bat torch towards the sky, are you out there?
> :-)
>
> cheers,
> Dale

From adrian at creative.net.au Fri May 22 00:16:47 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Fri, 22 May 2009 12:16:47 +0800
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
In-Reply-To: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com>
References: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com>
Message-ID: <20090522041647.GC21660@skywalker.creative.net.au>

On Fri, May 22, 2009, Dale Shaw wrote:
> Can anyone provide any insight?
> Adrian Chadd, I'm shining the bat torch towards the sky, are you out there? :-)

Sigh. Yes I'm here. :)

Unless stuff has changed, WCCPv2 will just still be matching on bits in your packet headers and rewriting next hops. The TCP state management stuff and redirection management stuff is done on the cache engines (the WAAS boxes) rather than the routers themselves.

So if you update the redirect list, packets will most likely start flowing to WAAS devices that are set to receive them (save say, any kind of load balancing, slow start, etc which may be fiddling with your hash/mask assignments in a way that rejects some packets) and then hopefully the WAAS devices will do what the older school cache engines did:

* if it's for that box, it'll terminate it locally;
* if it's for another cache engine in the group that it -knew- about (and has seen the topology change happen), it'll redirect the packet to the cache that was last handling that flow;
* otherwise, it'll just punt it back to the router to be passed through.

But this is all a guess, I've not got a WAAS device to test and I've never deployed them. :)

The important bit to enlightenment here is exactly what the router and cache engine responsibilities are. WCCPv2 pushes a lot of the smarts (ie, everything session oriented) out to the cache engines, leaving the router to get on with the job of punting packets.

2c,

Adrian

From engel.labiro at gmail.com Fri May 22 00:22:37 2009
From: engel.labiro at gmail.com (Engelhard Labiro)
Date: Fri, 22 May 2009 13:22:37 +0900
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <4A156E1D.2080404@templin.org>
References: <4A156E1D.2080404@templin.org>
Message-ID: <74b0c3330905212122r4eccdf8tc3310987afb1c8e3@mail.gmail.com>

Pete,
for WAN connection we put the Provider name and circuit number,
for LAN connection we put the hostname of the other end and its interface number.

HTH,
Engel

On Fri, May 22, 2009 at 12:07 AM, Pete Templin wrote:
> List,
>
> What do you put into your interface descriptions? Do you document circuit
> ID, far-end equipment/port, near-end equipment/port, and/or anything else?
>
> Pete
>

From mb at adv.gcomm.com.au Thu May 21 23:26:29 2009
From: mb at adv.gcomm.com.au (mb at adv.gcomm.com.au)
Date: Fri, 22 May 2009 13:26:29 +1000
Subject: [c-nsp] Redundancy setup - comments please..
Message-ID: <20090522132629.xrtz12l1lfwosc0w@webmail.datafx.com.au>

Would like opinions on the following setup -

Limited budget, we are attempting to have relatively simple cut-over should we lose primary switch or 7200

7200 w/ NPE-G2 (2 Gb ports in PortChannel)
7200 w/ NPE-400 (2 x 10/100 ports in PortChan)
3560 48 Gb ports (Primary Switch) - 2 Gb ports in PortChannel
2960 48 Gb ports (Backup Switch) - 2 Gb ports in PortChannel

All devices managed via OOB w/ 2509

Theory is that new services are added as portchan dot1q Ints to 7200's (and vlans on 3560+2960), and in the event we lost 3560, we could simply patch the 2960 into the 7200 and we would be operational again (obviously we would also need to re-patch any active ports on 3560->2960)... Similar scenario if we lost G2 7200.
Reason for Portchan's was that we are currently exceeding 100Mb, therefore with 2 x 10/100 ports from the NPE-400 7200 we can get 200Mb, plus ease of maintaining config consistency between 7200's

Clients have co-located devices connected to switch.... so if we lost 3560, we would need to physically re-patch.

Thanks in advance for comments.

From gregariouspearl at gmail.com Fri May 22 00:56:33 2009
From: gregariouspearl at gmail.com (Muhammad Salman Zahid)
Date: Fri, 22 May 2009 10:56:33 +0600
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <74b0c3330905212122r4eccdf8tc3310987afb1c8e3@mail.gmail.com>
References: <4A156E1D.2080404@templin.org> <74b0c3330905212122r4eccdf8tc3310987afb1c8e3@mail.gmail.com>
Message-ID: <44c523750905212156v58a78cb4t52d7ab3a045d1e6b@mail.gmail.com>

Try the following as well.

*** [Client Name] [Media] [Data/Internet] [BW] ***

You can easily judge all the general relevant details in the "sh int desc" command.

In your core you can use the following:

*** Connected to [BOX] [Port] ***

MSZ

On Fri, May 22, 2009 at 10:22 AM, Engelhard Labiro wrote:
> Pete,
> for WAN connection we put the Provider name and circuit number,
> for LAN connection we put the hostname of the other end and its
> interface number.
>
> HTH,
> Engel
>
> On Fri, May 22, 2009 at 12:07 AM, Pete Templin
> wrote:
> > List,
> >
> > What do you put into your interface descriptions? Do you document
> circuit
> > ID, far-end equipment/port, near-end equipment/port, and/or anything
> else?
> >
> > Pete
> >
>

-- 
"Death is not the greatest loss in life .... The greatest loss is what dies inside you while U live...!"

From ltd at cisco.com Fri May 22 00:58:45 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 22 May 2009 14:58:45 +1000
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
In-Reply-To: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com>
References: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com>
Message-ID: <4A163105.3050701@cisco.com>

Dale Shaw wrote:
> Hi all,
>
> Scenario: WCCPv2 configured and active for WAAS, all TCP traffic
> redirected (no redirect-list configured for service groups 61 and 62)
>
> What happens to active/existing TCP sessions that _are_ being
> intercepted/redirected if I configure a redirect-list with a 'deny'
> statement that matches the session?
>
> I'm not intimately familiar with WCCPv2 operation but I assume these
> are the possibilities:
>
> 1) existing connections are not affected and continue to be
> intercepted/redirected in spite of ACL; new connections are not
> intercepted/redirected; WCCP is smart!
> 2) new packets for existing connections stop being
> intercepted/redirected and are routed normally - TCP copes OK and
> sessions stay up; TCP is amazing!
> 3) as above, but TCP does not cope, as SEQs/ACKs etc. change; sessions
> are torn down/time out; TCP is only human
> 4) something else :-)
>
> Can anyone provide any insight?
>

some of the magic voodoo stuff that WAAS does is outlined at a high level at
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/prod_white_paper0900aecd8051c11d.html

basically, there are multiple things going on here:
- TFO means that even if the host initiating a TCP connection doesn't use large windows, SACK and other go-fast TCP options, TFO will do that for you. that in itself implies that the TCP connection established by the original host will NOT be the one that the end host sees (even though it may seem to originate from the same ip-address as that of the original host)
- DRE means that not all the data necessarily goes over the WAN either.
- what goes over the WAN may also have LZ compression applied to it too.

so, suffice to say, there will be significant differences "pre-optimized" and "post-optimized" for traffic which is eligible for acceleration.

thus, to answer your question, anything that was previously eligible for optimization which now is forwarded rather than redirected (due to your redirect-list) will hit #3. for other traffic which may be sent to the WAAS box but where WAAS decides it's not worthwhile doing anything with, #2 will likely apply.

the underlying design of WCCP is that the network doesn't maintain "flow state". but that isn't to say that there aren't methods of WCCP utilizing "flow acceleration" aspects of netflow-capable router/switch platforms. but generally speaking, in this modern day & age, "flow switching" is frowned upon, doesn't scale, and is otherwise considered not worthwhile except purely as an accounting mechanism only.

cheers,

lincoln.
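The division of labour that Adrian and Lincoln describe (router matches packet headers against the redirect-list and keeps no flow state; the cache engine owns the TCP session, and a TFO-optimized flow is carried onward in the engine's own TCP session) can be modelled in a few dozen lines. The block below is an added example written for this archive page, not Cisco, IOS or WAAS code. It parses named extended IPv4 ACL lines (permit/deny, any|host|address-with-wildcard, optional "eq port"; contiguous wildcard masks only), makes a per-packet redirect decision the way the router does, and replays two flows through a constructed cache engine and far-end server, first with everything redirected and then after a deny for the client host is added. The addresses, ports, the 500000 sequence-number offset standing in for TFO's separate session, and the class names CacheEngine/Server/simulate are all assumptions for the demonstration; DRE and LZ are not modelled.

```python
"""Constructed model of WCCPv2 redirect vs. cache-engine flow state.
Added example for this thread, not Cisco/WAAS code. Assumes named extended
IPv4 ACL syntax with contiguous wildcard masks; all hosts, ports and the
sequence offset are made up."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    seq: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    prefixlen = 32 - int(ipaddress.ip_address(tok[1])).bit_length()  # wildcard -> prefix
    return ipaddress.ip_network(f"{tok[0]}/{prefixlen}", strict=False), tok[2:]


def _parse_port(tok):
    if tok and tok[0] == "eq":
        return int(tok[1]), tok[2:]
    return None, tok


def parse_acl(text):
    """Parse the permit/deny lines of a named extended ACL; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, rest = _parse_addr(tok[2:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, _ = _parse_port(rest)
        entries.append(AclEntry(tok[0], tok[1], src, sport, dst, dport))
    return entries


def redirect(acl, pkt):
    """Router side: first match wins, implicit deny = route normally.
    Nothing here remembers earlier packets of the same connection."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in e.src or ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


class CacheEngine:
    """WAAS side (constructed). An optimized flow is carried onward in the engine's
    own TCP session, modelled as a fixed sequence offset remembered per flow;
    pass-through flows are forwarded untouched."""
    def __init__(self, optimize_ports):
        self.optimize_ports = set(optimize_ports)
        self.flows = {}

    def forward(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        offset = 500_000 if pkt.dport in self.optimize_ports else 0
        return replace(pkt, seq=pkt.seq + self.flows.setdefault(key, offset))


class Server:
    """Far-end TCP (constructed): remembers the next expected sequence number per flow."""
    def __init__(self):
        self.expected = {}

    def receive(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.expected and pkt.seq != self.expected[key]:
            return "out-of-window"  # Dale's case #3 as seen by the peer
        self.expected[key] = pkt.seq + 1
        return "ok"


def simulate(acl_before, acl_after, n_before=3, n_after=2):
    """Send packets of two flows under one redirect-list, then under a changed
    one, and return what the server made of each packet per flow."""
    wae = CacheEngine(optimize_ports={445})  # constructed: 445 optimized, 22 pass-through
    server = Server()
    flows = {"optimized": Packet("tcp", "10.1.1.10", "192.168.5.20", 40001, 445),
             "pass_through": Packet("tcp", "10.1.1.10", "192.168.5.20", 40002, 22)}
    seq = {name: 1 for name in flows}
    seen = {name: [] for name in flows}
    for acl_text, count in ((acl_before, n_before), (acl_after, n_after)):
        acl = parse_acl(acl_text)
        for _ in range(count):
            for name, base in flows.items():
                pkt = replace(base, seq=seq[name])
                seq[name] += 1
                if redirect(acl, pkt):      # router: header match only
                    pkt = wae.forward(pkt)  # cache engine: where the flow state lives
                seen[name].append(server.receive(pkt))
    return seen


# Constructed redirect-lists: everything redirected, then a deny for the client host.
ACL_ALL = "ip access-list extended WCCP_REDIRECT\n permit ip any any"
ACL_DENY_HOST = "ip access-list extended WCCP_REDIRECT\n deny tcp host 10.1.1.10 any\n permit ip any any"

if __name__ == "__main__":
    for name, outcome in simulate(ACL_ALL, ACL_DENY_HOST).items():
        print(f"{name:13s} {outcome}")
```

Running it shows the pass-through flow surviving the ACL change (every segment "ok") while the optimized flow's segments arrive at the server outside what its TCP state expects as soon as they stop going via the cache engine, which is the difference between Brad's #2 and #3 answers. The point of the model is that the router never consults any of its own flow history when deciding: change the redirect-list and the next packet is simply matched afresh.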
From clinton at scripty.com Fri May 22 01:04:02 2009
From: clinton at scripty.com (Clinton Work)
Date: Thu, 21 May 2009 23:04:02 -0600
Subject: [c-nsp] 3750 Metro - Base MAC addresses
In-Reply-To: <4A15C038.7080006@oucs.ox.ac.uk>
References: <4A0C1B66.7080803@scripty.com> <4A15C038.7080006@oucs.ox.ac.uk>
Message-ID: <4A163242.8070308@scripty.com>

Turns out that we have a number of 3750 Metros with adjacent base MAC addresses. The 3750 Metros have 128 MACs assigned per chassis as well.

Clinton.

Oliver Gorwits wrote:
> No I don't for the ME, but you could start with this for the non-ME:
>
> http://supportwiki.cisco.com/ViewWiki/index.php/MAC_Addresses_used_by_the_Cisco_3750
> (seems to be 64 for physical ports, 64 for SVI)
>
> --

-- 
==================================================================
Clinton Work
Airdrie, AB

From dale.shaw+cisco-nsp at gmail.com Fri May 22 01:06:19 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Fri, 22 May 2009 15:06:19 +1000
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
In-Reply-To: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com>
References: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com>
Message-ID: <3329cbb40905212206w559c8f9cm90badb8035aa878f@mail.gmail.com>

Hi all,

On Fri, May 22, 2009 at 1:38 PM, Dale Shaw wrote:
> Can anyone provide any insight?

Thanks for the replies -- that makes sense. I'm proceeding on the basis that by _not_ intercepting/redirecting, the affected flows will barf, as I'm sure that TFO, at least, is in effect.

FWIW, the affected TCP protocols are a bunch of Nortel media gateway to call server IPTel related (signalling) connections.
cheers,
Dale

From jacob at vargas.com Fri May 22 01:28:01 2009
From: jacob at vargas.com (Jacob Vargas)
Date: Thu, 21 May 2009 22:28:01 -0700
Subject: [c-nsp] WAS: dhcprelay regression on latest pix 515 firmware (8.0.4) NOW: ASA5510 8.0(4) issue with DHCP RELAY
Message-ID: <000301c9da9e$155093e0$3ff1bba0$@com>

I've seen some issues out in the wild about the ASA 8.0(4) not honoring DHCP Request packets when a Windows system boots. The conversation correlates as follows:

PCAP conversation on ASA:

1: 15:42:05.537783 0.0.0.0.68 > 255.255.255.255.67: udp 323 (DHCP Request) <- "can't find binding"
2: 15:42:08.526416 0.0.0.0.68 > 255.255.255.255.67: udp 323 (DHCP Request) <- "can't find binding"
3: 15:42:16.542025 0.0.0.0.68 > 255.255.255.255.67: udp 323 (DHCP Request) <- "can't find binding"
4: 15:42:44.558061 0.0.0.0.68 > 255.255.255.255.67: udp 300 (DHCP Discover) <- fall back after 40 sec timeout
5: 15:42:44.558671 172.20.0.3.67 > 255.255.255.255.68: udp 326 (DHCP Offer)
6: 15:42:44.559022 0.0.0.0.68 > 255.255.255.255.67: udp 329 (DHCP Request)
7: 15:42:44.559709 172.20.0.3.67 > 255.255.255.255.68: udp 331 (DHCP ACK) <- we finally have an IP address

DHCP Debug on ASA (1 single DHCP Request):

DHCPD: setting giaddr to 172.20.0.3.
dhcpd_forward_request: request from 0015.17aa.4ae8 (DHCP CLIENT) forwarded to 172.20.3.15 (DHCP SERVER).
DHCPD/RA: Punt 172.20.3.15/17152 --> 172.20.0.3/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 3
DHCPRA: dhcp_relay_agent_receiver:can't find binding
DHCPRA: Can't Create binding

The "can't create binding" correlates to the DHCP Request packet and the client fails to obtain an IP from the DHCP Server. If you look at the timestamp, it takes 40 seconds for the DHCP client to give up on requesting and fall back to doing a discover, which the ASA then honors, creates the binding and provides clear communication between client and server.
Under normal working circumstances, a DHCP Request to 255.255.255.255 would be heard by the relay and would be forwarded to the DHCP server as per the ASA configuration. It should work like this if it had an IP address via DHCP before:

1: 15:42:16.542025 0.0.0.0.68 > 255.255.255.255.67: udp 323 (DHCP Request)
2: 15:42:16.553119 172.20.0.3.67 > 255.255.255.255.68: udp 331 (DHCP ACK)

If the IP address that it had previously, as announced in the DHCP Request, was not part of the authoritative scope on the DHCP Server, the server would send a NACK and this would trigger the client to immediately go into DHCP Discover mode. This would easily resolve the problem with waiting 40 seconds for a timeout of the Windows DHCP client and drastically cut the time.

What's happening in the case of the 8.0(4) code of the ASA is that it ignores the DHCP Request if not preceded by a DHCP Discover, causing the DHCP Client to fail after the timeout and fall back to the DHCP Discover mode (after 40 seconds).

In the event of DHCP Discover, this is what happens:

4: 15:42:44.558061 0.0.0.0.68 > 255.255.255.255.67: udp 300 (DHCP Discover) <- fall back after 40 sec timeout
5: 15:42:44.558671 172.20.0.3.67 > 255.255.255.255.68: udp 326 (DHCP Offer)
6: 15:42:44.559022 0.0.0.0.68 > 255.255.255.255.67: udp 329 (DHCP Request)
7: 15:42:44.559709 172.20.0.3.67 > 255.255.255.255.68: udp 331 (DHCP ACK) <- we finally have an IP address

dhcpd_forward_request: request from 0015.17aa.4ae8 forwarded to 172.20.3.15.
DHCPD/RA: Punt 172.20.3.15/17152 --> 172.20.0.3/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 3
DHCPRA: dhcp_relay_agent_receiver:can't find binding
DHCPRA: relay binding created for client 0015.17aa.4ae8.
DHCPD: setting giaddr to 172.20.0.3.
dhcpd_forward_request: request from 0015.17aa.4ae8 forwarded to 172.20.3.15.
DHCPD/RA: Punt 172.20.3.15/17152 --> 172.20.0.3/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 3
DHCPRA: relay binding found for client 0015.17aa.4ae8.
DHCPRA: Adding rule to allow client to respond using offered address 172.20.1.199
DHCPRA: forwarding reply to client 0015.17aa.4ae8.
DHCPRA: relay binding found for client 0015.17aa.4ae8.
DHCPD: setting giaddr to 172.20.0.3.
dhcpd_forward_request: request from 0015.17aa.4ae8 forwarded to 172.20.3.15.
DHCPD/RA: Punt 172.20.3.15/17152 --> 172.20.0.3/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 3
DHCPRA: relay binding found for client 0015.17aa.4ae8.
DHCPRA: exchange complete - relay binding deleted for client 0015.17aa.4ae8.
DHCPD: returned relay binding 172.20.0.3/0015.17aa.4ae8 to address pool.
dhcpd_destroy_binding() removing NP rule for client 172.20.0.3
DHCPRA: forwarding reply to client 0015.17aa.4ae8.

It will allow a DHCP Inform, DHCP Release, DHCP Discover from the client but not the DHCP Request! This causes problems for automated servers that require auto-logon and scripts to run after boot (being that "Always wait for network" is part of the group policy). There is no issue with port-fast or edge-port spanning tree configurations. We even had this issue confirmed on a hub ;).

I am currently working with Cisco on this problem but am having a hard time explaining things to them. Has anyone had this problem and have a viable solution? It would help my case a lot.

Much obliged,
Jake Vargas

From oliver.gorwits at oucs.ox.ac.uk Fri May 22 02:00:35 2009
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Fri, 22 May 2009 07:00:35 +0100
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <74b0c3330905212122r4eccdf8tc3310987afb1c8e3@mail.gmail.com>
References: <4A156E1D.2080404@templin.org> <74b0c3330905212122r4eccdf8tc3310987afb1c8e3@mail.gmail.com>
Message-ID: <4A163F83.8040209@oucs.ox.ac.uk>

> wrote:
>> What do you put into your interface descriptions? Do you
>> document circuit ID, far-end equipment/port, near-end
>> equipment/port, and/or anything else?
On occasion we add a coded message to tell our monitoring system to do something different with that port. A simple example - "[DNA]" in the description for "Do Not Alert".

HTH,

-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services

From Vincent.Abello at ps.net Fri May 22 02:37:41 2009
From: Vincent.Abello at ps.net (Abello, Vinny)
Date: Fri, 22 May 2009 01:37:41 -0500
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To:
References: <9639597a0905211304r1a339a7bn7bf4a5bb4f29d91@mail.gmail.com>
Message-ID:

Yes, it is commonplace for service providers to run iBGP. The uncommon thing Kevin was alluding to was redistributing BGP into your IGP. That's a no no. :)

-Vinny

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brad Hedlund
> Sent: Thursday, May 21, 2009 5:16 PM
> To: Kevin Hodle; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
>
> Interesting, I thought it was common for service providers to run iBGP.
> At any rate, yes, Enterprise customers typically do not have iBGP running
> through their core, just at the Internet and WAN edges, which by the way
> happens to be the perfect places to run PfR :-)
>
> Cheers,
>
> Brad Hedlund
> bhedlund at cisco.com
> http://www.internetworkexpert.org
>
> On 5/21/09 3:04 PM, "Kevin Hodle" wrote:
>
> > Yes - that will be a fine solution for your redundant multi-vendor
> > backbone... er, wait. Sorry, forgot what list I was on :P Also, I had
> > a look at this, and in the QA section, I got a good laugh from this
> > portion:
> >
> > Q.
> > How do I deploy Cisco PfR in networks not running internal BGP
> > (iBGP) within the enterprise?
> > A. To synchronize routing within the enterprise and take advantage of
> > new optimal Cisco PfR routes, route redistribution into the local
> > Interior Gateway Protocol (IGP; for example, EIGRP, OSPF, or RIP)
> > needs to occur. Static routes injected by Cisco PfR are tagged by an
> > identifier that can be specifically redistributed. On the other hand,
> > BGP routes are usually not redistributed into IGP.
> >
> > BEST IDEA EVAR!
> >
> > (Sorry - but this just wouldn't fly in a service provider
> > environment)
>

From blahu77 at gmail.com Fri May 22 04:23:31 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Fri, 22 May 2009 09:23:31 +0100
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <4A156E1D.2080404@templin.org>
References: <4A156E1D.2080404@templin.org>
Message-ID: <383357750905220123v7877a900h6155f8c0d06e63d8@mail.gmail.com>

> What do you put into your interface descriptions? Do you document circuit
> ID, far-end equipment/port, near-end equipment/port, and/or anything else?

I like to have a short description that fits 'show int status', so something like and use cdp if I need more info.

Best Regards,

-mat

From benny+usenet at amorsen.dk Fri May 22 05:02:31 2009
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Fri, 22 May 2009 11:02:31 +0200
Subject: [c-nsp] General performance based routing question?
In-Reply-To: (Brad Hedlund's message of "Thu\, 21 May 2009 15\:37\:32 -0500")
References:
Message-ID:

Brad Hedlund writes:

> No, not at all. PFR runs locally on the router and does not rely on any
> other routers having PFR enabled (unless you have separated the MC
> function).
> PFR makes traffic engineering decisions based on the traffic
> measurements on your routers only. You do not need any special
> configuration, coordination, or support from a 3rd party.

Does PfR do anything for incoming traffic, or is it strictly for outgoing traffic?

Dynamic, automatic management of BGP-prefix-prepending and BGP communities would be quite neat. If Cisco solved that problem I'd be very impressed.

/Benny

From peter at rathlev.dk Fri May 22 05:05:40 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 22 May 2009 11:05:40 +0200
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To:
References: <9639597a0905211304r1a339a7bn7bf4a5bb4f29d91@mail.gmail.com>
Message-ID: <1242983140.3517.57.camel@localhost.localdomain>

On Thu, 2009-05-21 at 15:04 -0500, Kevin Hodle wrote:
...
> Q. How do I deploy Cisco PfR in networks not running internal BGP
> (iBGP) within the enterprise?
> A. To synchronize routing within the enterprise and take advantage of
> new optimal Cisco PfR routes, route redistribution into the local
> Interior Gateway Protocol (IGP; for example, EIGRP, OSPF, or RIP)
> needs to occur.
...
> (Sorry - but this just wouldn't fly in a service provider environment)

On Thu, 2009-05-21 at 16:16 -0500, Brad Hedlund wrote:
> Interesting, I thought it was common for service providers to run iBGP.

On Fri, 2009-05-22 at 01:37 -0500, Abello, Vinny wrote:
> Yes, it is commonplace for service providers to run iBGP. The uncommon
> thing Kevin was alluding to was redistributing BGP into your IGP.
> That's a no no. :)

But the redistribution is only needed if you're not running iBGP throughout your core, right? So most service providers and larger enterprises will not have any problems.

Or did I misunderstand PfR (with which I have no experience)?
Regards,
Peter

From peter at rathlev.dk Fri May 22 05:49:12 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 22 May 2009 11:49:12 +0200
Subject: [c-nsp] 3560 cpu load question
In-Reply-To: <40D9F781-63CB-4A38-9ED7-73DC8137993F@gmail.com>
References: <1242947388.14497.5.camel@localhost.localdomain> <40D9F781-63CB-4A38-9ED7-73DC8137993F@gmail.com>
Message-ID: <1242985752.3517.94.camel@localhost.localdomain>

On Thu, 2009-05-21 at 16:20 -0700, Cord MacLeod wrote:
> It sits in the middle of a network. Below are layer 2 2960 switches
> at the top of rack which the machines plug in to. Above are routers
> announcing BGP default at it in the confederation. The machines use
> the 3560 to traverse vlans, it is also the root switch in spanning
> tree and has around 110 inbound acls applied on the interface leading
> to the edge routers. As far as STP is concerned, the topology never
> changes so we can rule out convergence.

Would this switch happen to have a L3 interface in a VLAN with other hosts? Broadcasts are always sent to the CPU, so user traffic then might cause spikes.

> That's every function the switch is performing. These spikes are
> abnormal spikes, and they do not show up on my graphs, nor can I find
> the process causing them. There is no correlation I find between the
> CPU spikes and any network traffic.

Strange. What are the graphs graphing? Maybe the 5 min avg. every 5 minutes? That would explain why spikes couldn't be seen there at least.

You can set up rmon to alert you specifically when the CPU load exceeds some threshold:

rmon event 1 trap SecretCommunity description "Rising Event for busyPer" owner admin
rmon event 2 trap SecretCommunity description "Falling Event for busyPer" owner admin
rmon alarm 1 lsystem.56.0 60 absolute rising-threshold 90 1 falling-threshold 70 2 owner admin

With EEM or a script on the trap receiver you could extract the process table at exactly the moment the CPU spikes occur.
Regards,
Peter

From achatz at forthnet.gr Fri May 22 05:51:47 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 22 May 2009 12:51:47 +0300
Subject: [c-nsp] General performance based routing question?
In-Reply-To:
References:
Message-ID: <4A1675B3.4010603@forthnet.gr>

In latest IOS, AS prepending can be used for influencing incoming traffic.

I believe there are 2 major drawbacks in PfR:
1) traffic-classes/prefixes are limited (5000), so you cannot use it in an ISP environment (I don't know if using multiple MCs can increase that number)
2) not-basic cli config is quite complex (PfR manager from Fluke seems to solve that one)

--
Tassos

Benny Amorsen wrote on 22/05/2009 12:02:
> Does PfR do anything for incoming traffic, or is it strictly for
> outgoing traffic?
>
> Dynamic, automatic management of BGP-prefix-prepending and BGP
> communities would be quite neat. If Cisco solved that problem I'd be
> very impressed.
>
> /Benny
>

From zardoz at hotblack.net Fri May 22 07:35:22 2009
From: zardoz at hotblack.net (Tristan Gulyas)
Date: Fri, 22 May 2009 21:35:22 +1000
Subject: [c-nsp] How to improve C3750G switch uplink speed?
References: <17476.196.46.241.57.1242125542.squirrel@nexmail1.nexlinx.net.pk>
Message-ID:

Hi,

I find that using spanning-tree uplinkfast is best-suited for uplink ports.
If all your equipment supports it, I strongly suggest using Rapid Per-VLAN spanning tree:

spanning-tree mode rapid-pvst

Which will reduce your convergence time dramatically.

I've found standardizing on portfast for PC/server connections is always a good idea - enabling bpduguard will prevent any device that participates in the spanning tree from talking to the network, reducing the risk of having ports in the wild where users *might* create a network loop. Just make sure you enable an automatic recovery for the port (errdisable recovery) or else this may require you to manually intervene to restore connectivity.

Good luck,
Tristan

----- Original Message -----
From:
To: "Darren Yang"
Cc:
Sent: Tuesday, May 12, 2009 8:52 PM
Subject: Re: [c-nsp] How to improve C3750G switch uplink speed?

> You are using this port for UPLINK, and it could be a trunk port. I
> strongly suggest you should not use portfast on this port. This way you
> can avoid loops and the 30 second wait will be worth it.
>
> Regards,
> Masood
> Blog: http://weblogs.com.pk/jahil/
>
>
>> Hi,
>>
>> When I plug a wire into a c3750g port, it would wait about "30sec" then
>> change to uplink status.
>>
>> Are there any methods that can cut down uplink time?
>>
>>
>> Regards,
>> Pigsign
>>
>

From ashnet2009 at gmail.com Fri May 22 09:30:05 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Fri, 22 May 2009 09:30:05 -0400
Subject: [c-nsp] Nexus 7010 Racking
Message-ID: <896a291f0905220630v3d6f2848pc83581ecb23b36fe@mail.gmail.com>

Hi Folks,

We're looking to rack the 7010's and it seems that both front mount and rail mount racking options are available. Does anybody have experience in rail mount racking of the 7k chassis in the DC? Any details in relation to the cabinet types used and rail mount parts list, as well as experiences with such racking, would be great.

Thanks in advance

-- 
Sent from my mobile device

From Jonathan.Brashear at hq.speakeasy.net Fri May 22 09:01:27 2009
From: Jonathan.Brashear at hq.speakeasy.net (Jonathan Brashear)
Date: Fri, 22 May 2009 06:01:27 -0700
Subject: [c-nsp] How to improve C3750G switch uplink speed?
In-Reply-To:
References: <17476.196.46.241.57.1242125542.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <725755F5E728EE4086DAAF1A54DACF4F10B577DE@sea5exbe1.speakeasy.hq>

> enabling bpduguard will prevent any device that participates in
> the spanning tree from talking to the network, reducing the risk of having ports
> in the wild where users *might* create a network loop. ___Just make sure you
> enable an automatic recovery for the port (errdisable recovery) or else this
> may require you to manually intervene to restore connectivity.___

Sage advice, especially in a data center environment. Bpduguard has its uses, but only if you can automate the recovery.
Otherwise it becomes a massive time-sink.

As an aside, PVST can become an issue when you're scaling up into dozens/hundreds of VLANs. All of those spanning tree instances can start to become a drag on your network's cpu/memory resources. You might also consider moving to MSTP if you're using hundreds of VLANs & PVST, to free up a bit of your router/switch performance.

Network Engineer, JNCIS-M
214-981-1954 (office)
214-642-4075 (cell)
jbrashear at hq.speakeasy.net
http://www.speakeasy.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tristan Gulyas
Sent: Friday, May 22, 2009 6:35 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] How to improve C3750G switch uplink speed?

From ross at kallisti.us Fri May 22 10:15:26 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Fri, 22 May 2009 10:15:26 -0400
Subject: [c-nsp] Limits of STP/RSTP/REP?
In-Reply-To: <4A155D20.7040107@forthnet.gr>
References: <4A14474D.10202@gmx.de> <20090520200403.GA13268@kallisti.us> <4A1467B3.5000705@gmx.de> <20090520233405.GA14624@kallisti.us> <4f909a820905210225m76dd8727o35da241ff124015@mail.gmail.com> <4A155A96.8070206@forthnet.gr> <4A155D20.7040107@forthnet.gr>
Message-ID: <20090522141526.GB2305@kallisti.us>

On Thu, May 21, 2009 at 04:54:40PM +0300, Tassos Chatzithomaoglou wrote:
> switch(config)#spanning-tree vlan 7 root primary ?
>   diameter  Network diameter of this spanning tree
>
>
> switch(config)#spanning-tree vlan 7 root primary diameter ?
>   <2-7>  Maximum number of bridges between any two end nodes

Are those numbers for classic PVST? RST allows for larger diameter networks because TCNs don't have to propagate to the root and then back down.

My numbers come from the MST version:

lab(config)#spanning-tree mst max-hops ?
  <1-255>  maximum number of hops a BPDU is valid

Ross

> --
> Tassos
>
> Tassos Chatzithomaoglou wrote on 21/05/2009 16:43:
> >I had the impression that STP diameter defined the max number of bridges
> >between 2 points.
> >And the recommended value by the IEEE was 7 (using default timers).
> >
> >--
> >Tassos
> >
> >Sergey Khalavchuk wrote on 21/05/2009 12:25:
> >>>Definitely not more than 20 in a ring. As far as I know, IOS limits
> >>>the value of max-hops to 20. This means you can't have a BPDU
> >>>traverse more than 20 hops without being thrown away. If one pair of
> >>>switches in the ring experienced a total cut, your network would have
> >>>a diameter of 20, end to end.
> >>
> >>this is STP limitation: MaxAge is by default 20 hops.
> >>for IOS, you can change this value:
> >>
> >>Switch(config)#spanning-tree vlan 1 max-age ?
> >>  <6-40>  maximum number of seconds the information in a BPDU is valid
> >>or for MST
> >>Switch(config)#spanning-tree mst max-age ?
> >>  <6-40>  maximum number of seconds the information in a BPDU is valid
> >>
> >>value 40 is maximum bpdu hopcount for 3560 switch, for other models
> >>there can be other upper limit.
> >>
> >>--
> >>wbr
> >>sergey khalavchuk
> >
> >
>
> --
> ****************************
> Tassos Chatzithomaoglou
> Backbone & Access Networks
> FORTHnet S.A.
>
> ****************************

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough, the songs get tougher."
--Woody Guthrie

From geoff at pendery.net Fri May 22 10:25:56 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Fri, 22 May 2009 09:25:56 -0500
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
In-Reply-To: <4A163105.3050701@cisco.com>
References: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com> <4A163105.3050701@cisco.com>
Message-ID:

"thus, to answer your question, anything that was previously eligible for optimization which now is forwarded rather than redirected (due to your redirect-list) will hit #3. for other traffic which may be sent to the WAAS box but where WAAS decides it's not worthwhile doing anything with, will likely have #2 apply."

I believe that the WAAS boxes also alter some of the TCP attributes (like jumping the SEQ number way up when it enters the local WAAS, then dropping it back down when it leaves the remote WAAS) in such a way that, if one WAAS box suddenly disappears from the path, your TCP session is going down, whether it was being properly optimized or not.

They have to do this sort of thing, not just to optimize, but to recognize each other: If I'm "core WAAS", and I see a new TCP conn come in, I need to know just by looking at this conn whether it's coming from another WAAS or just an end host. So if I'm taking a new conn from an end host, when I pass it on I need to modify it so that other WAASes (WAASi? WAASen? ouch.) know that I'm out there.

In other words, there is no scenario #2, ever. I think the answer is pretty much #3 across the board.

As always though - someone jump in and correct me if I'm wrong here.
-Geoff

On Thu, May 21, 2009 at 11:58 PM, Lincoln Dale wrote:
> thus, to answer your question, anything that was previously eligible for
> optimization which now is forwarded rather than redirected (due to your
> redirect-list) will hit #3.
> for other traffic which may be sent to the WAAS box but where WAAS decides
> it's not worthwhile doing anything with, will likely have #2 apply.
>

From panocisco77 at gmail.com Fri May 22 10:43:49 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Fri, 22 May 2009 10:43:49 -0400
Subject: [c-nsp] Please give me your opinion in those two network designs
Message-ID: <16e2ac180905220743x6b20773amd5e176cc57a4656a@mail.gmail.com>

My company is expanding one of its sites:

They already have a voice enabled ISR 3845 router with etherswitch service module (NME-XD-48ES-2S-P) with 3x 6509-E

WAN: T3

The plan is for them to bring in four more 6509-E

Now here is my question:

Should I connect all these 7x 6509-E to that router with the etherswitch module?

or

Should I replace the 3845 with a 6509-E with sup720, 6724-SFP, 6748-ge-tx as my core and connect all 7x fully loaded 6509-E switches to it?

Some of my colleagues think it's not necessary to get another 6509-E with sup720 on the core.

What do you think?
From roger.wiklund at gmail.com Fri May 22 11:24:23 2009
From: roger.wiklund at gmail.com (Roger Wiklund)
Date: Fri, 22 May 2009 17:24:23 +0200
Subject: [c-nsp] 3560 cpu load question
In-Reply-To: <1242985752.3517.94.camel@localhost.localdomain>
References: <1242947388.14497.5.camel@localhost.localdomain> <40D9F781-63CB-4A38-9ED7-73DC8137993F@gmail.com> <1242985752.3517.94.camel@localhost.localdomain>
Message-ID:

Could be broadcast storms; configure a filter on the desired interface with the storm-control command. You can set thresholds for unicast, multicast and broadcast.

Regards

On Fri, May 22, 2009 at 11:49 AM, Peter Rathlev wrote:
> Would this switch happen to have a L3 interface in a VLAN with other
> hosts? Broadcasts are always sent to the CPU, so user traffic then might
> cause spikes.
>
> You can set up rmon to alert you specifically when the CPU load exceeds
> some threshold:
>
> rmon event 1 trap SecretCommunity description "Rising Event for busyPer" owner admin
> rmon event 2 trap SecretCommunity description "Falling Event for busyPer" owner admin
> rmon alarm 1 lsystem.56.0 60 absolute rising-threshold 90 1 falling-threshold 70 2 owner admin
>
> With EEM or a script on the trap receiver you could extract the process
> table at exactly the moment the CPU spikes occur.
>
> Regards,
> Peter
>

From p.mayers at imperial.ac.uk Fri May 22 11:41:10 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 22 May 2009 16:41:10 +0100
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <4A156E1D.2080404@templin.org>
References: <4A156E1D.2080404@templin.org>
Message-ID: <20090522154110.GB7549@wildfire.net.ic.ac.uk>

On Thu, May 21, 2009 at 04:07:09PM +0100, Pete Templin wrote:
>List,
>
>What do you put into your interface descriptions? Do you document
>circuit ID, far-end equipment/port, near-end equipment/port, and/or
>anything else?

Far end equipment, though I might reconsider that as LLDP takes hold.

>
>Pete

From brhedlun at cisco.com Fri May 22 11:44:34 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 22 May 2009 10:44:34 -0500
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To: <1242983140.3517.57.camel@localhost.localdomain> Message-ID: On 5/22/09 4:05 AM, "Peter Rathlev" wrote: > But the redistribution is only needed if you're not running iBGP > throughout your core, right? So most service providers and larger > enterprises will not have any problems. > > Or did I misunderstand PfR (with which I have no experience)? PfR relies on an iBGP session between the Border Routers for route control. This is usually not a problem because the pair of routers facing the Internet or WAN running eBGP will usually already have an iBGP link to each other (with or without PfR). PfR runs at the edge routers and does not need to be enabled everywhere through your core. http://www.cisco.com/go/pfr Cheers, Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org From sethm at rollernet.us Fri May 22 11:44:53 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Fri, 22 May 2009 08:44:53 -0700 Subject: [c-nsp] Please give me your opinion in those two network designs In-Reply-To: <16e2ac180905220743x6b20773amd5e176cc57a4656a@mail.gmail.com> References: <16e2ac180905220743x6b20773amd5e176cc57a4656a@mail.gmail.com> Message-ID: <4A16C875.4080307@rollernet.us> Renelson Panosky wrote: > My company is expanding one of his site : > > > > They already have a voice enable ISR 3845 router with etherswitch sevice > module (NME-XD-48ES-2S-P with 3x 6509-E > > WAN: T3 > > The plan is for them to bring four more 6509-E > > Now here is my question: > > Should i connect all this 7x 6509-E on that router with etherswitch module? > > or > > Should i replace the 3845 with 6509-E with sup720, 6724-SFP, 6748-ge-tx as > my core > and connect all 7x fully loaded 6509-E switch on it. > > Some of my colleagues think it's not necessary to get another 6509-E with > sup720 on the core. > > what do you think? If you're keeping the T3 you'll probably need to keep the 3845. Or you need a flexwan module and a PA-T3 for one of the 6509's. 
~Seth

From achatz at forthnet.gr Fri May 22 12:07:42 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 22 May 2009 19:07:42 +0300
Subject: [c-nsp] Limits of STP/RSTP/REP?
In-Reply-To: <20090522141526.GB2305@kallisti.us>
References: <4A14474D.10202@gmx.de> <20090520200403.GA13268@kallisti.us> <4A1467B3.5000705@gmx.de> <20090520233405.GA14624@kallisti.us> <4f909a820905210225m76dd8727o35da241ff124015@mail.gmail.com> <4A155A96.8070206@forthnet.gr> <4A155D20.7040107@forthnet.gr> <20090522141526.GB2305@kallisti.us>
Message-ID: <4A16CDCE.2040105@forthnet.gr>

That was for Rapid PVST+ (cisco prop). MST doesn't use such timers, besides MST0/IST (probably for compatibility outside the region).

switch(config)#spanning-tree mst 0 root primary diameter ?
  <2-7>  Maximum number of bridges between any two end nodes

switch(config)#spanning-tree mst 1 root primary ?
  

Keep in mind that the diameter value is just an internal IOS kind-of-macro that just changes automatically all other STP timers according to its value. So you can configure a diameter of 7, check the produced timers and then take the risk and increase them further.

Also 802.1D-2004 proposes some values for max-age in accordance with the other timers:

2 × (Bridge_Forward_Delay - 1.0 seconds) >= Bridge_Max_Age
Bridge_Max_Age >= 2 × (Bridge_Hello_Time + 1.0 seconds)

--
Tassos

Ross Vandegrift wrote on 22/05/2009 17:15:
> On Thu, May 21, 2009 at 04:54:40PM +0300, Tassos Chatzithomaoglou wrote:
>> switch(config)#spanning-tree vlan 7 root primary ?
>>   diameter  Network diameter of this spanning tree
>>
>>
>> switch(config)#spanning-tree vlan 7 root primary diameter ?
>>   <2-7>  Maximum number of bridges between any two end nodes
>
> Are those numbers for classic PVST? RST allows for larger diameter
> networks because TCNs don't have to propagate to the root and then
> back down. My numbers come from the MST version:
>
> lab(config)#spanning-tree mst max-hops ?
>   <1-255>  maximum number of hops a BPDU is valid
>
> Ross
>
>>
>> --
>> Tassos
>>
>> Tassos Chatzithomaoglou wrote on 21/05/2009 16:43:
>>> I had the impression that STP diameter defined the max number of bridges
>>> between 2 points.
>>> And the recommended value by the IEEE was 7 (using default timers).
>>>
>>> --
>>> Tassos
>>>
>>> Sergey Khalavchuk wrote on 21/05/2009 12:25:
>>>>> Definitely not more than 20 in a ring. As far as I know, IOS limits
>>>>> the value of max-hops to 20. This means you can't have a BPDU
>>>>> traverse more than 20 hops without being thrown away. If one pair of
>>>>> switches in the ring experienced a total cut, your network would have
>>>>> a diameter of 20, end to end.
>>>> this is STP limitation: MaxAge is by default 20 hops.
>>>> for IOS, you can change this value:
>>>>
>>>> Switch(config)#spanning-tree vlan 1 max-age ?
>>>>   <6-40>  maximum number of seconds the information in a BPDU is valid
>>>> or for MST
>>>> Switch(config)#spanning-tree mst max-age ?
>>>>   <6-40>  maximum number of seconds the information in a BPDU is valid
>>>>
>>>> value 40 is maximum bpdu hopcount for 3560 switch, for other models
>>>> there can be other upper limit.
>>>>
>>>> --
>>>> wbr
>>>> sergey khalavchuk
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>

From dbenson at swingpad.com Fri May 22 12:09:10 2009
From: dbenson at swingpad.com (Dan Benson)
Date: Fri, 22 May 2009 12:09:10 -0400
Subject: [c-nsp] Cat 6500 (IOS) dhcp Client
In-Reply-To: <3329cbb40905192352j94db4c9uc52e535c408aea21@mail.gmail.com>
References: <1D444DAF-52E5-4761-9D44-0826D6217B60@swingpad.com> <84F648FC-7A9C-4765-8B16-479175273CF3@enta.net> <3329cbb40905192352j94db4c9uc52e535c408aea21@mail.gmail.com>
Message-ID: 

Safe to assume I am up the river on this one then?

Thanks.
//db >> As strange as this sounds, I have a need to be assigned an address >> on a Cat6500 Running IOS via dhcp (to a vlan or a dedicated port). >> On most routers running IOS the command syntax is, "ip address >> dhcp" as just about anyone knows but on the sups running IOS >> (tested sup1a-ge/MSFC1, sup2 and sup720s) I have not found a way to >> be assigned an address. >> >> I can only assume this is because no one in their right mind would >> ever do this on this platform but my install is requiring such. >> Before I try a flexwan with a PA-FE in it has anyone out there had >> this issue and if so would you be so kind to pass along a solution >> if there is one. >> >> Thanks in advance for the time and help. //db From tstevens at cisco.com Fri May 22 12:20:05 2009 From: tstevens at cisco.com (Tim Stevenson) Date: Fri, 22 May 2009 09:20:05 -0700 Subject: [c-nsp] Nexus 7010 Racking In-Reply-To: <896a291f0905220630v3d6f2848pc83581ecb23b36fe@mail.gmail.co m> References: <896a291f0905220630v3d6f2848pc83581ecb23b36fe@mail.gmail.com> Message-ID: <200905221620.n4MGKBuB000664@sj-core-1.cisco.com> At 06:30 AM 5/22/2009, Ash Net noted: >Hi Folks, > >We're looking to Rack the 7010's and it seems that both front mount >and rail mount racking options are available. Not quite. N7K requires *both* the front-mounted L brackets (or "ears") *and* the bottom mounted rails, in a 4-post rack. http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/installation/guide/n7k_installation_7010.html More details on site requirements here: http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/site_prep/guide/siteprep_rack.html HTH, Tim >Does anybody have experience in rail mount racking of the 7k chassis >in the DC. Any details in relation to the cabinet types used and rail >mount parts list as well as experiences with such racking would be >great. 
> >Thanks in advance > >-- >Sent from my mobile device >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at >http://puck.nether.net/pipermail/cisco-nsp/ Tim Stevenson, tstevens at cisco.com Routing & Switching CCIE #5561 Technical Marketing Engineer, Cisco Nexus 7000 Cisco - http://www.cisco.com IP Phone: 408-526-6759 ******************************************************** The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only. From brhedlun at cisco.com Fri May 22 12:25:50 2009 From: brhedlun at cisco.com (Brad Hedlund) Date: Fri, 22 May 2009 11:25:50 -0500 Subject: [c-nsp] General performance based routing question? In-Reply-To: Message-ID: On 5/22/09 4:02 AM, "Benny Amorsen" wrote: > Does PfR do anything for incoming traffic, or is it strictly for > outgoing traffic? > > Dynamic, automatic management of BGP-prefix-prepending and BGP > communities would be quite neat. If Cisco solved that problem I'd be > very impressed. Benny, PfR uses BGP AS prepend to influence path selection for incoming traffic. For example if you have (2) ISP's and PfR detects that traffic through ISP#1 is experiencing packet loss or excessive latency, it can have the routers connected to ISP#1 prepend AS to make ISP#2 appear to be the best path to your domain. Cheers, Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org From jcdarby at usgs.gov Fri May 22 12:37:36 2009 From: jcdarby at usgs.gov (Justin C. Darby) Date: Fri, 22 May 2009 10:37:36 -0600 Subject: [c-nsp] Nexus 7010 Racking In-Reply-To: <200905221620.n4MGKBuB000664@sj-core-1.cisco.com> References: <896a291f0905220630v3d6f2848pc83581ecb23b36fe@mail.gmail.com> <200905221620.n4MGKBuB000664@sj-core-1.cisco.com> Message-ID: <4A16D4D0.7010308@usgs.gov> These things are heavy - I know from experience. 
Get a mechanical lift or be prepared with 4-6 people to lift. I did not have a lift, and we got it installed safely, but in retrospect, I should have rented the lift. Justin Tim Stevenson wrote: > At 06:30 AM 5/22/2009, Ash Net noted: > >> Hi Folks, >> >> We're looking to Rack the 7010's and it seems that both front mount >> and rail mount racking options are available. > > Not quite. N7K requires *both* the front-mounted L brackets (or > "ears") *and* the bottom mounted rails, in a 4-post rack. > > http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/installation/guide/n7k_installation_7010.html > > > > More details on site requirements here: > http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/site_prep/guide/siteprep_rack.html > > > > HTH, > Tim > >> Does anybody have experience in rail mount racking of the 7k chassis >> in the DC. Any details in relation to the cabinet types used and rail >> mount parts list as well as experiences with such racking would be >> great. >> >> Thanks in advance >> >> -- >> Sent from my mobile device >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> >> archive at >> http://puck.nether.net/pipermail/cisco-nsp/ >> > > > > > Tim Stevenson, tstevens at cisco.com > Routing & Switching CCIE #5561 > Technical Marketing Engineer, Cisco Nexus 7000 > Cisco - http://www.cisco.com > IP Phone: 408-526-6759 > ******************************************************** > The contents of this message may be *Cisco Confidential* > and are intended for the specified recipients only. 
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From chris at chrisserafin.com Fri May 22 12:40:50 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Fri, 22 May 2009 11:40:50 -0500
Subject: [c-nsp] 3750 not routing L3 ports...?
Message-ID: <4A16D592.7020809@chrisserafin.com>

I have a 3750 switch configured with 2 L3 ports but I cannot ping from one interface to the other. I normally just do IP addresses on VLANs and perform intra-vlan routing but I would assume this would work the same.... any ideas..?

xxx-02#ping 10.63.7.6 source 10.63.7.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.63.7.6, timeout is 2 seconds:
Packet sent with a source address of 10.63.7.2
.....
Success rate is 0 percent (0/5)
xxx-02#ping 10.63.7.6 source 10.63.7.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.63.7.6, timeout is 2 seconds:
Packet sent with a source address of 10.63.7.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
xxx-02#sh ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1/0/1   10.63.7.2       YES NVRAM  up                    up
GigabitEthernet1/0/2   10.63.7.5       YES NVRAM  up                    up
!

Here is the config:

interface GigabitEthernet1/0/1
 no switchport
 ip address 10.63.7.2 255.255.255.252
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 priority-queue out
 mls qos trust cos
 auto qos voip trust
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 10.63.7.5 255.255.255.252
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input xxxxxPolice-CiscoPhone
!
!
ip routing
ip default-gateway 10.63.7.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.63.7.6
ip route 10.0.0.0 255.0.0.0 10.63.7.1
ip route 10.63.4.192 255.255.255.192 10.63.7.6
ip route 10.63.30.0 255.255.255.0 10.63.7.1
ip route 10.254.254.0 255.255.255.0 10.63.7.6

-chris

From brhedlun at cisco.com Fri May 22 12:54:36 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 22 May 2009 11:54:36 -0500
Subject: [c-nsp] General performance based routing question?
In-Reply-To: <4A1675B3.4010603@forthnet.gr>
Message-ID: 

On 5/22/09 4:51 AM, "Tassos Chatzithomaoglou" wrote:

> I believe there are 2 major drawbacks in PfR:
>
> 1) traffic-classes/prefixes are limited (5000), so you cannot use it in an ISP
> environment
> (i don't know if using multiple MCs can increase that number)
> 2) not-basic cli config is quite complex (PfR manager from Fluke seems to
> solve that one)

1) With a 7200-NPE-G2 as a dedicated Master Controller you can manage 20K prefixes. Managed prefixes can be dynamically learned and always changing based on activity, or statically defined.

2) I definitely agree with that. PfR is not just one or two commands and you're done. It has a lot of nerd knobs.
Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexert.org

From panocisco77 at gmail.com Fri May 22 12:56:58 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Fri, 22 May 2009 12:56:58 -0400
Subject: [c-nsp] Please give me your opinion in those two network designs
In-Reply-To: 
References: <16e2ac180905220743x6b20773amd5e176cc57a4656a@mail.gmail.com>
Message-ID: <16e2ac180905220956l552914e1i53b1fc9cb363831e@mail.gmail.com>

Hey Seth

You are right, but the PA-T3 that I know of only goes in the 7200VXR, so what's the part number of the T3 card that goes in the 6509?

On Fri, May 22, 2009 at 12:37 PM, Larry Stites wrote:
> Renelson,
>
> When you expand with 4 x 6509-E Northern California Networks, Inc., (NCN)
> can supply at 4 x (WS-C6509-E & FAN)@$4500/ea - Rack kit and slot covers
> included. Previously owned, Smartnet eligible, fully tested and very clean.
>
> Tough economic conditions and heightened environmental awareness are
> reinforcing an already strong case to use previously owned network gear. By
> choosing one of the larger, more experienced secondary market
> organizations,
> businesses can be confident that their gear is authentic, has been fully
> tested and refurbished, ready for redeployment, delivered on time and as
> expected. NCN in association with United Network Equipment Dealers
> Association can supply most if not all of your CISCO requirements. Such as:
>
> WS-CAC-2500W $450.00
> WS-CAC-3000W $750.00
> WS-CAC-4000W $775.00
> WS-CAC-6000W $950.00
> With power cords
>
> SUP720-3BXL available for $8k.each
> Other supervisor modules available...
>
> WS-X6724-SFP w/CFC $2950.each
> WS-X6748-GE-TX $4500.each
> More 6500 series modules available...
>
> 90 day warranty with pre and post sales tech support - no charge.
>
> Please allow us an opportunity to win your business.
>
> --
>
> Best regards,
>
>
> Larry E. Stites
> Northern California Networks, Inc.
> United Network Equip. Dealers Assoc. Inc.
> CA LIC# SR KH 100-484111 > Nevada City, CA 95959 > cell 530 320 4194 > land 530 265 2588 > ncnet at sbcglobal.net > www.uneda.com > > > > on 5/22/09 7:43 AM, Renelson Panosky wrote: > > > My company is expanding one of his site : > > > > > > > > They already have a voice enable ISR 3845 router with etherswitch sevice > > module (NME-XD-48ES-2S-P with 3x 6509-E > > > > WAN: T3 > > > > The plan is for them to bring four more 6509-E > > > > Now here is my question: > > > > Should i connect all this 7x 6509-E on that router with etherswitch > module? > > > > or > > > > Should i replace the 3845 with 6509-E with sup720, 6724-SFP, 6748-ge-tx > as > > my core > > and connect all 7x fully loaded 6509-E switch on it. > > > > Some of my colleagues think it's not necessary to get another 6509-E with > > sup720 on the core. > > > > what do you think? > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > From sethm at rollernet.us Fri May 22 13:12:56 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Fri, 22 May 2009 10:12:56 -0700 Subject: [c-nsp] Please give me your opinion in those two network designs In-Reply-To: <16e2ac180905220956l552914e1i53b1fc9cb363831e@mail.gmail.com> References: <16e2ac180905220743x6b20773amd5e176cc57a4656a@mail.gmail.com> <16e2ac180905220956l552914e1i53b1fc9cb363831e@mail.gmail.com> Message-ID: <4A16DD18.5060706@rollernet.us> Renelson Panosky wrote: > Hey Seth > > you are right but the PA-T3 taht i know of only goes in the 7200VXR, so > what's the part number of the T3 card that goes to the 6509 > Same one. The flexwan module adds two PA slots. There's a datasheet on cisco.com somewhere, just look for flexwan. 
~Seth From achatz at forthnet.gr Fri May 22 13:22:59 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 22 May 2009 20:22:59 +0300 Subject: [c-nsp] General performance based routing question? In-Reply-To: References: Message-ID: <4A16DF73.9090707@forthnet.gr> Brad Hedlund wrote on 22/05/2009 19:54: > > On 5/22/09 4:51 AM, "Tassos Chatzithomaoglou" wrote: > >> I believe there are 2 major drawbacks in PfR: >> >> 1) traffic-classes/prefixes are limited (5000), so you cannot use it in a ISP >> environment >> (i don't know if using multiple MCs can increase that number) >> 2) not-basic cli config is quite complex (PfR manager from Fluke seems to >> solve that one) > > > 1) With a 7200-NPE-G2 as a dedicated Master Controller you can manage 20K > prefixes. Managed prefixes can be dynamically learned and always changing > based on activity, or statically defined. > I had the impression that 5000 was a platform independent limit. Nice to know that. Does this also mean that 7600 or ASR1k can do more? -- Tassos > 2) I definitely agree with that. PfR is not just one or two commands and > your done. It has a lot of nerd knobs. > > > > Cheers, > > Brad Hedlund > bhedlund at cisco.com > http://www.internetworkexert.org > > > > From brhedlun at cisco.com Fri May 22 13:34:46 2009 From: brhedlun at cisco.com (Brad Hedlund) Date: Fri, 22 May 2009 12:34:46 -0500 Subject: [c-nsp] General performance based routing question? In-Reply-To: <4A16DF73.9090707@forthnet.gr> Message-ID: On 5/22/09 12:22 PM, "Tassos Chatzithomaoglou" wrote: > I had the impression that 5000 was a platform independent limit. Nice to know > that. > Does this also mean that 7600 or ASR1k can do more? Good question. I don't know the answer to that. 
That would be a great question to ask in the "Deploying PfR" class at Cisco Live 2009 this year ;-)

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From moez1055 at yahoo.com Fri May 22 12:38:01 2009
From: moez1055 at yahoo.com (Moez Bhimji)
Date: Fri, 22 May 2009 09:38:01 -0700 (PDT)
Subject: [c-nsp] CSS flow-timeout-multiplier question
Message-ID: <87547.50151.qm@web38303.mail.mud.yahoo.com>

My customer uses a Cisco CSS 11500 for SLB. For a content rule, we don't use the application port and the nature of the port (tcp or udp), so we just have a service. My content rule is really generic.

Is there a way of differentiating UDP and TCP flow timeout with flow-timeout-multiplier? Maybe duplicating the content rule and changing the index? So same VIP but one for UDP and one for TCP? I've no platform to test it.

thx

From panocisco77 at gmail.com Fri May 22 14:23:37 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Fri, 22 May 2009 14:23:37 -0400
Subject: [c-nsp] Please give me your opinion in those two network designs
In-Reply-To: <4A16DD18.5060706@rollernet.us>
References: <16e2ac180905220743x6b20773amd5e176cc57a4656a@mail.gmail.com> <16e2ac180905220956l552914e1i53b1fc9cb363831e@mail.gmail.com> <4A16DD18.5060706@rollernet.us>
Message-ID: <16e2ac180905221123j7855ceb1j3e13660335b72b8f@mail.gmail.com>

Hey Seth

Thank you, I just found it on cisco

On Fri, May 22, 2009 at 1:12 PM, Seth Mattinen wrote:
> Renelson Panosky wrote:
> > Hey Seth
> >
> > you are right but the PA-T3 that I know of only goes in the 7200VXR, so
> > what's the part number of the T3 card that goes to the 6509
> >
>
> Same one. The flexwan module adds two PA slots. There's a datasheet on
> cisco.com somewhere, just look for flexwan.
> > ~Seth > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ashnet2009 at gmail.com Fri May 22 14:57:06 2009 From: ashnet2009 at gmail.com (Ash Net) Date: Fri, 22 May 2009 14:57:06 -0400 Subject: [c-nsp] Nexus 7010 Racking In-Reply-To: <4A16D4D0.7010308@usgs.gov> References: <896a291f0905220630v3d6f2848pc83581ecb23b36fe@mail.gmail.com> <200905221620.n4MGKBuB000664@sj-core-1.cisco.com> <4A16D4D0.7010308@usgs.gov> Message-ID: <896a291f0905221157m7ad1f9f8h4982389c1615418b@mail.gmail.com> This is great info. Thanks Tim and Justin. On 5/22/09, Justin C. Darby wrote: > These things are heavy - I know from experience. Get a mechanical lift > or be prepared with 4-6 people to lift. I did not have a lift, and we > got it installed safely, but in retrospect, I should have rented the lift. > > Justin > > Tim Stevenson wrote: >> At 06:30 AM 5/22/2009, Ash Net noted: >> >>> Hi Folks, >>> >>> We're looking to Rack the 7010's and it seems that both front mount >>> and rail mount racking options are available. >> >> Not quite. N7K requires *both* the front-mounted L brackets (or >> "ears") *and* the bottom mounted rails, in a 4-post rack. >> >> http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/installation/guide/n7k_installation_7010.html >> >> >> >> >> More details on site requirements here: >> http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/site_prep/guide/siteprep_rack.html >> >> >> >> >> HTH, >> Tim >> >>> Does anybody have experience in rail mount racking of the 7k chassis >>> in the DC. Any details in relation to the cabinet types used and rail >>> mount parts list as well as experiences with such racking would be >>> great. 
>>> >>> Thanks in advance >>> >>> -- >>> Sent from my mobile device >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> >>> >>> archive at >>> http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >> >> >> >> >> Tim Stevenson, tstevens at cisco.com >> Routing & Switching CCIE #5561 >> Technical Marketing Engineer, Cisco Nexus 7000 >> Cisco - http://www.cisco.com >> IP Phone: 408-526-6759 >> ******************************************************** >> The contents of this message may be *Cisco Confidential* >> and are intended for the specified recipients only. >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > -- Sent from my mobile device From rshughes at gmail.com Fri May 22 15:19:19 2009 From: rshughes at gmail.com (Ryan Hughes) Date: Fri, 22 May 2009 15:19:19 -0400 Subject: [c-nsp] Nexus 7010 Racking In-Reply-To: <4A16D4D0.7010308@usgs.gov> References: <896a291f0905220630v3d6f2848pc83581ecb23b36fe@mail.gmail.com> <200905221620.n4MGKBuB000664@sj-core-1.cisco.com> <4A16D4D0.7010308@usgs.gov> Message-ID: Same experience as Justin - get a lift! And make sure you're running enough power to it. On Fri, May 22, 2009 at 12:37 PM, Justin C. Darby wrote: > These things are heavy - I know from experience. Get a mechanical lift or > be prepared with 4-6 people to lift. I did not have a lift, and we got it > installed safely, but in retrospect, I should have rented the lift. > > Justin > > > Tim Stevenson wrote: > >> At 06:30 AM 5/22/2009, Ash Net noted: >> >> Hi Folks, >>> >>> We're looking to Rack the 7010's and it seems that both front mount >>> and rail mount racking options are available. >>> >> >> Not quite. 
N7K requires *both* the front-mounted L brackets (or "ears") >> *and* the bottom mounted rails, in a 4-post rack. >> >> >> http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/installation/guide/n7k_installation_7010.html >> >> >> More details on site requirements here: >> >> http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/site_prep/guide/siteprep_rack.html >> >> >> HTH, >> Tim >> >> Does anybody have experience in rail mount racking of the 7k chassis >>> in the DC. Any details in relation to the cabinet types used and rail >>> mount parts list as well as experiences with such racking would be >>> great. >>> >>> Thanks in advance >>> >>> -- >>> Sent from my mobile device >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at >>> http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> >> >> >> Tim Stevenson, tstevens at cisco.com >> Routing & Switching CCIE #5561 >> Technical Marketing Engineer, Cisco Nexus 7000 >> Cisco - http://www.cisco.com >> IP Phone: 408-526-6759 >> ******************************************************** >> The contents of this message may be *Cisco Confidential* >> and are intended for the specified recipients only. 
>> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jlewis at lewis.org Fri May 22 16:31:26 2009 From: jlewis at lewis.org (Jon Lewis) Date: Fri, 22 May 2009 16:31:26 -0400 (EDT) Subject: [c-nsp] AS5300 Modem Server In-Reply-To: <304301c9da35$079f6be0$16de43a0$@net> References: <304301c9da35$079f6be0$16de43a0$@net> Message-ID: On Thu, 21 May 2009, Ray Burkholder wrote: > Although they are almost a thing of the past, I still have to maintain a > dial up pool. I'd like to replace my Ascends with some used AS5300s. It > seems that there is a choice of MICA vs Microcomm modems. Any idea on which > would be preferred? > > Way back when, one bad experience with MICA: > http://networking.missouristate.edu/pub/news/19990506_BadMICA.htm Both are old...but the Microcomm are much older. I wasn't even aware there were 5300s with Microcomm's. I know we had some 5248's with them. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From benny+usenet at amorsen.dk Fri May 22 16:35:40 2009 From: benny+usenet at amorsen.dk (Benny Amorsen) Date: Fri, 22 May 2009 22:35:40 +0200 Subject: [c-nsp] How to improve C3750G switch uplink speed? 
In-Reply-To: <725755F5E728EE4086DAAF1A54DACF4F10B577DE@sea5exbe1.speakeasy.hq> (Jonathan Brashear's message of "Fri\, 22 May 2009 06\:01\:27 -0700")
References: <17476.196.46.241.57.1242125542.squirrel@nexmail1.nexlinx.net.pk> <725755F5E728EE4086DAAF1A54DACF4F10B577DE@sea5exbe1.speakeasy.hq>
Message-ID: 

Jonathan Brashear writes:

> As an aside, PVST can become an issue when you're scaling up into
> dozens/hundreds of VLANs.

The 3560/3750 series supports only 128 PVST instances. I discovered this the hard way.

/Benny

From geoff at pendery.net Fri May 22 17:01:33 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Fri, 22 May 2009 16:01:33 -0500
Subject: [c-nsp] 3750 not routing L3 ports...?
In-Reply-To: <4A16D592.7020809@chrisserafin.com>
References: <4A16D592.7020809@chrisserafin.com>
Message-ID: 

The host on the other side (10.63.7.6) needs a route back to 10.63.7.2. He'll see the .5 as connected, but not the .2. Add statics on the other side, or a routing protocol between the two.

-Geoff

On Fri, May 22, 2009 at 11:40 AM, ChrisSerafin wrote:
> I have a 3750 switch configured with 2 L3 ports but I cannot ping from one
> interface to the other. I normally just do IP addresses on VLAN and perform
> intra-vlan routing but I would assume this would work the same....any
> ideas..?
>
> xxx-02#ping 10.63.7.6 source 10.63.7.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.63.7.6, timeout is 2 seconds:
> Packet sent with a source address of 10.63.7.2
> .....
> Success rate is 0 percent (0/5)
> xxx-02#ping 10.63.7.6 source 10.63.7.5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.63.7.6, timeout is 2 seconds:
> Packet sent with a source address of 10.63.7.5
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
> xxx-02#sh ip int brie
> Interface              IP-Address      OK? Method Status                Protocol
> GigabitEthernet1/0/1   10.63.7.2       YES NVRAM  up                    up
> GigabitEthernet1/0/2   10.63.7.5       YES NVRAM  up                    up
> !
>
>
>
> Here is the config:
>
>
> interface GigabitEthernet1/0/1
> no switchport
> ip address 10.63.7.2 255.255.255.252
> srr-queue bandwidth share 10 10 60 20
> srr-queue bandwidth shape  10  0  0  0
> queue-set 2
> priority-queue out
> mls qos trust cos
> auto qos voip trust
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/2
> no switchport
> ip address 10.63.7.5 255.255.255.252
> srr-queue bandwidth share 10 10 60 20
> srr-queue bandwidth shape  10  0  0  0
> queue-set 2
> priority-queue out
> mls qos trust device cisco-phone
> mls qos trust cos
> auto qos voip cisco-phone
> spanning-tree portfast
> service-policy input xxxxxPolice-CiscoPhone
> !
> !
> ip routing
> ip default-gateway 10.63.7.1
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.63.7.6
> ip route 10.0.0.0 255.0.0.0 10.63.7.1
> ip route 10.63.4.192 255.255.255.192 10.63.7.6
> ip route 10.63.30.0 255.255.255.0 10.63.7.1
> ip route 10.254.254.0 255.255.255.0 10.63.7.6
>
>
> -chris
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From jlewis at lewis.org Fri May 22 17:05:48 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 22 May 2009 17:05:48 -0400 (EDT)
Subject: [c-nsp] How to improve C3750G switch uplink speed?
In-Reply-To: 
References: <17476.196.46.241.57.1242125542.squirrel@nexmail1.nexlinx.net.pk> <725755F5E728EE4086DAAF1A54DACF4F10B577DE@sea5exbe1.speakeasy.hq>
Message-ID: 

On Fri, 22 May 2009, Benny Amorsen wrote:

> Jonathan Brashear writes:
>
>> As an aside, PVST can become an issue when you're scaling up into
>> dozens/hundreds of VLANs.
>
> The 3560/3750 series supports only 128 PVST instances. I discovered this
> the hard way.

I just went searching for this to find the limit for 3550s, and couldn't find it.
Anyone have a pointer to where in the docs cisco says how many rapid-pvst instances can be done on the 3550 and 6509?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From dale.shaw+cisco-nsp at gmail.com Fri May 22 18:42:30 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 23 May 2009 08:42:30 +1000
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
In-Reply-To:
References: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com> <4A163105.3050701@cisco.com>
Message-ID: <3329cbb40905221542j4b205806i9a36f4d187f961b7@mail.gmail.com>

Hi Geoff,

On Sat, May 23, 2009 at 12:25 AM, Geoffrey Pendery wrote:
> If I'm "core WAAS", and I see a new TCP conn
> come in, I need to know just by looking at this conn whether it's
> coming from another WAAS or just an end host. So if I'm taking a new
> conn from an end host, when I pass it on I need to modify it so that
> other WAASes (WAASi? WAASen? ouch.) know that I'm out there.

Discovery of other WAAS devices is performed using TCP options. I haven't captured a SYN as it travels from an end host, through a WAAS, towards the destination, but I imagine that within the TCP option 'payload', the WAAS embeds its ID which is known to the far-end WAAS by virtue of their common link with the Central Manager. Pure speculation, but anyway, discovery IS performed using TCP options.

It is possible for a WAAS device to pass-through a connection without modifying the packet (TCP header) contents at all.

cheers,
Dale

From ltd at cisco.com Fri May 22 18:56:25 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Sat, 23 May 2009 08:56:25 +1000
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
In-Reply-To:
References: <3329cbb40905212038p401ac204hb9a89c09ca6aa5ad@mail.gmail.com> <4A163105.3050701@cisco.com>
Message-ID: <4A172D99.409@cisco.com>

Geoffrey Pendery wrote:
> I believe that the WAAS boxes also alter some of the TCP attributes
> (like jumping the SEQ number way up when it enters the local WAAS,
> then dropping it back down when it leaves the remote WAAS) in such a
>

not quite true. it uses TCP options on the initial SYN in order for the WAAS boxes to discover each other.

the sequence number change is for established sessions that ARE being optimized.

http://www.cisco.com/en/US/docs/safe_harbor/data_center/DCAP5/DataGuard.pdf gives a bit of detail on the processes involved, perhaps simplifying it somewhat, there is more voodoo involved than it says. :)

as such, there is still the possibility of both #2 and #3 as outcomes.

cheers,

lincoln.

From dale.shaw+cisco-nsp at gmail.com Fri May 22 20:10:24 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 23 May 2009 10:10:24 +1000
Subject: [c-nsp] Cat 6500 (IOS) dhcp Client
In-Reply-To:
References: <1D444DAF-52E5-4761-9D44-0826D6217B60@swingpad.com> <84F648FC-7A9C-4765-8B16-479175273CF3@enta.net> <3329cbb40905192352j94db4c9uc52e535c408aea21@mail.gmail.com>
Message-ID: <3329cbb40905221710g2b00525am71a897cc7dffcbf@mail.gmail.com>

Hi Dan,

On Sat, May 23, 2009 at 2:09 AM, Dan Benson wrote:
> Safe to assume I am up the river on this one then? Thanks. //db

The command lookup tool [1] suggests the 'ip address dhcp' command is available in 12.2SX and 12.2SR trains, but it "depends on your feature set, platform, and platform hardware"

Have a play around with the feature navigator tool [2], using the "DHCP Client" feature and your specific platform(s) and IOS as filters. Sometimes Feature Navigator tells lies, but generally steers you in the right direction :-)

cheers,
Dale

[1] http://tools.cisco.com/Support/CLILookup/cltSearchAction.do
[2] http://www.cisco.com/go/fn

From dale.shaw+cisco-nsp at gmail.com Fri May 22 20:43:55 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 23 May 2009 10:43:55 +1000
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <4A156E1D.2080404@templin.org>
References: <4A156E1D.2080404@templin.org>
Message-ID: <3329cbb40905221743h71291798ua345b9c48ad8a877@mail.gmail.com>

Hi Pete,

On Fri, May 22, 2009 at 1:07 AM, Pete Templin wrote:
>
> What do you put into your interface descriptions? Do you document circuit
> ID, far-end equipment/port, near-end equipment/port, and/or anything else?

Our L3VPN service provider uses this format on PE-CE interfaces:

user1 at T3NVB66AW11-RE1> show configuration interfaces ge-0/2/4.246
description "By ProJEN SRID#92658 : SLID#74826 : IPVPN (: QOS : #27740 : U4NN T3NV B66AW11 PRX005 : JOEBLOGGSCORP : JBC : WA : PERTH_33SMITH_63 : PR ): : : XX : : ";

Obviously ":" is used as a delimiter and some fields can be empty. Most fields map back to billing and provisioning system IDs. Some fields are customer specific and others link specific. "U4NN" and "L3NV" are building codes. "B66AW11" is the PE router's hostname suffix. "PR" is the business unit with the SP that owns the customer. This only references the L3VPN circuit ID -- the underlying PE-CE transmission gets a different ID.

I guess this is the other end of the spectrum to "description To ROUTER4 Fa0/0" :-)

cheers,
Dale

(field values changed to protect the innocent)

From largent at ai.net Fri May 22 20:14:50 2009
From: largent at ai.net (L'argent)
Date: Fri, 22 May 2009 20:14:50 -0400
Subject: [c-nsp] EoMPLS/Sup32/xconnect - missing something obvious
Message-ID: <4A173FFA.4040000@ai.net>

Setup: Two directly connected Sup32's, one running 12.2-33.SXH5, the other 12.2-33.SXI1, otherwise identical configurations.

Goal: Test (new) MPLS configuration using EoMPLS (xconnect) between G4/2 on each. I want to transport 1G over a 10G link between two sites.

Problem: The VC won't come up. Labels don't appear to be generated. Not sure what knob to twiddle to make it happy. LDP appears to see its neighbor, but no MPLS adjacency appears. I am guessing I'm missing something dead obvious.

Router 1:

mls ip slb purge global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action reset
mpls traffic-eng tunnels
mpls ldp graceful-restart
mpls ldp discovery targeted-hello accept
mpls ip default-route
mpls label range 50 524000
mpls label protocol ldp
pseudowire-class EtherEncap
 encapsulation mpls
 interworking ip
interface Loopback0
 ip address 10.0.0.113 255.255.255.255
interface GigabitEthernet4/2
 mtu 1526
 no ip address
 speed nonegotiate
 mpls ldp discovery transport-address interface
 mpls bgp forwarding
 mpls label protocol ldp
 mpls ip
 xconnect 10.0.0.114 100 encapsulation mpls
router ospf 1
 log-adjacency-changes
 network 10.0.0.113 0.0.0.0 area 0
 bfd all-interfaces
 mpls traffic-eng router-id Loopback0
!
router bgp 65517
 bgp router-id 10.0.0.113
 bgp log-neighbor-changes
 bgp confederation identifier 100
 bgp confederation peers 65516 65518
 neighbor 10.0.0.114 remote-as 65518
 neighbor 10.0.0.114 ebgp-multihop 255
 neighbor 10.0.0.114 update-source Loopback0
 neighbor 10.0.0.114 version 4
 !
 address-family ipv4
  neighbor 10.0.0.114 activate
  neighbor 10.0.0.114 send-label
  no auto-summary
  no synchronization
  network 10.0.0.113 mask 255.255.255.255
 exit-address-family
!
ip classless

#sh mpls l2 binding
  Destination Address: 10.0.0.114, VC ID: 100
    Local Label:  unassigned.
    Remote Label: unassigned

#sh mpls l2 vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Gi4/2          Ethernet                   10.0.0.114      100        DOWN

#sh mpls l2 vc detail
Local interface: Gi4/2 down, line protocol down, Ethernet down
  Destination address: 10.0.0.114, VC ID: 100, VC status: down
    Output interface: none, imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 00:53:56, last status change time: 00:53:56
  Signaling protocol: LDP, peer 10.0.0.114:0 up
    Targeted Hello: 10.0.0.113(LDP Id) -> 10.0.0.114
    MPLS VC labels: local unassigned, remote unassigned
    Group ID: local unknown, remote unknown
    MTU: local unknown, remote unknown
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, send 0

#sh ip route 10.0.0.114
Routing entry for 10.0.0.114/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 10.1.1.38 on TenGigabitEthernet5/1, 02:35:37 ago
  Routing Descriptor Blocks:
  * 10.1.1.38, from 10.0.0.114, 02:35:37 ago, via TenGigabitEthernet5/1
      Route metric is 2, traffic share count is 1

#sh mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet4/2     Yes           No       Yes No     No

#sh mpls ldp neigh
    Peer LDP Ident: 10.0.0.114:0; Local LDP Ident 10.0.0.113:0
        TCP connection: 10.0.0.114.1026 - 10.0.0.113.646
        State: Oper; Msgs sent/rcvd: 174/172; Downstream
        Up time: 02:20:12
        LDP discovery sources:
          Targeted Hello 10.0.0.113 -> 10.0.0.114, active, passive
        Addresses bound to peer LDP Ident:
          10.0.0.114      10.1.1.38

#sh xconnect all detail     <--- command doesn't exist on SXH5
Legend:    XC ST=Xconnect State, S1=Segment1 State, S2=Segment2 State
  UP=Up, DN=Down, AD=Admin Down, IA=Inactive, NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
DN     ac Gi4/2(Ethernet)                DN mpls 10.0.0.114:100               DN
            Interworking: ip                    Local VC label unassigned
                                                Remote VC label unassigned
                                                pw-class: EtherEncap

Router 2:

mls ip slb purge global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action reset
mpls traffic-eng tunnels
mpls ldp graceful-restart
mpls ldp discovery targeted-hello accept
mpls ip default-route
mpls label range 50 524000
mpls label protocol ldp
pseudowire-class EtherEncap
 encapsulation mpls
 interworking ip
interface Loopback0
 ip address 10.0.0.114 255.255.255.255
interface GigabitEthernet4/2
 mtu 1526
 no ip address
 speed nonegotiate
 mpls ldp discovery transport-address interface
 mpls bgp forwarding
 mpls label protocol ldp
 mpls ip
 bfd interval 50 min_rx 100 multiplier 3
 xconnect 10.0.0.113 100 encapsulation mpls
router ospf 1
 log-adjacency-changes
 network 10.0.0.114 0.0.0.0 area 0
 bfd all-interfaces
 mpls traffic-eng router-id Loopback0
!
router bgp 65518
 bgp router-id 10.0.0.114
 bgp log-neighbor-changes
 bgp confederation identifier 100
 bgp confederation peers 65517
 neighbor 10.0.0.113 remote-as 65517
 neighbor 10.0.0.113 ebgp-multihop 255
 neighbor 10.0.0.113 update-source Loopback0
 neighbor 10.0.0.113 version 4
 !
 address-family ipv4
  neighbor 10.0.0.113 activate
  neighbor 10.0.0.113 send-label
  no auto-summary
  no synchronization
  network 10.0.0.114 mask 255.255.255.255
 exit-address-family
!
ip classless

#sh mpls l2 binding
  Destination Address: 10.0.0.113, VC ID: 100
    Local Label:  unassigned.
    Remote Label: unassigned

#sh mpls l2 vc detail
Local interface: Gi4/2 down, line protocol down, Ethernet down
  MPLS VC type is Ethernet, interworking type is IP
  Destination address: 10.0.0.113, VC ID: 100, VC status: down
    Output interface: if-?(0), imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 02:11:47, last status change time: 02:11:30
  Signaling protocol: LDP, peer 10.0.0.113:0 up
    MPLS VC labels: local unassigned, remote unassigned
    Group ID: local unknown, remote unknown
    MTU: local unknown, remote unknown
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, send 0

#sh ip route 10.0.0.113
Routing entry for 10.0.0.113/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 10.1.1.37 on TenGigabitEthernet5/1, 02:34:18 ago
  Routing Descriptor Blocks:
  * 10.1.1.37, from 10.0.0.113, 02:34:18 ago, via TenGigabitEthernet5/1
      Route metric is 2, traffic share count is 1

#sh mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet4/2     Yes           No       Yes No     No

#sh mpls ldp neigh
    Peer LDP Ident: 10.0.0.113:0; Local LDP Ident 10.0.0.114:0
        TCP connection: 10.0.0.113.646 - 10.0.0.114.1026
        State: Oper; Msgs sent/rcvd: 173/175; Downstream
        Up time: 02:21:08
        LDP discovery sources:
          Targeted Hello 10.0.0.114 -> 10.0.0.113, active, passive
        Addresses bound to peer LDP Ident:
          10.0.0.113      10.1.1.34       10.1.1.37

*Feb 2 06:05:54.223: AToM MGR [10.0.0.114, 100]: Event provision, state changed from idle to provisioned
*Feb 2 06:05:54.223: AToM MGR [10.0.0.114, 100]: Provision vc
*Feb 2 06:05:54.223: AToM LDP [10.0.0.114]: Opening session, 1 clients
*Feb 2 06:05:54.223: AToM LDP [10.0.0.114]: Session is up
*Feb 2 06:05:54.227: AToM MGR [10.0.0.114, 100]: Signaling peer-id of VC changed to 10.0.0.114
*Feb 2 06:05:54.227: AToM MGR [10.0.0.114, 100]: Event ldp up, state changed from provisioned to ldp ready
*Feb 2 06:05:54.227: AToM MGR [10.0.0.114, 100]: Take no action
*Feb 2 06:05:54.231: AToM MGR [10.0.0.114, 100]: Event SSS service found, state changed from ldp ready to ldp ready
*Feb 2 06:05:54.231: AToM MGR [10.0.0.114, 100]: Take no action

--------------------------------------------

I've spent a few hours googling, searching and other things. It *seems* like this should be super-simple and I'm left thinking I've missed something obvious.

No labels are being assigned even though I believe I've correctly assigned VC ID:100 and agreed to IBGP internal exchange of routing information and labels.

I see 113(R1) sending a targeted hello to 114 (R2) and 114 seeing 113 up. The VC is down, even though L3 connectivity exists between the two loopbacks, the mpls config shows no adjacency, no default path, no output interface.

Every sample config I've seen online seems to agree with my config (that didn't still use terms like tagswitching or mpls l2connect), so I am pretty sure I am being completely bone-headed about this. I've matched mtu sizes on both interfaces, so that should be okay as well.

Please tell me where I've taken a wrong turn in MPLS land.

Thanks so much!

LA

From dale.shaw+cisco-nsp at gmail.com Fri May 22 22:16:43 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 23 May 2009 12:16:43 +1000
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
In-Reply-To:
References: <3329cbb40905212206w559c8f9cm90badb8035aa878f@mail.gmail.com>
Message-ID: <3329cbb40905221916m7ecc6575s3738d11384c4f517@mail.gmail.com>

Hi Brad,

On Sat, May 23, 2009 at 11:53 AM, Brad Hedlund wrote:
>
> One thing you could do to make this transition hitless would be to first
> apply "No Optimization" policies in your WAAS appliances for the flows in
> question (VoIP call signaling).
>
> Once this is done any new flows will go into "pass through" mode on WAAS
> while existing flows are still optimized.
> When all existing flows
> eventually close you have no optimized connections for this traffic and you
> can at this point apply your WCCP redirect list with no impact -- result #2.

Thanks for the suggestion -- I'll look into it. Hopefully the TCP flows in question are short-lived. I have a feeling, though, that at least some of them come up and stay up.

This is something I've observed, actually. When we do WAAS maintenance (firmware updates, code updates), we typically take the WAE out of service with "no wccp version 2" after setting the WCCP shutdown wait time to something really high - the max of 86400 seconds usually. This is an attempt to reduce the impact of reloading the WAE. More often than not, though, there are zillions of long-lived TCP sessions that we have no choice but to zap 'cause we can't wait forever. Looking at the connection stats, some TCP sessions last for days, weeks..

It'd be way cool if there was a way to gracefully hand off existing flows to another WAAS in the same group. I guess that would require some kind of state tracking between WAEs, similar to PIX/ASA connection state sync, or even stateful NAT.

On a related note, we had a head-end WAE die most ungracefully the other day. The fixed WCCPv2 timers meant that we were black-holing traffic for something like 30 seconds. This is why I'm looking at removing some traffic with the redirect-list. We've got some end systems that do not cope at all well when their precious TCP connection goes away.

cheers,
Dale

From ray at oneunified.net Fri May 22 21:05:34 2009
From: ray at oneunified.net (Ray Burkholder)
Date: Fri, 22 May 2009 22:05:34 -0300
Subject: [c-nsp] EoMPLS/Sup32/xconnect - missing something obvious
In-Reply-To: <4A173FFA.4040000@ai.net>
References: <4A173FFA.4040000@ai.net>
Message-ID: <351801c9db42$b1c741c0$1555c540$@net>

>
> Setup: Two directly connected Sup32's, one running
> 12.2-33.SXH5, the other 12.2-33.SXI1, otherwise identical
> configurations.
>
> Goal: Test (new) MPLS configuration using EoMPLS (xconnect) between
> G4/2
> on each. I want to transport 1G over a 10G link between two sites.
>
> Problem: The VC won't come up. Labels don't appear to be generated. Not
> sure what knob to twiddle to make it happy. LDP appears to see its
> neighbor, but no MPLS adjacency appears. I am guessing I'm missing
> something dead obvious.
>

I gather the g4/2 interfaces are tied together. You need inbound interfaces. These are the ones on which you do the xconnect. A L2 interface on one router gets labelled, crosses g4/2 to g4/2 and then gets 'xconnected' to the outbound l2 interface.

--
Scanned for viruses and dangerous content at http://www.oneunified.net and is believed to be clean.

From brhedlun at cisco.com Fri May 22 21:53:12 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 22 May 2009 20:53:12 -0500
Subject: [c-nsp] WCCPv2 - what happens to existing connections when redirect-list is modified?
In-Reply-To: <3329cbb40905212206w559c8f9cm90badb8035aa878f@mail.gmail.com>
Message-ID:

Dale,

One thing you could do to make this transition hitless would be to first apply "No Optimization" policies in your WAAS appliances for the flows in question (VoIP call signaling).

Once this is done any new flows will go into "pass through" mode on WAAS while existing flows are still optimized. When all existing flows eventually close you have no optimized connections for this traffic and you can at this point apply your WCCP redirect list with no impact -- result #2.

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

On 5/22/09 12:06 AM, "Dale Shaw" wrote:

> Hi all,
>
> On Fri, May 22, 2009 at 1:38 PM, Dale Shaw
> wrote:
>> Can anyone provide any insight?
>
> Thanks for the replies -- that makes sense. I'm proceeding on the
> basis that by _not_ intercepting/redirecting, the affected flows will
> barf, as I'm sure that TFO, at least, is in effect.
>
> FWIW, the affected TCP protocols are a bunch of Nortel media gateway
> to call server IPTel related (signalling) connections.
>
> cheers,
> Dale

From jacob at vargas.com Sat May 23 05:20:34 2009
From: jacob at vargas.com (Jacob Vargas)
Date: Sat, 23 May 2009 02:20:34 -0700
Subject: [c-nsp] Resolved: ASA5510 8.0(4) issue with DHCP RELAY (aka dhcprelay regression on latest pix 515 firmware)
Message-ID: <000001c9db87$bbc222e0$334668a0$@com>

ASA5510 8.0(4) issue with DHCP RELAY

Word from Cisco is:

This is a known bug CSCsq87533
1st Found in: 7.2 and 8.0(4)
Fixed-In: 7.2(4.17), 8.0(4.8), 8.2(0.166), 8.1(2.2), 8.0(4.220)

Interim releases. Requires Contract and "special file access" until publicly released.

From gert at greenie.muc.de Sat May 23 08:14:10 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 23 May 2009 14:14:10 +0200
Subject: [c-nsp] EoMPLS/Sup32/xconnect - missing something obvious
In-Reply-To: <4A173FFA.4040000@ai.net>
References: <4A173FFA.4040000@ai.net>
Message-ID: <20090523121410.GZ290@greenie.muc.de>

Hi,

On Fri, May 22, 2009 at 08:14:50PM -0400, L'argent wrote:
> interface GigabitEthernet4/2
>  mtu 1526
>  no ip address
>  speed nonegotiate
>  mpls ldp discovery transport-address interface
>  mpls bgp forwarding
>  mpls label protocol ldp
>  mpls ip
>  xconnect 10.0.0.114 100 encapsulation mpls

On the interface that forms the EoMPLS bridge ("towards the customer"), you should NOT enable any MPLS stuff. (I'm not sure what happens if you do, but that's not required).

You need the MPLS stuff on the 10G interface that interconnects the routers.

Then check "show ip cef 10.0.0.114" on this router, and it should tell you that a MPLS path exists ("nexthop ... label yy")

> #sh mpls l2 binding
>   Destination Address: 10.0.0.114, VC ID: 100
>     Local Label:  unassigned.
>     Remote Label: unassigned

This might be due to missing "mpls ip" on the 10G link.

> #sh mpls interfaces
> Interface              IP            Tunnel   BGP Static Operational
> GigabitEthernet4/2     Yes           No       Yes No     No

... indeed. Don't enable MPLS on the customer-facing ports, enable it on your "router-to-router" interfaces.

gert
--
USENET is *not* the non-clickable part of WWW!                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk Sat May 23 09:17:43 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 23 May 2009 15:17:43 +0200
Subject: [c-nsp] Cat 6500 (IOS) dhcp Client
In-Reply-To: <3329cbb40905221710g2b00525am71a897cc7dffcbf@mail.gmail.com>
References: <1D444DAF-52E5-4761-9D44-0826D6217B60@swingpad.com> <84F648FC-7A9C-4765-8B16-479175273CF3@enta.net> <3329cbb40905192352j94db4c9uc52e535c408aea21@mail.gmail.com> <3329cbb40905221710g2b00525am71a897cc7dffcbf@mail.gmail.com>
Message-ID: <1243084663.3547.13.camel@localhost.localdomain>

On Sat, 2009-05-23 at 10:10 +1000, Dale Shaw wrote:
> On Sat, May 23, 2009 at 2:09 AM, Dan Benson wrote:
> > Safe to assume I am up the river on this one then? Thanks. //db
>
> The command lookup tool [1] suggests the 'ip address dhcp' command is
> available in 12.2SX and 12.2SR trains, but it "depends on your feature
> set, platform, and platform hardware"
>
> Have a play around with the feature navigator tool [2], using the
> "DHCP Client" feature and your specific platform(s) and IOS as
> filters.
> Sometimes Feature Navigator tells lies, but generally steers
> you in the right direction :-)

Well, according to FN the SXF Advanced IP Services should support the command, but it doesn't work for me at least. One could open a TAC case to either have FN corrected or have the command implemented.

Regards,
Peter

From aa at tenet.ac.za Sat May 23 16:13:19 2009
From: aa at tenet.ac.za (Andrew Alston)
Date: Sat, 23 May 2009 22:13:19 +0200
Subject: [c-nsp] 7600 SRC, layer 2 switched traffic and netflow
Message-ID:

Hi Guys,

I'm wondering if anyone has a solution to the following:

I have netflow enabled and working on a 7600 running SRC, configured as follows:

mls flow ip interface-full
ip flow ingress layer2-switched vlan 137,190,282,500,1240,2750
ip flow-export source Vlan2750
ip flow-export version 5 origin-as bgp-nexthop
ip flow-export destination xxx.xxx.xxx.xxx 2055

Then the relevant ip flow ingress and ip flow egress on the various interfaces.

I'm looking at my netflow stats and all works fine if the traffic is routed. However, if the flow comes in on an interface (be it an SVI or a routed interface), and then gets switched to an SVI, the destination network in the flow is always recorded as 0.0.0.0/0

For example:

Flow comes in on G3/6 from 10.0.0.1, its destined for 172.16.3.4
Vlan 1240 is configured with IP Address 172.16.3.1/24

When I examine the netflow data, I can see traffic sourced from 10.0.0.1, I can see egress traffic on the SVI, the whole trip, but the destination network always shows up as 0.0.0.0/0

Any ideas?

Andrew

From largent at ai.net Sat May 23 19:54:06 2009
From: largent at ai.net (L'argent)
Date: Sat, 23 May 2009 19:54:06 -0400
Subject: [c-nsp] EoMPLS/Sup32/xconnect - missing something obvious
In-Reply-To: <20090523121410.GZ290@greenie.muc.de>
References: <4A173FFA.4040000@ai.net> <20090523121410.GZ290@greenie.muc.de>
Message-ID: <4A188C9E.6080306@ai.net>

Gert Doering wrote:
>
> On the interface that forms the EoMPLS bridge ("towards the customer"),
> you should NOT enable any MPLS stuff. (I'm not sure what happens if
> you do, but that's not required).
>
>
Ok. Removed.

> You need the MPLS stuff on the 10G interface that interconnects the
> routers.
>
> Then check "show ip cef 10.0.0.114" on this router, and it should tell
> you that a MPLS path exists ("nexthop ... label yy")
>
>
I posted the ip cef detail for the two loopbacks and I don't see a label applied after the nexthop. So no MPLS path exists. What should I check next?

>> #sh mpls l2 binding
>> Destination Address: 10.0.0.114, VC ID: 100
>> Local Label: unassigned.
>> Remote Label: unassigned
>>
>
> This might be due to missing "mpls ip" on the 10G link.
>
>
>> #sh mpls interfaces
>> Interface IP Tunnel BGP Static Operational
>> GigabitEthernet4/2 Yes No Yes No No
>>
>
> ... indeed. Don't enable MPLS on the customer-facing ports, enable it
> on your "router-to-router" interfaces.
>
> gert
>
So the topology looks like this:

G4/2-T5/1 <---> T5/1- G4/2.

G4/2 is customer facing.
Tengig 5/1 is router1 to router 2 facing.

Router 1's two interfaces now look like this:

interface GigabitEthernet4/2
 mtu 1526
 no ip address
 speed nonegotiate
 xconnect 10.0.0.114 100 pw-class EtherEncap

interface TenGigabitEthernet5/1
 mtu 1538
 ip address 10.1.1.37 255.255.255.252
 mpls traffic-eng tunnels
 mpls ldp discovery transport-address interface
 mpls bgp forwarding
 mpls label protocol ldp
 mpls ip

#sh ip cef 10.0.0.114 detail
10.0.0.114/32, epoch 4
  local label info: global/50
  nexthop 10.1.1.38 TenGigabitEthernet5/1

#sh ip cef 10.0.0.114
10.0.0.114/32
  nexthop 10.1.1.38 TenGigabitEthernet5/1

and

Router 2:

interface GigabitEthernet4/2
 mtu 1526
 no ip address
 speed nonegotiate
 xconnect 10.0.0.113 100 pw-class EtherEncap

interface TenGigabitEthernet5/1
 mtu 1538
 ip address 10.1.1.38 255.255.255.252
 mpls traffic-eng tunnels
 mpls ldp discovery transport-address interface
 mpls bgp forwarding
 mpls label protocol ldp
 mpls ip

#sh ip cef 10.0.0.113 detail
10.0.0.113/32, epoch 5
  local label info: global/21
  nexthop 10.1.1.37 TenGigabitEthernet5/1

#sh ip cef 10.0.0.113
10.0.0.113/32
  nexthop 10.1.1.37 TenGigabitEthernet5/1

----

I cleared the mpls ldp neighbors and they reestablished, but no other changes that I can determine. There does not appear to be an MPLS path between the two 10G interfaces.

sh mpls l2 binding on both routers shows unassigned labels, though the ip cef seems to show a local label assigned.

Where should I look next?

Thanks so much for the assistance so far!

From largent at ai.net Sat May 23 20:11:08 2009
From: largent at ai.net (L'argent)
Date: Sat, 23 May 2009 20:11:08 -0400
Subject: [c-nsp] EoMPLS/Sup32/xconnect - missing something obvious
In-Reply-To: <4A188C9E.6080306@ai.net>
References: <4A173FFA.4040000@ai.net> <20090523121410.GZ290@greenie.muc.de> <4A188C9E.6080306@ai.net>
Message-ID: <4A18909C.6010604@ai.net>

L'argent wrote:
> Gert Doering wrote:
>>
>> On the interface that forms the EoMPLS bridge ("towards the customer"),
>> you should NOT enable any MPLS stuff. (I'm not sure what happens if
>> you do, but that's not required).
>>
>>
> Ok. Removed.
>
>> You need the MPLS stuff on the 10G interface that interconnects the
>> routers.
>>
>> Then check "show ip cef 10.0.0.114" on this router, and it should tell
>> you that a MPLS path exists ("nexthop ... label yy")
>>
>>
> I posted the ip cef detail for the two loopbacks and I don't see a
> label applied after the nexthop. So no MPLS path exists. What should
> I check next?
>>> #sh mpls l2 binding
>>> Destination Address: 10.0.0.114, VC ID: 100
>>> Local Label: unassigned.
>>> Remote Label: unassigned
>>>
>>
>> This might be due to missing "mpls ip" on the 10G link.
>>
>>
>>> #sh mpls interfaces
>>> Interface IP Tunnel BGP Static Operational
>>> GigabitEthernet4/2 Yes No Yes No No
>>>
>>
>> ... indeed. Don't enable MPLS on the customer-facing ports, enable it
>> on your "router-to-router" interfaces.
>>
>> gert
>>
>
> So the topology looks like this:
>
> G4/2-T5/1 <---> T5/1- G4/2.
>
> G4/2 is customer facing.
> Tengig 5/1 is router1 to router 2 facing.
>
> Router 1's two interfaces now look like this:
>
> interface GigabitEthernet4/2
>  mtu 1526
>  no ip address
>  speed nonegotiate
>  xconnect 10.0.0.114 100 pw-class EtherEncap
>
> interface TenGigabitEthernet5/1
>  mtu 1538
>  ip address 10.1.1.37 255.255.255.252
>  mpls traffic-eng tunnels
>  mpls ldp discovery transport-address interface
>  mpls bgp forwarding
>  mpls label protocol ldp
>  mpls ip
>
> #sh ip cef 10.0.0.114 detail
> 10.0.0.114/32, epoch 4
>   local label info: global/50
>   nexthop 10.1.1.38 TenGigabitEthernet5/1
>
> #sh ip cef 10.0.0.114
> 10.0.0.114/32
>   n
exthop 10.1.1.38 TenGigabitEthernet5/1
>
> and
>
> Router 2:
>
> interface GigabitEthernet4/2
>  mtu 1526
>  no ip address
>  speed nonegotiate
>  xconnect 10.0.0.113 100 pw-class EtherEncap
>
> interface TenGigabitEthernet5/1
>  mtu 1538
>  ip address 10.1.1.38 255.255.255.252
>  mpls traffic-eng tunnels
>  mpls ldp discovery transport-address interface
>  mpls bgp forwarding
>  mpls label protocol ldp
>  mpls ip
>
> #sh ip cef 10.0.0.113 detail
> 10.0.0.113/32, epoch 5
>   local label info: global/21
>   nexthop 10.1.1.37 TenGigabitEthernet5/1
>
> #sh ip cef 10.0.0.113
> 10.0.0.113/32
>   nexthop 10.1.1.37 TenGigabitEthernet5/1
>
> ----
>
> I cleared the mpls ldp neighbors and they reestablished, but no other
> changes that I can determine. There does not appear to be an MPLS path
> between the two 10G interfaces.
>
> sh mpls l2 binding on both routers shows unassigned labels, though the
> ip cef seems to show a local label assigned.
>
> Where should I look next?
>
> Thanks so much for the assistance so far!

Both routers are reporting this on their tengig interfaces (now):

#sh mpls interfaces detail
Interface TenGigabitEthernet5/1:
        IP labeling enabled (ldp)
        LSP Tunnel labeling enabled
        BGP labeling enabled
        MPLS operational
        MTU = 1538

I don't know if there is some thing that should be reset to "reset" the xconnect, but I've tried a shut/no-shut without success.

Thanks.
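Gert's diagnosis in this thread (MPLS belongs on the router-to-router link, not on the customer-facing xconnect port) is mechanical enough to check before pasting a config in. The following is an added example, not code from this thread, from Cisco or from any poster: a small Python audit that parses IOS-style interface blocks and flags MPLS commands on an attachment circuit, a core link without `mpls ip`, and peer/VC ID/MTU mismatches between the two ends. The sample configs are constructed from the ones posted above, cut down to the relevant lines.

```python
import re
from typing import Dict, List

# Added example, not code from the thread. Constructed sample configs, cut down
# from the ones posted above: R1_BEFORE has the MPLS commands on the customer-
# facing port and none on the 10G core link; R1_AFTER / R2_AFTER follow the
# corrected layout Gert described (MPLS only on the router-to-router link).
R1_BEFORE = """\
interface Loopback0
 ip address 10.0.0.113 255.255.255.255
interface GigabitEthernet4/2
 mtu 1526
 no ip address
 mpls ip
 xconnect 10.0.0.114 100 encapsulation mpls
interface TenGigabitEthernet5/1
 mtu 1538
 ip address 10.1.1.37 255.255.255.252
!
"""
R1_AFTER = """\
interface Loopback0
 ip address 10.0.0.113 255.255.255.255
interface GigabitEthernet4/2
 mtu 1526
 no ip address
 xconnect 10.0.0.114 100 pw-class EtherEncap
interface TenGigabitEthernet5/1
 mtu 1538
 ip address 10.1.1.37 255.255.255.252
 mpls ip
!
"""
# Router 2 is the mirror image: loopback .114, xconnect towards .113, link .38.
R2_AFTER = (R1_AFTER.replace("10.0.0.113", "10.0.0.114")
            .replace("xconnect 10.0.0.114", "xconnect 10.0.0.113")
            .replace("10.1.1.37", "10.1.1.38"))
XCONNECT = re.compile(r"^xconnect (\S+) (\d+)\b")

def parse_interfaces(cfg: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [commands]}; '!' ends a block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def attachment_circuits(ifaces: Dict[str, List[str]]) -> Dict[str, dict]:
    """Interfaces carrying an xconnect, with peer address, VC ID and MTU."""
    acs = {}
    for name, cmds in ifaces.items():
        for cmd in cmds:
            m = XCONNECT.match(cmd)
            if m:
                mtu = next((int(c.split()[1]) for c in cmds if c.startswith("mtu ")), 1500)
                acs[name] = {"peer": m.group(1), "vcid": int(m.group(2)), "mtu": mtu}
    return acs

def loopback_addresses(ifaces: Dict[str, List[str]]) -> set:
    """Addresses on Loopback interfaces, i.e. the valid xconnect peer targets."""
    return {c.split()[2] for n, cmds in ifaces.items() if n.startswith("Loopback")
            for c in cmds if c.startswith("ip address ")}

def audit_router(cfg: str) -> List[str]:
    """Single-router findings: MPLS belongs on core links, not on the AC."""
    ifaces = parse_interfaces(cfg)
    acs = attachment_circuits(ifaces)
    findings = []
    for name in acs:
        if any(c.startswith("mpls ") for c in ifaces[name]):
            findings.append(f"{name}: attachment circuit carries MPLS commands; remove them")
        if any(c.startswith("ip address ") for c in ifaces[name]):
            findings.append(f"{name}: attachment circuit should have 'no ip address'")
    core = [n for n, c in ifaces.items()
            if n not in acs and not n.startswith("Loopback") and "mpls ip" in c]
    if acs and not core:
        findings.append("no core-facing interface has 'mpls ip'; VC labels will stay unassigned")
    return findings

def audit_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Cross-check the two pseudowire endpoints (assumes one xconnect per router)."""
    ia, ib = parse_interfaces(cfg_a), parse_interfaces(cfg_b)
    findings = audit_router(cfg_a) + audit_router(cfg_b)
    for (na, a), (nb, b) in zip(attachment_circuits(ia).items(), attachment_circuits(ib).items()):
        if a["peer"] not in loopback_addresses(ib) or b["peer"] not in loopback_addresses(ia):
            findings.append(f"{na}/{nb}: xconnect peer is not the far router's loopback")
        if a["vcid"] != b["vcid"]:
            findings.append(f"{na}/{nb}: VC IDs differ ({a['vcid']} vs {b['vcid']})")
        if a["mtu"] != b["mtu"]:
            findings.append(f"{na}/{nb}: AC MTUs differ ({a['mtu']} vs {b['mtu']})")
    return findings
```

Running `audit_router(R1_BEFORE)` reports the two problems from the first post (MPLS on Gi4/2, no `mpls ip` on the core link), while `audit_pair(R1_AFTER, R2_AFTER)` comes back clean.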
From zivl at gilat.net Sun May 24 03:47:36 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 24 May 2009 10:47:36 +0300
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <4A156E1D.2080404@templin.org>
References: <4A156E1D.2080404@templin.org>
Message-ID: 

I think all the others already gave a lot of examples, I can only add one
little suggestion. Omit the "connected to" prefix for a description and
save yourself some characters for more important info. What else can an
interface be other than "connected to" something else???? Isn't it
obvious?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pete Templin
Sent: Thursday, May 21, 2009 6:07 PM
To: Cisco Nsp
Subject: [c-nsp] Interface descriptions - what do you put in?

List,

What do you put into your interface descriptions? Do you document circuit
ID, far-end equipment/port, near-end equipment/port, and/or anything else?

Pete
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From gert at greenie.muc.de Sun May 24 05:02:13 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 24 May 2009 11:02:13 +0200
Subject: [c-nsp] EoMPLS/Sup32/xconnect - missing something obvious
In-Reply-To: <4A188C9E.6080306@ai.net>
References: <4A173FFA.4040000@ai.net> <20090523121410.GZ290@greenie.muc.de> <4A188C9E.6080306@ai.net>
Message-ID: <20090524090213.GE290@greenie.muc.de>

Hi,

On Sat, May 23, 2009 at 07:54:06PM -0400, L'argent wrote:
> interface TenGigabitEthernet5/1
>  mtu 1538
>  ip address 10.1.1.37 255.255.255.252
>  mpls traffic-eng tunnels
>  mpls ldp discovery transport-address interface
>  mpls bgp forwarding
>  mpls label protocol ldp
>  mpls ip

I'm not sure if you need *all* these MPLS commands - they might actually
interfere with the rest of your setup. We don't use MPLS TE, just "plain"
MPLS, and our interfaces just have

interface TenG x/y
 mtu ...
 ip addr 1.2.3.4 255.255.255.0
 mpls ip

and that's it.

OTOH, we use EIGRP as IGP, and I'm not sure whether you might have to
tweak something in OSPF to get the labels.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From pl+list at pmacct.net Sun May 24 07:22:18 2009
From: pl+list at pmacct.net (Paolo Lucente)
Date: Sun, 24 May 2009 12:22:18 +0100
Subject: [c-nsp] EoMPLS/Sup32/xconnect - missing something obvious
In-Reply-To: <4A173FFA.4040000@ai.net>
References: <4A173FFA.4040000@ai.net>
Message-ID: <20090524112218.GA28702@london.pmacct.net>

Hi,

make sure OSPF is configured properly and you can see router loopbacks
advertised in the IGP: LDP establishing adjacencies is not enough to
generate labels.
Also, as the pseudowire is simply Eth-to-Eth, I guess you don't want the
interworking feature (interworking ip) to lie within the pseudowire-class.

As Gert suggested, try a simplified configuration first.

Cheers,
Paolo

On Fri, May 22, 2009 at 08:14:50PM -0400, L'argent wrote:
>
>
> Setup: Two directly connected Sup32's, one running 12.2-33.SXH5, the
> other 12.2-33.SXI1, otherwise identical configurations.
> Goal: Test (new) MPLS configuration using EoMPLS (xconnect) between G4/2
> on each. I want to transport 1G over a 10G link between two sites.
>
> Problem: The VC won't come up. Labels don't appear to be generated. Not
> sure what knob to twiddle to make it happy. LDP appears to see its
> neighbor, but no MPLS adjacency appears. I am guessing I'm missing
> something dead obvious.
>
> Router 1:
>
> mls ip slb purge global
> mls netflow interface
> no mls flow ip
> no mls flow ipv6
> mls cef error action reset
> mpls traffic-eng tunnels
> mpls ldp graceful-restart
> mpls ldp discovery targeted-hello accept
> mpls ip default-route
> mpls label range 50 524000
> mpls label protocol ldp
>
> pseudowire-class EtherEncap
>  encapsulation mpls
>  interworking ip
>
> interface Loopback0
>  ip address 10.0.0.113 255.255.255.255
>
> interface GigabitEthernet4/2
>  mtu 1526
>  no ip address
>  speed nonegotiate
>  mpls ldp discovery transport-address interface
>  mpls bgp forwarding
>  mpls label protocol ldp
>  mpls ip
>  xconnect 10.0.0.114 100 encapsulation mpls
>
> router ospf 1
>  log-adjacency-changes
>  network 10.0.0.113 0.0.0.0 area 0
>  bfd all-interfaces
>  mpls traffic-eng router-id Loopback0
> !
> router bgp 65517
>  bgp router-id 10.0.0.113
>  bgp log-neighbor-changes
>  bgp confederation identifier 100
>  bgp confederation peers 65516 65518
>  neighbor 10.0.0.114 remote-as 65518
>  neighbor 10.0.0.114 ebgp-multihop 255
>  neighbor 10.0.0.114 update-source Loopback0
>  neighbor 10.0.0.114 version 4
>  !
>  address-family ipv4
>   neighbor 10.0.0.114 activate
>   neighbor 10.0.0.114 send-label
>   no auto-summary
>   no synchronization
>   network 10.0.0.113 mask 255.255.255.255
>  exit-address-family
> !
> ip classless
>
> #sh mpls l2 binding
>   Destination Address: 10.0.0.114,  VC ID: 100
>       Local Label:  unassigned.
>       Remote Label: unassigned
>
>
> #sh mpls l2 vc
>
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Gi4/2          Ethernet                   10.0.0.114      100        DOWN
>
> #sh mpls l2 vc detail
> Local interface: Gi4/2 down, line protocol down, Ethernet down
>   Destination address: 10.0.0.114, VC ID: 100, VC status: down
>     Output interface: none, imposed label stack {}
>     Preferred path: not configured
>     Default path: no route
>     No adjacency
>   Create time: 00:53:56, last status change time: 00:53:56
>   Signaling protocol: LDP, peer 10.0.0.114:0 up
>     Targeted Hello: 10.0.0.113(LDP Id) -> 10.0.0.114
>     MPLS VC labels: local unassigned, remote unassigned
>     Group ID: local unknown, remote unknown
>     MTU: local unknown, remote unknown
>     Remote interface description:
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 0, send 0
>     byte totals:   receive 0, send 0
>     packet drops:  receive 0, send 0
>
> #sh ip route 10.0.0.114
> Routing entry for 10.0.0.114/32
>   Known via "ospf 1", distance 110, metric 2, type intra area
>   Last update from 10.1.1.38 on TenGigabitEthernet5/1, 02:35:37 ago
>   Routing Descriptor Blocks:
>   * 10.1.1.38, from 10.0.0.114, 02:35:37 ago, via TenGigabitEthernet5/1
>       Route metric is 2, traffic share count is 1
>
> #sh mpls interfaces
> Interface              IP   Tunnel   BGP  Static   Operational
> GigabitEthernet4/2     Yes  No       Yes  No       No
>
> #sh mpls ldp neigh
>     Peer LDP Ident: 10.0.0.114:0; Local LDP Ident 10.0.0.113:0
>         TCP connection: 10.0.0.114.1026 - 10.0.0.113.646
>         State: Oper; Msgs sent/rcvd: 174/172; Downstream
>         Up time: 02:20:12
>         LDP discovery sources:
>           Targeted Hello 10.0.0.113 -> 10.0.0.114, active, passive
>         Addresses bound to peer LDP Ident:
>           10.0.0.114      10.1.1.38
>
>
> #sh xconnect all detail   <--- command doesn't exist on SXH5
> Legend:    XC ST=Xconnect State, S1=Segment1 State, S2=Segment2 State
>   UP=Up, DN=Down, AD=Admin Down, IA=Inactive, NH=No Hardware
> XC ST  Segment 1                         S1 Segment 2                         S2
> ------+---------------------------------+--+---------------------------------+--
> DN     ac Gi4/2(Ethernet)                DN mpls 10.0.0.114:100               DN
>            Interworking: ip                 Local VC label unassigned
>                                             Remote VC label unassigned
>                                             pw-class: EtherEncap
>
> Router 2:
>
> mls ip slb purge global
> mls netflow interface
> no mls flow ip
> no mls flow ipv6
> mls cef error action reset
> mpls traffic-eng tunnels
> mpls ldp graceful-restart
> mpls ldp discovery targeted-hello accept
> mpls ip default-route
> mpls label range 50 524000
> mpls label protocol ldp
>
> pseudowire-class EtherEncap
>  encapsulation mpls
>  interworking ip
>
> interface Loopback0
>  ip address 10.0.0.114 255.255.255.255
>
> interface GigabitEthernet4/2
>  mtu 1526
>  no ip address
>  speed nonegotiate
>  mpls ldp discovery transport-address interface
>  mpls bgp forwarding
>  mpls label protocol ldp
>  mpls ip
>  bfd interval 50 min_rx 100 multiplier 3
>  xconnect 10.0.0.113 100 encapsulation mpls
>
> router ospf 1
>  log-adjacency-changes
>  network 10.0.0.114 0.0.0.0 area 0
>  bfd all-interfaces
>  mpls traffic-eng router-id Loopback0
> !
> router bgp 65518
>  bgp router-id 10.0.0.114
>  bgp log-neighbor-changes
>  bgp confederation identifier 100
>  bgp confederation peers 65517
>  neighbor 10.0.0.113 remote-as 65517
>  neighbor 10.0.0.113 ebgp-multihop 255
>  neighbor 10.0.0.113 update-source Loopback0
>  neighbor 10.0.0.113 version 4
>  !
>  address-family ipv4
>   neighbor 10.0.0.113 activate
>   neighbor 10.0.0.113 send-label
>   no auto-summary
>   no synchronization
>   network 10.0.0.114 mask 255.255.255.255
>  exit-address-family
> !
> ip classless
>
> #sh mpls l2 binding
>   Destination Address: 10.0.0.113,  VC ID: 100
>       Local Label:  unassigned.
>       Remote Label: unassigned
>
> #sh mpls l2 vc detail
> Local interface: Gi4/2 down, line protocol down, Ethernet down
>   MPLS VC type is Ethernet, interworking type is IP
>   Destination address: 10.0.0.113, VC ID: 100, VC status: down
>     Output interface: if-?(0), imposed label stack {}
>     Preferred path: not configured
>     Default path: no route
>     No adjacency
>   Create time: 02:11:47, last status change time: 02:11:30
>   Signaling protocol: LDP, peer 10.0.0.113:0 up
>     MPLS VC labels: local unassigned, remote unassigned
>     Group ID: local unknown, remote unknown
>     MTU: local unknown, remote unknown
>     Remote interface description:
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 0, send 0
>     byte totals:   receive 0, send 0
>     packet drops:  receive 0, send 0
>
> #sh ip route 10.0.0.113
> Routing entry for 10.0.0.113/32
>   Known via "ospf 1", distance 110, metric 2, type intra area
>   Last update from 10.1.1.37 on TenGigabitEthernet5/1, 02:34:18 ago
>   Routing Descriptor Blocks:
>   * 10.1.1.37, from 10.0.0.113, 02:34:18 ago, via TenGigabitEthernet5/1
>       Route metric is 2, traffic share count is 1
>
>
> #sh mpls interfaces
> Interface              IP   Tunnel   BGP  Static   Operational
> GigabitEthernet4/2     Yes  No       Yes  No       No
>
> #sh mpls ldp neigh
>     Peer LDP Ident: 10.0.0.113:0; Local LDP Ident 10.0.0.114:0
>         TCP connection: 10.0.0.113.646 - 10.0.0.114.1026
>         State: Oper; Msgs sent/rcvd: 173/175; Downstream
>         Up time: 02:21:08
>         LDP discovery sources:
>           Targeted Hello 10.0.0.114 -> 10.0.0.113, active, passive
>         Addresses bound to peer LDP Ident:
>           10.0.0.113      10.1.1.34       10.1.1.37
>
>
> *Feb  2 06:05:54.223: AToM MGR [10.0.0.114, 100]: Event provision, state changed from idle to provisioned
> *Feb  2 06:05:54.223: AToM MGR [10.0.0.114, 100]: Provision vc
> *Feb  2 06:05:54.223: AToM LDP [10.0.0.114]: Opening session, 1 clients
> *Feb  2 06:05:54.223: AToM LDP [10.0.0.114]: Session is up
> *Feb  2 06:05:54.227: AToM MGR [10.0.0.114, 100]: Signaling peer-id of VC changed to 10.0.0.114
> *Feb  2 06:05:54.227: AToM MGR [10.0.0.114, 100]: Event ldp up, state changed from provisioned to ldp ready
> *Feb  2 06:05:54.227: AToM MGR [10.0.0.114, 100]: Take no action
> *Feb  2 06:05:54.231: AToM MGR [10.0.0.114, 100]: Event SSS service found, state changed from ldp ready to ldp ready
> *Feb  2 06:05:54.231: AToM MGR [10.0.0.114, 100]: Take no action
>
> --------------------------------------------
>
> I've spent a few hours googling, searching and other things. It *seems*
> like this should be super-simple and I'm left thinking I've missed
> something obvious.
>
> No labels are being assigned even though I believe I've correctly
> assigned VC ID:100 and agreed to IBGP internal exchange of routing
> information and labels.
>
> I see 113(R1) sending a targeted hello to 114 (R2) and 114 seeing 113
> up. The VC is down, even though L3 connectivity exists between the two
> loopbacks, the mpls config shows no adjacency, no default path, no
> output interface.
>
> Every sample config I've seen online seems to agree with my config (that
> didn't still use terms like tagswitching or mpls l2connect), so I am
> pretty sure I am being completely bone-headed about this. I've matched
> mtu sizes on both interfaces, so that should be okay as well.
>
> Please tell me where I've taken a wrong turn in MPLS land.
>
> Thanks so much!
>
> LA

From scubacuda at gmail.com Sun May 24 10:31:08 2009
From: scubacuda at gmail.com (Rogelio)
Date: Sun, 24 May 2009 07:31:08 -0700
Subject: [c-nsp] reasons for giving new VLAN int a new IP
Message-ID: <4A195A2C.4060300@gmail.com>

I've got a general question about VLANs that grew out of two separate
VLAN implementations -- one on Cisco switches and another one on BelAir
BA200 radios:

Do you have to put an IP on that VLAN for traffic to flow? Or only if
you'd like to manage it from that VLAN?

Obviously, in general, an IP address (or even a correct IP address) on a
layer two device isn't necessary for traffic to flow through it, but I
was thinking that there might be a possibility that some other "thing"
(limitation in vendor implementations, practicality, feature set,
controllers to work, etc) compelled putting an IP address on.

I've always added an IP on each VLAN on Cisco switches and recently
started doing it on the BelAir BA200 quad radios out of habit. (A
coworker said that it wasn't required, and normally I'd test it out, but
I'm not in a position to easily test out this theory.)

Nothing earth shattering, but if anyone had any insight on the matter,
I'd love to hear it.

From sthaug at nethelp.no Sun May 24 14:03:34 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sun, 24 May 2009 20:03:34 +0200 (CEST)
Subject: [c-nsp] reasons for giving new VLAN int a new IP
In-Reply-To: <4A195A2C.4060300@gmail.com>
References: <4A195A2C.4060300@gmail.com>
Message-ID: <20090524.200334.74699266.sthaug@nethelp.no>

> I've always added an IP on each VLAN on Cisco switches and recently
> started doing it on the BelAir BA200 quad radios out of habit.
> (A coworker said that it wasn't required, and normally I'd test it out, but
> I'm not in a position to easily test out this theory.)

A switch doing L2 only may need an IP address for management purposes.
However, it certainly will *not* need a VLAN *interface* complete with IP
address for each VLAN you create. So the general principle is - one
management VLAN (which should *not* be VLAN 1) with IP address, and then
any other VLAN is simply a VLAN, it does not have an interface or IP
address.

If you're using the switch as an L3 router, it's another ballgame of
course.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From jmaimon at ttec.com Sun May 24 15:23:57 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Sun, 24 May 2009 15:23:57 -0400
Subject: [c-nsp] c7200 format bootflash: etc
In-Reply-To: <20051123020023.C30902@freelsd.net>
References: <20051123020023.C30902@freelsd.net>
Message-ID: <4A199ECD.6080103@ttec.com>

Hey,

I am having the same issue with an I/O controller. I have been trying
different combinations of IOS, but I can't seem to get this resolved.

Do you have c7200-boot-mz.120-21.ST.bin ?

Thanks,

Joe

FreeLSD wrote:
> btw, seems 122-14.S15 and 122-18.S10 have broken format for bootflash:
> and card?:, because rommon can't read it after formatting.
> but after loading IOS, card/bootflash can be perfectly read/formatted/written.
>
> reformatting such cards with c7200-boot-mz.120-21.ST.bin has a good result,
> it can be read by rommon. (success with slot?: cards. didn't try the
> bootflash: case, because I have no time... router in production :)
>
> workaround:
> boot system disk1:c7200-p-mz.122-18.S10.bin
> boot bootldr disk1:c7200-kboot-mz.122-18.S10.bin
>
> ps. tested on two c72xx routers
>
> System Bootstrap, Version 12.1(20000710:044039) [nlaw-121E_npeb 117], DEVELOPMENT SOFTWARE
> Copyright (c) 1994-2000 by cisco Systems, Inc.
> C7200 platform with 524288 Kbytes of main memory
>
> getdevnum warning: device "boot flash" has size of zero
> getdevnum warning: device "boot flash" has size of zero
> open: read error...requested 0x4 bytes, got 0xffffffff
> trouble reading device magic number
> boot: cannot open "bootflash:"
> an alternate boot helper program is not specified
> (monitor variable "BOOTLDR" is not set)
> and unable to determine first file in bootflash
> loadprog: error - on file open
> boot: cannot load "cisco2-C7200"
>
> ...
>
> rommon 3 > dev
> Devices in device table:
>         id  name
>  bootflash:  boot flash
>      slot0:  PCMCIA slot 0
>      slot1:  PCMCIA slot 1
>      disk0:  PCMCIA slot 0
>      disk1:  PCMCIA slot 1
>      eprom:  eprom
> rommon 4 > dir bootflash:
> getdevnum warning: device "boot flash" has size of zero
> getdevnum warning: device "boot flash" has size of zero
> getdevnum warning: device "boot flash" has size of zero
> getdevnum warning: device "boot flash" has size of zero
> getdevnum warning: device "boot flash" has size of zero
> open: read error...requested 0x4 bytes, got 0xffffffff
> trouble reading device magic number
> dir: cannot open device "bootflash:"
>

From rkitsolution at yahoo.com Mon May 25 01:14:38 2009
From: rkitsolution at yahoo.com (ram krishna khati)
Date: Sun, 24 May 2009 22:14:38 -0700 (PDT)
Subject: [c-nsp] cisco 2950G
Message-ID: <948523.68328.qm@web53612.mail.re2.yahoo.com>

Hi all,

Error on initialize VLAN database 1: VTP feature not yet initialized[OK]

Anybody know what this error means? Device running WS-C2950G-48-EI in
Transparent VTP mode.

Please help me: how can I solve this problem?
Thank You,

Regards
Ram Krishna

From koug at intracom.gr Mon May 25 04:24:09 2009
From: koug at intracom.gr (John Kougoulos)
Date: Mon, 25 May 2009 11:24:09 +0300 (GTB Daylight Time)
Subject: [c-nsp] How to improve C3750G switch uplink speed?
In-Reply-To: 
References: <17476.196.46.241.57.1242125542.squirrel@nexmail1.nexlinx.net.pk> <725755F5E728EE4086DAAF1A54DACF4F10B577DE@sea5exbe1.speakeasy.hq>
Message-ID: 

On Fri, 22 May 2009, Jon Lewis wrote:

> On Fri, 22 May 2009, Benny Amorsen wrote:
>
>> Jonathan Brashear writes:
>>
>>> As an aside, PVST can become an issue when you're scaling up into
>>> dozens/hundreds of VLANs.
>>
>> The 3560/3750 series supports only 128 PVST instances. I discovered this
>> the hard way.
>
> I just went searching for this to find the limit for 3550s, and couldn't find
> it. Anyone have a pointer to where in the docs cisco says how many
> rapid-pvst instances can be done on the 3550 and 6509?
>

For the 3550:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swvlan.html#wp1353846

It is hidden in the Supported VLAN configuration section

From affanzbasalamah at gmail.com Mon May 25 11:02:42 2009
From: affanzbasalamah at gmail.com (Affan Basalamah)
Date: Mon, 25 May 2009 22:02:42 +0700
Subject: [c-nsp] POS SPA card offline in event of SDH link problem
Message-ID: 

Hi all,

I experienced this case less than a month ago. I have an installation of
one STM-1 link connected to a SPA-2XOC3-POS in a 7600-SIP-200 on a 7609
running SRC3.

It happened when I had a problem with my SDH link from my provider. After
the problem happened, they told me that the problem came from their SDH
equipment.

When the problem happened, these messages were logged:

May 11 06:12:06.069: %DIAG-SP-6-RUN_MINIMUM: Module 1/1: Running Minimal Diagnostics...
May 11 06:12:06.701: %DIAG-SP-6-DIAG_OK: Module 1/1: Passed Online Diagnostics
.May 11 06:12:07.073: %SPA_OIR-6-ONLINECARD: SPA (SPA-2XOC3-POS) online in subslot 1/1
.May 11 06:12:08.077: %SONET-4-ALARM: POS1/1/0: B1 declared
.May 11 06:13:33.489: %SPA_OIR-6-OFFLINECARD: SPA (SPA-2XOC3-POS) offline in subslot 1/1
SLOT 1: May 11 06:13:33.461: %INTR_MGR-3-INTR: PL3 RX Sequence error

My POS interface just kept restarting on and off during the event. The
whole module just shut down, came back on again, and went off again.

I am looking for an explanation of what caused this event. I just don't
want to see a problem with my link cause the whole SPA module to shut
off.

Thanks for your comments/ideas/suggestions to prevent this event from
happening again.

Regards,

-affan

From leonardo.souza at nec.com.br Mon May 25 12:44:51 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Mon, 25 May 2009 13:44:51 -0300
Subject: [c-nsp] RES: Interface descriptions - what do you put in?
In-Reply-To: 
References: <4A156E1D.2080404@templin.org>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D024D8049@spsrvmail03.nec.br>

I would avoid using special characters like \ and #. You may face some
issues with ISC and other software.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: Sunday, 24 May 2009 04:48
To: Cisco Nsp
Subject: Re: [c-nsp] Interface descriptions - what do you put in?

I think all the others already gave a lot of examples, I can only add one
little suggestion. Omit the "connected to" prefix for a description and
save yourself some characters for more important info. What else can an
interface be other than "connected to" something else???? Isn't it
obvious?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pete Templin
Sent: Thursday, May 21, 2009 6:07 PM
To: Cisco Nsp
Subject: [c-nsp] Interface descriptions - what do you put in?

List,

What do you put into your interface descriptions? Do you document circuit
ID, far-end equipment/port, near-end equipment/port, and/or anything else?

Pete

From asturluismi at gmail.com Mon May 25 13:47:29 2009
From: asturluismi at gmail.com (luismi)
Date: Mon, 25 May 2009 19:47:29 +0200
Subject: [c-nsp] Interface descriptions - what do you put in?
In-Reply-To: <4A163F83.8040209@oucs.ox.ac.uk>
References: <4A156E1D.2080404@templin.org> <74b0c3330905212122r4eccdf8tc3310987afb1c8e3@mail.gmail.com> <4A163F83.8040209@oucs.ox.ac.uk>
Message-ID: <1243273649.7245.2.camel@dsba-ipso>

What we do here....
Area Code - Severity - Description

Example:

A - 00 - Gi0/1 FEC12 SW8 BT_Internet

Where...

A is IP team
00 is total service disruption if interface is down
Gi0/1 FEC12 SW8 BT_Internet, remote end of the cable as type of traffic inside

On Fri, 22-05-2009 at 07:00 +0100, Oliver Gorwits wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> wrote:
>>> What do you put into your interface descriptions? Do you
>>> document circuit ID, far-end equipment/port, near-end
>>> equipment/port, and/or anything else?
>
> On occasion we add a coded message to tell our monitoring system to
> do something different with that port.
>
> A simple example - "[DNA]" in the description for "Do Not Alert".
>
> HTH,
>
> - --
> Oliver Gorwits, Network and Telecommunications Group,
> Oxford University Computing Services
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFKFj+D2NPq7pwWBt4RAuIyAJoD8TSodxQEG8G+gSZD5YzMmDvqFACgzOSd
> viAYXP1Y2V2YmbLRlcdP9lg=
> =Fex1
> -----END PGP SIGNATURE-----

From ayourtch at cisco.com Mon May 25 13:59:23 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Mon, 25 May 2009 19:59:23 +0200 (CEST)
Subject: [c-nsp] WAS: dhcprelay regression on latest pix 515 firmware (8.0.4) NOW: ASA5510 8.0(4) issue with DHCP RELAY
In-Reply-To: <000301c9da9e$155093e0$3ff1bba0$@com>
References: <000301c9da9e$155093e0$3ff1bba0$@com>
Message-ID: 

Hi Jake,

sorry for the delay with the reply - and top-posting to avoid having the
rest scroll through the debugs in case they find my scribbles of any use.
From the messages you mentioned it looks like it's the *reply* from the
server (presumably, DHCPACK) that gets dropped by the ASA because of no
binding, rather than the request - you should be able to verify with the
sniffer trace (or capture, for that matter) on the DHCP server interface,
that the request is forwarded, and the DHCPACK is being received and
thrown away because of no binding.

Upon a quick look at the code, "in principle" this should work - the
DHCPREQUEST should create a binding, and the DHCPACK from the server
should hit it and get forwarded by the ASA. So, either the binding does
not get created, or it does not get found. You can verify with "show dhcpd
binding all" if you see anything at all pertaining to that client during
those.

Actually, even better - if there is a simultaneous pcap from the client
interface and the server interface, a simple tcpreplay of DHCPREQUEST and
DHCPACK should allow one to see the problem in the lab - please collect
those captures if they're not yet in the case.

As far as explaining how the things should work: standards are a good
tool for that :-)

RFC2131 (which is the standards-track one for DHCP), page 13:

"
   DHCPREQUEST  -  Client message to servers either (a) requesting
                   offered parameters from one server and implicitly
                   declining offers from all others, (b) confirming
                   correctness of previously allocated address after,
                   e.g., system reboot, or (c) extending the lease on a
                   particular network address.
"

The scenario is "(b)" right there, I think.

The more detailed procedure is described at the bottom of page 16 (as per
the layout on http://www.ietf.org/rfc/rfc2131.txt) - it's a pretty clear
explanation, IMHO.

If there is a misunderstanding after presenting that description - please
use the standard escalation procedure
(http://www.cisco.com/kobayashi/news_training/tac_overview.html#howcaniescalate)

cheers,
andrew

p.s. also could you please unicast me the SR#.
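The relay behaviour Andrew describes above (the client's request creates a binding; the server's reply is forwarded only if it hits that binding, otherwise it is thrown away "because of no binding") can be modelled in a few dozen lines. The following is an added example, not code from the thread, from Cisco or from the ASA: the Dhcp record, the Relay class, the bind_on_any_request policy flag and the transaction IDs are assumptions, used only to contrast a relay that binds on every BOOTREQUEST with one that binds only when the exchange starts with a DISCOVER (one of the two possibilities Andrew names, "the binding does not get created"). The giaddr, server address and client MAC are the ones quoted in the thread.

```python
"""Simplified model of DHCP relay bindings (added example, not ASA code).

A relay forwards the client's BOOTREQUEST with giaddr set and remembers a
binding for the client's hardware address; the server's BOOTREPLY is
forwarded only when that binding exists, otherwise it is dropped.
"""
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2


@dataclass
class Dhcp:
    op: int            # BOOTREQUEST (client -> server) or BOOTREPLY
    mtype: str         # DISCOVER, OFFER, REQUEST, ACK or NAK
    chaddr: str        # client hardware address
    xid: int           # transaction id (constructed values below)
    giaddr: str = "0.0.0.0"


class Relay:
    def __init__(self, giaddr, server, bind_on_any_request=True):
        self.giaddr, self.server = giaddr, server
        # Assumed policy flag: a correct relay binds on every BOOTREQUEST;
        # the faulty behaviour reported in the thread is modelled as binding
        # only when the exchange starts with a DISCOVER.
        self.bind_on_any_request = bind_on_any_request
        self.bindings = {}   # chaddr -> xid
        self.log = []

    def from_client(self, pkt):
        """Relay a BOOTREQUEST towards the server; returns the forwarded copy."""
        assert pkt.op == BOOTREQUEST
        if pkt.mtype == "DISCOVER" or self.bind_on_any_request:
            self.bindings[pkt.chaddr] = pkt.xid
            self.log.append(f"relay binding created for client {pkt.chaddr}")
        self.log.append(f"request from {pkt.chaddr} forwarded to {self.server}")
        return Dhcp(pkt.op, pkt.mtype, pkt.chaddr, pkt.xid, giaddr=self.giaddr)

    def from_server(self, pkt):
        """Relay a BOOTREPLY to the client, or drop it when no binding matches."""
        assert pkt.op == BOOTREPLY
        if self.bindings.get(pkt.chaddr) != pkt.xid:
            self.log.append(f"can't find binding for {pkt.chaddr}; reply dropped")
            return None
        if pkt.mtype in ("ACK", "NAK"):   # exchange complete, binding released
            del self.bindings[pkt.chaddr]
            self.log.append(f"relay binding deleted for client {pkt.chaddr}")
        self.log.append(f"forwarding reply to client {pkt.chaddr}")
        return pkt


def init_reboot(relay, chaddr="0015.17aa.4ae8", xid=0x2a):
    """RFC 2131 case (b): the client confirms its old lease with a bare REQUEST."""
    fwd = relay.from_client(Dhcp(BOOTREQUEST, "REQUEST", chaddr, xid))
    # Constructed server reply: the requested address is still valid.
    return relay.from_server(Dhcp(BOOTREPLY, "ACK", chaddr, xid, fwd.giaddr))


def full_exchange(relay, chaddr="0015.17aa.4ae8", xid=0x2b):
    """RFC 2131 case (a): DISCOVER/OFFER/REQUEST/ACK from scratch."""
    fwd = relay.from_client(Dhcp(BOOTREQUEST, "DISCOVER", chaddr, xid))
    relay.from_server(Dhcp(BOOTREPLY, "OFFER", chaddr, xid, fwd.giaddr))
    fwd = relay.from_client(Dhcp(BOOTREQUEST, "REQUEST", chaddr, xid))
    return relay.from_server(Dhcp(BOOTREPLY, "ACK", chaddr, xid, fwd.giaddr))
```

With bind_on_any_request=False the INIT-REBOOT request goes through to the server but the ACK is dropped for lack of a binding, while the DISCOVER-led exchange completes; with the flag set both cases complete and the binding is released after the ACK, which matches the "exchange complete" debug line in the quoted capture.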
On Thu, 21 May 2009, Jacob Vargas wrote: > I've seen some issues out in the wild about the ASA 8.0(4) not honoring DHCP > Request packets when a windows system boots. > > The conversation correlates as follows: > > PCAP conversation on ASA: > > 1: 15:42:05.537783 0.0.0.0.68 > 255.255.255.255.67: udp 323 (DHCP Request) > <-"can't find binding" > 2: 15:42:08.526416 0.0.0.0.68 > 255.255.255.255.67: udp 323 (DHCP Request) > <-"can't find binding" > 3: 15:42:16.542025 0.0.0.0.68 > 255.255.255.255.67: udp 323 (DHCP Request) > <-"can't find binding" > 4: 15:42:44.558061 0.0.0.0.68 > 255.255.255.255.67: udp 300 (DHCP Discover) > <- fall back after 40 sec timeout > 5: 15:42:44.558671 172.20.0.3.67 > 255.255.255.255.68: udp 326 (DHCP Offer) > 6: 15:42:44.559022 0.0.0.0.68 > 255.255.255.255.67: udp 329 (DHCP Request) > 7: 15:42:44.559709 172.20.0.3.67 > 255.255.255.255.68: udp 331 (DHCP ACK) > <- we finally have an IP address > > DHCP Debug on ASA (1 single DHCP Request): > > DHCPD: setting giaddr to 172.20.0.3. > dhcpd_forward_request: request from 0015.17aa.4ae8 (DHCP CLIENT) forwarded > to 172.20.3.15 (DHCP SERVER). > DHCPD/RA: Punt 172.20.3.15/17152 --> 172.20.0.3/17152 to CP > DHCPRA: Received a BOOTREPLY from interface 3 > DHCPRA: dhcp_relay_agent_receiver:can't find binding > DHCPRA: Can't Create binding > > The "can't create binding" correlates to the DHCP Request packet and the > client fails to obtain an IP from the DHCP Server. > > If you look at the timestamp, it takes 40 seconds for the DHCP client to > give up on requesting and fall back to doing a discover which then the ASA > honors, creates the binding and provides clear communication between client > and server. > > Under normal working circumstances, a DHCP Request to 255.255.255.255 would > be heard by the relay and would be forwarded to the DHCP server as per the > ASA configuration. 
> > It should work like this if it had an IP address via DHCP before: > 1: 15:42:16.542025 0.0.0.0.68 > 255.255.255.255.67: udp 323 (DHCP Request) > 2: 15:42:16.553119 172.20.0.3.67 > 255.255.255.255.68: udp 331 (DHCP ACK) > > If the IP address that it had previously was announced via the DHCP Request > was not part of the authoritative scope on the DHCP Server, the server would > send a NACK and this would trigger the client to immediately go into DHCP > Discover mode. This would easily resolve the problem with waiting 40 seconds > for a timeout of the Windows DHCP client and drastically cut the time. > > What's happening in the case of the 8.0(4) code of the ASA is that it > ignores the DHCP Request, if not preceded by a DHCP Discover. Causing the > DHCP Client to fail after the timeout and fall back to the DHCP Discover > mode (after 40 seconds). > > In the event of DHCP Discover, this is what happens: > > 4: 15:42:44.558061 0.0.0.0.68 > 255.255.255.255.67: udp 300 (DHCP Discover) > <- fall back after 40 sec timeout > 5: 15:42:44.558671 172.20.0.3.67 > 255.255.255.255.68: udp 326 (DHCP Offer) > 6: 15:42:44.559022 0.0.0.0.68 > 255.255.255.255.67: udp 329 (DHCP Request) > 7: 15:42:44.559709 172.20.0.3.67 > 255.255.255.255.68: udp 331 (DHCP ACK) > <- we finally have an IP address > > dhcpd_forward_request: request from 0015.17aa.4ae8 forwarded to 172.20.3.15. > DHCPD/RA: Punt 172.20.3.15/17152 --> 172.20.0.3/17152 to CP > DHCPRA: Received a BOOTREPLY from interface 3 > DHCPRA: dhcp_relay_agent_receiver:can't find binding > DHCPRA: relay binding created for client 0015.17aa.4ae8. > DHCPD: setting giaddr to 172.20.0.3. > dhcpd_forward_request: request from 0015.17aa.4ae8 forwarded to 172.20.3.15. > DHCPD/RA: Punt 172.20.3.15/17152 --> 172.20.0.3/17152 to CP > DHCPRA: Received a BOOTREPLY from interface 3 > DHCPRA: relay binding found for client 0015.17aa.4ae8. 
> DHCPRA: Adding rule to allow client to respond using offered address > 172.20.1.199 > DHCPRA: forwarding reply to client 0015.17aa.4ae8. > DHCPRA: relay binding found for client 0015.17aa.4ae8. > DHCPD: setting giaddr to 172.20.0.3. > dhcpd_forward_request: request from 0015.17aa.4ae8 forwarded to 172.20.3.15. > DHCPD/RA: Punt 172.20.3.15/17152 --> 172.20.0.3/17152 to CP > DHCPRA: Received a BOOTREPLY from interface 3 > DHCPRA: relay binding found for client 0015.17aa.4ae8. > DHCPRA: exchange complete - relay binding deleted for client 0015.17aa.4ae8. > DHCPD: returned relay binding 172.20.0.3/0015.17aa.4ae8 to address pool. > dhcpd_destroy_binding() removing NP rule for client 172.20.0.3 > DHCPRA: forwarding reply to client 0015.17aa.4ae8. > > It will allow a DHCP Inform, DHCP Release, DHCP Discover from the client but > not the DHCP Request! This causes problems for automated servers that > require auto-logon and scripts to run after boot (being that Always wait for > network is part of the group policy). There is no issue with port-fast or > edge-port spanning tree configurations. We even had this issue confirmed on > a hub ;). > > I am currently working with Cisco on this problem but am having a hard time > explaining things to them. Has anyone had this problem and have a viable > solution? It would help my case a lot. 
>
> Much obliged,
>
> Jake Vargas
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From ayourtch at cisco.com  Mon May 25 14:54:25 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Mon, 25 May 2009 20:54:25 +0200 (CEST)
Subject: [c-nsp] Resolved: ASA5510 8.0(4) issue with DHCP RELAY (aka dhcprelay regression on latest pix 515 firmware)
In-Reply-To: <000001c9db87$bbc222e0$334668a0$@com>
References: <000001c9db87$bbc222e0$334668a0$@com>
Message-ID:

(even though at first I thought I had just produced pure noise by trying to
solve a not-anymore-an-issue, looks like I will make a second attempt at
writing something :-)

From the looks of the bug, it would apply to the scenario of sending the
unicast DHCPREQUEST (because that one previously was simply flying through
the box as UDP traffic, so no binding was created and the ACK was being
denied). The broadcast DHCPREQUESTs (that I saw in your pcap) should have
been processed even before, so I think everything I mentioned in the
original reply would still hold.

kind regards,
andrew

On Sat, 23 May 2009, Jacob Vargas wrote:

> ASA5510 8.0(4) issue with DHCP RELAY
>
> Word from Cisco is:
>
> This is a known bug CSCsq87533  1st Found in: 7.2 and 8.0(4)
>
> Fixed-In: 7.2(4.17), 8.0(4.8), 8.2(0.166), 8.1(2.2), 8.0(4.220) Interim
> releases. Requires Contract and "special file access" until publicly
> released.
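The reboot case discussed in this thread (a client re-sending a REQUEST for its old lease without a DISCOVER first, which the 8.0(4) relay dropped) as an added example, not code from the thread or from Cisco: it parses raw DHCP payloads, classifies the client state per RFC 2131 section 4.3.2, and shows what a relay and an authoritative server for a given scope should do with each state. The MAC 0015.17aa.4ae8 and the 172.20.x addresses are reused from the post; the packets themselves are constructed here, and only the address-in-scope check is modelled, not a lease database.

```python
"""Classify DHCP client messages by the RFC 2131 client state they imply and
derive the reply a relay / authoritative server should produce.
Added example; sample packets are constructed, not taken from the post's captures."""
import struct
from ipaddress import IPv4Address, IPv4Network

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 53, 54


def build_client_message(msg_type, chaddr_hex, ciaddr="0.0.0.0",
                         requested_ip=None, server_id=None, xid=0x3903F326):
    """Build a minimal BOOTREQUEST (op=1) carrying the given DHCP options.
    Constructed test data, not a captured frame."""
    chaddr = bytes.fromhex(chaddr_hex)
    # op, htype (1 = Ethernet), hlen, hops, xid, secs, flags (0x8000 = broadcast)
    hdr = struct.pack("!BBBBIHH", 1, 1, len(chaddr), 0, xid, 0, 0x8000)
    hdr += IPv4Address(ciaddr).packed + bytes(12)   # ciaddr, then yiaddr/siaddr/giaddr = 0
    hdr += chaddr.ljust(16, b"\x00") + bytes(192)   # chaddr(16) + sname(64) + file(128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if requested_ip:
        opts += bytes([OPT_REQUESTED_IP, 4]) + IPv4Address(requested_ip).packed
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return hdr + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(payload):
    """Parse the fixed BOOTP header and the TLV option area into a dict."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # End option
            break
        if code == 0:                   # Pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options.get(OPT_MSG_TYPE, b"\x00")[0]
    addr = lambda code: str(IPv4Address(options[code])) if code in options else None
    return {"op": payload[0], "hops": payload[3],
            "type": MSG_TYPES.get(mtype, "UNKNOWN"),
            "chaddr": payload[28:28 + hlen].hex(),
            "ciaddr": str(IPv4Address(payload[12:16])),
            "giaddr": str(IPv4Address(payload[24:28])),
            "requested_ip": addr(OPT_REQUESTED_IP), "server_id": addr(OPT_SERVER_ID)}


def client_state(msg):
    """Map a client message to the RFC 2131 section 4.3.2 state it implies."""
    if msg["type"] == "DISCOVER":
        return "INIT"
    if msg["type"] != "REQUEST":
        return msg["type"]
    has_ciaddr = msg["ciaddr"] != "0.0.0.0"
    if msg["server_id"] and msg["requested_ip"] and not has_ciaddr:
        return "SELECTING"             # answering an OFFER; a DISCOVER preceded it
    if not msg["server_id"] and msg["requested_ip"] and not has_ciaddr:
        return "INIT-REBOOT"           # reboot with a remembered lease; no DISCOVER first
    if not msg["server_id"] and not msg["requested_ip"] and has_ciaddr:
        return "RENEWING/REBINDING"    # lease extension, unicast or broadcast
    return "MALFORMED"


def relay_should_forward(msg):
    """An RFC 1542 relay agent forwards every BOOTREQUEST whose hops field does
    not exceed 16; it keeps no memory of earlier DISCOVERs, so a REQUEST that
    arrives on its own (the INIT-REBOOT case) is forwarded like any other."""
    return msg["op"] == 1 and msg["hops"] <= 16


def expected_server_reply(msg, scope):
    """Reply of a server authoritative for `scope` (e.g. "172.20.0.0/22").
    Only the in-scope check described in the thread is modelled."""
    net = IPv4Network(scope)
    state = client_state(msg)
    if state == "INIT":
        return "OFFER"
    if state == "SELECTING" or state == "INFORM":
        return "ACK"
    if state == "INIT-REBOOT":
        return "ACK" if IPv4Address(msg["requested_ip"]) in net else "NAK"
    if state == "RENEWING/REBINDING":
        return "ACK" if IPv4Address(msg["ciaddr"]) in net else "NAK"
    return None                         # RELEASE/DECLINE get no reply; malformed is dropped


if __name__ == "__main__":
    # The thread's case: a REQUEST for the old address with no DISCOVER before it.
    msg = parse_dhcp(build_client_message(3, "001517aa4ae8", requested_ip="172.20.1.199"))
    print(client_state(msg), relay_should_forward(msg), expected_server_reply(msg, "172.20.0.0/22"))
```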
From peter at rathlev.dk  Mon May 25 19:54:35 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 26 May 2009 01:54:35 +0200
Subject: [c-nsp] WS-X6708-10GE FM-2-BAD-MESSAGE + traceback
Message-ID: <1243295675.5313.29.camel@localhost.localdomain>

Hi,

We just experienced something nasty during a C6kSup720 upgrade from SXF13 to
SXI1. We've been upgrading redundant nodes in three PoPs (eight nodes total)
with no problems except one. This node was taken offline (set-overload-bit,
lowered local pref etc.) and then reloaded, just like all the other nodes
which had not had any problems with this. The last node came up but couldn't
boot the 6708 card providing the core connections. The console put out
messages like this:

-Traceback= 425EABD4 42C2417C 42C24330 4134B0BC 4134B0A8
003593: May 25 20:27:30.854 CEST: %FM-2-BAD_MESSAGE: Error in internal messaging - context: 0x53E4ECA0, result: 0, reply_pak:0x0, slot6, online_status: ONLINE

The traceback line was always the same. The "context" part of the
FM-2-BAD-MESSAGE line changed for every line, but some values were repeated
between non-adjacent lines. The switch logged hundreds of messages almost all
at once (i.e. within ~100 ms).

The 6708 module ended up in "PwrDown" state. I tried booting it again (with
"power enable") but just ended up in the same place with the same messages.
A full power down of the whole chassis resolved the problem.

All this wouldn't have been a problem in itself; the redundant node was
providing the relevant services while the failed node was down. The nasty bit
was that the failed node actually interfered in the network. Example: Even
though configured with "standby preempt delay minimum 300" the node tried to
take over HSRP gateway functionality.
We've also seen evidence of some kind of corruption in L2 switching. Even
though the 6708 module never actually came online, some of the neighbors saw
interfaces as up/up.

The question is then: Should we look more into this? We don't have much spare
time, so if we can safely assume this was a "one off" we'll just let it be at
that. Cisco.com says the "FM-2-BAD-MESSAGE" is a software error, but not much
else. We haven't (yet) had time to look at the show tech output but will do so
in the near future.

Any input much appreciated.

Regards,
Peter

From ml at t-b-o-h.net  Mon May 25 20:37:48 2009
From: ml at t-b-o-h.net (Tuc at T-B-O-H)
Date: Mon, 25 May 2009 20:37:48 -0400 (EDT)
Subject: [c-nsp] Port debugging on C2924
Message-ID: <200905260037.n4Q0bmkw041012@vjofn.tucs-beachin-obx-house.com>

Hi,

Has anyone done a port debug on a C2924:

IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC10, RELEASE SOFTWARE (fc1)

I just need to see all the traffic on a specific port (it's really low
volume, so not a big deal).

Normally a port mirror would do wonders, but I'm 900 miles away from it and
so that's not an option (if I was near it, I wouldn't need to debug the
device that's acting weird. :) ). I tried "debug packet int fa0/22", but
"packet" isn't an option in that version.

Any thoughts?

Thanks, Tuc

From adrian at creative.net.au  Mon May 25 20:41:28 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Tue, 26 May 2009 08:41:28 +0800
Subject: [c-nsp] Port debugging on C2924
In-Reply-To: <200905260037.n4Q0bmkw041012@vjofn.tucs-beachin-obx-house.com>
References: <200905260037.n4Q0bmkw041012@vjofn.tucs-beachin-obx-house.com>
Message-ID: <20090526004128.GB31973@skywalker.creative.net.au>

int fa0/1
 port monitor fa0/22

?
On Mon, May 25, 2009, Tuc at T-B-O-H wrote:
> Hi,
>
> Has anyone done a port debug on a C2924:
>
> IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC10, RELEASE SOFTWARE (fc1)
>
> I just need to see all the traffic on a specific port (it's really
> low volume, so not a big deal).
>
> Normally a port mirror would do wonders, but I'm 900 miles away from
> it and so that's not an option (if I was near it, I wouldn't need to debug
> the device that's acting weird. :) ). I tried "debug packet int fa0/22", but
> "packet" isn't an option in that version.
>
> Any thoughts?
>
> Thanks, Tuc

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

From rkitsolution at yahoo.com  Mon May 25 22:13:10 2009
From: rkitsolution at yahoo.com (ram krishna khati)
Date: Mon, 25 May 2009 19:13:10 -0700 (PDT)
Subject: [c-nsp] Error on initialize VLAN database
Message-ID: <951107.47791.qm@web53605.mail.re2.yahoo.com>

Hi all,

I am using a Cisco 2950G-48-EI. During VLAN add and configuration write it
displays the following error:

Error on initialize VLAN database 1: VTP feature not yet initialized[OK]

After rebooting the switch it is solved temporarily. Does anybody know what
this error means?

Regards
Ram Krishna
Network Engineer
Subisu Cable net

From zivl at gilat.net  Tue May 26 02:55:38 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 26 May 2009 09:55:38 +0300
Subject: [c-nsp] HSRP on Sub-interface
Message-ID:

Hi all,
I know that theoretically it's supposed to be working but I must be sure it
does before I implement it.
I have two 7200VXR and I want to make one of the Gigabit interfaces receive a
trunk from the switch and create two sub-interfaces like the following
example:

Current config:

interface GigabitEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 ip address 2.2.2.2 255.255.255.0 secondary
 standby 0 ip 1.1.1.1
 standby 0 ip 2.2.2.1 secondary
!

New desired config:

interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.100
 encapsulation dot1q 100
 ip address 1.1.1.2 255.255.255.0
 standby 0 ip 1.1.1.1
!
interface GigabitEthernet0/1.200
 encapsulation dot1q 200
 ip address 2.2.2.2 255.255.255.0
 standby 1 ip 2.2.2.1
!

So my question is: will this work for sure?

TIA
Ziv

From dale.shaw+cisco-nsp at gmail.com  Tue May 26 03:07:23 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Tue, 26 May 2009 17:07:23 +1000
Subject: [c-nsp] HSRP on Sub-interface
In-Reply-To:
References:
Message-ID: <3329cbb40905260007t23b6427er443f00b396922944@mail.gmail.com>

Hi Ziv,

On Tue, May 26, 2009 at 4:55 PM, Ziv Leyes wrote:
> Hi all,
> I know that theoretically it's supposed to be working but I must be sure it does before I implement it.
> I have two 7200VXR and I want to make one of the Gigabit interfaces receive a trunk from the switch and create two sub-interfaces like the following example:
> [...]
>
> So my question is: will this work for sure?

Yes.
We do this on c7200/NPE-400s, c7200/NPE-G1s and c7200/NPE-G2s running
12.4(15)T

cheers,
Dale

From avayner at cisco.com  Tue May 26 04:08:48 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 26 May 2009 10:08:48 +0200
Subject: [c-nsp] HSRP on Sub-interface
In-Reply-To:
References:
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7B1C193@xmb-ams-331.emea.cisco.com>

Ziv,

This works perfectly.
One point to make sure of - use a different group number for each group you
create. The group number is used to calculate the virtual MAC assigned to the
HSRP group, and you want the MACs to be different.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: Tuesday, May 26, 2009 09:56
To: Cisco Nsp
Subject: [c-nsp] HSRP on Sub-interface

Hi all,
I know that theoretically it's supposed to be working but I must be sure it
does before I implement it.
I have two 7200VXR and I want to make one of the Gigabit interfaces receive a
trunk from the switch and create two sub-interfaces like the following
example:

Current config:

interface GigabitEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 ip address 2.2.2.2 255.255.255.0 secondary
 standby 0 ip 1.1.1.1
 standby 0 ip 2.2.2.1 secondary
!

New desired config:

interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.100
 encapsulation dot1q 100
 ip address 1.1.1.2 255.255.255.0
 standby 0 ip 1.1.1.1
!
interface GigabitEthernet0/1.200
 encapsulation dot1q 200
 ip address 2.2.2.2 255.255.255.0
 standby 1 ip 2.2.2.1
!

So my question is: will this work for sure?

TIA
Ziv
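Arie's point about the group number deciding the virtual MAC, as an added example (not Ziv's or Arie's code): it parses the posted sub-interface config, derives each group's HSRPv1 virtual MAC (0000.0c07.acXX; the HSRPv2 form 0000.0c9f.fXXX is included for completeness) and flags groups that share a number on the same physical interface. The second config is a constructed variant with both sub-interfaces left in group 0, the mistake Ziv describes.

```python
"""Derive HSRP virtual MACs from an IOS config fragment and flag group-number
collisions on one physical interface. Added example; GOOD_CONFIG is the config
posted in the thread, BAD_CONFIG is a constructed variant of it."""
import re
from collections import defaultdict

# Ziv's desired configuration as posted: distinct groups on the two sub-interfaces.
GOOD_CONFIG = """
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.100
 encapsulation dot1q 100
 ip address 1.1.1.2 255.255.255.0
 standby 0 ip 1.1.1.1
!
interface GigabitEthernet0/1.200
 encapsulation dot1q 200
 ip address 2.2.2.2 255.255.255.0
 standby 1 ip 2.2.2.1
!
"""

# Constructed variant: both sub-interfaces in group 0, so both would own the
# same virtual MAC on the same physical port.
BAD_CONFIG = GOOD_CONFIG.replace("standby 1 ip 2.2.2.1", "standby 0 ip 2.2.2.1")

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
STANDBY_IP_RE = re.compile(r"^standby\s+(?:(\d+)\s+)?ip\s+(\d+\.\d+\.\d+\.\d+)(\s+secondary)?")


def hsrp_vmac(group, version=1):
    """Virtual MAC for an HSRP group: v1 is 0000.0c07.acXX (group 0-255),
    v2 is 0000.0c9f.fXXX (group 0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 groups are 0-255")
        return "0000.0c07.ac%02x" % group
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 groups are 0-4095")
    return "0000.0c9f.f%03x" % group


def physical_of(ifname):
    """Strip the sub-interface index: GigabitEthernet0/1.100 -> GigabitEthernet0/1."""
    return ifname.split(".", 1)[0]


def parse_standby_groups(config):
    """Return {interface: {group: [virtual IPs]}} from an IOS config fragment."""
    groups = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!"):          # section separator ends the interface block
            current = None
            continue
        m = STANDBY_IP_RE.match(line)
        if m and current:
            group = int(m.group(1)) if m.group(1) else 0   # IOS defaults the group to 0
            groups[current][group].append(m.group(2))
    return groups


def find_group_collisions(config, version=1):
    """List (physical interface, group, virtual MAC, [interfaces]) for every group
    number that two or more logical interfaces on one physical port share."""
    by_phys = defaultdict(lambda: defaultdict(list))
    for ifname, grps in parse_standby_groups(config).items():
        for group in grps:
            by_phys[physical_of(ifname)][group].append(ifname)
    collisions = []
    for phys, grps in sorted(by_phys.items()):
        for group, ifaces in sorted(grps.items()):
            if len(ifaces) > 1:
                collisions.append((phys, group, hsrp_vmac(group, version), sorted(ifaces)))
    return collisions


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, find_group_collisions(cfg) or "no collisions")
```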
From zivl at gilat.net  Tue May 26 04:12:24 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 26 May 2009 11:12:24 +0300
Subject: [c-nsp] HSRP on Sub-interface
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7B1C193@xmb-ams-331.emea.cisco.com>
References: <78C984F8939D424697B15E4B1C1BB3D7B1C193@xmb-ams-331.emea.cisco.com>
Message-ID:

Yes, of course. Pay attention that they're now both in group 0 and in the
desired config I've separated them into group 0 and group 1. I've already had
a bad experience in the past when I forgot to separate them and couldn't
understand why one of them was not working until I paid attention to that.

Thanks all for your answers.
Ziv

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tuesday, May 26, 2009 11:09 AM
To: Ziv Leyes; Cisco Nsp
Subject: RE: [c-nsp] HSRP on Sub-interface

Ziv,

This works perfectly.
One point to make sure of - use a different group number for each group you
create. The group number is used to calculate the virtual MAC assigned to the
HSRP group, and you want the MACs to be different.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: Tuesday, May 26, 2009 09:56
To: Cisco Nsp
Subject: [c-nsp] HSRP on Sub-interface

Hi all,
I know that theoretically it's supposed to be working but I must be sure it
does before I implement it.
From BBlackford at nwresd.k12.or.us  Tue May 26 13:51:37 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Tue, 26 May 2009 10:51:37 -0700
Subject: [c-nsp] Cat 6509 Power supplies
Message-ID: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>

I have a question about power supplies.

I am upgrading a 6509 chassis from Sup1/MSFC2 to a pair of SUP720-3BXLs, fan
and new power supplies. I originally spec'd a pair of 4000W units. Now as we
know, these can only support NEMA L6-30, vs. the variable power supplies such
as the 3000W. I've run out of L6-30Rs in my data center as our new rack PDUs
are of this spec. I may need to use 110V NEMA 5-20 plugs.

Can the 3000W power supply (in redundant mode) support a fully populated 6509
chassis (no POE) when using 110VAC?

Thanks

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

my /home away from home

From ml at t-b-o-h.net  Tue May 26 14:01:25 2009
From: ml at t-b-o-h.net (Tuc at T-B-O-H)
Date: Tue, 26 May 2009 14:01:25 -0400 (EDT)
Subject: [c-nsp] Port debugging on C2924
In-Reply-To: <20090526004128.GB31973@skywalker.creative.net.au> from "Adrian Chadd" at May 26, 2009 08:41:28 AM
Message-ID: <200905261801.n4QI1Pvd046688@vjofn.tucs-beachin-obx-house.com>

Hi,

If I had physical access, that's exactly what I'd do. But I don't, so I need
it to dump the packets into syslog for me. I don't have "debug packet"
available on the IOS on the unit, nor does "debug interface" seem to be
generating anything....

Thanks, Tuc

>
> int fa0/1
> port monitor fa0/22
>
> ?
>
> On Mon, May 25, 2009, Tuc at T-B-O-H wrote:
> > Hi,
> >
> > Has anyone done a port debug on a C2924:
> >
> > IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC10, RELEASE SOFTWARE (fc1)
> >
> > I just need to see all the traffic on a specific port (it's really
> > low volume, so not a big deal).
> >
> > Normally a port mirror would do wonders, but I'm 900 miles away from
> > it and so that's not an option (if I was near it, I wouldn't need to debug
> > the device that's acting weird. :) ). I tried "debug packet int fa0/22", but
> > "packet" isn't an option in that version.
> >
> > Any thoughts?
> >
> > Thanks, Tuc

From sethm at rollernet.us  Tue May 26 14:38:36 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 26 May 2009 11:38:36 -0700
Subject: [c-nsp] Cat 6509 Power supplies
In-Reply-To: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <4A1C372C.5040704@rollernet.us>

Bill Blackford wrote:
> I have a question about power supplies.
>
> I am upgrading a 6509 chassis from Sup1/MSFC2 to a pair of SUP720-3BXLs, fan and new power supplies. I originally spec'd a pair of 4000W units. Now as we know, these can only support NEMA L6-30, vs. the variable power supplies such as the 3000W. I've run out of L6-30Rs in my data center as our new rack PDUs are of this spec. I may need to use 110V NEMA 5-20 plugs.
>
> Can the 3000W power supply (in redundant mode) support a fully populated 6509 chassis (no POE) when using 110VAC?
>

As far as I'm aware, the specs for the 3000W power supply are:

16A maximum at 200 VAC at 3000W output
16A maximum at 100 VAC at 1450W output

~Seth

From aaron at wsc.ma.edu  Tue May 26 14:44:34 2009
From: aaron at wsc.ma.edu (Childs, Aaron)
Date: Tue, 26 May 2009 14:44:34 -0400
Subject: [c-nsp] Cat 6509 Power supplies
In-Reply-To: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <3760B7E1B344364AA0384B231FE7BA6901B4E742B1@ex-be1.ads.wsc.ma.edu>

Hi Bill,

It all depends on what other modules you have installed in your chassis. I am
running a 6509-E with 3000W power supplies using 110v, however I have to run
them in combined mode. To give you some real-time data, here's the output from
my 'sh power':

system power redundancy mode = combined
system power total =     1952.16 Watts (46.48 Amps @ 42V)
system power used =      1275.54 Watts (30.37 Amps @ 42V)
system power available =  676.62 Watts (16.11 Amps @ 42V)
                        Power-Capacity PS-Fan Output Oper
PS   Type               Watts   A @42V Status Status State
---- ------------------ ------- ------ ------ ------ -----
1    WS-CAC-3000W       1171.38 27.89  OK     OK     on
2    WS-CAC-3000W       1171.38 27.89  OK     OK     on
                        Pwr-Allocated  Oper
Fan  Type               Watts   A @42V State
---- ------------------ ------- ------ -----
1    WS-C6509-E-FAN      150.36  3.58  OK
                        Pwr-Requested  Pwr-Allocated  Admin Oper
Slot Card-Type          Watts   A @42V Watts   A @42V State State
---- ------------------ ------- ------ ------- ------ ----- -----
1    WS-X6516A-GBIC      152.04  3.62   152.04  3.62  on    on
2    WS-X6148-RJ-45      100.38  2.39   100.38  2.39  on    on
3    WS-X6148-RJ-45      100.38  2.39   100.38  2.39  on    on
4    WS-X6148-45AF       107.94  2.57   107.94  2.57  on    on
5    WS-SUP720-BASE      315.00  7.50   315.00  7.50  on    on
6    (Redundant Sup)     -       -      315.00  7.50  -     -
                        Inline         Inline         Inline         Inline
                        Pwr-Requested  Pwr-Allocated  Local-Pwr-Pool Power
Slot Card-Type          Watts   A @42V Watts   A @42V Watts   A @42V Status
---- ------------------ ------- ------ ------- ------ ------- ------ ----------
4    WS-F6K-FE48-AF      -       -      -       -      34.61   0.82   On

Have a good day,
Aaron

-------------
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford
Sent: Tuesday, May 26, 2009 1:52 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cat 6509 Power supplies

I have a question about power supplies.

I am upgrading a 6509 chassis from Sup1/MSFC2 to a pair of SUP720-3BXLs, fan
and new power supplies. I originally spec'd a pair of 4000W units. Now as we
know, these can only support NEMA L6-30, vs. the variable power supplies such
as the 3000W. I've run out of L6-30Rs in my data center as our new rack PDUs
are of this spec. I may need to use 110V NEMA 5-20 plugs.

Can the 3000W power supply (in redundant mode) support a fully populated 6509
chassis (no POE) when using 110VAC?

Thanks

From lowen at pari.edu  Tue May 26 15:01:35 2009
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 26 May 2009 15:01:35 -0400
Subject: [c-nsp] Cat 6509 Power supplies
In-Reply-To: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <200905261501.35436.lowen@pari.edu>

On Tuesday 26 May 2009 01:51:37 pm Bill Blackford wrote:
> I may need to use 110V NEMA 5-20
> plugs.

> Can the 3000W power supply (in redundant mode) support a fully populated
> 6509 chassis (no POE) when using 110VAC?
A NEMA 5-20 plug can only support a max normal load of 80% of 2400W (20A at
120V), which is 1920W. Even a 30A 120V circuit is only good for 2.8KW
continuous. A 20A 240V circuit will do 3.84KW max continuous, though. You
might get away with 6-20 plugs, or L6-20, for the 3KW supplies.

From billbuhlman at yahoo.com  Tue May 26 15:34:35 2009
From: billbuhlman at yahoo.com (Bill Buhlman)
Date: Tue, 26 May 2009 12:34:35 -0700 (PDT)
Subject: [c-nsp] Cat 6509 Power supplies
Message-ID: <453356.1924.qm@web43136.mail.sp1.yahoo.com>

Example of a lightly loaded 7609 running at 240v redundant with 3000 watt
supplies and sup720-3b. No POE.

edge#sh power
system power redundancy mode = redundant
system power total =     2771.16 Watts (65.98 Amps @ 42V)
system power used =      1636.74 Watts (38.97 Amps @ 42V)
system power available = 1134.42 Watts (27.01 Amps @ 42V)
                        Power-Capacity PS-Fan Output Oper
PS   Type               Watts   A @42V Status Status State
---- ------------------ ------- ------ ------ ------ -----
1    WS-CAC-3000W       2771.16 65.98  OK     OK     on
2    WS-CAC-3000W       2771.16 65.98  OK     OK     on
                        Pwr-Allocated  Oper
Fan  Type               Watts   A @42V State
---- ------------------ ------- ------ -----
1    FAN-MOD-09          241.50  5.75  OK
2    FAN-MOD-09          241.50  5.75  OK
                        Pwr-Requested  Pwr-Allocated  Admin Oper
Slot Card-Type          Watts   A @42V Watts   A @42V State State
---- ------------------ ------- ------ ------- ------ ----- -----
1    7600-SIP-200        240.24  5.72   240.24  5.72  on    on
2    7600-SIP-400        265.02  6.31   265.02  6.31  on    on
4    WS-X6408A-GBIC       84.00  2.00    84.00  2.00  on    on
5    WS-SUP720-3B        282.24  6.72   282.24  6.72  on    on
6    WS-SUP720-3B        282.24  6.72   282.24  6.72  on    on
--- On Tue, 5/26/09, Bill Blackford wrote:

From: Bill Blackford
Subject: [c-nsp] Cat 6509 Power supplies
To: "cisco-nsp at puck.nether.net"
Date: Tuesday, May 26, 2009, 10:51 AM

I have a question about power supplies.

I am upgrading a 6509 chassis from Sup1/MSFC2 to a pair of SUP720-3BXLs, fan
and new power supplies. I originally spec'd a pair of 4000W units. Now as we
know, these can only support NEMA L6-30, vs. the variable power supplies such
as the 3000W. I've run out of L6-30Rs in my data center as our new rack PDUs
are of this spec. I may need to use 110V NEMA 5-20 plugs.

Can the 3000W power supply (in redundant mode) support a fully populated 6509
chassis (no POE) when using 110VAC?

Thanks

From lists.james.edwards at gmail.com  Tue May 26 15:43:01 2009
From: lists.james.edwards at gmail.com (james edwards)
Date: Tue, 26 May 2009 13:43:01 -0600
Subject: [c-nsp] A good doc for etherchan between Cisco and Extreme switches ?
Message-ID:

I am looking for a good doc on doing etherchan between these 2 switches. I
realize I need to do LACP but I was looking for some more detail and, with
luck, a sample config. I can't seem to turn anything up at the cisco or
extreme site.

Thanks,

--
James H.
Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From braaen at zcorum.com  Tue May 26 15:48:37 2009
From: braaen at zcorum.com (Brian Raaen)
Date: Tue, 26 May 2009 15:48:37 -0400
Subject: [c-nsp] Port debugging on C2924
In-Reply-To: <200905260037.n4Q0bmkw041012@vjofn.tucs-beachin-obx-house.com>
References: <200905260037.n4Q0bmkw041012@vjofn.tucs-beachin-obx-house.com>
Message-ID: <4A1C4795.3070300@zcorum.com>

Have you tried setting up RSPAN?
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/swspan.html

--
-----------------
Brian Raaen
Network Engineer
email: braaen at zcorum.com

Tuc at T-B-O-H wrote:
> Hi,
>
> Has anyone done a port debug on a C2924:
>
> IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC10, RELEASE SOFTWARE (fc1)
>
> I just need to see all the traffic on a specific port (it's really
> low volume, so not a big deal).
>
> Normally a port mirror would do wonders, but I'm 900 miles away from
> it and so that's not an option (if I was near it, I wouldn't need to debug
> the device that's acting weird. :) ). I tried "debug packet int fa0/22", but
> "packet" isn't an option in that version.
>
> Any thoughts?
>
> Thanks, Tuc

From pavel.skovajsa at gmail.com  Tue May 26 09:31:34 2009
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 26 May 2009 15:31:34 +0200
Subject: [c-nsp] Simple Application performance assessment tool
Message-ID: <323aca890905260631m14e54afao6cb5ba5f4afd104d@mail.gmail.com>

Hello all,

Does somebody know of a good application performance assessment tool that
would help me understand what the current bandwidth per given application is,
something similar to a simple Netflow collector but preferably end-user
capture based, that can be installed on an end-user machine. I have spent
some time searching for something like this and always ran into
'rocket-science appliances' that do a lot more stuff than that. I just need a
simple evaluation of what/where/how fast/how much.

Regards,
Pavel

From nicolas.rolans at gmail.com  Tue May 26 16:06:51 2009
From: nicolas.rolans at gmail.com (Nicolas Rolans)
Date: Tue, 26 May 2009 22:06:51 +0200
Subject: [c-nsp] Cat 6509 Power supplies
In-Reply-To: <453356.1924.qm@web43136.mail.sp1.yahoo.com>
References: <453356.1924.qm@web43136.mail.sp1.yahoo.com>
Message-ID:

Hi,

Here's another example. It's a 6509-E almost fully loaded.

#show power
system power redundancy mode = redundant
system power total =     2331.00 Watts (55.50 Amps @ 42V)
system power used =      1259.16 Watts (29.98 Amps @ 42V)
system power available = 1071.84 Watts (25.52 Amps @ 42V)
                        Power-Capacity PS-Fan Output Oper
PS   Type               Watts   A @42V Status Status State
---- ------------------ ------- ------ ------ ------ -----
1    WS-CAC-2500W       2331.00 55.50  OK     OK     on
2    WS-CAC-2500W       2331.00 55.50  OK     OK     on
                        Pwr-Allocated  Oper
Fan  Type               Watts   A @42V State
---- ------------------ ------- ------ -----
1    WS-C6509-E-FAN      150.36  3.58  OK
                        Pwr-Requested  Pwr-Allocated  Admin Oper
Slot Card-Type          Watts   A @42V Watts   A @42V State State
---- ------------------ ------- ------ ------- ------ ----- -----
1    WS-X6548-GE-TX      125.16  2.98   125.16  2.98  on    on
2    WS-X6548-GE-TX      125.16  2.98   125.16  2.98  on    on
3    WS-X6548-GE-TX      125.16  2.98   125.16  2.98  on    on
4    WS-X6548-GE-TX      125.16  2.98   125.16  2.98  on    on
5    WS-SUP720-BASE      315.00  7.50   315.00  7.50  on    on
7    WS-X6548-GE-TX      125.16  2.98   125.16  2.98  on    on
8    WS-X6408-GBIC        84.00  2.00    84.00  2.00  on    on
9    WS-X6408-GBIC        84.00  2.00    84.00  2.00  on    on

From streiner at cluebyfour.org  Tue May 26 15:09:33 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 26 May 2009 15:09:33 -0400 (EDT)
Subject: [c-nsp] Cat 6509 Power supplies
In-Reply-To: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID:

On Tue, 26 May 2009, Bill Blackford wrote:

> Can the 3000W power supply (in redundant mode) support a fully
> populated 6509 chassis (no POE) when using 110VAC?

I don't think you'll be able to fully energize the power supplies at 110VAC.

jms

From howard at leadmon.net  Tue May 26 17:17:13 2009
From: howard at leadmon.net (Howard Leadmon)
Date: Tue, 26 May 2009 17:17:13 -0400
Subject: [c-nsp] Cat 6509 Power supplies
In-Reply-To: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <002401c9de47$5a2813b0$0e783b10$@net>

I see some have answered as to the usage of 3Kw supplies, but I wanted to
also point out there is a big difference between an L5 and an L6 series plug.
The 5 tells you it's a 100-120V plug, and the L6 tells you it is a 200-240V
plug. So you would never want to take off a 5 or 6 series plug and replace it
with the other, unless you could reconfigure your input voltage to the device.
Yes, I know some are auto-sensing, which is fine, but as a general rule of
thumb.

So in the below, you have a 30amp 240V plug, and you were talking about
changing it for a 20amp 120V plug, so that would only give you half the AC
power the device was expecting. Also, to actually draw 4Kw from a 120V outlet
you would need to draw in the range of 35 amps, which of course would exceed
the plug and breaker, another no-no for sure.

---
Howard Leadmon

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Bill Blackford
> Sent: Tuesday, May 26, 2009 1:52 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cat 6509 Power supplies
>
> I have a question about power supplies.
>
> I am upgrading a 6509 chassis from Sup1/MSFC2 to a pair of SUP720-3BXLs,
> fan and new power supplies. I originally spec'd a pair of 4000W units. Now
> as we know, these can only support NEM A L6-30, vs. the variable power
> supplies such as the 3000W. I've run out of L6-30Rs in my data center as
> our new rack PDUs are of this spec. I may need to use 110V NEMA 5-20
> plugs.
>
> Can the 3000W power supply (in redundant mode) support a fully populated
> 6509 chassis (no POE) when using 110VAC?
>
> Thanks

From merlyn at Geeks.ORG  Tue May 26 16:17:01 2009
From: merlyn at Geeks.ORG (Doug McIntyre)
Date: Tue, 26 May 2009 15:17:01 -0500
Subject: [c-nsp] Port debugging on C2924
In-Reply-To: <200905261801.n4QI1Pvd046688@vjofn.tucs-beachin-obx-house.com>
References: <20090526004128.GB31973@skywalker.creative.net.au> <200905261801.n4QI1Pvd046688@vjofn.tucs-beachin-obx-house.com>
Message-ID: <20090526201701.GA14546@geeks.org>

On Tue, May 26, 2009 at 02:01:25PM -0400, Tuc at T-B-O-H wrote:
> If I had physical access, that's exactly what I'd do. But I don't, so
> I need it to dump the packets into syslog for me. I don't have "debug
> packet" available on the IOS on the unit, nor does "debug interface" seem
> to be generating anything....

There's nothing available on that hardware. Port monitor is your only choice.

From dale.shaw+cisco-nsp at gmail.com  Tue May 26 18:46:19 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 27 May 2009 08:46:19 +1000
Subject: [c-nsp] Cat 6509 Power supplies
In-Reply-To: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080032AC5FA2F@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <3329cbb40905261546g6a730728o382c55ab706a7aa4@mail.gmail.com>

Hi Bill,

On Wed, May 27, 2009 at 3:51 AM, Bill Blackford wrote:
> I have a question about power supplies.
>
> I am upgrading a 6509 chassis from Sup1/MSFC2 to a pair of SUP720-3BXLs, fan and new power supplies. I originally spec'd a pair of 4000W units. Now as we know, these can only support NEMA L6-30, vs. the variable power supplies such as the 3000W.
I've run out of L6-30R's in my data center as our new rack PDU's are of this spec. I may need to use 110V NEMA 5-20 plugs. > > Can the 3000W power supply (in redundant mode) support a fully populated 6509 chassis (no POE) when using 110VAC? I've only had a passing glance at your message, so apologies if this isn't helpful, but have you had a look at the Power Calculator tool? http://tools.cisco.com/cpc/ cheers, Dale From ashnet2009 at gmail.com Tue May 26 22:06:30 2009 From: ashnet2009 at gmail.com (Ash Net) Date: Tue, 26 May 2009 22:06:30 -0400 Subject: [c-nsp] Control Plane monitoring Message-ID: <896a291f0905261906y7806ade0lb4019d1648628476@mail.gmail.com> Hi Folks, We're looking at ways to monitor our L3 control Plane at the Routing level. So essentially monitoring our IGP (EIGRP/OSPF)/ BGP and being able to track the routing updates that propagate through the Network laying the forwarding path. This is needed to keep an eye on the control plane at a lower level and identify any unexpected changes in the routing paths due to a maintenance or due to topology instabilities caused by link failures and flaps that may go unnoticed due to large Rotuing tables. The expectation is to be able to proactively monitor routing and identify issues like Assymetric Routing and routing loops before the Apps and end users start suffering. Arbor does a great job in identifying BGP instabilities but nothing for IGP. Route analytics is potentially another tool that offers routing monitoring but we haven't used it and not sure what to expect. Any feedback on what people use for the above in their prod networks would be appreciated. Thanks in advance From tseveendorj at gmail.com Wed May 27 01:24:42 2009 From: tseveendorj at gmail.com (=?UTF-8?B?0KbRjdCy0Y3RjdC90LTQvtGA0LYg0JbQuNCc0Y3QudC7?=) Date: Wed, 27 May 2009 14:24:42 +0900 Subject: [c-nsp] NAS-Port attribute Message-ID: <4A1CCE9A.1040307@gmail.com> Hello, I have problem with NAS-Port on c3825 ISR router. 
Access-Request packet contains NAS-Port attribute with 0 value.

May 27 13:54:52.984 GMT: RADIUS: authenticator 37 5A 1D 50 70 7D DF A2 - 9A 8A 22 80 0C C4 A0 6C
May 27 13:54:52.984 GMT: RADIUS: Vendor, Cisco [26] 41
May 27 13:54:52.984 GMT: RADIUS: Cisco AVpair [1] 35 "client-mac-address=0030.4f6d.d45a"
May 27 13:54:52.984 GMT: RADIUS: Framed-Protocol [7] 6 PPP [1]
May 27 13:54:52.984 GMT: RADIUS: User-Name [1] 12 "username"
May 27 13:54:52.984 GMT: RADIUS: User-Password [2] 18 *
May 27 13:54:52.984 GMT: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*May 27 13:54:52.984 GMT: RADIUS: NAS-Port [5] 6 0*
May 27 13:54:52.984 GMT: RADIUS: NAS-Port-Id [87] 10 "0/0/0/10"
May 27 13:54:52.984 GMT: RADIUS: Service-Type [6] 6 Framed [2]
May 27 13:54:52.984 GMT: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx

Why did the router send NAS-Port = 0? How do I get NAS-Port?

Sincerely,
Tseveen.

From daniele at orlandi.com Wed May 27 05:38:56 2009
From: daniele at orlandi.com (Daniele Orlandi)
Date: Wed, 27 May 2009 11:38:56 +0200
Subject: [c-nsp] MLD process using 100% CPU
Message-ID: <200905271138.56810.daniele@orlandi.com>

Hello,

I have several routers which sometimes show high CPU utilization for several seconds in the MLD process:

#show processes cpu sorted 5min
CPU utilization for five seconds: 99%/7%; one minute: 41%; five minutes: 16%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
 284 11930608 9385919 1271 90.09% 31.39% 7.43% 0 MLD

The router above is an NPE-G2 (IOS 12.4T) which should have plenty of CPU capacity, but MLD is running for a minute at 100% nonetheless.

Is this a known issue? Am I actually having some sort of MLD storm?
Thanks, Bye, From rdobbins at arbor.net Wed May 27 08:10:59 2009 From: rdobbins at arbor.net (Roland Dobbins) Date: Wed, 27 May 2009 19:10:59 +0700 Subject: [c-nsp] Control Plane monitoring In-Reply-To: <896a291f0905261906y7806ade0lb4019d1648628476@mail.gmail.com> References: <896a291f0905261906y7806ade0lb4019d1648628476@mail.gmail.com> Message-ID: <24354270-C167-4BA1-A76D-2312D715A92A@arbor.net> On May 27, 2009, at 9:06 AM, Ash Net wrote: > Any feedback on what people use for the above in their prod networks > would be appreciated. Packet Design have a pretty good tool which can participate in and provide visibility into IGPs, even including Cisco-proprietary EIGRP. They also can look at MPLS labels, and generate dynamic routing/VPN topology diagrams based upon the information they obtain. ----------------------------------------------------------------------- Roland Dobbins // Unfortunately, inefficiency scales really well. -- Kevin Lawton From blahu77 at gmail.com Wed May 27 03:55:32 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Wed, 27 May 2009 08:55:32 +0100 Subject: [c-nsp] Simple Application performance assesment tool In-Reply-To: <323aca890905260631m14e54afao6cb5ba5f4afd104d@mail.gmail.com> References: <323aca890905260631m14e54afao6cb5ba5f4afd104d@mail.gmail.com> Message-ID: <383357750905270055x190a978aqa5f129b420105730@mail.gmail.com> Pavel, 2009/5/26 Pavel Skovajsa : > Hello all, > > Does somebody know of a good application performance assesment tool > that would help me understand what is the current bandwidth per given > application, something similar to simple Netflow collector but > preferably end-user capture based that can be installed on end-user > machine. [...] > I just need simple evaluation of what/where/how fast/how much. > I would go with wireshark suite which can draw nice I/O diagrams, and these can be created using standard filters so you can easily select packets, flows you are interested in. 
Best Regards,
-mat

From gert at greenie.muc.de Wed May 27 08:44:15 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 27 May 2009 14:44:15 +0200
Subject: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
In-Reply-To: <03b001c9da3d$36e02810$a4a07830$@com>
References: <010201c9d9bd$7c072860$74157920$@com> <20090521174501.GU290@greenie.muc.de> <03b001c9da3d$36e02810$a4a07830$@com>
Message-ID: <20090527124415.GS290@greenie.muc.de>

Hi,

On Thu, May 21, 2009 at 10:54:40AM -0700, Peter Kranz wrote:
> I have two edge routers, with each edge router has a BGP session to the same
> upstream provider (Level3 AS3356)
> The edge routers are connected
> I would like outbound traffic from our AS that arrives at either edge router
> to be load balanced across the two sessions to AS3356
>
> I tried adding bgp multipath and ibgp multipath to install both routes and
> load balance, but this is not working as of yet.. and perhaps I am going
> about this the wrong way..

Following up on this. I don't think this is going to work the way you envision it - one of the practical problems is that if "Router A" sends a packet to "Router B" (to be balanced to the other upstream link), you might end up with "B" sending it *back* to "Router A", because it has hashed the parallel routes differently, or because it does per-packet balancing and will always send 50% of the packets back to "A". So the chance of routing loops is pretty high.

Regarding actual implementation: as "eBGP" will always win over "iBGP", there isn't anything you can do to make this "multipath" - this would only work if both paths are "eBGP" or both "iBGP".

To solve your issue at hand - what we do in this situation is to play with MED a bit. We have a similar setup, two routers on our end and two provider routers on their end, with same-sized links on router pair "A" and "B".
In our case, what we did was to move all traffic to "_3320_" (the local incumbent) to router "A", and to move everything else to router "B". We do this by manipulating the MEDs:

Router A: MED for "all paths that do not have 3320 in them" +50
Router B: MED for "all paths that *do* have 3320 in them" +50

For us, this means that the traffic is somewhat balanced, and has the added benefit of telling us exactly how much traffic goes to 3320... (which is always a big problem in Germany). If A or B fails, the MED manipulation is not strong enough to force traffic away from the other link (as lowering the local-pref would be), so we still have full redundancy.

So, in your environment, you could find some other characteristic that would balance your traffic somewhat, like "peers of my upstream" vs. "upstreams of my upstream" (which is usually tagged by BGP communities) and manually balance the traffic that way. Trial and error...

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From drew.weaver at thenap.com Wed May 27 09:01:34 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Wed, 27 May 2009 06:01:34 -0700
Subject: [c-nsp] Queue drops, real performance monitoring and other..
Message-ID: 

Howdy,

I am a little confused about queue drops and how to know when they're a problem vs. when they are not a problem. (That sounds silly.)

Everything I have read indicates that some number of IQD/OQD is normal in the 'show interface summary' command, but how do you know if it is a performance problem or not?

Does anyone know of any good tools/software (commercial/free) that monitor performance metrics inside Cisco switches to ensure they are operating correctly?

We'd really like a way to track the performance our users are getting and if there is any quality degradation in services such as Voice, etc.
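Gert's MED scheme from the ebgp load balancing thread above, worked through as an added simulation (this is not Gert's configuration and not code from any project or from Drew's message): each router's inbound policy adds 50 to the MED of the paths it should not prefer, and a simplified best-path comparison shows which router each prefix exits through, both with both routers up and with router A down. AS 3320 and the +50 come from the post; the upstream AS 65000, AS 65010 and the two prefixes are constructed.

```python
"""Simulate Gert's two-router MED trick (added example, not Gert's config)."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Tuple

INCUMBENT_AS = 3320   # the local incumbent named in the post
UPSTREAM_AS = 65000   # constructed: the common upstream of routers A and B
MED_PENALTY = 50      # the "+50" from the post


@dataclass(frozen=True)
class Path:
    prefix: str
    learned_by: str            # "A" or "B": the router holding the eBGP session
    as_path: Tuple[int, ...]
    med: int = 0
    local_pref: int = 100


def inbound_policy(router: str, path: Path) -> Path:
    """Gert's inbound route-map, per router.

    A adds 50 to the MED of paths that do NOT traverse 3320,
    B adds 50 to the MED of paths that DO traverse 3320.
    """
    via_incumbent = INCUMBENT_AS in path.as_path
    if router == "A":
        penalised = not via_incumbent
    else:
        penalised = via_incumbent
    return replace(path, learned_by=router,
                   med=path.med + (MED_PENALTY if penalised else 0))


def best_path(candidates: List[Path]) -> Path:
    """Simplified IOS decision: highest local-pref, shortest AS path, lowest MED,
    then the lowest router name as a stand-in for the router-ID tiebreak.
    MED is comparable here without bgp always-compare-med because every path
    comes from the same neighbouring AS."""
    return min(candidates,
               key=lambda p: (-p.local_pref, len(p.as_path), p.med, p.learned_by))


def choose_exits(received: Dict[str, List[Path]],
                 alive: Iterable[str] = ("A", "B")) -> Dict[str, str]:
    """received maps router -> raw paths heard from the upstream.
    Returns prefix -> exit router after policy and iBGP exchange of the
    surviving paths (a dead router contributes nothing)."""
    alive_set = set(alive)
    table: Dict[str, List[Path]] = {}
    for router, paths in received.items():
        if router not in alive_set:
            continue
        for p in paths:
            table.setdefault(p.prefix, []).append(inbound_policy(router, p))
    return {prefix: best_path(c).learned_by for prefix, c in sorted(table.items())}


# Constructed sample: both routers hear the same two prefixes from the upstream,
# one behind 3320 and one behind another (constructed) AS, with identical
# AS-path lengths so that MED is what decides.
RAW_PATHS = [
    Path("192.0.2.0/24", "?", (UPSTREAM_AS, INCUMBENT_AS)),
    Path("198.51.100.0/24", "?", (UPSTREAM_AS, 65010)),
]
RECEIVED = {"A": RAW_PATHS, "B": RAW_PATHS}


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Exit choice with both routers up, and with router A failed."""
    return choose_exits(RECEIVED), choose_exits(RECEIVED, alive=("B",))


if __name__ == "__main__":
    normal, a_down = demo()
    print("both up:", normal)   # 192.0.2.0/24 via A, 198.51.100.0/24 via B
    print("A down: ", a_down)   # everything via B: the +50 MED is not a blocker
```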
Thanks,
-Drew

From schilling2006 at gmail.com Wed May 27 10:31:19 2009
From: schilling2006 at gmail.com (schilling)
Date: Wed, 27 May 2009 10:31:19 -0400
Subject: [c-nsp] Is Nachi Worm Mitigation Measure Still Necessary in Campus?
Message-ID: 

Hi All,

We have PBR which drops 92 byte ICMP echo/echo-reply applied on our enterprise backbone (Catalyst 6500/Sup720-3BXL) links and all customer access VLANs. There are several issues: ICMP echo/echo-reply are punted to the CPU, it breaks Windows tracert/ping, and it's harder to implement Control Plane Policing (CoPP) regarding the ICMP messages. Is it still necessary to keep the PBR in place nowadays?

Cisco Security Notice: Nachi Worm Mitigation Recommendations
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

Policy Based Routing for Cisco IOS Software

The Nachi worm detects the availability of a node by sending ICMP type 8 (echo request) packets before trying to exploit the RPC vulnerability. The size of the ICMP packet is 92 bytes including the IP header. This Policy Based Routing (PBR) configuration can be used to match and drop the ICMP type 8 and type 0 packets that are 92 bytes long. The ICMP type 8 packets generated by the ping utility on other operating systems, such as Cisco IOS Software, Windows 2000, Linux, and Solaris, have different packet sizes than 92 bytes. This configuration should not filter the packets that are generated by the ping utility on those operating systems.

Caution: Once applied, this configuration may cause all packets to be process switched on hardware switching platforms, such as the Catalyst 6500 series and Cisco 12000 GSR, or PBR may not be supported on these platforms. This may significantly impact the performance of those devices and it is therefore not recommended to use this method on hardware switching platforms.

Caution: Enabling PBR may affect the performance of your throughput. It is recommended to enable CEF for improved performance. If CEF is not enabled on the router, it is recommended to have the ip route-cache policy command on the interface. This increases the performance of PBR.

Warning: Microsoft Windows tracert utility uses 92-byte sized ICMP packets. Using PBR to filter those packets causes the tracert utility not to work.

Thanks,
Schilling

From jared at puck.nether.net Wed May 27 10:44:13 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 27 May 2009 10:44:13 -0400
Subject: [c-nsp] Is Nachi Worm Mitigation Measure Still Necessary in Campus?
In-Reply-To: 
References: 
Message-ID: <037D1D74-4DB1-445A-9A18-7F61CF01F534@puck.nether.net>

I would remove it. There is an endless list of things you can attempt to mitigate. I'm sure some devices are still infected/scanning for CodeRed.

- Jared

On May 27, 2009, at 10:31 AM, schilling wrote:

> Hi All,
>
> We have PBR which drops 92 byte ICMP echo/echo-reply applied on our
> enterprise backbone (Catalyst 6500/Sup720-3BXL) links and all customer
> access VLANs. There are several issues: ICMP echo/echo-reply are
> punted to the CPU, it breaks Windows tracert/ping, and it's harder to
> implement Control Plane Policing (CoPP) regarding the ICMP
> messages. Is it still necessary to keep the PBR in place nowadays?

From clinton at scripty.com Wed May 27 11:44:59 2009
From: clinton at scripty.com (Clinton Work)
Date: Wed, 27 May 2009 09:44:59 -0600
Subject: [c-nsp] Queue drops, real performance monitoring and other..
In-Reply-To: 
References: 
Message-ID: <4A1D5FFB.8000109@scripty.com>

Drew,

I think it depends upon a number of factors to determine if it's normal or not:

- Which queue (EF?) are the input/output drops occurring in?
- What type of data are you carrying? Bursty Internet, Voice, Video, ...
- Is the interface core facing or customer facing (with policing/shaping)?
- What type of device are you using (small switch, IOS router, Cisco 7600, ...)?
I would not expect to see drops on Cisco 7600 interfaces carrying Voice traffic in an EF queue. Drew Weaver wrote: > Howdy, > > I am a little confused about queue drops and how to know when they're a problem vs. when they are not a problem. (that sounds silly). > > Everything I have read indicates that some number of IQD/OQD is normal in the 'show interface summary' command, but how do you know if it is a performance problem or not? > > Does anyone know of any good tools/software (commercial/free) that monitor performance metrics inside Cisco switches to ensure they are operating correctly? > > We'd really like a way to track the performance our users are getting and if there is any quality degradation in services such as Voice, etc. > From panocisco77 at gmail.com Wed May 27 14:41:55 2009 From: panocisco77 at gmail.com (Renelson Panosky) Date: Wed, 27 May 2009 14:41:55 -0400 Subject: [c-nsp] Comparison chart of 6509-E vs 4506-E Message-ID: <16e2ac180905271141h1ad601fboc1efe19456667dfd@mail.gmail.com> Hello everyone By anychance does anybody have a comparison chart of these two systems (6509-E vs 4506-E)? or knows how to find one because I've looked in the cisco website and i searched google, my company is thinking about changing their 6509-E with the new 4506-E cisco has put out not too long ago. Renelson From jared at corp.sonic.net Wed May 27 15:21:22 2009 From: jared at corp.sonic.net (Jared Gillis) Date: Wed, 27 May 2009 12:21:22 -0700 Subject: [c-nsp] Sup720-3B Gig port mac address strangeness Message-ID: <4A1D92B2.5050505@corp.sonic.net> Hello all, I'm working with 2 7606s, each with 1 Sup720-3B, and noticed something strange when moving the Supervisors between the two chassis. The MAC address assigned to the gig ports on the Supervisor seems to stick with a chassis, rather than follow the Supervisor. For example, I plug Supervisor A into chassis A, and the first gig port on the supervisor gets assigned MAC address A. Sup B in chassis B gets MAC B likewise. 
I then write erase both Supervisors, power down both chassis, and swap the Supervisors. Now Sup A is in chassis B, and Sup B in chassis A. However, Sup A in chassis B gets MAC B, and Sup B in chassis A gets MAC A. This is contrary to how I would expect this to work, as MACs are usually programmed into the EEPROM on the interface card. This is supported by the Cisco docs here: http://www.cisco.com/en/US/docs/routers/7600/Hardware/Hardware_Guides/Supervisor_Engine_and_Route_Switch_Processor_Guide/SupE01.html#wp1015861 Is this a known "feature" of the 7600/Sup720-3B? -- Jared Gillis - jared at corp.sonic.net Sonic.net, Inc. Network Operations 2260 Apollo Way 707.522.1000 (Voice) Santa Rosa, CA 95407 707.547.3400 (Support) http://www.sonic.net/ From panocisco77 at gmail.com Wed May 27 15:59:03 2009 From: panocisco77 at gmail.com (Renelson Panosky) Date: Wed, 27 May 2009 15:59:03 -0400 Subject: [c-nsp] Comparison chart of 6509-E vs 4506-E In-Reply-To: <4A1D9AC4.4090603@slepicka.net> References: <16e2ac180905271141h1ad601fboc1efe19456667dfd@mail.gmail.com> <4A1D9AC4.4090603@slepicka.net> Message-ID: <16e2ac180905271259y777023fcl3ba472d9c515b645@mail.gmail.com> Hey James Thank you that's the same thing i found on the cisco website but i was hoping for something a little better but thanks anyway On Wed, May 27, 2009 at 3:55 PM, James Slepicka wrote: > > http://www.cisco.com/en/US/prod/switches/ps5718/ps708/networking_solutions_products_genericcontent0900aecd805f0955.pdf > > > Renelson Panosky wrote: > >> Hello everyone >> >> By anychance does anybody have a comparison chart of these two systems >> (6509-E vs 4506-E)? or knows how to find one because I've looked in the >> cisco website and i searched google, my company is thinking about changing >> their 6509-E with the new 4506-E cisco has put out not too long ago. 
>> >> Renelson >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > From drrtuy at ya.ru Wed May 27 15:39:53 2009 From: drrtuy at ya.ru (junior) Date: Wed, 27 May 2009 22:39:53 +0300 Subject: [c-nsp] NAS-Port attribute In-Reply-To: <4A1CCE9A.1040307@gmail.com> References: <4A1CCE9A.1040307@gmail.com> Message-ID: <4A1D9709.9070701@ya.ru> Hello. > I have problem with NAS-Port on c3825 ISR router. Access-Request packet > contain NAS-Port attribute with 0 value. > > May 27 13:54:52.984 GMT: RADIUS: authenticator 37 5A 1D 50 70 7D DF A2 > - 9A 8A 22 80 0C C4 A0 6C > May 27 13:54:52.984 GMT: RADIUS: Vendor, Cisco [26] 41 > May 27 13:54:52.984 GMT: RADIUS: Cisco AVpair [1] 35 > "client-mac-address=0030.4f6d.d45a" > May 27 13:54:52.984 GMT: RADIUS: Framed-Protocol [7] 6 > PPP [1] > May 27 13:54:52.984 GMT: RADIUS: User-Name [1] 12 "username" > May 27 13:54:52.984 GMT: RADIUS: User-Password [2] 18 * > May 27 13:54:52.984 GMT: RADIUS: NAS-Port-Type [61] 6 > Ethernet [15] > *May 27 13:54:52.984 GMT: RADIUS: NAS-Port [5] 6 0* > May 27 13:54:52.984 GMT: RADIUS: NAS-Port-Id [87] 10 "0/0/0/10" > May 27 13:54:52.984 GMT: RADIUS: Service-Type [6] 6 > Framed [2] > May 27 13:54:52.984 GMT: RADIUS: NAS-IP-Address [4] 6 > xxx.xxx.xxx.xxx > > Why the router sent NAS-Port = 0 ? > How do I get NAS-Port ? Have You tried to use "radius-server attribute 87 circuit-id" command of IOS config? WBR Roman A. 
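For the NAS-Port question and Roman's reply above, an added example that is not code from either poster: a small Python parser for the IOS debug radius attribute lines quoted in the thread. It flags the NAS-Port = 0 case (a NAS that reports port 0 gives the RADIUS server nothing to correlate sessions or apply per-port policy on) and checks every printed attribute length against the value shown. The length rule (2-byte type/length header plus value, RFC 2865) and the fixed-length attribute types are standard; the findings wording, the parse helpers and the length-mismatch interpretation are mine.

```python
"""Parse Cisco IOS 'debug radius' attribute lines and sanity-check an Access-Request.
Added example for the NAS-Port thread; the sample lines are the debug output
quoted in the thread, the checks are not from either poster."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the Access-Request attributes quoted in the thread, one per line.
SAMPLE_DEBUG = """\
May 27 13:54:52.984 GMT: RADIUS: authenticator 37 5A 1D 50 70 7D DF A2 - 9A 8A 22 80 0C C4 A0 6C
May 27 13:54:52.984 GMT: RADIUS: Vendor, Cisco [26] 41
May 27 13:54:52.984 GMT: RADIUS: Cisco AVpair [1] 35 "client-mac-address=0030.4f6d.d45a"
May 27 13:54:52.984 GMT: RADIUS: Framed-Protocol [7] 6 PPP [1]
May 27 13:54:52.984 GMT: RADIUS: User-Name [1] 12 "username"
May 27 13:54:52.984 GMT: RADIUS: User-Password [2] 18 *
May 27 13:54:52.984 GMT: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*May 27 13:54:52.984 GMT: RADIUS: NAS-Port [5] 6 0*
May 27 13:54:52.984 GMT: RADIUS: NAS-Port-Id [87] 10 "0/0/0/10"
May 27 13:54:52.984 GMT: RADIUS: Service-Type [6] 6 Framed [2]
May 27 13:54:52.984 GMT: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
"""

# "RADIUS: <name> [<type>] <length> <value>". The authenticator line has no
# [type] field and is skipped. IOS prints the on-wire length, i.e. the 2-byte
# type/length header plus the value bytes.
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>.+?)\s+\[(?P<type>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*?)\s*$"
)

# RFC 2865 attributes carried as a 4-byte integer or IPv4 address: length is 6.
# (Sub-attributes inside a Vendor-Specific [26] use the vendor's own numbering;
# Cisco AVpair is sub-type 1, which is not in this set.)
FIXED_LENGTH_TYPES = {4, 5, 6, 7, 61}


@dataclass
class Attr:
    name: str
    type_: int
    length: int
    value: str   # raw text as printed; strings keep their quotes


def parse_debug(text: str) -> List[Attr]:
    """One Attr per attribute line; lines without a [type] field are ignored."""
    attrs: List[Attr] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # the poster's emphasis around NAS-Port
            line = line.strip("*")
        m = ATTR_RE.search(line)
        if m:
            attrs.append(Attr(m["name"], int(m["type"]), int(m["len"]), m["value"]))
    return attrs


def check_request(attrs: List[Attr]) -> List[str]:
    """Findings a RADIUS admin would want to see for this Access-Request."""
    findings: List[str] = []
    by_name: Dict[str, Attr] = {a.name: a for a in attrs}

    # NAS-Port (5) / NAS-Port-Id (87) say which physical port the session came
    # from; a constant 0 leaves the server only the textual NAS-Port-Id to go on.
    port = by_name.get("NAS-Port")
    if port is None:
        findings.append("NAS-Port (5) missing")
    elif port.value == "0":
        port_id = by_name["NAS-Port-Id"].value if "NAS-Port-Id" in by_name else "absent"
        findings.append(f"NAS-Port (5) is 0: NAS is not identifying the port "
                        f"(NAS-Port-Id = {port_id})")

    for a in attrs:
        v = a.value
        if a.type_ in FIXED_LENGTH_TYPES:
            if a.length != 6:
                findings.append(f"{a.name} ({a.type_}): length {a.length}, expected 6")
        elif len(v) >= 2 and v[0] == v[-1] == '"':
            # Printed length must equal header (2) + string bytes. A mismatch means
            # the quoted value was redacted or edited before it was pasted, so it
            # cannot be trusted for correlation with the server's logs.
            shown = len(v) - 2
            if shown + 2 != a.length:
                findings.append(f"{a.name} ({a.type_}): length {a.length} does not "
                                f"match the {shown}-byte value shown (redacted?)")
    return findings


if __name__ == "__main__":
    for finding in check_request(parse_debug(SAMPLE_DEBUG)):
        print(finding)
```

On the thread's own output this reports the NAS-Port = 0 case and that the User-Name value was shortened before posting (printed length 12, 8 bytes shown); the NAS-Port-Id and AVpair lengths are consistent.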
Nozdrin

From BBlackford at nwresd.k12.or.us Wed May 27 18:13:54 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Wed, 27 May 2009 15:13:54 -0700
Subject: [c-nsp] CPUHOG - BGP Scheduler
Message-ID: <6069A203FD01884885C037F81DD7508016CE1883D0@wsc-mail-01.intra.nwresd.k12.or.us>

So this started showing up:

May 27 14:45:26: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = BGP Scheduler.
-Traceback= 824C1AC 8261AF8 8261D84 94FA00C 8263BB0 8263CCC A6DCBC8 A6D2A54
May 27 14:46:34: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/1),process = BGP Scheduler.
-Traceback= 824C214 8261AF8 8261D84 94FA00C 8263BB0 8263CCC A6DCBC8 A6D2A54
May 27 14:47:26: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/0),process = BGP Scheduler.
-Traceback= 824C1D8 8261AF8 8261D84 94FA00C 8263BB0 8263CCC A6DCBC8 A6D2A54

7606/RSP720-3CXL/12.2(33)SRB1
Uptime is 1 year, 26 weeks.
Two full feeds and 10 other peers.

Where should I start looking?

Thanks

-b

-- 
Bill Blackford                 bblackford at nwresd.k12.or.us
Senior Network Engineer        503-614-1460 Desk
Technology Systems Group       503-863-0561 Cell
Northwest Regional ESD         503-614-1400 Helpdesk
5825 Ray Circle                503-614-1281 Fax
Hillsboro, Oregon 97124

my /home away from home

From mksmith at adhost.com Wed May 27 19:02:22 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Wed, 27 May 2009 16:02:22 -0700
Subject: [c-nsp] ICMP Ouptut
Message-ID: <17838240D9A5544AAA5FF95F8D5203160605DACB@ad-exh01.adhost.lan>

I've never seen this and I'd love to know what it is. This is trying to ping a CARP interface on a set of PF boxes. Cisco GSR 12.0(32)S8

sea-cor00#ping ipv6 2001:4970:cccc::6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4970:CCCC::6, timeout is 2 seconds:
TTTTT
Success rate is 0 percent (0/5)

However, it shows up in the neighbor statement.
sea-cor00#sho ipv6 nei
IPv6 Address Age Link-layer Addr State Interface
2001:4970:CCCC::6 0 0000.5e00.0101 REACH Gi0/0.19

Regards,

Mike

-- 
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

From ashnet2009 at gmail.com Wed May 27 19:49:03 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Wed, 27 May 2009 19:49:03 -0400
Subject: [c-nsp] Control Plane monitoring
In-Reply-To: <24354270-C167-4BA1-A76D-2312D715A92A@arbor.net>
References: <896a291f0905261906y7806ade0lb4019d1648628476@mail.gmail.com> <24354270-C167-4BA1-A76D-2312D715A92A@arbor.net>
Message-ID: <896a291f0905271649l434be1cfy817938cf4ad23ec1@mail.gmail.com>

Thanks guys for your feedback. It's very much appreciated.

On 5/27/09, Roland Dobbins wrote:
>
> On May 27, 2009, at 9:06 AM, Ash Net wrote:
>
>> Any feedback on what people use for the above in their prod networks
>> would be appreciated.
>
>
> Packet Design have a pretty good tool which can participate in and
> provide visibility into IGPs, even including Cisco-proprietary EIGRP.
> They also can look at MPLS labels, and generate dynamic routing/VPN
> topology diagrams based upon the information they obtain.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
>

From jeff-kell at utc.edu Wed May 27 20:54:35 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 27 May 2009 20:54:35 -0400
Subject: [c-nsp] Multicast over VRF possible?
Message-ID: <4A1DE0CB.4070105@utc.edu> In the process of an upgrade/reconfiguration today, I discovered that PIM multicast routing and VRF-lite are apparently mutually exclusive on a 4506. In this case, specifically IOS cat4500-entservicesk9-mz.122-50.SG1 on a Sup-IV WS-X4515. With an "ip vrf forwarding ..." directive, there is no "ip pim" option available, it disappears from the configuration options. OK, that was the "old school" fix to make some limited multicast work in this situation (Symantec Ghost for imaging remote labs). Is there another way to achieve routed multicasting in a VRF environment? Specifically, the imaging server resides in a "public services" VRF, while the target labs are in other VRFs. Is this a platform-specific restriction? Or is it Catalyst-wide? Can the 6500 handle it (on a 'ip vrf forward'ed interface or SVI)? There are some imaging alternatives (just relocate a suitable "master" copy to the local subnet), but there are some other multicast "plans" on the table that aren't so easily bypassed. Thanks in advance, Jeff From stephens at ameslab.gov Wed May 27 22:48:06 2009 From: stephens at ameslab.gov (Douglas C. Stephens) Date: Wed, 27 May 2009 21:48:06 -0500 Subject: [c-nsp] Multicast over VRF possible? In-Reply-To: <4A1DE0CB.4070105@utc.edu> References: <4A1DE0CB.4070105@utc.edu> Message-ID: <6.2.3.4.2.20090527211936.02cea848@imap.ameslab.gov> Jeff, I've successfully used "ip pim sparse-mode" on SVIs assigned to VRF-lite contexts on all my 6500s. This was on Sup720+MSFC3+PFC3B blades running both ADVENTERPRISEK9_WAN-M and ADVIPSERVICESK9_WAN-M feature sets of the 12.2(18)SXF release. I've not run into this problem on my 4500 switches, but then I'm running them with SupV blades, and I've not yet had much call for VRF-lite there. At 07:54 PM 5/27/2009, Jeff Kell wrote: >In the process of an upgrade/reconfiguration today, I discovered >that PIM multicast routing and VRF-lite are apparently mutually >exclusive on a 4506. 
In this case, specifically IOS >cat4500-entservicesk9-mz.122-50.SG1 on a Sup-IV WS-X4515. > >With an "ip vrf forwarding ..." directive, there is no "ip pim" >option available, it disappears from the configuration options. > >OK, that was the "old school" fix to make some limited multicast >work in this situation (Symantec Ghost for imaging remote labs). > >Is there another way to achieve routed multicasting in a VRF >environment? Specifically, the imaging server resides in a "public >services" VRF, while the target labs are in other VRFs. > >Is this a platform-specific restriction? Or is it >Catalyst-wide? Can the 6500 handle it (on a 'ip vrf forward'ed >interface or SVI)? > >There are some imaging alternatives (just relocate a suitable >"master" copy to the local subnet), but there are some other >multicast "plans" on the table that aren't so easily bypassed. > >Thanks in advance, > >Jeff >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Douglas C. Stephens | UNIX/Windows/Email Admin System Support Specialist | Network/DNS Admin Information Systems | Phone: (515) 294-6102 Ames Laboratory, US DOE | Email: stephens at ameslab.gov From uugnaa_mns at yahoo.com Thu May 28 00:48:38 2009 From: uugnaa_mns at yahoo.com (uugnaa) Date: Wed, 27 May 2009 21:48:38 -0700 (PDT) Subject: [c-nsp] router 7609 Message-ID: <474736.84893.qm@web55107.mail.re4.yahoo.com> hello all, I am going to make an order for Cisco Router 7609 with Cisco 7600 Series Supervisor Engine 32 (8 ports Gigabit Ethernet). My question is I need 24 Optical GE ports line card and another 7 Optical GE ports line card. I have seen the line card of 10-Port Gigabit Ethernet Shared Port Adapters. Please somebody make me clear on this what is the SPA(Shared Port Adapter). The difference between SPA and SFP. 
regards, uuganbat From bbasler at cisco.com Thu May 28 02:05:14 2009 From: bbasler at cisco.com (Ben Basler (bbasler)) Date: Wed, 27 May 2009 23:05:14 -0700 Subject: [c-nsp] Multicast over VRF possible? In-Reply-To: <6.2.3.4.2.20090527211936.02cea848@imap.ameslab.gov> References: <4A1DE0CB.4070105@utc.edu> <6.2.3.4.2.20090527211936.02cea848@imap.ameslab.gov> Message-ID: Jeff, At this point multicast on VRF interfaces is only supported with Sup6-E and 4900M. http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/52sg/conf iguration/guide/vrf.html#wp1064137 6500 does it on any PFC3 based sup since SXE. Cheers, Ben > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Douglas C. Stephens > Sent: Wednesday, May 27, 2009 7:48 PM > To: Jeff Kell > Cc: 'NSP List' > Subject: Re: [c-nsp] Multicast over VRF possible? > > Jeff, > > I've successfully used "ip pim sparse-mode" on SVIs assigned to VRF-lite > contexts on all my 6500s. This was on Sup720+MSFC3+PFC3B blades running > both ADVENTERPRISEK9_WAN-M and ADVIPSERVICESK9_WAN-M feature sets of the > 12.2(18)SXF release. > > I've not run into this problem on my 4500 switches, but then I'm running > them with SupV blades, and I've not yet had much call for VRF-lite there. > > > > At 07:54 PM 5/27/2009, Jeff Kell wrote: > >In the process of an upgrade/reconfiguration today, I discovered > >that PIM multicast routing and VRF-lite are apparently mutually > >exclusive on a 4506. In this case, specifically IOS > >cat4500-entservicesk9-mz.122-50.SG1 on a Sup-IV WS-X4515. > > > >With an "ip vrf forwarding ..." directive, there is no "ip pim" > >option available, it disappears from the configuration options. > > > >OK, that was the "old school" fix to make some limited multicast > >work in this situation (Symantec Ghost for imaging remote labs). > > > >Is there another way to achieve routed multicasting in a VRF > >environment? 
Specifically, the imaging server resides in a "public > >services" VRF, while the target labs are in other VRFs. > > > >Is this a platform-specific restriction? Or is it > >Catalyst-wide? Can the 6500 handle it (on a 'ip vrf forward'ed > >interface or SVI)? > > > >There are some imaging alternatives (just relocate a suitable > >"master" copy to the local subnet), but there are some other > >multicast "plans" on the table that aren't so easily bypassed. > > > >Thanks in advance, > > > >Jeff > >_______________________________________________ > >cisco-nsp mailing list cisco-nsp at puck.nether.net > >https://puck.nether.net/mailman/listinfo/cisco-nsp > >archive at http://puck.nether.net/pipermail/cisco-nsp/ > > -- > Douglas C. Stephens | UNIX/Windows/Email Admin > System Support Specialist | Network/DNS Admin > Information Systems | Phone: (515) 294-6102 > Ames Laboratory, US DOE | Email: stephens at ameslab.gov > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From security at cytanet.com.cy Thu May 28 02:49:28 2009 From: security at cytanet.com.cy (Michalis Palis) Date: Thu, 28 May 2009 09:49:28 +0300 Subject: [c-nsp] Remove BGP AS path number number from an AS PATH Message-ID: <98CA85E599A54176BD471FFC2AC3BD70@PCArr2007MP> Hello All Is their a way to remove the first AS number (not private) from an AS path? For example we are receiving a route with AS PATH 123 456 456 456 and we want to remove the 123 AS and put in the BGP table the route with AS 456 456 456 . 
Thanks for your reply From llc at dansketelecom.com Thu May 28 03:13:24 2009 From: llc at dansketelecom.com (Lars Lystrup Christensen) Date: Thu, 28 May 2009 09:13:24 +0200 Subject: [c-nsp] router 7609 In-Reply-To: <474736.84893.qm@web55107.mail.re4.yahoo.com> References: <474736.84893.qm@web55107.mail.re4.yahoo.com> Message-ID: <44417CD2F19FEA4F885088340A71D33201F0DEE4@mail.office.dansketelecom.com> Hi Uuganbat, The 10-port GE SPA is a module residing in the SIP-600 card (which is required) and the SFP is the actual optical module. Due to pricing, I would believe you get cheaper ports by using another 24-port optical GE linecard, as the 10-port SPA would cost the additional SIP-600 which isn't cheap at all. ______________________________________ Med venlig hilsen / Kind regards Lars Lystrup Christensen Director of Engineering, CCIE(tm) #20292 Danske Telecom A/S Sundkrogsgade 13, 4 2100 K?benhavn ? -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of uugnaa Sent: 28. maj 2009 06:49 To: cisco-nsp at puck.nether.net Subject: [c-nsp] router 7609 hello all, I am going to make an order for Cisco Router 7609 with Cisco 7600 Series Supervisor Engine 32 (8 ports Gigabit Ethernet). My question is I need 24 Optical GE ports line card and another 7 Optical GE ports line card. I have seen the line card of 10-Port Gigabit Ethernet Shared Port Adapters. Please somebody make me clear on this what is the SPA(Shared Port Adapter). The difference between SPA and SFP. 
regards, uuganbat _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From felixnkansah at gmail.com Thu May 28 07:50:09 2009 From: felixnkansah at gmail.com (Felix Nkansah) Date: Thu, 28 May 2009 11:50:09 +0000 Subject: [c-nsp] ITP Deployment Guide Message-ID: <18dba4e50905280450v68b87ab1rfb0d7803aa71db44@mail.gmail.com> Hi Team, A messaging company that wants to sell a solution to a mobile carrier has subcontracted a portion of implementation for their demo solution to my company. My portion of the project requires deploying SSoIP using Cisco ITP with two 2811 routers at both sides of a link, in a staged lab. Frankly, the contractor's ITP requirements are yet to be defined. Coming from a purely IP background, I expect this to be a challenge. I should be glad if any on this list could share with me links to useful guides, examples, scenarios, experiences, caveats, etc on Cisco's ITP offering. Thanks for your responses. Felix From j.varaillon at cosmoline.com Thu May 28 10:37:30 2009 From: j.varaillon at cosmoline.com (Varaillon Jean Christophe) Date: Thu, 28 May 2009 17:37:30 +0300 Subject: [c-nsp] Remove BGP AS path number number from an AS PATH In-Reply-To: <98CA85E599A54176BD471FFC2AC3BD70@PCArr2007MP> References: <98CA85E599A54176BD471FFC2AC3BD70@PCArr2007MP> Message-ID: <012501c9dfa1$d4e73260$7eb59720$%varaillon@cosmoline.com> I doubt that you can do that... but if this is to influence your outgoing traffic, then I would use local-preferences. 
Christophe

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michalis Palis
Sent: Thursday, May 28, 2009 9:49 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Remove BGP AS path number number from an AS PATH

Hello All

Is there a way to remove the first AS number (not private) from an AS path?

For example we are receiving a route with AS PATH 123 456 456 456 and we want to remove the 123 AS and put in the BGP table the route with AS 456 456 456.

Thanks for your reply

__________ Information from ESET Smart Security, version of virus signature database 4112 (20090528) __________

The message was checked by ESET Smart Security.

http://www.eset.com

From masood at nexlinx.net.pk Thu May 28 12:55:40 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Thu, 28 May 2009 21:55:40 +0500 (PKT)
Subject: [c-nsp] Remove BGP AS path number number from an AS PATH
In-Reply-To: <012501c9dfa1$d4e73260$7eb59720$%varaillon@cosmoline.com>
References: <98CA85E599A54176BD471FFC2AC3BD70@PCArr2007MP> <012501c9dfa1$d4e73260$7eb59720$%varaillon@cosmoline.com>
Message-ID: <45297.196.46.241.40.1243529740.squirrel@nexmail1.nexlinx.net.pk>

yup, you can't remove public AS from AS path. would you please share the idea why you wana remove it :)

there are many other attributes to tweak bgp, y not u use them.

BR\\
Masood

> I doubt that you can do that... but if this is to influence your outgoing
> traffic, then I would use local-preferences.
>
> Christophe
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michalis Palis
> Sent: Thursday, May 28, 2009 9:49 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Remove BGP AS path number number from an AS PATH
>
> Hello All
>
> Is there a way to remove the first AS number (not private) from an AS
> path?
>
> For example we are receiving a route with AS PATH 123 456 456 456 and we
> want to remove the 123 AS and put in the BGP table the route with AS 456
> 456 456.
>
> Thanks for your reply
>

From jay-ford at uiowa.edu Thu May 28 12:19:23 2009
From: jay-ford at uiowa.edu (Jay Ford)
Date: Thu, 28 May 2009 11:19:23 -0500 (CDT)
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
Message-ID:

In the past 9 days I've found that 3 of our Catalyst 6500 WS-X67xx cards (2 WS-X6748-GE-TX & 1 WS-X6748-SFP) had dislodged heat fins. The fins are supposed to be tethered by a spring hooked into a small wire loop which seems to be soldered onto the circuit board.
In the case at hand the wire loop pulls out of the board & the heat fin then flops around free & in 1 case the wire loop was rattling around on the card. Not good.

I'm trying to determine if this is a systemic problem or just a fluke. It seems like a design flaw, with the spring being too much for the soldered wire loop. Has anybody else seen this? If so, with how many cards & of what types?

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951

From ip at ioshints.info Thu May 28 12:30:57 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 28 May 2009 18:30:57 +0200
Subject: [c-nsp] Remove BGP AS path number number from an AS PATH
In-Reply-To: <45297.196.46.241.40.1243529740.squirrel@nexmail1.nexlinx.net.pk>
References: <98CA85E599A54176BD471FFC2AC3BD70@PCArr2007MP> <012501c9dfa1$d4e73260$7eb59720$%varaillon@cosmoline.com> <45297.196.46.241.40.1243529740.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <01b301c9dfb1$aef30f60$0a00000a@nil.si>

Let's be more precise. There is no publicly known way to remove a non-private AS number from AS-path on a device running Cisco IOS ... but you could always adapt Quagga source code to your needs.

As pointed out by previous replies, tweaking AS-PATH is a really bad idea. BGP has numerous other tools.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: masood at nexlinx.net.pk [mailto:masood at nexlinx.net.pk]
> Sent: Thursday, May 28, 2009 6:56 PM
> To: Varaillon Jean Christophe
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Remove BGP AS path number number from an AS PATH
>
> yup, you can't remove public AS from AS path. would you
> please share the idea why you wana remove it :)
>
> there are many other attributes to tweak bgp, y not u use them.
>
> BR\\
> Masood
>
>
> > I doubt that you can do that... but if this is to influence your
> > outgoing traffic, then I would use local-preferences.
> >
> > Christophe
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Michalis Palis
> > Sent: Thursday, May 28, 2009 9:49 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Remove BGP AS path number number from an AS PATH
> >
> > Hello All
> >
> > Is there a way to remove the first AS number (not private)
> from an AS
> > path?
> >
> > For example we are receiving a route with AS PATH 123 456
> 456 456 and
> > we want to remove the 123 AS and put in the BGP table the
> route with
> > AS 456 456 456.
> >
> > Thanks for your reply
> >

From p.mayers at imperial.ac.uk Thu May 28 13:17:52 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 28 May 2009 18:17:52 +0100
Subject: [c-nsp] Sup720-3B Gig port mac address strangeness
In-Reply-To: <4A1D92B2.5050505@corp.sonic.net>
References: <4A1D92B2.5050505@corp.sonic.net>
Message-ID: <20090528171751.GA21759@wildfire.net.ic.ac.uk>

On Wed, May 27, 2009 at 08:21:22PM +0100, Jared Gillis wrote:
>Hello all,
>
>I'm working with 2 7606s, each with 1 Sup720-3B, and noticed something strange
>when moving the Supervisors between the two chassis. The MAC address assigned to
>the gig ports on the Supervisor seems to stick with a chassis, rather than
>follow the Supervisor.
>For example, I plug Supervisor A into chassis A, and the first gig port on the
>supervisor gets assigned MAC address A. Sup B in chassis B gets MAC B likewise.
>I then write erase both Supervisors, power down both chassis, and swap the
>Supervisors. Now Sup A is in chassis B, and Sup B in chassis A. However, Sup A
>in chassis B gets MAC B, and Sup B in chassis A gets MAC A.
>
>This is contrary to how I would expect this to work, as MACs are usually
>programmed into the EEPROM on the interface card. This is supported by the Cisco
>docs here:
>http://www.cisco.com/en/US/docs/routers/7600/Hardware/Hardware_Guides/Supervisor_Engine_and_Route_Switch_Processor_Guide/SupE01.html#wp1015861
>
>Is this a known "feature" of the 7600/Sup720-3B?

IIRC SVIs use the chassis mac address, and routed ports use the phy MAC address. L2 PDUs (STP, CDP, LLDP) always use the phy mac.

>
>--
>Jared Gillis - jared at corp.sonic.net          Sonic.net, Inc.
>Network Operations                             2260 Apollo Way
>707.522.1000 (Voice)                           Santa Rosa, CA 95407
>707.547.3400 (Support)                         http://www.sonic.net/

From rooknee at gmail.com Thu May 28 13:38:05 2009
From: rooknee at gmail.com (Randy Rooney)
Date: Thu, 28 May 2009 10:38:05 -0700
Subject: [c-nsp] CPUHOG - BGP Scheduler
In-Reply-To: <6069A203FD01884885C037F81DD7508016CE1883D0@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD7508016CE1883D0@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <148ea5c60905281038r2fcf53bfu2a6807c3cdb983cf@mail.gmail.com>

Hi,

I would start by looking at upgrading. SRB1 has a lot of known BGP bugs. Most notably is BGP process hogging CPU on large table convergence.

SRB3 is stable as long as you don't do "sh mem", will crash active proc
SRB5 is stable as long as you don't care about netflow
SRD1 so far ok

If you don't need the latest features in SRD I would stick with the latest SRB train.

RR

On Wed, May 27, 2009 at 3:13 PM, Bill Blackford wrote:
> So this started showing up:
>
> May 27 14:45:26: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = BGP Scheduler.
> -Traceback= 824C1AC 8261AF8 8261D84 94FA00C 8263BB0 8263CCC A6DCBC8 A6D2A54
> May 27 14:46:34: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/1),process = BGP Scheduler.
> -Traceback= 824C214 8261AF8 8261D84 94FA00C 8263BB0 8263CCC A6DCBC8 A6D2A54
> May 27 14:47:26: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/0),process = BGP Scheduler.
> -Traceback= 824C1D8 8261AF8 8261D84 94FA00C 8263BB0 8263CCC A6DCBC8 A6D2A54
>
> 7606/RSP720-3CXL/12.2(33)SRB1
>
> Uptime is 1 year, 26 weeks.
>
> Two full feeds and 10 other peers.
>
> Where should I start looking?
>
> Thanks
>
> -b
>
>
>
> --
> Bill Blackford                     bblackford at nwresd.k12.or.us
> Senior Network Engineer            503-614-1460 Desk
> Technology Systems Group           503-863-0561 Cell
> Northwest Regional ESD             503-614-1400 Helpdesk
> 5825 Ray Circle                    503-614-1281 Fax
> Hillsboro, Oregon  97124
>
> my /home away from home
>

From peter at rathlev.dk Thu May 28 12:58:48 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 28 May 2009 18:58:48 +0200
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To:
References:
Message-ID: <1243529928.8060.2.camel@localhost.localdomain>

On Thu, 2009-05-28 at 11:19 -0500, Jay Ford wrote:
> In the past 9 days I've found that 3 of our Catalyst 6500 WS-X67xx cards (2
> WS-X6748-GE-TX & 1 WS-X6748-SFP) had dislodged heat fins. The fins are
> supposed to be tethered by a spring hooked into a small wire loop which seems
> to be soldered onto the circuit board. In the case at hand the wire loop
> pulls out of the board & the heat fin then flops around free & in 1 case the
> wire loop was rattling around on the card. Not good.
>
> I'm trying to determine if this is a systemic problem or just a fluke. It
> seems like a design flaw, with the spring being too much for the soldered
> wire loop. Has anybody else seen this? If so, with how many cards & of what
> types?

We had this happen to three 6748-GE-TX cards. We discovered it while performing some physical relocations/upgrades. It might have happened to other modules that we didn't look at.

For some reason we decided to let one of the systems run, just to see what effect it had. FWIW it has had no problems for ~1 year now.

It was no problem RMAing them.
Regards,
Peter

From jlewis at lewis.org Thu May 28 15:48:58 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 28 May 2009 15:48:58 -0400 (EDT)
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To:
References:
Message-ID:

On Thu, 28 May 2009, Jay Ford wrote:

> I'm trying to determine if this is a systemic problem or just a fluke.
> It seems like a design flaw, with the spring being too much for the
> soldered wire loop. Has anybody else seen this? If so, with how many
> cards & of what types?

I've seen this sort of failure on the chipset heatsink on a Soyo P4 motherboard. I used superglue to 're-anchor' the wire loop into the motherboard. The repair outlasted the motherboard (which eventually died due to bad [expanding & leaking] capacitors).

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From ml at t-b-o-h.net Thu May 28 15:24:20 2009
From: ml at t-b-o-h.net (Tuc at T-B-O-H)
Date: Thu, 28 May 2009 15:24:20 -0400 (EDT)
Subject: [c-nsp] Port debugging on C2924
In-Reply-To: <20090526201701.GA14546@geeks.org> from "Doug McIntyre" at May 26, 2009 03:17:01 PM
Message-ID: <200905281924.n4SJOKsQ005338@vjofn.tucs-beachin-obx-house.com>

>
> On Tue, May 26, 2009 at 02:01:25PM -0400, Tuc at T-B-O-H wrote:
> > If I had physical access, that's exactly what I'd do. But I don't, so
> > I need it to dump the packets into syslog for me. I don't have "debug
> > packet" available on the IOS on the unit, nor does "debug interface" seem
> > to be generating anything....
>
> There's nothing available on that hardware. Port monitor is your only choice.
>
That makes bunny sad. Ok, thanks. I guess I'm SOL until the next site visit.
Tuc

From llc at dansketelecom.com Thu May 28 16:59:10 2009
From: llc at dansketelecom.com (Lars Lystrup Christensen)
Date: Thu, 28 May 2009 22:59:10 +0200
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To:
References:
Message-ID: <44417CD2F19FEA4F885088340A71D33201F0DFCB@mail.office.dansketelecom.com>

Hi Jay,

I've RMA'ed at least one board and could suspect other boards with the same flaw, so I believe this might be either a design fault or simply a faulty batch.

______________________________________
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292

Danske Telecom A/S
Sundkrogsgade 13, 4
2100 København Ø

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Ford
Sent: 28. maj 2009 18:19
To: cisco-nsp
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards

In the past 9 days I've found that 3 of our Catalyst 6500 WS-X67xx cards (2 WS-X6748-GE-TX & 1 WS-X6748-SFP) had dislodged heat fins. The fins are supposed to be tethered by a spring hooked into a small wire loop which seems to be soldered onto the circuit board. In the case at hand the wire loop pulls out of the board & the heat fin then flops around free & in 1 case the wire loop was rattling around on the card. Not good.

I'm trying to determine if this is a systemic problem or just a fluke. It seems like a design flaw, with the spring being too much for the soldered wire loop. Has anybody else seen this? If so, with how many cards & of what types?
________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951

From jay at west.net Thu May 28 17:23:20 2009
From: jay at west.net (Jay Hennigan)
Date: Thu, 28 May 2009 14:23:20 -0700
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To: <44417CD2F19FEA4F885088340A71D33201F0DFCB@mail.office.dansketelecom.com>
References: <44417CD2F19FEA4F885088340A71D33201F0DFCB@mail.office.dansketelecom.com>
Message-ID: <4A1F00C8.9060109@west.net>

> In the past 9 days I've found that 3 of our Catalyst 6500 WS-X67xx cards (2
> WS-X6748-GE-TX & 1 WS-X6748-SFP) had dislodged heat fins. The fins are
> supposed to be tethered by a spring hooked into a small wire loop which seems
> to be soldered onto the circuit board. In the case at hand the wire loop
> pulls out of the board & the heat fin then flops around free & in 1 case the
> wire loop was rattling around on the card. Not good.
>
> I'm trying to determine if this is a systemic problem or just a fluke. It
> seems like a design flaw, with the spring being too much for the soldered
> wire loop. Has anybody else seen this? If so, with how many cards & of what
> types?

It sounds like a design flaw. The spring force on the loop is upward. Heat from the chip is conducted to the fins, the spring, and the loop which softens the solder. Tension on the loop pulls it out.

They probably need to come up with a different means of attaching the loop, maybe a stamped part with a base on the underside of the board, or at the least use a high-melting-point solder for that attachment point.
--
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From dean at eatworms.org.uk Thu May 28 16:52:16 2009
From: dean at eatworms.org.uk (Dean Smith)
Date: Thu, 28 May 2009 21:52:16 +0100
Subject: [c-nsp] Remove BGP AS path number number from an AS PATH
In-Reply-To: <45297.196.46.241.40.1243529740.squirrel@nexmail1.nexlinx.net.pk>
References: <98CA85E599A54176BD471FFC2AC3BD70@PCArr2007MP> <012501c9dfa1$d4e73260$7eb59720$%varaillon@cosmoline.com> <45297.196.46.241.40.1243529740.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <00ab01c9dfd6$2f5d5150$8e17f3f0$@org.uk>

This list does tend to focus on public internet issues and forget that BGP is used in corporate or other "non-internet" environments that don't follow nice conventions and after 15+ years of corporate take-overs, mergers and demergers can often find situations where AS Paths need to be "cleaned" or manipulated with something more flexible than a straight pre-pend.

IOS allows every other key BGP metric to be tweaked and we accept the risks that brings - so this sort of manipulation of the AS-Path is long overdue.

Examples where I have had to dump BGP routes into an IGP for a hop and stick them back into BGP with a "clean" AS-Path:

A) 2 independent organisations both use MPLS VPN from the same provider and want to exchange routes across a private peering. The MPLS provider AS is in the AS-Path on both sides and the provider drops routes. The provider doesn't offer any of the provider side workarounds.

B) 1 Organisation that has historically been a fully private network and has some historic peerings that use non-private AS/non-registered AS now wants to have a private peering with "a proper" public network. The AS-Path needs to have the "junk" removed before the routes could be advertised.
Yes the historic networks should be migrated away but the fact is there is often no resource and no money to do that when the workaround is simply another Router.

C) Organisation wants to Dual Home to 2 ISPs at 2 locations for a new internet service. It wants to use its private network for backhaul between the sites but can't have free flow of routes between because if they traverse the MPLS VPN they get the provider AS inserted in the path.

I don't intend to debate the above....they happened and the solutions were ratified by Cisco but in all cases manipulating the AS-Path (usually to remove the MPLS provider public AS) would have been much much easier than the final solutions.

The summary is...BGP isn't just used on the Internet, and corporate networks get messy when CEOs get ambitious (or fired).

Dean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of masood at nexlinx.net.pk
Sent: 28 May 2009 17:56
To: Varaillon Jean Christophe
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Remove BGP AS path number number from an AS PATH

yup, you can't remove public AS from AS path. would you please share the idea why you wana remove it :)

there are many other attributes to tweak bgp, y not u use them.

BR\\
Masood

> I doubt that you can do that... but if this is to influence your outgoing
> traffic, then I would use local-preferences.
>
> Christophe
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michalis Palis
> Sent: Thursday, May 28, 2009 9:49 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Remove BGP AS path number number from an AS PATH
>
> Hello All
>
> Is there a way to remove the first AS number (not private) from an AS
> path?
>
> For example we are receiving a route with AS PATH 123 456 456 456 and we
> want to remove the 123 AS and put in the BGP table the route with AS 456
> 456 456.
>
> Thanks for your reply
>

From achatz at forthnet.gr Thu May 28 18:07:53 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 29 May 2009 01:07:53 +0300
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To: <4A1F00C8.9060109@west.net>
References: <44417CD2F19FEA4F885088340A71D33201F0DFCB@mail.office.dansketelecom.com> <4A1F00C8.9060109@west.net>
Message-ID: <4A1F0B39.6040907@forthnet.gr>

Can someone please take a photo and upload it somewhere, so everyone else can better understand what exactly is the issue you're talking about?

--
Tassos

Jay Hennigan wrote on 29/05/2009 00:23:
>
>> In the past 9 days I've found that 3 of our Catalyst 6500 WS-X67xx
>> cards (2
>> WS-X6748-GE-TX & 1 WS-X6748-SFP) had dislodged heat fins.
>> The fins are
>> supposed to be tethered by a spring hooked into a small wire loop
>> which seems
>> to be soldered onto the circuit board. In the case at hand the wire loop
>> pulls out of the board & the heat fin then flops around free & in 1
>> case the
>> wire loop was rattling around on the card. Not good.
>>
>> I'm trying to determine if this is a systemic problem or just a
>> fluke. It
>> seems like a design flaw, with the spring being too much for the soldered
>> wire loop. Has anybody else seen this? If so, with how many cards &
>> of what
>> types?
>
> It sounds like a design flaw. The spring force on the loop is upward.
> Heat from the chip is conducted to the fins, the spring, and the loop
> which softens the solder. Tension on the loop pulls it out.
>
> They probably need to come up with a different means of attaching the
> loop, maybe a stamped part with a base on the underside of the board, or
> at the least use a high-melting-point solder for that attachment point.
>

From ecables at gmail.com Thu May 28 19:55:27 2009
From: ecables at gmail.com (Eric Cables)
Date: Thu, 28 May 2009 16:55:27 -0700
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To:
References:
Message-ID:

We experienced the same problem on a number of 6748 blades, and requested failure analysis from Cisco (report below). We were performing a chassis swap, and the heatsink/fin/whatever literally fell off upon card removal, which led to the discovery of the faulty bracket on multiple cards -- but not all cards.

Here's the failure analysis report:

*FA case Number: FA-0063752
Fault Isolated
The customer reported that the line cards had faulty Heatsink latches. The customer's symptom was duplicated. The line cards failed visual inspection. The line card with serial number <> had a Z1 latch became detached. The Z1 came off and caused the heatsink to become loose. No damage was done to the baseboard. The line card with serial number <> had both Z1 and Z2 missing.
The latches were not on the card, which caused the Heatsink to move around. Only some minor scratches were observed on the baseboard. This case was closed as fault isolated due to the detached latches on the boards. MM/CG*

--
Eric Cables

On Thu, May 28, 2009 at 9:19 AM, Jay Ford wrote:

> In the past 9 days I've found that 3 of our Catalyst 6500 WS-X67xx cards (2
> WS-X6748-GE-TX & 1 WS-X6748-SFP) had dislodged heat fins. The fins are
> supposed to be tethered by a spring hooked into a small wire loop which
> seems
> to be soldered onto the circuit board. In the case at hand the wire loop
> pulls out of the board & the heat fin then flops around free & in 1 case
> the
> wire loop was rattling around on the card. Not good.
>
> I'm trying to determine if this is a systemic problem or just a fluke. It
> seems like a design flaw, with the spring being too much for the soldered
> wire loop. Has anybody else seen this? If so, with how many cards & of
> what
> types?
>
> ________________________________________________________________________
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
>

From jlewis at lewis.org Thu May 28 21:42:21 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 28 May 2009 21:42:21 -0400 (EDT)
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To: <4A1F0B39.6040907@forthnet.gr>
References: <44417CD2F19FEA4F885088340A71D33201F0DFCB@mail.office.dansketelecom.com> <4A1F00C8.9060109@west.net> <4A1F0B39.6040907@forthnet.gr>
Message-ID:

On Fri, 29 May 2009, Tassos Chatzithomaoglou wrote:

> Can someone please take a photo and upload it somewhere, so everyone else can
> better understand what
> exactly is the issue you're talking about?

Pardon the crappy cellphone pic...but
http://www.lewis.org/~jlewis/heatsink.jpg

The anchor points (at least on this motherboard) basically look like jumper posts that have been joined with an arch. The heatsink is held in place by spring tension against the four anchors. Just one anchor failing results in the heatsink popping up off the chip and in my case resulted in very frequent system crashes.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From panocisco77 at gmail.com Thu May 28 22:29:15 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Thu, 28 May 2009 22:29:15 -0400
Subject: [c-nsp] Comparison chart of 6509-E vs 4506-E
In-Reply-To: <4A1DA333.6080708@ems.psu.edu>
References: <16e2ac180905271141h1ad601fboc1efe19456667dfd@mail.gmail.com> <4A1D9AC4.4090603@slepicka.net> <16e2ac180905271259y777023fcl3ba472d9c515b645@mail.gmail.com> <4A1DA333.6080708@ems.psu.edu>
Message-ID: <16e2ac180905281929x3180e41fxd87f9c607d04bc71@mail.gmail.com>

Hello Jeff

I work for the government so we do have Cisco; I will ask him for the NDA, and thank you, the info you have provided is very helpful.

Renelson

On Wed, May 27, 2009 at 4:31 PM, Jeff Wolfe wrote:

> Do you have access to a Cisco sales team and SE? You should ask for an NDA
> on the 4500 and 6500.
>
> The architecture of the 4500 is different than the 6500. In the 4500, the
> linecards are basically smart PHYs, all the packets go back to the SUP for
> switching/forwarding.. The "E" chassis currently has 24Gb/s per slot back to
> the Sup, resulting in 2:1 oversubscription on all ports.
>
> Compare that with the 6500, where "it depends". 61xx modules put all
> packets on a 16Gb/s ring bus that passes through the SUP. Packets go on the
> bus regardless of where they exit the switch.
> 67xx modules have 20 or 40Gb/s
> 'taps' to the SUP. Packets go to the SUP for forwarding, unless the card has
> a DFC module, in which case the packets only go to the SUP if the
> destination port is not on the same slot.
>
> 6500 can hold other non-linecard modules, 4500 can not.
>
> 6500 does netflow.
> 4500 Sup5 does netflow, but Sup6E does *not* do netflow.
>
> We like the 4500 a lot. It's not perfect, but it fits our current and
> future needs in our enterprise LAN.
> We have 4507R-E chassis with redundant SUPs and full of 48p 1G linecards.
> They provide all the same functionality that a 6509 would, but they're
> physically smaller, consume half the power and are approximately half the
> price of the DFC enabled 6509 with 67xx modules.
>
> Compared to a 6509 with 61xx modules and Sup32, the 4500 is a considerably
> better switch from a performance and capacity perspective.
>
>
> You should ask your Cisco reps for an NDA on the 4500 and 6500. They have
> detailed comparisons, but they're only shown under NDA.
>
> $0.02
>
>
> -JEff
>
>
>
> Renelson Panosky wrote:
>
>> Hey James
>>
>> Thank you that's the same thing i found on the cisco website but i was
>> hoping for something a little better but thanks anyway
>>
>>

From christian at zengl.net Fri May 29 07:34:18 2009
From: christian at zengl.net (Christian Zeng)
Date: Fri, 29 May 2009 13:34:18 +0200
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To: <4A1F0B39.6040907@forthnet.gr>
References: <44417CD2F19FEA4F885088340A71D33201F0DFCB@mail.office.dansketelecom.com> <4A1F00C8.9060109@west.net> <4A1F0B39.6040907@forthnet.gr>
Message-ID: <20090529113418.GB32049@zengl.net>

Hi,

* Tassos Chatzithomaoglou wrote:
> Can someone please take a photo and upload it somewhere, so everyone else
> can better understand what exactly is the issue you're talking about?
http://img32.imageshack.us/img32/1692/cimg1691r.jpg
http://img30.imageshack.us/img30/1563/cimg1685u.jpg
http://img34.imageshack.us/img34/7126/cimg1686.jpg
http://img33.imageshack.us/img33/39/cimg1690.jpg

Same happened to us. I was pulling out a 6748 SFP blade to relocate it and was confronted with what you can see in the pictures above. The card was working fine up to this point. Instead of RMAing it, we decided to reattach it by applying heat conductive glue to the heat sink and the chip.

Christian

From jlewis at lewis.org Fri May 29 09:54:29 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 29 May 2009 09:54:29 -0400 (EDT)
Subject: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
In-Reply-To:
References: <4A0308DA.9040802@utc.edu> <4A036876.2050606@rollernet.us>
Message-ID:

On Thu, 7 May 2009, Jon Lewis wrote:

> I didn't think ACL logging worked in either direction on the 3550. I ran
> across something even more disturbing recently. A customer had an apparently
> compromised system found SSH scanning remote hosts. I put a simple ACL on
> the customer's layer 3 port (i.e. no switchport, ip address ...),
>
> ip access-list extended f0/48-in-acl
>  deny tcp any any eq 22
>  permit ip any any
>
> int f0/48
>  ip access-group f0/48-in-acl in
>
> According to netflow (on our 6500s upstream of the 3550s) some SSH scanning
> traffic was still getting through...or remote hosts just happened to be
> sending this customer tcp traffic from their port 22 to random high ports.
> This is under 12.1(22)EA10b. I haven't gotten around to testing this
> further.

After further investigation (port monitoring), I've determined that the customer server is not sending ssh scan traffic anymore, but for some reason, one host in Ukraine is continuing to send it packets that look like malformed responses to an ssh session. So, I'm going to blame this on a misbehaving host in Ukraine and not on the 3550's ACL failing to drop packets.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jay-ford at uiowa.edu Fri May 29 09:58:11 2009
From: jay-ford at uiowa.edu (Jay Ford)
Date: Fri, 29 May 2009 08:58:11 -0500 (CDT)
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To: <4A1F0B39.6040907@forthnet.gr>
References: <44417CD2F19FEA4F885088340A71D33201F0DFCB@mail.office.dansketelecom.com> <4A1F00C8.9060109@west.net> <4A1F0B39.6040907@forthnet.gr>
Message-ID:

On Fri, 29 May 2009, Tassos Chatzithomaoglou wrote:
> Can someone please take a photo and upload it somewhere, so everyone else can
> better understand what exactly is the issue you're talking about?

Take a look at:
   http://myweb.uiowa.edu/jnford/images/IMG_0589.jpg
   http://myweb.uiowa.edu/jnford/images/IMG_0590.jpg

The first shows the "Z1" socket in the background with the fuzzy loop in the
foreground. The second shows the heat fin & loop in the foreground with the
socket in the background. The loop is supposed to be in the Z1 socket.

Based on the responses I've received it seems that this is a fairly common
failure due to a design flaw. I got the usual "that's strange; nobody else
is having this problem" from Cisco. I now have ample justification for
telling them "bull".

Thanks everybody.

Jay

From BBlackford at nwresd.k12.or.us Fri May 29 10:42:32 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Fri, 29 May 2009 07:42:32 -0700
Subject: [c-nsp] Latest IOS for sup1/msfc2
Message-ID: <6069A203FD01884885C037F81DD7508016CE188599@wsc-mail-01.intra.nwresd.k12.or.us>

I'm a little unclear on a few things.

Currently, I'm running it in hybrid-mode and would like to run native IOS.
I don't believe this is possible, but one can wish.

I'm not clear what the difference is between c6msfc2-jk2sv-mz.121.27b.E4.bin
vs. c6sup12-jk2sv-mz.121.27b.E1.bin (c6msfc2 vs.
c6sup12).

Is the 12.1 the latest series for this switch?

What is 12.1 E?

Thank you. Any guidance here would be appreciated.

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

my /home away from home

From madunix at gmail.com Fri May 29 11:52:16 2009
From: madunix at gmail.com (madunix)
Date: Fri, 29 May 2009 17:52:16 +0200
Subject: [c-nsp] MPLS
Message-ID: <4d3f56c90905290852o6d780ce1t4a5d642b32440f4f@mail.gmail.com>

I have 3x sites with DS8100 SAN Storage at each side, I will be replicating
data from one side to another (A - B, synchronous, distance 100Km) and (B-C,
asynchronous, 300Km). Am thinking to use MPLS based on IP-VPN since its
secure and not visible to other customers or internet.
Out of your experience ...what do you think about ?

madunix

From bep at whack.org Fri May 29 12:27:17 2009
From: bep at whack.org (Bruce Pinsky)
Date: Fri, 29 May 2009 09:27:17 -0700
Subject: [c-nsp] MPLS
In-Reply-To: <4d3f56c90905290852o6d780ce1t4a5d642b32440f4f@mail.gmail.com>
References: <4d3f56c90905290852o6d780ce1t4a5d642b32440f4f@mail.gmail.com>
Message-ID: <4A200CE5.3060409@whack.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

madunix wrote:
> I have 3x sites with DS8100 SAN Storage at each side, I will be
> replicating data from one side to another (A - B, synchronous,
> distance 100Km) and (B-C, asynchronous, 300Km). Am thinking to use
> MPLS based on IP-VPN since its secure and not visible to other
> customers or internet.
> Out of your experience ...what do you think about ?
>

Well, it's not "secure", it's simply routing isolated. If you want
security, as in encryption, you will need to do that on your own.

If you need low convergence times, MPLS/VPN is probably not your best
choice. I don't know of many (if any) providers who will guarantee the
convergence times through their network. You should expect convergence
times in the 10's of seconds or more for certain types of failures.
You may want to consider getting an L2VPN solution such as VPWS or VPLS and
running your own routing protocol and failure detection methods.

- --
=========
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkogDOQACgkQE1XcgMgrtyZGgQCfWiGT5lRQBBLSfgG20sBbXsHr
0mIAoNr/tvJ7D+aP19LhTzlz2e6aJjXP
=Cr6s
-----END PGP SIGNATURE-----

From jared at corp.sonic.net Fri May 29 13:09:37 2009
From: jared at corp.sonic.net (Jared Gillis)
Date: Fri, 29 May 2009 10:09:37 -0700
Subject: [c-nsp] Sup720-3B Gig port mac address strangeness
In-Reply-To: <20090528171751.GA21759@wildfire.net.ic.ac.uk>
References: <4A1D92B2.5050505@corp.sonic.net> <20090528171751.GA21759@wildfire.net.ic.ac.uk>
Message-ID: <4A2016D1.2040609@corp.sonic.net>

Phil Mayers wrote:
> IIRC SVIs use the chassis mac address, and routed ports use the phy MAC
> address. L2 PDUs (STP, CDP, LLDP) always use the phy mac.

I believe that is true as well, however I'm not using any SVIs on the
interface I'm looking at. In fact, the interface I'm looking at is
unconfigured and shut. I've even verified that there's no internal vlan
assigned to it, so it should definitely be using the phy mac, but it's not,
hence my confusion and email =)

--
Jared Gillis - jared at corp.sonic.net       Sonic.net, Inc.
Network Operations                         2260 Apollo Way
707.522.1000 (Voice)                       Santa Rosa, CA 95407
707.547.3400 (Support)                     http://www.sonic.net/

From gtb at slac.stanford.edu Fri May 29 13:26:44 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Fri, 29 May 2009 10:26:44 -0700
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To:
References:
Message-ID:

> I'm trying to determine if this is a systemic problem or just a fluke.

I have had it occur on a couple of (older) 67xx cards. Looking at the
board, it appeared that the solder joint holding the loop had the classic
appearance of a cold solder joint (it looked brittle and crystallized).
I have this vague suspicion (and it is only a suspicion) that the
combination of the large hole and the large wire (as opposed to a SMT
device) requires more heat/time than the soldering equipment is/was
providing.(*) I have not seen any recent version cards with the problem, so
I presumed that the manufacturing defect was corrected at some point (turned
up the heat?)

Gary

(*) I have a further suspicion that the conversion to ROHS compliant solder
could have had an impact on this issue. Lead-free solder usually requires
higher temperatures for proper bonding (depends on the particular solder).

From ross at kallisti.us Fri May 29 15:12:36 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Fri, 29 May 2009 15:12:36 -0400
Subject: [c-nsp] Sup720-3B Gig port mac address strangeness
In-Reply-To: <4A2016D1.2040609@corp.sonic.net>
References: <4A1D92B2.5050505@corp.sonic.net> <20090528171751.GA21759@wildfire.net.ic.ac.uk> <4A2016D1.2040609@corp.sonic.net>
Message-ID: <20090529191236.GA29141@kallisti.us>

On Fri, May 29, 2009 at 10:09:37AM -0700, Jared Gillis wrote:
> Phil Mayers wrote:
> > IIRC SVIs use the chassis mac address, and routed ports use the phy MAC
> > address. L2 PDUs (STP, CDP, LLDP) always use the phy mac.
>
> I believe that is true as well, however I'm not using any SVIs on the interface
> I'm looking at. In fact, the interface I'm looking at is unconfigured and shut.
> I've even verified that there's no internal vlan assigned to it, so it should
> definitely be using the phy mac, but it's not, hence my confusion and email =)

Hmmm - on a lab box, the sup interfaces take their MAC from the range on the
sup. Both are currently configured as switchports, and SVIs are indeed all
using the chassis MAC.
router.lab>show interface gi5/1 | include Hardware
  Hardware is C6k 1000Mb 802.3, address is 0019.e7d3.94c4 (bia 0019.e7d3.94c4)
router.lab>show interface gi5/2 | include Hardware
  Hardware is C6k 1000Mb 802.3, address is 0019.e7d3.94c5 (bia 0019.e7d3.94c5)
router.lab>show catalyst6000 chassis-mac-addresses
  chassis MAC addresses: 1024 addresses from 0011.5d4a.9480 to 0011.5d4a.987f
router.lab>show mod 5
...
Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  5 0019.e7d3.94c4 to 0019.e7d3.94c7   5.4   8.5(2)       12.2(2009050 Ok
...

I haven't tried swapping my sups, but the only reason I can imagine it would
stick is if I hot-swapped SUPs. A cold restart, I would bet, changes that
interface MAC.

Weird :)

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
                                                         --Woody Guthrie

From dcp at dcptech.com Fri May 29 14:06:55 2009
From: dcp at dcptech.com (David Prall)
Date: Fri, 29 May 2009 14:06:55 -0400
Subject: [c-nsp] Latest IOS for sup1/msfc2
In-Reply-To: <6069A203FD01884885C037F81DD7508016CE188599@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD7508016CE188599@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <00cc01c9e088$52472c60$f6d58520$@com>

C6msfc2 is hybrid for the msfc only, still need catos on the sp.
C6sup12 is native ios for a sup1 with msfc2.

12.1E was the last version for the sup1.

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Bill Blackford
> Sent: Friday, May 29, 2009 10:43 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Latest IOS for sup1/msfc2
>
> I'm a little unclear on a few things.
>
> Currently, I'm running it in hybrid-mode and would like to run native
> IOS. I don't believe this is possible, but one can wish.
>
> I'm not clear what the difference is between c6msfc2-jk2sv-
> mz.121.27b.E4.bin vs. c6sup12-jk2sv-mz.121.27b.E1.bin (c6msfc2 vs.
> c6sup12).
>
> Is the 12.1 the latest series for this switch?
>
> What is 12.1 E?
>
> Thank you. Any guidance here would be appreciated.
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From nicholas.hatch at gmail.com Fri May 29 15:31:14 2009
From: nicholas.hatch at gmail.com (nick hatch)
Date: Fri, 29 May 2009 12:31:14 -0700
Subject: [c-nsp] heat fins popping loose on WS-X67xx cards
In-Reply-To:
References: <44417CD2F19FEA4F885088340A71D33201F0DFCB@mail.office.dansketelecom.com> <4A1F00C8.9060109@west.net> <4A1F0B39.6040907@forthnet.gr>
Message-ID:

On Fri, May 29, 2009 at 6:58 AM, Jay Ford wrote:
>
> Based on the responses I've received it seems that this is a fairly common
> failure due to a design flaw. I got the usual "that's strange; nobody else
> is having this problem" from Cisco. I now have ample justification for
> telling them "bull".
>

This is a total design flaw. I've never seen it on Cisco gear, but came
across the exact same failure while replacing an IBM x3550 mainboard last
night. (MT: 79784AU)

The failure mode looks exactly like cimg1690.jpg posted by Christian:
dry/brittle/crystalline looking joint on the horseshoe jumper. There's
barely any solder there.

I can't imagine it's a good idea to design a joint which serves as a
structural element when the applied force is normal to the board, along the
axis of the joint. Can anyone else name a situation where this is done (and
it doesn't fall apart...)? I can't think of one.

Anyone know who does the ODM work for Cisco for these boards?
The IBM board I mentioned earlier is ca. 2007, made by ASUS. I can't believe
that firms started using this brilliant idea independently of each other.

-Nick

From chris at lavin-llc.com Fri May 29 15:11:54 2009
From: chris at lavin-llc.com (chris at lavin-llc.com)
Date: Fri, 29 May 2009 15:11:54 -0400
Subject: [c-nsp] MPLS
Message-ID: <50868.1243624315@lavin-llc.com>

Bruce Pinsky sent:
>madunix wrote:
>> I have 3x sites with DS8100 SAN Storage at each side, I will be
>> replicating data from one side to another (A - B, synchronous,
>> distance 100Km) and (B-C, asynchronous, 300Km). Am thinking to use
>> MPLS based on IP-VPN since its secure and not visible to other
>> customers or internet.
>> Out of your experience ...what do you think about ?
>>
>
>Well, it's not "secure", it's simply routing isolated. If you want
>security, as in encryption, you will need to do that on your own.
>
>If you need low convergence times, MPLS/VPN is probably not your best
>choice. I don't know of many (if any) providers who will guarantee the
>convergence times through their network. You should expect convergence
>times in the 10's of seconds or more for certain types of failures.
>
>You may want to consider getting an L2VPN solution such as VPWS or VPLS and
>running your own routing protocol and failure detection methods.
>

I agree with Bruce. To take it a step further, you can get any kind of
vanilla connectivity method and run your own DMVPN. This would allow you to
encrypt the data yourself as well as run and tweak routing protocols as
desired w/in the tunnels.

-chris

From ip at ioshints.info Sat May 30 12:12:02 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Sat, 30 May 2009 18:12:02 +0200
Subject: [c-nsp] MPLS
In-Reply-To: <4A200CE5.3060409@whack.org>
References: <4d3f56c90905290852o6d780ce1t4a5d642b32440f4f@mail.gmail.com> <4A200CE5.3060409@whack.org>
Message-ID: <002e01c9e141$5ed1c760$0a00000a@nil.si>

Absolutely agree with Bruce.
For your particular setup, it would be best to use two pseudowires (A-B and
B-C) and run your own routing protocol over them. This would (worst case,
try to avoid) also allow you to transport non-IP LAN data between sites (I
don't know what DS8100 can do). However, keep in mind that VPWS or VPLS are
not 100% reliable (you might experience packet drops, jitter or congestion),
so check what's acceptable with your SAN vendor.

As for security: don't rely on the "MPLS/VPN is secure" pamphlets published
by vendors and "independent" labs. MPLS VPN is undoubtedly infinitely better
than public Internet, but if you need true security, use IPSEC. More details
here:

http://blog.ioshints.info/2009/04/true-or-false-mpls-vpns-offer.html

Hope this helps
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Bruce Pinsky [mailto:bep at whack.org]
> Sent: Friday, May 29, 2009 6:27 PM
> To: madunix
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> madunix wrote:
> > I have 3x sites with DS8100 SAN Storage at each side, I will be
> > replicating data from one side to another (A - B, synchronous,
> > distance 100Km) and (B-C, asynchronous, 300Km). Am thinking to use
> > MPLS based on IP-VPN since its secure and not visible to other
> > customers or internet.
> > Out of your experience ...what do you think about ?
> >
>
> Well, it's not "secure", it's simply routing isolated. If
> you want security, as in encryption, you will need to do that
> on your own.
>
> If you need low convergence times, MPLS/VPN is probably not
> your best choice. I don't know of many (if any) providers
> who will guarantee the convergence times through their
> network. You should expect convergence times in the 10's of
> seconds or more for certain types of failures.
>
> You may want to consider getting an L2VPN solution such as
> VPWS or VPLS and running your own routing protocol and
> failure detection methods.
>
> - --
> =========
> bep
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkogDOQACgkQE1XcgMgrtyZGgQCfWiGT5lRQBBLSfgG20sBbXsHr
> 0mIAoNr/tvJ7D+aP19LhTzlz2e6aJjXP
> =Cr6s
> -----END PGP SIGNATURE-----
>
>

From lowen at pari.edu Sat May 30 18:53:47 2009
From: lowen at pari.edu (Lamar Owen)
Date: Sat, 30 May 2009 18:53:47 -0400
Subject: [c-nsp] Latest IOS for sup1/msfc2
In-Reply-To: <6069A203FD01884885C037F81DD7508016CE188599@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD7508016CE188599@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <200905301853.48183.lowen@pari.edu>

On Friday 29 May 2009 10:42:32 am Bill Blackford wrote:
> Is the 12.1 the latest series for this switch?

Yes.

> What is 12.1 E?

Enterprise train. Variants are also found on the Catalyst 8540 CSR and MSR,
Cat 8510 CSR/MSR, and Lightstream 1010. A 12.1E was also available for 7500
and 7200, I think. Not sure of other platforms. 12.1E was maintained long
after 12.1 regular went EOL.

You'll have to look at feature navigator or software advisor to get the
details, but do take what feature navigator has to say with a teaspoon of
salt.

From madunix at gmail.com Sun May 31 05:42:15 2009
From: madunix at gmail.com (madunix)
Date: Sun, 31 May 2009 11:42:15 +0200
Subject: [c-nsp] MPLS
In-Reply-To: <002e01c9e141$5ed1c760$0a00000a@nil.si>
References: <4d3f56c90905290852o6d780ce1t4a5d642b32440f4f@mail.gmail.com> <4A200CE5.3060409@whack.org> <002e01c9e141$5ed1c760$0a00000a@nil.si>
Message-ID: <4d3f56c90905310242w2b82c0efhfb25a16a5b0e08d6@mail.gmail.com>

I agree with you all, most IP networks do not manage BW to each connection,
specially for peak performance it can go infinity to observe more
replication copy sets, i.e.
the B will never be synch with C, at the moment am using 2Mbps for Data
replication between B and C, as finding when sites are located many miles,
there can be unacceptable delays in the completion of an I/O. Increasing the
available BW may not solve this issue ..., since am using FCIP router
between the 2xsites.

so some recommendation for managing bandwidth with FCIP over should be done,
such as

1. create VPN with QoS
2. guarantee the BW using a third party router/WAN optimizer.
3. distance
4. size of Data
5. the RTO and RTP should be defined

just my thoughts about this issue

madunix

On Sat, May 30, 2009 at 6:12 PM, Ivan Pepelnjak wrote:
> Absolutely agree with Bruce. For your particular setup, it would be best to
> use two pseudowires (A-B and B-C) and run your own routing protocol over
> them. This would (worst case, try to avoid) also allow you to transport
> non-IP LAN data between sites (I don't know what DS8100 can do). However,
> keep in mind that VPWS or VPLS are not 100% reliable (you might experience
> packet drops, jitter or congestion), so check what's acceptable with your
> SAN vendor.
>
> As for security: don't rely on the "MPLS/VPN is secure" pamphlets published
> by vendors and "independent" labs. MPLS VPN is undoubtedly infinitely better
> than public Internet, but if you need true security, use IPSEC. More details
> here:
>
> http://blog.ioshints.info/2009/04/true-or-false-mpls-vpns-offer.html
>
> Hope this helps
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
>> -----Original Message-----
>> From: Bruce Pinsky [mailto:bep at whack.org]
>> Sent: Friday, May 29, 2009 6:27 PM
>> To: madunix
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] MPLS
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> madunix wrote:
>> > I have 3x sites with DS8100 SAN Storage at each side, I will be
>> > replicating data from one side to another (A - B, synchronous,
>> > distance 100Km) and (B-C, asynchronous, 300Km).
>> > Am thinking to use
>> > MPLS based on IP-VPN since its secure and not visible to other
>> > customers or internet.
>> > Out of your experience ...what do you think about ?
>> >
>>
>> Well, it's not "secure", it's simply routing isolated. If
>> you want security, as in encryption, you will need to do that
>> on your own.
>>
>> If you need low convergence times, MPLS/VPN is probably not
>> your best choice. I don't know of many (if any) providers
>> who will guarantee the convergence times through their
>> network. You should expect convergence times in the 10's of
>> seconds or more for certain types of failures.
>>
>> You may want to consider getting an L2VPN solution such as
>> VPWS or VPLS and running your own routing protocol and
>> failure detection methods.
>>
>> - --
>> =========
>> bep
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkogDOQACgkQE1XcgMgrtyZGgQCfWiGT5lRQBBLSfgG20sBbXsHr
>> 0mIAoNr/tvJ7D+aP19LhTzlz2e6aJjXP
>> =Cr6s
>> -----END PGP SIGNATURE-----
>>
>>
>
>

From mhuff at ox.com Sun May 31 12:36:49 2009
From: mhuff at ox.com (Matthew Huff)
Date: Sun, 31 May 2009 12:36:49 -0400
Subject: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
In-Reply-To:
References: <4A0308DA.9040802@utc.edu> <4A036876.2050606@rollernet.us>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9C3811FD0DA@PUR-EXCH07.ox.com>

Various types of switching optimization will prevent ACL logging. If you
absolutely need to debug something, try putting "no ip route-cache" on the
interface. This will reduce per packet performance and increase CPU
utilization, but it will cause the log and log-input to work correctly. Be
very careful with this if the interface has high packet utilization.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:
914-460-4139

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
Sent: Friday, May 29, 2009 9:54 AM
To: Seth Mattinen
Cc: cisco-nsp
Subject: Re: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)

On Thu, 7 May 2009, Jon Lewis wrote:

> I didn't think ACL logging worked in either direction on the 3550. I ran
> across something even more disturbing recently. A customer had an apparently
> compromised system found SSH scanning remote hosts. I put a simple ACL on
> the customer's layer 3 port (i.e. no switchport, ip address ...),
>
> ip access-list extended f0/48-in-acl
>  deny tcp any any eq 22
>  permit ip any any
>
> int f0/48
>  ip access-group f0/48-in-acl in
>
> According to netflow (on our 6500s upstream of the 3550s) some SSH scanning
> traffic was still getting through...or remote hosts just happened to be
> sending this customer tcp traffic from their port 22 to random high ports.
> This is under 12.1(22)EA10b. I haven't gotten around to testing this
> further.

After further investigation (port monitoring), I've determined that the
customer server is not sending ssh scan traffic anymore, but for some
reason, one host in Ukraine is continuing to send it packets that look like
malformed responses to an ssh session. So, I'm going to blame this on a
misbehaving host in Ukraine and not on the 3550's ACL failing to drop
packets.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From chale99 at gmail.com Sun May 31 16:01:48 2009
From: chale99 at gmail.com (Chris Hale)
Date: Sun, 31 May 2009 16:01:48 -0400
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
Message-ID:

All -

We have a simple three node MPLS network that we've deployed for a customer
across our backbone. Two sites connect to POP "N" and one site connects to
POP "H". We have CE (Juniper J2320's) that provide OSPF updates to the PE
for customer routes, and Internet is also provided via a second circuit to
the site off POP "H".

Site W and Site S are off POP N.

Site B is off POP H.

POP N and POP H are connected directly to each other via GigE over wireless
backhaul. Sites W, S, and B are connected to POPs via wireless bridges and
use 802.1q trunks to aggregate traffic to the core routers.

Here is a simple ASCII text:

Site W
  |
cisco 7206 (POP-N) ->---wireless backhaul gige ---->-cisco-7206 (POP-H)--->fastE--->cisco7206(POP-H)--->---Site B ----> Cisco ASA ---> Internet
  |
Site S

All CE routers pick up the routes from the other CE routers, and ICMP works
fine throughout network. Users in Sites W & S can access Internet.

Users between Site W and Site S can use remote desktop/VNC to access other
desktops/servers within these sites (i.e. between Site S and Site W, remote
desktop is fine).

The issue is when users in Site B try to remote desktop into Site W or Site
S, or either Site W or S go to Site B. Again, site S<-->W is fine.
I have packet captures with and without the CE routers, and I see traffic
going back and forth between W and B for a test on TCP 3389. Again, pings
and other traffic work fine between these sites, it just seems to be remote
desktop or VNC. The customer can get the login window to pop up but then it
seems to hang after a few seconds.

They are migrating off a p2p T1 connect between W<---->B<---->S, and they
used plain 1600 series routers. Remote desktop/VNC worked fine before
migrating to our MPLS connections.

Thanks,
Chris

From avayner at cisco.com Sun May 31 16:48:22 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 31 May 2009 22:48:22 +0200
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won'twork
In-Reply-To:
References:
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7B74B28@xmb-ams-331.emea.cisco.com>

Chris,

This sounds like an MTU issue...
Try to run large pings and see what is the biggest MTU you can make go
through.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Hale
Sent: Sunday, May 31, 2009 23:02
To: cisco-nsp
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won'twork

All -

We have a simple three node MPLS network that we've deployed for a customer
across our backbone. Two sites connect to POP "N" and one site connects to
POP "H". We have CE (Juniper J2320's) that provide OSPF updates to the PE
for customer routes, and Internet is also provided via a second circuit to
the site off POP "H".

Site W and Site S are off POP N.

Site B is off POP H.

POP N and POP H are connected directly to each other via GigE over wireless
backhaul. Sites W, S, and B are connected to POPs via wireless bridges and
use 802.1q trunks to aggregate traffic to the core routers.
Here is a simple ASCII text:

Site W
  |
cisco 7206 (POP-N) ->---wireless backhaul gige ---->-cisco-7206 (POP-H)--->fastE--->cisco7206(POP-H)--->---Site B ----> Cisco ASA ---> Internet
  |
Site S

All CE routers pick up the routes from the other CE routers, and ICMP works
fine throughout network. Users in Sites W & S can access Internet.

Users between Site W and Site S can use remote desktop/VNC to access other
desktops/servers within these sites (i.e. between Site S and Site W, remote
desktop is fine).

The issue is when users in Site B try to remote desktop into Site W or Site
S, or either Site W or S go to Site B. Again, site S<-->W is fine.

I have packet captures with and without the CE routers, and I see traffic
going back and forth between W and B for a test on TCP 3389. Again, pings
and other traffic work fine between these sites, it just seems to be remote
desktop or VNC. The customer can get the login window to pop up but then it
seems to hang after a few seconds.

They are migrating off a p2p T1 connect between W<---->B<---->S, and they
used plain 1600 series routers. Remote desktop/VNC worked fine before
migrating to our MPLS connections.

Thanks,
Chris
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ray at oneunified.net Sun May 31 16:09:29 2009
From: ray at oneunified.net (Ray Burkholder)
Date: Sun, 31 May 2009 17:09:29 -0300
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won'twork
In-Reply-To:
References:
Message-ID:

> All -
>
> We have a simple three node MPLS network that we've deployed
> for a customer across our backbone. Two sites connect to POP
> "N" and one site connects to POP "H". We have CE (Juniper
> J2320's) that provide OSPF updates to the PE for customer
> routes, and Internet is also provided via a second circuit to
> the site off POP "H".
Test that you have 1500 MTU's throughout your network. RDP has problems
with <1500 byte MTU's. I think Microsoft has an updated client to solve
this. You'll get <1500 byte MTU's if you are doing IPSEC across your links
or are doing MPLS across normal 1500 byte MTU layer 2 networks.

Ray

--
Scanned for viruses and dangerous content at
http://www.oneunified.net and is believed to be clean.

From chale99 at gmail.com Sun May 31 17:04:57 2009
From: chale99 at gmail.com (Chris Hale)
Date: Sun, 31 May 2009 17:04:57 -0400
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To: <4A22E68F.4010605@wbsconnect.com>
References: <4A22E68F.4010605@wbsconnect.com>
Message-ID:

Should be at least 1500. I have forced the FastE ports between the two
cisco 7206's at POP H to use

I have a server at POP "H" connected to an agg switch that is connected to
the 7206 on the left of POP H. The server is only connected via FastE, but
the results are 1500 MTU:

tracepath:
Resume: pmtu 1500 hops 4 back 4

This tracepath is to the CE WAN port. All traffic from 7206's to CE is via
VLANs through wireless bridges. All traffic between POPs is over GE ports in
NPE-G1.

Using IOS 12.4(15)T5 on 7206's, FYI.

The mpls MTU over the gige wireless backbone between the POPs was MTU1500.
I will change that to 1538 and see what happens.

Thanks,
Chris

On Sun, May 31, 2009 at 4:20 PM, Chris Phillips wrote:

> A shot in the dark here, but what's the MTU along the path?
>
> I know things like Outlook Web Access won't work unless there's a minimum
> 1500 MTU.
>
> I highly recommend grabbing MTUroute.exe and testing this.
>
> http://www.elifulkerson.com/projects/mturoute.php
>
> Chris Hale wrote:
>
>> All -
>>
>> We have a simple three node MPLS network that we've deployed for a
>> customer
>> across our backbone. Two sites connect to POP "N" and one site connects
>> to
>> POP "H".
>> We have CE (Juniper J2320's) that provide OSPF updates to the PE
>> for customer routes, and Internet is also provided via a second circuit to
>> the site off POP "H".
>>
>> Site W and Site S are off POP N.
>>
>> Site B is off POP H.
>>
>> POP N and POP H are connected directly to each other via GigE over
>> wireless
>> backhaul. Sites W, S, and B are connected to POPs via wireless bridges
>> and
>> use 802.1q trunks to aggregate traffic to the core routers.
>>
>> Here is a simple ASCII text:
>>
>> Site W
>> |
>> cisco 7206 (POP-N) ->---wireless backhaul gige ---->-cisco-7206
>> (POP-H)--->fastE--->cisco7206(POP-H)--->---Site B ----> Cisco ASA --->
>> Internet
>> |
>> Site S
>>
>> All CE routers pick up the routes from the other CE routers, and ICMP
>> works
>> fine throughout network. Users in Sites W & S can access Internet.
>>
>> Users between Site W and Site S can use remote desktop/VNC to access other
>> desktops/servers within these sites (i.e. between Site S and Site W,
>> remote
>> desktop is fine).
>>
>> The issue is when users in Site B try to remote desktop into Site W or
>> Site
>> S, or either Site W or S go to Site B. Again, site S<-->W is fine.
>>
>> I have packet captures with and without the CE routers, and I see traffic
>> going back and forth between W and B for a test on TCP 3389. Again, pings
>> and other traffic work fine between these sites, it just seems to be
>> remote
>> desktop or VNC. The customer can get the login window to pop up but then
>> it
>> seems to hang after a few seconds.
>>
>> They are migrating off a p2p T1 connect between W<---->B<---->S, and they
>> used plain 1600 series routers. Remote desktop/VNC worked fine before
>> migrating to our MPLS connections.
>>
>> Thanks,
>> Chris
>>
>
> --
> Chris Phillips
>

--
------------------
Chris Hale
chale99 at gmail.com

From cphillips at wbsconnect.com Sun May 31 16:20:31 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Sun, 31 May 2009 13:20:31 -0700
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To: 
References: 
Message-ID: <4A22E68F.4010605@wbsconnect.com>

A shot in the dark here, but what's the MTU along the path?

I know things like Outlook Web Access won't work unless there's a minimum 1500 MTU.

I highly recommend grabbing MTUroute.exe and testing this.

http://www.elifulkerson.com/projects/mturoute.php

Chris Hale wrote:
> All -
>
> We have a simple three node MPLS network that we've deployed for a customer
> across our backbone. Two sites connect to POP "N" and one site connects to
> POP "H". We have CE (Juniper J2320's) that provide OSPF updates to the PE
> for customer routes, and Internet is also provided via a second circuit to
> the site off POP "H".
>
> Site W and Site S are off POP N.
>
> Site B is off POP H.
>
> POP N and POP H are connected directly to each other via GigE over wireless
> backhaul. Sites W, S, and B are connected to POPs via wireless bridges and
> use 802.1q trunks to aggregate traffic to the core routers.
>
> Here is a simple ASCII text:
>
>      Site W
>        |
> cisco 7206 (POP-N) ->---wireless backhaul gige ---->-cisco-7206
> (POP-H)--->fastE--->cisco7206(POP-H)--->---Site B ----> Cisco ASA --->
> Internet
>        |
>      Site S
>
> All CE routers pick up the routes from the other CE routers, and ICMP works
> fine throughout network. Users in Sites W & S can access Internet.
>
> Users between Site W and Site S can use remote desktop/VNC to access other
> desktops/servers within these sites (i.e. between Site S and Site W, remote
> desktop is fine).
>
> The issue is when users in Site B try to remote desktop into Site W or Site
> S, or either Site W or S go to Site B. Again, site S<-->W is fine.
>
> I have packet captures with and without the CE routers, and I see traffic
> going back and forth between W and B for a test on TCP 3389. Again, pings
> and other traffic work fine between these sites, it just seems to be remote
> desktop or VNC. The customer can get the login window to pop up but then it
> seems to hang after a few seconds.
>
> They are migrating off a p2p T1 connect between W<---->B<---->S, and they
> used plain 1600 series routers. Remote desktop/VNC worked fine before
> migrating to our MPLS connections.
>
> Thanks,
> Chris

--
Chris Phillips

From nsp-list at pollok.net Sun May 31 17:22:08 2009
From: nsp-list at pollok.net (Sascha E. Pollok)
Date: Sun, 31 May 2009 23:22:08 +0200 (CEST)
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To: 
References: <4A22E68F.4010605@wbsconnect.com>
Message-ID: 

Chris,

> The mpls MTU over the gige wireless backbone between the POPs was MTU1500.
> I will change that to 1538 and see what happens.

try to do the 1500 Byte pings between the PEs with DF bit set. I'd rather test the connectivity at 1500 bytes before trying to tweak something.

Also, what kind of FE boards do you use on the 7206? I am currently unsure whether e.g. PA-FE-TX support larger MTUs needed for MPLS/VPN.
Cheers
Sascha

From ray at oneunified.net Sun May 31 18:12:43 2009
From: ray at oneunified.net (Ray Burkholder)
Date: Sun, 31 May 2009 19:12:43 -0300
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To: 
References: <4A22E68F.4010605@wbsconnect.com>
Message-ID: <2B3C6F2985284AD8BD1EB4F5A8A17DA1@oneunified.local>

>
> The mpls MTU over the gige wireless backbone between the POPs was MTU1500.
> I will change that to 1538 and see what happens.
>

http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/newmtu.html

Interface mtu should be as big as or bigger than mpls mtu otherwise you'll have drops and stuff.

Ray

From chale99 at gmail.com Sun May 31 19:54:16 2009
From: chale99 at gmail.com (Chris Hale)
Date: Sun, 31 May 2009 19:54:16 -0400
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To: 
References: <4A22E68F.4010605@wbsconnect.com>
Message-ID: 

On Sun, May 31, 2009 at 5:22 PM, Sascha E. Pollok wrote:

> Chris,
>
>> The mpls MTU over the gige wireless backbone between the POPs was MTU1500.
>> I will change that to 1538 and see what happens.
>>
>
> try to do the 1500 Byte pings between the PEs with
> DF bit set. I'd rather test the connectivity at
> 1500 bytes before trying to tweak something.
>
> Also, what kind of FE boards do you use on the 7206?
> I am currently unsure whether e.g. PA-FE-TX support
> larger MTUs needed for MPLS/VPN.
>

I'm using PA-FE-TX as you guessed. I have enabled the larger MTUs for MPLS with mpls mtu 1538 as per others who have successfully used this.
I'm using one of my J2320's (CE router) and found this:

ping do-not-fragment detail size 1473 192.168.3.254
PING 192.168.3.254 (192.168.3.254): 1473 data bytes
ping: sendto: Message too long

ping do-not-fragment detail size 1472 192.168.3.254
PING 192.168.3.254 (192.168.3.254): 1472 data bytes
1480 bytes from 192.168.3.254 via ge-0/0/3.600: icmp_seq=0 ttl=62 time=12.598 ms
1480 bytes from 192.168.3.254 via ge-0/0/3.600: icmp_seq=1 ttl=62 time=14.612 ms

What does that indicate to you? 1472 + VLAN tag plus MPLS < 1500?

Chris

--
------------------
Chris Hale
chale99 at gmail.com

From tbaranski at mail.com Sun May 31 20:38:52 2009
From: tbaranski at mail.com (Terry Baranski)
Date: Sun, 31 May 2009 20:38:52 -0400
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To: 
Message-ID: <000001c9e251$56d6dd00$0a01a8c0@pleth0ra>

> On Sun, May 31, 2009 at 8:03 PM, Chris Hale wrote:
>
> I'm using PA-FE-TX as you guessed. I have enabled the larger MTUs for MPLS
> with mpls mtu 1538 as per others who have successfully used this.
>
> I'm using one of my J2320's (CE router) and found this:
>
> ping do-not-fragment detail size 1473 192.168.3.254
> PING 192.168.3.254 (192.168.3.254): 1473 data bytes
> ping: sendto: Message too long
>
> ping do-not-fragment detail size 1472 192.168.3.254
> PING 192.168.3.254 (192.168.3.254): 1472 data bytes
> 1480 bytes from 192.168.3.254 via ge-0/0/3.600: icmp_seq=0 ttl=62 time=12.598 ms
> 1480 bytes from 192.168.3.254 via ge-0/0/3.600: icmp_seq=1 ttl=62 time=14.612 ms
>
> What does that indicate to you? 1472 + VLAN tag plus MPLS < 1500?

When you ping from a Juniper, the packet size that you specify doesn't include overhead. So once you add IP (20 bytes) and ICMP (8 bytes) to the above, a ping of 1472 is really a ping of 1500. Therefore 1473 wouldn't be expected to work if all links on the path have an IP MTU of 1500.

Which CE is the above ping from? Is it testing the end-to-end path that isn't working?
If so the MTU seems fine (now). If RDP still isn't working maybe you can post the capture.

-Terry

From ray at oneunified.net Sun May 31 21:04:36 2009
From: ray at oneunified.net (Ray Burkholder)
Date: Sun, 31 May 2009 22:04:36 -0300
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To: 
References: <4A22E68F.4010605@wbsconnect.com>
Message-ID: 

>
> What does that indicate to you? 1472 + VLAN tag plus MPLS < 1500?
>

When provisioning MPLS circuits, one has to be careful. Basic MPLS will attach one or more 4 byte labels on to each packet. Pseudowires attach additional bytes onto each packet. WAN circuits running MPLS need to be provisioned such that the interface MTU is set to 1500 PLUS any pseudowire overhead plus any MPLS label overhead. If you try to run MPLS stuff across a standard 1500 MTU WAN interface, you get the problems you are now encountering: fragmentation, drops, corruption, ... Some protocols can handle it, but I've read that RDP sets the no-fragment bit, thus dropping the packets.

STM-1 and DS3 circuits run by default at 4470 bytes so easily accommodate MPLS overhead. Ethernet circuits are at 1500, and you have to work with upstream vendors to ensure their networks can handle MTUs greater than 1500. Cisco switches need a reboot after setting a system mtu setting. Routers can change interface mtu settings on the fly.

You could try setting your MTU setting on your pc to 1300 and see if things work. If they do, then you know you have an upstream mtu problem.

Ray
http://www.oneunified.net/blog
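The arithmetic behind Terry's reply (Junos ping size excludes the 20-byte IP and 8-byte ICMP headers, so 1472 is a 1500-byte packet) and Ray's reply (a core link must carry 1500 bytes plus every 4-byte label plus any pseudowire overhead, or DF-set traffic such as RDP is silently dropped) is worked through below. This is an added example, not code from the thread or from any participant. The header sizes are the standard protocol constants; the hop names, per-hop MTUs and the two-label stack are constructed to resemble the thread's topology (an L3VPN across the POP-N/POP-H GigE backbone, first at the default mpls mtu 1500, then at the 1538 Chris switched to), and nothing in it comes from a real configuration or capture.

```python
"""Added example (not from the cisco-nsp thread): MPLS MTU budget and a
DF-bit walk along a constructed path.

Header sizes are the standard protocol constants. Hop names, per-hop MTUs and
label counts are constructed to resemble the thread's topology and are not
taken from any real configuration or capture.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HEADER = 20     # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo request/reply header
MPLS_LABEL = 4     # one MPLS shim header (label, EXP, S, TTL)


def juniper_ping_wire_size(data_bytes: int) -> int:
    """Junos 'ping size N' counts ICMP payload only. Adding the IP and ICMP
    headers gives the IP packet length actually sent: 1472 -> 1500."""
    return data_bytes + IP_HEADER + ICMP_HEADER


def required_mpls_mtu(ip_mtu: int = 1500, labels: int = 2, pw_overhead: int = 0) -> int:
    """Bytes (after the Ethernet header) a core link must carry so an ip_mtu-sized
    packet crosses it unfragmented: payload + every label + pseudowire overhead."""
    return ip_mtu + labels * MPLS_LABEL + pw_overhead


@dataclass(frozen=True)
class Hop:
    name: str
    link_mtu: int         # largest frame payload (after Ethernet header) the link forwards
    labels: int = 0       # MPLS labels on the packet while it crosses this hop
    pw_overhead: int = 0  # extra pseudowire bytes, if any (0 for plain L3VPN)


def path_mtu(path: List[Hop]) -> int:
    """Largest IP packet that fits every hop once encapsulation is subtracted."""
    return min(h.link_mtu - h.labels * MPLS_LABEL - h.pw_overhead for h in path)


def walk_df_packet(path: List[Hop], ip_size: int) -> Tuple[str, Optional[str]]:
    """Follow one DF-set IP packet of ip_size bytes hop by hop.
    Returns ("ok", None) or ("dropped", name of the first hop it did not fit)."""
    for hop in path:
        if ip_size + hop.labels * MPLS_LABEL + hop.pw_overhead > hop.link_mtu:
            return ("dropped", hop.name)
    return ("ok", None)


def max_juniper_ping_size(path: List[Hop]) -> int:
    """The largest 'ping do-not-fragment size N' the path carries end to end."""
    return path_mtu(path) - IP_HEADER - ICMP_HEADER


def build_path(backbone_mpls_mtu: int) -> List[Hop]:
    """Constructed path: CE access VLAN (unlabelled), PE-to-PE backbone carrying a
    transport label plus a VPN label, then the far-side access VLAN."""
    return [
        Hop("CE-B -> PE (POP-H access VLAN)", link_mtu=1500),
        Hop("POP-H -> POP-N gige (MPLS core)", link_mtu=backbone_mpls_mtu, labels=2),
        Hop("PE -> CE-W (POP-N access VLAN)", link_mtu=1500),
    ]


BEFORE = build_path(1500)   # mpls mtu left at the default
AFTER = build_path(1538)    # mpls mtu raised, as in the thread


if __name__ == "__main__":
    print("Junos ping size 1472 ->", juniper_ping_wire_size(1472), "byte IP packet")
    print("two labels over a 1500 IP MTU need", required_mpls_mtu(), "bytes on the core link")
    for tag, path in (("before", BEFORE), ("after", AFTER)):
        print(tag, "path MTU", path_mtu(path),
              "DF 1500 ->", walk_df_packet(path, 1500),
              "max Junos ping size", max_juniper_ping_size(path))
```

With the backbone at 1500 the 1500-byte DF packet is dropped at the labelled core hop (1508 bytes needed) while every smaller probe passes, which is exactly why pings and most traffic work and only the large RDP segments hang; at 1538 the whole path carries 1500, and the Junos probe ceiling becomes 1472.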
From chale99 at gmail.com Sun May 31 22:39:30 2009
From: chale99 at gmail.com (Chris Hale)
Date: Sun, 31 May 2009 22:39:30 -0400
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To: <000001c9e251$56d6dd00$0a01a8c0@pleth0ra>
References: <000001c9e251$56d6dd00$0a01a8c0@pleth0ra>
Message-ID: 

On Sun, May 31, 2009 at 8:38 PM, Terry Baranski wrote:

>> On Sun, May 31, 2009 at 8:03 PM, Chris Hale wrote:
>>
>> I'm using PA-FE-TX as you guessed. I have enabled the larger
>> MTUs for MPLS with mpls mtu 1538 as per others who have successfully used this.
>>
>> I'm using one of my J2320's (CE router) and found this:
>>
>> ping do-not-fragment detail size 1473 192.168.3.254
>> PING 192.168.3.254 (192.168.3.254): 1473 data bytes
>> ping: sendto: Message too long
>>
>> ping do-not-fragment detail size 1472 192.168.3.254
>> PING 192.168.3.254 (192.168.3.254): 1472 data bytes
>> 1480 bytes from 192.168.3.254 via ge-0/0/3.600: icmp_seq=0 ttl=62 time=12.598 ms
>> 1480 bytes from 192.168.3.254 via ge-0/0/3.600: icmp_seq=1 ttl=62 time=14.612 ms
>>
>> What does that indicate to you? 1472 + VLAN tag plus MPLS < 1500?
>
> When you ping from a Juniper, the packet size that you specify doesn't
> include overhead. So once you add IP (20 bytes) and ICMP (8 bytes) to the
> above, a ping of 1472 is really a ping of 1500. Therefore 1473 wouldn't be
> expected to work if all links on the path have an IP MTU of 1500.
>
> Which CE is the above ping from? Is it testing the end-to-end path that
> isn't working? If so the MTU seems fine (now). If RDP still isn't working
> maybe you can post the capture.
>

This is pinging from the CE at Site B to Site W. Yes, it is testing the end-to-end path that doesn't carry the RDP traffic. I will be capturing traffic at the POP before it hits the PE tomorrow. I'll post for all to see in both binary Wireshark format and plain text.
Thanks,
Chris

--
------------------
Chris Hale
chale99 at gmail.com

From chale99 at gmail.com Sun May 31 22:42:02 2009
From: chale99 at gmail.com (Chris Hale)
Date: Sun, 31 May 2009 22:42:02 -0400
Subject: [c-nsp] strange behavior over MPLS network - remote desktop won't work
In-Reply-To: 
References: <4A22E68F.4010605@wbsconnect.com>
Message-ID: 

On Sun, May 31, 2009 at 9:04 PM, Ray Burkholder wrote:

>>
>> What does that indicate to you? 1472 + VLAN tag plus MPLS < 1500?
>>
>
> When provisioning MPLS circuits, one has to be careful. Basic MPLS will
> attach one or more 4 byte labels on to each packet. Pseudowires attach
> additional bytes onto each packet. WAN circuits running MPLS need to be
> provisioned such that the interface MTU is set to 1500 PLUS any pseudowire
> overhead plus any MPLS label overhead. If you try to run MPLS stuff across
> a standard 1500 MTU WAN interface, you get the problems you are now
> encountering: fragmentation, drops, corruption, ... Some protocols can
> handle it, but I've read that RDP sets the no-fragment bit, thus dropping
> the packets.
>
> STM-1 and DS3 circuits run by default at 4470 bytes so easily accommodate
> MPLS overhead. Ethernet circuits are at 1500, and you have to work with
> upstream vendors to ensure their networks can handle MTUs greater than
> 1500. Cisco switches need a reboot after setting a system mtu setting.
> Routers can change interface mtu settings on the fly.
>
> You could try setting your MTU setting on your pc to 1300 and see if things
> work. If they do, then you know you have an upstream mtu problem.
>

I have an available DS3 interface on each of the POP H routers. Maybe I will set that up tomorrow and push the MPLS traffic across this interconnect to see if that helps. Maybe the mpls mtu setting on the PA-FE-TX interfaces just isn't working. I have also forced the GigE MPLS MTU settings on the backbone link between the POPs to 1538 as they were at the default of 1500 before.
Thanks again,
Chris

From kratzer at ctinetworks.com Sun May 31 22:13:22 2009
From: kratzer at ctinetworks.com (Stephen Kratzer)
Date: Sun, 31 May 2009 22:13:22 -0400
Subject: [c-nsp] MPLS TE load-balancing
Message-ID: <1243822402.24506.26.camel@kratzers-laptop>

All,

Is there a trick to load-balancing across TE tunnels and native IP paths? I'm using auto-route with a relative metric of 0 for a tunnel across an explicit path which should mirror the IGP least-cost route, but traffic is only flowing over the IGP path. If I set the relative metric to -1, traffic flows only over the TE tunnel. Auto-route announce is configured.

Thanks,
Stephen Kratzer

From tom at snnap.net Sun May 31 22:38:50 2009
From: tom at snnap.net (Tom Storey)
Date: Mon, 1 Jun 2009 11:38:50 +0900 (EIT)
Subject: [c-nsp] Ingress policing on a 3560
Message-ID: <63266.172.25.144.4.1243823930.squirrel@imap.snnap.net>

Hi all.

What I'm trying to do is police ingress on a port, using a MAC ACL to match traffic to police (just a "permit any any" to match all traffic). But what I'm getting is that the switch doesn't appear to be matching any traffic at all.

sw2#sh int gi0/14 | inc put rate
  30 second input rate 20449000 bits/sec, 1688 packets/sec
  30 second output rate 2620000 bits/sec, 1690 packets/sec

sw2#sh policy-map int gi0/14
 GigabitEthernet0/14

  Service-policy input: police-10mbit-in

    Class-map: mac-any-any (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group name mac-any-any
        0 packets, 0 bytes
        30 second rate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        30 second rate 0 bps

Does anyone have any pointers as to what I'm doing wrong? Below is my config.

mac access-list extended mac-any-any
 permit any any
!
class-map match-any mac-any-any
  match access-group name mac-any-any
!
policy-map police-10mbit-in
  class mac-any-any
    police 10000000 1000000 exceed-action drop
!
interface GigabitEthernet0/14
 service-policy input police-10mbit-in
!

I've also tried with just class-default, but got the same result. I am currently using the "vlan" SDM profile, if that makes any difference.

Cheers,
Tom